diff options
Diffstat (limited to 'doc/pdf')
| -rw-r--r-- | doc/pdf/GMakefile | 66 | ||||
| -rw-r--r-- | doc/pdf/admin.pdf | bin | 0 -> 742854 bytes | |||
| -rw-r--r-- | doc/pdf/admin.tex | 11630 | ||||
| -rw-r--r-- | doc/pdf/appdev.pdf | bin | 0 -> 1445440 bytes | |||
| -rw-r--r-- | doc/pdf/appdev.tex | 23032 | ||||
| -rw-r--r-- | doc/pdf/basic.pdf | bin | 0 -> 138064 bytes | |||
| -rw-r--r-- | doc/pdf/basic.tex | 751 | ||||
| -rw-r--r-- | doc/pdf/build.pdf | bin | 0 -> 153561 bytes | |||
| -rw-r--r-- | doc/pdf/build.tex | 993 | ||||
| -rw-r--r-- | doc/pdf/fncychap.sty | 683 | ||||
| -rw-r--r-- | doc/pdf/plugindev.pdf | bin | 0 -> 140040 bytes | |||
| -rw-r--r-- | doc/pdf/plugindev.tex | 801 | ||||
| -rw-r--r-- | doc/pdf/python.ist | 11 | ||||
| -rw-r--r-- | doc/pdf/sphinx.sty | 522 | ||||
| -rw-r--r-- | doc/pdf/sphinxhowto.cls | 104 | ||||
| -rw-r--r-- | doc/pdf/sphinxmanual.cls | 148 | ||||
| -rw-r--r-- | doc/pdf/tabulary.sty | 449 | ||||
| -rw-r--r-- | doc/pdf/user.pdf | bin | 0 -> 200228 bytes | |||
| -rw-r--r-- | doc/pdf/user.tex | 1923 |
19 files changed, 41113 insertions, 0 deletions
diff --git a/doc/pdf/GMakefile b/doc/pdf/GMakefile new file mode 100644 index 000000000000..6b87ad8814cc --- /dev/null +++ b/doc/pdf/GMakefile @@ -0,0 +1,66 @@ +# Makefile for Sphinx LaTeX output + +ALLDOCS = $(basename $(wildcard *.tex)) +ALLPDF = $(addsuffix .pdf,$(ALLDOCS)) +ALLDVI = $(addsuffix .dvi,$(ALLDOCS)) + +# Prefix for archive names +ARCHIVEPRREFIX = +# Additional LaTeX options +LATEXOPTS = + +all: $(ALLPDF) +all-pdf: $(ALLPDF) +all-dvi: $(ALLDVI) +all-ps: all-dvi + for f in *.dvi; do dvips $$f; done + +all-pdf-ja: + for f in *.pdf *.png *.gif *.jpg *.jpeg; do extractbb $$f; done + for f in *.tex; do platex -kanji=utf8 $(LATEXOPTS) $$f; done + for f in *.tex; do platex -kanji=utf8 $(LATEXOPTS) $$f; done + for f in *.tex; do platex -kanji=utf8 $(LATEXOPTS) $$f; done + -for f in *.idx; do mendex -U -f -d "`basename $$f .idx`.dic" -s python.ist $$f; done + for f in *.tex; do platex -kanji=utf8 $(LATEXOPTS) $$f; done + for f in *.tex; do platex -kanji=utf8 $(LATEXOPTS) $$f; done + for f in *.dvi; do dvipdfmx $$f; done + +zip: all-$(FMT) + mkdir $(ARCHIVEPREFIX)docs-$(FMT) + cp $(ALLPDF) $(ARCHIVEPREFIX)docs-$(FMT) + zip -q -r -9 $(ARCHIVEPREFIX)docs-$(FMT).zip $(ARCHIVEPREFIX)docs-$(FMT) + rm -r $(ARCHIVEPREFIX)docs-$(FMT) + +tar: all-$(FMT) + mkdir $(ARCHIVEPREFIX)docs-$(FMT) + cp $(ALLPDF) $(ARCHIVEPREFIX)docs-$(FMT) + tar cf $(ARCHIVEPREFIX)docs-$(FMT).tar $(ARCHIVEPREFIX)docs-$(FMT) + rm -r $(ARCHIVEPREFIX)docs-$(FMT) + +bz2: tar + bzip2 -9 -k $(ARCHIVEPREFIX)docs-$(FMT).tar + +# The number of LaTeX runs is quite conservative, but I don't expect it +# to get run often, so the little extra time won't hurt. +%.dvi: %.tex + latex $(LATEXOPTS) '$<' + latex $(LATEXOPTS) '$<' + latex $(LATEXOPTS) '$<' + -makeindex -s python.ist '$(basename $<).idx' + latex $(LATEXOPTS) '$<' + latex $(LATEXOPTS) '$<' + +%.pdf: %.tex + pdflatex $(LATEXOPTS) '$<' + pdflatex $(LATEXOPTS) '$<' + pdflatex $(LATEXOPTS) '$<' + -makeindex -s python.ist '$(basename $<).idx' + pdflatex $(LATEXOPTS) '$<' + pdflatex $(LATEXOPTS) '$<' + +clean: + rm -f *.dvi *.log *.ind *.aux *.toc *.syn *.idx *.out *.ilg *.pla + +.PHONY: all all-pdf all-dvi all-ps clean +.PHONY: all-pdf-ja + diff --git a/doc/pdf/admin.pdf b/doc/pdf/admin.pdf Binary files differnew file mode 100644 index 000000000000..5e55aece3f2b --- /dev/null +++ b/doc/pdf/admin.pdf diff --git a/doc/pdf/admin.tex b/doc/pdf/admin.tex new file mode 100644 index 000000000000..1cf190826169 --- /dev/null +++ b/doc/pdf/admin.tex @@ -0,0 +1,11630 @@ +% Generated by Sphinx. +\def\sphinxdocclass{report} +\documentclass[letterpaper,10pt,english]{sphinxmanual} +\usepackage[utf8]{inputenc} +\DeclareUnicodeCharacter{00A0}{\nobreakspace} +\usepackage{cmap} +\usepackage[T1]{fontenc} +\usepackage{babel} +\usepackage{times} +\usepackage[Bjarne]{fncychap} +\usepackage{longtable} +\usepackage{sphinx} +\usepackage{multirow} + + +\title{Kerberos Administration Guide} +\date{ } +\release{1.15.1} +\author{MIT} +\newcommand{\sphinxlogo}{} +\renewcommand{\releasename}{Release} +\makeindex + +\makeatletter +\def\PYG@reset{\let\PYG@it=\relax \let\PYG@bf=\relax% + \let\PYG@ul=\relax \let\PYG@tc=\relax% + \let\PYG@bc=\relax \let\PYG@ff=\relax} +\def\PYG@tok#1{\csname PYG@tok@#1\endcsname} +\def\PYG@toks#1+{\ifx\relax#1\empty\else% + \PYG@tok{#1}\expandafter\PYG@toks\fi} +\def\PYG@do#1{\PYG@bc{\PYG@tc{\PYG@ul{% + \PYG@it{\PYG@bf{\PYG@ff{#1}}}}}}} +\def\PYG#1#2{\PYG@reset\PYG@toks#1+\relax+\PYG@do{#2}} + +\expandafter\def\csname PYG@tok@gd\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.63,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gu\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.50,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@gt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.27,0.87}{##1}}} +\expandafter\def\csname PYG@tok@gs\endcsname{\let\PYG@bf=\textbf} +\expandafter\def\csname PYG@tok@gr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{1.00,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@cm\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@vg\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@m\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@cs\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\colorbox[rgb]{1.00,0.94,0.94}{\strut ##1}}} +\expandafter\def\csname PYG@tok@ge\endcsname{\let\PYG@it=\textit} +\expandafter\def\csname PYG@tok@vc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@il\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@go\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.20,0.20,0.20}{##1}}} +\expandafter\def\csname PYG@tok@cp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@gi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.63,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gh\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@ni\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.84,0.33,0.22}{##1}}} +\expandafter\def\csname PYG@tok@nl\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.13,0.44}{##1}}} +\expandafter\def\csname PYG@tok@nn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@no\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.38,0.68,0.84}{##1}}} +\expandafter\def\csname PYG@tok@na\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@nb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@nd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.33,0.33,0.33}{##1}}} +\expandafter\def\csname PYG@tok@ne\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} +\expandafter\def\csname PYG@tok@si\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.44,0.63,0.82}{##1}}} +\expandafter\def\csname PYG@tok@s2\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@vi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@nt\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.45}{##1}}} +\expandafter\def\csname PYG@tok@nv\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@s1\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@gp\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@sh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@ow\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@sx\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@bp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c1\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@kc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@mf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@err\endcsname{\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\fcolorbox[rgb]{1.00,0.00,0.00}{1,1,1}{\strut ##1}}} +\expandafter\def\csname PYG@tok@kd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@ss\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.32,0.47,0.09}{##1}}} +\expandafter\def\csname PYG@tok@sr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.14,0.33,0.53}{##1}}} +\expandafter\def\csname PYG@tok@mo\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@kn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@o\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.40,0.40,0.40}{##1}}} +\expandafter\def\csname PYG@tok@kr\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@s\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@kp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@w\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.73,0.73}{##1}}} +\expandafter\def\csname PYG@tok@kt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.56,0.13,0.00}{##1}}} +\expandafter\def\csname PYG@tok@sc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@k\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@se\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sd\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} + +\def\PYGZbs{\char`\\} +\def\PYGZus{\char`\_} +\def\PYGZob{\char`\{} +\def\PYGZcb{\char`\}} +\def\PYGZca{\char`\^} +\def\PYGZam{\char`\&} +\def\PYGZlt{\char`\<} +\def\PYGZgt{\char`\>} +\def\PYGZsh{\char`\#} +\def\PYGZpc{\char`\%} +\def\PYGZdl{\char`\$} +\def\PYGZhy{\char`\-} +\def\PYGZsq{\char`\'} +\def\PYGZdq{\char`\"} +\def\PYGZti{\char`\~} +% for compatibility with earlier versions +\def\PYGZat{@} +\def\PYGZlb{[} +\def\PYGZrb{]} +\makeatother + +\begin{document} + +\maketitle +\tableofcontents +\phantomsection\label{admin/index::doc} + + + +\chapter{Installation guide} +\label{admin/install:for-administrators}\label{admin/install::doc}\label{admin/install:installation-guide} + +\section{Contents} +\label{admin/install:contents} + +\subsection{Installing KDCs} +\label{admin/install_kdc:installing-kdcs}\label{admin/install_kdc::doc} +When setting up Kerberos in a production environment, it is best to +have multiple slave KDCs alongside with a master KDC to ensure the +continued availability of the Kerberized services. Each KDC contains +a copy of the Kerberos database. The master KDC contains the writable +copy of the realm database, which it replicates to the slave KDCs at +regular intervals. All database changes (such as password changes) +are made on the master KDC. Slave KDCs provide Kerberos +ticket-granting services, but not database administration, when the +master KDC is unavailable. MIT recommends that you install all of +your KDCs to be able to function as either the master or one of the +slaves. This will enable you to easily switch your master KDC with +one of the slaves if necessary (see {\hyperref[admin/install_kdc:switch-master-slave]{\emph{Switching master and slave KDCs}}}). This +installation procedure is based on that recommendation. + +\begin{notice}{warning}{Warning:}\begin{itemize} +\item {} +The Kerberos system relies on the availability of correct time +information. Ensure that the master and all slave KDCs have +properly synchronized clocks. + +\item {} +It is best to install and run KDCs on secured and dedicated +hardware with limited access. If your KDC is also a file +server, FTP server, Web server, or even just a client machine, +someone who obtained root access through a security hole in any +of those areas could potentially gain access to the Kerberos +database. + +\end{itemize} +\end{notice} + + +\subsubsection{Install and configure the master KDC} +\label{admin/install_kdc:install-and-configure-the-master-kdc} +Install Kerberos either from the OS-provided packages or from the +source (See \emph{do\_build}). + +\begin{notice}{note}{Note:} +For the purpose of this document we will use the following +names: + +\begin{Verbatim}[commandchars=\\\{\}] +kerberos.mit.edu \PYGZhy{} master KDC +kerberos\PYGZhy{}1.mit.edu \PYGZhy{} slave KDC +ATHENA.MIT.EDU \PYGZhy{} realm name +.k5.ATHENA.MIT.EDU \PYGZhy{} stash file +admin/admin \PYGZhy{} admin principal +\end{Verbatim} + +See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the default names and locations +of the relevant to this topic files. Adjust the names and +paths to your system environment. +\end{notice} + + +\subsubsection{Edit KDC configuration files} +\label{admin/install_kdc:edit-kdc-configuration-files} +Modify the configuration files, {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} and +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}, to reflect the correct information (such as +domain-realm mappings and Kerberos servers names) for your realm. +(See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the recommended default locations for +these files). + +Most of the tags in the configuration have default values that will +work well for most sites. There are some tags in the +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file whose values must be specified, and this +section will explain those. + +If the locations for these configuration files differs from the +default ones, set \textbf{KRB5\_CONFIG} and \textbf{KRB5\_KDC\_PROFILE} environment +variables to point to the krb5.conf and kdc.conf respectively. For +example: + +\begin{Verbatim}[commandchars=\\\{\}] +export KRB5\PYGZus{}CONFIG=/yourdir/krb5.conf +export KRB5\PYGZus{}KDC\PYGZus{}PROFILE=/yourdir/kdc.conf +\end{Verbatim} + + +\paragraph{krb5.conf} +\label{admin/install_kdc:krb5-conf} +If you are not using DNS TXT records (see {\hyperref[admin/realm_config:mapping-hostnames]{\emph{Mapping hostnames onto Kerberos realms}}}), +you must specify the \textbf{default\_realm} in the {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} +section. If you are not using DNS URI or SRV records (see +{\hyperref[admin/realm_config:kdc-hostnames]{\emph{Hostnames for KDCs}}} and {\hyperref[admin/realm_config:kdc-discovery]{\emph{KDC Discovery}}}), you must include the +\textbf{kdc} tag for each \emph{realm} in the {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} section. To +communicate with the kadmin server in each realm, the \textbf{admin\_server} +tag must be set in the +{\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} section. + +An example krb5.conf file: + +\begin{Verbatim}[commandchars=\\\{\}] +[libdefaults] + default\PYGZus{}realm = ATHENA.MIT.EDU + +[realms] + ATHENA.MIT.EDU = \PYGZob{} + kdc = kerberos.mit.edu + kdc = kerberos\PYGZhy{}1.mit.edu + admin\PYGZus{}server = kerberos.mit.edu + \PYGZcb{} +\end{Verbatim} + + +\paragraph{kdc.conf} +\label{admin/install_kdc:kdc-conf} +The kdc.conf file can be used to control the listening ports of the +KDC and kadmind, as well as realm-specific defaults, the database type +and location, and logging. + +An example kdc.conf file: + +\begin{Verbatim}[commandchars=\\\{\}] +[kdcdefaults] + kdc\PYGZus{}listen = 88 + kdc\PYGZus{}tcp\PYGZus{}listen = 88 + +[realms] + ATHENA.MIT.EDU = \PYGZob{} + kadmind\PYGZus{}port = 749 + max\PYGZus{}life = 12h 0m 0s + max\PYGZus{}renewable\PYGZus{}life = 7d 0h 0m 0s + master\PYGZus{}key\PYGZus{}type = aes256\PYGZhy{}cts + supported\PYGZus{}enctypes = aes256\PYGZhy{}cts:normal aes128\PYGZhy{}cts:normal + \PYGZsh{} If the default location does not suit your setup, + \PYGZsh{} explicitly configure the following values: + \PYGZsh{} database\PYGZus{}name = /var/krb5kdc/principal + \PYGZsh{} key\PYGZus{}stash\PYGZus{}file = /var/krb5kdc/.k5.ATHENA.MIT.EDU + \PYGZsh{} acl\PYGZus{}file = /var/krb5kdc/kadm5.acl + \PYGZcb{} + +[logging] + \PYGZsh{} By default, the KDC and kadmind will log output using + \PYGZsh{} syslog. You can instead send log output to files like this: + kdc = FILE:/var/log/krb5kdc.log + admin\PYGZus{}server = FILE:/var/log/kadmin.log + default = FILE:/var/log/krb5lib.log +\end{Verbatim} + +Replace \code{ATHENA.MIT.EDU} and \code{kerberos.mit.edu} with the name of +your Kerberos realm and server respectively. + +\begin{notice}{note}{Note:} +You have to have write permission on the target directories +(these directories must exist) used by \textbf{database\_name}, +\textbf{key\_stash\_file}, and \textbf{acl\_file}. +\end{notice} + + +\subsubsection{Create the KDC database} +\label{admin/install_kdc:create-the-kdc-database}\label{admin/install_kdc:create-db} +You will use the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} command on the master KDC to +create the Kerberos database and the optional \emph{stash\_definition}. + +\begin{notice}{note}{Note:} +If you choose not to install a stash file, the KDC will +prompt you for the master key each time it starts up. This +means that the KDC will not be able to start automatically, +such as after a system reboot. +\end{notice} + +{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} will prompt you for the master password for the +Kerberos database. This password can be any string. A good password +is one you can remember, but that no one else can guess. Examples of +bad passwords are words that can be found in a dictionary, any common +or popular name, especially a famous person (or cartoon character), +your username in any form (e.g., forward, backward, repeated twice, +etc.), and any of the sample passwords that appear in this manual. +One example of a password which might be good if it did not appear in +this manual is ``MITiys4K5!'', which represents the sentence ``MIT is +your source for Kerberos 5!'' (It's the first letter of each word, +substituting the numeral ``4'' for the word ``for'', and includes the +punctuation mark at the end.) + +The following is an example of how to create a Kerberos database and +stash file on the master KDC, using the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} command. +Replace \code{ATHENA.MIT.EDU} with the name of your Kerberos realm: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}util create \PYGZhy{}r ATHENA.MIT.EDU \PYGZhy{}s + +Initializing database \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{} for realm \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}, +master key name \PYGZsq{}K/M@ATHENA.MIT.EDU\PYGZsq{} +You will be prompted for the database Master Password. +It is important that you NOT FORGET this password. +Enter KDC database master key: \PYGZlt{}= Type the master password. +Re\PYGZhy{}enter KDC database master key to verify: \PYGZlt{}= Type it again. +shell\PYGZpc{} +\end{Verbatim} + +This will create five files in {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc} (or at the locations specified +in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}): +\begin{itemize} +\item {} +two Kerberos database files, \code{principal}, and \code{principal.ok} + +\item {} +the Kerberos administrative database file, \code{principal.kadm5} + +\item {} +the administrative database lock file, \code{principal.kadm5.lock} + +\item {} +the stash file, in this example \code{.k5.ATHENA.MIT.EDU}. If you do +not want a stash file, run the above command without the \textbf{-s} +option. + +\end{itemize} + +For more information on administrating Kerberos database see +{\hyperref[admin/database:db-operations]{\emph{Operations on the Kerberos database}}}. + + +\subsubsection{Add administrators to the ACL file} +\label{admin/install_kdc:add-administrators-to-the-acl-file}\label{admin/install_kdc:admin-acl} +Next, you need create an Access Control List (ACL) file and put the +Kerberos principal of at least one of the administrators into it. +This file is used by the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon to control which +principals may view and make privileged modifications to the Kerberos +database files. The ACL filename is determined by the \textbf{acl\_file} +variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}; the default is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl}. + +For more information on Kerberos ACL file see {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}. + + +\subsubsection{Add administrators to the Kerberos database} +\label{admin/install_kdc:add-administrators-to-the-kerberos-database}\label{admin/install_kdc:addadmin-kdb} +Next you need to add administrative principals (i.e., principals who +are allowed to administer Kerberos database) to the Kerberos database. +You \emph{must} add at least one principal now to allow communication +between the Kerberos administration daemon kadmind and the kadmin +program over the network for further administration. To do this, use +the kadmin.local utility on the master KDC. kadmin.local is designed +to be run on the master KDC host without using Kerberos authentication +to an admin server; instead, it must have read and write access to the +Kerberos database on the local filesystem. + +The administrative principals you create should be the ones you added +to the ACL file (see {\hyperref[admin/install_kdc:admin-acl]{\emph{Add administrators to the ACL file}}}). + +In the following example, the administrative principal \code{admin/admin} +is created: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kadmin.local + +kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU + +WARNING: no policy specified for \PYGZdq{}admin/admin@ATHENA.MIT.EDU\PYGZdq{}; +assigning \PYGZdq{}default\PYGZdq{}. +Enter password for principal admin/admin@ATHENA.MIT.EDU: \PYGZlt{}= Enter a password. +Re\PYGZhy{}enter password for principal admin/admin@ATHENA.MIT.EDU: \PYGZlt{}= Type it again. +Principal \PYGZdq{}admin/admin@ATHENA.MIT.EDU\PYGZdq{} created. +kadmin.local: +\end{Verbatim} + + +\subsubsection{Start the Kerberos daemons on the master KDC} +\label{admin/install_kdc:start-the-kerberos-daemons-on-the-master-kdc}\label{admin/install_kdc:start-kdc-daemons} +At this point, you are ready to start the Kerberos KDC +({\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}}) and administrative daemons on the Master KDC. To +do so, type: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5kdc} +\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmind} +\end{Verbatim} + +Each server daemon will fork and run in the background. + +\begin{notice}{note}{Note:} +Assuming you want these daemons to start up automatically at +boot time, you can add them to the KDC's \code{/etc/rc} or +\code{/etc/inittab} file. You need to have a +\emph{stash\_definition} in order to do this. +\end{notice} + +You can verify that they started properly by checking for their +startup messages in the logging locations you defined in +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} (see {\hyperref[admin/conf_files/kdc_conf:logging]{\emph{{[}logging{]}}}}). For example: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} tail /var/log/krb5kdc.log +Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation +shell\PYGZpc{} tail /var/log/kadmin.log +Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting +\end{Verbatim} + +Any errors the daemons encounter while starting will also be listed in +the logging output. + +As an additional verification, check if \emph{kinit(1)} succeeds +against the principals that you have created on the previous step +({\hyperref[admin/install_kdc:addadmin-kdb]{\emph{Add administrators to the Kerberos database}}}). Run: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kinit admin/admin@ATHENA.MIT.EDU +\end{Verbatim} + + +\subsubsection{Install the slave KDCs} +\label{admin/install_kdc:install-the-slave-kdcs} +You are now ready to start configuring the slave KDCs. + +\begin{notice}{note}{Note:} +Assuming you are setting the KDCs up so that you can easily +switch the master KDC with one of the slaves, you should +perform each of these steps on the master KDC as well as the +slave KDCs, unless these instructions specify otherwise. +\end{notice} + + +\paragraph{Create host keytabs for slave KDCs} +\label{admin/install_kdc:slave-host-key}\label{admin/install_kdc:create-host-keytabs-for-slave-kdcs} +Each KDC needs a \code{host} key in the Kerberos database. These keys +are used for mutual authentication when propagating the database dump +file from the master KDC to the secondary KDC servers. + +On the master KDC, connect to administrative interface and create the +host principal for each of the KDCs' \code{host} services. For example, +if the master KDC were called \code{kerberos.mit.edu}, and you had a +slave KDC named \code{kerberos-1.mit.edu}, you would type the following: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kadmin +kadmin: addprinc \PYGZhy{}randkey host/kerberos.mit.edu +NOTICE: no policy specified for \PYGZdq{}host/kerberos.mit.edu@ATHENA.MIT.EDU\PYGZdq{}; assigning \PYGZdq{}default\PYGZdq{} +Principal \PYGZdq{}host/kerberos.mit.edu@ATHENA.MIT.EDU\PYGZdq{} created. + +kadmin: addprinc \PYGZhy{}randkey host/kerberos\PYGZhy{}1.mit.edu +NOTICE: no policy specified for \PYGZdq{}host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU\PYGZdq{}; assigning \PYGZdq{}default\PYGZdq{} +Principal \PYGZdq{}host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU\PYGZdq{} created. +\end{Verbatim} + +It is not strictly necessary to have the master KDC server in the +Kerberos database, but it can be handy if you want to be able to swap +the master KDC with one of the slaves. + +Next, extract \code{host} random keys for all participating KDCs and +store them in each host's default keytab file. Ideally, you should +extract each keytab locally on its own KDC. If this is not feasible, +you should use an encrypted session to send them across the network. +To extract a keytab directly on a slave KDC called +\code{kerberos-1.mit.edu}, you would execute the following command: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: ktadd host/kerberos\PYGZhy{}1.mit.edu +Entry for principal host/kerberos\PYGZhy{}1.mit.edu with kvno 2, encryption + type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab FILE:/etc/krb5.keytab. +Entry for principal host/kerberos\PYGZhy{}1.mit.edu with kvno 2, encryption + type aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab FILE:/etc/krb5.keytab. +Entry for principal host/kerberos\PYGZhy{}1.mit.edu with kvno 2, encryption + type des3\PYGZhy{}cbc\PYGZhy{}sha1 added to keytab FILE:/etc/krb5.keytab. +Entry for principal host/kerberos\PYGZhy{}1.mit.edu with kvno 2, encryption + type arcfour\PYGZhy{}hmac added to keytab FILE:/etc/krb5.keytab. +\end{Verbatim} + +If you are instead extracting a keytab for the slave KDC called +\code{kerberos-1.mit.edu} on the master KDC, you should use a dedicated +temporary keytab file for that machine's keytab: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: ktadd \PYGZhy{}k /tmp/kerberos\PYGZhy{}1.keytab host/kerberos\PYGZhy{}1.mit.edu +Entry for principal host/kerberos\PYGZhy{}1.mit.edu with kvno 2, encryption + type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab FILE:/etc/krb5.keytab. +Entry for principal host/kerberos\PYGZhy{}1.mit.edu with kvno 2, encryption + type aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab FILE:/etc/krb5.keytab. +\end{Verbatim} + +The file \code{/tmp/kerberos-1.keytab} can then be installed as +\code{/etc/krb5.keytab} on the host \code{kerberos-1.mit.edu}. + + +\paragraph{Configure slave KDCs} +\label{admin/install_kdc:configure-slave-kdcs} +Database propagation copies the contents of the master's database, but +does not propagate configuration files, stash files, or the kadm5 ACL +file. The following files must be copied by hand to each slave (see +{\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the default locations for these files): +\begin{itemize} +\item {} +krb5.conf + +\item {} +kdc.conf + +\item {} +kadm5.acl + +\item {} +master key stash file + +\end{itemize} + +Move the copied files into their appropriate directories, exactly as +on the master KDC. kadm5.acl is only needed to allow a slave to swap +with the master KDC. + +The database is propagated from the master KDC to the slave KDCs via +the {\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} daemon. You must explicitly specify the +principals which are allowed to provide Kerberos dump updates on the +slave machine with a new database. Create a file named kpropd.acl in +the KDC state directory containing the \code{host} principals for each of +the KDCs: + +\begin{Verbatim}[commandchars=\\\{\}] +host/kerberos.mit.edu@ATHENA.MIT.EDU +host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU +\end{Verbatim} + +\begin{notice}{note}{Note:} +If you expect that the master and slave KDCs will be +switched at some point of time, list the host principals +from all participating KDC servers in kpropd.acl files on +all of the KDCs. Otherwise, you only need to list the +master KDC's host principal in the kpropd.acl files of the +slave KDCs. +\end{notice} + +Then, add the following line to \code{/etc/inetd.conf} on each KDC +(adjust the path to kpropd): + +\begin{Verbatim}[commandchars=\\\{\}] +krb5\PYGZus{}prop stream tcp nowait root /usr/local/sbin/kpropd kpropd +\end{Verbatim} + +You also need to add the following line to \code{/etc/services} on each +KDC, if it is not already present (assuming that the default port is +used): + +\begin{Verbatim}[commandchars=\\\{\}] +krb5\PYGZus{}prop 754/tcp \PYGZsh{} Kerberos slave propagation +\end{Verbatim} + +Restart inetd daemon. + +Alternatively, start {\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} as a stand-alone daemon. This is +required when incremental propagation is enabled. + +Now that the slave KDC is able to accept database propagation, you’ll +need to propagate the database from the master server. + +NOTE: Do not start the slave KDC yet; you still do not have a copy of +the master's database. + + +\paragraph{Propagate the database to each slave KDC} +\label{admin/install_kdc:kprop-to-slaves}\label{admin/install_kdc:propagate-the-database-to-each-slave-kdc} +First, create a dump file of the database on the master KDC, as +follows: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}util dump /usr/local/var/krb5kdc/slave\PYGZus{}datatrans +\end{Verbatim} + +Then, manually propagate the database to each slave KDC, as in the +following example: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kprop \PYGZhy{}f /usr/local/var/krb5kdc/slave\PYGZus{}datatrans kerberos\PYGZhy{}1.mit.edu + +Database propagation to kerberos\PYGZhy{}1.mit.edu: SUCCEEDED +\end{Verbatim} + +You will need a script to dump and propagate the database. The +following is an example of a Bourne shell script that will do this. + +\begin{notice}{note}{Note:} +Remember that you need to replace \code{/usr/local/var/krb5kdc} +with the name of the KDC state directory. +\end{notice} + +\begin{Verbatim}[commandchars=\\\{\}] +\PYGZsh{}!/bin/sh + +kdclist = \PYGZdq{}kerberos\PYGZhy{}1.mit.edu kerberos\PYGZhy{}2.mit.edu\PYGZdq{} + +kdb5\PYGZus{}util dump /usr/local/var/krb5kdc/slave\PYGZus{}datatrans + +for kdc in \PYGZdl{}kdclist +do + kprop \PYGZhy{}f /usr/local/var/krb5kdc/slave\PYGZus{}datatrans \PYGZdl{}kdc +done +\end{Verbatim} + +You will need to set up a cron job to run this script at the intervals +you decided on earlier (see {\hyperref[admin/realm_config:db-prop]{\emph{Database propagation}}}). + +Now that the slave KDC has a copy of the Kerberos database, you can +start the krb5kdc daemon: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5kdc} +\end{Verbatim} + +As with the master KDC, you will probably want to add this command to +the KDCs' \code{/etc/rc} or \code{/etc/inittab} files, so they will start +the krb5kdc daemon automatically at boot time. + + +\subparagraph{Propagation failed?} +\label{admin/install_kdc:propagation-failed} +You may encounter the following error messages. For a more detailed +discussion on possible causes and solutions click on the error link +to be redirected to {\hyperref[admin/troubleshoot:troubleshoot]{\emph{Troubleshooting}}} section. +\begin{enumerate} +\item {} +{\hyperref[admin/troubleshoot:kprop-no-route]{\emph{kprop: No route to host while connecting to server}}} + +\item {} +{\hyperref[admin/troubleshoot:kprop-con-refused]{\emph{kprop: Connection refused while connecting to server}}} + +\item {} +{\hyperref[admin/troubleshoot:kprop-sendauth-exchange]{\emph{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server}}} + +\end{enumerate} + + +\subsubsection{Add Kerberos principals to the database} +\label{admin/install_kdc:add-kerberos-principals-to-the-database} +Once your KDCs are set up and running, you are ready to use +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} to load principals for your users, hosts, and other +services into the Kerberos database. This procedure is described +fully in {\hyperref[admin/database:add-mod-del-princs]{\emph{Adding, modifying and deleting principals}}}. + +You may occasionally want to use one of your slave KDCs as the master. +This might happen if you are upgrading the master KDC, or if your +master KDC has a disk crash. See the following section for the +instructions. + + +\subsubsection{Switching master and slave KDCs} +\label{admin/install_kdc:switching-master-and-slave-kdcs}\label{admin/install_kdc:switch-master-slave} +You may occasionally want to use one of your slave KDCs as the master. +This might happen if you are upgrading the master KDC, or if your +master KDC has a disk crash. + +Assuming you have configured all of your KDCs to be able to function +as either the master KDC or a slave KDC (as this document recommends), +all you need to do to make the changeover is: + +If the master KDC is still running, do the following on the \emph{old} +master KDC: +\begin{enumerate} +\item {} +Kill the kadmind process. + +\item {} +Disable the cron job that propagates the database. + +\item {} +Run your database propagation script manually, to ensure that the +slaves all have the latest copy of the database (see +{\hyperref[admin/install_kdc:kprop-to-slaves]{\emph{Propagate the database to each slave KDC}}}). + +\end{enumerate} + +On the \emph{new} master KDC: +\begin{enumerate} +\item {} +Start the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon (see {\hyperref[admin/install_kdc:start-kdc-daemons]{\emph{Start the Kerberos daemons on the master KDC}}}). + +\item {} +Set up the cron job to propagate the database (see +{\hyperref[admin/install_kdc:kprop-to-slaves]{\emph{Propagate the database to each slave KDC}}}). + +\item {} +Switch the CNAMEs of the old and new master KDCs. If you can't do +this, you'll need to change the {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file on every +client machine in your Kerberos realm. + +\end{enumerate} + + +\subsubsection{Incremental database propagation} +\label{admin/install_kdc:incremental-database-propagation} +If you expect your Kerberos database to become large, you may wish to +set up incremental propagation to slave KDCs. See {\hyperref[admin/database:incr-db-prop]{\emph{Incremental database propagation}}} +for details. + + +\subsection{Installing and configuring UNIX client machines} +\label{admin/install_clients:installing-and-configuring-unix-client-machines}\label{admin/install_clients::doc} +The Kerberized client programs include \emph{kinit(1)}, +\emph{klist(1)}, \emph{kdestroy(1)}, and \emph{kpasswd(1)}. All of +these programs are in the directory {\hyperref[mitK5defaults:paths]{\emph{BINDIR}}}. + +You can often integrate Kerberos with the login system on client +machines, typically through the use of PAM. The details vary by +operating system, and should be covered in your operating system's +documentation. If you do this, you will need to make sure your users +know to use their Kerberos passwords when they log in. + +You will also need to educate your users to use the ticket management +programs kinit, klist, and kdestroy. If you do not have Kerberos +password changing integrated into the native password program (again, +typically through PAM), you will need to educate users to use kpasswd +in place of its non-Kerberos counterparts passwd. + + +\subsubsection{Client machine configuration files} +\label{admin/install_clients:client-machine-configuration-files} +Each machine running Kerberos should have a {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file. +At a minimum, it should define a \textbf{default\_realm} setting in +{\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}}. If you are not using DNS SRV records +({\hyperref[admin/realm_config:kdc-hostnames]{\emph{Hostnames for KDCs}}}) or URI records ({\hyperref[admin/realm_config:kdc-discovery]{\emph{KDC Discovery}}}), it must +also contain a {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} section containing information for your +realm's KDCs. + +Consider setting \textbf{rdns} to false in order to reduce your dependence +on precisely correct DNS information for service hostnames. Turning +this flag off means that service hostnames will be canonicalized +through forward name resolution (which adds your domain name to +unqualified hostnames, and resolves CNAME records in DNS), but not +through reverse address lookup. The default value of this flag is +true for historical reasons only. + +If you anticipate users frequently logging into remote hosts +(e.g., using ssh) using forwardable credentials, consider setting +\textbf{forwardable} to true so that users obtain forwardable tickets by +default. Otherwise users will need to use \code{kinit -f} to get +forwardable tickets. + +Consider adjusting the \textbf{ticket\_lifetime} setting to match the likely +length of sessions for your users. For instance, if most of your +users will be logging in for an eight-hour workday, you could set the +default to ten hours so that tickets obtained in the morning expire +shortly after the end of the workday. Users can still manually +request longer tickets when necessary, up to the maximum allowed by +each user's principal record on the KDC. + +If a client host may access services in different realms, it may be +useful to define a {\hyperref[admin/conf_files/krb5_conf:domain-realm]{\emph{{[}domain\_realm{]}}}} mapping so that clients know +which hosts belong to which realms. However, if your clients and KDC +are running release 1.7 or later, it is also reasonable to leave this +section out on client machines and just define it in the KDC's +krb5.conf. + + +\subsection{UNIX Application Servers} +\label{admin/install_appl_srv:unix-application-servers}\label{admin/install_appl_srv::doc} +An application server is a host that provides one or more services +over the network. Application servers can be ``secure'' or ``insecure.'' +A ``secure'' host is set up to require authentication from every client +connecting to it. An ``insecure'' host will still provide Kerberos +authentication, but will also allow unauthenticated clients to +connect. + +If you have Kerberos V5 installed on all of your client machines, MIT +recommends that you make your hosts secure, to take advantage of the +security that Kerberos authentication affords. However, if you have +some clients that do not have Kerberos V5 installed, you can run an +insecure server, and still take advantage of Kerberos V5's single +sign-on capability. + + +\subsubsection{The keytab file} +\label{admin/install_appl_srv:the-keytab-file}\label{admin/install_appl_srv:keytab-file} +All Kerberos server machines need a keytab file to authenticate to the +KDC. By default on UNIX-like systems this file is named {\hyperref[mitK5defaults:paths]{\emph{DEFKTNAME}}}. +The keytab file is an local copy of the host's key. The keytab file +is a potential point of entry for a break-in, and if compromised, +would allow unrestricted access to its host. The keytab file should +be readable only by root, and should exist only on the machine's local +disk. The file should not be part of any backup of the machine, +unless access to the backup data is secured as tightly as access to +the machine's root password. + +In order to generate a keytab for a host, the host must have a +principal in the Kerberos database. The procedure for adding hosts to +the database is described fully in {\hyperref[admin/database:add-mod-del-princs]{\emph{Adding, modifying and deleting principals}}}. (See +{\hyperref[admin/install_kdc:slave-host-key]{\emph{Create host keytabs for slave KDCs}}} for a brief description.) The keytab is +generated by running {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} and issuing the {\hyperref[admin/admin_commands/kadmin_local:ktadd]{\emph{ktadd}}} +command. + +For example, to generate a keytab file to allow the host +\code{trillium.mit.edu} to authenticate for the services host, ftp, and +pop, the administrator \code{joeadmin} would issue the command (on +\code{trillium.mit.edu}): + +\begin{Verbatim}[commandchars=\\\{\}] +trillium\PYGZpc{} kadmin +kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu + pop/trillium.mit.edu +kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with + kvno 3, encryption type DES\PYGZhy{}CBC\PYGZhy{}CRC added to keytab + FILE:/etc/krb5.keytab. +kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with + kvno 3, encryption type DES\PYGZhy{}CBC\PYGZhy{}CRC added to keytab + FILE:/etc/krb5.keytab. +kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with + kvno 3, encryption type DES\PYGZhy{}CBC\PYGZhy{}CRC added to keytab + FILE:/etc/krb5.keytab. +kadmin5: quit +trillium\PYGZpc{} +\end{Verbatim} + +If you generate the keytab file on another host, you need to get a +copy of the keytab file onto the destination host (\code{trillium}, in +the above example) without sending it unencrypted over the network. + + +\subsubsection{Some advice about secure hosts} +\label{admin/install_appl_srv:some-advice-about-secure-hosts} +Kerberos V5 can protect your host from certain types of break-ins, but +it is possible to install Kerberos V5 and still leave your host +vulnerable to attack. Obviously an installation guide is not the +place to try to include an exhaustive list of countermeasures for +every possible attack, but it is worth noting some of the larger holes +and how to close them. + +We recommend that backups of secure machines exclude the keytab file +({\hyperref[mitK5defaults:paths]{\emph{DEFKTNAME}}}). If this is not possible, the backups should at least be +done locally, rather than over a network, and the backup tapes should +be physically secured. + +The keytab file and any programs run by root, including the Kerberos +V5 binaries, should be kept on local disk. The keytab file should be +readable only by root. + + +\section{Additional references} +\label{admin/install:additional-references}\begin{enumerate} +\item {} +Debian: \href{http://techpubs.spinlocksolutions.com/dklar/kerberos.html}{Setting up MIT Kerberos 5} + +\item {} +Solaris: \href{http://download.oracle.com/docs/cd/E19253-01/816-4557/6maosrjv2/index.html}{Configuring the Kerberos Service} + +\end{enumerate} + + +\chapter{Configuration Files} +\label{admin/conf_files/index:configuration-files}\label{admin/conf_files/index::doc} +Kerberos uses configuration files to allow administrators to specify +settings on a per-machine basis. {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} applies to all +applications using the Kerboros library, on clients and servers. +For KDC-specific applications, additional settings can be specified in +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}; the two files are merged into a configuration profile +used by applications accessing the KDC database directly. {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}} +is also only used on the KDC, it controls permissions for modifying the +KDC database. + + +\section{Contents} +\label{admin/conf_files/index:contents} + +\subsection{krb5.conf} +\label{admin/conf_files/krb5_conf::doc}\label{admin/conf_files/krb5_conf:krb5-conf}\label{admin/conf_files/krb5_conf:krb5-conf-5} +The krb5.conf file contains Kerberos configuration information, +including the locations of KDCs and admin servers for the Kerberos +realms of interest, defaults for the current realm and for Kerberos +applications, and mappings of hostnames onto Kerberos realms. +Normally, you should install your krb5.conf file in the directory +\code{/etc}. You can override the default location by setting the +environment variable \textbf{KRB5\_CONFIG}. Multiple colon-separated +filenames may be specified in \textbf{KRB5\_CONFIG}; all files which are +present will be read. Starting in release 1.14, directory names can +also be specified in \textbf{KRB5\_CONFIG}; all files within the directory +whose names consist solely of alphanumeric characters, dashes, or +underscores will be read. + + +\subsubsection{Structure} +\label{admin/conf_files/krb5_conf:structure} +The krb5.conf file is set up in the style of a Windows INI file. +Sections are headed by the section name, in square brackets. Each +section may contain zero or more relations, of the form: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{foo} \PYG{o}{=} \PYG{n}{bar} +\end{Verbatim} + +or: + +\begin{Verbatim}[commandchars=\\\{\}] +fubar = \PYGZob{} + foo = bar + baz = quux +\PYGZcb{} +\end{Verbatim} + +Placing a `*' at the end of a line indicates that this is the \emph{final} +value for the tag. This means that neither the remainder of this +configuration file nor any other configuration file will be checked +for any other values for this tag. + +For example, if you have the following lines: + +\begin{Verbatim}[commandchars=\\\{\}] +foo = bar* +foo = baz +\end{Verbatim} + +then the second value of \code{foo} (\code{baz}) would never be read. + +The krb5.conf file can include other files using either of the +following directives at the beginning of a line: + +\begin{Verbatim}[commandchars=\\\{\}] +include FILENAME +includedir DIRNAME +\end{Verbatim} + +\emph{FILENAME} or \emph{DIRNAME} should be an absolute path. The named file or +directory must exist and be readable. Including a directory includes +all files within the directory whose names consist solely of +alphanumeric characters, dashes, or underscores. Starting in release +1.15, files with names ending in ''.conf'' are also included. Included +profile files are syntactically independent of their parents, so each +included file must begin with a section header. + +The krb5.conf file can specify that configuration should be obtained +from a loadable module, rather than the file itself, using the +following directive at the beginning of a line before any section +headers: + +\begin{Verbatim}[commandchars=\\\{\}] +module MODULEPATH:RESIDUAL +\end{Verbatim} + +\emph{MODULEPATH} may be relative to the library path of the krb5 +installation, or it may be an absolute path. \emph{RESIDUAL} is provided +to the module at initialization time. If krb5.conf uses a module +directive, {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} should also use one if it exists. + + +\subsubsection{Sections} +\label{admin/conf_files/krb5_conf:sections} +The krb5.conf file may contain the following sections: + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +{\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} + & +Settings used by the Kerberos V5 library +\\ +\hline +{\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} + & +Realm-specific contact information and settings +\\ +\hline +{\hyperref[admin/conf_files/krb5_conf:domain-realm]{\emph{{[}domain\_realm{]}}}} + & +Maps server hostnames to Kerberos realms +\\ +\hline +{\hyperref[admin/conf_files/krb5_conf:capaths]{\emph{{[}capaths{]}}}} + & +Authentication paths for non-hierarchical cross-realm +\\ +\hline +{\hyperref[admin/conf_files/krb5_conf:appdefaults]{\emph{{[}appdefaults{]}}}} + & +Settings used by some Kerberos V5 applications +\\ +\hline +{\hyperref[admin/conf_files/krb5_conf:plugins]{\emph{{[}plugins{]}}}} + & +Controls plugin module registration +\\ +\hline\end{tabulary} + + +Additionally, krb5.conf may include any of the relations described in +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}, but it is not a recommended practice. + + +\paragraph{{[}libdefaults{]}} +\label{admin/conf_files/krb5_conf:libdefaults}\label{admin/conf_files/krb5_conf:id1} +The libdefaults section may contain any of the following relations: +\begin{description} +\item[{\textbf{allow\_weak\_crypto}}] \leavevmode +If this flag is set to false, then weak encryption types (as noted +in {\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}) will be filtered +out of the lists \textbf{default\_tgs\_enctypes}, +\textbf{default\_tkt\_enctypes}, and \textbf{permitted\_enctypes}. The default +value for this tag is false, which may cause authentication +failures in existing Kerberos infrastructures that do not support +strong crypto. Users in affected environments should set this tag +to true until their infrastructure adopts stronger ciphers. + +\item[{\textbf{ap\_req\_checksum\_type}}] \leavevmode +An integer which specifies the type of AP-REQ checksum to use in +authenticators. This variable should be unset so the appropriate +checksum for the encryption key in use will be used. This can be +set if backward compatibility requires a specific checksum type. +See the \textbf{kdc\_req\_checksum\_type} configuration option for the +possible values and their meanings. + +\item[{\textbf{canonicalize}}] \leavevmode +If this flag is set to true, initial ticket requests to the KDC +will request canonicalization of the client principal name, and +answers with different client principals than the requested +principal will be accepted. The default value is false. + +\item[{\textbf{ccache\_type}}] \leavevmode +This parameter determines the format of credential cache types +created by \emph{kinit(1)} or other programs. The default value +is 4, which represents the most current format. Smaller values +can be used for compatibility with very old implementations of +Kerberos which interact with credential caches on the same host. + +\item[{\textbf{clockskew}}] \leavevmode +Sets the maximum allowable amount of clockskew in seconds that the +library will tolerate before assuming that a Kerberos message is +invalid. The default value is 300 seconds, or five minutes. + +The clockskew setting is also used when evaluating ticket start +and expiration times. For example, tickets that have reached +their expiration time can still be used (and renewed if they are +renewable tickets) if they have been expired for a shorter +duration than the \textbf{clockskew} setting. + +\item[{\textbf{default\_ccache\_name}}] \leavevmode +This relation specifies the name of the default credential cache. +The default is {\hyperref[mitK5defaults:paths]{\emph{DEFCCNAME}}}. This relation is subject to parameter +expansion (see below). New in release 1.11. + +\item[{\textbf{default\_client\_keytab\_name}}] \leavevmode +This relation specifies the name of the default keytab for +obtaining client credentials. The default is {\hyperref[mitK5defaults:paths]{\emph{DEFCKTNAME}}}. This +relation is subject to parameter expansion (see below). +New in release 1.11. + +\item[{\textbf{default\_keytab\_name}}] \leavevmode +This relation specifies the default keytab name to be used by +application servers such as sshd. The default is {\hyperref[mitK5defaults:paths]{\emph{DEFKTNAME}}}. This +relation is subject to parameter expansion (see below). + +\item[{\textbf{default\_realm}}] \leavevmode +Identifies the default Kerberos realm for the client. Set its +value to your Kerberos realm. If this value is not set, then a +realm must be specified with every Kerberos principal when +invoking programs such as \emph{kinit(1)}. + +\item[{\textbf{default\_tgs\_enctypes}}] \leavevmode +Identifies the supported list of session key encryption types that +the client should request when making a TGS-REQ, in order of +preference from highest to lowest. The list may be delimited with +commas or whitespace. See {\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}} in +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of the accepted values for this tag. +The default value is \code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types +will be implicitly removed from this list if the value of +\textbf{allow\_weak\_crypto} is false. + +Do not set this unless required for specific backward +compatibility purposes; stale values of this setting can prevent +clients from taking advantage of new stronger enctypes when the +libraries are upgraded. + +\item[{\textbf{default\_tkt\_enctypes}}] \leavevmode +Identifies the supported list of session key encryption types that +the client should request when making an AS-REQ, in order of +preference from highest to lowest. The format is the same as for +default\_tgs\_enctypes. The default value for this tag is +\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types will be implicitly +removed from this list if the value of \textbf{allow\_weak\_crypto} is +false. + +Do not set this unless required for specific backward +compatibility purposes; stale values of this setting can prevent +clients from taking advantage of new stronger enctypes when the +libraries are upgraded. + +\item[{\textbf{dns\_canonicalize\_hostname}}] \leavevmode +Indicate whether name lookups will be used to canonicalize +hostnames for use in service principal names. Setting this flag +to false can improve security by reducing reliance on DNS, but +means that short hostnames will not be canonicalized to +fully-qualified hostnames. The default value is true. + +\item[{\textbf{dns\_lookup\_kdc}}] \leavevmode +Indicate whether DNS SRV records should be used to locate the KDCs +and other servers for a realm, if they are not listed in the +krb5.conf information for the realm. (Note that the admin\_server +entry must be in the krb5.conf realm information in order to +contact kadmind, because the DNS implementation for kadmin is +incomplete.) + +Enabling this option does open up a type of denial-of-service +attack, if someone spoofs the DNS records and redirects you to +another server. However, it's no worse than a denial of service, +because that fake KDC will be unable to decode anything you send +it (besides the initial ticket request, which has no encrypted +data), and anything the fake KDC sends will not be trusted without +verification using some secret that it won't know. + +\item[{\textbf{dns\_uri\_lookup}}] \leavevmode +Indicate whether DNS URI records should be used to locate the KDCs +and other servers for a realm, if they are not listed in the +krb5.conf information for the realm. SRV records are used as a +fallback if no URI records were found. The default value is true. +New in release 1.15. + +\item[{\textbf{err\_fmt}}] \leavevmode +This relation allows for custom error message formatting. If a +value is set, error messages will be formatted by substituting a +normal error message for \%M and an error code for \%C in the value. + +\item[{\textbf{extra\_addresses}}] \leavevmode +This allows a computer to use multiple local addresses, in order +to allow Kerberos to work in a network that uses NATs while still +using address-restricted tickets. The addresses should be in a +comma-separated list. This option has no effect if +\textbf{noaddresses} is true. + +\item[{\textbf{forwardable}}] \leavevmode +If this flag is true, initial tickets will be forwardable by +default, if allowed by the KDC. The default value is false. + +\item[{\textbf{ignore\_acceptor\_hostname}}] \leavevmode +When accepting GSSAPI or krb5 security contexts for host-based +service principals, ignore any hostname passed by the calling +application, and allow clients to authenticate to any service +principal in the keytab matching the service name and realm name +(if given). This option can improve the administrative +flexibility of server applications on multihomed hosts, but could +compromise the security of virtual hosting environments. The +default value is false. New in release 1.10. + +\item[{\textbf{k5login\_authoritative}}] \leavevmode +If this flag is true, principals must be listed in a local user's +k5login file to be granted login access, if a \emph{.k5login(5)} +file exists. If this flag is false, a principal may still be +granted login access through other mechanisms even if a k5login +file exists but does not list the principal. The default value is +true. + +\item[{\textbf{k5login\_directory}}] \leavevmode +If set, the library will look for a local user's k5login file +within the named directory, with a filename corresponding to the +local username. If not set, the library will look for k5login +files in the user's home directory, with the filename .k5login. +For security reasons, .k5login files must be owned by +the local user or by root. + +\item[{\textbf{kcm\_mach\_service}}] \leavevmode +On OS X only, determines the name of the bootstrap service used to +contact the KCM daemon for the KCM credential cache type. If the +value is \code{-}, Mach RPC will not be used to contact the KCM +daemon. The default value is \code{org.h5l.kcm}. + +\item[{\textbf{kcm\_socket}}] \leavevmode +Determines the path to the Unix domain socket used to access the +KCM daemon for the KCM credential cache type. If the value is +\code{-}, Unix domain sockets will not be used to contact the KCM +daemon. The default value is +\code{/var/run/.heim\_org.h5l.kcm-socket}. + +\item[{\textbf{kdc\_default\_options}}] \leavevmode +Default KDC options (Xored for multiple values) when requesting +initial tickets. By default it is set to 0x00000010 +(KDC\_OPT\_RENEWABLE\_OK). + +\item[{\textbf{kdc\_timesync}}] \leavevmode +Accepted values for this relation are 1 or 0. If it is nonzero, +client machines will compute the difference between their time and +the time returned by the KDC in the timestamps in the tickets and +use this value to correct for an inaccurate system clock when +requesting service tickets or authenticating to services. This +corrective factor is only used by the Kerberos library; it is not +used to change the system clock. The default value is 1. + +\item[{\textbf{kdc\_req\_checksum\_type}}] \leavevmode +An integer which specifies the type of checksum to use for the KDC +requests, for compatibility with very old KDC implementations. +This value is only used for DES keys; other keys use the preferred +checksum type for those keys. + +The possible values and their meanings are as follows. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +1 + & +CRC32 +\\ +\hline +2 + & +RSA MD4 +\\ +\hline +3 + & +RSA MD4 DES +\\ +\hline +4 + & +DES CBC +\\ +\hline +7 + & +RSA MD5 +\\ +\hline +8 + & +RSA MD5 DES +\\ +\hline +9 + & +NIST SHA +\\ +\hline +12 + & +HMAC SHA1 DES3 +\\ +\hline +-138 + & +Microsoft MD5 HMAC checksum type +\\ +\hline\end{tabulary} + + +\item[{\textbf{noaddresses}}] \leavevmode +If this flag is true, requests for initial tickets will not be +made with address restrictions set, allowing the tickets to be +used across NATs. The default value is true. + +\item[{\textbf{permitted\_enctypes}}] \leavevmode +Identifies all encryption types that are permitted for use in +session key encryption. The default value for this tag is +\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types will be implicitly +removed from this list if the value of \textbf{allow\_weak\_crypto} is +false. + +\item[{\textbf{plugin\_base\_dir}}] \leavevmode +If set, determines the base directory where krb5 plugins are +located. The default value is the \code{krb5/plugins} subdirectory +of the krb5 library directory. + +\item[{\textbf{preferred\_preauth\_types}}] \leavevmode +This allows you to set the preferred preauthentication types which +the client will attempt before others which may be advertised by a +KDC. The default value for this setting is ``17, 16, 15, 14'', +which forces libkrb5 to attempt to use PKINIT if it is supported. + +\item[{\textbf{proxiable}}] \leavevmode +If this flag is true, initial tickets will be proxiable by +default, if allowed by the KDC. The default value is false. + +\item[{\textbf{rdns}}] \leavevmode +If this flag is true, reverse name lookup will be used in addition +to forward name lookup to canonicalizing hostnames for use in +service principal names. If \textbf{dns\_canonicalize\_hostname} is set +to false, this flag has no effect. The default value is true. + +\item[{\textbf{realm\_try\_domains}}] \leavevmode +Indicate whether a host's domain components should be used to +determine the Kerberos realm of the host. The value of this +variable is an integer: -1 means not to search, 0 means to try the +host's domain itself, 1 means to also try the domain's immediate +parent, and so forth. The library's usual mechanism for locating +Kerberos realms is used to determine whether a domain is a valid +realm, which may involve consulting DNS if \textbf{dns\_lookup\_kdc} is +set. The default is not to search domain components. + +\item[{\textbf{renew\_lifetime}}] \leavevmode +(\emph{duration} string.) Sets the default renewable lifetime +for initial ticket requests. The default value is 0. + +\item[{\textbf{safe\_checksum\_type}}] \leavevmode +An integer which specifies the type of checksum to use for the +KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For +compatibility with applications linked against DCE version 1.1 or +earlier Kerberos libraries, use a value of 3 to use the RSA MD4 +DES instead. This field is ignored when its value is incompatible +with the session key type. See the \textbf{kdc\_req\_checksum\_type} +configuration option for the possible values and their meanings. + +\item[{\textbf{ticket\_lifetime}}] \leavevmode +(\emph{duration} string.) Sets the default lifetime for initial +ticket requests. The default value is 1 day. + +\item[{\textbf{udp\_preference\_limit}}] \leavevmode +When sending a message to the KDC, the library will try using TCP +before UDP if the size of the message is above +\textbf{udp\_preference\_limit}. If the message is smaller than +\textbf{udp\_preference\_limit}, then UDP will be tried before TCP. +Regardless of the size, both protocols will be tried if the first +attempt fails. + +\item[{\textbf{verify\_ap\_req\_nofail}}] \leavevmode +If this flag is true, then an attempt to verify initial +credentials will fail if the client machine does not have a +keytab. The default value is false. + +\end{description} + + +\paragraph{{[}realms{]}} +\label{admin/conf_files/krb5_conf:id2}\label{admin/conf_files/krb5_conf:realms} +Each tag in the {[}realms{]} section of the file is the name of a Kerberos +realm. The value of the tag is a subsection with relations that +define the properties of that particular realm. For each realm, the +following tags may be specified in the realm's subsection: +\begin{description} +\item[{\textbf{admin\_server}}] \leavevmode +Identifies the host where the administration server is running. +Typically, this is the master Kerberos server. This tag must be +given a value in order to communicate with the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} +server for the realm. + +\item[{\textbf{auth\_to\_local}}] \leavevmode +This tag allows you to set a general rule for mapping principal +names to local user names. It will be used if there is not an +explicit mapping for the principal name that is being +translated. The possible values are: +\begin{description} +\item[{\textbf{RULE:}\emph{exp}}] \leavevmode +The local name will be formulated from \emph{exp}. + +The format for \emph{exp} is \textbf{{[}}\emph{n}\textbf{:}\emph{string}\textbf{{]}(}\emph{regexp}\textbf{)s/}\emph{pattern}\textbf{/}\emph{replacement}\textbf{/g}. +The integer \emph{n} indicates how many components the target +principal should have. If this matches, then a string will be +formed from \emph{string}, substituting the realm of the principal +for \code{\$0} and the \emph{n}`th component of the principal for +\code{\$n} (e.g., if the principal was \code{johndoe/admin} then +\code{{[}2:\$2\$1foo{]}} would result in the string +\code{adminjohndoefoo}). If this string matches \emph{regexp}, then +the \code{s//{[}g{]}} substitution command will be run over the +string. The optional \textbf{g} will cause the substitution to be +global over the \emph{string}, instead of replacing only the first +match in the \emph{string}. + +\item[{\textbf{DEFAULT}}] \leavevmode +The principal name will be used as the local user name. If +the principal has more than one component or is not in the +default realm, this rule is not applicable and the conversion +will fail. + +\end{description} + +For example: + +\begin{Verbatim}[commandchars=\\\{\}] +[realms] + ATHENA.MIT.EDU = \PYGZob{} + auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}1](johndoe)s/\PYGZca{}.*\PYGZdl{}/guest/ + auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}1;\PYGZdl{}2](\PYGZca{}.*;admin\PYGZdl{})s/;admin\PYGZdl{}// + auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}2](\PYGZca{}.*;root)s/\PYGZca{}.*\PYGZdl{}/root/ + auto\PYGZus{}to\PYGZus{}local = DEFAULT + \PYGZcb{} +\end{Verbatim} + +would result in any principal without \code{root} or \code{admin} as the +second component to be translated with the default rule. A +principal with a second component of \code{admin} will become its +first component. \code{root} will be used as the local name for any +principal with a second component of \code{root}. The exception to +these two rules are any principals \code{johndoe/*}, which will +always get the local name \code{guest}. + +\item[{\textbf{auth\_to\_local\_names}}] \leavevmode +This subsection allows you to set explicit mappings from principal +names to local user names. The tag is the mapping name, and the +value is the corresponding local user name. + +\item[{\textbf{default\_domain}}] \leavevmode +This tag specifies the domain used to expand hostnames when +translating Kerberos 4 service principals to Kerberos 5 principals +(for example, when converting \code{rcmd.hostname} to +\code{host/hostname.domain}). + +\item[{\textbf{http\_anchors}}] \leavevmode +When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag +can be used to specify the location of the CA certificate which should be +trusted to issue the certificate for a proxy server. If left unspecified, +the system-wide default set of CA certificates is used. + +The syntax for values is similar to that of values for the +\textbf{pkinit\_anchors} tag: + +\textbf{FILE:} \emph{filename} + +\emph{filename} is assumed to be the name of an OpenSSL-style ca-bundle file. + +\textbf{DIR:} \emph{dirname} + +\emph{dirname} is assumed to be an directory which contains CA certificates. +All files in the directory will be examined; if they contain certificates +(in PEM format), they will be used. + +\textbf{ENV:} \emph{envvar} + +\emph{envvar} specifies the name of an environment variable which has been set +to a value conforming to one of the previous values. For example, +\code{ENV:X509\_PROXY\_CA}, where environment variable \code{X509\_PROXY\_CA} has +been set to \code{FILE:/tmp/my\_proxy.pem}. + +\item[{\textbf{kdc}}] \leavevmode +The name or address of a host running a KDC for that realm. An +optional port number, separated from the hostname by a colon, may +be included. If the name or address contains colons (for example, +if it is an IPv6 address), enclose it in square brackets to +distinguish the colon from a port separator. For your computer to +be able to communicate with the KDC for each realm, this tag must +be given a value in each realm subsection in the configuration +file, or there must be DNS SRV records specifying the KDCs. + +\item[{\textbf{kpasswd\_server}}] \leavevmode +Points to the server where all the password changes are performed. +If there is no such entry, the port 464 on the \textbf{admin\_server} +host will be tried. + +\item[{\textbf{master\_kdc}}] \leavevmode +Identifies the master KDC(s). Currently, this tag is used in only +one case: If an attempt to get credentials fails because of an +invalid password, the client software will attempt to contact the +master KDC, in case the user's password has just been changed, and +the updated database has not been propagated to the slave servers +yet. + +\item[{\textbf{v4\_instance\_convert}}] \leavevmode +This subsection allows the administrator to configure exceptions +to the \textbf{default\_domain} mapping rule. It contains V4 instances +(the tag name) which should be translated to some specific +hostname (the tag value) as the second component in a Kerberos V5 +principal name. + +\item[{\textbf{v4\_realm}}] \leavevmode +This relation is used by the krb524 library routines when +converting a V5 principal name to a V4 principal name. It is used +when the V4 realm name and the V5 realm name are not the same, but +still share the same principal names and passwords. The tag value +is the Kerberos V4 realm name. + +\end{description} + + +\paragraph{{[}domain\_realm{]}} +\label{admin/conf_files/krb5_conf:id3}\label{admin/conf_files/krb5_conf:domain-realm} +The {[}domain\_realm{]} section provides a translation from a domain name +or hostname to a Kerberos realm name. The tag name can be a host name +or domain name, where domain names are indicated by a prefix of a +period (\code{.}). The value of the relation is the Kerberos realm name +for that particular host or domain. A host name relation implicitly +provides the corresponding domain name relation, unless an explicit domain +name relation is provided. The Kerberos realm may be +identified either in the {\hyperref[admin/conf_files/krb5_conf:realms]{realms}} section or using DNS SRV records. +Host names and domain names should be in lower case. For example: + +\begin{Verbatim}[commandchars=\\\{\}] +[domain\PYGZus{}realm] + crash.mit.edu = TEST.ATHENA.MIT.EDU + .dev.mit.edu = TEST.ATHENA.MIT.EDU + mit.edu = ATHENA.MIT.EDU +\end{Verbatim} + +maps the host with the name \code{crash.mit.edu} into the +\code{TEST.ATHENA.MIT.EDU} realm. The second entry maps all hosts under the +domain \code{dev.mit.edu} into the \code{TEST.ATHENA.MIT.EDU} realm, but not +the host with the name \code{dev.mit.edu}. That host is matched +by the third entry, which maps the host \code{mit.edu} and all hosts +under the domain \code{mit.edu} that do not match a preceding rule +into the realm \code{ATHENA.MIT.EDU}. + +If no translation entry applies to a hostname used for a service +principal for a service ticket request, the library will try to get a +referral to the appropriate realm from the client realm's KDC. If +that does not succeed, the host's realm is considered to be the +hostname's domain portion converted to uppercase, unless the +\textbf{realm\_try\_domains} setting in {[}libdefaults{]} causes a different +parent domain to be used. + + +\paragraph{{[}capaths{]}} +\label{admin/conf_files/krb5_conf:id4}\label{admin/conf_files/krb5_conf:capaths} +In order to perform direct (non-hierarchical) cross-realm +authentication, configuration is needed to determine the +authentication paths between realms. + +A client will use this section to find the authentication path between +its realm and the realm of the server. The server will use this +section to verify the authentication path used by the client, by +checking the transited field of the received ticket. + +There is a tag for each participating client realm, and each tag has +subtags for each of the server realms. The value of the subtags is an +intermediate realm which may participate in the cross-realm +authentication. The subtags may be repeated if there is more then one +intermediate realm. A value of ''.'' means that the two realms share +keys directly, and no intermediate realms should be allowed to +participate. + +Only those entries which will be needed on the client or the server +need to be present. A client needs a tag for its local realm with +subtags for all the realms of servers it will need to authenticate to. +A server needs a tag for each realm of the clients it will serve, with +a subtag of the server realm. + +For example, \code{ANL.GOV}, \code{PNL.GOV}, and \code{NERSC.GOV} all wish to +use the \code{ES.NET} realm as an intermediate realm. ANL has a sub +realm of \code{TEST.ANL.GOV} which will authenticate with \code{NERSC.GOV} +but not \code{PNL.GOV}. The {[}capaths{]} section for \code{ANL.GOV} systems +would look like this: + +\begin{Verbatim}[commandchars=\\\{\}] +[capaths] + ANL.GOV = \PYGZob{} + TEST.ANL.GOV = . + PNL.GOV = ES.NET + NERSC.GOV = ES.NET + ES.NET = . + \PYGZcb{} + TEST.ANL.GOV = \PYGZob{} + ANL.GOV = . + \PYGZcb{} + PNL.GOV = \PYGZob{} + ANL.GOV = ES.NET + \PYGZcb{} + NERSC.GOV = \PYGZob{} + ANL.GOV = ES.NET + \PYGZcb{} + ES.NET = \PYGZob{} + ANL.GOV = . + \PYGZcb{} +\end{Verbatim} + +The {[}capaths{]} section of the configuration file used on \code{NERSC.GOV} +systems would look like this: + +\begin{Verbatim}[commandchars=\\\{\}] +[capaths] + NERSC.GOV = \PYGZob{} + ANL.GOV = ES.NET + TEST.ANL.GOV = ES.NET + TEST.ANL.GOV = ANL.GOV + PNL.GOV = ES.NET + ES.NET = . + \PYGZcb{} + ANL.GOV = \PYGZob{} + NERSC.GOV = ES.NET + \PYGZcb{} + PNL.GOV = \PYGZob{} + NERSC.GOV = ES.NET + \PYGZcb{} + ES.NET = \PYGZob{} + NERSC.GOV = . + \PYGZcb{} + TEST.ANL.GOV = \PYGZob{} + NERSC.GOV = ANL.GOV + NERSC.GOV = ES.NET + \PYGZcb{} +\end{Verbatim} + +When a subtag is used more than once within a tag, clients will use +the order of values to determine the path. The order of values is not +important to servers. + + +\paragraph{{[}appdefaults{]}} +\label{admin/conf_files/krb5_conf:id5}\label{admin/conf_files/krb5_conf:appdefaults} +Each tag in the {[}appdefaults{]} section names a Kerberos V5 application +or an option that is used by some Kerberos V5 application{[}s{]}. The +value of the tag defines the default behaviors for that application. + +For example: + +\begin{Verbatim}[commandchars=\\\{\}] +[appdefaults] + telnet = \PYGZob{} + ATHENA.MIT.EDU = \PYGZob{} + option1 = false + \PYGZcb{} + \PYGZcb{} + telnet = \PYGZob{} + option1 = true + option2 = true + \PYGZcb{} + ATHENA.MIT.EDU = \PYGZob{} + option2 = false + \PYGZcb{} + option2 = true +\end{Verbatim} + +The above four ways of specifying the value of an option are shown in +order of decreasing precedence. In this example, if telnet is running +in the realm EXAMPLE.COM, it should, by default, have option1 and +option2 set to true. However, a telnet program in the realm +\code{ATHENA.MIT.EDU} should have \code{option1} set to false and +\code{option2} set to true. Any other programs in ATHENA.MIT.EDU should +have \code{option2} set to false by default. Any programs running in +other realms should have \code{option2} set to true. + +The list of specifiable options for each application may be found in +that application's man pages. The application defaults specified here +are overridden by those specified in the {\hyperref[admin/conf_files/krb5_conf:realms]{realms}} section. + + +\paragraph{{[}plugins{]}} +\label{admin/conf_files/krb5_conf:id6}\label{admin/conf_files/krb5_conf:plugins}\begin{itemize} +\item {} +{\hyperref[admin/conf_files/krb5_conf:pwqual]{pwqual}} interface + +\item {} +{\hyperref[admin/conf_files/krb5_conf:kadm5-hook]{kadm5\_hook}} interface + +\item {} +{\hyperref[admin/conf_files/krb5_conf:clpreauth]{clpreauth}} and {\hyperref[admin/conf_files/krb5_conf:kdcpreauth]{kdcpreauth}} interfaces + +\end{itemize} + +Tags in the {[}plugins{]} section can be used to register dynamic plugin +modules and to turn modules on and off. Not every krb5 pluggable +interface uses the {[}plugins{]} section; the ones that do are documented +here. + +New in release 1.9. + +Each pluggable interface corresponds to a subsection of {[}plugins{]}. +All subsections support the same tags: +\begin{description} +\item[{\textbf{disable}}] \leavevmode +This tag may have multiple values. If there are values for this +tag, then the named modules will be disabled for the pluggable +interface. + +\item[{\textbf{enable\_only}}] \leavevmode +This tag may have multiple values. If there are values for this +tag, then only the named modules will be enabled for the pluggable +interface. + +\item[{\textbf{module}}] \leavevmode +This tag may have multiple values. Each value is a string of the +form \code{modulename:pathname}, which causes the shared object +located at \emph{pathname} to be registered as a dynamic module named +\emph{modulename} for the pluggable interface. If \emph{pathname} is not an +absolute path, it will be treated as relative to the +\textbf{plugin\_base\_dir} value from {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}}. + +\end{description} + +For pluggable interfaces where module order matters, modules +registered with a \textbf{module} tag normally come first, in the order +they are registered, followed by built-in modules in the order they +are documented below. If \textbf{enable\_only} tags are used, then the +order of those tags overrides the normal module order. + +The following subsections are currently supported within the {[}plugins{]} +section: + + +\subparagraph{ccselect interface} +\label{admin/conf_files/krb5_conf:ccselect}\label{admin/conf_files/krb5_conf:ccselect-interface} +The ccselect subsection controls modules for credential cache +selection within a cache collection. In addition to any registered +dynamic modules, the following built-in modules exist (and may be +disabled with the disable tag): +\begin{description} +\item[{\textbf{k5identity}}] \leavevmode +Uses a .k5identity file in the user's home directory to select a +client principal + +\item[{\textbf{realm}}] \leavevmode +Uses the service realm to guess an appropriate cache from the +collection + +\end{description} + + +\subparagraph{pwqual interface} +\label{admin/conf_files/krb5_conf:pwqual-interface}\label{admin/conf_files/krb5_conf:pwqual} +The pwqual subsection controls modules for the password quality +interface, which is used to reject weak passwords when passwords are +changed. The following built-in modules exist for this interface: +\begin{description} +\item[{\textbf{dict}}] \leavevmode +Checks against the realm dictionary file + +\item[{\textbf{empty}}] \leavevmode +Rejects empty passwords + +\item[{\textbf{hesiod}}] \leavevmode +Checks against user information stored in Hesiod (only if Kerberos +was built with Hesiod support) + +\item[{\textbf{princ}}] \leavevmode +Checks against components of the principal name + +\end{description} + + +\subparagraph{kadm5\_hook interface} +\label{admin/conf_files/krb5_conf:kadm5-hook-interface}\label{admin/conf_files/krb5_conf:kadm5-hook} +The kadm5\_hook interface provides plugins with information on +principal creation, modification, password changes and deletion. This +interface can be used to write a plugin to synchronize MIT Kerberos +with another database such as Active Directory. No plugins are built +in for this interface. +\phantomsection\label{admin/conf_files/krb5_conf:clpreauth} + +\subparagraph{clpreauth and kdcpreauth interfaces} +\label{admin/conf_files/krb5_conf:clpreauth-and-kdcpreauth-interfaces}\label{admin/conf_files/krb5_conf:clpreauth}\label{admin/conf_files/krb5_conf:kdcpreauth} +The clpreauth and kdcpreauth interfaces allow plugin modules to +provide client and KDC preauthentication mechanisms. The following +built-in modules exist for these interfaces: +\begin{description} +\item[{\textbf{pkinit}}] \leavevmode +This module implements the PKINIT preauthentication mechanism. + +\item[{\textbf{encrypted\_challenge}}] \leavevmode +This module implements the encrypted challenge FAST factor. + +\item[{\textbf{encrypted\_timestamp}}] \leavevmode +This module implements the encrypted timestamp mechanism. + +\end{description} + + +\subparagraph{hostrealm interface} +\label{admin/conf_files/krb5_conf:hostrealm-interface}\label{admin/conf_files/krb5_conf:hostrealm} +The hostrealm section (introduced in release 1.12) controls modules +for the host-to-realm interface, which affects the local mapping of +hostnames to realm names and the choice of default realm. The following +built-in modules exist for this interface: +\begin{description} +\item[{\textbf{profile}}] \leavevmode +This module consults the {[}domain\_realm{]} section of the profile for +authoritative host-to-realm mappings, and the \textbf{default\_realm} +variable for the default realm. + +\item[{\textbf{dns}}] \leavevmode +This module looks for DNS records for fallback host-to-realm +mappings and the default realm. It only operates if the +\textbf{dns\_lookup\_realm} variable is set to true. + +\item[{\textbf{domain}}] \leavevmode +This module applies heuristics for fallback host-to-realm +mappings. It implements the \textbf{realm\_try\_domains} variable, and +uses the uppercased parent domain of the hostname if that does not +produce a result. + +\end{description} + + +\subparagraph{localauth interface} +\label{admin/conf_files/krb5_conf:localauth-interface}\label{admin/conf_files/krb5_conf:localauth} +The localauth section (introduced in release 1.12) controls modules +for the local authorization interface, which affects the relationship +between Kerberos principals and local system accounts. The following +built-in modules exist for this interface: +\begin{description} +\item[{\textbf{default}}] \leavevmode +This module implements the \textbf{DEFAULT} type for \textbf{auth\_to\_local} +values. + +\item[{\textbf{rule}}] \leavevmode +This module implements the \textbf{RULE} type for \textbf{auth\_to\_local} +values. + +\item[{\textbf{names}}] \leavevmode +This module looks for an \textbf{auth\_to\_local\_names} mapping for the +principal name. + +\item[{\textbf{auth\_to\_local}}] \leavevmode +This module processes \textbf{auth\_to\_local} values in the default +realm's section, and applies the default method if no +\textbf{auth\_to\_local} values exist. + +\item[{\textbf{k5login}}] \leavevmode +This module authorizes a principal to a local account according to +the account's \emph{.k5login(5)} file. + +\item[{\textbf{an2ln}}] \leavevmode +This module authorizes a principal to a local account if the +principal name maps to the local account name. + +\end{description} + + +\subsubsection{PKINIT options} +\label{admin/conf_files/krb5_conf:pkinit-options} +\begin{notice}{note}{Note:} +The following are PKINIT-specific options. These values may +be specified in {[}libdefaults{]} as global defaults, or within +a realm-specific subsection of {[}libdefaults{]}, or may be +specified as realm-specific values in the {[}realms{]} section. +A realm-specific value overrides, not adds to, a generic +{[}libdefaults{]} specification. The search order is: +\end{notice} +\begin{enumerate} +\item {} +realm-specific subsection of {[}libdefaults{]}: + +\begin{Verbatim}[commandchars=\\\{\}] +[libdefaults] + EXAMPLE.COM = \PYGZob{} + pkinit\PYGZus{}anchors = FILE:/usr/local/example.com.crt + \PYGZcb{} +\end{Verbatim} + +\item {} +realm-specific value in the {[}realms{]} section: + +\begin{Verbatim}[commandchars=\\\{\}] +[realms] + OTHERREALM.ORG = \PYGZob{} + pkinit\PYGZus{}anchors = FILE:/usr/local/otherrealm.org.crt + \PYGZcb{} +\end{Verbatim} + +\item {} +generic value in the {[}libdefaults{]} section: + +\begin{Verbatim}[commandchars=\\\{\}] +[libdefaults] + pkinit\PYGZus{}anchors = DIR:/usr/local/generic\PYGZus{}trusted\PYGZus{}cas/ +\end{Verbatim} + +\end{enumerate} + + +\paragraph{Specifying PKINIT identity information} +\label{admin/conf_files/krb5_conf:specifying-pkinit-identity-information}\label{admin/conf_files/krb5_conf:pkinit-identity} +The syntax for specifying Public Key identity, trust, and revocation +information for PKINIT is as follows: +\begin{description} +\item[{\textbf{FILE:}\emph{filename}{[}\textbf{,}\emph{keyfilename}{]}}] \leavevmode +This option has context-specific behavior. + +In \textbf{pkinit\_identity} or \textbf{pkinit\_identities}, \emph{filename} +specifies the name of a PEM-format file containing the user's +certificate. If \emph{keyfilename} is not specified, the user's +private key is expected to be in \emph{filename} as well. Otherwise, +\emph{keyfilename} is the name of the file containing the private key. + +In \textbf{pkinit\_anchors} or \textbf{pkinit\_pool}, \emph{filename} is assumed to +be the name of an OpenSSL-style ca-bundle file. + +\item[{\textbf{DIR:}\emph{dirname}}] \leavevmode +This option has context-specific behavior. + +In \textbf{pkinit\_identity} or \textbf{pkinit\_identities}, \emph{dirname} +specifies a directory with files named \code{*.crt} and \code{*.key} +where the first part of the file name is the same for matching +pairs of certificate and private key files. When a file with a +name ending with \code{.crt} is found, a matching file ending with +\code{.key} is assumed to contain the private key. If no such file +is found, then the certificate in the \code{.crt} is not used. + +In \textbf{pkinit\_anchors} or \textbf{pkinit\_pool}, \emph{dirname} is assumed to +be an OpenSSL-style hashed CA directory where each CA cert is +stored in a file named \code{hash-of-ca-cert.\#}. This infrastructure +is encouraged, but all files in the directory will be examined and +if they contain certificates (in PEM format), they will be used. + +In \textbf{pkinit\_revoke}, \emph{dirname} is assumed to be an OpenSSL-style +hashed CA directory where each revocation list is stored in a file +named \code{hash-of-ca-cert.r\#}. This infrastructure is encouraged, +but all files in the directory will be examined and if they +contain a revocation list (in PEM format), they will be used. + +\item[{\textbf{PKCS12:}\emph{filename}}] \leavevmode +\emph{filename} is the name of a PKCS \#12 format file, containing the +user's certificate and private key. + +\item[{\textbf{PKCS11:}{[}\textbf{module\_name=}{]}\emph{modname}{[}\textbf{:slotid=}\emph{slot-id}{]}{[}\textbf{:token=}\emph{token-label}{]}{[}\textbf{:certid=}\emph{cert-id}{]}{[}\textbf{:certlabel=}\emph{cert-label}{]}}] \leavevmode +All keyword/values are optional. \emph{modname} specifies the location +of a library implementing PKCS \#11. If a value is encountered +with no keyword, it is assumed to be the \emph{modname}. If no +module-name is specified, the default is \code{opensc-pkcs11.so}. +\code{slotid=} and/or \code{token=} may be specified to force the use of +a particular smard card reader or token if there is more than one +available. \code{certid=} and/or \code{certlabel=} may be specified to +force the selection of a particular certificate on the device. +See the \textbf{pkinit\_cert\_match} configuration option for more ways +to select a particular certificate to use for PKINIT. + +\item[{\textbf{ENV:}\emph{envvar}}] \leavevmode +\emph{envvar} specifies the name of an environment variable which has +been set to a value conforming to one of the previous values. For +example, \code{ENV:X509\_PROXY}, where environment variable +\code{X509\_PROXY} has been set to \code{FILE:/tmp/my\_proxy.pem}. + +\end{description} + + +\paragraph{PKINIT krb5.conf options} +\label{admin/conf_files/krb5_conf:pkinit-krb5-conf-options}\begin{description} +\item[{\textbf{pkinit\_anchors}}] \leavevmode +Specifies the location of trusted anchor (root) certificates which +the client trusts to sign KDC certificates. This option may be +specified multiple times. These values from the config file are +not used if the user specifies X509\_anchors on the command line. + +\item[{\textbf{pkinit\_cert\_match}}] \leavevmode +Specifies matching rules that the client certificate must match +before it is used to attempt PKINIT authentication. If a user has +multiple certificates available (on a smart card, or via other +media), there must be exactly one certificate chosen before +attempting PKINIT authentication. This option may be specified +multiple times. All the available certificates are checked +against each rule in order until there is a match of exactly one +certificate. + +The Subject and Issuer comparison strings are the \index{RFC!RFC 2253}\href{http://tools.ietf.org/html/rfc2253.html}{\textbf{RFC 2253}} +string representations from the certificate Subject DN and Issuer +DN values. + +The syntax of the matching rules is: +\begin{quote} + +{[}\emph{relation-operator}{]}\emph{component-rule} ... +\end{quote} + +where: +\begin{description} +\item[{\emph{relation-operator}}] \leavevmode +can be either \code{\&\&}, meaning all component rules must match, +or \code{\textbar{}\textbar{}}, meaning only one component rule must match. The +default is \code{\&\&}. + +\item[{\emph{component-rule}}] \leavevmode +can be one of the following. Note that there is no +punctuation or whitespace between component rules. +\begin{quote} + +\begin{DUlineblock}{0em} +\item[] \textbf{\textless{}SUBJECT\textgreater{}}\emph{regular-expression} +\item[] \textbf{\textless{}ISSUER\textgreater{}}\emph{regular-expression} +\item[] \textbf{\textless{}SAN\textgreater{}}\emph{regular-expression} +\item[] \textbf{\textless{}EKU\textgreater{}}\emph{extended-key-usage-list} +\item[] \textbf{\textless{}KU\textgreater{}}\emph{key-usage-list} +\end{DUlineblock} +\end{quote} + +\emph{extended-key-usage-list} is a comma-separated list of +required Extended Key Usage values. All values in the list +must be present in the certificate. Extended Key Usage values +can be: +\begin{itemize} +\item {} +pkinit + +\item {} +msScLogin + +\item {} +clientAuth + +\item {} +emailProtection + +\end{itemize} + +\emph{key-usage-list} is a comma-separated list of required Key +Usage values. All values in the list must be present in the +certificate. Key Usage values can be: +\begin{itemize} +\item {} +digitalSignature + +\item {} +keyEncipherment + +\end{itemize} + +\end{description} + +Examples: + +\begin{Verbatim}[commandchars=\\\{\}] +pkinit\PYGZus{}cert\PYGZus{}match = \textbar{}\textbar{}\PYGZlt{}SUBJECT\PYGZgt{}.*DoE.*\PYGZlt{}SAN\PYGZgt{}.*@EXAMPLE.COM +pkinit\PYGZus{}cert\PYGZus{}match = \PYGZam{}\PYGZam{}\PYGZlt{}EKU\PYGZgt{}msScLogin,clientAuth\PYGZlt{}ISSUER\PYGZgt{}.*DoE.* +pkinit\PYGZus{}cert\PYGZus{}match = \PYGZlt{}EKU\PYGZgt{}msScLogin,clientAuth\PYGZlt{}KU\PYGZgt{}digitalSignature +\end{Verbatim} + +\item[{\textbf{pkinit\_eku\_checking}}] \leavevmode +This option specifies what Extended Key Usage value the KDC +certificate presented to the client must contain. (Note that if +the KDC certificate has the pkinit SubjectAlternativeName encoded +as the Kerberos TGS name, EKU checking is not necessary since the +issuing CA has certified this as a KDC certificate.) The values +recognized in the krb5.conf file are: +\begin{description} +\item[{\textbf{kpKDC}}] \leavevmode +This is the default value and specifies that the KDC must have +the id-pkinit-KPKdc EKU as defined in \index{RFC!RFC 4556}\href{http://tools.ietf.org/html/rfc4556.html}{\textbf{RFC 4556}}. + +\item[{\textbf{kpServerAuth}}] \leavevmode +If \textbf{kpServerAuth} is specified, a KDC certificate with the +id-kp-serverAuth EKU will be accepted. This key usage value +is used in most commercially issued server certificates. + +\item[{\textbf{none}}] \leavevmode +If \textbf{none} is specified, then the KDC certificate will not be +checked to verify it has an acceptable EKU. The use of this +option is not recommended. + +\end{description} + +\item[{\textbf{pkinit\_dh\_min\_bits}}] \leavevmode +Specifies the size of the Diffie-Hellman key the client will +attempt to use. The acceptable values are 1024, 2048, and 4096. +The default is 2048. + +\item[{\textbf{pkinit\_identities}}] \leavevmode +Specifies the location(s) to be used to find the user's X.509 +identity information. This option may be specified multiple +times. Each value is attempted in order until identity +information is found and authentication is attempted. Note that +these values are not used if the user specifies +\textbf{X509\_user\_identity} on the command line. + +\item[{\textbf{pkinit\_kdc\_hostname}}] \leavevmode +The presense of this option indicates that the client is willing +to accept a KDC certificate with a dNSName SAN (Subject +Alternative Name) rather than requiring the id-pkinit-san as +defined in \index{RFC!RFC 4556}\href{http://tools.ietf.org/html/rfc4556.html}{\textbf{RFC 4556}}. This option may be specified multiple +times. Its value should contain the acceptable hostname for the +KDC (as contained in its certificate). + +\item[{\textbf{pkinit\_pool}}] \leavevmode +Specifies the location of intermediate certificates which may be +used by the client to complete the trust chain between a KDC +certificate and a trusted anchor. This option may be specified +multiple times. + +\item[{\textbf{pkinit\_require\_crl\_checking}}] \leavevmode +The default certificate verification process will always check the +available revocation information to see if a certificate has been +revoked. If a match is found for the certificate in a CRL, +verification fails. If the certificate being verified is not +listed in a CRL, or there is no CRL present for its issuing CA, +and \textbf{pkinit\_require\_crl\_checking} is false, then verification +succeeds. + +However, if \textbf{pkinit\_require\_crl\_checking} is true and there is +no CRL information available for the issuing CA, then verification +fails. + +\textbf{pkinit\_require\_crl\_checking} should be set to true if the +policy is such that up-to-date CRLs must be present for every CA. + +\item[{\textbf{pkinit\_revoke}}] \leavevmode +Specifies the location of Certificate Revocation List (CRL) +information to be used by the client when verifying the validity +of the KDC certificate presented. This option may be specified +multiple times. + +\end{description} + + +\subsubsection{Parameter expansion} +\label{admin/conf_files/krb5_conf:id7}\label{admin/conf_files/krb5_conf:parameter-expansion} +Starting with release 1.11, several variables, such as +\textbf{default\_keytab\_name}, allow parameters to be expanded. +Valid parameters are: +\begin{quote} + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\%\{TEMP\} + & +Temporary directory +\\ +\hline +\%\{uid\} + & +Unix real UID or Windows SID +\\ +\hline +\%\{euid\} + & +Unix effective user ID or Windows SID +\\ +\hline +\%\{USERID\} + & +Same as \%\{uid\} +\\ +\hline +\%\{null\} + & +Empty string +\\ +\hline +\%\{LIBDIR\} + & +Installation library directory +\\ +\hline +\%\{BINDIR\} + & +Installation binary directory +\\ +\hline +\%\{SBINDIR\} + & +Installation admin binary directory +\\ +\hline +\%\{username\} + & +(Unix) Username of effective user ID +\\ +\hline +\%\{APPDATA\} + & +(Windows) Roaming application data for current user +\\ +\hline +\%\{COMMON\_APPDATA\} + & +(Windows) Application data for all users +\\ +\hline +\%\{LOCAL\_APPDATA\} + & +(Windows) Local application data for current user +\\ +\hline +\%\{SYSTEM\} + & +(Windows) Windows system folder +\\ +\hline +\%\{WINDOWS\} + & +(Windows) Windows folder +\\ +\hline +\%\{USERCONFIG\} + & +(Windows) Per-user MIT krb5 config file directory +\\ +\hline +\%\{COMMONCONFIG\} + & +(Windows) Common MIT krb5 config file directory +\\ +\hline\end{tabulary} + +\end{quote} + + +\subsubsection{Sample krb5.conf file} +\label{admin/conf_files/krb5_conf:sample-krb5-conf-file} +Here is an example of a generic krb5.conf file: + +\begin{Verbatim}[commandchars=\\\{\}] +[libdefaults] + default\PYGZus{}realm = ATHENA.MIT.EDU + dns\PYGZus{}lookup\PYGZus{}kdc = true + dns\PYGZus{}lookup\PYGZus{}realm = false + +[realms] + ATHENA.MIT.EDU = \PYGZob{} + kdc = kerberos.mit.edu + kdc = kerberos\PYGZhy{}1.mit.edu + kdc = kerberos\PYGZhy{}2.mit.edu + admin\PYGZus{}server = kerberos.mit.edu + master\PYGZus{}kdc = kerberos.mit.edu + \PYGZcb{} + EXAMPLE.COM = \PYGZob{} + kdc = kerberos.example.com + kdc = kerberos\PYGZhy{}1.example.com + admin\PYGZus{}server = kerberos.example.com + \PYGZcb{} + +[domain\PYGZus{}realm] + mit.edu = ATHENA.MIT.EDU + +[capaths] + ATHENA.MIT.EDU = \PYGZob{} + EXAMPLE.COM = . + \PYGZcb{} + EXAMPLE.COM = \PYGZob{} + ATHENA.MIT.EDU = . + \PYGZcb{} +\end{Verbatim} + + +\subsubsection{FILES} +\label{admin/conf_files/krb5_conf:files} +\code{/etc/krb5.conf} + + +\subsubsection{SEE ALSO} +\label{admin/conf_files/krb5_conf:see-also} +syslog(3) + + +\subsection{kdc.conf} +\label{admin/conf_files/kdc_conf:kdc-conf}\label{admin/conf_files/kdc_conf::doc}\label{admin/conf_files/kdc_conf:kdc-conf-5} +The kdc.conf file supplements {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} for programs which +are typically only used on a KDC, such as the {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} and +{\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemons and the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} program. +Relations documented here may also be specified in krb5.conf; for the +KDC programs mentioned, krb5.conf and kdc.conf will be merged into a +single configuration profile. + +Normally, the kdc.conf file is found in the KDC state directory, +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}. You can override the default location by setting the +environment variable \textbf{KRB5\_KDC\_PROFILE}. + +Please note that you need to restart the KDC daemon for any configuration +changes to take effect. + + +\subsubsection{Structure} +\label{admin/conf_files/kdc_conf:structure} +The kdc.conf file is set up in the same format as the +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file. + + +\subsubsection{Sections} +\label{admin/conf_files/kdc_conf:sections} +The kdc.conf file may contain the following sections: + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +{\hyperref[admin/conf_files/kdc_conf:kdcdefaults]{\emph{{[}kdcdefaults{]}}}} + & +Default values for KDC behavior +\\ +\hline +{\hyperref[admin/conf_files/kdc_conf:kdc-realms]{\emph{{[}realms{]}}}} + & +Realm-specific database configuration and settings +\\ +\hline +{\hyperref[admin/conf_files/kdc_conf:dbdefaults]{\emph{{[}dbdefaults{]}}}} + & +Default database settings +\\ +\hline +{\hyperref[admin/conf_files/kdc_conf:dbmodules]{\emph{{[}dbmodules{]}}}} + & +Per-database settings +\\ +\hline +{\hyperref[admin/conf_files/kdc_conf:logging]{\emph{{[}logging{]}}}} + & +Controls how Kerberos daemons perform logging +\\ +\hline\end{tabulary} + + + +\paragraph{{[}kdcdefaults{]}} +\label{admin/conf_files/kdc_conf:kdcdefaults}\label{admin/conf_files/kdc_conf:id1} +With two exceptions, relations in the {[}kdcdefaults{]} section specify +default values for realm variables, to be used if the {[}realms{]} +subsection does not contain a relation for the tag. See the +{\hyperref[admin/conf_files/kdc_conf:kdc-realms]{\emph{{[}realms{]}}}} section for the definitions of these relations. +\begin{itemize} +\item {} +\textbf{host\_based\_services} + +\item {} +\textbf{kdc\_listen} + +\item {} +\textbf{kdc\_ports} + +\item {} +\textbf{kdc\_tcp\_listen} + +\item {} +\textbf{kdc\_tcp\_ports} + +\item {} +\textbf{no\_host\_referral} + +\item {} +\textbf{restrict\_anonymous\_to\_tgt} + +\end{itemize} +\begin{description} +\item[{\textbf{kdc\_max\_dgram\_reply\_size}}] \leavevmode +Specifies the maximum packet size that can be sent over UDP. The +default value is 4096 bytes. + +\item[{\textbf{kdc\_tcp\_listen\_backlog}}] \leavevmode +(Integer.) Set the size of the listen queue length for the KDC +daemon. The value may be limited by OS settings. The default +value is 5. + +\end{description} + + +\paragraph{{[}realms{]}} +\label{admin/conf_files/kdc_conf:realms}\label{admin/conf_files/kdc_conf:kdc-realms} +Each tag in the {[}realms{]} section is the name of a Kerberos realm. The +value of the tag is a subsection where the relations define KDC +parameters for that particular realm. The following example shows how +to define one parameter for the ATHENA.MIT.EDU realm: + +\begin{Verbatim}[commandchars=\\\{\}] +[realms] + ATHENA.MIT.EDU = \PYGZob{} + max\PYGZus{}renewable\PYGZus{}life = 7d 0h 0m 0s + \PYGZcb{} +\end{Verbatim} + +The following tags may be specified in a {[}realms{]} subsection: +\begin{description} +\item[{\textbf{acl\_file}}] \leavevmode +(String.) Location of the access control list file that +{\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} uses to determine which principals are allowed +which permissions on the Kerberos database. The default value is +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl}. For more information on Kerberos ACL +file see {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}. + +\item[{\textbf{database\_module}}] \leavevmode +(String.) This relation indicates the name of the configuration +section under {\hyperref[admin/conf_files/kdc_conf:dbmodules]{\emph{{[}dbmodules{]}}}} for database-specific parameters +used by the loadable database library. The default value is the +realm name. If this configuration section does not exist, default +values will be used for all database parameters. + +\item[{\textbf{database\_name}}] \leavevmode +(String, deprecated.) This relation specifies the location of the +Kerberos database for this realm, if the DB2 module is being used +and the {\hyperref[admin/conf_files/kdc_conf:dbmodules]{\emph{{[}dbmodules{]}}}} configuration section does not specify a +database name. The default value is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/principal}. + +\item[{\textbf{default\_principal\_expiration}}] \leavevmode +(\emph{abstime} string.) Specifies the default expiration date of +principals created in this realm. The default value is 0, which +means no expiration date. + +\item[{\textbf{default\_principal\_flags}}] \leavevmode +(Flag string.) Specifies the default attributes of principals +created in this realm. The format for this string is a +comma-separated list of flags, with `+' before each flag that +should be enabled and `-` before each flag that should be +disabled. The \textbf{postdateable}, \textbf{forwardable}, \textbf{tgt-based}, +\textbf{renewable}, \textbf{proxiable}, \textbf{dup-skey}, \textbf{allow-tickets}, and +\textbf{service} flags default to enabled. + +There are a number of possible flags: +\begin{description} +\item[{\textbf{allow-tickets}}] \leavevmode +Enabling this flag means that the KDC will issue tickets for +this principal. Disabling this flag essentially deactivates +the principal within this realm. + +\item[{\textbf{dup-skey}}] \leavevmode +Enabling this flag allows the principal to obtain a session +key for another user, permitting user-to-user authentication +for this principal. + +\item[{\textbf{forwardable}}] \leavevmode +Enabling this flag allows the principal to obtain forwardable +tickets. + +\item[{\textbf{hwauth}}] \leavevmode +If this flag is enabled, then the principal is required to +preauthenticate using a hardware device before receiving any +tickets. + +\item[{\textbf{no-auth-data-required}}] \leavevmode +Enabling this flag prevents PAC or AD-SIGNEDPATH data from +being added to service tickets for the principal. + +\item[{\textbf{ok-as-delegate}}] \leavevmode +If this flag is enabled, it hints the client that credentials +can and should be delegated when authenticating to the +service. + +\item[{\textbf{ok-to-auth-as-delegate}}] \leavevmode +Enabling this flag allows the principal to use S4USelf tickets. + +\item[{\textbf{postdateable}}] \leavevmode +Enabling this flag allows the principal to obtain postdateable +tickets. + +\item[{\textbf{preauth}}] \leavevmode +If this flag is enabled on a client principal, then that +principal is required to preauthenticate to the KDC before +receiving any tickets. On a service principal, enabling this +flag means that service tickets for this principal will only +be issued to clients with a TGT that has the preauthenticated +bit set. + +\item[{\textbf{proxiable}}] \leavevmode +Enabling this flag allows the principal to obtain proxy +tickets. + +\item[{\textbf{pwchange}}] \leavevmode +Enabling this flag forces a password change for this +principal. + +\item[{\textbf{pwservice}}] \leavevmode +If this flag is enabled, it marks this principal as a password +change service. This should only be used in special cases, +for example, if a user's password has expired, then the user +has to get tickets for that principal without going through +the normal password authentication in order to be able to +change the password. + +\item[{\textbf{renewable}}] \leavevmode +Enabling this flag allows the principal to obtain renewable +tickets. + +\item[{\textbf{service}}] \leavevmode +Enabling this flag allows the the KDC to issue service tickets +for this principal. + +\item[{\textbf{tgt-based}}] \leavevmode +Enabling this flag allows a principal to obtain tickets based +on a ticket-granting-ticket, rather than repeating the +authentication process that was used to obtain the TGT. + +\end{description} + +\item[{\textbf{dict\_file}}] \leavevmode +(String.) Location of the dictionary file containing strings that +are not allowed as passwords. The file should contain one string +per line, with no additional whitespace. If none is specified or +if there is no policy assigned to the principal, no dictionary +checks of passwords will be performed. + +\item[{\textbf{host\_based\_services}}] \leavevmode +(Whitespace- or comma-separated list.) Lists services which will +get host-based referral processing even if the server principal is +not marked as host-based by the client. + +\item[{\textbf{iprop\_enable}}] \leavevmode +(Boolean value.) Specifies whether incremental database +propagation is enabled. The default value is false. + +\item[{\textbf{iprop\_master\_ulogsize}}] \leavevmode +(Integer.) Specifies the maximum number of log entries to be +retained for incremental propagation. The default value is 1000. +Prior to release 1.11, the maximum value was 2500. + +\item[{\textbf{iprop\_slave\_poll}}] \leavevmode +(Delta time string.) Specifies how often the slave KDC polls for +new updates from the master. The default value is \code{2m} (that +is, two minutes). + +\item[{\textbf{iprop\_listen}}] \leavevmode +(Whitespace- or comma-separated list.) Specifies the iprop RPC +listening addresses and/or ports for the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon. +Each entry may be an interface address, a port number, or an +address and port number separated by a colon. If the address +contains colons, enclose it in square brackets. If no address is +specified, the wildcard address is used. If kadmind fails to bind +to any of the specified addresses, it will fail to start. The +default (when \textbf{iprop\_enable} is true) is to bind to the wildcard +address at the port specified in \textbf{iprop\_port}. New in release +1.15. + +\item[{\textbf{iprop\_port}}] \leavevmode +(Port number.) Specifies the port number to be used for +incremental propagation. When \textbf{iprop\_enable} is true, this +relation is required in the slave configuration file, and this +relation or \textbf{iprop\_listen} is required in the master +configuration file, as there is no default port number. Port +numbers specified in \textbf{iprop\_listen} entries will override this +port number for the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon. + +\item[{\textbf{iprop\_resync\_timeout}}] \leavevmode +(Delta time string.) Specifies the amount of time to wait for a +full propagation to complete. This is optional in configuration +files, and is used by slave KDCs only. The default value is 5 +minutes (\code{5m}). New in release 1.11. + +\item[{\textbf{iprop\_logfile}}] \leavevmode +(File name.) Specifies where the update log file for the realm +database is to be stored. The default is to use the +\textbf{database\_name} entry from the realms section of the krb5 config +file, with \code{.ulog} appended. (NOTE: If \textbf{database\_name} isn't +specified in the realms section, perhaps because the LDAP database +back end is being used, or the file name is specified in the +{[}dbmodules{]} section, then the hard-coded default for +\textbf{database\_name} is used. Determination of the \textbf{iprop\_logfile} +default value will not use values from the {[}dbmodules{]} section.) + +\item[{\textbf{kadmind\_listen}}] \leavevmode +(Whitespace- or comma-separated list.) Specifies the kadmin RPC +listening addresses and/or ports for the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon. +Each entry may be an interface address, a port number, or an +address and port number separated by a colon. If the address +contains colons, enclose it in square brackets. If no address is +specified, the wildcard address is used. If kadmind fails to bind +to any of the specified addresses, it will fail to start. The +default is to bind to the wildcard address at the port specified +in \textbf{kadmind\_port}, or the standard kadmin port (749). New in +release 1.15. + +\item[{\textbf{kadmind\_port}}] \leavevmode +(Port number.) Specifies the port on which the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} +daemon is to listen for this realm. Port numbers specified in +\textbf{kadmind\_listen} entries will override this port number. The +assigned port for kadmind is 749, which is used by default. + +\item[{\textbf{key\_stash\_file}}] \leavevmode +(String.) Specifies the location where the master key has been +stored (via kdb5\_util stash). The default is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/.k5.REALM}, where \emph{REALM} is the Kerberos realm. + +\item[{\textbf{kdc\_listen}}] \leavevmode +(Whitespace- or comma-separated list.) Specifies the UDP +listening addresses and/or ports for the {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemon. +Each entry may be an interface address, a port number, or an +address and port number separated by a colon. If the address +contains colons, enclose it in square brackets. If no address is +specified, the wildcard address is used. If no port is specified, +the standard port (88) is used. If the KDC daemon fails to bind +to any of the specified addresses, it will fail to start. The +default is to bind to the wildcard address on the standard port. +New in release 1.15. + +\item[{\textbf{kdc\_ports}}] \leavevmode +(Whitespace- or comma-separated list, deprecated.) Prior to +release 1.15, this relation lists the ports for the +{\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemon to listen on for UDP requests. In +release 1.15 and later, it has the same meaning as \textbf{kdc\_listen} +if that relation is not defined. + +\item[{\textbf{kdc\_tcp\_listen}}] \leavevmode +(Whitespace- or comma-separated list.) Specifies the TCP +listening addresses and/or ports for the {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemon. +Each entry may be an interface address, a port number, or an +address and port number separated by a colon. If the address +contains colons, enclose it in square brackets. If no address is +specified, the wildcard address is used. If no port is specified, +the standard port (88) is used. To disable listening on TCP, set +this relation to the empty string with \code{kdc\_tcp\_listen = ""}. +If the KDC daemon fails to bind to any of the specified addresses, +it will fail to start. The default is to bind to the wildcard +address on the standard port. New in release 1.15. + +\item[{\textbf{kdc\_tcp\_ports}}] \leavevmode +(Whitespace- or comma-separated list, deprecated.) Prior to +release 1.15, this relation lists the ports for the +{\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemon to listen on for UDP requests. In +release 1.15 and later, it has the same meaning as +\textbf{kdc\_tcp\_listen} if that relation is not defined. + +\item[{\textbf{kpasswd\_listen}}] \leavevmode +(Comma-separated list.) Specifies the kpasswd listening addresses +and/or ports for the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon. Each entry may be +an interface address, a port number, or an address and port number +separated by a colon. If the address contains colons, enclose it +in square brackets. If no address is specified, the wildcard +address is used. If kadmind fails to bind to any of the specified +addresses, it will fail to start. The default is to bind to the +wildcard address at the port specified in \textbf{kpasswd\_port}, or the +standard kpasswd port (464). New in release 1.15. + +\item[{\textbf{kpasswd\_port}}] \leavevmode +(Port number.) Specifies the port on which the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} +daemon is to listen for password change requests for this realm. +Port numbers specified in \textbf{kpasswd\_listen} entries will override +this port number. The assigned port for password change requests +is 464, which is used by default. + +\item[{\textbf{master\_key\_name}}] \leavevmode +(String.) Specifies the name of the principal associated with the +master key. The default is \code{K/M}. + +\item[{\textbf{master\_key\_type}}] \leavevmode +(Key type string.) Specifies the master key's key type. The +default value for this is \code{aes256-cts-hmac-sha1-96}. For a list of all possible +values, see {\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}}. + +\item[{\textbf{max\_life}}] \leavevmode +(\emph{duration} string.) Specifies the maximum time period for +which a ticket may be valid in this realm. The default value is +24 hours. + +\item[{\textbf{max\_renewable\_life}}] \leavevmode +(\emph{duration} string.) Specifies the maximum time period +during which a valid ticket may be renewed in this realm. +The default value is 0. + +\item[{\textbf{no\_host\_referral}}] \leavevmode +(Whitespace- or comma-separated list.) Lists services to block +from getting host-based referral processing, even if the client +marks the server principal as host-based or the service is also +listed in \textbf{host\_based\_services}. \code{no\_host\_referral = *} will +disable referral processing altogether. + +\item[{\textbf{des\_crc\_session\_supported}}] \leavevmode +(Boolean value). If set to true, the KDC will assume that service +principals support des-cbc-crc for session key enctype negotiation +purposes. If \textbf{allow\_weak\_crypto} in {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} is +false, or if des-cbc-crc is not a permitted enctype, then this +variable has no effect. Defaults to true. New in release 1.11. + +\item[{\textbf{reject\_bad\_transit}}] \leavevmode +(Boolean value.) If set to true, the KDC will check the list of +transited realms for cross-realm tickets against the transit path +computed from the realm names and the capaths section of its +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file; if the path in the ticket to be issued +contains any realms not in the computed path, the ticket will not +be issued, and an error will be returned to the client instead. +If this value is set to false, such tickets will be issued +anyways, and it will be left up to the application server to +validate the realm transit path. + +If the disable-transited-check flag is set in the incoming +request, this check is not performed at all. Having the +\textbf{reject\_bad\_transit} option will cause such ticket requests to +be rejected always. + +This transit path checking and config file option currently apply +only to TGS requests. + +The default value is true. + +\item[{\textbf{restrict\_anonymous\_to\_tgt}}] \leavevmode +(Boolean value.) If set to true, the KDC will reject ticket +requests from anonymous principals to service principals other +than the realm's ticket-granting service. This option allows +anonymous PKINIT to be enabled for use as FAST armor tickets +without allowing anonymous authentication to services. The +default value is false. New in release 1.9. + +\item[{\textbf{supported\_enctypes}}] \leavevmode +(List of \emph{key}:\emph{salt} strings.) Specifies the default key/salt +combinations of principals for this realm. Any principals created +through {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} will have keys of these types. The +default value for this tag is \code{aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal}. For lists of +possible values, see {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}}. + +\end{description} + + +\paragraph{{[}dbdefaults{]}} +\label{admin/conf_files/kdc_conf:id2}\label{admin/conf_files/kdc_conf:dbdefaults} +The {[}dbdefaults{]} section specifies default values for some database +parameters, to be used if the {[}dbmodules{]} subsection does not contain +a relation for the tag. See the {\hyperref[admin/conf_files/kdc_conf:dbmodules]{\emph{{[}dbmodules{]}}}} section for the +definitions of these relations. +\begin{itemize} +\item {} +\textbf{ldap\_kerberos\_container\_dn} + +\item {} +\textbf{ldap\_kdc\_dn} + +\item {} +\textbf{ldap\_kdc\_sasl\_authcid} + +\item {} +\textbf{ldap\_kdc\_sasl\_authzid} + +\item {} +\textbf{ldap\_kdc\_sasl\_mech} + +\item {} +\textbf{ldap\_kdc\_sasl\_realm} + +\item {} +\textbf{ldap\_kadmind\_dn} + +\item {} +\textbf{ldap\_kadmind\_sasl\_authcid} + +\item {} +\textbf{ldap\_kadmind\_sasl\_authzid} + +\item {} +\textbf{ldap\_kadmind\_sasl\_mech} + +\item {} +\textbf{ldap\_kadmind\_sasl\_realm} + +\item {} +\textbf{ldap\_service\_password\_file} + +\item {} +\textbf{ldap\_servers} + +\item {} +\textbf{ldap\_conns\_per\_server} + +\end{itemize} + + +\paragraph{{[}dbmodules{]}} +\label{admin/conf_files/kdc_conf:dbmodules}\label{admin/conf_files/kdc_conf:id3} +The {[}dbmodules{]} section contains parameters used by the KDC database +library and database modules. Each tag in the {[}dbmodules{]} section is +the name of a Kerberos realm or a section name specified by a realm's +\textbf{database\_module} parameter. The following example shows how to +define one database parameter for the ATHENA.MIT.EDU realm: + +\begin{Verbatim}[commandchars=\\\{\}] +[dbmodules] + ATHENA.MIT.EDU = \PYGZob{} + disable\PYGZus{}last\PYGZus{}success = true + \PYGZcb{} +\end{Verbatim} + +The following tags may be specified in a {[}dbmodules{]} subsection: +\begin{description} +\item[{\textbf{database\_name}}] \leavevmode +This DB2-specific tag indicates the location of the database in +the filesystem. The default is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/principal}. + +\item[{\textbf{db\_library}}] \leavevmode +This tag indicates the name of the loadable database module. The +value should be \code{db2} for the DB2 module and \code{kldap} for the +LDAP module. + +\item[{\textbf{disable\_last\_success}}] \leavevmode +If set to \code{true}, suppresses KDC updates to the ``Last successful +authentication'' field of principal entries requiring +preauthentication. Setting this flag may improve performance. +(Principal entries which do not require preauthentication never +update the ``Last successful authentication'' field.). First +introduced in release 1.9. + +\item[{\textbf{disable\_lockout}}] \leavevmode +If set to \code{true}, suppresses KDC updates to the ``Last failed +authentication'' and ``Failed password attempts'' fields of principal +entries requiring preauthentication. Setting this flag may +improve performance, but also disables account lockout. First +introduced in release 1.9. + +\item[{\textbf{ldap\_conns\_per\_server}}] \leavevmode +This LDAP-specific tag indicates the number of connections to be +maintained per LDAP server. + +\item[{\textbf{ldap\_kdc\_dn} and \textbf{ldap\_kadmind\_dn}}] \leavevmode +These LDAP-specific tags indicate the default DN for binding to +the LDAP server. The {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemon uses +\textbf{ldap\_kdc\_dn}, while the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon and other +administrative programs use \textbf{ldap\_kadmind\_dn}. The kadmind DN +must have the rights to read and write the Kerberos data in the +LDAP database. The KDC DN must have the same rights, unless +\textbf{disable\_lockout} and \textbf{disable\_last\_success} are true, in +which case it only needs to have rights to read the Kerberos data. +These tags are ignored if a SASL mechanism is set with +\textbf{ldap\_kdc\_sasl\_mech} or \textbf{ldap\_kadmind\_sasl\_mech}. + +\item[{\textbf{ldap\_kdc\_sasl\_mech} and \textbf{ldap\_kadmind\_sasl\_mech}}] \leavevmode +These LDAP-specific tags specify the SASL mechanism (such as +\code{EXTERNAL}) to use when binding to the LDAP server. New in +release 1.13. + +\item[{\textbf{ldap\_kdc\_sasl\_authcid} and \textbf{ldap\_kadmind\_sasl\_authcid}}] \leavevmode +These LDAP-specific tags specify the SASL authentication identity +to use when binding to the LDAP server. Not all SASL mechanisms +require an authentication identity. If the SASL mechanism +requires a secret (such as the password for \code{DIGEST-MD5}), these +tags also determine the name within the +\textbf{ldap\_service\_password\_file} where the secret is stashed. New +in release 1.13. + +\item[{\textbf{ldap\_kdc\_sasl\_authzid} and \textbf{ldap\_kadmind\_sasl\_authzid}}] \leavevmode +These LDAP-specific tags specify the SASL authorization identity +to use when binding to the LDAP server. In most circumstances +they do not need to be specified. New in release 1.13. + +\item[{\textbf{ldap\_kdc\_sasl\_realm} and \textbf{ldap\_kadmind\_sasl\_realm}}] \leavevmode +These LDAP-specific tags specify the SASL realm to use when +binding to the LDAP server. In most circumstances they do not +need to be set. New in release 1.13. + +\item[{\textbf{ldap\_kerberos\_container\_dn}}] \leavevmode +This LDAP-specific tag indicates the DN of the container object +where the realm objects will be located. + +\item[{\textbf{ldap\_servers}}] \leavevmode +This LDAP-specific tag indicates the list of LDAP servers that the +Kerberos servers can connect to. The list of LDAP servers is +whitespace-separated. The LDAP server is specified by a LDAP URI. +It is recommended to use \code{ldapi:} or \code{ldaps:} URLs to connect +to the LDAP server. + +\item[{\textbf{ldap\_service\_password\_file}}] \leavevmode +This LDAP-specific tag indicates the file containing the stashed +passwords (created by \code{kdb5\_ldap\_util stashsrvpw}) for the +\textbf{ldap\_kdc\_dn} and \textbf{ldap\_kadmind\_dn} objects, or for the +\textbf{ldap\_kdc\_sasl\_authcid} or \textbf{ldap\_kadmind\_sasl\_authcid} names +for SASL authentication. This file must be kept secure. + +\item[{\textbf{unlockiter}}] \leavevmode +If set to \code{true}, this DB2-specific tag causes iteration +operations to release the database lock while processing each +principal. Setting this flag to \code{true} can prevent extended +blocking of KDC or kadmin operations when dumps of large databases +are in progress. First introduced in release 1.13. + +\end{description} + +The following tag may be specified directly in the {[}dbmodules{]} +section to control where database modules are loaded from: +\begin{description} +\item[{\textbf{db\_module\_dir}}] \leavevmode +This tag controls where the plugin system looks for database +modules. The value should be an absolute path. + +\end{description} + + +\paragraph{{[}logging{]}} +\label{admin/conf_files/kdc_conf:id4}\label{admin/conf_files/kdc_conf:logging} +The {[}logging{]} section indicates how {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} and +{\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} perform logging. It may contain the following +relations: +\begin{description} +\item[{\textbf{admin\_server}}] \leavevmode +Specifies how {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} performs logging. + +\item[{\textbf{kdc}}] \leavevmode +Specifies how {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} performs logging. + +\item[{\textbf{default}}] \leavevmode +Specifies how either daemon performs logging in the absence of +relations specific to the daemon. + +\item[{\textbf{debug}}] \leavevmode +(Boolean value.) Specifies whether debugging messages are +included in log outputs other than SYSLOG. Debugging messages are +always included in the system log output because syslog performs +its own priority filtering. The default value is false. New in +release 1.15. + +\end{description} + +Logging specifications may have the following forms: +\begin{description} +\item[{\textbf{FILE=}\emph{filename} or \textbf{FILE:}\emph{filename}}] \leavevmode +This value causes the daemon's logging messages to go to the +\emph{filename}. If the \code{=} form is used, the file is overwritten. +If the \code{:} form is used, the file is appended to. + +\item[{\textbf{STDERR}}] \leavevmode +This value causes the daemon's logging messages to go to its +standard error stream. + +\item[{\textbf{CONSOLE}}] \leavevmode +This value causes the daemon's logging messages to go to the +console, if the system supports it. + +\item[{\textbf{DEVICE=}\emph{\textless{}devicename\textgreater{}}}] \leavevmode +This causes the daemon's logging messages to go to the specified +device. + +\item[{\textbf{SYSLOG}{[}\textbf{:}\emph{severity}{[}\textbf{:}\emph{facility}{]}{]}}] \leavevmode +This causes the daemon's logging messages to go to the system log. + +The severity argument specifies the default severity of system log +messages. This may be any of the following severities supported +by the syslog(3) call, minus the \code{LOG\_} prefix: \textbf{EMERG}, +\textbf{ALERT}, \textbf{CRIT}, \textbf{ERR}, \textbf{WARNING}, \textbf{NOTICE}, \textbf{INFO}, +and \textbf{DEBUG}. + +The facility argument specifies the facility under which the +messages are logged. This may be any of the following facilities +supported by the syslog(3) call minus the LOG\_ prefix: \textbf{KERN}, +\textbf{USER}, \textbf{MAIL}, \textbf{DAEMON}, \textbf{AUTH}, \textbf{LPR}, \textbf{NEWS}, +\textbf{UUCP}, \textbf{CRON}, and \textbf{LOCAL0} through \textbf{LOCAL7}. + +If no severity is specified, the default is \textbf{ERR}. If no +facility is specified, the default is \textbf{AUTH}. + +\end{description} + +In the following example, the logging messages from the KDC will go to +the console and to the system log under the facility LOG\_DAEMON with +default severity of LOG\_INFO; and the logging messages from the +administrative server will be appended to the file +\code{/var/adm/kadmin.log} and sent to the device \code{/dev/tty04}. + +\begin{Verbatim}[commandchars=\\\{\}] +[logging] + kdc = CONSOLE + kdc = SYSLOG:INFO:DAEMON + admin\PYGZus{}server = FILE:/var/adm/kadmin.log + admin\PYGZus{}server = DEVICE=/dev/tty04 +\end{Verbatim} + + +\paragraph{{[}otp{]}} +\label{admin/conf_files/kdc_conf:otp}\label{admin/conf_files/kdc_conf:id5} +Each subsection of {[}otp{]} is the name of an OTP token type. The tags +within the subsection define the configuration required to forward a +One Time Password request to a RADIUS server. + +For each token type, the following tags may be specified: +\begin{description} +\item[{\textbf{server}}] \leavevmode +This is the server to send the RADIUS request to. It can be a +hostname with optional port, an ip address with optional port, or +a Unix domain socket address. The default is +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/\textless{}name\textgreater{}.socket}. + +\item[{\textbf{secret}}] \leavevmode +This tag indicates a filename (which may be relative to {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}) +containing the secret used to encrypt the RADIUS packets. The +secret should appear in the first line of the file by itself; +leading and trailing whitespace on the line will be removed. If +the value of \textbf{server} is a Unix domain socket address, this tag +is optional, and an empty secret will be used if it is not +specified. Otherwise, this tag is required. + +\item[{\textbf{timeout}}] \leavevmode +An integer which specifies the time in seconds during which the +KDC should attempt to contact the RADIUS server. This tag is the +total time across all retries and should be less than the time +which an OTP value remains valid for. The default is 5 seconds. + +\item[{\textbf{retries}}] \leavevmode +This tag specifies the number of retries to make to the RADIUS +server. The default is 3 retries (4 tries). + +\item[{\textbf{strip\_realm}}] \leavevmode +If this tag is \code{true}, the principal without the realm will be +passed to the RADIUS server. Otherwise, the realm will be +included. The default value is \code{true}. + +\item[{\textbf{indicator}}] \leavevmode +This tag specifies an authentication indicator to be included in +the ticket if this token type is used to authenticate. This +option may be specified multiple times. (New in release 1.14.) + +\end{description} + +In the following example, requests are sent to a remote server via UDP: + +\begin{Verbatim}[commandchars=\\\{\}] +[otp] + MyRemoteTokenType = \PYGZob{} + server = radius.mydomain.com:1812 + secret = SEmfiajf42\PYGZdl{} + timeout = 15 + retries = 5 + strip\PYGZus{}realm = true + \PYGZcb{} +\end{Verbatim} + +An implicit default token type named \code{DEFAULT} is defined for when +the per-principal configuration does not specify a token type. Its +configuration is shown below. You may override this token type to +something applicable for your situation: + +\begin{Verbatim}[commandchars=\\\{\}] +[otp] + DEFAULT = \PYGZob{} + strip\PYGZus{}realm = false + \PYGZcb{} +\end{Verbatim} + + +\subsubsection{PKINIT options} +\label{admin/conf_files/kdc_conf:pkinit-options} +\begin{notice}{note}{Note:} +The following are pkinit-specific options. These values may +be specified in {[}kdcdefaults{]} as global defaults, or within +a realm-specific subsection of {[}realms{]}. Also note that a +realm-specific value over-rides, does not add to, a generic +{[}kdcdefaults{]} specification. The search order is: +\end{notice} +\begin{enumerate} +\item {} +realm-specific subsection of {[}realms{]}: + +\begin{Verbatim}[commandchars=\\\{\}] +[realms] + EXAMPLE.COM = \PYGZob{} + pkinit\PYGZus{}anchors = FILE:/usr/local/example.com.crt + \PYGZcb{} +\end{Verbatim} + +\item {} +generic value in the {[}kdcdefaults{]} section: + +\begin{Verbatim}[commandchars=\\\{\}] +[kdcdefaults] + pkinit\PYGZus{}anchors = DIR:/usr/local/generic\PYGZus{}trusted\PYGZus{}cas/ +\end{Verbatim} + +\end{enumerate} + +For information about the syntax of some of these options, see +{\hyperref[admin/conf_files/krb5_conf:pkinit-identity]{\emph{Specifying PKINIT identity information}}} in +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. +\begin{description} +\item[{\textbf{pkinit\_anchors}}] \leavevmode +Specifies the location of trusted anchor (root) certificates which +the KDC trusts to sign client certificates. This option is +required if pkinit is to be supported by the KDC. This option may +be specified multiple times. + +\item[{\textbf{pkinit\_dh\_min\_bits}}] \leavevmode +Specifies the minimum number of bits the KDC is willing to accept +for a client's Diffie-Hellman key. The default is 2048. + +\item[{\textbf{pkinit\_allow\_upn}}] \leavevmode +Specifies that the KDC is willing to accept client certificates +with the Microsoft UserPrincipalName (UPN) Subject Alternative +Name (SAN). This means the KDC accepts the binding of the UPN in +the certificate to the Kerberos principal name. The default value +is false. + +Without this option, the KDC will only accept certificates with +the id-pkinit-san as defined in \index{RFC!RFC 4556}\href{http://tools.ietf.org/html/rfc4556.html}{\textbf{RFC 4556}}. There is currently +no option to disable SAN checking in the KDC. + +\item[{\textbf{pkinit\_eku\_checking}}] \leavevmode +This option specifies what Extended Key Usage (EKU) values the KDC +is willing to accept in client certificates. The values +recognized in the kdc.conf file are: +\begin{description} +\item[{\textbf{kpClientAuth}}] \leavevmode +This is the default value and specifies that client +certificates must have the id-pkinit-KPClientAuth EKU as +defined in \index{RFC!RFC 4556}\href{http://tools.ietf.org/html/rfc4556.html}{\textbf{RFC 4556}}. + +\item[{\textbf{scLogin}}] \leavevmode +If scLogin is specified, client certificates with the +Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be +accepted. + +\item[{\textbf{none}}] \leavevmode +If none is specified, then client certificates will not be +checked to verify they have an acceptable EKU. The use of +this option is not recommended. + +\end{description} + +\item[{\textbf{pkinit\_identity}}] \leavevmode +Specifies the location of the KDC's X.509 identity information. +This option is required if pkinit is to be supported by the KDC. + +\item[{\textbf{pkinit\_indicator}}] \leavevmode +Specifies an authentication indicator to include in the ticket if +pkinit is used to authenticate. This option may be specified +multiple times. (New in release 1.14.) + +\item[{\textbf{pkinit\_kdc\_ocsp}}] \leavevmode +Specifies the location of the KDC's OCSP. + +\item[{\textbf{pkinit\_pool}}] \leavevmode +Specifies the location of intermediate certificates which may be +used by the KDC to complete the trust chain between a client's +certificate and a trusted anchor. This option may be specified +multiple times. + +\item[{\textbf{pkinit\_revoke}}] \leavevmode +Specifies the location of Certificate Revocation List (CRL) +information to be used by the KDC when verifying the validity of +client certificates. This option may be specified multiple times. + +\item[{\textbf{pkinit\_require\_crl\_checking}}] \leavevmode +The default certificate verification process will always check the +available revocation information to see if a certificate has been +revoked. If a match is found for the certificate in a CRL, +verification fails. If the certificate being verified is not +listed in a CRL, or there is no CRL present for its issuing CA, +and \textbf{pkinit\_require\_crl\_checking} is false, then verification +succeeds. + +However, if \textbf{pkinit\_require\_crl\_checking} is true and there is +no CRL information available for the issuing CA, then verification +fails. + +\textbf{pkinit\_require\_crl\_checking} should be set to true if the +policy is such that up-to-date CRLs must be present for every CA. + +\end{description} + + +\subsubsection{Encryption types} +\label{admin/conf_files/kdc_conf:id6}\label{admin/conf_files/kdc_conf:encryption-types} +Any tag in the configuration files which requires a list of encryption +types can be set to some combination of the following strings. +Encryption types marked as ``weak'' are available for compatibility but +not recommended for use. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +des-cbc-crc + & +DES cbc mode with CRC-32 (weak) +\\ +\hline +des-cbc-md4 + & +DES cbc mode with RSA-MD4 (weak) +\\ +\hline +des-cbc-md5 + & +DES cbc mode with RSA-MD5 (weak) +\\ +\hline +des-cbc-raw + & +DES cbc mode raw (weak) +\\ +\hline +des3-cbc-raw + & +Triple DES cbc mode raw (weak) +\\ +\hline +des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd + & +Triple DES cbc mode with HMAC/sha1 +\\ +\hline +des-hmac-sha1 + & +DES with HMAC/sha1 (weak) +\\ +\hline +aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 + & +AES-256 CTS mode with 96-bit SHA-1 HMAC +\\ +\hline +aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 + & +AES-128 CTS mode with 96-bit SHA-1 HMAC +\\ +\hline +aes256-cts-hmac-sha384-192 aes256-sha2 + & +AES-256 CTS mode with 192-bit SHA-384 HMAC +\\ +\hline +aes128-cts-hmac-sha256-128 aes128-sha2 + & +AES-128 CTS mode with 128-bit SHA-256 HMAC +\\ +\hline +arcfour-hmac rc4-hmac arcfour-hmac-md5 + & +RC4 with HMAC/MD5 +\\ +\hline +arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp + & +Exportable RC4 with HMAC/MD5 (weak) +\\ +\hline +camellia256-cts-cmac camellia256-cts + & +Camellia-256 CTS mode with CMAC +\\ +\hline +camellia128-cts-cmac camellia128-cts + & +Camellia-128 CTS mode with CMAC +\\ +\hline +des + & +The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) +\\ +\hline +des3 + & +The triple DES family: des3-cbc-sha1 +\\ +\hline +aes + & +The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 +\\ +\hline +rc4 + & +The RC4 family: arcfour-hmac +\\ +\hline +camellia + & +The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac +\\ +\hline\end{tabulary} + + +The string \textbf{DEFAULT} can be used to refer to the default set of +types for the variable in question. Types or families can be removed +from the current list by prefixing them with a minus sign (``-''). +Types or families can be prefixed with a plus sign (``+'') for symmetry; +it has the same meaning as just listing the type or family. For +example, ``\code{DEFAULT -des}'' would be the default set of encryption +types with DES types removed, and ``\code{des3 DEFAULT}'' would be the +default set of encryption types with triple DES types moved to the +front. + +While \textbf{aes128-cts} and \textbf{aes256-cts} are supported for all Kerberos +operations, they are not supported by very old versions of our GSSAPI +implementation (krb5-1.3.1 and earlier). Services running versions of +krb5 without AES support must not be given keys of these encryption +types in the KDC database. + +The \textbf{aes128-sha2} and \textbf{aes256-sha2} encryption types are new in +release 1.15. Services running versions of krb5 without support for +these newer encryption types must not be given keys of these +encryption types in the KDC database. + + +\subsubsection{Keysalt lists} +\label{admin/conf_files/kdc_conf:id7}\label{admin/conf_files/kdc_conf:keysalt-lists} +Kerberos keys for users are usually derived from passwords. Kerberos +commands and configuration parameters that affect generation of keys +take lists of enctype-salttype (``keysalt'') pairs, known as \emph{keysalt +lists}. Each keysalt pair is an enctype name followed by a salttype +name, in the format \emph{enc}:\emph{salt}. Individual keysalt list members are +separated by comma ('','') characters or space characters. For example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin \PYGZhy{}e aes256\PYGZhy{}cts:normal,aes128\PYGZhy{}cts:normal +\end{Verbatim} + +would start up kadmin so that by default it would generate +password-derived keys for the \textbf{aes256-cts} and \textbf{aes128-cts} +encryption types, using a \textbf{normal} salt. + +To ensure that people who happen to pick the same password do not have +the same key, Kerberos 5 incorporates more information into the key +using something called a salt. The supported salt types are as +follows: + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +normal + & +default for Kerberos Version 5 +\\ +\hline +v4 + & +the only type used by Kerberos Version 4 (no salt) +\\ +\hline +norealm + & +same as the default, without using realm information +\\ +\hline +onlyrealm + & +uses only realm information as the salt +\\ +\hline +afs3 + & +AFS version 3, only used for compatibility with Kerberos 4 in AFS +\\ +\hline +special + & +generate a random salt +\\ +\hline\end{tabulary} + + + +\subsubsection{Sample kdc.conf File} +\label{admin/conf_files/kdc_conf:sample-kdc-conf-file} +Here's an example of a kdc.conf file: + +\begin{Verbatim}[commandchars=\\\{\}] +[kdcdefaults] + kdc\PYGZus{}listen = 88 + kdc\PYGZus{}tcp\PYGZus{}listen = 88 +[realms] + ATHENA.MIT.EDU = \PYGZob{} + kadmind\PYGZus{}port = 749 + max\PYGZus{}life = 12h 0m 0s + max\PYGZus{}renewable\PYGZus{}life = 7d 0h 0m 0s + master\PYGZus{}key\PYGZus{}type = aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 + supported\PYGZus{}enctypes = aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal + database\PYGZus{}module = openldap\PYGZus{}ldapconf + \PYGZcb{} + +[logging] + kdc = FILE:/usr/local/var/krb5kdc/kdc.log + admin\PYGZus{}server = FILE:/usr/local/var/krb5kdc/kadmin.log + +[dbdefaults] + ldap\PYGZus{}kerberos\PYGZus{}container\PYGZus{}dn = cn=krbcontainer,dc=mit,dc=edu + +[dbmodules] + openldap\PYGZus{}ldapconf = \PYGZob{} + db\PYGZus{}library = kldap + disable\PYGZus{}last\PYGZus{}success = true + ldap\PYGZus{}kdc\PYGZus{}dn = \PYGZdq{}cn=krbadmin,dc=mit,dc=edu\PYGZdq{} + \PYGZsh{} this object needs to have read rights on + \PYGZsh{} the realm container and principal subtrees + ldap\PYGZus{}kadmind\PYGZus{}dn = \PYGZdq{}cn=krbadmin,dc=mit,dc=edu\PYGZdq{} + \PYGZsh{} this object needs to have read and write rights on + \PYGZsh{} the realm container and principal subtrees + ldap\PYGZus{}service\PYGZus{}password\PYGZus{}file = /etc/kerberos/service.keyfile + ldap\PYGZus{}servers = ldaps://kerberos.mit.edu + ldap\PYGZus{}conns\PYGZus{}per\PYGZus{}server = 5 + \PYGZcb{} +\end{Verbatim} + + +\subsubsection{FILES} +\label{admin/conf_files/kdc_conf:files} +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kdc.conf} + + +\subsubsection{SEE ALSO} +\label{admin/conf_files/kdc_conf:see-also} +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}, {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}}, {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}} + + +\subsection{kadm5.acl} +\label{admin/conf_files/kadm5_acl:kadm5-acl}\label{admin/conf_files/kadm5_acl:kadm5-acl-5}\label{admin/conf_files/kadm5_acl::doc} + +\subsubsection{DESCRIPTION} +\label{admin/conf_files/kadm5_acl:description} +The Kerberos {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon uses an Access Control List +(ACL) file to manage access rights to the Kerberos database. +For operations that affect principals, the ACL file also controls +which principals can operate on which other principals. + +The default location of the Kerberos ACL file is +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl} unless this is overridden by the \emph{acl\_file} +variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. + + +\subsubsection{SYNTAX} +\label{admin/conf_files/kadm5_acl:syntax} +Empty lines and lines starting with the sharp sign (\code{\#}) are +ignored. Lines containing ACL entries have the format: + +\begin{Verbatim}[commandchars=\\\{\}] +principal permissions [target\PYGZus{}principal [restrictions] ] +\end{Verbatim} + +\begin{notice}{note}{Note:} +Line order in the ACL file is important. The first matching entry +will control access for an actor principal on a target principal. +\end{notice} +\begin{description} +\item[{\emph{principal}}] \leavevmode +(Partially or fully qualified Kerberos principal name.) Specifies +the principal whose permissions are to be set. + +Each component of the name may be wildcarded using the \code{*} +character. + +\item[{\emph{permissions}}] \leavevmode +Specifies what operations may or may not be performed by a +\emph{principal} matching a particular entry. This is a string of one or +more of the following list of characters or their upper-case +counterparts. If the character is \emph{upper-case}, then the operation +is disallowed. If the character is \emph{lower-case}, then the operation +is permitted. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +a + & +{[}Dis{]}allows the addition of principals or policies +\\ +\hline +c + & +{[}Dis{]}allows the changing of passwords for principals +\\ +\hline +d + & +{[}Dis{]}allows the deletion of principals or policies +\\ +\hline +e + & +{[}Dis{]}allows the extraction of principal keys +\\ +\hline +i + & +{[}Dis{]}allows inquiries about principals or policies +\\ +\hline +l + & +{[}Dis{]}allows the listing of all principals or policies +\\ +\hline +m + & +{[}Dis{]}allows the modification of principals or policies +\\ +\hline +p + & +{[}Dis{]}allows the propagation of the principal database (used in {\hyperref[admin/database:incr-db-prop]{\emph{Incremental database propagation}}}) +\\ +\hline +s + & +{[}Dis{]}allows the explicit setting of the key for a principal +\\ +\hline +x + & +Short for admcilsp. All privileges (except \code{e}) +\\ +\hline +* + & +Same as x. +\\ +\hline\end{tabulary} + + +\end{description} + +\begin{notice}{note}{Note:} +The \code{extract} privilege is not included in the wildcard +privilege; it must be explicitly assigned. This privilege +allows the user to extract keys from the database, and must be +handled with great care to avoid disclosure of important keys +like those of the kadmin/* or krbtgt/* principals. The +\textbf{lockdown\_keys} principal attribute can be used to prevent +key extraction from specific principals regardless of the +granted privilege. +\end{notice} +\begin{description} +\item[{\emph{target\_principal}}] \leavevmode +(Optional. Partially or fully qualified Kerberos principal name.) +Specifies the principal on which \emph{permissions} may be applied. +Each component of the name may be wildcarded using the \code{*} +character. + +\emph{target\_principal} can also include back-references to \emph{principal}, +in which \code{*number} matches the corresponding wildcard in +\emph{principal}. + +\item[{\emph{restrictions}}] \leavevmode +(Optional) A string of flags. Allowed restrictions are: +\begin{quote} +\begin{description} +\item[{\{+\textbar{}-\}\emph{flagname}}] \leavevmode +flag is forced to the indicated value. The permissible flags +are the same as those for the \textbf{default\_principal\_flags} +variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. + +\item[{\emph{-clearpolicy}}] \leavevmode +policy is forced to be empty. + +\item[{\emph{-policy pol}}] \leavevmode +policy is forced to be \emph{pol}. + +\item[{-\{\emph{expire, pwexpire, maxlife, maxrenewlife}\} \emph{time}}] \leavevmode +(\emph{getdate} string) associated value will be forced to +MIN(\emph{time}, requested value). + +\end{description} +\end{quote} + +The above flags act as restrictions on any add or modify operation +which is allowed due to that ACL line. + +\end{description} + +\begin{notice}{warning}{Warning:} +If the kadmind ACL file is modified, the kadmind daemon needs to be +restarted for changes to take effect. +\end{notice} + + +\subsubsection{EXAMPLE} +\label{admin/conf_files/kadm5_acl:example} +Here is an example of a kadm5.acl file: + +\begin{Verbatim}[commandchars=\\\{\}] +*/admin@ATHENA.MIT.EDU * \PYGZsh{} line 1 +joeadmin@ATHENA.MIT.EDU ADMCIL \PYGZsh{} line 2 +joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU \PYGZsh{} line 3 +*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU \PYGZsh{} line 4 +*/root@ATHENA.MIT.EDU l * \PYGZsh{} line 5 +sms@ATHENA.MIT.EDU x * \PYGZhy{}maxlife 9h \PYGZhy{}postdateable \PYGZsh{} line 6 +\end{Verbatim} + +(line 1) Any principal in the \code{ATHENA.MIT.EDU} realm with +an \code{admin} instance has all administrative privileges. + +(lines 1-3) The user \code{joeadmin} has all permissions with his +\code{admin} instance, \code{joeadmin/admin@ATHENA.MIT.EDU} (matches line +1). He has no permissions at all with his null instance, +\code{joeadmin@ATHENA.MIT.EDU} (matches line 2). His \code{root} and other +non-\code{admin}, non-null instances (e.g., \code{extra} or \code{dbadmin}) have +inquire permissions with any principal that has the instance \code{root} +(matches line 3). + +(line 4) Any \code{root} principal in \code{ATHENA.MIT.EDU} can inquire +or change the password of their null instance, but not any other +null instance. (Here, \code{*1} denotes a back-reference to the +component matching the first wildcard in the actor principal.) + +(line 5) Any \code{root} principal in \code{ATHENA.MIT.EDU} can generate +the list of principals in the database, and the list of policies +in the database. This line is separate from line 4, because list +permission can only be granted globally, not to specific target +principals. + +(line 6) Finally, the Service Management System principal +\code{sms@ATHENA.MIT.EDU} has all permissions, but any principal that it +creates or modifies will not be able to get postdateable tickets or +tickets with a life of longer than 9 hours. + + +\subsubsection{SEE ALSO} +\label{admin/conf_files/kadm5_acl:see-also} +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}, {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} + + +\chapter{Realm configuration decisions} +\label{admin/realm_config:realm-configuration-decisions}\label{admin/realm_config::doc} +Before installing Kerberos V5, it is necessary to consider the +following issues: +\begin{itemize} +\item {} +The name of your Kerberos realm (or the name of each realm, if you +need more than one). + +\item {} +How you will assign your hostnames to Kerberos realms. + +\item {} +Which ports your KDC and and kadmind services will use, if they will +not be using the default ports. + +\item {} +How many slave KDCs you need and where they should be located. + +\item {} +The hostnames of your master and slave KDCs. + +\item {} +How frequently you will propagate the database from the master KDC +to the slave KDCs. + +\end{itemize} + + +\section{Realm name} +\label{admin/realm_config:realm-name} +Although your Kerberos realm can be any ASCII string, convention is to +make it the same as your domain name, in upper-case letters. + +For example, hosts in the domain \code{example.com} would be in the +Kerberos realm: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} +\end{Verbatim} + +If you need multiple Kerberos realms, MIT recommends that you use +descriptive names which end with your domain name, such as: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{BOSTON}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} +\PYG{n}{HOUSTON}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} +\end{Verbatim} + + +\section{Mapping hostnames onto Kerberos realms} +\label{admin/realm_config:mapping-hostnames-onto-kerberos-realms}\label{admin/realm_config:mapping-hostnames} +Mapping hostnames onto Kerberos realms is done in one of three ways. + +The first mechanism works through a set of rules in the +{\hyperref[admin/conf_files/krb5_conf:domain-realm]{\emph{{[}domain\_realm{]}}}} section of {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. You can specify +mappings for an entire domain or on a per-hostname basis. Typically +you would do this by specifying the mappings for a given domain or +subdomain and listing the exceptions. + +The second mechanism is to use KDC host-based service referrals. With +this method, the KDC's krb5.conf has a full {[}domain\_realm{]} mapping for +hosts, but the clients do not, or have mappings for only a subset of +the hosts they might contact. When a client needs to contact a server +host for which it has no mapping, it will ask the client realm's KDC +for the service ticket, and will receive a referral to the appropriate +service realm. + +To use referrals, clients must be running MIT krb5 1.6 or later, and +the KDC must be running MIT krb5 1.7 or later. The +\textbf{host\_based\_services} and \textbf{no\_host\_referral} variables in the +{\hyperref[admin/conf_files/kdc_conf:kdc-realms]{\emph{{[}realms{]}}}} section of {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} can be used to +fine-tune referral behavior on the KDC. + +It is also possible for clients to use DNS TXT records, if +\textbf{dns\_lookup\_realm} is enabled in {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. Such lookups +are disabled by default because DNS is an insecure protocol and security +holes could result if DNS records are spoofed. If enabled, the client +will try to look up a TXT record formed by prepending the prefix +\code{\_kerberos} to the hostname in question. If that record is not +found, the client will attempt a lookup by prepending \code{\_kerberos} to the +host's domain name, then its parent domain, up to the top-level domain. +For the hostname \code{boston.engineering.example.com}, the names looked up +would be: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{boston}\PYG{o}{.}\PYG{n}{engineering}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} +\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{engineering}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} +\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} +\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{com} +\end{Verbatim} + +The value of the first TXT record found is taken as the realm name. + +Even if you do not choose to use this mechanism within your site, +you may wish to set it up anyway, for use when interacting with other sites. + + +\section{Ports for the KDC and admin services} +\label{admin/realm_config:ports-for-the-kdc-and-admin-services} +The default ports used by Kerberos are port 88 for the KDC and port +749 for the admin server. You can, however, choose to run on other +ports, as long as they are specified in each host's +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} files or in DNS SRV records, and the +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file on each KDC. For a more thorough treatment of +port numbers used by the Kerberos V5 programs, refer to the +{\hyperref[admin/appl_servers:conf-firewall]{\emph{Configuring your firewall to work with Kerberos V5}}}. + + +\section{Slave KDCs} +\label{admin/realm_config:slave-kdcs} +Slave KDCs provide an additional source of Kerberos ticket-granting +services in the event of inaccessibility of the master KDC. The +number of slave KDCs you need and the decision of where to place them, +both physically and logically, depends on the specifics of your +network. + +Kerberos authentication requires that each client be able to contact a +KDC. Therefore, you need to anticipate any likely reason a KDC might +be unavailable and have a slave KDC to take up the slack. + +Some considerations include: +\begin{itemize} +\item {} +Have at least one slave KDC as a backup, for when the master KDC is +down, is being upgraded, or is otherwise unavailable. + +\item {} +If your network is split such that a network outage is likely to +cause a network partition (some segment or segments of the network +to become cut off or isolated from other segments), have a slave KDC +accessible to each segment. + +\item {} +If possible, have at least one slave KDC in a different building +from the master, in case of power outages, fires, or other localized +disasters. + +\end{itemize} + + +\section{Hostnames for KDCs} +\label{admin/realm_config:kdc-hostnames}\label{admin/realm_config:hostnames-for-kdcs} +MIT recommends that your KDCs have a predefined set of CNAME records +(DNS hostname aliases), such as \code{kerberos} for the master KDC and +\code{kerberos-1}, \code{kerberos-2}, ... for the slave KDCs. This way, if +you need to swap a machine, you only need to change a DNS entry, +rather than having to change hostnames. + +As of MIT krb5 1.4, clients can locate a realm's KDCs through DNS +using SRV records (\index{RFC!RFC 2782}\href{http://tools.ietf.org/html/rfc2782.html}{\textbf{RFC 2782}}), assuming the Kerberos realm name is +also a DNS domain name. These records indicate the hostname and port +number to contact for that service, optionally with weighting and +prioritization. The domain name used in the SRV record name is the +realm name. Several different Kerberos-related service names are +used: +\begin{description} +\item[{\_kerberos.\_udp}] \leavevmode +This is for contacting any KDC by UDP. This entry will be used +the most often. Normally you should list port 88 on each of your +KDCs. + +\item[{\_kerberos.\_tcp}] \leavevmode +This is for contacting any KDC by TCP. The MIT KDC by default +will not listen on any TCP ports, so unless you've changed the +configuration or you're running another KDC implementation, you +should leave this unspecified. If you do enable TCP support, +normally you should use port 88. + +\item[{\_kerberos-master.\_udp}] \leavevmode +This entry should refer to those KDCs, if any, that will +immediately see password changes to the Kerberos database. If a +user is logging in and the password appears to be incorrect, the +client will retry with the master KDC before failing with an +``incorrect password'' error given. + +If you have only one KDC, or for whatever reason there is no +accessible KDC that would get database changes faster than the +others, you do not need to define this entry. + +\item[{\_kerberos-adm.\_tcp}] \leavevmode +This should list port 749 on your master KDC. Support for it is +not complete at this time, but it will eventually be used by the +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} program and related utilities. For now, you will +also need the \textbf{admin\_server} variable in {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. + +\item[{\_kpasswd.\_udp}] \leavevmode +This should list port 464 on your master KDC. It is used when a +user changes her password. If this entry is not defined but a +\_kerberos-adm.\_tcp entry is defined, the client will use the +\_kerberos-adm.\_tcp entry with the port number changed to 749. + +\end{description} + +The DNS SRV specification requires that the hostnames listed be the +canonical names, not aliases. So, for example, you might include the +following records in your (BIND-style) zone file: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYGZdl{}ORIGIN foobar.com. +\PYGZus{}kerberos TXT \PYGZdq{}FOOBAR.COM\PYGZdq{} +kerberos CNAME daisy +kerberos\PYGZhy{}1 CNAME use\PYGZhy{}the\PYGZhy{}force\PYGZhy{}luke +kerberos\PYGZhy{}2 CNAME bunny\PYGZhy{}rabbit +\PYGZus{}kerberos.\PYGZus{}udp SRV 0 0 88 daisy + SRV 0 0 88 use\PYGZhy{}the\PYGZhy{}force\PYGZhy{}luke + SRV 0 0 88 bunny\PYGZhy{}rabbit +\PYGZus{}kerberos\PYGZhy{}master.\PYGZus{}udp SRV 0 0 88 daisy +\PYGZus{}kerberos\PYGZhy{}adm.\PYGZus{}tcp SRV 0 0 749 daisy +\PYGZus{}kpasswd.\PYGZus{}udp SRV 0 0 464 daisy +\end{Verbatim} + +Clients can also be configured with the explicit location of services +using the \textbf{kdc}, \textbf{master\_kdc}, \textbf{admin\_server}, and +\textbf{kpasswd\_server} variables in the {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} section of +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. Even if some clients will be configured with +explicit server locations, providing SRV records will still benefit +unconfigured clients, and be useful for other sites. + + +\section{KDC Discovery} +\label{admin/realm_config:kdc-discovery}\label{admin/realm_config:id1} +As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI +records (\index{RFC!RFC 7553}\href{http://tools.ietf.org/html/rfc7553.html}{\textbf{RFC 7553}}). Limitations with the SRV record format may +result in extra DNS queries in situations where a client must failover +to other transport types, or find a master server. The URI record can +convey more information about a realm's KDCs with a single query. + +The client performs a query for the following URI records: +\begin{itemize} +\item {} +\code{\_kerberos.REALM} for fiding KDCs. + +\item {} +\code{\_kerberos-adm.REALM} for finding kadmin services. + +\item {} +\code{\_kpasswd.REALM} for finding password services. + +\end{itemize} + +The URI record includes a priority, weight, and a URI string that +consists of case-insensitive colon separated fields, in the form +\code{scheme:{[}flags{]}:transport:residual}. +\begin{itemize} +\item {} +\emph{scheme} defines the registered URI type. It should always be +\code{krb5srv}. + +\item {} +\emph{flags} contains zero or more flag characters. Currently the only +valid flag is \code{m}, which indicates that the record is for a master +server. + +\item {} +\emph{transport} defines the transport type of the residual URL or +address. Accepted values are \code{tcp}, \code{udp}, or \code{kkdcp} for the +MS-KKDCP type. + +\item {} +\emph{residual} contains the hostname, IP address, or URL to be +contacted using the specified transport, with an optional port +extension. The MS-KKDCP transport type uses a HTTPS URL, and can +include a port and/or path extension. + +\end{itemize} + +An example of URI records in a zone file: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYGZus{}kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com + URI 20 1 krb5srv:m:udp:kdc2.example.com:89 + URI 40 1 krb5srv::udp:10.10.0.23 + URI 30 1 krb5srv::kkdcp:https://proxy:89/auth +\end{Verbatim} + +URI lookups are enabled by default, and can be disabled by setting +\textbf{dns\_uri\_lookup} in the {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} section of +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} to False. When enabled, URI lookups take +precedence over SRV lookups, falling back to SRV lookups if no URI +records are found. + + +\section{Database propagation} +\label{admin/realm_config:database-propagation}\label{admin/realm_config:db-prop} +The Kerberos database resides on the master KDC, and must be +propagated regularly (usually by a cron job) to the slave KDCs. In +deciding how frequently the propagation should happen, you will need +to balance the amount of time the propagation takes against the +maximum reasonable amount of time a user should have to wait for a +password change to take effect. + +If the propagation time is longer than this maximum reasonable time +(e.g., you have a particularly large database, you have a lot of +slaves, or you experience frequent network delays), you may wish to +cut down on your propagation delay by performing the propagation in +parallel. To do this, have the master KDC propagate the database to +one set of slaves, and then have each of these slaves propagate the +database to additional slaves. + +See also {\hyperref[admin/database:incr-db-prop]{\emph{Incremental database propagation}}} + + +\chapter{Database administration} +\label{admin/database::doc}\label{admin/database:database-administration} +A Kerberos database contains all of a realm's Kerberos principals, +their passwords, and other administrative information about each +principal. For the most part, you will use the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} +program to manipulate the Kerberos database as a whole, and the +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} program to make changes to the entries in the +database. (One notable exception is that users will use the +\emph{kpasswd(1)} program to change their own passwords.) The kadmin +program has its own command-line interface, to which you type the +database administrating commands. + +{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} provides a means to create, delete, load, or dump +a Kerberos database. It also contains commands to roll over the +database master key, and to stash a copy of the key so that the +{\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} and {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemons can use the database +without manual input. + +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} provides for the maintenance of Kerberos principals, +password policies, and service key tables (keytabs). Normally it +operates as a network client using Kerberos authentication to +communicate with {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}}, but there is also a variant, named +kadmin.local, which directly accesses the Kerberos database on the +local filesystem (or through LDAP). kadmin.local is necessary to set +up enough of the database to be able to use the remote version. + +kadmin can authenticate to the admin server using the service +principal \code{kadmin/HOST} (where \emph{HOST} is the hostname of the admin +server) or \code{kadmin/admin}. If the credentials cache contains a +ticket for either service principal and the \textbf{-c} ccache option is +specified, that ticket is used to authenticate to KADM5. Otherwise, +the \textbf{-p} and \textbf{-k} options are used to specify the client Kerberos +principal name used to authenticate. Once kadmin has determined the +principal name, it requests a \code{kadmin/admin} Kerberos service ticket +from the KDC, and uses that service ticket to authenticate to KADM5. + +See {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} for the available kadmin and kadmin.local +commands and options. + + +\section{kadmin options} +\label{admin/database:kadmin-options} +You can invoke {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} or kadmin.local with any of the +following options: + +\textbf{kadmin} +{[}\textbf{-O}\textbar{}\textbf{-N}{]} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-p} \emph{principal}{]} +{[}\textbf{-q} \emph{query}{]} +{[}{[}\textbf{-c} \emph{cache\_name}{]}\textbar{}{[}\textbf{-k} {[}\textbf{-t} \emph{keytab}{]}{]}\textbar{}\textbf{-n}{]} +{[}\textbf{-w} \emph{password}{]} +{[}\textbf{-s} \emph{admin\_server}{[}:\emph{port}{]}{]} +{[}command args...{]} + +\textbf{kadmin.local} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-p} \emph{principal}{]} +{[}\textbf{-q} \emph{query}{]} +{[}\textbf{-d} \emph{dbname}{]} +{[}\textbf{-e} \emph{enc}:\emph{salt} ...{]} +{[}\textbf{-m}{]} +{[}\textbf{-x} \emph{db\_args}{]} +{[}command args...{]} + +\textbf{OPTIONS} +\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Use \emph{realm} as the default database realm. + +\item[{\textbf{-p} \emph{principal}}] \leavevmode +Use \emph{principal} to authenticate. Otherwise, kadmin will append +\code{/admin} to the primary principal name of the default ccache, +the value of the \textbf{USER} environment variable, or the username as +obtained with getpwuid, in order of preference. + +\item[{\textbf{-k}}] \leavevmode +Use a keytab to decrypt the KDC response instead of prompting for +a password. In this case, the default principal will be +\code{host/hostname}. If there is no keytab specified with the +\textbf{-t} option, then the default keytab will be used. + +\item[{\textbf{-t} \emph{keytab}}] \leavevmode +Use \emph{keytab} to decrypt the KDC response. This can only be used +with the \textbf{-k} option. + +\item[{\textbf{-n}}] \leavevmode +Requests anonymous processing. Two types of anonymous principals +are supported. For fully anonymous Kerberos, configure PKINIT on +the KDC and configure \textbf{pkinit\_anchors} in the client's +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. Then use the \textbf{-n} option with a principal +of the form \code{@REALM} (an empty principal name followed by the +at-sign and a realm name). If permitted by the KDC, an anonymous +ticket will be returned. A second form of anonymous tickets is +supported; these realm-exposed tickets hide the identity of the +client but not the client's realm. For this mode, use \code{kinit +-n} with a normal principal name. If supported by the KDC, the +principal (but not realm) will be replaced by the anonymous +principal. As of release 1.8, the MIT Kerberos KDC only supports +fully anonymous operation. + +\item[{\textbf{-c} \emph{credentials\_cache}}] \leavevmode +Use \emph{credentials\_cache} as the credentials cache. The +cache should contain a service ticket for the \code{kadmin/ADMINHOST} +(where \emph{ADMINHOST} is the fully-qualified hostname of the admin +server) or \code{kadmin/admin} service; it can be acquired with the +\emph{kinit(1)} program. If this option is not specified, kadmin +requests a new service ticket from the KDC, and stores it in its +own temporary ccache. + +\item[{\textbf{-w} \emph{password}}] \leavevmode +Use \emph{password} instead of prompting for one. Use this option with +care, as it may expose the password to other users on the system +via the process list. + +\item[{\textbf{-q} \emph{query}}] \leavevmode +Perform the specified query and then exit. + +\item[{\textbf{-d} \emph{dbname}}] \leavevmode +Specifies the name of the KDC database. This option does not +apply to the LDAP database module. + +\item[{\textbf{-s} \emph{admin\_server}{[}:\emph{port}{]}}] \leavevmode +Specifies the admin server which kadmin should contact. + +\item[{\textbf{-m}}] \leavevmode +If using kadmin.local, prompt for the database master password +instead of reading it from a stash file. + +\item[{\textbf{-e} ``\emph{enc}:\emph{salt} ...''}] \leavevmode +Sets the keysalt list to be used for any new keys created. See +{\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of possible +values. + +\item[{\textbf{-O}}] \leavevmode +Force use of old AUTH\_GSSAPI authentication flavor. + +\item[{\textbf{-N}}] \leavevmode +Prevent fallback to AUTH\_GSSAPI authentication flavor. + +\item[{\textbf{-x} \emph{db\_args}}] \leavevmode +Specifies the database specific arguments. See the next section +for supported options. + +\end{description} + + +\section{Date Format} +\label{admin/database:date-format} +For the supported date-time formats see \emph{getdate} section +in \emph{datetime}. + + +\section{Principals} +\label{admin/database:principals} +Each entry in the Kerberos database contains a Kerberos principal and +the attributes and policies associated with that principal. + + +\subsection{Adding, modifying and deleting principals} +\label{admin/database:add-mod-del-princs}\label{admin/database:adding-modifying-and-deleting-principals} +To add a principal to the database, use the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} +\textbf{add\_principal} command. + +To modify attributes of a principal, use the kadmin +\textbf{modify\_principal} command. + +To delete a principal, use the kadmin \textbf{delete\_principal} command. + + +\subsection{add\_principal} +\label{admin/database:add-principal}\begin{quote} + +\textbf{add\_principal} {[}\emph{options}{]} \emph{newprinc} +\end{quote} + +Creates the principal \emph{newprinc}, prompting twice for a password. If +no password policy is specified with the \textbf{-policy} option, and the +policy named \code{default} is assigned to the principal if it exists. +However, creating a policy named \code{default} will not automatically +assign this policy to previously existing principals. This policy +assignment can be suppressed with the \textbf{-clearpolicy} option. + +This command requires the \textbf{add} privilege. + +Aliases: \textbf{addprinc}, \textbf{ank} + +Options: +\begin{description} +\item[{\textbf{-expire} \emph{expdate}}] \leavevmode +(\emph{getdate} string) The expiration date of the principal. + +\item[{\textbf{-pwexpire} \emph{pwexpdate}}] \leavevmode +(\emph{getdate} string) The password expiration date. + +\item[{\textbf{-maxlife} \emph{maxlife}}] \leavevmode +(\emph{duration} or \emph{getdate} string) The maximum ticket life +for the principal. + +\item[{\textbf{-maxrenewlife} \emph{maxrenewlife}}] \leavevmode +(\emph{duration} or \emph{getdate} string) The maximum renewable +life of tickets for the principal. + +\item[{\textbf{-kvno} \emph{kvno}}] \leavevmode +The initial key version number. + +\item[{\textbf{-policy} \emph{policy}}] \leavevmode +The password policy used by this principal. If not specified, the +policy \code{default} is used if it exists (unless \textbf{-clearpolicy} +is specified). + +\item[{\textbf{-clearpolicy}}] \leavevmode +Prevents any policy from being assigned when \textbf{-policy} is not +specified. + +\item[{\{-\textbar{}+\}\textbf{allow\_postdated}}] \leavevmode +\textbf{-allow\_postdated} prohibits this principal from obtaining +postdated tickets. \textbf{+allow\_postdated} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_forwardable}}] \leavevmode +\textbf{-allow\_forwardable} prohibits this principal from obtaining +forwardable tickets. \textbf{+allow\_forwardable} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_renewable}}] \leavevmode +\textbf{-allow\_renewable} prohibits this principal from obtaining +renewable tickets. \textbf{+allow\_renewable} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_proxiable}}] \leavevmode +\textbf{-allow\_proxiable} prohibits this principal from obtaining +proxiable tickets. \textbf{+allow\_proxiable} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_dup\_skey}}] \leavevmode +\textbf{-allow\_dup\_skey} disables user-to-user authentication for this +principal by prohibiting this principal from obtaining a session +key for another user. \textbf{+allow\_dup\_skey} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{requires\_preauth}}] \leavevmode +\textbf{+requires\_preauth} requires this principal to preauthenticate +before being allowed to kinit. \textbf{-requires\_preauth} clears this +flag. When \textbf{+requires\_preauth} is set on a service principal, +the KDC will only issue service tickets for that service principal +if the client's initial authentication was performed using +preauthentication. + +\item[{\{-\textbar{}+\}\textbf{requires\_hwauth}}] \leavevmode +\textbf{+requires\_hwauth} requires this principal to preauthenticate +using a hardware device before being allowed to kinit. +\textbf{-requires\_hwauth} clears this flag. When \textbf{+requires\_hwauth} is +set on a service principal, the KDC will only issue service tickets +for that service principal if the client's initial authentication was +performed using a hardware device to preauthenticate. + +\item[{\{-\textbar{}+\}\textbf{ok\_as\_delegate}}] \leavevmode +\textbf{+ok\_as\_delegate} sets the \textbf{okay as delegate} flag on tickets +issued with this principal as the service. Clients may use this +flag as a hint that credentials should be delegated when +authenticating to the service. \textbf{-ok\_as\_delegate} clears this +flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_svr}}] \leavevmode +\textbf{-allow\_svr} prohibits the issuance of service tickets for this +principal. \textbf{+allow\_svr} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_tgs\_req}}] \leavevmode +\textbf{-allow\_tgs\_req} specifies that a Ticket-Granting Service (TGS) +request for a service ticket for this principal is not permitted. +\textbf{+allow\_tgs\_req} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_tix}}] \leavevmode +\textbf{-allow\_tix} forbids the issuance of any tickets for this +principal. \textbf{+allow\_tix} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{needchange}}] \leavevmode +\textbf{+needchange} forces a password change on the next initial +authentication to this principal. \textbf{-needchange} clears this +flag. + +\item[{\{-\textbar{}+\}\textbf{password\_changing\_service}}] \leavevmode +\textbf{+password\_changing\_service} marks this principal as a password +change service principal. + +\item[{\{-\textbar{}+\}\textbf{ok\_to\_auth\_as\_delegate}}] \leavevmode +\textbf{+ok\_to\_auth\_as\_delegate} allows this principal to acquire +forwardable tickets to itself from arbitrary users, for use with +constrained delegation. + +\item[{\{-\textbar{}+\}\textbf{no\_auth\_data\_required}}] \leavevmode +\textbf{+no\_auth\_data\_required} prevents PAC or AD-SIGNEDPATH data from +being added to service tickets for the principal. + +\item[{\{-\textbar{}+\}\textbf{lockdown\_keys}}] \leavevmode +\textbf{+lockdown\_keys} prevents keys for this principal from leaving +the KDC via kadmind. The chpass and extract operations are denied +for a principal with this attribute. The chrand operation is +allowed, but will not return the new keys. The delete and rename +operations are also denied if this attribute is set, in order to +prevent a malicious administrator from replacing principals like +krbtgt/* or kadmin/* with new principals without the attribute. +This attribute can be set via the network protocol, but can only +be removed using kadmin.local. + +\item[{\textbf{-randkey}}] \leavevmode +Sets the key of the principal to a random value. + +\item[{\textbf{-nokey}}] \leavevmode +Causes the principal to be created with no key. New in release +1.12. + +\item[{\textbf{-pw} \emph{password}}] \leavevmode +Sets the password of the principal to the specified string and +does not prompt for a password. Note: using this option in a +shell script may expose the password to other users on the system +via the process list. + +\item[{\textbf{-e} \emph{enc}:\emph{salt},...}] \leavevmode +Uses the specified keysalt list for setting the keys of the +principal. See {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a +list of possible values. + +\item[{\textbf{-x} \emph{db\_princ\_args}}] \leavevmode +Indicates database-specific options. The options for the LDAP +database module are: +\begin{description} +\item[{\textbf{-x dn=}\emph{dn}}] \leavevmode +Specifies the LDAP object that will contain the Kerberos +principal being created. + +\item[{\textbf{-x linkdn=}\emph{dn}}] \leavevmode +Specifies the LDAP object to which the newly created Kerberos +principal object will point. + +\item[{\textbf{-x containerdn=}\emph{container\_dn}}] \leavevmode +Specifies the container object under which the Kerberos +principal is to be created. + +\item[{\textbf{-x tktpolicy=}\emph{policy}}] \leavevmode +Associates a ticket policy to the Kerberos principal. + +\end{description} + +\begin{notice}{note}{Note:}\begin{itemize} +\item {} +The \textbf{containerdn} and \textbf{linkdn} options cannot be +specified with the \textbf{dn} option. + +\item {} +If the \emph{dn} or \emph{containerdn} options are not specified while +adding the principal, the principals are created under the +principal container configured in the realm or the realm +container. + +\item {} +\emph{dn} and \emph{containerdn} should be within the subtrees or +principal container configured in the realm. + +\end{itemize} +\end{notice} + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: addprinc jennifer +WARNING: no policy specified for \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{}; +defaulting to no policy. +Enter password for principal jennifer@ATHENA.MIT.EDU: +Re\PYGZhy{}enter password for principal jennifer@ATHENA.MIT.EDU: +Principal \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{} created. +kadmin: +\end{Verbatim} + + +\subsection{modify\_principal} +\label{admin/database:modify-principal}\begin{quote} + +\textbf{modify\_principal} {[}\emph{options}{]} \emph{principal} +\end{quote} + +Modifies the specified principal, changing the fields as specified. +The options to \textbf{add\_principal} also apply to this command, except +for the \textbf{-randkey}, \textbf{-pw}, and \textbf{-e} options. In addition, the +option \textbf{-clearpolicy} will clear the current policy of a principal. + +This command requires the \emph{modify} privilege. + +Alias: \textbf{modprinc} + +Options (in addition to the \textbf{addprinc} options): +\begin{description} +\item[{\textbf{-unlock}}] \leavevmode +Unlocks a locked principal (one which has received too many failed +authentication attempts without enough time between them according +to its password policy) so that it can successfully authenticate. + +\end{description} + + +\subsection{delete\_principal} +\label{admin/database:delete-principal}\begin{quote} + +\textbf{delete\_principal} {[}\textbf{-force}{]} \emph{principal} +\end{quote} + +Deletes the specified \emph{principal} from the database. This command +prompts for deletion, unless the \textbf{-force} option is given. + +This command requires the \textbf{delete} privilege. + +Alias: \textbf{delprinc} + + +\subsubsection{Examples} +\label{admin/database:examples} +If you want to create a principal which is contained by a LDAP object, +all you need to do is: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: addprinc \PYGZhy{}x dn=cn=jennifer,dc=example,dc=com jennifer +WARNING: no policy specified for \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{}; +defaulting to no policy. +Enter password for principal jennifer@ATHENA.MIT.EDU: \PYGZlt{}= Type the password. +Re\PYGZhy{}enter password for principal jennifer@ATHENA.MIT.EDU: \PYGZlt{}=Type it again. +Principal \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{} created. +kadmin: +\end{Verbatim} + +If you want to create a principal under a specific LDAP container and +link to an existing LDAP object, all you need to do is: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: addprinc \PYGZhy{}x containerdn=dc=example,dc=com \PYGZhy{}x linkdn=cn=david,dc=example,dc=com david +WARNING: no policy specified for \PYGZdq{}david@ATHENA.MIT.EDU\PYGZdq{}; +defaulting to no policy. +Enter password for principal david@ATHENA.MIT.EDU: \PYGZlt{}= Type the password. +Re\PYGZhy{}enter password for principal david@ATHENA.MIT.EDU: \PYGZlt{}=Type it again. +Principal \PYGZdq{}david@ATHENA.MIT.EDU\PYGZdq{} created. +kadmin: +\end{Verbatim} + +If you want to associate a ticket policy to a principal, all you need +to do is: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: modprinc \PYGZhy{}x tktpolicy=userpolicy david +Principal \PYGZdq{}david@ATHENA.MIT.EDU\PYGZdq{} modified. +kadmin: +\end{Verbatim} + +If, on the other hand, you want to set up an account that expires on +January 1, 2000, that uses a policy called ``stduser'', with a temporary +password (which you want the user to change immediately), you would +type the following: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: addprinc david \PYGZhy{}expire \PYGZdq{}1/1/2000 12:01am EST\PYGZdq{} \PYGZhy{}policy stduser +needchange +Enter password for principal david@ATHENA.MIT.EDU: \PYGZlt{}= Type the password. +Re\PYGZhy{}enter password for principal +david@ATHENA.MIT.EDU: \PYGZlt{}= Type it again. +Principal \PYGZdq{}david@ATHENA.MIT.EDU\PYGZdq{} created. +kadmin: +\end{Verbatim} + +If you want to delete a principal: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: delprinc jennifer +Are you sure you want to delete the principal +\PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{}? (yes/no): yes +Principal \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{} deleted. +Make sure that you have removed this principal from +all ACLs before reusing. +kadmin: +\end{Verbatim} + + +\subsection{Retrieving information about a principal} +\label{admin/database:retrieving-information-about-a-principal} +To retrieve a listing of the attributes and/or policies associated +with a principal, use the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} \textbf{get\_principal} command. + +To generate a listing of principals, use the kadmin +\textbf{list\_principals} command. + + +\subsection{get\_principal} +\label{admin/database:get-principal}\begin{quote} + +\textbf{get\_principal} {[}\textbf{-terse}{]} \emph{principal} +\end{quote} + +Gets the attributes of principal. With the \textbf{-terse} option, outputs +fields as quoted tab-separated strings. + +This command requires the \textbf{inquire} privilege, or that the principal +running the the program to be the same as the one being listed. + +Alias: \textbf{getprinc} + +Examples: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: getprinc tlyu/admin +Principal: tlyu/admin@BLEEP.COM +Expiration date: [never] +Last password change: Mon Aug 12 14:16:47 EDT 1996 +Password expiration date: [none] +Maximum ticket life: 0 days 10:00:00 +Maximum renewable life: 7 days 00:00:00 +Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) +Last successful authentication: [never] +Last failed authentication: [never] +Failed password attempts: 0 +Number of keys: 2 +Key: vno 1, des\PYGZhy{}cbc\PYGZhy{}crc +Key: vno 1, des\PYGZhy{}cbc\PYGZhy{}crc:v4 +Attributes: +Policy: [none] + +kadmin: getprinc \PYGZhy{}terse systest +systest@BLEEP.COM 3 86400 604800 1 +785926535 753241234 785900000 +tlyu/admin@BLEEP.COM 786100034 0 0 +kadmin: +\end{Verbatim} + + +\subsection{list\_principals} +\label{admin/database:list-principals}\begin{quote} + +\textbf{list\_principals} {[}\emph{expression}{]} +\end{quote} + +Retrieves all or some principal names. \emph{expression} is a shell-style +glob expression that can contain the wild-card characters \code{?}, +\code{*}, and \code{{[}{]}}. All principal names matching the expression are +printed. If no expression is provided, all principal names are +printed. If the expression does not contain an \code{@} character, an +\code{@} character followed by the local realm is appended to the +expression. + +This command requires the \textbf{list} privilege. + +Alias: \textbf{listprincs}, \textbf{get\_principals}, \textbf{get\_princs} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: listprincs test* +test3@SECURE\PYGZhy{}TEST.OV.COM +test2@SECURE\PYGZhy{}TEST.OV.COM +test1@SECURE\PYGZhy{}TEST.OV.COM +testuser@SECURE\PYGZhy{}TEST.OV.COM +kadmin: +\end{Verbatim} + + +\subsection{Changing passwords} +\label{admin/database:changing-passwords} +To change a principal's password use the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} +\textbf{change\_password} command. + + +\subsection{change\_password} +\label{admin/database:change-password}\begin{quote} + +\textbf{change\_password} {[}\emph{options}{]} \emph{principal} +\end{quote} + +Changes the password of \emph{principal}. Prompts for a new password if +neither \textbf{-randkey} or \textbf{-pw} is specified. + +This command requires the \textbf{changepw} privilege, or that the +principal running the program is the same as the principal being +changed. + +Alias: \textbf{cpw} + +The following options are available: +\begin{description} +\item[{\textbf{-randkey}}] \leavevmode +Sets the key of the principal to a random value. + +\item[{\textbf{-pw} \emph{password}}] \leavevmode +Set the password to the specified string. Using this option in a +script may expose the password to other users on the system via +the process list. + +\item[{\textbf{-e} \emph{enc}:\emph{salt},...}] \leavevmode +Uses the specified keysalt list for setting the keys of the +principal. See {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a +list of possible values. + +\item[{\textbf{-keepold}}] \leavevmode +Keeps the existing keys in the database. This flag is usually not +necessary except perhaps for \code{krbtgt} principals. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: cpw systest +Enter password for principal systest@BLEEP.COM: +Re\PYGZhy{}enter password for principal systest@BLEEP.COM: +Password for systest@BLEEP.COM changed. +kadmin: +\end{Verbatim} + +\begin{notice}{note}{Note:} +Password changes through kadmin are subject to the same +password policies as would apply to password changes through +\emph{kpasswd(1)}. +\end{notice} + + +\section{Policies} +\label{admin/database:policies}\label{admin/database:id1} +A policy is a set of rules governing passwords. Policies can dictate +minimum and maximum password lifetimes, minimum number of characters +and character classes a password must contain, and the number of old +passwords kept in the database. + + +\subsection{Adding, modifying and deleting policies} +\label{admin/database:adding-modifying-and-deleting-policies} +To add a new policy, use the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} \textbf{add\_policy} command. + +To modify attributes of a principal, use the kadmin \textbf{modify\_policy} +command. + +To delete a policy, use the kadmin \textbf{delete\_policy} command. + + +\subsection{add\_policy} +\label{admin/database:add-policy}\begin{quote} + +\textbf{add\_policy} {[}\emph{options}{]} \emph{policy} +\end{quote} + +Adds a password policy named \emph{policy} to the database. + +This command requires the \textbf{add} privilege. + +Alias: \textbf{addpol} + +The following options are available: +\begin{description} +\item[{\textbf{-maxlife} \emph{time}}] \leavevmode +(\emph{duration} or \emph{getdate} string) Sets the maximum +lifetime of a password. + +\item[{\textbf{-minlife} \emph{time}}] \leavevmode +(\emph{duration} or \emph{getdate} string) Sets the minimum +lifetime of a password. + +\item[{\textbf{-minlength} \emph{length}}] \leavevmode +Sets the minimum length of a password. + +\item[{\textbf{-minclasses} \emph{number}}] \leavevmode +Sets the minimum number of character classes required in a +password. The five character classes are lower case, upper case, +numbers, punctuation, and whitespace/unprintable characters. + +\item[{\textbf{-history} \emph{number}}] \leavevmode +Sets the number of past keys kept for a principal. This option is +not supported with the LDAP KDC database module. + +\end{description} +\phantomsection\label{admin/database:policy-maxfailure}\begin{description} +\item[{\textbf{-maxfailure} \emph{maxnumber}}] \leavevmode +Sets the number of authentication failures before the principal is +locked. Authentication failures are only tracked for principals +which require preauthentication. The counter of failed attempts +resets to 0 after a successful attempt to authenticate. A +\emph{maxnumber} value of 0 (the default) disables lockout. + +\end{description} +\phantomsection\label{admin/database:policy-failurecountinterval}\begin{description} +\item[{\textbf{-failurecountinterval} \emph{failuretime}}] \leavevmode +(\emph{duration} or \emph{getdate} string) Sets the allowable time +between authentication failures. If an authentication failure +happens after \emph{failuretime} has elapsed since the previous +failure, the number of authentication failures is reset to 1. A +\emph{failuretime} value of 0 (the default) means forever. + +\end{description} +\phantomsection\label{admin/database:policy-lockoutduration}\begin{description} +\item[{\textbf{-lockoutduration} \emph{lockouttime}}] \leavevmode +(\emph{duration} or \emph{getdate} string) Sets the duration for +which the principal is locked from authenticating if too many +authentication failures occur without the specified failure count +interval elapsing. A duration of 0 (the default) means the +principal remains locked out until it is administratively unlocked +with \code{modprinc -unlock}. + +\item[{\textbf{-allowedkeysalts}}] \leavevmode +Specifies the key/salt tuples supported for long-term keys when +setting or changing a principal's password/keys. See +{\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of the +accepted values, but note that key/salt tuples must be separated +with commas (`,') only. To clear the allowed key/salt policy use +a value of `-`. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: add\PYGZus{}policy \PYGZhy{}maxlife \PYGZdq{}2 days\PYGZdq{} \PYGZhy{}minlength 5 guests +kadmin: +\end{Verbatim} + + +\subsection{modify\_policy} +\label{admin/database:modify-policy}\begin{quote} + +\textbf{modify\_policy} {[}\emph{options}{]} \emph{policy} +\end{quote} + +Modifies the password policy named \emph{policy}. Options are as described +for \textbf{add\_policy}. + +This command requires the \textbf{modify} privilege. + +Alias: \textbf{modpol} + + +\subsection{delete\_policy} +\label{admin/database:delete-policy}\begin{quote} + +\textbf{delete\_policy} {[}\textbf{-force}{]} \emph{policy} +\end{quote} + +Deletes the password policy named \emph{policy}. Prompts for confirmation +before deletion. The command will fail if the policy is in use by any +principals. + +This command requires the \textbf{delete} privilege. + +Alias: \textbf{delpol} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: del\PYGZus{}policy guests +Are you sure you want to delete the policy \PYGZdq{}guests\PYGZdq{}? +(yes/no): yes +kadmin: +\end{Verbatim} + +\begin{notice}{note}{Note:} +You must cancel the policy from \emph{all} principals before +deleting it. The \emph{delete\_policy} command will fail if the policy +is in use by any principals. +\end{notice} + + +\subsection{Retrieving policies} +\label{admin/database:retrieving-policies} +To retrieve a policy, use the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} \textbf{get\_policy} command. + +You can retrieve the list of policies with the kadmin +\textbf{list\_policies} command. + + +\subsection{get\_policy} +\label{admin/database:get-policy}\begin{quote} + +\textbf{get\_policy} {[} \textbf{-terse} {]} \emph{policy} +\end{quote} + +Displays the values of the password policy named \emph{policy}. With the +\textbf{-terse} flag, outputs the fields as quoted strings separated by +tabs. + +This command requires the \textbf{inquire} privilege. + +Alias: getpol + +Examples: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: get\PYGZus{}policy admin +Policy: admin +Maximum password life: 180 days 00:00:00 +Minimum password life: 00:00:00 +Minimum password length: 6 +Minimum number of password character classes: 2 +Number of old keys kept: 5 +Reference count: 17 + +kadmin: get\PYGZus{}policy \PYGZhy{}terse admin +admin 15552000 0 6 2 5 17 +kadmin: +\end{Verbatim} + +The ``Reference count'' is the number of principals using that policy. +With the LDAP KDC database module, the reference count field is not +meaningful. + + +\subsection{list\_policies} +\label{admin/database:list-policies}\begin{quote} + +\textbf{list\_policies} {[}\emph{expression}{]} +\end{quote} + +Retrieves all or some policy names. \emph{expression} is a shell-style +glob expression that can contain the wild-card characters \code{?}, +\code{*}, and \code{{[}{]}}. All policy names matching the expression are +printed. If no expression is provided, all existing policy names are +printed. + +This command requires the \textbf{list} privilege. + +Aliases: \textbf{listpols}, \textbf{get\_policies}, \textbf{getpols}. + +Examples: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: listpols +test\PYGZhy{}pol +dict\PYGZhy{}only +once\PYGZhy{}a\PYGZhy{}min +test\PYGZhy{}pol\PYGZhy{}nopw + +kadmin: listpols t* +test\PYGZhy{}pol +test\PYGZhy{}pol\PYGZhy{}nopw +kadmin: +\end{Verbatim} + + +\subsection{Policies and principals} +\label{admin/database:policies-and-principals} +Policies can be applied to principals as they are created by using +the \textbf{-policy} flag to {\hyperref[admin/admin_commands/kadmin_local:add-principal]{\emph{add\_principal}}}. Existing principals can +be modified by using the \textbf{-policy} or \textbf{-clearpolicy} flag to +{\hyperref[admin/admin_commands/kadmin_local:modify-principal]{\emph{modify\_principal}}}. + + +\subsection{Updating the history key} +\label{admin/database:updating-the-history-key} +If a policy specifies a number of old keys kept of two or more, the +stored old keys are encrypted in a history key, which is found in the +key data of the \code{kadmin/history} principal. + +Currently there is no support for proper rollover of the history key, +but you can change the history key (for example, to use a better +encryption type) at the cost of invalidating currently stored old +keys. To change the history key, run: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: change\PYGZus{}password \PYGZhy{}randkey kadmin/history +\end{Verbatim} + +This command will fail if you specify the \textbf{-keepold} flag. Only one +new history key will be created, even if you specify multiple key/salt +combinations. + +In the future, we plan to migrate towards encrypting old keys in the +master key instead of the history key, and implementing proper +rollover support for stored old keys. + + +\section{Privileges} +\label{admin/database:privileges}\label{admin/database:id2} +Administrative privileges for the Kerberos database are stored in the +file {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}. + +\begin{notice}{note}{Note:} +A common use of an admin instance is so you can grant +separate permissions (such as administrator access to the +Kerberos database) to a separate Kerberos principal. For +example, the user \code{joeadmin} might have a principal for +his administrative use, called \code{joeadmin/admin}. This +way, \code{joeadmin} would obtain \code{joeadmin/admin} tickets +only when he actually needs to use those permissions. +\end{notice} + + +\section{Operations on the Kerberos database} +\label{admin/database:db-operations}\label{admin/database:operations-on-the-kerberos-database} +The {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} command is the primary tool for administrating +the Kerberos database. + +\textbf{kdb5\_util} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-d} \emph{dbname}{]} +{[}\textbf{-k} \emph{mkeytype}{]} +{[}\textbf{-M} \emph{mkeyname}{]} +{[}\textbf{-kv} \emph{mkeyVNO}{]} +{[}\textbf{-sf} \emph{stashfilename}{]} +{[}\textbf{-m}{]} +\emph{command} {[}\emph{command\_options}{]} + +\textbf{OPTIONS} +\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +specifies the Kerberos realm of the database. + +\item[{\textbf{-d} \emph{dbname}}] \leavevmode +specifies the name under which the principal database is stored; +by default the database is that listed in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. The +password policy database and lock files are also derived from this +value. + +\item[{\textbf{-k} \emph{mkeytype}}] \leavevmode +specifies the key type of the master key in the database. The +default is given by the \textbf{master\_key\_type} variable in +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. + +\item[{\textbf{-kv} \emph{mkeyVNO}}] \leavevmode +Specifies the version number of the master key in the database; +the default is 1. Note that 0 is not allowed. + +\item[{\textbf{-M} \emph{mkeyname}}] \leavevmode +principal name for the master key in the database. If not +specified, the name is determined by the \textbf{master\_key\_name} +variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. + +\item[{\textbf{-m}}] \leavevmode +specifies that the master database password should be read from +the keyboard rather than fetched from a file on disk. + +\item[{\textbf{-sf} \emph{stash\_file}}] \leavevmode +specifies the stash filename of the master database password. If +not specified, the filename is determined by the +\textbf{key\_stash\_file} variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. + +\item[{\textbf{-P} \emph{password}}] \leavevmode +specifies the master database password. Using this option may +expose the password to other users on the system via the process +list. + +\end{description} + + +\subsection{Dumping a Kerberos database to a file} +\label{admin/database:dumping-a-kerberos-database-to-a-file} +To dump a Kerberos database into a file, use the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} +\textbf{dump} command on one of the KDCs. +\begin{quote} + +\textbf{dump} {[}\textbf{-b7}\textbar{}\textbf{-ov}\textbar{}\textbf{-r13}{]} {[}\textbf{-verbose}{]} +{[}\textbf{-mkey\_convert}{]} {[}\textbf{-new\_mkey\_file} \emph{mkey\_file}{]} {[}\textbf{-rev}{]} +{[}\textbf{-recurse}{]} {[}\emph{filename} {[}\emph{principals}...{]}{]} +\end{quote} + +Dumps the current Kerberos and KADM5 database into an ASCII file. By +default, the database is dumped in current format, ``kdb5\_util +load\_dump version 7''. If filename is not specified, or is the string +``-'', the dump is sent to standard output. Options: +\begin{description} +\item[{\textbf{-b7}}] \leavevmode +causes the dump to be in the Kerberos 5 Beta 7 format (``kdb5\_util +load\_dump version 4''). This was the dump format produced on +releases prior to 1.2.2. + +\item[{\textbf{-ov}}] \leavevmode +causes the dump to be in ``ovsec\_adm\_export'' format. + +\item[{\textbf{-r13}}] \leavevmode +causes the dump to be in the Kerberos 5 1.3 format (``kdb5\_util +load\_dump version 5''). This was the dump format produced on +releases prior to 1.8. + +\item[{\textbf{-r18}}] \leavevmode +causes the dump to be in the Kerberos 5 1.8 format (``kdb5\_util +load\_dump version 6''). This was the dump format produced on +releases prior to 1.11. + +\item[{\textbf{-verbose}}] \leavevmode +causes the name of each principal and policy to be printed as it +is dumped. + +\item[{\textbf{-mkey\_convert}}] \leavevmode +prompts for a new master key. This new master key will be used to +re-encrypt principal key data in the dumpfile. The principal keys +themselves will not be changed. + +\item[{\textbf{-new\_mkey\_file} \emph{mkey\_file}}] \leavevmode +the filename of a stash file. The master key in this stash file +will be used to re-encrypt the key data in the dumpfile. The key +data in the database will not be changed. + +\item[{\textbf{-rev}}] \leavevmode +dumps in reverse order. This may recover principals that do not +dump normally, in cases where database corruption has occurred. + +\item[{\textbf{-recurse}}] \leavevmode +causes the dump to walk the database recursively (btree only). +This may recover principals that do not dump normally, in cases +where database corruption has occurred. In cases of such +corruption, this option will probably retrieve more principals +than the \textbf{-rev} option will. + +\DUspan{versionmodified}{Changed in version 1.15: }Release 1.15 restored the functionality of the \textbf{-recurse} +option. + +\DUspan{versionmodified}{Changed in version 1.5: }The \textbf{-recurse} option ceased working until release 1.15, +doing a normal dump instead of a recursive traversal. + +\end{description} + + +\subsubsection{Examples} +\label{admin/database:id3} +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}util dump dumpfile +shell\PYGZpc{} + +shell\PYGZpc{} kbd5\PYGZus{}util dump \PYGZhy{}verbose dumpfile +kadmin/admin@ATHENA.MIT.EDU +krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU +kadmin/history@ATHENA.MIT.EDU +K/M@ATHENA.MIT.EDU +kadmin/changepw@ATHENA.MIT.EDU +shell\PYGZpc{} +\end{Verbatim} + +If you specify which principals to dump, you must use the full +principal, as in the following example: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}util dump \PYGZhy{}verbose dumpfile K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU +kadmin/admin@ATHENA.MIT.EDU +K/M@ATHENA.MIT.EDU +shell\PYGZpc{} +\end{Verbatim} + +Otherwise, the principals will not match those in the database and +will not be dumped: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}util dump \PYGZhy{}verbose dumpfile K/M kadmin/admin +shell\PYGZpc{} +\end{Verbatim} + +If you do not specify a dump file, kdb5\_util will dump the database to +the standard output. + + +\subsection{Restoring a Kerberos database from a dump file} +\label{admin/database:restore-from-dump}\label{admin/database:restoring-a-kerberos-database-from-a-dump-file} +To restore a Kerberos database dump from a file, use the +{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} \textbf{load} command on one of the KDCs. +\begin{quote} + +\textbf{load} {[}\textbf{-b7}\textbar{}\textbf{-ov}\textbar{}\textbf{-r13}{]} {[}\textbf{-hash}{]} +{[}\textbf{-verbose}{]} {[}\textbf{-update}{]} \emph{filename} {[}\emph{dbname}{]} +\end{quote} + +Loads a database dump from the named file into the named database. If +no option is given to determine the format of the dump file, the +format is detected automatically and handled as appropriate. Unless +the \textbf{-update} option is given, \textbf{load} creates a new database +containing only the data in the dump file, overwriting the contents of +any previously existing database. Note that when using the LDAP KDC +database module, the \textbf{-update} flag is required. + +Options: +\begin{description} +\item[{\textbf{-b7}}] \leavevmode +requires the database to be in the Kerberos 5 Beta 7 format +(``kdb5\_util load\_dump version 4''). This was the dump format +produced on releases prior to 1.2.2. + +\item[{\textbf{-ov}}] \leavevmode +requires the database to be in ``ovsec\_adm\_import'' format. Must be +used with the \textbf{-update} option. + +\item[{\textbf{-r13}}] \leavevmode +requires the database to be in Kerberos 5 1.3 format (``kdb5\_util +load\_dump version 5''). This was the dump format produced on +releases prior to 1.8. + +\item[{\textbf{-r18}}] \leavevmode +requires the database to be in Kerberos 5 1.8 format (``kdb5\_util +load\_dump version 6''). This was the dump format produced on +releases prior to 1.11. + +\item[{\textbf{-hash}}] \leavevmode +requires the database to be stored as a hash. If this option is +not specified, the database will be stored as a btree. This +option is not recommended, as databases stored in hash format are +known to corrupt data and lose principals. + +\item[{\textbf{-verbose}}] \leavevmode +causes the name of each principal and policy to be printed as it +is dumped. + +\item[{\textbf{-update}}] \leavevmode +records from the dump file are added to or updated in the existing +database. Otherwise, a new database is created containing only +what is in the dump file and the old one destroyed upon successful +completion. + +\end{description} + +If specified, \emph{dbname} overrides the value specified on the command +line or the default. + + +\subsubsection{Examples} +\label{admin/database:id4} +To load a single principal, either replacing or updating the database: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}util load dumpfile principal +shell\PYGZpc{} + +shell\PYGZpc{} kdb5\PYGZus{}util load \PYGZhy{}update dumpfile principal +shell\PYGZpc{} +\end{Verbatim} + +\begin{notice}{note}{Note:} +If the database file exists, and the \emph{-update} flag was not +given, \emph{kdb5\_util} will overwrite the existing database. +\end{notice} + +Using kdb5\_util to upgrade a master KDC from krb5 1.1.x: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}util dump old\PYGZhy{}kdb\PYGZhy{}dump +shell\PYGZpc{} kdb5\PYGZus{}util dump \PYGZhy{}ov old\PYGZhy{}kdb\PYGZhy{}dump.ov + [Create a new KDC installation, using the old stash file/master password] +shell\PYGZpc{} kdb5\PYGZus{}util load old\PYGZhy{}kdb\PYGZhy{}dump +shell\PYGZpc{} kdb5\PYGZus{}util load \PYGZhy{}update old\PYGZhy{}kdb\PYGZhy{}dump.ov +\end{Verbatim} + +The use of old-kdb-dump.ov for an extra dump and load is necessary +to preserve per-principal policy information, which is not included in +the default dump format of krb5 1.1.x. + +\begin{notice}{note}{Note:} +Using kdb5\_util to dump and reload the principal database is +only necessary when upgrading from versions of krb5 prior +to 1.2.0---newer versions will use the existing database as-is. +\end{notice} + + +\subsection{Creating a stash file} +\label{admin/database:create-stash}\label{admin/database:creating-a-stash-file} +A stash file allows a KDC to authenticate itself to the database +utilities, such as {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}}, {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}}, and +{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}. + +To create a stash file, use the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} \textbf{stash} command. +\begin{quote} + +\textbf{stash} {[}\textbf{-f} \emph{keyfile}{]} +\end{quote} + +Stores the master principal's keys in a stash file. The \textbf{-f} +argument can be used to override the \emph{keyfile} specified in +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. + + +\subsubsection{Example} +\label{admin/database:example}\begin{quote} + +shell\% kdb5\_util stash +kdb5\_util: Cannot find/read stored master key while reading master key +kdb5\_util: Warning: proceeding without master key +Enter KDC database master key: \textless{}= Type the KDC database master password. +shell\% +\end{quote} + +If you do not specify a stash file, kdb5\_util will stash the key in +the file specified in your {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file. + + +\subsection{Creating and destroying a Kerberos database} +\label{admin/database:creating-and-destroying-a-kerberos-database} +If you need to create a new Kerberos database, use the +{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} \textbf{create} command. +\begin{quote} + +\textbf{create} {[}\textbf{-s}{]} +\end{quote} + +Creates a new database. If the \textbf{-s} option is specified, the stash +file is also created. This command fails if the database already +exists. If the command is successful, the database is opened just as +if it had already existed when the program was first run. + +If you need to destroy the current Kerberos database, use the +{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} \textbf{destroy} command. +\begin{quote} + +\textbf{destroy} {[}\textbf{-f}{]} +\end{quote} + +Destroys the database, first overwriting the disk sectors and then +unlinking the files, after prompting the user for confirmation. With +the \textbf{-f} argument, does not prompt the user. + + +\subsubsection{Examples} +\label{admin/database:id5} +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}util \PYGZhy{}r ATHENA.MIT.EDU create \PYGZhy{}s +Loading random data +Initializing database \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{} for realm \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}, +master key name \PYGZsq{}K/M@ATHENA.MIT.EDU\PYGZsq{} +You will be prompted for the database Master Password. +It is important that you NOT FORGET this password. +Enter KDC database master key: \PYGZlt{}= Type the master password. +Re\PYGZhy{}enter KDC database master key to verify: \PYGZlt{}= Type it again. +shell\PYGZpc{} + +shell\PYGZpc{} kdb5\PYGZus{}util \PYGZhy{}r ATHENA.MIT.EDU destroy +Deleting KDC database stored in \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{}, are you sure? +(type \PYGZsq{}yes\PYGZsq{} to confirm)? \PYGZlt{}= yes +OK, deleting database \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{}... +** Database \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{} destroyed. +shell\PYGZpc{} +\end{Verbatim} + + +\subsection{Updating the master key} +\label{admin/database:updating-the-master-key} +Starting with release 1.7, {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} allows the master key +to be changed using a rollover process, with minimal loss of +availability. To roll over the master key, follow these steps: +\begin{enumerate} +\item {} +On the master KDC, run \code{kdb5\_util list\_mkeys} to view the current +master key version number (KVNO). If you have never rolled over +the master key before, this will likely be version 1: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYGZdl{} kdb5\PYGZus{}util list\PYGZus{}mkeys +Master keys for Principal: K/M@KRBTEST.COM +KVNO: 1, Enctype: des\PYGZhy{}cbc\PYGZhy{}crc, Active on: Wed Dec 31 19:00:00 EST 1969 * +\end{Verbatim} + +\item {} +On the master KDC, run \code{kdb5\_util use\_mkey 1} to ensure that a +master key activation list is present in the database. This step +is unnecessary in release 1.11.4 or later, or if the database was +initially created with release 1.7 or later. + +\item {} +On the master KDC, run \code{kdb5\_util add\_mkey -s} to create a new +master key and write it to the stash file. Enter a secure password +when prompted. If this is the first time you are changing the +master key, the new key will have version 2. The new master key +will not be used until you make it active. + +\item {} +Propagate the database to all slave KDCs, either manually or by +waiting until the next scheduled propagation. If you do not have +any slave KDCs, you can skip this and the next step. + +\item {} +On each slave KDC, run \code{kdb5\_util list\_mkeys} to verify that the +new master key is present, and then \code{kdb5\_util stash} to write +the new master key to the slave KDC's stash file. + +\item {} +On the master KDC, run \code{kdb5\_util use\_mkey 2} to begin using the +new master key. Replace \code{2} with the version of the new master +key, as appropriate. You can optionally specify a date for the new +master key to become active; by default, it will become active +immediately. Prior to release 1.12, {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} must be +restarted for this change to take full effect. + +\item {} +On the master KDC, run \code{kdb5\_util update\_princ\_encryption}. This +command will iterate over the database and re-encrypt all keys in +the new master key. If the database is large and uses DB2, the +master KDC will become unavailable while this command runs, but +clients should fail over to slave KDCs (if any are present) during +this time period. In release 1.13 and later, you can instead run +\code{kdb5\_util -x unlockiter update\_princ\_encryption} to use unlocked +iteration; this variant will take longer, but will keep the +database available to the KDC and kadmind while it runs. + +\item {} +On the master KDC, run \code{kdb5\_util purge\_mkeys} to clean up the +old master key. + +\end{enumerate} + + +\section{Operations on the LDAP database} +\label{admin/database:operations-on-the-ldap-database}\label{admin/database:ops-on-ldap} +The {\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} is the primary tool for administrating +the Kerberos LDAP database. It allows an administrator to manage +realms, Kerberos services (KDC and Admin Server) and ticket policies. + +\textbf{kdb5\_ldap\_util} +{[}\textbf{-D} \emph{user\_dn} {[}\textbf{-w} \emph{passwd}{]}{]} +{[}\textbf{-H} \emph{ldapuri}{]} +\textbf{command} +{[}\emph{command\_options}{]} + +\textbf{OPTIONS} +\begin{description} +\item[{\textbf{-D} \emph{user\_dn}}] \leavevmode +Specifies the Distinguished Name (DN) of the user who has +sufficient rights to perform the operation on the LDAP server. + +\item[{\textbf{-w} \emph{passwd}}] \leavevmode +Specifies the password of \emph{user\_dn}. This option is not +recommended. + +\item[{\textbf{-H} \emph{ldapuri}}] \leavevmode +Specifies the URI of the LDAP server. It is recommended to use +\code{ldapi://} or \code{ldaps://} to connect to the LDAP server. + +\end{description} + + +\subsection{Creating a Kerberos realm} +\label{admin/database:creating-a-kerberos-realm}\label{admin/database:ldap-create-realm} +If you need to create a new realm, use the {\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} +\textbf{create} command as follows. +\begin{quote} + +\textbf{create} +{[}\textbf{-subtrees} \emph{subtree\_dn\_list}{]} +{[}\textbf{-sscope} \emph{search\_scope}{]} +{[}\textbf{-containerref} \emph{container\_reference\_dn}{]} +{[}\textbf{-k} \emph{mkeytype}{]} +{[}\textbf{-kv} \emph{mkeyVNO}{]} +{[}\textbf{-m\textbar{}-P} \emph{password}\textbar{}\textbf{-sf} \emph{stashfilename}{]} +{[}\textbf{-s}{]} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} +{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} +{[}\emph{ticket\_flags}{]} +\end{quote} + +Creates realm in directory. Options: +\begin{description} +\item[{\textbf{-subtrees} \emph{subtree\_dn\_list}}] \leavevmode +Specifies the list of subtrees containing the principals of a +realm. The list contains the DNs of the subtree objects separated +by colon (\code{:}). + +\item[{\textbf{-sscope} \emph{search\_scope}}] \leavevmode +Specifies the scope for searching the principals under the +subtree. The possible values are 1 or one (one level), 2 or sub +(subtrees). + +\item[{\textbf{-containerref} \emph{container\_reference\_dn}}] \leavevmode +Specifies the DN of the container object in which the principals +of a realm will be created. If the container reference is not +configured for a realm, the principals will be created in the +realm container. + +\item[{\textbf{-k} \emph{mkeytype}}] \leavevmode +Specifies the key type of the master key in the database. The +default is given by the \textbf{master\_key\_type} variable in +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. + +\item[{\textbf{-kv} \emph{mkeyVNO}}] \leavevmode +Specifies the version number of the master key in the database; +the default is 1. Note that 0 is not allowed. + +\item[{\textbf{-m}}] \leavevmode +Specifies that the master database password should be read from +the TTY rather than fetched from a file on the disk. + +\item[{\textbf{-P} \emph{password}}] \leavevmode +Specifies the master database password. This option is not +recommended. + +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\item[{\textbf{-sf} \emph{stashfilename}}] \leavevmode +Specifies the stash file of the master database password. + +\item[{\textbf{-s}}] \leavevmode +Specifies that the stash file is to be created. + +\item[{\textbf{-maxtktlife} \emph{max\_ticket\_life}}] \leavevmode +(\emph{getdate} string) Specifies maximum ticket life for +principals in this realm. + +\item[{\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}}] \leavevmode +(\emph{getdate} string) Specifies maximum renewable life of +tickets for principals in this realm. + +\item[{\emph{ticket\_flags}}] \leavevmode +Specifies global ticket flags for the realm. Allowable flags are +documented in the description of the \textbf{add\_principal} command in +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu + create \PYGZhy{}subtrees o=org \PYGZhy{}sscope SUB \PYGZhy{}r ATHENA.MIT.EDU +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +Initializing database for realm \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{} +You will be prompted for the database Master Password. +It is important that you NOT FORGET this password. +Enter KDC database master key: +Re\PYGZhy{}enter KDC database master key to verify: +\end{Verbatim} + + +\subsection{Modifying a Kerberos realm} +\label{admin/database:ldap-mod-realm}\label{admin/database:modifying-a-kerberos-realm} +If you need to modify a realm, use the {\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} +\textbf{modify} command as follows. +\begin{quote} + +\textbf{modify} +{[}\textbf{-subtrees} \emph{subtree\_dn\_list}{]} +{[}\textbf{-sscope} \emph{search\_scope}{]} +{[}\textbf{-containerref} \emph{container\_reference\_dn}{]} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} +{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} +{[}\emph{ticket\_flags}{]} +\end{quote} + +Modifies the attributes of a realm. Options: +\begin{description} +\item[{\textbf{-subtrees} \emph{subtree\_dn\_list}}] \leavevmode +Specifies the list of subtrees containing the principals of a +realm. The list contains the DNs of the subtree objects separated +by colon (\code{:}). This list replaces the existing list. + +\item[{\textbf{-sscope} \emph{search\_scope}}] \leavevmode +Specifies the scope for searching the principals under the +subtrees. The possible values are 1 or one (one level), 2 or sub +(subtrees). + +\item[{\textbf{-containerref} \emph{container\_reference\_dn} Specifies the DN of the}] \leavevmode +container object in which the principals of a realm will be +created. + +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\item[{\textbf{-maxtktlife} \emph{max\_ticket\_life}}] \leavevmode +(\emph{getdate} string) Specifies maximum ticket life for +principals in this realm. + +\item[{\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}}] \leavevmode +(\emph{getdate} string) Specifies maximum renewable life of +tickets for principals in this realm. + +\item[{\emph{ticket\_flags}}] \leavevmode +Specifies global ticket flags for the realm. Allowable flags are +documented in the description of the \textbf{add\_principal} command in +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H + ldaps://ldap\PYGZhy{}server1.mit.edu modify +requires\PYGZus{}preauth \PYGZhy{}r + ATHENA.MIT.EDU +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +shell\PYGZpc{} +\end{Verbatim} + + +\subsection{Destroying a Kerberos realm} +\label{admin/database:destroying-a-kerberos-realm} +If you need to destroy a Kerberos realm, use the +{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{destroy} command as follows. +\begin{quote} + +\textbf{destroy} {[}\textbf{-f}{]} {[}\textbf{-r} \emph{realm}{]} +\end{quote} + +Destroys an existing realm. Options: +\begin{description} +\item[{\textbf{-f}}] \leavevmode +If specified, will not prompt the user for confirmation. + +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H + ldaps://ldap\PYGZhy{}server1.mit.edu destroy \PYGZhy{}r ATHENA.MIT.EDU +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +Deleting KDC database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}, are you sure? +(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes +OK, deleting database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}... +shell\PYGZpc{} +\end{Verbatim} + + +\subsection{Retrieving information about a Kerberos realm} +\label{admin/database:retrieving-information-about-a-kerberos-realm} +If you need to display the attributes of a realm, use the +{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{view} command as follows. +\begin{quote} + +\textbf{view} {[}\textbf{-r} \emph{realm}{]} +\end{quote} + +Displays the attributes of a realm. Options: +\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu + view \PYGZhy{}r ATHENA.MIT.EDU +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +Realm Name: ATHENA.MIT.EDU +Subtree: ou=users,o=org +Subtree: ou=servers,o=org +SearchScope: ONE +Maximum ticket life: 0 days 01:00:00 +Maximum renewable life: 0 days 10:00:00 +Ticket flags: DISALLOW\PYGZus{}FORWARDABLE REQUIRES\PYGZus{}PWCHANGE +\end{Verbatim} + + +\subsection{Listing available Kerberos realms} +\label{admin/database:listing-available-kerberos-realms} +If you need to display the list of the realms, use the +{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{list} command as follows. +\begin{quote} + +\textbf{list} +\end{quote} + +Lists the name of realms. + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H + ldaps://ldap\PYGZhy{}server1.mit.edu list +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +ATHENA.MIT.EDU +OPENLDAP.MIT.EDU +MEDIA\PYGZhy{}LAB.MIT.EDU +shell\PYGZpc{} +\end{Verbatim} + + +\subsection{Stashing service object's password} +\label{admin/database:stashing-service-object-s-password}\label{admin/database:stash-ldap} +The {\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{stashsrvpw} command allows an +administrator to store the password of service object in a file. The +KDC and Administration server uses this password to authenticate to +the LDAP server. +\begin{quote} + +\textbf{stashsrvpw} +{[}\textbf{-f} \emph{filename}{]} +\emph{name} +\end{quote} + +Allows an administrator to store the password for service object in a +file so that KDC and Administration server can use it to authenticate +to the LDAP server. Options: +\begin{description} +\item[{\textbf{-f} \emph{filename}}] \leavevmode +Specifies the complete path of the service password file. By +default, \code{/usr/local/var/service\_passwd} is used. + +\item[{\emph{name}}] \leavevmode +Specifies the name of the object whose password is to be stored. +If {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} or {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} are configured for +simple binding, this should be the distinguished name it will +use as given by the \textbf{ldap\_kdc\_dn} or \textbf{ldap\_kadmind\_dn} +variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. If the KDC or kadmind is +configured for SASL binding, this should be the authentication +name it will use as given by the \textbf{ldap\_kdc\_sasl\_authcid} or +\textbf{ldap\_kadmind\_sasl\_authcid} variable. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util stashsrvpw \PYGZhy{}f /home/andrew/conf\PYGZus{}keyfile + cn=service\PYGZhy{}kdc,o=org +Password for \PYGZdq{}cn=service\PYGZhy{}kdc,o=org\PYGZdq{}: +Re\PYGZhy{}enter password for \PYGZdq{}cn=service\PYGZhy{}kdc,o=org\PYGZdq{}: +\end{Verbatim} + + +\subsection{Ticket Policy operations} +\label{admin/database:ticket-policy-operations} + +\subsubsection{Creating a Ticket Policy} +\label{admin/database:creating-a-ticket-policy} +To create a new ticket policy in directory , use the +{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{create\_policy} command. Ticket policy +objects are created under the realm container. +\begin{quote} + +\textbf{create\_policy} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} +{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} +{[}\emph{ticket\_flags}{]} +\emph{policy\_name} +\end{quote} + +Creates a ticket policy in the directory. Options: +\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\item[{\textbf{-maxtktlife} \emph{max\_ticket\_life}}] \leavevmode +(\emph{getdate} string) Specifies maximum ticket life for +principals. + +\item[{\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}}] \leavevmode +(\emph{getdate} string) Specifies maximum renewable life of +tickets for principals. + +\item[{\emph{ticket\_flags}}] \leavevmode +Specifies the ticket flags. If this option is not specified, by +default, no restriction will be set by the policy. Allowable +flags are documented in the description of the \textbf{add\_principal} +command in {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. + +\item[{\emph{policy\_name}}] \leavevmode +Specifies the name of the ticket policy. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu + create\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU \PYGZhy{}maxtktlife \PYGZdq{}1 day\PYGZdq{} + \PYGZhy{}maxrenewlife \PYGZdq{}1 week\PYGZdq{} \PYGZhy{}allow\PYGZus{}postdated +needchange + \PYGZhy{}allow\PYGZus{}forwardable tktpolicy +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +\end{Verbatim} + + +\subsubsection{Modifying a Ticket Policy} +\label{admin/database:modifying-a-ticket-policy} +To modify a ticket policy in directory, use the +{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{modify\_policy} command. +\begin{quote} + +\textbf{modify\_policy} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} +{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} +{[}\emph{ticket\_flags}{]} +\emph{policy\_name} +\end{quote} + +Modifies the attributes of a ticket policy. Options are same as for +\textbf{create\_policy}. + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H + ldaps://ldap\PYGZhy{}server1.mit.edu modify\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU + \PYGZhy{}maxtktlife \PYGZdq{}60 minutes\PYGZdq{} \PYGZhy{}maxrenewlife \PYGZdq{}10 hours\PYGZdq{} + +allow\PYGZus{}postdated \PYGZhy{}requires\PYGZus{}preauth tktpolicy +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +\end{Verbatim} + + +\subsubsection{Retrieving Information About a Ticket Policy} +\label{admin/database:retrieving-information-about-a-ticket-policy} +To display the attributes of a ticket policy, use the +{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{view\_policy} command. +\begin{quote} + +\textbf{view\_policy} +{[}\textbf{-r} \emph{realm}{]} +\emph{policy\_name} +\end{quote} + +Displays the attributes of a ticket policy. Options: +\begin{description} +\item[{\emph{policy\_name}}] \leavevmode +Specifies the name of the ticket policy. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu + view\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU tktpolicy +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +Ticket policy: tktpolicy +Maximum ticket life: 0 days 01:00:00 +Maximum renewable life: 0 days 10:00:00 +Ticket flags: DISALLOW\PYGZus{}FORWARDABLE REQUIRES\PYGZus{}PWCHANGE +\end{Verbatim} + + +\subsubsection{Destroying a Ticket Policy} +\label{admin/database:destroying-a-ticket-policy} +To destroy an existing ticket policy, use the {\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} +\textbf{destroy\_policy} command. +\begin{quote} + +\textbf{destroy\_policy} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-force}{]} +\emph{policy\_name} +\end{quote} + +Destroys an existing ticket policy. Options: +\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\item[{\textbf{-force}}] \leavevmode +Forces the deletion of the policy object. If not specified, the +user will be prompted for confirmation before deleting the policy. + +\item[{\emph{policy\_name}}] \leavevmode +Specifies the name of the ticket policy. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu + destroy\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU tktpolicy +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +This will delete the policy object \PYGZsq{}tktpolicy\PYGZsq{}, are you sure? +(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes +** policy object \PYGZsq{}tktpolicy\PYGZsq{} deleted. +\end{Verbatim} + + +\subsubsection{Listing available Ticket Policies} +\label{admin/database:listing-available-ticket-policies} +To list the name of ticket policies in a realm, use the +{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{list\_policy} command. +\begin{quote} + +\textbf{list\_policy} +{[}\textbf{-r} \emph{realm}{]} +\end{quote} + +Lists the ticket policies in realm if specified or in the default +realm. Options: +\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu + list\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +tktpolicy +tmppolicy +userpolicy +\end{Verbatim} + + +\section{Cross-realm authentication} +\label{admin/database:cross-realm-authentication}\label{admin/database:xrealm-authn} +In order for a KDC in one realm to authenticate Kerberos users in a +different realm, it must share a key with the KDC in the other realm. +In both databases, there must be krbtgt service principals for both realms. +For example, if you need to do cross-realm authentication between the realms +\code{ATHENA.MIT.EDU} and \code{EXAMPLE.COM}, you would need to add the +principals \code{krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU} and +\code{krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM} to both databases. +These principals must all have the same passwords, key version +numbers, and encryption types; this may require explicitly setting +the key version number with the \textbf{-kvno} option. + +In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators +would run the following commands on the KDCs in both realms: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{}: kadmin.local \PYGZhy{}e \PYGZdq{}aes256\PYGZhy{}cts:normal\PYGZdq{} +kadmin: addprinc \PYGZhy{}requires\PYGZus{}preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM +Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: +Re\PYGZhy{}enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: +kadmin: addprinc \PYGZhy{}requires\PYGZus{}preauth krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU +Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: +Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: +kadmin: +\end{Verbatim} + +\begin{notice}{note}{Note:} +Even if most principals in a realm are generally created +with the \textbf{requires\_preauth} flag enabled, this flag is not +desirable on cross-realm authentication keys because doing +so makes it impossible to disable preauthentication on a +service-by-service basis. Disabling it as in the example +above is recommended. +\end{notice} + +\begin{notice}{note}{Note:} +It is very important that these principals have good +passwords. MIT recommends that TGT principal passwords be +at least 26 characters of random ASCII text. +\end{notice} + + +\section{Changing the krbtgt key} +\label{admin/database:changing-krbtgt-key}\label{admin/database:changing-the-krbtgt-key} +A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the +principal \code{krbtgt/REALM}. The key for this principal is created +when the Kerberos database is initialized and need not be changed. +However, it will only have the encryption types supported by the KDC +at the time of the initial database creation. To allow use of newer +encryption types for the TGT, this key has to be changed. + +Changing this key using the normal {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} +\textbf{change\_password} command would invalidate any previously issued +TGTs. Therefore, when changing this key, normally one should use the +\textbf{-keepold} flag to change\_password to retain the previous key in the +database as well as the new key. For example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: change\PYGZus{}password \PYGZhy{}randkey \PYGZhy{}keepold krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU +\end{Verbatim} + +\begin{notice}{warning}{Warning:} +After issuing this command, the old key is still valid +and is still vulnerable to (for instance) brute force +attacks. To completely retire an old key or encryption +type, run the kadmin \textbf{purgekeys} command to delete keys +with older kvnos, ideally first making sure that all +tickets issued with the old keys have expired. +\end{notice} + +Only the first krbtgt key of the newest key version is used to encrypt +ticket-granting tickets. However, the set of encryption types present +in the krbtgt keys is used by default to determine the session key +types supported by the krbtgt service (see +{\hyperref[admin/enctypes:session-key-selection]{\emph{Session key selection}}}). Because non-MIT Kerberos clients +sometimes send a limited set of encryption types when making AS +requests, it can be important to for the krbtgt service to support +multiple encryption types. This can be accomplished by giving the +krbtgt principal multiple keys, which is usually as simple as not +specifying any \textbf{-e} option when changing the krbtgt key, or by +setting the \textbf{session\_enctypes} string attribute on the krbtgt +principal (see {\hyperref[admin/admin_commands/kadmin_local:set-string]{\emph{set\_string}}}). + +Due to a bug in releases 1.8 through 1.13, renewed and forwarded +tickets may not work if the original ticket was obtained prior to a +krbtgt key change and the modified ticket is obtained afterwards. +Upgrading the KDC to release 1.14 or later will correct this bug. + + +\section{Incremental database propagation} +\label{admin/database:incremental-database-propagation}\label{admin/database:incr-db-prop} + +\subsection{Overview} +\label{admin/database:overview} +At some very large sites, dumping and transmitting the database can +take more time than is desirable for changes to propagate from the +master KDC to the slave KDCs. The incremental propagation support +added in the 1.7 release is intended to address this. + +With incremental propagation enabled, all programs on the master KDC +that change the database also write information about the changes to +an ``update log'' file, maintained as a circular buffer of a certain +size. A process on each slave KDC connects to a service on the master +KDC (currently implemented in the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} server) and +periodically requests the changes that have been made since the last +check. By default, this check is done every two minutes. If the +database has just been modified in the previous several seconds +(currently the threshold is hard-coded at 10 seconds), the slave will +not retrieve updates, but instead will pause and try again soon after. +This reduces the likelihood that incremental update queries will cause +delays for an administrator trying to make a bunch of changes to the +database at the same time. + +Incremental propagation uses the following entries in the per-realm +data in the KDC config file (See {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}): + +\begin{tabulary}{\linewidth}{|L|L|L|} +\hline + +iprop\_enable + & +\emph{boolean} + & +If \emph{true}, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. The default is \emph{false}. +\\ +\hline +iprop\_master\_ulogsize + & +\emph{integer} + & +Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500. +\\ +\hline +iprop\_slave\_poll + & +\emph{time interval} + & +Indicates how often the slave should poll the master KDC for changes to the database. The default is two minutes. +\\ +\hline +iprop\_port + & +\emph{integer} + & +Specifies the port number to be used for incremental propagation. This is required in both master and slave configuration files. +\\ +\hline +iprop\_resync\_timeout + & +\emph{integer} + & +Specifies the number of seconds to wait for a full propagation to complete. This is optional on slave configurations. Defaults to 300 seconds (5 minutes). +\\ +\hline +iprop\_logfile + & +\emph{file name} + & +Specifies where the update log file for the realm database is to be stored. The default is to use the \emph{database\_name} entry from the realms section of the config file {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}, with \emph{.ulog} appended. (NOTE: If database\_name isn't specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the \emph{dbmodules} section, then the hard-coded default for \emph{database\_name} is used. Determination of the \emph{iprop\_logfile} default value will not use values from the \emph{dbmodules} section.) +\\ +\hline\end{tabulary} + + +Both master and slave sides must have a principal named +\code{kiprop/hostname} (where \emph{hostname} is the lowercase, +fully-qualified, canonical name for the host) registered in the +Kerberos database, and have keys for that principal stored in the +default keytab file ({\hyperref[mitK5defaults:paths]{\emph{DEFKTNAME}}}). In release 1.13, the +\code{kiprop/hostname} principal is created automatically for the master +KDC, but it must still be created for slave KDCs. + +On the master KDC side, the \code{kiprop/hostname} principal must be +listed in the kadmind ACL file {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}, and given the +\textbf{p} privilege (see {\hyperref[admin/database:privileges]{\emph{Privileges}}}). + +On the slave KDC side, {\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} should be run. When +incremental propagation is enabled, it will connect to the kadmind on +the master KDC and start requesting updates. + +The normal kprop mechanism is disabled by the incremental propagation +support. However, if the slave has been unable to fetch changes from +the master KDC for too long (network problems, perhaps), the log on +the master may wrap around and overwrite some of the updates that the +slave has not yet retrieved. In this case, the slave will instruct +the master KDC to dump the current database out to a file and invoke a +one-time kprop propagation, with special options to also convey the +point in the update log at which the slave should resume fetching +incremental updates. Thus, all the keytab and ACL setup previously +described for kprop propagation is still needed. + +If an environment has a large number of slaves, it may be desirable to +arrange them in a hierarchy instead of having the master serve updates +to every slave. To do this, run \code{kadmind -proponly} on each +intermediate slave, and \code{kpropd -A upstreamhostname} on downstream +slaves to direct each one to the appropriate upstream slave. + +There are several known restrictions in the current implementation: +\begin{itemize} +\item {} +The incremental update protocol does not transport changes to policy +objects. Any policy changes on the master will result in full +resyncs to all slaves. + +\item {} +The slave's KDB module must support locking; it cannot be using the +LDAP KDB module. + +\item {} +The master and slave must be able to initiate TCP connections in +both directions, without an intervening NAT. + +\end{itemize} + + +\subsection{Sun/MIT incremental propagation differences} +\label{admin/database:sun-mit-incremental-propagation-differences} +Sun donated the original code for supporting incremental database +propagation to MIT. Some changes have been made in the MIT source +tree that will be visible to administrators. (These notes are based +on Sun's patches. Changes to Sun's implementation since then may not +be reflected here.) + +The Sun config file support looks for \code{sunw\_dbprop\_enable}, +\code{sunw\_dbprop\_master\_ulogsize}, and \code{sunw\_dbprop\_slave\_poll}. + +The incremental propagation service is implemented as an ONC RPC +service. In the Sun implementation, the service is registered with +rpcbind (also known as portmapper) and the client looks up the port +number to contact. In the MIT implementation, where interaction with +some modern versions of rpcbind doesn't always work well, the port +number must be specified in the config file on both the master and +slave sides. + +The Sun implementation hard-codes pathnames in \code{/var/krb5} for the +update log and the per-slave kprop dump files. In the MIT +implementation, the pathname for the update log is specified in the +config file, and the per-slave dump files are stored in +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/slave\_datatrans\_hostname}. + + +\chapter{Account lockout} +\label{admin/lockout::doc}\label{admin/lockout:account-lockout} +As of release 1.8, the KDC can be configured to lock out principals +after a number of failed authentication attempts within a period of +time. Account lockout can make it more difficult to attack a +principal's password by brute force, but also makes it easy for an +attacker to deny access to a principal. + + +\section{Configuring account lockout} +\label{admin/lockout:configuring-account-lockout} +Account lockout only works for principals with the +\textbf{+requires\_preauth} flag set. Without this flag, the KDC cannot +know whether or not a client successfully decrypted the ticket it +issued. It is also important to set the \textbf{-allow\_svr} flag on a +principal to protect its password from an off-line dictionary attack +through a TGS request. You can set these flags on a principal with +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} as follows: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: modprinc +requires\PYGZus{}preauth \PYGZhy{}allow\PYGZus{}svr PRINCNAME +\end{Verbatim} + +Account lockout parameters are configured via {\hyperref[admin/database:policies]{\emph{policy objects}}}. There may be an existing policy associated with user +principals (such as the ``default'' policy), or you may need to create a +new one and associate it with each user principal. + +The policy parameters related to account lockout are: +\begin{itemize} +\item {} +{\hyperref[admin/database:policy-maxfailure]{\emph{maxfailure}}}: the number of failed attempts +before the principal is locked out + +\item {} +{\hyperref[admin/database:policy-failurecountinterval]{\emph{failurecountinterval}}}: the +allowable interval between failed attempts + +\item {} +{\hyperref[admin/database:policy-lockoutduration]{\emph{lockoutduration}}}: the amount of time +a principal is locked out for + +\end{itemize} + +Here is an example of setting these parameters on a new policy and +associating it with a principal: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: addpol \PYGZhy{}maxfailure 10 \PYGZhy{}failurecountinterval 180 + \PYGZhy{}lockoutduration 60 lockout\PYGZus{}policy +kadmin: modprinc \PYGZhy{}policy lockout\PYGZus{}policy PRINCNAME +\end{Verbatim} + + +\section{Testing account lockout} +\label{admin/lockout:testing-account-lockout} +To test that account lockout is working, try authenticating as the +principal (hopefully not one that might be in use) multiple times with +the wrong password. For instance, if \textbf{maxfailure} is set to 2, you +might see: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYGZdl{} kinit user +Password for user@KRBTEST.COM: +kinit: Password incorrect while getting initial credentials +\PYGZdl{} kinit user +Password for user@KRBTEST.COM: +kinit: Password incorrect while getting initial credentials +\PYGZdl{} kinit user +kinit: Client\PYGZsq{}s credentials have been revoked while getting initial credentials +\end{Verbatim} + + +\section{Account lockout principal state} +\label{admin/lockout:account-lockout-principal-state} +A principal entry keeps three pieces of state related to account +lockout: +\begin{itemize} +\item {} +The time of last successful authentication + +\item {} +The time of last failed authentication + +\item {} +A counter of failed attempts + +\end{itemize} + +The time of last successful authentication is not actually needed for +the account lockout system to function, but may be of administrative +interest. These fields can be observed with the \textbf{getprinc} kadmin +command. For example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: getprinc user +Principal: user@KRBTEST.COM +... +Last successful authentication: [never] +Last failed authentication: Mon Dec 03 12:30:33 EST 2012 +Failed password attempts: 2 +... +\end{Verbatim} + +A principal which has been locked out can be administratively unlocked +with the \textbf{-unlock} option to the \textbf{modprinc} kadmin command: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: modprinc \PYGZhy{}unlock PRINCNAME +\end{Verbatim} + +This command will reset the number of failed attempts to 0. + + +\section{KDC replication and account lockout} +\label{admin/lockout:kdc-replication-and-account-lockout} +The account lockout state of a principal is not replicated by either +traditional {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}} or incremental propagation. Because of +this, the number of attempts an attacker can make within a time period +is multiplied by the number of KDCs. For instance, if the +\textbf{maxfailure} parameter on a policy is 10 and there are four KDCs in +the environment (a master and three slaves), an attacker could make as +many as 40 attempts before the principal is locked out on all four +KDCs. + +An administrative unlock is propagated from the master to the slave +KDCs during the next propagation. Propagation of an administrative +unlock will cause the counter of failed attempts on each slave to +reset to 1 on the next failure. + +If a KDC environment uses a replication strategy other than kprop or +incremental propagation, such as the LDAP KDB module with multi-master +LDAP replication, then account lockout state may be replicated between +KDCs and the concerns of this section may not apply. + + +\section{KDC performance and account lockout} +\label{admin/lockout:kdc-performance-and-account-lockout} +In order to fully track account lockout state, the KDC must write to +the the database on each successful and failed authentication. +Writing to the database is generally more expensive than reading from +it, so these writes may have a significant impact on KDC performance. +As of release 1.9, it is possible to turn off account lockout state +tracking in order to improve performance, by setting the +\textbf{disable\_last\_success} and \textbf{disable\_lockout} variables in the +database module subsection of {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. For example: + +\begin{Verbatim}[commandchars=\\\{\}] +[dbmodules] + DB = \PYGZob{} + disable\PYGZus{}last\PYGZus{}success = true + disable\PYGZus{}lockout = true + \PYGZcb{} +\end{Verbatim} + +Of the two variables, setting \textbf{disable\_last\_success} will usually +have the largest positive impact on performance, and will still allow +account lockout policies to operate. However, it will make it +impossible to observe the last successful authentication time with +kadmin. + + +\section{KDC setup and account lockout} +\label{admin/lockout:kdc-setup-and-account-lockout} +To update the account lockout state on principals, the KDC must be +able to write to the principal database. For the DB2 module, no +special setup is required. For the LDAP module, the KDC DN must be +granted write access to the principal objects. If the KDC DN has only +read access, account lockout will not function. + + +\chapter{Configuring Kerberos with OpenLDAP back-end} +\label{admin/conf_ldap::doc}\label{admin/conf_ldap:configuring-kerberos-with-openldap-back-end}\begin{enumerate} +\item {} +Set up SSL on the OpenLDAP server and client to ensure secure +communication when the KDC service and LDAP server are on different +machines. \code{ldapi://} can be used if the LDAP server and KDC +service are running on the same machine. +\begin{enumerate} +\item {} +Setting up SSL on the OpenLDAP server: + +\end{enumerate} +\begin{enumerate} +\item {} +Get a CA certificate using OpenSSL tools + +\item {} +Configure OpenLDAP server for using SSL/TLS + +For the latter, you need to specify the location of CA +certificate location in \emph{slapd.conf} file. + +Refer to the following link for more information: +\href{http://www.openldap.org/doc/admin23/tls.html}{http://www.openldap.org/doc/admin23/tls.html} + +\end{enumerate} +\begin{enumerate} +\setcounter{enumi}{1} +\item {} +Setting up SSL on OpenLDAP client: +\begin{enumerate} +\item {} +For the KDC and Admin Server, you need to do the client-side +configuration in ldap.conf. For example: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{TLS\PYGZus{}CACERT} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{openldap}\PYG{o}{/}\PYG{n}{certs}\PYG{o}{/}\PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} +\end{Verbatim} + +\end{enumerate} + +\end{enumerate} + +\item {} +Include the Kerberos schema file (kerberos.schema) in the +configuration file (slapd.conf) on the LDAP Server, by providing +the location where it is stored: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{include} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{openldap}\PYG{o}{/}\PYG{n}{schema}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{schema} +\end{Verbatim} + +\item {} +Choose DNs for the {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} and {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} servers +to bind to the LDAP server, and create them if necessary. These DNs +will be specified with the \textbf{ldap\_kdc\_dn} and \textbf{ldap\_kadmind\_dn} +directives in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}; their passwords can be stashed +with ``\code{kdb5\_ldap\_util stashsrvpw}'' and the resulting file +specified with the \textbf{ldap\_service\_password\_file} directive. + +\item {} +Choose a DN for the global Kerberos container entry (but do not +create the entry at this time). This DN will be specified with the +\textbf{ldap\_kerberos\_container\_dn} directive in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. +Realm container entries will be created underneath this DN. +Principal entries may exist either underneath the realm container +(the default) or in separate trees referenced from the realm +container. + +\item {} +Configure the LDAP server ACLs to enable the KDC and kadmin server +DNs to read and write the Kerberos data. If +\textbf{disable\_last\_success} and \textbf{disable\_lockout} are both set to +true in the {\hyperref[admin/conf_files/kdc_conf:dbmodules]{\emph{{[}dbmodules{]}}}} subsection for the realm, then the +KDC DN only requires read access to the Kerberos data. + +Sample access control information: + +\begin{Verbatim}[commandchars=\\\{\}] +access to dn.base=\PYGZdq{}\PYGZdq{} + by * read + +access to dn.base=\PYGZdq{}cn=Subschema\PYGZdq{} + by * read + +access to attrs=userPassword,userPKCS12 + by self write + by * auth + +access to attrs=shadowLastChange + by self write + by * read + +\PYGZsh{} Providing access to realm container +access to dn.subtree= \PYGZdq{}cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com\PYGZdq{} + by dn.exact=\PYGZdq{}cn=kdc\PYGZhy{}service,dc=example,dc=com\PYGZdq{} write + by dn.exact=\PYGZdq{}cn=adm\PYGZhy{}service,dc=example,dc=com\PYGZdq{} write + by * none + +\PYGZsh{} Providing access to principals, if not underneath realm container +access to dn.subtree= \PYGZdq{}ou=users,dc=example,dc=com\PYGZdq{} + by dn.exact=\PYGZdq{}cn=kdc\PYGZhy{}service,dc=example,dc=com\PYGZdq{} write + by dn.exact=\PYGZdq{}cn=adm\PYGZhy{}service,dc=example,dc=com\PYGZdq{} write + by * none + +access to * + by * read +\end{Verbatim} + +If the locations of the container and principals or the DNs of +the service objects for a realm are changed then this +information should be updated. + +\item {} +Start the LDAP server as follows: + +\begin{Verbatim}[commandchars=\\\{\}] +slapd \PYGZhy{}h \PYGZdq{}ldapi:/// ldaps:///\PYGZdq{} +\end{Verbatim} + +\item {} +Modify the {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file to include LDAP specific items +listed below: + +\begin{Verbatim}[commandchars=\\\{\}] +realms + database\PYGZus{}module + +dbmodules + db\PYGZus{}library + db\PYGZus{}module\PYGZus{}dir + ldap\PYGZus{}kdc\PYGZus{}dn + ldap\PYGZus{}kadmind\PYGZus{}dn + ldap\PYGZus{}service\PYGZus{}password\PYGZus{}file + ldap\PYGZus{}servers + ldap\PYGZus{}conns\PYGZus{}per\PYGZus{}server +\end{Verbatim} + +\item {} +Create the realm using {\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} (see +{\hyperref[admin/database:ldap-create-realm]{\emph{Creating a Kerberos realm}}}): + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,dc=example,dc=com create \PYGZhy{}subtrees ou=users,dc=example,dc=com \PYGZhy{}r EXAMPLE.COM \PYGZhy{}s +\end{Verbatim} + +Use the \textbf{-subtrees} option if the principals are to exist in a +separate subtree from the realm container. Before executing the +command, make sure that the subtree mentioned above +\code{(ou=users,dc=example,dc=com)} exists. If the principals will +exist underneath the realm container, omit the \textbf{-subtrees} option +and do not worry about creating the principal subtree. + +For more information, refer to the section {\hyperref[admin/database:ops-on-ldap]{\emph{Operations on the LDAP database}}}. + +The realm object is created under the +\textbf{ldap\_kerberos\_container\_dn} specified in the configuration file. +This operation will also create the Kerberos container, if not +present already. This will be used to store information related to +all realms. + +\item {} +Stash the password of the service object used by the KDC and +Administration service to bind to the LDAP server using the +{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{stashsrvpw} command (see +{\hyperref[admin/database:stash-ldap]{\emph{Stashing service object's password}}}). The object DN should be the same as +\textbf{ldap\_kdc\_dn} and \textbf{ldap\_kadmind\_dn} values specified in the +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,dc=example,dc=com stashsrvpw \PYGZhy{}f /etc/kerberos/service.keyfile cn=krbadmin,dc=example,dc=com +\end{Verbatim} + +\item {} +Add \code{krbPrincipalName} to the indexes in slapd.conf to speed up +the access. + +\end{enumerate} + +With the LDAP back end it is possible to provide aliases for principal +entries. Currently we provide no mechanism provided for creating +aliases, so it must be done by direct manipulation of the LDAP +entries. + +An entry with aliases contains multiple values of the +\emph{krbPrincipalName} attribute. Since LDAP attribute values are not +ordered, it is necessary to specify which principal name is canonical, +by using the \emph{krbCanonicalName} attribute. Therefore, to create +aliases for an entry, first set the \emph{krbCanonicalName} attribute of +the entry to the canonical principal name (which should be identical +to the pre-existing \emph{krbPrincipalName} value), and then add additional +\emph{krbPrincipalName} attributes for the aliases. + +Principal aliases are only returned by the KDC when the client +requests canonicalization. Canonicalization is normally requested for +service principals; for client principals, an explicit flag is often +required (e.g., \code{kinit -C}) and canonicalization is only performed +for initial ticket requests. + + +\strong{See also:} + + +{\hyperref[admin/advanced/ldapbackend:ldap-be-ubuntu]{\emph{LDAP backend on Ubuntu 10.4 (lucid)}}} + + + + +\chapter{Application servers} +\label{admin/appl_servers::doc}\label{admin/appl_servers:application-servers} +If you need to install the Kerberos V5 programs on an application +server, please refer to the Kerberos V5 Installation Guide. Once you +have installed the software, you need to add that host to the Kerberos +database (see {\hyperref[admin/database:add-mod-del-princs]{\emph{Adding, modifying and deleting principals}}}), and generate a keytab for +that host, that contains the host's key. You also need to make sure +the host's clock is within your maximum clock skew of the KDCs. + + +\section{Keytabs} +\label{admin/appl_servers:keytabs} +A keytab is a host's copy of its own keylist, which is analogous to a +user's password. An application server that needs to authenticate +itself to the KDC has to have a keytab that contains its own principal +and key. Just as it is important for users to protect their +passwords, it is equally important for hosts to protect their keytabs. +You should always store keytab files on local disk, and make them +readable only by root, and you should never send a keytab file over a +network in the clear. Ideally, you should run the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} +command to extract a keytab on the host on which the keytab is to +reside. + + +\subsection{Adding principals to keytabs} +\label{admin/appl_servers:adding-principals-to-keytabs}\label{admin/appl_servers:add-princ-kt} +To generate a keytab, or to add a principal to an existing keytab, use +the \textbf{ktadd} command from kadmin. + + +\subsection{ktadd} +\label{admin/appl_servers:ktadd}\begin{quote} + +\begin{DUlineblock}{0em} +\item[] \textbf{ktadd} {[}options{]} \emph{principal} +\item[] \textbf{ktadd} {[}options{]} \textbf{-glob} \emph{princ-exp} +\end{DUlineblock} +\end{quote} + +Adds a \emph{principal}, or all principals matching \emph{princ-exp}, to a +keytab file. Each principal's keys are randomized in the process. +The rules for \emph{princ-exp} are described in the \textbf{list\_principals} +command. + +This command requires the \textbf{inquire} and \textbf{changepw} privileges. +With the \textbf{-glob} form, it also requires the \textbf{list} privilege. + +The options are: +\begin{description} +\item[{\textbf{-k{[}eytab{]}} \emph{keytab}}] \leavevmode +Use \emph{keytab} as the keytab file. Otherwise, the default keytab is +used. + +\item[{\textbf{-e} \emph{enc}:\emph{salt},...}] \leavevmode +Uses the specified keysalt list for setting the new keys of the +principal. See {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a +list of possible values. + +\item[{\textbf{-q}}] \leavevmode +Display less verbose information. + +\item[{\textbf{-norandkey}}] \leavevmode +Do not randomize the keys. The keys and their version numbers stay +unchanged. This option cannot be specified in combination with the +\textbf{-e} option. + +\end{description} + +An entry for each of the principal's unique encryption types is added, +ignoring multiple keys with the same encryption type but different +salt types. + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: ktadd \PYGZhy{}k /tmp/foo\PYGZhy{}new\PYGZhy{}keytab host/foo.mit.edu +Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, + encryption type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab + FILE:/tmp/foo\PYGZhy{}new\PYGZhy{}keytab +kadmin: +\end{Verbatim} + + +\subsubsection{Examples} +\label{admin/appl_servers:examples} +Here is a sample session, using configuration files that enable only +AES encryption: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU +Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab FILE:/etc/krb5.keytab +Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab FILE:/etc/krb5.keytab +kadmin: +\end{Verbatim} + + +\subsection{Removing principals from keytabs} +\label{admin/appl_servers:removing-principals-from-keytabs} +To remove a principal from an existing keytab, use the kadmin +\textbf{ktremove} command. + + +\subsection{ktremove} +\label{admin/appl_servers:ktremove}\begin{quote} + +\textbf{ktremove} {[}options{]} \emph{principal} {[}\emph{kvno} \textbar{} \emph{all} \textbar{} \emph{old}{]} +\end{quote} + +Removes entries for the specified \emph{principal} from a keytab. Requires +no permissions, since this does not require database access. + +If the string ``all'' is specified, all entries for that principal are +removed; if the string ``old'' is specified, all entries for that +principal except those with the highest kvno are removed. Otherwise, +the value specified is parsed as an integer, and all entries whose +kvno match that integer are removed. + +The options are: +\begin{description} +\item[{\textbf{-k{[}eytab{]}} \emph{keytab}}] \leavevmode +Use \emph{keytab} as the keytab file. Otherwise, the default keytab is +used. + +\item[{\textbf{-q}}] \leavevmode +Display less verbose information. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: ktremove kadmin/admin all +Entry for principal kadmin/admin with kvno 3 removed from keytab + FILE:/etc/krb5.keytab +kadmin: +\end{Verbatim} + + +\section{Clock Skew} +\label{admin/appl_servers:clock-skew} +A Kerberos application server host must keep its clock synchronized or +it will reject authentication requests from clients. Modern operating +systems typically provide a facility to maintain the correct time; +make sure it is enabled. This is especially important on virtual +machines, where clocks tend to drift more rapidly than normal machine +clocks. + +The default allowable clock skew is controlled by the \textbf{clockskew} +variable in {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}}. + + +\section{Getting DNS information correct} +\label{admin/appl_servers:getting-dns-information-correct} +Several aspects of Kerberos rely on name service. When a hostname is +used to name a service, the Kerberos library canonicalizes the +hostname using forward and reverse name resolution. (The reverse name +resolution step can be turned off using the \textbf{rdns} variable in +{\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}}.) The result of this canonicalization must match +the principal entry in the host's keytab, or authentication will fail. + +Each host's canonical name must be the fully-qualified host name +(including the domain), and each host's IP address must +reverse-resolve to the canonical name. + +Configuration of hostnames varies by operating system. On the +application server itself, canonicalization will typically use the +\code{/etc/hosts} file rather than the DNS. Ensure that the line for the +server's hostname is in the following form: + +\begin{Verbatim}[commandchars=\\\{\}] +IP address fully\PYGZhy{}qualified hostname aliases +\end{Verbatim} + +Here is a sample \code{/etc/hosts} file: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYGZsh{} this is a comment +127.0.0.1 localhost localhost.mit.edu +10.0.0.6 daffodil.mit.edu daffodil trillium wake\PYGZhy{}robin +\end{Verbatim} + +The output of \code{klist -k} for this example host should look like: + +\begin{Verbatim}[commandchars=\\\{\}] +viola\PYGZsh{} klist \PYGZhy{}k +Keytab name: /etc/krb5.keytab +KVNO Principal +\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{} \PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{} + 2 host/daffodil.mit.edu@ATHENA.MIT.EDU +\end{Verbatim} + +If you were to ssh to this host with a fresh credentials cache (ticket +file), and then \emph{klist(1)}, the output should list a service +principal of \code{host/daffodil.mit.edu@ATHENA.MIT.EDU}. + + +\section{Configuring your firewall to work with Kerberos V5} +\label{admin/appl_servers:conf-firewall}\label{admin/appl_servers:configuring-your-firewall-to-work-with-kerberos-v5} +If you need off-site users to be able to get Kerberos tickets in your +realm, they must be able to get to your KDC. This requires either +that you have a slave KDC outside your firewall, or that you configure +your firewall to allow UDP requests into at least one of your KDCs, on +whichever port the KDC is running. (The default is port 88; other +ports may be specified in the KDC's {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file.) +Similarly, if you need off-site users to be able to change their +passwords in your realm, they must be able to get to your Kerberos +admin server on the kpasswd port (which defaults to 464). If you need +off-site users to be able to administer your Kerberos realm, they must +be able to get to your Kerberos admin server on the administrative +port (which defaults to 749). + +If your on-site users inside your firewall will need to get to KDCs in +other realms, you will also need to configure your firewall to allow +outgoing TCP and UDP requests to port 88, and to port 464 to allow +password changes. If your on-site users inside your firewall will +need to get to Kerberos admin servers in other realms, you will also +need to allow outgoing TCP and UDP requests to port 749. + +If any of your KDCs are outside your firewall, you will need to allow +kprop requests to get through to the remote KDC. {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}} uses +the \code{krb5\_prop} service on port 754 (tcp). + +The book \emph{UNIX System Security}, by David Curry, is a good starting +point for learning to configure firewalls. + + +\chapter{Host configuration} +\label{admin/host_config:host-configuration}\label{admin/host_config::doc} +All hosts running Kerberos software, whether they are clients, +application servers, or KDCs, can be configured using +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. Here we describe some of the behavior changes +you might want to make. + + +\section{Default realm} +\label{admin/host_config:default-realm} +In the {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} section, the \textbf{default\_realm} realm +relation sets the default Kerberos realm. For example: + +\begin{Verbatim}[commandchars=\\\{\}] +[libdefaults] + default\PYGZus{}realm = ATHENA.MIT.EDU +\end{Verbatim} + +The default realm affects Kerberos behavior in the following ways: +\begin{itemize} +\item {} +When a principal name is parsed from text, the default realm is used +if no \code{@REALM} component is specified. + +\item {} +The default realm affects login authorization as described below. + +\item {} +For programs which operate on a Kerberos database, the default realm +is used to determine which database to operate on, unless the \textbf{-r} +parameter is given to specify a realm. + +\item {} +A server program may use the default realm when looking up its key +in a {\hyperref[admin/install_appl_srv:keytab-file]{\emph{keytab file}}}, if its realm is not +determined by {\hyperref[admin/conf_files/krb5_conf:domain-realm]{\emph{{[}domain\_realm{]}}}} configuration or by the server +program itself. + +\item {} +If \emph{kinit(1)} is passed the \textbf{-n} flag, it requests anonymous +tickets from the default realm. + +\end{itemize} + +In some situations, these uses of the default realm might conflict. +For example, it might be desirable for principal name parsing to use +one realm by default, but for login authorization to use a second +realm. In this situation, the first realm can be configured as the +default realm, and \textbf{auth\_to\_local} relations can be used as +described below to use the second realm for login authorization. + + +\section{Login authorization} +\label{admin/host_config:login-authorization}\label{admin/host_config:id1} +If a host runs a Kerberos-enabled login service such as OpenSSH with +GSSAPIAuthentication enabled, login authorization rules determine +whether a Kerberos principal is allowed to access a local account. + +By default, a Kerberos principal is allowed access to an account if +its realm matches the default realm and its name matches the account +name. (For historical reasons, access is also granted by default if +the name has two components and the second component matches the +default realm; for instance, \code{alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU} +is granted access to the \code{alice} account if \code{ATHENA.MIT.EDU} is +the default realm.) + +The simplest way to control local access is using \emph{.k5login(5)} +files. To use these, place a \code{.k5login} file in the home directory +of each account listing the principal names which should have login +access to that account. If it is not desirable to use \code{.k5login} +files located in account home directories, the \textbf{k5login\_directory} +relation in the {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} section can specify a directory +containing one file per account uname. + +By default, if a \code{.k5login} file is present, it controls +authorization both positively and negatively--any principal name +contained in the file is granted access and any other principal name +is denied access, even if it would have had access if the \code{.k5login} +file didn't exist. The \textbf{k5login\_authoritative} relation in the +{\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} section can be set to false to make \code{.k5login} +files provide positive authorization only. + +The \textbf{auth\_to\_local} relation in the {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} section for the +default realm can specify pattern-matching rules to control login +authorization. For example, the following configuration allows access +to principals from a different realm than the default realm: + +\begin{Verbatim}[commandchars=\\\{\}] +[realms] + DEFAULT.REALM = \PYGZob{} + \PYGZsh{} Allow access to principals from OTHER.REALM. + \PYGZsh{} + \PYGZsh{} [1:\PYGZdl{}1@\PYGZdl{}0] matches single\PYGZhy{}component principal names and creates + \PYGZsh{} a selection string containing the principal name and realm. + \PYGZsh{} + \PYGZsh{} (.*@OTHER\PYGZbs{}.REALM) matches against the selection string, so that + \PYGZsh{} only principals in OTHER.REALM are matched. + \PYGZsh{} + \PYGZsh{} s/@OTHER\PYGZbs{}.REALM\PYGZdl{}// removes the realm name, leaving behind the + \PYGZsh{} principal name as the acount name. + auth\PYGZus{}to\PYGZus{}local = RULE:[1:\PYGZdl{}1@\PYGZdl{}0](.*@OTHER\PYGZbs{}.REALM)s/@OTHER\PYGZbs{}.REALM\PYGZdl{}// + + \PYGZsh{} Also allow principals from the default realm. Omit this line + \PYGZsh{} to only allow access to principals in OTHER.REALM. + auth\PYGZus{}to\PYGZus{}local = DEFAULT + \PYGZcb{} +\end{Verbatim} + +The \textbf{auth\_to\_local\_names} subsection of the {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} section +for the default realm can specify explicit mappings from principal +names to local accounts. The key used in this subsection is the +principal name without realm, so it is only safe to use in a Kerberos +environment with a single realm or a tightly controlled set of realms. +An example use of \textbf{auth\_to\_local\_names} might be: + +\begin{Verbatim}[commandchars=\\\{\}] +[realms] + ATHENA.MIT.EDU = \PYGZob{} + auth\PYGZus{}to\PYGZus{}local\PYGZus{}names = \PYGZob{} + \PYGZsh{} Careful, these match principals in any realm! + host/example.com = hostaccount + fred = localfred + \PYGZcb{} + \PYGZcb{} +\end{Verbatim} + +Local authorization behavior can also be modified using plugin +modules; see \emph{hostrealm\_plugin} for details. + + +\section{Plugin module configuration} +\label{admin/host_config:plugin-config}\label{admin/host_config:plugin-module-configuration} +Many aspects of Kerberos behavior, such as client preauthentication +and KDC service location, can be modified through the use of plugin +modules. For most of these behaviors, you can use the {\hyperref[admin/conf_files/krb5_conf:plugins]{\emph{{[}plugins{]}}}} +section of krb5.conf to register third-party modules, and to switch +off registered or built-in modules. + +A plugin module takes the form of a Unix shared object +(\code{modname.so}) or Windows DLL (\code{modname.dll}). If you have +installed a third-party plugin module and want to register it, you do +so using the \textbf{module} relation in the appropriate subsection of the +{[}plugins{]} section. The value for \textbf{module} must give the module name +and the path to the module, separated by a colon. The module name +will often be the same as the shared object's name, but in unusual +cases (such as a shared object which implements multiple modules for +the same interface) it might not be. For example, to register a +client preauthentication module named \code{mypreauth} installed at +\code{/path/to/mypreauth.so}, you could write: + +\begin{Verbatim}[commandchars=\\\{\}] +[plugins] + clpreauth = \PYGZob{} + module = mypreauth:/path/to/mypreauth.so + \PYGZcb{} +\end{Verbatim} + +Many of the pluggable behaviors in MIT krb5 contain built-in modules +which can be switched off. You can disable a built-in module (or one +you have registered) using the \textbf{disable} directive in the +appropriate subsection of the {[}plugins{]} section. For example, to +disable the use of .k5identity files to select credential caches, you +could write: + +\begin{Verbatim}[commandchars=\\\{\}] +[plugins] + ccselect = \PYGZob{} + disable = k5identity + \PYGZcb{} +\end{Verbatim} + +If you want to disable multiple modules, specify the \textbf{disable} +directive multiple times, giving one module to disable each time. + +Alternatively, you can explicitly specify which modules you want to be +enabled for that behavior using the \textbf{enable\_only} directive. For +example, to make {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} check password quality using only a +module you have registered, and no other mechanism, you could write: + +\begin{Verbatim}[commandchars=\\\{\}] +[plugins] + pwqual = \PYGZob{} + module = mymodule:/path/to/mymodule.so + enable\PYGZus{}only = mymodule + \PYGZcb{} +\end{Verbatim} + +Again, if you want to specify multiple modules, specify the +\textbf{enable\_only} directive multiple times, giving one module to enable +each time. + +Some Kerberos interfaces use different mechanisms to register plugin +modules. + + +\subsection{KDC location modules} +\label{admin/host_config:kdc-location-modules} +For historical reasons, modules to control how KDC servers are located +are registered simply by placing the shared object or DLL into the +``libkrb5'' subdirectory of the krb5 plugin directory, which defaults to +{\hyperref[mitK5defaults:paths]{\emph{LIBDIR}}}\code{/krb5/plugins}. For example, Samba's winbind krb5 +locator plugin would be registered by placing its shared object in +{\hyperref[mitK5defaults:paths]{\emph{LIBDIR}}}\code{/krb5/plugins/libkrb5/winbind\_krb5\_locator.so}. + + +\subsection{GSSAPI mechanism modules} +\label{admin/host_config:gssapi-plugin-config}\label{admin/host_config:gssapi-mechanism-modules} +GSSAPI mechanism modules are registered using the file +\code{/etc/gss/mech} or configuration files in the \code{/etc/gss/mech.d/} +directory. Only files with a \code{.conf} suffix will be read from the +\code{/etc/gss/mech.d/} directory. Each line in these files has the +form: + +\begin{Verbatim}[commandchars=\\\{\}] +oid pathname [options] \PYGZlt{}type\PYGZgt{} +\end{Verbatim} + +Only the oid and pathname are required. \emph{oid} is the object +identifier of the GSSAPI mechanism to be registered. \emph{pathname} is a +path to the module shared object or DLL. \emph{options} (if present) are +options provided to the plugin module, surrounded in square brackets. +\emph{type} (if present) can be used to indicate a special type of module. +Currently the only special module type is ``interposer'', for a module +designed to intercept calls to other mechanisms. + + +\subsection{Configuration profile modules} +\label{admin/host_config:profile-plugin-config}\label{admin/host_config:configuration-profile-modules} +A configuration profile module replaces the information source for +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} itself. To use a profile module, begin krb5.conf +with the line: + +\begin{Verbatim}[commandchars=\\\{\}] +module PATHNAME:STRING +\end{Verbatim} + +where \emph{PATHNAME} is a path to the module shared object or DLL, and +\emph{STRING} is a string to provide to the module. The module will then +take over, and the rest of krb5.conf will be ignored. + + +\chapter{Backups of secure hosts} +\label{admin/backup_host:backups-of-secure-hosts}\label{admin/backup_host::doc} +When you back up a secure host, you should exclude the host's keytab +file from the backup. If someone obtained a copy of the keytab from a +backup, that person could make any host masquerade as the host whose +keytab was compromised. In many configurations, knowledge of the +host's keytab also allows root access to the host. This could be +particularly dangerous if the compromised keytab was from one of your +KDCs. If the machine has a disk crash and the keytab file is lost, it +is easy to generate another keytab file. (See {\hyperref[admin/appl_servers:add-princ-kt]{\emph{Adding principals to keytabs}}}.) +If you are unable to exclude particular files from backups, you should +ensure that the backups are kept as secure as the host's root +password. + + +\section{Backing up the Kerberos database} +\label{admin/backup_host:backing-up-the-kerberos-database} +As with any file, it is possible that your Kerberos database could +become corrupted. If this happens on one of the slave KDCs, you might +never notice, since the next automatic propagation of the database +would install a fresh copy. However, if it happens to the master KDC, +the corrupted database would be propagated to all of the slaves during +the next propagation. For this reason, MIT recommends that you back +up your Kerberos database regularly. Because the master KDC is +continuously dumping the database to a file in order to propagate it +to the slave KDCs, it is a simple matter to have a cron job +periodically copy the dump file to a secure machine elsewhere on your +network. (Of course, it is important to make the host where these +backups are stored as secure as your KDCs, and to encrypt its +transmission across your network.) Then if your database becomes +corrupted, you can load the most recent dump onto the master KDC. +(See {\hyperref[admin/database:restore-from-dump]{\emph{Restoring a Kerberos database from a dump file}}}.) + + +\chapter{PKINIT configuration} +\label{admin/pkinit:pkinit-configuration}\label{admin/pkinit:pkinit}\label{admin/pkinit::doc} +PKINIT is a preauthentication mechanism for Kerberos 5 which uses +X.509 certificates to authenticate the KDC to clients and vice versa. +PKINIT can also be used to enable anonymity support, allowing clients +to communicate securely with the KDC or with application servers +without authenticating as a particular client principal. + + +\section{Creating certificates} +\label{admin/pkinit:creating-certificates} +PKINIT requires an X.509 certificate for the KDC and one for each +client principal which will authenticate using PKINIT. For anonymous +PKINIT, a KDC certificate is required, but client certificates are +not. A commercially issued server certificate can be used for the KDC +certificate, but generally cannot be used for client certificates. + +The instruction in this section describe how to establish a +certificate authority and create standard PKINIT certificates. Skip +this section if you are using a commercially issued server certificate +as the KDC certificate for anonymous PKINIT, or if you are configuring +a client to use an Active Directory KDC. + + +\subsection{Generating a certificate authority certificate} +\label{admin/pkinit:generating-a-certificate-authority-certificate} +You can establish a new certificate authority (CA) for use with a +PKINIT deployment with the commands: + +\begin{Verbatim}[commandchars=\\\{\}] +openssl genrsa \PYGZhy{}out cakey.pem 2048 +openssl req \PYGZhy{}key cakey.pem \PYGZhy{}new \PYGZhy{}x509 \PYGZhy{}out cacert.pem \PYGZhy{}days 3650 +\end{Verbatim} + +The second command will ask for the values of several certificate +fields. These fields can be set to any values. You can adjust the +expiration time of the CA certificate by changing the number after +\code{-days}. Since the CA certificate must be deployed to client +machines each time it changes, it should normally have an expiration +time far in the future; however, expiration times after 2037 may cause +interoperability issues in rare circumstances. + +The result of these commands will be two files, cakey.pem and +cacert.pem. cakey.pem will contain a 2048-bit RSA private key, which +must be carefully protected. cacert.pem will contain the CA +certificate, which must be placed in the filesytems of the KDC and +each client host. cakey.pem will be required to create KDC and client +certificates. + + +\subsection{Generating a KDC certificate} +\label{admin/pkinit:generating-a-kdc-certificate} +A KDC certificate for use with PKINIT is required to have some unusual +fields, which makes generating them with OpenSSL somewhat complicated. +First, you will need a file containing the following: + +\begin{Verbatim}[commandchars=\\\{\}] +[kdc\PYGZus{}cert] +basicConstraints=CA:FALSE +keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement +extendedKeyUsage=1.3.6.1.5.2.3.5 +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer +issuerAltName=issuer:copy +subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc\PYGZus{}princ\PYGZus{}name + +[kdc\PYGZus{}princ\PYGZus{}name] +realm=EXP:0,GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{} +principal\PYGZus{}name=EXP:1,SEQUENCE:kdc\PYGZus{}principal\PYGZus{}seq + +[kdc\PYGZus{}principal\PYGZus{}seq] +name\PYGZus{}type=EXP:0,INTEGER:1 +name\PYGZus{}string=EXP:1,SEQUENCE:kdc\PYGZus{}principals + +[kdc\PYGZus{}principals] +princ1=GeneralString:krbtgt +princ2=GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{} +\end{Verbatim} + +If the above contents are placed in extensions.kdc, you can generate +and sign a KDC certificate with the following commands: + +\begin{Verbatim}[commandchars=\\\{\}] +openssl genrsa \PYGZhy{}out kdckey.pem 2048 +openssl req \PYGZhy{}new \PYGZhy{}out kdc.req \PYGZhy{}key kdckey.pem +env REALM=YOUR\PYGZus{}REALMNAME openssl x509 \PYGZhy{}req \PYGZhy{}in kdc.req \PYGZbs{} + \PYGZhy{}CAkey cakey.pem \PYGZhy{}CA cacert.pem \PYGZhy{}out kdc.pem \PYGZhy{}days 365 \PYGZbs{} + \PYGZhy{}extfile extensions.kdc \PYGZhy{}extensions kdc\PYGZus{}cert \PYGZhy{}CAcreateserial +rm kdc.req +\end{Verbatim} + +The second command will ask for the values of certificate fields, +which can be set to any values. In the third command, substitute your +KDC's realm name for YOUR\_REALMNAME. You can adjust the certificate's +expiration date by changing the number after \code{-days}. Remember to +create a new KDC certificate before the old one expires. + +The result of this operation will be in two files, kdckey.pem and +kdc.pem. Both files must be placed in the KDC's filesystem. +kdckey.pem, which contains the KDC's private key, must be carefully +protected. + +If you examine the KDC certificate with \code{openssl x509 -in kdc.pem +-text -noout}, OpenSSL will not know how to display the KDC principal +name in the Subject Alternative Name extension, so it will appear as +\code{othername:\textless{}unsupported\textgreater{}}. This is normal and does not mean +anything is wrong with the KDC certificate. + + +\subsection{Generating client certificates} +\label{admin/pkinit:generating-client-certificates} +PKINIT client certificates also must have some unusual certificate +fields. To generate a client certificate with OpenSSL for a +single-component principal name, you will need an extensions file +(different from the KDC extensions file above) containing: + +\begin{Verbatim}[commandchars=\\\{\}] +[client\PYGZus{}cert] +basicConstraints=CA:FALSE +keyUsage=digitalSignature,keyEncipherment,keyAgreement +extendedKeyUsage=1.3.6.1.5.2.3.4 +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer +issuerAltName=issuer:copy +subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ\PYGZus{}name + +[princ\PYGZus{}name] +realm=EXP:0,GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{} +principal\PYGZus{}name=EXP:1,SEQUENCE:principal\PYGZus{}seq + +[principal\PYGZus{}seq] +name\PYGZus{}type=EXP:0,INTEGER:1 +name\PYGZus{}string=EXP:1,SEQUENCE:principals + +[principals] +princ1=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT\PYGZcb{} +\end{Verbatim} + +If the above contents are placed in extensions.client, you can +generate and sign a client certificate with the following commands: + +\begin{Verbatim}[commandchars=\\\{\}] +openssl genrsa \PYGZhy{}out clientkey.pem 2048 +openssl req \PYGZhy{}new \PYGZhy{}key clientkey.pem \PYGZhy{}out client.req +env REALM=YOUR\PYGZus{}REALMNAME CLIENT=YOUR\PYGZus{}PRINCNAME openssl x509 \PYGZbs{} + \PYGZhy{}CAkey cakey.pem \PYGZhy{}CA cacert.pem \PYGZhy{}req \PYGZhy{}in client.req \PYGZbs{} + \PYGZhy{}extensions client\PYGZus{}cert \PYGZhy{}extfile extensions.client \PYGZbs{} + \PYGZhy{}days 365 \PYGZhy{}out client.pem +rm client.req +\end{Verbatim} + +Normally, the first two commands should be run on the client host, and +the resulting client.req file transferred to the certificate authority +host for the third command. As in the previous steps, the second +command will ask for the values of certificate fields, which can be +set to any values. In the third command, substitute your realm's name +for YOUR\_REALMNAME and the client's principal name (without realm) for +YOUR\_PRINCNAME. You can adjust the certificate's expiration date by +changing the number after \code{-days}. + +The result of this operation will be two files, clientkey.pem and +client.pem. Both files must be present on the client's host; +clientkey.pem, which contains the client's private key, must be +protected from access by others. + +As in the KDC certificate, OpenSSL will display the client principal +name as \code{othername:\textless{}unsupported\textgreater{}} in the Subject Alternative Name +extension of a PKINIT client certificate. + +If the client principal name contains more than one component +(e.g. \code{host/example.com@REALM}), the \code{{[}principals{]}} section of +\code{extensions.client} must be altered to contain multiple entries. +(Simply setting \code{CLIENT} to \code{host/example.com} would generate a +certificate for \code{host\textbackslash{}/example.com@REALM} which would not match the +multi-component principal name.) For a two-component principal, the +section should read: + +\begin{Verbatim}[commandchars=\\\{\}] +[principals] +princ1=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT1\PYGZcb{} +princ2=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT2\PYGZcb{} +\end{Verbatim} + +The environment variables \code{CLIENT1} and \code{CLIENT2} must then be set +to the first and second components when running \code{openssl x509}. + + +\section{Configuring the KDC} +\label{admin/pkinit:configuring-the-kdc} +The KDC must have filesystem access to the KDC certificate (kdc.pem) +and the KDC private key (kdckey.pem). Configure the following +relation in the KDC's {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file, either in the +{\hyperref[admin/conf_files/kdc_conf:kdcdefaults]{\emph{{[}kdcdefaults{]}}}} section or in a {\hyperref[admin/conf_files/kdc_conf:kdc-realms]{\emph{{[}realms{]}}}} subsection (with +appropriate pathnames): + +\begin{Verbatim}[commandchars=\\\{\}] +pkinit\PYGZus{}identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem +\end{Verbatim} + +If any clients will authenticate using regular (as opposed to +anonymous) PKINIT, the KDC must also have filesystem access to the CA +certificate (cacert.pem), and the following configuration (with the +appropriate pathname): + +\begin{Verbatim}[commandchars=\\\{\}] +pkinit\PYGZus{}anchors = FILE:/var/lib/krb5kdc/cacert.pem +\end{Verbatim} + +Because of the larger size of requests and responses using PKINIT, you +may also need to allow TCP access to the KDC: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{kdc\PYGZus{}tcp\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88} +\end{Verbatim} + +Restart the {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemon to pick up the configuration +changes. + +The principal entry for each PKINIT-using client must be configured to +require preauthentication. Ensure this with the command: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin \PYGZhy{}q \PYGZsq{}modprinc +requires\PYGZus{}preauth YOUR\PYGZus{}PRINCNAME\PYGZsq{} +\end{Verbatim} + +Starting with release 1.12, it is possible to remove the long-term +keys of a principal entry, which can save some space in the database +and help to clarify some PKINIT-related error conditions by not asking +for a password: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin \PYGZhy{}q \PYGZsq{}purgekeys \PYGZhy{}all YOUR\PYGZus{}PRINCNAME\PYGZsq{} +\end{Verbatim} + +These principal options can also be specified at principal creation +time as follows: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin \PYGZhy{}q \PYGZsq{}add\PYGZus{}principal +requires\PYGZus{}preauth \PYGZhy{}nokey YOUR\PYGZus{}PRINCNAME\PYGZsq{} +\end{Verbatim} + + +\section{Configuring the clients} +\label{admin/pkinit:configuring-the-clients} +Client hosts must be configured to trust the issuing authority for the +KDC certificate. For a newly established certificate authority, the +client host must have filesystem access to the CA certificate +(cacert.pem) and the following relation in {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} in the +appropriate {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} subsection (with appropriate pathnames): + +\begin{Verbatim}[commandchars=\\\{\}] +pkinit\PYGZus{}anchors = FILE:/etc/krb5/cacert.pem +\end{Verbatim} + +If the KDC certificate is a commercially issued server certificate, +the issuing certificate is most likely included in a system directory. +You can specify it by filename as above, or specify the whole +directory like so: + +\begin{Verbatim}[commandchars=\\\{\}] +pkinit\PYGZus{}anchors = DIR:/etc/ssl/certs +\end{Verbatim} + +A commercially issued server certificate will usually not have the +standard PKINIT principal name or Extended Key Usage extensions, so +the following additional configuration is required: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{pkinit\PYGZus{}eku\PYGZus{}checking} \PYG{o}{=} \PYG{n}{kpServerAuth} +\PYG{n}{pkinit\PYGZus{}kdc\PYGZus{}hostname} \PYG{o}{=} \PYG{n}{hostname}\PYG{o}{.}\PYG{n}{of}\PYG{o}{.}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{certificate} +\end{Verbatim} + +Multiple \textbf{pkinit\_kdc\_hostname} relations can be configured to +recognize multiple KDC certificates. If the KDC is an Active +Directory domain controller, setting \textbf{pkinit\_kdc\_hostname} is +necessary, but it should not be necessary to set +\textbf{pkinit\_eku\_checking}. + +To perform regular (as opposed to anonymous) PKINIT authentication, a +client host must have filesystem access to a client certificate +(client.pem), and the corresponding private key (clientkey.pem). +Configure the following relations in the client host's +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file in the appropriate {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} subsection +(with appropriate pathnames): + +\begin{Verbatim}[commandchars=\\\{\}] +pkinit\PYGZus{}identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem +\end{Verbatim} + +If the KDC and client are properly configured, it should now be +possible to run \code{kinit username} without entering a password. + + +\section{Anonymous PKINIT} +\label{admin/pkinit:anonymous-pkinit}\label{admin/pkinit:id1} +Anonymity support in Kerberos allows a client to obtain a ticket +without authenticating as any particular principal. Such a ticket can +be used as a FAST armor ticket, or to securely communicate with an +application server anonymously. + +To configure anonymity support, you must generate or otherwise procure +a KDC certificate and configure the KDC host, but you do not need to +generate any client certificates. On the KDC, you must set the +\textbf{pkinit\_identity} variable to provide the KDC certificate, but do +not need to set the \textbf{pkinit\_anchors} variable or store the issuing +certificate if you won't have any client certificates to verify. On +client hosts, you must set the \textbf{pkinit\_anchors} variable (and +possibly \textbf{pkinit\_kdc\_hostname} and \textbf{pkinit\_eku\_checking}) in order +to trust the issuing authority for the KDC certificate, but do not +need to set the \textbf{pkinit\_identities} variable. + +Anonymity support is not enabled by default. To enable it, you must +create the principal \code{WELLKNOWN/ANONYMOUS} using the command: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin \PYGZhy{}q \PYGZsq{}addprinc \PYGZhy{}randkey WELLKNOWN/ANONYMOUS\PYGZsq{} +\end{Verbatim} + +Some Kerberos deployments include application servers which lack +proper access control, and grant some level of access to any user who +can authenticate. In such an environment, enabling anonymity support +on the KDC would present a security issue. If you need to enable +anonymity support for TGTs (for use as FAST armor tickets) without +enabling anonymous authentication to application servers, you can set +the variable \textbf{restrict\_anonymous\_to\_tgt} to \code{true} in the +appropriate {\hyperref[admin/conf_files/kdc_conf:kdc-realms]{\emph{{[}realms{]}}}} subsection of the KDC's +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file. + +To obtain anonymous credentials on a client, run \code{kinit -n}, or +\code{kinit -n @REALMNAME} to specify a realm. The resulting tickets +will have the client name \code{WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS}. + + +\chapter{OTP Preauthentication} +\label{admin/otp::doc}\label{admin/otp:otp-preauthentication}\label{admin/otp:otp-preauth} +OTP is a preauthentication mechanism for Kerberos 5 which uses One +Time Passwords (OTP) to authenticate the client to the KDC. The OTP +is passed to the KDC over an encrypted FAST channel in clear-text. +The KDC uses the password along with per-user configuration to proxy +the request to a third-party RADIUS system. This enables +out-of-the-box compatibility with a large number of already widely +deployed proprietary systems. + +Additionally, our implementation of the OTP system allows for the +passing of RADIUS requests over a UNIX domain stream socket. This +permits the use of a local companion daemon which can handle the +details of authentication. + + +\section{Defining token types} +\label{admin/otp:defining-token-types} +Token types are defined in either {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} or +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} according to the following format: + +\begin{Verbatim}[commandchars=\\\{\}] +[otp] + \PYGZlt{}name\PYGZgt{} = \PYGZob{} + server = \PYGZlt{}host:port or filename\PYGZgt{} (default: see below) + secret = \PYGZlt{}filename\PYGZgt{} + timeout = \PYGZlt{}integer\PYGZgt{} (default: 5 [seconds]) + retries = \PYGZlt{}integer\PYGZgt{} (default: 3) + strip\PYGZus{}realm = \PYGZlt{}boolean\PYGZgt{} (default: true) + indicator = \PYGZlt{}string\PYGZgt{} (default: none) + \PYGZcb{} +\end{Verbatim} + +If the server field begins with `/', it will be interpreted as a UNIX +socket. Otherwise, it is assumed to be in the format host:port. When +a UNIX domain socket is specified, the secret field is optional and an +empty secret is used by default. If the server field is not +specified, it defaults to {\hyperref[mitK5defaults:paths]{\emph{RUNSTATEDIR}}}\code{/krb5kdc}\code{/\textless{}name\textgreater{}.socket}. + +When forwarding the request over RADIUS, by default the principal is +used in the User-Name attribute of the RADIUS packet. The strip\_realm +parameter controls whether the principal is forwarded with or without +the realm portion. + +If an indicator field is present, tickets issued using this token type +will be annotated with the specified authentication indicator (see +{\hyperref[admin/auth_indicator:auth-indicator]{\emph{Authentication indicators}}}). This key may be specified multiple times to +add multiple indicators. + + +\section{The default token type} +\label{admin/otp:the-default-token-type} +A default token type is used internally when no token type is specified for a +given user. It is defined as follows: + +\begin{Verbatim}[commandchars=\\\{\}] +[otp] + DEFAULT = \PYGZob{} + strip\PYGZus{}realm = false + \PYGZcb{} +\end{Verbatim} + +The administrator may override the internal \code{DEFAULT} token type +simply by defining a configuration with the same name. + + +\section{Token instance configuration} +\label{admin/otp:token-instance-configuration} +To enable OTP for a client principal, the administrator must define +the \textbf{otp} string attribute for that principal. (See +{\hyperref[admin/admin_commands/kadmin_local:set-string]{\emph{set\_string}}}.) The \textbf{otp} user string is a JSON string of the +format: + +\begin{Verbatim}[commandchars=\\\{\}] +[\PYGZob{} + \PYGZdq{}type\PYGZdq{}: \PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, + \PYGZdq{}username\PYGZdq{}: \PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, + \PYGZdq{}indicators\PYGZdq{}: [\PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, ...] + \PYGZcb{}, ...] +\end{Verbatim} + +This is an array of token objects. Both fields of token objects are +optional. The \textbf{type} field names the token type of this token; if +not specified, it defaults to \code{DEFAULT}. The \textbf{username} field +specifies the value to be sent in the User-Name RADIUS attribute. If +not specified, the principal name is sent, with or without realm as +defined in the token type. The \textbf{indicators} field specifies a list +of authentication indicators to annotate tickets with, overriding any +indicators specified in the token type. + +For ease of configuration, an empty array (\code{{[}{]}}) is treated as +equivalent to one DEFAULT token (\code{{[}\{\}{]}}). + + +\section{Other considerations} +\label{admin/otp:other-considerations}\begin{enumerate} +\item {} +FAST is required for OTP to work. + +\end{enumerate} + + +\chapter{Principal names and DNS} +\label{admin/princ_dns:principal-names-and-dns}\label{admin/princ_dns::doc} +Kerberos clients can do DNS lookups to canonicalize service principal +names. This can cause difficulties when setting up Kerberos +application servers, especially when the client's name for the service +is different from what the service thinks its name is. + + +\section{Service principal names} +\label{admin/princ_dns:service-principal-names} +A frequently used kind of principal name is the host-based service +principal name. This kind of principal name has two components: a +service name and a hostname. For example, \code{imap/imap.example.com} +is the principal name of the ``imap'' service on the host +``imap.example.com''. Other possible service names for the first +component include ``host'' (remote login services such as ssh), ``HTTP'', +and ``nfs'' (Network File System). + +Service administrators often publish well-known hostname aliases that +they would prefer users to use instead of the canonical name of the +service host. This gives service administrators more flexibility in +deploying services. For example, a shell login server might be named +``long-vanity-hostname.example.com'', but users will naturally prefer to +type something like ``login.example.com''. Hostname aliases also allow +for administrators to set up load balancing for some sorts of services +based on rotating \code{CNAME} records in DNS. + + +\section{Service principal canonicalization} +\label{admin/princ_dns:service-principal-canonicalization} +MIT Kerberos clients currently always do forward resolution (looking +up the IPv4 and possibly IPv6 addresses using \code{getaddrinfo()}) of +the hostname part of a host-based service principal to canonicalize +the hostname. They obtain the ``canonical'' name of the host when doing +so. By default, MIT Kerberos clients will also then do reverse DNS +resolution (looking up the hostname associated with the IPv4 or IPv6 +address using \code{getnameinfo()}) of the hostname. Using the +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} setting: + +\begin{Verbatim}[commandchars=\\\{\}] +[libdefaults] + rdns = false +\end{Verbatim} + +will disable reverse DNS lookup on clients. The default setting is +``true''. + +Operating system bugs may prevent a setting of \code{rdns = false} from +disabling reverse DNS lookup. Some versions of GNU libc have a bug in +\code{getaddrinfo()} that cause them to look up \code{PTR} records even when +not required. MIT Kerberos releases krb5-1.10.2 and newer have a +workaround for this problem, as does the krb5-1.9.x series as of +release krb5-1.9.4. + + +\section{Reverse DNS mismatches} +\label{admin/princ_dns:reverse-dns-mismatches} +Sometimes, an enterprise will have control over its forward DNS but +not its reverse DNS. The reverse DNS is sometimes under the control +of the Internet service provider of the enterprise, and the enterprise +may not have much influence in setting up reverse DNS records for its +address space. If there are difficulties with getting forward and +reverse DNS to match, it is best to set \code{rdns = false} on client +machines. + + +\section{Overriding application behavior} +\label{admin/princ_dns:overriding-application-behavior} +Applications can choose to use a default hostname component in their +service principal name when accepting authentication, which avoids +some sorts of hostname mismatches. Because not all relevant +applications do this yet, using the {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} setting: + +\begin{Verbatim}[commandchars=\\\{\}] +[libdefaults] + ignore\PYGZus{}acceptor\PYGZus{}hostname = true +\end{Verbatim} + +will allow the Kerberos library to override the application's choice +of service principal hostname and will allow a server program to +accept incoming authentications using any key in its keytab that +matches the service name and realm name (if given). This setting +defaults to ``false'' and is available in releases krb5-1.10 and later. + + +\section{Provisioning keytabs} +\label{admin/princ_dns:provisioning-keytabs} +One service principal entry that should be in the keytab is a +principal whose hostname component is the canonical hostname that +\code{getaddrinfo()} reports for all known aliases for the host. If the +reverse DNS information does not match this canonical hostname, an +additional service principal entry should be in the keytab for this +different hostname. + + +\section{Specific application advice} +\label{admin/princ_dns:specific-application-advice} + +\subsection{Secure shell (ssh)} +\label{admin/princ_dns:secure-shell-ssh} +Setting \code{GSSAPIStrictAcceptorCheck = no} in the configuration file +of modern versions of the openssh daemon will allow the daemon to try +any key in its keytab when accepting a connection, rather than looking +for the keytab entry that matches the host's own idea of its name +(typically the name that \code{gethostname()} returns). This requires +krb5-1.10 or later. + + +\chapter{Encryption types} +\label{admin/enctypes:enctypes}\label{admin/enctypes::doc}\label{admin/enctypes:encryption-types} +Kerberos can use a variety of cipher algorithms to protect data. A +Kerberos \textbf{encryption type} (also known as an \textbf{enctype}) is a +specific combination of a cipher algorithm with an integrity algorithm +to provide both confidentiality and integrity to data. + + +\section{Enctypes in requests} +\label{admin/enctypes:enctypes-in-requests} +Clients make two types of requests (KDC-REQ) to the KDC: AS-REQs and +TGS-REQs. The client uses the AS-REQ to obtain initial tickets +(typically a Ticket-Granting Ticket (TGT)), and uses the TGS-REQ to +obtain service tickets. + +The KDC uses three different keys when issuing a ticket to a client: +\begin{itemize} +\item {} +The long-term key of the service: the KDC uses this to encrypt the +actual service ticket. The KDC only uses the first long-term key in +the most recent kvno for this purpose. + +\item {} +The session key: the KDC randomly chooses this key and places one +copy inside the ticket and the other copy inside the encrypted part +of the reply. + +\item {} +The reply-encrypting key: the KDC uses this to encrypt the reply it +sends to the client. For AS replies, this is a long-term key of the +client principal. For TGS replies, this is either the session key of the +authenticating ticket, or a subsession key. + +\end{itemize} + +Each of these keys is of a specific enctype. + +Each request type allows the client to submit a list of enctypes that +it is willing to accept. For the AS-REQ, this list affects both the +session key selection and the reply-encrypting key selection. For the +TGS-REQ, this list only affects the session key selection. + + +\section{Session key selection} +\label{admin/enctypes:session-key-selection}\label{admin/enctypes:id1} +The KDC chooses the session key enctype by taking the intersection of +its \textbf{permitted\_enctypes} list, the list of long-term keys for the +most recent kvno of the service, and the client's requested list of +enctypes. If \textbf{allow\_weak\_crypto} is true, all services are assumed +to support des-cbc-crc. + +Starting in krb5-1.11, \textbf{des\_crc\_session\_supported} in +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} allows additional control over whether the KDC +issues des-cbc-crc session keys. + +Also starting in krb5-1.11, it is possible to set a string attribute +on a service principal to control what session key enctypes the KDC +may issue for service tickets for that principal. See +{\hyperref[admin/admin_commands/kadmin_local:set-string]{\emph{set\_string}}} in {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} for details. + + +\section{Choosing enctypes for a service} +\label{admin/enctypes:choosing-enctypes-for-a-service} +Generally, a service should have a key of the strongest +enctype that both it and the KDC support. If the KDC is running a +release earlier than krb5-1.11, it is also useful to generate an +additional key for each enctype that the service can support. The KDC +will only use the first key in the list of long-term keys for encrypting +the service ticket, but the additional long-term keys indicate the +other enctypes that the service supports. + +As noted above, starting with release krb5-1.11, there are additional +configuration settings that control session key enctype selection +independently of the set of long-term keys that the KDC has stored for +a service principal. + + +\section{Configuration variables} +\label{admin/enctypes:configuration-variables} +The following \code{{[}libdefaults{]}} settings in {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} will +affect how enctypes are chosen. +\begin{description} +\item[{\textbf{allow\_weak\_crypto}}] \leavevmode +defaults to \emph{false} starting with krb5-1.8. When \emph{false}, removes +single-DES enctypes (and other weak enctypes) from +\textbf{permitted\_enctypes}, \textbf{default\_tkt\_enctypes}, and +\textbf{default\_tgs\_enctypes}. Do not set this to \emph{true} unless the +use of weak enctypes is an acceptable risk for your environment +and the weak enctypes are required for backward compatibility. + +\item[{\textbf{permitted\_enctypes}}] \leavevmode +controls the set of enctypes that a service will accept as session +keys. + +\item[{\textbf{default\_tkt\_enctypes}}] \leavevmode +controls the default set of enctypes that the Kerberos client +library requests when making an AS-REQ. Do not set this unless +required for specific backward compatibility purposes; stale +values of this setting can prevent clients from taking advantage +of new stronger enctypes when the libraries are upgraded. + +\item[{\textbf{default\_tgs\_enctypes}}] \leavevmode +controls the default set of enctypes that the Kerberos client +library requests when making a TGS-REQ. Do not set this unless +required for specific backward compatibility purposes; stale +values of this setting can prevent clients from taking advantage +of new stronger enctypes when the libraries are upgraded. + +\end{description} + +The following per-realm setting in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} affects the +generation of long-term keys. +\begin{description} +\item[{\textbf{supported\_enctypes}}] \leavevmode +controls the default set of enctype-salttype pairs that {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} +will use for generating long-term keys, either randomly or from +passwords + +\end{description} + + +\section{Enctype compatibility} +\label{admin/enctypes:enctype-compatibility} +See {\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}} for additional information about enctypes. + +\begin{tabulary}{\linewidth}{|L|L|L|L|} +\hline +\textsf{\relax +enctype +} & \textsf{\relax +weak? +} & \textsf{\relax +krb5 +} & \textsf{\relax +Windows +}\\ +\hline +des-cbc-crc + & +weak + & +all + & +\textgreater{}=2000 +\\ +\hline +des-cbc-md4 + & +weak + & +all + & +? +\\ +\hline +des-cbc-md5 + & +weak + & +all + & +\textgreater{}=2000 +\\ +\hline +des3-cbc-sha1 + & & +\textgreater{}=1.1 + & +none +\\ +\hline +arcfour-hmac + & & +\textgreater{}=1.3 + & +\textgreater{}=2000 +\\ +\hline +arcfour-hmac-exp + & +weak + & +\textgreater{}=1.3 + & +\textgreater{}=2000 +\\ +\hline +aes128-cts-hmac-sha1-96 + & & +\textgreater{}=1.3 + & +\textgreater{}=Vista +\\ +\hline +aes256-cts-hmac-sha1-96 + & & +\textgreater{}=1.3 + & +\textgreater{}=Vista +\\ +\hline +aes128-cts-hmac-sha256-128 + & & +\textgreater{}=1.15 + & +none +\\ +\hline +aes256-cts-hmac-sha384-192 + & & +\textgreater{}=1.15 + & +none +\\ +\hline +camellia128-cts-cmac + & & +\textgreater{}=1.9 + & +none +\\ +\hline +camellia256-cts-cmac + & & +\textgreater{}=1.9 + & +none +\\ +\hline\end{tabulary} + + +krb5 releases 1.8 and later disable the single-DES enctypes by +default. Microsoft Windows releases Windows 7 and later disable +single-DES enctypes by default. + + +\chapter{HTTPS proxy configuration} +\label{admin/https:https-proxy-configuration}\label{admin/https::doc}\label{admin/https:https} +In addition to being able to use UDP or TCP to communicate directly +with a KDC as is outlined in RFC4120, and with kpasswd services in a +similar fashion, the client libraries can attempt to use an HTTPS +proxy server to communicate with a KDC or kpasswd service, using the +protocol outlined in {[}MS-KKDCP{]}. + +Communicating with a KDC through an HTTPS proxy allows clients to +contact servers when network firewalls might otherwise prevent them +from doing so. The use of TLS also encrypts all traffic between the +clients and the KDC, preventing observers from conducting password +dictionary attacks or from observing the client and server principals +being authenticated, at additional computational cost to both clients +and servers. + +An HTTPS proxy server is provided as a feature in some versions of +Microsoft Windows Server, and a WSGI implementation named \emph{kdcproxy} +is available in the python package index. + + +\section{Configuring the clients} +\label{admin/https:configuring-the-clients} +To use an HTTPS proxy, a client host must trust the CA which issued +that proxy's SSL certificate. If that CA's certificate is not in the +system-wide default set of trusted certificates, configure the +following relation in the client host's {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file in +the appropriate {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} subsection: + +\begin{Verbatim}[commandchars=\\\{\}] +http\PYGZus{}anchors = FILE:/etc/krb5/cacert.pem +\end{Verbatim} + +Adjust the pathname to match the path of the file which contains a +copy of the CA's certificate. The \emph{http\_anchors} option is documented +more fully in {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. + +Configure the client to access the KDC and kpasswd service by +specifying their locations in its {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file in the form +of HTTPS URLs for the proxy server: + +\begin{Verbatim}[commandchars=\\\{\}] +kdc = https://server.fqdn/KdcProxy +kpasswd\PYGZus{}server = https://server.fqdn/KdcProxy +\end{Verbatim} + +If the proxy and client are properly configured, client commands such +as \code{kinit}, \code{kvno}, and \code{kpasswd} should all function normally. + + +\chapter{Authentication indicators} +\label{admin/auth_indicator:auth-indicator}\label{admin/auth_indicator:authentication-indicators}\label{admin/auth_indicator::doc} +As of release 1.14, the KDC can be configured to annotate tickets if +the client authenticated using a stronger preauthentication mechanism +such as {\hyperref[admin/pkinit:pkinit]{\emph{PKINIT}}} or {\hyperref[admin/otp:otp-preauth]{\emph{OTP}}}. These +annotations are called ``authentication indicators.'' Service +principals can be configured to require particular authentication +indicators in order to authenticate to that service. An +authentication indicator value can be any string chosen by the KDC +administrator; there are no pre-set values. + +To use authentication indicators with PKINIT or OTP, first configure +the KDC to include an indicator when that preauthentication mechanism +is used. For PKINIT, use the \textbf{pkinit\_indicator} variable in +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. For OTP, use the \textbf{indicator} variable in the +token type definition, or specify the indicators in the \textbf{otp} user +string as described in {\hyperref[admin/otp:otp-preauth]{\emph{OTP Preauthentication}}}. + +To require an indicator to be present in order to authenticate to a +service principal, set the \textbf{require\_auth} string attribute on the +principal to the indicator value to be required. If you wish to allow +one of several indicators to be accepted, you can specify multiple +indicator values separated by spaces. + +For example, a realm could be configured to set the authentication +indicator value ``strong'' when PKINIT is used to authenticate, using a +setting in the {\hyperref[admin/conf_files/kdc_conf:kdc-realms]{\emph{{[}realms{]}}}} subsection: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{pkinit\PYGZus{}indicator} \PYG{o}{=} \PYG{n}{strong} +\end{Verbatim} + +A service principal could be configured to require the ``strong'' +authentication indicator value: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYGZdl{} kadmin setstr host/high.value.server require\PYGZus{}auth strong +Password for user/admin@KRBTEST.COM: +\end{Verbatim} + +A user who authenticates with PKINIT would be able to obtain a ticket +for the service principal: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYGZdl{} kinit \PYGZhy{}X X509\PYGZus{}user\PYGZus{}identity=FILE:/my/cert.pem,/my/key.pem user +\PYGZdl{} kvno host/high.value.server +host/high.value.server@KRBTEST.COM: kvno = 1 +\end{Verbatim} + +but a user who authenticates with a password would not: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYGZdl{} kinit user +Password for user@KRBTEST.COM: +\PYGZdl{} kvno host/high.value.server +kvno: KDC policy rejects request while getting credentials for + host/high.value.server@KRBTEST.COM +\end{Verbatim} + +GSSAPI server applications can inspect authentication indicators +through the \emph{auth-indicators} name +attribute. + + +\chapter{Administration programs} +\label{admin/admin_commands/index:administration-programs}\label{admin/admin_commands/index::doc} + +\section{kadmin} +\label{admin/admin_commands/kadmin_local::doc}\label{admin/admin_commands/kadmin_local:kadmin}\label{admin/admin_commands/kadmin_local:kadmin-1} + +\subsection{SYNOPSIS} +\label{admin/admin_commands/kadmin_local:synopsis}\phantomsection\label{admin/admin_commands/kadmin_local:kadmin-synopsis} +\textbf{kadmin} +{[}\textbf{-O}\textbar{}\textbf{-N}{]} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-p} \emph{principal}{]} +{[}\textbf{-q} \emph{query}{]} +{[}{[}\textbf{-c} \emph{cache\_name}{]}\textbar{}{[}\textbf{-k} {[}\textbf{-t} \emph{keytab}{]}{]}\textbar{}\textbf{-n}{]} +{[}\textbf{-w} \emph{password}{]} +{[}\textbf{-s} \emph{admin\_server}{[}:\emph{port}{]}{]} +{[}command args...{]} + +\textbf{kadmin.local} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-p} \emph{principal}{]} +{[}\textbf{-q} \emph{query}{]} +{[}\textbf{-d} \emph{dbname}{]} +{[}\textbf{-e} \emph{enc}:\emph{salt} ...{]} +{[}\textbf{-m}{]} +{[}\textbf{-x} \emph{db\_args}{]} +{[}command args...{]} + + +\subsection{DESCRIPTION} +\label{admin/admin_commands/kadmin_local:kadmin-synopsis-end}\label{admin/admin_commands/kadmin_local:description} +kadmin and kadmin.local are command-line interfaces to the Kerberos V5 +administration system. They provide nearly identical functionalities; +the difference is that kadmin.local directly accesses the KDC +database, while kadmin performs operations using {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}}. +Except as explicitly noted otherwise, this man page will use ``kadmin'' +to refer to both versions. kadmin provides for the maintenance of +Kerberos principals, password policies, and service key tables +(keytabs). + +The remote kadmin client uses Kerberos to authenticate to kadmind +using the service principal \code{kadmin/ADMINHOST} (where \emph{ADMINHOST} is +the fully-qualified hostname of the admin server) or \code{kadmin/admin}. +If the credentials cache contains a ticket for one of these +principals, and the \textbf{-c} credentials\_cache option is specified, that +ticket is used to authenticate to kadmind. Otherwise, the \textbf{-p} and +\textbf{-k} options are used to specify the client Kerberos principal name +used to authenticate. Once kadmin has determined the principal name, +it requests a service ticket from the KDC, and uses that service +ticket to authenticate to kadmind. + +Since kadmin.local directly accesses the KDC database, it usually must +be run directly on the master KDC with sufficient permissions to read +the KDC database. If the KDC database uses the LDAP database module, +kadmin.local can be run on any host which can access the LDAP server. + + +\subsection{OPTIONS} +\label{admin/admin_commands/kadmin_local:options}\phantomsection\label{admin/admin_commands/kadmin_local:kadmin-options}\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Use \emph{realm} as the default database realm. + +\item[{\textbf{-p} \emph{principal}}] \leavevmode +Use \emph{principal} to authenticate. Otherwise, kadmin will append +\code{/admin} to the primary principal name of the default ccache, +the value of the \textbf{USER} environment variable, or the username as +obtained with getpwuid, in order of preference. + +\item[{\textbf{-k}}] \leavevmode +Use a keytab to decrypt the KDC response instead of prompting for +a password. In this case, the default principal will be +\code{host/hostname}. If there is no keytab specified with the +\textbf{-t} option, then the default keytab will be used. + +\item[{\textbf{-t} \emph{keytab}}] \leavevmode +Use \emph{keytab} to decrypt the KDC response. This can only be used +with the \textbf{-k} option. + +\item[{\textbf{-n}}] \leavevmode +Requests anonymous processing. Two types of anonymous principals +are supported. For fully anonymous Kerberos, configure PKINIT on +the KDC and configure \textbf{pkinit\_anchors} in the client's +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. Then use the \textbf{-n} option with a principal +of the form \code{@REALM} (an empty principal name followed by the +at-sign and a realm name). If permitted by the KDC, an anonymous +ticket will be returned. A second form of anonymous tickets is +supported; these realm-exposed tickets hide the identity of the +client but not the client's realm. For this mode, use \code{kinit +-n} with a normal principal name. If supported by the KDC, the +principal (but not realm) will be replaced by the anonymous +principal. As of release 1.8, the MIT Kerberos KDC only supports +fully anonymous operation. + +\item[{\textbf{-c} \emph{credentials\_cache}}] \leavevmode +Use \emph{credentials\_cache} as the credentials cache. The +cache should contain a service ticket for the \code{kadmin/ADMINHOST} +(where \emph{ADMINHOST} is the fully-qualified hostname of the admin +server) or \code{kadmin/admin} service; it can be acquired with the +\emph{kinit(1)} program. If this option is not specified, kadmin +requests a new service ticket from the KDC, and stores it in its +own temporary ccache. + +\item[{\textbf{-w} \emph{password}}] \leavevmode +Use \emph{password} instead of prompting for one. Use this option with +care, as it may expose the password to other users on the system +via the process list. + +\item[{\textbf{-q} \emph{query}}] \leavevmode +Perform the specified query and then exit. + +\item[{\textbf{-d} \emph{dbname}}] \leavevmode +Specifies the name of the KDC database. This option does not +apply to the LDAP database module. + +\item[{\textbf{-s} \emph{admin\_server}{[}:\emph{port}{]}}] \leavevmode +Specifies the admin server which kadmin should contact. + +\item[{\textbf{-m}}] \leavevmode +If using kadmin.local, prompt for the database master password +instead of reading it from a stash file. + +\item[{\textbf{-e} ``\emph{enc}:\emph{salt} ...''}] \leavevmode +Sets the keysalt list to be used for any new keys created. See +{\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of possible +values. + +\item[{\textbf{-O}}] \leavevmode +Force use of old AUTH\_GSSAPI authentication flavor. + +\item[{\textbf{-N}}] \leavevmode +Prevent fallback to AUTH\_GSSAPI authentication flavor. + +\item[{\textbf{-x} \emph{db\_args}}] \leavevmode +Specifies the database specific arguments. See the next section +for supported options. + +\end{description} +\phantomsection\label{admin/admin_commands/kadmin_local:kadmin-options-end} +Starting with release 1.14, if any command-line arguments remain after +the options, they will be treated as a single query to be executed. +This mode of operation is intended for scripts and behaves differently +from the interactive mode in several respects: +\begin{itemize} +\item {} +Query arguments are split by the shell, not by kadmin. + +\item {} +Informational and warning messages are suppressed. Error messages +and query output (e.g. for \textbf{get\_principal}) will still be +displayed. + +\item {} +Confirmation prompts are disabled (as if \textbf{-force} was given). +Password prompts will still be issued as required. + +\item {} +The exit status will be non-zero if the query fails. + +\end{itemize} + +The \textbf{-q} option does not carry these behavior differences; the query +will be processed as if it was entered interactively. The \textbf{-q} +option cannot be used in combination with a query in the remaining +arguments. + + +\subsection{DATABASE OPTIONS} +\label{admin/admin_commands/kadmin_local:database-options}\label{admin/admin_commands/kadmin_local:dboptions} +Database options can be used to override database-specific defaults. +Supported options for the DB2 module are: +\begin{quote} +\begin{description} +\item[{\textbf{-x dbname=}*filename*}] \leavevmode +Specifies the base filename of the DB2 database. + +\item[{\textbf{-x lockiter}}] \leavevmode +Make iteration operations hold the lock for the duration of +the entire operation, rather than temporarily releasing the +lock while handling each principal. This is the default +behavior, but this option exists to allow command line +override of a {[}dbmodules{]} setting. First introduced in +release 1.13. + +\item[{\textbf{-x unlockiter}}] \leavevmode +Make iteration operations unlock the database for each +principal, instead of holding the lock for the duration of the +entire operation. First introduced in release 1.13. + +\end{description} +\end{quote} + +Supported options for the LDAP module are: +\begin{quote} +\begin{description} +\item[{\textbf{-x host=}\emph{ldapuri}}] \leavevmode +Specifies the LDAP server to connect to by a LDAP URI. + +\item[{\textbf{-x binddn=}\emph{bind\_dn}}] \leavevmode +Specifies the DN used to bind to the LDAP server. + +\item[{\textbf{-x bindpwd=}\emph{password}}] \leavevmode +Specifies the password or SASL secret used to bind to the LDAP +server. Using this option may expose the password to other +users on the system via the process list; to avoid this, +instead stash the password using the \textbf{stashsrvpw} command of +{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}}. + +\item[{\textbf{-x sasl\_mech=}\emph{mechanism}}] \leavevmode +Specifies the SASL mechanism used to bind to the LDAP server. +The bind DN is ignored if a SASL mechanism is used. New in +release 1.13. + +\item[{\textbf{-x sasl\_authcid=}\emph{name}}] \leavevmode +Specifies the authentication name used when binding to the +LDAP server with a SASL mechanism, if the mechanism requires +one. New in release 1.13. + +\item[{\textbf{-x sasl\_authzid=}\emph{name}}] \leavevmode +Specifies the authorization name used when binding to the LDAP +server with a SASL mechanism. New in release 1.13. + +\item[{\textbf{-x sasl\_realm=}\emph{realm}}] \leavevmode +Specifies the realm used when binding to the LDAP server with +a SASL mechanism, if the mechanism uses one. New in release +1.13. + +\item[{\textbf{-x debug=}\emph{level}}] \leavevmode +sets the OpenLDAP client library debug level. \emph{level} is an +integer to be interpreted by the library. Debugging messages +are printed to standard error. New in release 1.12. + +\end{description} +\end{quote} + + +\subsection{COMMANDS} +\label{admin/admin_commands/kadmin_local:commands} +When using the remote client, available commands may be restricted +according to the privileges specified in the {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}} file +on the admin server. + + +\subsubsection{add\_principal} +\label{admin/admin_commands/kadmin_local:add-principal}\label{admin/admin_commands/kadmin_local:id1}\begin{quote} + +\textbf{add\_principal} {[}\emph{options}{]} \emph{newprinc} +\end{quote} + +Creates the principal \emph{newprinc}, prompting twice for a password. If +no password policy is specified with the \textbf{-policy} option, and the +policy named \code{default} is assigned to the principal if it exists. +However, creating a policy named \code{default} will not automatically +assign this policy to previously existing principals. This policy +assignment can be suppressed with the \textbf{-clearpolicy} option. + +This command requires the \textbf{add} privilege. + +Aliases: \textbf{addprinc}, \textbf{ank} + +Options: +\begin{description} +\item[{\textbf{-expire} \emph{expdate}}] \leavevmode +(\emph{getdate} string) The expiration date of the principal. + +\item[{\textbf{-pwexpire} \emph{pwexpdate}}] \leavevmode +(\emph{getdate} string) The password expiration date. + +\item[{\textbf{-maxlife} \emph{maxlife}}] \leavevmode +(\emph{duration} or \emph{getdate} string) The maximum ticket life +for the principal. + +\item[{\textbf{-maxrenewlife} \emph{maxrenewlife}}] \leavevmode +(\emph{duration} or \emph{getdate} string) The maximum renewable +life of tickets for the principal. + +\item[{\textbf{-kvno} \emph{kvno}}] \leavevmode +The initial key version number. + +\item[{\textbf{-policy} \emph{policy}}] \leavevmode +The password policy used by this principal. If not specified, the +policy \code{default} is used if it exists (unless \textbf{-clearpolicy} +is specified). + +\item[{\textbf{-clearpolicy}}] \leavevmode +Prevents any policy from being assigned when \textbf{-policy} is not +specified. + +\item[{\{-\textbar{}+\}\textbf{allow\_postdated}}] \leavevmode +\textbf{-allow\_postdated} prohibits this principal from obtaining +postdated tickets. \textbf{+allow\_postdated} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_forwardable}}] \leavevmode +\textbf{-allow\_forwardable} prohibits this principal from obtaining +forwardable tickets. \textbf{+allow\_forwardable} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_renewable}}] \leavevmode +\textbf{-allow\_renewable} prohibits this principal from obtaining +renewable tickets. \textbf{+allow\_renewable} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_proxiable}}] \leavevmode +\textbf{-allow\_proxiable} prohibits this principal from obtaining +proxiable tickets. \textbf{+allow\_proxiable} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_dup\_skey}}] \leavevmode +\textbf{-allow\_dup\_skey} disables user-to-user authentication for this +principal by prohibiting this principal from obtaining a session +key for another user. \textbf{+allow\_dup\_skey} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{requires\_preauth}}] \leavevmode +\textbf{+requires\_preauth} requires this principal to preauthenticate +before being allowed to kinit. \textbf{-requires\_preauth} clears this +flag. When \textbf{+requires\_preauth} is set on a service principal, +the KDC will only issue service tickets for that service principal +if the client's initial authentication was performed using +preauthentication. + +\item[{\{-\textbar{}+\}\textbf{requires\_hwauth}}] \leavevmode +\textbf{+requires\_hwauth} requires this principal to preauthenticate +using a hardware device before being allowed to kinit. +\textbf{-requires\_hwauth} clears this flag. When \textbf{+requires\_hwauth} is +set on a service principal, the KDC will only issue service tickets +for that service principal if the client's initial authentication was +performed using a hardware device to preauthenticate. + +\item[{\{-\textbar{}+\}\textbf{ok\_as\_delegate}}] \leavevmode +\textbf{+ok\_as\_delegate} sets the \textbf{okay as delegate} flag on tickets +issued with this principal as the service. Clients may use this +flag as a hint that credentials should be delegated when +authenticating to the service. \textbf{-ok\_as\_delegate} clears this +flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_svr}}] \leavevmode +\textbf{-allow\_svr} prohibits the issuance of service tickets for this +principal. \textbf{+allow\_svr} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_tgs\_req}}] \leavevmode +\textbf{-allow\_tgs\_req} specifies that a Ticket-Granting Service (TGS) +request for a service ticket for this principal is not permitted. +\textbf{+allow\_tgs\_req} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{allow\_tix}}] \leavevmode +\textbf{-allow\_tix} forbids the issuance of any tickets for this +principal. \textbf{+allow\_tix} clears this flag. + +\item[{\{-\textbar{}+\}\textbf{needchange}}] \leavevmode +\textbf{+needchange} forces a password change on the next initial +authentication to this principal. \textbf{-needchange} clears this +flag. + +\item[{\{-\textbar{}+\}\textbf{password\_changing\_service}}] \leavevmode +\textbf{+password\_changing\_service} marks this principal as a password +change service principal. + +\item[{\{-\textbar{}+\}\textbf{ok\_to\_auth\_as\_delegate}}] \leavevmode +\textbf{+ok\_to\_auth\_as\_delegate} allows this principal to acquire +forwardable tickets to itself from arbitrary users, for use with +constrained delegation. + +\item[{\{-\textbar{}+\}\textbf{no\_auth\_data\_required}}] \leavevmode +\textbf{+no\_auth\_data\_required} prevents PAC or AD-SIGNEDPATH data from +being added to service tickets for the principal. + +\item[{\{-\textbar{}+\}\textbf{lockdown\_keys}}] \leavevmode +\textbf{+lockdown\_keys} prevents keys for this principal from leaving +the KDC via kadmind. The chpass and extract operations are denied +for a principal with this attribute. The chrand operation is +allowed, but will not return the new keys. The delete and rename +operations are also denied if this attribute is set, in order to +prevent a malicious administrator from replacing principals like +krbtgt/* or kadmin/* with new principals without the attribute. +This attribute can be set via the network protocol, but can only +be removed using kadmin.local. + +\item[{\textbf{-randkey}}] \leavevmode +Sets the key of the principal to a random value. + +\item[{\textbf{-nokey}}] \leavevmode +Causes the principal to be created with no key. New in release +1.12. + +\item[{\textbf{-pw} \emph{password}}] \leavevmode +Sets the password of the principal to the specified string and +does not prompt for a password. Note: using this option in a +shell script may expose the password to other users on the system +via the process list. + +\item[{\textbf{-e} \emph{enc}:\emph{salt},...}] \leavevmode +Uses the specified keysalt list for setting the keys of the +principal. See {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a +list of possible values. + +\item[{\textbf{-x} \emph{db\_princ\_args}}] \leavevmode +Indicates database-specific options. The options for the LDAP +database module are: +\begin{description} +\item[{\textbf{-x dn=}\emph{dn}}] \leavevmode +Specifies the LDAP object that will contain the Kerberos +principal being created. + +\item[{\textbf{-x linkdn=}\emph{dn}}] \leavevmode +Specifies the LDAP object to which the newly created Kerberos +principal object will point. + +\item[{\textbf{-x containerdn=}\emph{container\_dn}}] \leavevmode +Specifies the container object under which the Kerberos +principal is to be created. + +\item[{\textbf{-x tktpolicy=}\emph{policy}}] \leavevmode +Associates a ticket policy to the Kerberos principal. + +\end{description} + +\begin{notice}{note}{Note:}\begin{itemize} +\item {} +The \textbf{containerdn} and \textbf{linkdn} options cannot be +specified with the \textbf{dn} option. + +\item {} +If the \emph{dn} or \emph{containerdn} options are not specified while +adding the principal, the principals are created under the +principal container configured in the realm or the realm +container. + +\item {} +\emph{dn} and \emph{containerdn} should be within the subtrees or +principal container configured in the realm. + +\end{itemize} +\end{notice} + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: addprinc jennifer +WARNING: no policy specified for \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{}; +defaulting to no policy. +Enter password for principal jennifer@ATHENA.MIT.EDU: +Re\PYGZhy{}enter password for principal jennifer@ATHENA.MIT.EDU: +Principal \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{} created. +kadmin: +\end{Verbatim} +\phantomsection\label{admin/admin_commands/kadmin_local:add-principal-end} + +\subsubsection{modify\_principal} +\label{admin/admin_commands/kadmin_local:add-principal-end}\label{admin/admin_commands/kadmin_local:id2}\label{admin/admin_commands/kadmin_local:modify-principal}\begin{quote} + +\textbf{modify\_principal} {[}\emph{options}{]} \emph{principal} +\end{quote} + +Modifies the specified principal, changing the fields as specified. +The options to \textbf{add\_principal} also apply to this command, except +for the \textbf{-randkey}, \textbf{-pw}, and \textbf{-e} options. In addition, the +option \textbf{-clearpolicy} will clear the current policy of a principal. + +This command requires the \emph{modify} privilege. + +Alias: \textbf{modprinc} + +Options (in addition to the \textbf{addprinc} options): +\begin{description} +\item[{\textbf{-unlock}}] \leavevmode +Unlocks a locked principal (one which has received too many failed +authentication attempts without enough time between them according +to its password policy) so that it can successfully authenticate. + +\end{description} +\phantomsection\label{admin/admin_commands/kadmin_local:modify-principal-end} + +\subsubsection{rename\_principal} +\label{admin/admin_commands/kadmin_local:modify-principal-end}\label{admin/admin_commands/kadmin_local:rename-principal}\label{admin/admin_commands/kadmin_local:id3}\begin{quote} + +\textbf{rename\_principal} {[}\textbf{-force}{]} \emph{old\_principal} \emph{new\_principal} +\end{quote} + +Renames the specified \emph{old\_principal} to \emph{new\_principal}. This +command prompts for confirmation, unless the \textbf{-force} option is +given. + +This command requires the \textbf{add} and \textbf{delete} privileges. + +Alias: \textbf{renprinc} +\phantomsection\label{admin/admin_commands/kadmin_local:rename-principal-end} + +\subsubsection{delete\_principal} +\label{admin/admin_commands/kadmin_local:id4}\label{admin/admin_commands/kadmin_local:delete-principal}\label{admin/admin_commands/kadmin_local:rename-principal-end}\begin{quote} + +\textbf{delete\_principal} {[}\textbf{-force}{]} \emph{principal} +\end{quote} + +Deletes the specified \emph{principal} from the database. This command +prompts for deletion, unless the \textbf{-force} option is given. + +This command requires the \textbf{delete} privilege. + +Alias: \textbf{delprinc} +\phantomsection\label{admin/admin_commands/kadmin_local:delete-principal-end} + +\subsubsection{change\_password} +\label{admin/admin_commands/kadmin_local:id5}\label{admin/admin_commands/kadmin_local:delete-principal-end}\label{admin/admin_commands/kadmin_local:change-password}\begin{quote} + +\textbf{change\_password} {[}\emph{options}{]} \emph{principal} +\end{quote} + +Changes the password of \emph{principal}. Prompts for a new password if +neither \textbf{-randkey} or \textbf{-pw} is specified. + +This command requires the \textbf{changepw} privilege, or that the +principal running the program is the same as the principal being +changed. + +Alias: \textbf{cpw} + +The following options are available: +\begin{description} +\item[{\textbf{-randkey}}] \leavevmode +Sets the key of the principal to a random value. + +\item[{\textbf{-pw} \emph{password}}] \leavevmode +Set the password to the specified string. Using this option in a +script may expose the password to other users on the system via +the process list. + +\item[{\textbf{-e} \emph{enc}:\emph{salt},...}] \leavevmode +Uses the specified keysalt list for setting the keys of the +principal. See {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a +list of possible values. + +\item[{\textbf{-keepold}}] \leavevmode +Keeps the existing keys in the database. This flag is usually not +necessary except perhaps for \code{krbtgt} principals. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: cpw systest +Enter password for principal systest@BLEEP.COM: +Re\PYGZhy{}enter password for principal systest@BLEEP.COM: +Password for systest@BLEEP.COM changed. +kadmin: +\end{Verbatim} +\phantomsection\label{admin/admin_commands/kadmin_local:change-password-end} + +\subsubsection{purgekeys} +\label{admin/admin_commands/kadmin_local:id6}\label{admin/admin_commands/kadmin_local:change-password-end}\label{admin/admin_commands/kadmin_local:purgekeys}\begin{quote} + +\textbf{purgekeys} {[}\textbf{-all}\textbar{}\textbf{-keepkvno} \emph{oldest\_kvno\_to\_keep}{]} \emph{principal} +\end{quote} + +Purges previously retained old keys (e.g., from \textbf{change\_password +-keepold}) from \emph{principal}. If \textbf{-keepkvno} is specified, then +only purges keys with kvnos lower than \emph{oldest\_kvno\_to\_keep}. If +\textbf{-all} is specified, then all keys are purged. The \textbf{-all} option +is new in release 1.12. + +This command requires the \textbf{modify} privilege. +\phantomsection\label{admin/admin_commands/kadmin_local:purgekeys-end} + +\subsubsection{get\_principal} +\label{admin/admin_commands/kadmin_local:get-principal}\label{admin/admin_commands/kadmin_local:id7}\label{admin/admin_commands/kadmin_local:purgekeys-end}\begin{quote} + +\textbf{get\_principal} {[}\textbf{-terse}{]} \emph{principal} +\end{quote} + +Gets the attributes of principal. With the \textbf{-terse} option, outputs +fields as quoted tab-separated strings. + +This command requires the \textbf{inquire} privilege, or that the principal +running the the program to be the same as the one being listed. + +Alias: \textbf{getprinc} + +Examples: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: getprinc tlyu/admin +Principal: tlyu/admin@BLEEP.COM +Expiration date: [never] +Last password change: Mon Aug 12 14:16:47 EDT 1996 +Password expiration date: [none] +Maximum ticket life: 0 days 10:00:00 +Maximum renewable life: 7 days 00:00:00 +Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) +Last successful authentication: [never] +Last failed authentication: [never] +Failed password attempts: 0 +Number of keys: 2 +Key: vno 1, des\PYGZhy{}cbc\PYGZhy{}crc +Key: vno 1, des\PYGZhy{}cbc\PYGZhy{}crc:v4 +Attributes: +Policy: [none] + +kadmin: getprinc \PYGZhy{}terse systest +systest@BLEEP.COM 3 86400 604800 1 +785926535 753241234 785900000 +tlyu/admin@BLEEP.COM 786100034 0 0 +kadmin: +\end{Verbatim} +\phantomsection\label{admin/admin_commands/kadmin_local:get-principal-end} + +\subsubsection{list\_principals} +\label{admin/admin_commands/kadmin_local:get-principal-end}\label{admin/admin_commands/kadmin_local:id8}\label{admin/admin_commands/kadmin_local:list-principals}\begin{quote} + +\textbf{list\_principals} {[}\emph{expression}{]} +\end{quote} + +Retrieves all or some principal names. \emph{expression} is a shell-style +glob expression that can contain the wild-card characters \code{?}, +\code{*}, and \code{{[}{]}}. All principal names matching the expression are +printed. If no expression is provided, all principal names are +printed. If the expression does not contain an \code{@} character, an +\code{@} character followed by the local realm is appended to the +expression. + +This command requires the \textbf{list} privilege. + +Alias: \textbf{listprincs}, \textbf{get\_principals}, \textbf{get\_princs} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: listprincs test* +test3@SECURE\PYGZhy{}TEST.OV.COM +test2@SECURE\PYGZhy{}TEST.OV.COM +test1@SECURE\PYGZhy{}TEST.OV.COM +testuser@SECURE\PYGZhy{}TEST.OV.COM +kadmin: +\end{Verbatim} +\phantomsection\label{admin/admin_commands/kadmin_local:list-principals-end} + +\subsubsection{get\_strings} +\label{admin/admin_commands/kadmin_local:id9}\label{admin/admin_commands/kadmin_local:get-strings}\label{admin/admin_commands/kadmin_local:list-principals-end}\begin{quote} + +\textbf{get\_strings} \emph{principal} +\end{quote} + +Displays string attributes on \emph{principal}. + +This command requires the \textbf{inquire} privilege. + +Alias: \textbf{getstr} +\phantomsection\label{admin/admin_commands/kadmin_local:get-strings-end} + +\subsubsection{set\_string} +\label{admin/admin_commands/kadmin_local:id10}\label{admin/admin_commands/kadmin_local:set-string}\label{admin/admin_commands/kadmin_local:get-strings-end}\begin{quote} + +\textbf{set\_string} \emph{principal} \emph{name} \emph{value} +\end{quote} + +Sets a string attribute on \emph{principal}. String attributes are used to +supply per-principal configuration to the KDC and some KDC plugin +modules. The following string attribute names are recognized by the +KDC: +\begin{description} +\item[{\textbf{require\_auth}}] \leavevmode +Specifies an authentication indicator which is required to +authenticate to the principal as a service. Multiple indicators +can be specified, separated by spaces; in this case any of the +specified indicators will be accepted. (New in release 1.14.) + +\item[{\textbf{session\_enctypes}}] \leavevmode +Specifies the encryption types supported for session keys when the +principal is authenticated to as a server. See +{\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of the +accepted values. + +\item[{\textbf{otp}}] \leavevmode +Enables One Time Passwords (OTP) preauthentication for a client +\emph{principal}. The \emph{value} is a JSON string representing an array +of objects, each having optional \code{type} and \code{username} fields. + +\end{description} + +This command requires the \textbf{modify} privilege. + +Alias: \textbf{setstr} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +set\PYGZus{}string host/foo.mit.edu session\PYGZus{}enctypes aes128\PYGZhy{}cts +set\PYGZus{}string user@FOO.COM otp \PYGZdq{}[\PYGZob{}\PYGZdq{}\PYGZdq{}type\PYGZdq{}\PYGZdq{}:\PYGZdq{}\PYGZdq{}hotp\PYGZdq{}\PYGZdq{},\PYGZdq{}\PYGZdq{}username\PYGZdq{}\PYGZdq{}:\PYGZdq{}\PYGZdq{}al\PYGZdq{}\PYGZdq{}\PYGZcb{}]\PYGZdq{} +\end{Verbatim} +\phantomsection\label{admin/admin_commands/kadmin_local:set-string-end} + +\subsubsection{del\_string} +\label{admin/admin_commands/kadmin_local:set-string-end}\label{admin/admin_commands/kadmin_local:del-string}\label{admin/admin_commands/kadmin_local:id11}\begin{quote} + +\textbf{del\_string} \emph{principal} \emph{key} +\end{quote} + +Deletes a string attribute from \emph{principal}. + +This command requires the \textbf{delete} privilege. + +Alias: \textbf{delstr} +\phantomsection\label{admin/admin_commands/kadmin_local:del-string-end} + +\subsubsection{add\_policy} +\label{admin/admin_commands/kadmin_local:id12}\label{admin/admin_commands/kadmin_local:del-string-end}\label{admin/admin_commands/kadmin_local:add-policy}\begin{quote} + +\textbf{add\_policy} {[}\emph{options}{]} \emph{policy} +\end{quote} + +Adds a password policy named \emph{policy} to the database. + +This command requires the \textbf{add} privilege. + +Alias: \textbf{addpol} + +The following options are available: +\begin{description} +\item[{\textbf{-maxlife} \emph{time}}] \leavevmode +(\emph{duration} or \emph{getdate} string) Sets the maximum +lifetime of a password. + +\item[{\textbf{-minlife} \emph{time}}] \leavevmode +(\emph{duration} or \emph{getdate} string) Sets the minimum +lifetime of a password. + +\item[{\textbf{-minlength} \emph{length}}] \leavevmode +Sets the minimum length of a password. + +\item[{\textbf{-minclasses} \emph{number}}] \leavevmode +Sets the minimum number of character classes required in a +password. The five character classes are lower case, upper case, +numbers, punctuation, and whitespace/unprintable characters. + +\item[{\textbf{-history} \emph{number}}] \leavevmode +Sets the number of past keys kept for a principal. This option is +not supported with the LDAP KDC database module. + +\end{description} +\phantomsection\label{admin/admin_commands/kadmin_local:policy-maxfailure}\begin{description} +\item[{\textbf{-maxfailure} \emph{maxnumber}}] \leavevmode +Sets the number of authentication failures before the principal is +locked. Authentication failures are only tracked for principals +which require preauthentication. The counter of failed attempts +resets to 0 after a successful attempt to authenticate. A +\emph{maxnumber} value of 0 (the default) disables lockout. + +\end{description} +\phantomsection\label{admin/admin_commands/kadmin_local:policy-failurecountinterval}\begin{description} +\item[{\textbf{-failurecountinterval} \emph{failuretime}}] \leavevmode +(\emph{duration} or \emph{getdate} string) Sets the allowable time +between authentication failures. If an authentication failure +happens after \emph{failuretime} has elapsed since the previous +failure, the number of authentication failures is reset to 1. A +\emph{failuretime} value of 0 (the default) means forever. + +\end{description} +\phantomsection\label{admin/admin_commands/kadmin_local:policy-lockoutduration}\begin{description} +\item[{\textbf{-lockoutduration} \emph{lockouttime}}] \leavevmode +(\emph{duration} or \emph{getdate} string) Sets the duration for +which the principal is locked from authenticating if too many +authentication failures occur without the specified failure count +interval elapsing. A duration of 0 (the default) means the +principal remains locked out until it is administratively unlocked +with \code{modprinc -unlock}. + +\item[{\textbf{-allowedkeysalts}}] \leavevmode +Specifies the key/salt tuples supported for long-term keys when +setting or changing a principal's password/keys. See +{\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of the +accepted values, but note that key/salt tuples must be separated +with commas (`,') only. To clear the allowed key/salt policy use +a value of `-`. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: add\PYGZus{}policy \PYGZhy{}maxlife \PYGZdq{}2 days\PYGZdq{} \PYGZhy{}minlength 5 guests +kadmin: +\end{Verbatim} +\phantomsection\label{admin/admin_commands/kadmin_local:add-policy-end} + +\subsubsection{modify\_policy} +\label{admin/admin_commands/kadmin_local:id13}\label{admin/admin_commands/kadmin_local:modify-policy}\label{admin/admin_commands/kadmin_local:add-policy-end}\begin{quote} + +\textbf{modify\_policy} {[}\emph{options}{]} \emph{policy} +\end{quote} + +Modifies the password policy named \emph{policy}. Options are as described +for \textbf{add\_policy}. + +This command requires the \textbf{modify} privilege. + +Alias: \textbf{modpol} +\phantomsection\label{admin/admin_commands/kadmin_local:modify-policy-end} + +\subsubsection{delete\_policy} +\label{admin/admin_commands/kadmin_local:delete-policy}\label{admin/admin_commands/kadmin_local:modify-policy-end}\label{admin/admin_commands/kadmin_local:id14}\begin{quote} + +\textbf{delete\_policy} {[}\textbf{-force}{]} \emph{policy} +\end{quote} + +Deletes the password policy named \emph{policy}. Prompts for confirmation +before deletion. The command will fail if the policy is in use by any +principals. + +This command requires the \textbf{delete} privilege. + +Alias: \textbf{delpol} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: del\PYGZus{}policy guests +Are you sure you want to delete the policy \PYGZdq{}guests\PYGZdq{}? +(yes/no): yes +kadmin: +\end{Verbatim} +\phantomsection\label{admin/admin_commands/kadmin_local:delete-policy-end} + +\subsubsection{get\_policy} +\label{admin/admin_commands/kadmin_local:delete-policy-end}\label{admin/admin_commands/kadmin_local:get-policy}\label{admin/admin_commands/kadmin_local:id15}\begin{quote} + +\textbf{get\_policy} {[} \textbf{-terse} {]} \emph{policy} +\end{quote} + +Displays the values of the password policy named \emph{policy}. With the +\textbf{-terse} flag, outputs the fields as quoted strings separated by +tabs. + +This command requires the \textbf{inquire} privilege. + +Alias: getpol + +Examples: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: get\PYGZus{}policy admin +Policy: admin +Maximum password life: 180 days 00:00:00 +Minimum password life: 00:00:00 +Minimum password length: 6 +Minimum number of password character classes: 2 +Number of old keys kept: 5 +Reference count: 17 + +kadmin: get\PYGZus{}policy \PYGZhy{}terse admin +admin 15552000 0 6 2 5 17 +kadmin: +\end{Verbatim} + +The ``Reference count'' is the number of principals using that policy. +With the LDAP KDC database module, the reference count field is not +meaningful. +\phantomsection\label{admin/admin_commands/kadmin_local:get-policy-end} + +\subsubsection{list\_policies} +\label{admin/admin_commands/kadmin_local:get-policy-end}\label{admin/admin_commands/kadmin_local:list-policies}\label{admin/admin_commands/kadmin_local:id16}\begin{quote} + +\textbf{list\_policies} {[}\emph{expression}{]} +\end{quote} + +Retrieves all or some policy names. \emph{expression} is a shell-style +glob expression that can contain the wild-card characters \code{?}, +\code{*}, and \code{{[}{]}}. All policy names matching the expression are +printed. If no expression is provided, all existing policy names are +printed. + +This command requires the \textbf{list} privilege. + +Aliases: \textbf{listpols}, \textbf{get\_policies}, \textbf{getpols}. + +Examples: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: listpols +test\PYGZhy{}pol +dict\PYGZhy{}only +once\PYGZhy{}a\PYGZhy{}min +test\PYGZhy{}pol\PYGZhy{}nopw + +kadmin: listpols t* +test\PYGZhy{}pol +test\PYGZhy{}pol\PYGZhy{}nopw +kadmin: +\end{Verbatim} +\phantomsection\label{admin/admin_commands/kadmin_local:list-policies-end} + +\subsubsection{ktadd} +\label{admin/admin_commands/kadmin_local:ktadd}\label{admin/admin_commands/kadmin_local:list-policies-end}\label{admin/admin_commands/kadmin_local:id17}\begin{quote} + +\begin{DUlineblock}{0em} +\item[] \textbf{ktadd} {[}options{]} \emph{principal} +\item[] \textbf{ktadd} {[}options{]} \textbf{-glob} \emph{princ-exp} +\end{DUlineblock} +\end{quote} + +Adds a \emph{principal}, or all principals matching \emph{princ-exp}, to a +keytab file. Each principal's keys are randomized in the process. +The rules for \emph{princ-exp} are described in the \textbf{list\_principals} +command. + +This command requires the \textbf{inquire} and \textbf{changepw} privileges. +With the \textbf{-glob} form, it also requires the \textbf{list} privilege. + +The options are: +\begin{description} +\item[{\textbf{-k{[}eytab{]}} \emph{keytab}}] \leavevmode +Use \emph{keytab} as the keytab file. Otherwise, the default keytab is +used. + +\item[{\textbf{-e} \emph{enc}:\emph{salt},...}] \leavevmode +Uses the specified keysalt list for setting the new keys of the +principal. See {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a +list of possible values. + +\item[{\textbf{-q}}] \leavevmode +Display less verbose information. + +\item[{\textbf{-norandkey}}] \leavevmode +Do not randomize the keys. The keys and their version numbers stay +unchanged. This option cannot be specified in combination with the +\textbf{-e} option. + +\end{description} + +An entry for each of the principal's unique encryption types is added, +ignoring multiple keys with the same encryption type but different +salt types. + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: ktadd \PYGZhy{}k /tmp/foo\PYGZhy{}new\PYGZhy{}keytab host/foo.mit.edu +Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, + encryption type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab + FILE:/tmp/foo\PYGZhy{}new\PYGZhy{}keytab +kadmin: +\end{Verbatim} +\phantomsection\label{admin/admin_commands/kadmin_local:ktadd-end} + +\subsubsection{ktremove} +\label{admin/admin_commands/kadmin_local:id18}\label{admin/admin_commands/kadmin_local:ktremove}\label{admin/admin_commands/kadmin_local:ktadd-end}\begin{quote} + +\textbf{ktremove} {[}options{]} \emph{principal} {[}\emph{kvno} \textbar{} \emph{all} \textbar{} \emph{old}{]} +\end{quote} + +Removes entries for the specified \emph{principal} from a keytab. Requires +no permissions, since this does not require database access. + +If the string ``all'' is specified, all entries for that principal are +removed; if the string ``old'' is specified, all entries for that +principal except those with the highest kvno are removed. Otherwise, +the value specified is parsed as an integer, and all entries whose +kvno match that integer are removed. + +The options are: +\begin{description} +\item[{\textbf{-k{[}eytab{]}} \emph{keytab}}] \leavevmode +Use \emph{keytab} as the keytab file. Otherwise, the default keytab is +used. + +\item[{\textbf{-q}}] \leavevmode +Display less verbose information. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin: ktremove kadmin/admin all +Entry for principal kadmin/admin with kvno 3 removed from keytab + FILE:/etc/krb5.keytab +kadmin: +\end{Verbatim} + + +\subsubsection{lock} +\label{admin/admin_commands/kadmin_local:ktremove-end}\label{admin/admin_commands/kadmin_local:lock} +Lock database exclusively. Use with extreme caution! This command +only works with the DB2 KDC database module. + + +\subsubsection{unlock} +\label{admin/admin_commands/kadmin_local:unlock} +Release the exclusive database lock. + + +\subsubsection{list\_requests} +\label{admin/admin_commands/kadmin_local:list-requests} +Lists available for kadmin requests. + +Aliases: \textbf{lr}, \textbf{?} + + +\subsubsection{quit} +\label{admin/admin_commands/kadmin_local:quit} +Exit program. If the database was locked, the lock is released. + +Aliases: \textbf{exit}, \textbf{q} + + +\subsection{HISTORY} +\label{admin/admin_commands/kadmin_local:history} +The kadmin program was originally written by Tom Yu at MIT, as an +interface to the OpenVision Kerberos administration program. + + +\subsection{SEE ALSO} +\label{admin/admin_commands/kadmin_local:see-also} +\emph{kpasswd(1)}, {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} + + +\section{kadmind} +\label{admin/admin_commands/kadmind:kadmind-8}\label{admin/admin_commands/kadmind:kadmind}\label{admin/admin_commands/kadmind::doc} + +\subsection{SYNOPSIS} +\label{admin/admin_commands/kadmind:synopsis} +\textbf{kadmind} +{[}\textbf{-x} \emph{db\_args}{]} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-m}{]} +{[}\textbf{-nofork}{]} +{[}\textbf{-proponly}{]} +{[}\textbf{-port} \emph{port-number}{]} +{[}\textbf{-P} \emph{pid\_file}{]} +{[}\textbf{-p} \emph{kdb5\_util\_path}{]} +{[}\textbf{-K} \emph{kprop\_path}{]} +{[}\textbf{-k} \emph{kprop\_port}{]} +{[}\textbf{-F} \emph{dump\_file}{]} + + +\subsection{DESCRIPTION} +\label{admin/admin_commands/kadmind:description} +kadmind starts the Kerberos administration server. kadmind typically +runs on the master Kerberos server, which stores the KDC database. If +the KDC database uses the LDAP module, the administration server and +the KDC server need not run on the same machine. kadmind accepts +remote requests from programs such as {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} and +\emph{kpasswd(1)} to administer the information in these database. + +kadmind requires a number of configuration files to be set up in order +for it to work: +\begin{description} +\item[{{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}}] \leavevmode +The KDC configuration file contains configuration information for +the KDC and admin servers. kadmind uses settings in this file to +locate the Kerberos database, and is also affected by the +\textbf{acl\_file}, \textbf{dict\_file}, \textbf{kadmind\_port}, and iprop-related +settings. + +\item[{{\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}}] \leavevmode +kadmind's ACL (access control list) tells it which principals are +allowed to perform administration actions. The pathname to the +ACL file can be specified with the \textbf{acl\_file} {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} +variable; by default, it is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl}. + +\end{description} + +After the server begins running, it puts itself in the background and +disassociates itself from its controlling terminal. + +kadmind can be configured for incremental database propagation. +Incremental propagation allows slave KDC servers to receive principal +and policy updates incrementally instead of receiving full dumps of +the database. This facility can be enabled in the {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} +file with the \textbf{iprop\_enable} option. Incremental propagation +requires the principal \code{kiprop/MASTER\textbackslash{}@REALM} (where MASTER is the +master KDC's canonical host name, and REALM the realm name). In +release 1.13, this principal is automatically created and registered +into the datebase. + + +\subsection{OPTIONS} +\label{admin/admin_commands/kadmind:options}\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +specifies the realm that kadmind will serve; if it is not +specified, the default realm of the host is used. + +\item[{\textbf{-m}}] \leavevmode +causes the master database password to be fetched from the +keyboard (before the server puts itself in the background, if not +invoked with the \textbf{-nofork} option) rather than from a file on +disk. + +\item[{\textbf{-nofork}}] \leavevmode +causes the server to remain in the foreground and remain +associated to the terminal. In normal operation, you should allow +the server to place itself in the background. + +\item[{\textbf{-proponly}}] \leavevmode +causes the server to only listen and respond to Kerberos slave +incremental propagation polling requests. This option can be used +to set up a hierarchical propagation topology where a slave KDC +provides incremental updates to other Kerberos slaves. + +\item[{\textbf{-port} \emph{port-number}}] \leavevmode +specifies the port on which the administration server listens for +connections. The default port is determined by the +\textbf{kadmind\_port} configuration variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. + +\item[{\textbf{-P} \emph{pid\_file}}] \leavevmode +specifies the file to which the PID of kadmind process should be +written after it starts up. This file can be used to identify +whether kadmind is still running and to allow init scripts to stop +the correct process. + +\item[{\textbf{-p} \emph{kdb5\_util\_path}}] \leavevmode +specifies the path to the kdb5\_util command to use when dumping the +KDB in response to full resync requests when iprop is enabled. + +\item[{\textbf{-K} \emph{kprop\_path}}] \leavevmode +specifies the path to the kprop command to use to send full dumps +to slaves in response to full resync requests. + +\item[{\textbf{-k} \emph{kprop\_port}}] \leavevmode +specifies the port by which the kprop process that is spawned by kadmind +connects to the slave kpropd, in order to transfer the dump file during +an iprop full resync request. + +\item[{\textbf{-F} \emph{dump\_file}}] \leavevmode +specifies the file path to be used for dumping the KDB in response +to full resync requests when iprop is enabled. + +\item[{\textbf{-x} \emph{db\_args}}] \leavevmode +specifies database-specific arguments. See {\hyperref[admin/admin_commands/kadmin_local:dboptions]{\emph{Database Options}}} in {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} for supported arguments. + +\end{description} + + +\subsection{SEE ALSO} +\label{admin/admin_commands/kadmind:see-also} +\emph{kpasswd(1)}, {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}, {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}, +{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}}, {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}} + + +\section{kdb5\_util} +\label{admin/admin_commands/kdb5_util:kdb5-util-8}\label{admin/admin_commands/kdb5_util::doc}\label{admin/admin_commands/kdb5_util:kdb5-util} + +\subsection{SYNOPSIS} +\label{admin/admin_commands/kdb5_util:synopsis}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-synopsis} +\textbf{kdb5\_util} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-d} \emph{dbname}{]} +{[}\textbf{-k} \emph{mkeytype}{]} +{[}\textbf{-M} \emph{mkeyname}{]} +{[}\textbf{-kv} \emph{mkeyVNO}{]} +{[}\textbf{-sf} \emph{stashfilename}{]} +{[}\textbf{-m}{]} +\emph{command} {[}\emph{command\_options}{]} + + +\subsection{DESCRIPTION} +\label{admin/admin_commands/kdb5_util:kdb5-util-synopsis-end}\label{admin/admin_commands/kdb5_util:description} +kdb5\_util allows an administrator to perform maintenance procedures on +the KDC database. Databases can be created, destroyed, and dumped to +or loaded from ASCII files. kdb5\_util can create a Kerberos master +key stash file or perform live rollover of the master key. + +When kdb5\_util is run, it attempts to acquire the master key and open +the database. However, execution continues regardless of whether or +not kdb5\_util successfully opens the database, because the database +may not exist yet or the stash file may be corrupt. + +Note that some KDC database modules may not support all kdb5\_util +commands. + + +\subsection{COMMAND-LINE OPTIONS} +\label{admin/admin_commands/kdb5_util:command-line-options}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-options}\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +specifies the Kerberos realm of the database. + +\item[{\textbf{-d} \emph{dbname}}] \leavevmode +specifies the name under which the principal database is stored; +by default the database is that listed in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. The +password policy database and lock files are also derived from this +value. + +\item[{\textbf{-k} \emph{mkeytype}}] \leavevmode +specifies the key type of the master key in the database. The +default is given by the \textbf{master\_key\_type} variable in +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. + +\item[{\textbf{-kv} \emph{mkeyVNO}}] \leavevmode +Specifies the version number of the master key in the database; +the default is 1. Note that 0 is not allowed. + +\item[{\textbf{-M} \emph{mkeyname}}] \leavevmode +principal name for the master key in the database. If not +specified, the name is determined by the \textbf{master\_key\_name} +variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. + +\item[{\textbf{-m}}] \leavevmode +specifies that the master database password should be read from +the keyboard rather than fetched from a file on disk. + +\item[{\textbf{-sf} \emph{stash\_file}}] \leavevmode +specifies the stash filename of the master database password. If +not specified, the filename is determined by the +\textbf{key\_stash\_file} variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. + +\item[{\textbf{-P} \emph{password}}] \leavevmode +specifies the master database password. Using this option may +expose the password to other users on the system via the process +list. + +\end{description} + + +\subsection{COMMANDS} +\label{admin/admin_commands/kdb5_util:commands}\label{admin/admin_commands/kdb5_util:kdb5-util-options-end} + +\subsubsection{create} +\label{admin/admin_commands/kdb5_util:create}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-create}\begin{quote} + +\textbf{create} {[}\textbf{-s}{]} +\end{quote} + +Creates a new database. If the \textbf{-s} option is specified, the stash +file is also created. This command fails if the database already +exists. If the command is successful, the database is opened just as +if it had already existed when the program was first run. + + +\subsubsection{destroy} +\label{admin/admin_commands/kdb5_util:destroy}\label{admin/admin_commands/kdb5_util:kdb5-util-create-end}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-destroy}\begin{quote} + +\textbf{destroy} {[}\textbf{-f}{]} +\end{quote} + +Destroys the database, first overwriting the disk sectors and then +unlinking the files, after prompting the user for confirmation. With +the \textbf{-f} argument, does not prompt the user. + + +\subsubsection{stash} +\label{admin/admin_commands/kdb5_util:kdb5-util-destroy-end}\label{admin/admin_commands/kdb5_util:stash}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-stash}\begin{quote} + +\textbf{stash} {[}\textbf{-f} \emph{keyfile}{]} +\end{quote} + +Stores the master principal's keys in a stash file. The \textbf{-f} +argument can be used to override the \emph{keyfile} specified in +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. + + +\subsubsection{dump} +\label{admin/admin_commands/kdb5_util:kdb5-util-stash-end}\label{admin/admin_commands/kdb5_util:dump}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-dump}\begin{quote} + +\textbf{dump} {[}\textbf{-b7}\textbar{}\textbf{-ov}\textbar{}\textbf{-r13}{]} {[}\textbf{-verbose}{]} +{[}\textbf{-mkey\_convert}{]} {[}\textbf{-new\_mkey\_file} \emph{mkey\_file}{]} {[}\textbf{-rev}{]} +{[}\textbf{-recurse}{]} {[}\emph{filename} {[}\emph{principals}...{]}{]} +\end{quote} + +Dumps the current Kerberos and KADM5 database into an ASCII file. By +default, the database is dumped in current format, ``kdb5\_util +load\_dump version 7''. If filename is not specified, or is the string +``-'', the dump is sent to standard output. Options: +\begin{description} +\item[{\textbf{-b7}}] \leavevmode +causes the dump to be in the Kerberos 5 Beta 7 format (``kdb5\_util +load\_dump version 4''). This was the dump format produced on +releases prior to 1.2.2. + +\item[{\textbf{-ov}}] \leavevmode +causes the dump to be in ``ovsec\_adm\_export'' format. + +\item[{\textbf{-r13}}] \leavevmode +causes the dump to be in the Kerberos 5 1.3 format (``kdb5\_util +load\_dump version 5''). This was the dump format produced on +releases prior to 1.8. + +\item[{\textbf{-r18}}] \leavevmode +causes the dump to be in the Kerberos 5 1.8 format (``kdb5\_util +load\_dump version 6''). This was the dump format produced on +releases prior to 1.11. + +\item[{\textbf{-verbose}}] \leavevmode +causes the name of each principal and policy to be printed as it +is dumped. + +\item[{\textbf{-mkey\_convert}}] \leavevmode +prompts for a new master key. This new master key will be used to +re-encrypt principal key data in the dumpfile. The principal keys +themselves will not be changed. + +\item[{\textbf{-new\_mkey\_file} \emph{mkey\_file}}] \leavevmode +the filename of a stash file. The master key in this stash file +will be used to re-encrypt the key data in the dumpfile. The key +data in the database will not be changed. + +\item[{\textbf{-rev}}] \leavevmode +dumps in reverse order. This may recover principals that do not +dump normally, in cases where database corruption has occurred. + +\item[{\textbf{-recurse}}] \leavevmode +causes the dump to walk the database recursively (btree only). +This may recover principals that do not dump normally, in cases +where database corruption has occurred. In cases of such +corruption, this option will probably retrieve more principals +than the \textbf{-rev} option will. + +\DUspan{versionmodified}{Changed in version 1.15: }Release 1.15 restored the functionality of the \textbf{-recurse} +option. + +\DUspan{versionmodified}{Changed in version 1.5: }The \textbf{-recurse} option ceased working until release 1.15, +doing a normal dump instead of a recursive traversal. + +\end{description} + + +\subsubsection{load} +\label{admin/admin_commands/kdb5_util:kdb5-util-dump-end}\label{admin/admin_commands/kdb5_util:load}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-load}\begin{quote} + +\textbf{load} {[}\textbf{-b7}\textbar{}\textbf{-ov}\textbar{}\textbf{-r13}{]} {[}\textbf{-hash}{]} +{[}\textbf{-verbose}{]} {[}\textbf{-update}{]} \emph{filename} {[}\emph{dbname}{]} +\end{quote} + +Loads a database dump from the named file into the named database. If +no option is given to determine the format of the dump file, the +format is detected automatically and handled as appropriate. Unless +the \textbf{-update} option is given, \textbf{load} creates a new database +containing only the data in the dump file, overwriting the contents of +any previously existing database. Note that when using the LDAP KDC +database module, the \textbf{-update} flag is required. + +Options: +\begin{description} +\item[{\textbf{-b7}}] \leavevmode +requires the database to be in the Kerberos 5 Beta 7 format +(``kdb5\_util load\_dump version 4''). This was the dump format +produced on releases prior to 1.2.2. + +\item[{\textbf{-ov}}] \leavevmode +requires the database to be in ``ovsec\_adm\_import'' format. Must be +used with the \textbf{-update} option. + +\item[{\textbf{-r13}}] \leavevmode +requires the database to be in Kerberos 5 1.3 format (``kdb5\_util +load\_dump version 5''). This was the dump format produced on +releases prior to 1.8. + +\item[{\textbf{-r18}}] \leavevmode +requires the database to be in Kerberos 5 1.8 format (``kdb5\_util +load\_dump version 6''). This was the dump format produced on +releases prior to 1.11. + +\item[{\textbf{-hash}}] \leavevmode +requires the database to be stored as a hash. If this option is +not specified, the database will be stored as a btree. This +option is not recommended, as databases stored in hash format are +known to corrupt data and lose principals. + +\item[{\textbf{-verbose}}] \leavevmode +causes the name of each principal and policy to be printed as it +is dumped. + +\item[{\textbf{-update}}] \leavevmode +records from the dump file are added to or updated in the existing +database. Otherwise, a new database is created containing only +what is in the dump file and the old one destroyed upon successful +completion. + +\end{description} + +If specified, \emph{dbname} overrides the value specified on the command +line or the default. + + +\subsubsection{ark} +\label{admin/admin_commands/kdb5_util:kdb5-util-load-end}\label{admin/admin_commands/kdb5_util:ark}\begin{quote} + +\textbf{ark} {[}\textbf{-e} \emph{enc}:\emph{salt},...{]} \emph{principal} +\end{quote} + +Adds new random keys to \emph{principal} at the next available key version +number. Keys for the current highest key version number will be +preserved. The \textbf{-e} option specifies the list of encryption and +salt types to be used for the new keys. + + +\subsubsection{add\_mkey} +\label{admin/admin_commands/kdb5_util:add-mkey}\begin{quote} + +\textbf{add\_mkey} {[}\textbf{-e} \emph{etype}{]} {[}\textbf{-s}{]} +\end{quote} + +Adds a new master key to the master key principal, but does not mark +it as active. Existing master keys will remain. The \textbf{-e} option +specifies the encryption type of the new master key; see +{\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of possible +values. The \textbf{-s} option stashes the new master key in the stash +file, which will be created if it doesn't already exist. + +After a new master key is added, it should be propagated to slave +servers via a manual or periodic invocation of {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}}. Then, +the stash files on the slave servers should be updated with the +kdb5\_util \textbf{stash} command. Once those steps are complete, the key +is ready to be marked active with the kdb5\_util \textbf{use\_mkey} command. + + +\subsubsection{use\_mkey} +\label{admin/admin_commands/kdb5_util:use-mkey}\begin{quote} + +\textbf{use\_mkey} \emph{mkeyVNO} {[}\emph{time}{]} +\end{quote} + +Sets the activation time of the master key specified by \emph{mkeyVNO}. +Once a master key becomes active, it will be used to encrypt newly +created principal keys. If no \emph{time} argument is given, the current +time is used, causing the specified master key version to become +active immediately. The format for \emph{time} is \emph{getdate} string. + +After a new master key becomes active, the kdb5\_util +\textbf{update\_princ\_encryption} command can be used to update all +principal keys to be encrypted in the new master key. + + +\subsubsection{list\_mkeys} +\label{admin/admin_commands/kdb5_util:list-mkeys}\begin{quote} + +\textbf{list\_mkeys} +\end{quote} + +List all master keys, from most recent to earliest, in the master key +principal. The output will show the kvno, enctype, and salt type for +each mkey, similar to the output of {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} \textbf{getprinc}. A +\code{*} following an mkey denotes the currently active master key. + + +\subsubsection{purge\_mkeys} +\label{admin/admin_commands/kdb5_util:purge-mkeys}\begin{quote} + +\textbf{purge\_mkeys} {[}\textbf{-f}{]} {[}\textbf{-n}{]} {[}\textbf{-v}{]} +\end{quote} + +Delete master keys from the master key principal that are not used to +protect any principals. This command can be used to remove old master +keys all principal keys are protected by a newer master key. +\begin{description} +\item[{\textbf{-f}}] \leavevmode +does not prompt for confirmation. + +\item[{\textbf{-n}}] \leavevmode +performs a dry run, showing master keys that would be purged, but +not actually purging any keys. + +\item[{\textbf{-v}}] \leavevmode +gives more verbose output. + +\end{description} + + +\subsubsection{update\_princ\_encryption} +\label{admin/admin_commands/kdb5_util:update-princ-encryption}\begin{quote} + +\textbf{update\_princ\_encryption} {[}\textbf{-f}{]} {[}\textbf{-n}{]} {[}\textbf{-v}{]} +{[}\emph{princ-pattern}{]} +\end{quote} + +Update all principal records (or only those matching the +\emph{princ-pattern} glob pattern) to re-encrypt the key data using the +active database master key, if they are encrypted using a different +version, and give a count at the end of the number of principals +updated. If the \textbf{-f} option is not given, ask for confirmation +before starting to make changes. The \textbf{-v} option causes each +principal processed to be listed, with an indication as to whether it +needed updating or not. The \textbf{-n} option performs a dry run, only +showing the actions which would have been taken. + + +\subsubsection{tabdump} +\label{admin/admin_commands/kdb5_util:tabdump}\begin{quote} + +\textbf{tabdump} {[}\textbf{-H}{]} {[}\textbf{-c}{]} {[}\textbf{-e}{]} {[}\textbf{-n}{]} {[}\textbf{-o} \emph{outfile}{]} +\emph{dumptype} +\end{quote} + +Dump selected fields of the database in a tabular format suitable for +reporting (e.g., using traditional Unix text processing tools) or +importing into relational databases. The data format is tab-separated +(default), or optionally comma-separated (CSV), with a fixed number of +columns. The output begins with a header line containing field names, +unless suppression is requested using the \textbf{-H} option. + +The \emph{dumptype} parameter specifies the name of an output table (see +below). + +Options: +\begin{description} +\item[{\textbf{-H}}] \leavevmode +suppress writing the field names in a header line + +\item[{\textbf{-c}}] \leavevmode +use comma separated values (CSV) format, with minimal quoting, +instead of the default tab-separated (unquoted, unescaped) format + +\item[{\textbf{-e}}] \leavevmode +write empty hexadecimal string fields as empty fields instead of +as ``-1''. + +\item[{\textbf{-n}}] \leavevmode +produce numeric output for fields that normally have symbolic +output, such as enctypes and flag names. Also requests output of +time stamps as decimal POSIX time\_t values. + +\item[{\textbf{-o} \emph{outfile}}] \leavevmode +write the dump to the specified output file instead of to standard +output + +\end{description} + +Dump types: +\begin{description} +\item[{\textbf{keydata}}] \leavevmode +principal encryption key information, including actual key data +(which is still encrypted in the master key) +\begin{description} +\item[{\textbf{name}}] \leavevmode +principal name + +\item[{\textbf{keyindex}}] \leavevmode +index of this key in the principal's key list + +\item[{\textbf{kvno}}] \leavevmode +key version number + +\item[{\textbf{enctype}}] \leavevmode +encryption type + +\item[{\textbf{key}}] \leavevmode +key data as a hexadecimal string + +\item[{\textbf{salttype}}] \leavevmode +salt type + +\item[{\textbf{salt}}] \leavevmode +salt data as a hexadecimal string + +\end{description} + +\item[{\textbf{keyinfo}}] \leavevmode +principal encryption key information (as in \textbf{keydata} above), +excluding actual key data + +\item[{\textbf{princ\_flags}}] \leavevmode +principal boolean attributes. Flag names print as hexadecimal +numbers if the \textbf{-n} option is specified, and all flag positions +are printed regardless of whether or not they are set. If \textbf{-n} +is not specified, print all known flag names for each principal, +but only print hexadecimal flag names if the corresponding flag is +set. +\begin{description} +\item[{\textbf{name}}] \leavevmode +principal name + +\item[{\textbf{flag}}] \leavevmode +flag name + +\item[{\textbf{value}}] \leavevmode +boolean value (0 for clear, or 1 for set) + +\end{description} + +\item[{\textbf{princ\_lockout}}] \leavevmode +state information used for tracking repeated password failures +\begin{description} +\item[{\textbf{name}}] \leavevmode +principal name + +\item[{\textbf{last\_success}}] \leavevmode +time stamp of most recent successful authentication + +\item[{\textbf{last\_failed}}] \leavevmode +time stamp of most recent failed authentication + +\item[{\textbf{fail\_count}}] \leavevmode +count of failed attempts + +\end{description} + +\item[{\textbf{princ\_meta}}] \leavevmode +principal metadata +\begin{description} +\item[{\textbf{name}}] \leavevmode +principal name + +\item[{\textbf{modby}}] \leavevmode +name of last principal to modify this principal + +\item[{\textbf{modtime}}] \leavevmode +timestamp of last modification + +\item[{\textbf{lastpwd}}] \leavevmode +timestamp of last password change + +\item[{\textbf{policy}}] \leavevmode +policy object name + +\item[{\textbf{mkvno}}] \leavevmode +key version number of the master key that encrypts this +principal's key data + +\item[{\textbf{hist\_kvno}}] \leavevmode +key version number of the history key that encrypts the key +history data for this principal + +\end{description} + +\item[{\textbf{princ\_stringattrs}}] \leavevmode +string attributes (key/value pairs) +\begin{description} +\item[{\textbf{name}}] \leavevmode +principal name + +\item[{\textbf{key}}] \leavevmode +attribute name + +\item[{\textbf{value}}] \leavevmode +attribute value + +\end{description} + +\item[{\textbf{princ\_tktpolicy}}] \leavevmode +per-principal ticket policy data, including maximum ticket +lifetimes +\begin{description} +\item[{\textbf{name}}] \leavevmode +principal name + +\item[{\textbf{expiration}}] \leavevmode +principal expiration date + +\item[{\textbf{pw\_expiration}}] \leavevmode +password expiration date + +\item[{\textbf{max\_life}}] \leavevmode +maximum ticket lifetime + +\item[{\textbf{max\_renew\_life}}] \leavevmode +maximum renewable ticket lifetime + +\end{description} + +\end{description} + +Examples: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYGZdl{} kdb5\PYGZus{}util tabdump \PYGZhy{}o keyinfo.txt keyinfo +\PYGZdl{} cat keyinfo.txt +name keyindex kvno enctype salttype salt +foo@EXAMPLE.COM 0 1 aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 normal \PYGZhy{}1 +bar@EXAMPLE.COM 0 1 aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 normal \PYGZhy{}1 +bar@EXAMPLE.COM 1 1 des\PYGZhy{}cbc\PYGZhy{}crc normal \PYGZhy{}1 +\PYGZdl{} sqlite3 +sqlite\PYGZgt{} .mode tabs +sqlite\PYGZgt{} .import keyinfo.txt keyinfo +sqlite\PYGZgt{} select * from keyinfo where enctype like \PYGZsq{}des\PYGZhy{}cbc\PYGZhy{}\PYGZpc{}\PYGZsq{}; +bar@EXAMPLE.COM 1 1 des\PYGZhy{}cbc\PYGZhy{}crc normal \PYGZhy{}1 +sqlite\PYGZgt{} .quit +\PYGZdl{} awk \PYGZhy{}F\PYGZsq{}\PYGZbs{}t\PYGZsq{} \PYGZsq{}\PYGZdl{}4 \PYGZti{} /des\PYGZhy{}cbc\PYGZhy{}/ \PYGZob{} print \PYGZcb{}\PYGZsq{} keyinfo.txt +bar@EXAMPLE.COM 1 1 des\PYGZhy{}cbc\PYGZhy{}crc normal \PYGZhy{}1 +\end{Verbatim} + + +\subsection{SEE ALSO} +\label{admin/admin_commands/kdb5_util:see-also} +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} + + +\section{kdb5\_ldap\_util} +\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}\label{admin/admin_commands/kdb5_ldap_util::doc}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util} + +\subsection{SYNOPSIS} +\label{admin/admin_commands/kdb5_ldap_util:synopsis}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-synopsis} +\textbf{kdb5\_ldap\_util} +{[}\textbf{-D} \emph{user\_dn} {[}\textbf{-w} \emph{passwd}{]}{]} +{[}\textbf{-H} \emph{ldapuri}{]} +\textbf{command} +{[}\emph{command\_options}{]} + + +\subsection{DESCRIPTION} +\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-synopsis-end}\label{admin/admin_commands/kdb5_ldap_util:description} +kdb5\_ldap\_util allows an administrator to manage realms, Kerberos +services and ticket policies. + + +\subsection{COMMAND-LINE OPTIONS} +\label{admin/admin_commands/kdb5_ldap_util:command-line-options}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-options}\begin{description} +\item[{\textbf{-D} \emph{user\_dn}}] \leavevmode +Specifies the Distinguished Name (DN) of the user who has +sufficient rights to perform the operation on the LDAP server. + +\item[{\textbf{-w} \emph{passwd}}] \leavevmode +Specifies the password of \emph{user\_dn}. This option is not +recommended. + +\item[{\textbf{-H} \emph{ldapuri}}] \leavevmode +Specifies the URI of the LDAP server. It is recommended to use +\code{ldapi://} or \code{ldaps://} to connect to the LDAP server. + +\end{description} + + +\subsection{COMMANDS} +\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-options-end}\label{admin/admin_commands/kdb5_ldap_util:commands} + +\subsubsection{create} +\label{admin/admin_commands/kdb5_ldap_util:create}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create}\begin{quote} + +\textbf{create} +{[}\textbf{-subtrees} \emph{subtree\_dn\_list}{]} +{[}\textbf{-sscope} \emph{search\_scope}{]} +{[}\textbf{-containerref} \emph{container\_reference\_dn}{]} +{[}\textbf{-k} \emph{mkeytype}{]} +{[}\textbf{-kv} \emph{mkeyVNO}{]} +{[}\textbf{-m\textbar{}-P} \emph{password}\textbar{}\textbf{-sf} \emph{stashfilename}{]} +{[}\textbf{-s}{]} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} +{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} +{[}\emph{ticket\_flags}{]} +\end{quote} + +Creates realm in directory. Options: +\begin{description} +\item[{\textbf{-subtrees} \emph{subtree\_dn\_list}}] \leavevmode +Specifies the list of subtrees containing the principals of a +realm. The list contains the DNs of the subtree objects separated +by colon (\code{:}). + +\item[{\textbf{-sscope} \emph{search\_scope}}] \leavevmode +Specifies the scope for searching the principals under the +subtree. The possible values are 1 or one (one level), 2 or sub +(subtrees). + +\item[{\textbf{-containerref} \emph{container\_reference\_dn}}] \leavevmode +Specifies the DN of the container object in which the principals +of a realm will be created. If the container reference is not +configured for a realm, the principals will be created in the +realm container. + +\item[{\textbf{-k} \emph{mkeytype}}] \leavevmode +Specifies the key type of the master key in the database. The +default is given by the \textbf{master\_key\_type} variable in +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. + +\item[{\textbf{-kv} \emph{mkeyVNO}}] \leavevmode +Specifies the version number of the master key in the database; +the default is 1. Note that 0 is not allowed. + +\item[{\textbf{-m}}] \leavevmode +Specifies that the master database password should be read from +the TTY rather than fetched from a file on the disk. + +\item[{\textbf{-P} \emph{password}}] \leavevmode +Specifies the master database password. This option is not +recommended. + +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\item[{\textbf{-sf} \emph{stashfilename}}] \leavevmode +Specifies the stash file of the master database password. + +\item[{\textbf{-s}}] \leavevmode +Specifies that the stash file is to be created. + +\item[{\textbf{-maxtktlife} \emph{max\_ticket\_life}}] \leavevmode +(\emph{getdate} string) Specifies maximum ticket life for +principals in this realm. + +\item[{\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}}] \leavevmode +(\emph{getdate} string) Specifies maximum renewable life of +tickets for principals in this realm. + +\item[{\emph{ticket\_flags}}] \leavevmode +Specifies global ticket flags for the realm. Allowable flags are +documented in the description of the \textbf{add\_principal} command in +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu + create \PYGZhy{}subtrees o=org \PYGZhy{}sscope SUB \PYGZhy{}r ATHENA.MIT.EDU +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +Initializing database for realm \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{} +You will be prompted for the database Master Password. +It is important that you NOT FORGET this password. +Enter KDC database master key: +Re\PYGZhy{}enter KDC database master key to verify: +\end{Verbatim} + + +\subsubsection{modify} +\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-end}\label{admin/admin_commands/kdb5_ldap_util:modify}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify}\begin{quote} + +\textbf{modify} +{[}\textbf{-subtrees} \emph{subtree\_dn\_list}{]} +{[}\textbf{-sscope} \emph{search\_scope}{]} +{[}\textbf{-containerref} \emph{container\_reference\_dn}{]} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} +{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} +{[}\emph{ticket\_flags}{]} +\end{quote} + +Modifies the attributes of a realm. Options: +\begin{description} +\item[{\textbf{-subtrees} \emph{subtree\_dn\_list}}] \leavevmode +Specifies the list of subtrees containing the principals of a +realm. The list contains the DNs of the subtree objects separated +by colon (\code{:}). This list replaces the existing list. + +\item[{\textbf{-sscope} \emph{search\_scope}}] \leavevmode +Specifies the scope for searching the principals under the +subtrees. The possible values are 1 or one (one level), 2 or sub +(subtrees). + +\item[{\textbf{-containerref} \emph{container\_reference\_dn} Specifies the DN of the}] \leavevmode +container object in which the principals of a realm will be +created. + +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\item[{\textbf{-maxtktlife} \emph{max\_ticket\_life}}] \leavevmode +(\emph{getdate} string) Specifies maximum ticket life for +principals in this realm. + +\item[{\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}}] \leavevmode +(\emph{getdate} string) Specifies maximum renewable life of +tickets for principals in this realm. + +\item[{\emph{ticket\_flags}}] \leavevmode +Specifies global ticket flags for the realm. Allowable flags are +documented in the description of the \textbf{add\_principal} command in +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H + ldaps://ldap\PYGZhy{}server1.mit.edu modify +requires\PYGZus{}preauth \PYGZhy{}r + ATHENA.MIT.EDU +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +shell\PYGZpc{} +\end{Verbatim} + + +\subsubsection{view} +\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-end}\label{admin/admin_commands/kdb5_ldap_util:view}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view}\begin{quote} + +\textbf{view} {[}\textbf{-r} \emph{realm}{]} +\end{quote} + +Displays the attributes of a realm. Options: +\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu + view \PYGZhy{}r ATHENA.MIT.EDU +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +Realm Name: ATHENA.MIT.EDU +Subtree: ou=users,o=org +Subtree: ou=servers,o=org +SearchScope: ONE +Maximum ticket life: 0 days 01:00:00 +Maximum renewable life: 0 days 10:00:00 +Ticket flags: DISALLOW\PYGZus{}FORWARDABLE REQUIRES\PYGZus{}PWCHANGE +\end{Verbatim} + + +\subsubsection{destroy} +\label{admin/admin_commands/kdb5_ldap_util:destroy}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-end}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy}\begin{quote} + +\textbf{destroy} {[}\textbf{-f}{]} {[}\textbf{-r} \emph{realm}{]} +\end{quote} + +Destroys an existing realm. Options: +\begin{description} +\item[{\textbf{-f}}] \leavevmode +If specified, will not prompt the user for confirmation. + +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H + ldaps://ldap\PYGZhy{}server1.mit.edu destroy \PYGZhy{}r ATHENA.MIT.EDU +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +Deleting KDC database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}, are you sure? +(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes +OK, deleting database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}... +shell\PYGZpc{} +\end{Verbatim} + + +\subsubsection{list} +\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-end}\label{admin/admin_commands/kdb5_ldap_util:list}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list}\begin{quote} + +\textbf{list} +\end{quote} + +Lists the name of realms. + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H + ldaps://ldap\PYGZhy{}server1.mit.edu list +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +ATHENA.MIT.EDU +OPENLDAP.MIT.EDU +MEDIA\PYGZhy{}LAB.MIT.EDU +shell\PYGZpc{} +\end{Verbatim} + + +\subsubsection{stashsrvpw} +\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-end}\label{admin/admin_commands/kdb5_ldap_util:stashsrvpw}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-stashsrvpw}\begin{quote} + +\textbf{stashsrvpw} +{[}\textbf{-f} \emph{filename}{]} +\emph{name} +\end{quote} + +Allows an administrator to store the password for service object in a +file so that KDC and Administration server can use it to authenticate +to the LDAP server. Options: +\begin{description} +\item[{\textbf{-f} \emph{filename}}] \leavevmode +Specifies the complete path of the service password file. By +default, \code{/usr/local/var/service\_passwd} is used. + +\item[{\emph{name}}] \leavevmode +Specifies the name of the object whose password is to be stored. +If {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} or {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} are configured for +simple binding, this should be the distinguished name it will +use as given by the \textbf{ldap\_kdc\_dn} or \textbf{ldap\_kadmind\_dn} +variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. If the KDC or kadmind is +configured for SASL binding, this should be the authentication +name it will use as given by the \textbf{ldap\_kdc\_sasl\_authcid} or +\textbf{ldap\_kadmind\_sasl\_authcid} variable. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util stashsrvpw \PYGZhy{}f /home/andrew/conf\PYGZus{}keyfile + cn=service\PYGZhy{}kdc,o=org +Password for \PYGZdq{}cn=service\PYGZhy{}kdc,o=org\PYGZdq{}: +Re\PYGZhy{}enter password for \PYGZdq{}cn=service\PYGZhy{}kdc,o=org\PYGZdq{}: +\end{Verbatim} + + +\subsubsection{create\_policy} +\label{admin/admin_commands/kdb5_ldap_util:create-policy}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-stashsrvpw-end}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-policy}\begin{quote} + +\textbf{create\_policy} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} +{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} +{[}\emph{ticket\_flags}{]} +\emph{policy\_name} +\end{quote} + +Creates a ticket policy in the directory. Options: +\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\item[{\textbf{-maxtktlife} \emph{max\_ticket\_life}}] \leavevmode +(\emph{getdate} string) Specifies maximum ticket life for +principals. + +\item[{\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}}] \leavevmode +(\emph{getdate} string) Specifies maximum renewable life of +tickets for principals. + +\item[{\emph{ticket\_flags}}] \leavevmode +Specifies the ticket flags. If this option is not specified, by +default, no restriction will be set by the policy. Allowable +flags are documented in the description of the \textbf{add\_principal} +command in {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. + +\item[{\emph{policy\_name}}] \leavevmode +Specifies the name of the ticket policy. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu + create\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU \PYGZhy{}maxtktlife \PYGZdq{}1 day\PYGZdq{} + \PYGZhy{}maxrenewlife \PYGZdq{}1 week\PYGZdq{} \PYGZhy{}allow\PYGZus{}postdated +needchange + \PYGZhy{}allow\PYGZus{}forwardable tktpolicy +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +\end{Verbatim} + + +\subsubsection{modify\_policy} +\label{admin/admin_commands/kdb5_ldap_util:modify-policy}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-policy-end}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-policy}\begin{quote} + +\textbf{modify\_policy} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} +{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} +{[}\emph{ticket\_flags}{]} +\emph{policy\_name} +\end{quote} + +Modifies the attributes of a ticket policy. Options are same as for +\textbf{create\_policy}. + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H + ldaps://ldap\PYGZhy{}server1.mit.edu modify\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU + \PYGZhy{}maxtktlife \PYGZdq{}60 minutes\PYGZdq{} \PYGZhy{}maxrenewlife \PYGZdq{}10 hours\PYGZdq{} + +allow\PYGZus{}postdated \PYGZhy{}requires\PYGZus{}preauth tktpolicy +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +\end{Verbatim} + + +\subsubsection{view\_policy} +\label{admin/admin_commands/kdb5_ldap_util:view-policy}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-policy-end}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-policy}\begin{quote} + +\textbf{view\_policy} +{[}\textbf{-r} \emph{realm}{]} +\emph{policy\_name} +\end{quote} + +Displays the attributes of a ticket policy. Options: +\begin{description} +\item[{\emph{policy\_name}}] \leavevmode +Specifies the name of the ticket policy. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu + view\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU tktpolicy +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +Ticket policy: tktpolicy +Maximum ticket life: 0 days 01:00:00 +Maximum renewable life: 0 days 10:00:00 +Ticket flags: DISALLOW\PYGZus{}FORWARDABLE REQUIRES\PYGZus{}PWCHANGE +\end{Verbatim} + + +\subsubsection{destroy\_policy} +\label{admin/admin_commands/kdb5_ldap_util:destroy-policy}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-policy-end}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-policy}\begin{quote} + +\textbf{destroy\_policy} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-force}{]} +\emph{policy\_name} +\end{quote} + +Destroys an existing ticket policy. Options: +\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\item[{\textbf{-force}}] \leavevmode +Forces the deletion of the policy object. If not specified, the +user will be prompted for confirmation before deleting the policy. + +\item[{\emph{policy\_name}}] \leavevmode +Specifies the name of the ticket policy. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu + destroy\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU tktpolicy +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +This will delete the policy object \PYGZsq{}tktpolicy\PYGZsq{}, are you sure? +(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes +** policy object \PYGZsq{}tktpolicy\PYGZsq{} deleted. +\end{Verbatim} + + +\subsubsection{list\_policy} +\label{admin/admin_commands/kdb5_ldap_util:list-policy}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-policy-end}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-policy}\begin{quote} + +\textbf{list\_policy} +{[}\textbf{-r} \emph{realm}{]} +\end{quote} + +Lists the ticket policies in realm if specified or in the default +realm. Options: +\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the Kerberos realm of the database. + +\end{description} + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu + list\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU +Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: +tktpolicy +tmppolicy +userpolicy +\end{Verbatim} + + +\subsection{SEE ALSO} +\label{admin/admin_commands/kdb5_ldap_util:see-also}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-policy-end} +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} + + +\section{krb5kdc} +\label{admin/admin_commands/krb5kdc::doc}\label{admin/admin_commands/krb5kdc:krb5kdc-8}\label{admin/admin_commands/krb5kdc:krb5kdc} + +\subsection{SYNOPSIS} +\label{admin/admin_commands/krb5kdc:synopsis} +\textbf{krb5kdc} +{[}\textbf{-x} \emph{db\_args}{]} +{[}\textbf{-d} \emph{dbname}{]} +{[}\textbf{-k} \emph{keytype}{]} +{[}\textbf{-M} \emph{mkeyname}{]} +{[}\textbf{-p} \emph{portnum}{]} +{[}\textbf{-m}{]} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-n}{]} +{[}\textbf{-w} \emph{numworkers}{]} +{[}\textbf{-P} \emph{pid\_file}{]} +{[}\textbf{-T} \emph{time\_offset}{]} + + +\subsection{DESCRIPTION} +\label{admin/admin_commands/krb5kdc:description} +krb5kdc is the Kerberos version 5 Authentication Service and Key +Distribution Center (AS/KDC). + + +\subsection{OPTIONS} +\label{admin/admin_commands/krb5kdc:options} +The \textbf{-r} \emph{realm} option specifies the realm for which the server +should provide service. + +The \textbf{-d} \emph{dbname} option specifies the name under which the +principal database can be found. This option does not apply to the +LDAP database. + +The \textbf{-k} \emph{keytype} option specifies the key type of the master key +to be entered manually as a password when \textbf{-m} is given; the default +is \code{des-cbc-crc}. + +The \textbf{-M} \emph{mkeyname} option specifies the principal name for the +master key in the database (usually \code{K/M} in the KDC's realm). + +The \textbf{-m} option specifies that the master database password should +be fetched from the keyboard rather than from a stash file. + +The \textbf{-n} option specifies that the KDC does not put itself in the +background and does not disassociate itself from the terminal. In +normal operation, you should always allow the KDC to place itself in +the background. + +The \textbf{-P} \emph{pid\_file} option tells the KDC to write its PID into +\emph{pid\_file} after it starts up. This can be used to identify whether +the KDC is still running and to allow init scripts to stop the correct +process. + +The \textbf{-p} \emph{portnum} option specifies the default UDP port numbers +which the KDC should listen on for Kerberos version 5 requests, as a +comma-separated list. This value overrides the UDP port numbers +specified in the {\hyperref[admin/conf_files/kdc_conf:kdcdefaults]{\emph{{[}kdcdefaults{]}}}} section of {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}, but +may be overridden by realm-specific values. If no value is given from +any source, the default port is 88. + +The \textbf{-w} \emph{numworkers} option tells the KDC to fork \emph{numworkers} +processes to listen to the KDC ports and process requests in parallel. +The top level KDC process (whose pid is recorded in the pid file if +the \textbf{-P} option is also given) acts as a supervisor. The supervisor +will relay SIGHUP signals to the worker subprocesses, and will +terminate the worker subprocess if the it is itself terminated or if +any other worker process exits. + +\begin{notice}{note}{Note:} +On operating systems which do not have \emph{pktinfo} support, +using worker processes will prevent the KDC from listening +for UDP packets on network interfaces created after the KDC +starts. +\end{notice} + +The \textbf{-x} \emph{db\_args} option specifies database-specific arguments. +See {\hyperref[admin/admin_commands/kadmin_local:dboptions]{\emph{Database Options}}} in {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} for +supported arguments. + +The \textbf{-T} \emph{offset} option specifies a time offset, in seconds, which +the KDC will operate under. It is intended only for testing purposes. + + +\subsection{EXAMPLE} +\label{admin/admin_commands/krb5kdc:example} +The KDC may service requests for multiple realms (maximum 32 realms). +The realms are listed on the command line. Per-realm options that can +be specified on the command line pertain for each realm that follows +it and are superseded by subsequent definitions of the same option. + +For example: + +\begin{Verbatim}[commandchars=\\\{\}] +krb5kdc \PYGZhy{}p 2001 \PYGZhy{}r REALM1 \PYGZhy{}p 2002 \PYGZhy{}r REALM2 \PYGZhy{}r REALM3 +\end{Verbatim} + +specifies that the KDC listen on port 2001 for REALM1 and on port 2002 +for REALM2 and REALM3. Additionally, per-realm parameters may be +specified in the {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file. The location of this file +may be specified by the \textbf{KRB5\_KDC\_PROFILE} environment variable. +Per-realm parameters specified in this file take precedence over +options specified on the command line. See the {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} +description for further details. + + +\subsection{ENVIRONMENT} +\label{admin/admin_commands/krb5kdc:environment} +krb5kdc uses the following environment variables: +\begin{itemize} +\item {} +\textbf{KRB5\_CONFIG} + +\item {} +\textbf{KRB5\_KDC\_PROFILE} + +\end{itemize} + + +\subsection{SEE ALSO} +\label{admin/admin_commands/krb5kdc:see-also} +{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}, {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}, {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}, +{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} + + +\section{kprop} +\label{admin/admin_commands/kprop:kprop-8}\label{admin/admin_commands/kprop::doc}\label{admin/admin_commands/kprop:kprop} + +\subsection{SYNOPSIS} +\label{admin/admin_commands/kprop:synopsis} +\textbf{kprop} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-f} \emph{file}{]} +{[}\textbf{-d}{]} +{[}\textbf{-P} \emph{port}{]} +{[}\textbf{-s} \emph{keytab}{]} +\emph{slave\_host} + + +\subsection{DESCRIPTION} +\label{admin/admin_commands/kprop:description} +kprop is used to securely propagate a Kerberos V5 database dump file +from the master Kerberos server to a slave Kerberos server, which is +specified by \emph{slave\_host}. The dump file must be created by +{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}. + + +\subsection{OPTIONS} +\label{admin/admin_commands/kprop:options}\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the realm of the master server. + +\item[{\textbf{-f} \emph{file}}] \leavevmode +Specifies the filename where the dumped principal database file is +to be found; by default the dumped database file is normally +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/slave\_datatrans}. + +\item[{\textbf{-P} \emph{port}}] \leavevmode +Specifies the port to use to contact the {\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} server +on the remote host. + +\item[{\textbf{-d}}] \leavevmode +Prints debugging information. + +\item[{\textbf{-s} \emph{keytab}}] \leavevmode +Specifies the location of the keytab file. + +\end{description} + + +\subsection{ENVIRONMENT} +\label{admin/admin_commands/kprop:environment} +\emph{kprop} uses the following environment variable: +\begin{itemize} +\item {} +\textbf{KRB5\_CONFIG} + +\end{itemize} + + +\subsection{SEE ALSO} +\label{admin/admin_commands/kprop:see-also} +{\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}}, {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}, {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} + + +\section{kpropd} +\label{admin/admin_commands/kpropd::doc}\label{admin/admin_commands/kpropd:kpropd}\label{admin/admin_commands/kpropd:kpropd-8} + +\subsection{SYNOPSIS} +\label{admin/admin_commands/kpropd:synopsis} +\textbf{kpropd} +{[}\textbf{-r} \emph{realm}{]} +{[}\textbf{-A} \emph{admin\_server}{]} +{[}\textbf{-a} \emph{acl\_file}{]} +{[}\textbf{-f} \emph{slave\_dumpfile}{]} +{[}\textbf{-F} \emph{principal\_database}{]} +{[}\textbf{-p} \emph{kdb5\_util\_prog}{]} +{[}\textbf{-P} \emph{port}{]} +{[}\textbf{-d}{]} +{[}\textbf{-t}{]} + + +\subsection{DESCRIPTION} +\label{admin/admin_commands/kpropd:description} +The \emph{kpropd} command runs on the slave KDC server. It listens for +update requests made by the {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}} program. If incremental +propagation is enabled, it periodically requests incremental updates +from the master KDC. + +When the slave receives a kprop request from the master, kpropd +accepts the dumped KDC database and places it in a file, and then runs +{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} to load the dumped database into the active +database which is used by {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}}. This allows the master +Kerberos server to use {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}} to propagate its database to +the slave servers. Upon a successful download of the KDC database +file, the slave Kerberos server will have an up-to-date KDC database. + +Where incremental propagation is not used, kpropd is commonly invoked +out of inetd(8) as a nowait service. This is done by adding a line to +the \code{/etc/inetd.conf} file which looks like this: + +\begin{Verbatim}[commandchars=\\\{\}] +kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd +\end{Verbatim} + +kpropd can also run as a standalone daemon, backgrounding itself and +waiting for connections on port 754 (or the port specified with the +\textbf{-P} option if given). Standalone mode is required for incremental +propagation. Starting in release 1.11, kpropd automatically detects +whether it was run from inetd and runs in standalone mode if it is +not. Prior to release 1.11, the \textbf{-S} option is required to run +kpropd in standalone mode; this option is now accepted for backward +compatibility but does nothing. + +Incremental propagation may be enabled with the \textbf{iprop\_enable} +variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. If incremental propagation is +enabled, the slave periodically polls the master KDC for updates, at +an interval determined by the \textbf{iprop\_slave\_poll} variable. If the +slave receives updates, kpropd updates its log file with any updates +from the master. {\hyperref[admin/admin_commands/kproplog:kproplog-8]{\emph{kproplog}}} can be used to view a summary of +the update entry log on the slave KDC. If incremental propagation is +enabled, the principal \code{kiprop/slavehostname@REALM} (where +\emph{slavehostname} is the name of the slave KDC host, and \emph{REALM} is the +name of the Kerberos realm) must be present in the slave's keytab +file. + +{\hyperref[admin/admin_commands/kproplog:kproplog-8]{\emph{kproplog}}} can be used to force full replication when iprop is +enabled. + + +\subsection{OPTIONS} +\label{admin/admin_commands/kpropd:options}\begin{description} +\item[{\textbf{-r} \emph{realm}}] \leavevmode +Specifies the realm of the master server. + +\item[{\textbf{-A} \emph{admin\_server}}] \leavevmode +Specifies the server to be contacted for incremental updates; by +default, the master admin server is contacted. + +\item[{\textbf{-f} \emph{file}}] \leavevmode +Specifies the filename where the dumped principal database file is +to be stored; by default the dumped database file is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/from\_master}. + +\item[{\textbf{-p}}] \leavevmode +Allows the user to specify the pathname to the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} +program; by default the pathname used is {\hyperref[mitK5defaults:paths]{\emph{SBINDIR}}}\code{/kdb5\_util}. + +\item[{\textbf{-d}}] \leavevmode +Turn on debug mode. In this mode, kpropd will not detach +itself from the current job and run in the background. Instead, +it will run in the foreground and print out debugging messages +during the database propagation. + +\item[{\textbf{-t}}] \leavevmode +In standalone mode without incremental propagation, exit after one +dump file is received. In incremental propagation mode, exit as +soon as the database is up to date, or if the master returns an +error. + +\item[{\textbf{-P}}] \leavevmode +Allow for an alternate port number for kpropd to listen on. This +is only useful in combination with the \textbf{-S} option. + +\item[{\textbf{-a} \emph{acl\_file}}] \leavevmode +Allows the user to specify the path to the kpropd.acl file; by +default the path used is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kpropd.acl}. + +\end{description} + + +\subsection{ENVIRONMENT} +\label{admin/admin_commands/kpropd:environment} +kpropd uses the following environment variables: +\begin{itemize} +\item {} +\textbf{KRB5\_CONFIG} + +\item {} +\textbf{KRB5\_KDC\_PROFILE} + +\end{itemize} + + +\subsection{FILES} +\label{admin/admin_commands/kpropd:files}\begin{description} +\item[{kpropd.acl}] \leavevmode +Access file for kpropd; the default location is +\code{/usr/local/var/krb5kdc/kpropd.acl}. Each entry is a line +containing the principal of a host from which the local machine +will allow Kerberos database propagation via {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}}. + +\end{description} + + +\subsection{SEE ALSO} +\label{admin/admin_commands/kpropd:see-also} +{\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}}, {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}, {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}}, inetd(8) + + +\section{kproplog} +\label{admin/admin_commands/kproplog:kproplog}\label{admin/admin_commands/kproplog:kproplog-8}\label{admin/admin_commands/kproplog::doc} + +\subsection{SYNOPSIS} +\label{admin/admin_commands/kproplog:synopsis} +\textbf{kproplog} {[}\textbf{-h}{]} {[}\textbf{-e} \emph{num}{]} {[}-v{]} +\textbf{kproplog} {[}-R{]} + + +\subsection{DESCRIPTION} +\label{admin/admin_commands/kproplog:description} +The kproplog command displays the contents of the KDC database update +log to standard output. It can be used to keep track of incremental +updates to the principal database. The update log file contains the +update log maintained by the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} process on the master +KDC server and the {\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} process on the slave KDC servers. +When updates occur, they are logged to this file. Subsequently any +KDC slave configured for incremental updates will request the current +data from the master KDC and update their log file with any updates +returned. + +The kproplog command requires read access to the update log file. It +will display update entries only for the KDC it runs on. + +If no options are specified, kproplog displays a summary of the update +log. If invoked on the master, kproplog also displays all of the +update entries. If invoked on a slave KDC server, kproplog displays +only a summary of the updates, which includes the serial number of the +last update received and the associated time stamp of the last update. + + +\subsection{OPTIONS} +\label{admin/admin_commands/kproplog:options}\begin{description} +\item[{\textbf{-R}}] \leavevmode +Reset the update log. This forces full resynchronization. If used +on a slave then that slave will request a full resync. If used on +the master then all slaves will request full resyncs. + +\item[{\textbf{-h}}] \leavevmode +Display a summary of the update log. This information includes +the database version number, state of the database, the number of +updates in the log, the time stamp of the first and last update, +and the version number of the first and last update entry. + +\item[{\textbf{-e} \emph{num}}] \leavevmode +Display the last \emph{num} update entries in the log. This is useful +when debugging synchronization between KDC servers. + +\item[{\textbf{-v}}] \leavevmode +Display individual attributes per update. An example of the +output generated for one entry: + +\begin{Verbatim}[commandchars=\\\{\}] +Update Entry + Update serial \PYGZsh{} : 4 + Update operation : Add + Update principal : test@EXAMPLE.COM + Update size : 424 + Update committed : True + Update time stamp : Fri Feb 20 23:37:42 2004 + Attributes changed : 6 + Principal + Key data + Password last changed + Modifying principal + Modification time + TL data +\end{Verbatim} + +\end{description} + + +\subsection{ENVIRONMENT} +\label{admin/admin_commands/kproplog:environment} +kproplog uses the following environment variables: +\begin{itemize} +\item {} +\textbf{KRB5\_KDC\_PROFILE} + +\end{itemize} + + +\subsection{SEE ALSO} +\label{admin/admin_commands/kproplog:see-also} +{\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} + + +\section{ktutil} +\label{admin/admin_commands/ktutil:ktutil-1}\label{admin/admin_commands/ktutil::doc}\label{admin/admin_commands/ktutil:ktutil} + +\subsection{SYNOPSIS} +\label{admin/admin_commands/ktutil:synopsis} +\textbf{ktutil} + + +\subsection{DESCRIPTION} +\label{admin/admin_commands/ktutil:description} +The ktutil command invokes a command interface from which an +administrator can read, write, or edit entries in a keytab or Kerberos +V4 srvtab file. + + +\subsection{COMMANDS} +\label{admin/admin_commands/ktutil:commands} + +\subsubsection{list} +\label{admin/admin_commands/ktutil:list}\begin{quote} + +\textbf{list} +\end{quote} + +Displays the current keylist. + +Alias: \textbf{l} + + +\subsubsection{read\_kt} +\label{admin/admin_commands/ktutil:read-kt}\begin{quote} + +\textbf{read\_kt} \emph{keytab} +\end{quote} + +Read the Kerberos V5 keytab file \emph{keytab} into the current keylist. + +Alias: \textbf{rkt} + + +\subsubsection{read\_st} +\label{admin/admin_commands/ktutil:read-st}\begin{quote} + +\textbf{read\_st} \emph{srvtab} +\end{quote} + +Read the Kerberos V4 srvtab file \emph{srvtab} into the current keylist. + +Alias: \textbf{rst} + + +\subsubsection{write\_kt} +\label{admin/admin_commands/ktutil:write-kt}\begin{quote} + +\textbf{write\_kt} \emph{keytab} +\end{quote} + +Write the current keylist into the Kerberos V5 keytab file \emph{keytab}. + +Alias: \textbf{wkt} + + +\subsubsection{write\_st} +\label{admin/admin_commands/ktutil:write-st}\begin{quote} + +\textbf{write\_st} \emph{srvtab} +\end{quote} + +Write the current keylist into the Kerberos V4 srvtab file \emph{srvtab}. + +Alias: \textbf{wst} + + +\subsubsection{clear\_list} +\label{admin/admin_commands/ktutil:clear-list}\begin{quote} + +\textbf{clear\_list} +\end{quote} + +Clear the current keylist. + +Alias: \textbf{clear} + + +\subsubsection{delete\_entry} +\label{admin/admin_commands/ktutil:delete-entry}\begin{quote} + +\textbf{delete\_entry} \emph{slot} +\end{quote} + +Delete the entry in slot number \emph{slot} from the current keylist. + +Alias: \textbf{delent} + + +\subsubsection{add\_entry} +\label{admin/admin_commands/ktutil:add-entry}\begin{quote} + +\textbf{add\_entry} \{\textbf{-key}\textbar{}\textbf{-password}\} \textbf{-p} \emph{principal} +\textbf{-k} \emph{kvno} \textbf{-e} \emph{enctype} +\end{quote} + +Add \emph{principal} to keylist using key or password. + +Alias: \textbf{addent} + + +\subsubsection{list\_requests} +\label{admin/admin_commands/ktutil:list-requests}\begin{quote} + +\textbf{list\_requests} +\end{quote} + +Displays a listing of available commands. + +Aliases: \textbf{lr}, \textbf{?} + + +\subsubsection{quit} +\label{admin/admin_commands/ktutil:quit}\begin{quote} + +\textbf{quit} +\end{quote} + +Quits ktutil. + +Aliases: \textbf{exit}, \textbf{q} + + +\subsection{EXAMPLE} +\label{admin/admin_commands/ktutil:example}\begin{quote} + +\begin{Verbatim}[commandchars=\\\{\}] +ktutil: add\PYGZus{}entry \PYGZhy{}password \PYGZhy{}p alice@BLEEP.COM \PYGZhy{}k 1 \PYGZhy{}e + aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 +Password for alice@BLEEP.COM: +ktutil: add\PYGZus{}entry \PYGZhy{}password \PYGZhy{}p alice@BLEEP.COM \PYGZhy{}k 1 \PYGZhy{}e + aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 +Password for alice@BLEEP.COM: +ktutil: write\PYGZus{}kt keytab +ktutil: +\end{Verbatim} +\end{quote} + + +\subsection{SEE ALSO} +\label{admin/admin_commands/ktutil:see-also} +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}, {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} + + +\section{k5srvutil} +\label{admin/admin_commands/k5srvutil:k5srvutil-1}\label{admin/admin_commands/k5srvutil::doc}\label{admin/admin_commands/k5srvutil:k5srvutil} + +\subsection{SYNOPSIS} +\label{admin/admin_commands/k5srvutil:synopsis} +\textbf{k5srvutil} \emph{operation} +{[}\textbf{-i}{]} +{[}\textbf{-f} \emph{filename}{]} +{[}\textbf{-e} \emph{keysalts}{]} + + +\subsection{DESCRIPTION} +\label{admin/admin_commands/k5srvutil:description} +k5srvutil allows an administrator to list keys currently in +a keytab, to obtain new keys for a principal currently in a keytab, +or to delete non-current keys from a keytab. + +\emph{operation} must be one of the following: +\begin{description} +\item[{\textbf{list}}] \leavevmode +Lists the keys in a keytab, showing version number and principal +name. + +\item[{\textbf{change}}] \leavevmode +Uses the kadmin protocol to update the keys in the Kerberos +database to new randomly-generated keys, and updates the keys in +the keytab to match. If a key's version number doesn't match the +version number stored in the Kerberos server's database, then the +operation will fail. If the \textbf{-i} flag is given, k5srvutil will +prompt for confirmation before changing each key. If the \textbf{-k} +option is given, the old and new keys will be displayed. +Ordinarily, keys will be generated with the default encryption +types and key salts. This can be overridden with the \textbf{-e} +option. Old keys are retained in the keytab so that existing +tickets continue to work, but \textbf{delold} should be used after +such tickets expire, to prevent attacks against the old keys. + +\item[{\textbf{delold}}] \leavevmode +Deletes keys that are not the most recent version from the keytab. +This operation should be used some time after a change operation +to remove old keys, after existing tickets issued for the service +have expired. If the \textbf{-i} flag is given, then k5srvutil will +prompt for confirmation for each principal. + +\item[{\textbf{delete}}] \leavevmode +Deletes particular keys in the keytab, interactively prompting for +each key. + +\end{description} + +In all cases, the default keytab is used unless this is overridden by +the \textbf{-f} option. + +k5srvutil uses the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} program to edit the keytab in +place. + + +\subsection{SEE ALSO} +\label{admin/admin_commands/k5srvutil:see-also} +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}, {\hyperref[admin/admin_commands/ktutil:ktutil-1]{\emph{ktutil}}} + + +\section{sserver} +\label{admin/admin_commands/sserver:sserver-8}\label{admin/admin_commands/sserver::doc}\label{admin/admin_commands/sserver:sserver} + +\subsection{SYNOPSIS} +\label{admin/admin_commands/sserver:synopsis} +\textbf{sserver} +{[} \textbf{-p} \emph{port} {]} +{[} \textbf{-S} \emph{keytab} {]} +{[} \emph{server\_port} {]} + + +\subsection{DESCRIPTION} +\label{admin/admin_commands/sserver:description} +sserver and \emph{sclient(1)} are a simple demonstration client/server +application. When sclient connects to sserver, it performs a Kerberos +authentication, and then sserver returns to sclient the Kerberos +principal which was used for the Kerberos authentication. It makes a +good test that Kerberos has been successfully installed on a machine. + +The service name used by sserver and sclient is sample. Hence, +sserver will require that there be a keytab entry for the service +\code{sample/hostname.domain.name@REALM.NAME}. This keytab is generated +using the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} program. The keytab file is usually +installed as {\hyperref[mitK5defaults:paths]{\emph{DEFKTNAME}}}. + +The \textbf{-S} option allows for a different keytab than the default. + +sserver is normally invoked out of inetd(8), using a line in +\code{/etc/inetd.conf} that looks like this: + +\begin{Verbatim}[commandchars=\\\{\}] +sample stream tcp nowait root /usr/local/sbin/sserver sserver +\end{Verbatim} + +Since \code{sample} is normally not a port defined in \code{/etc/services}, +you will usually have to add a line to \code{/etc/services} which looks +like this: + +\begin{Verbatim}[commandchars=\\\{\}] +sample 13135/tcp +\end{Verbatim} + +When using sclient, you will first have to have an entry in the +Kerberos database, by using {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}, and then you have to get +Kerberos tickets, by using \emph{kinit(1)}. Also, if you are running +the sclient program on a different host than the sserver it will be +connecting to, be sure that both hosts have an entry in /etc/services +for the sample tcp port, and that the same port number is in both +files. + +When you run sclient you should see something like this: + +\begin{Verbatim}[commandchars=\\\{\}] +sendauth succeeded, reply is: +reply len 32, contents: +You are nlgilman@JIMI.MIT.EDU +\end{Verbatim} + + +\subsection{COMMON ERROR MESSAGES} +\label{admin/admin_commands/sserver:common-error-messages}\begin{enumerate} +\item {} +kinit returns the error: + +\begin{Verbatim}[commandchars=\\\{\}] +kinit: Client not found in Kerberos database while getting + initial credentials +\end{Verbatim} + +This means that you didn't create an entry for your username in the +Kerberos database. + +\item {} +sclient returns the error: + +\begin{Verbatim}[commandchars=\\\{\}] +unknown service sample/tcp; check /etc/services +\end{Verbatim} + +This means that you don't have an entry in /etc/services for the +sample tcp port. + +\item {} +sclient returns the error: + +\begin{Verbatim}[commandchars=\\\{\}] +connect: Connection refused +\end{Verbatim} + +This probably means you didn't edit /etc/inetd.conf correctly, or +you didn't restart inetd after editing inetd.conf. + +\item {} +sclient returns the error: + +\begin{Verbatim}[commandchars=\\\{\}] +sclient: Server not found in Kerberos database while using + sendauth +\end{Verbatim} + +This means that the \code{sample/hostname@LOCAL.REALM} service was not +defined in the Kerberos database; it should be created using +{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}, and a keytab file needs to be generated to make +the key for that service principal available for sclient. + +\item {} +sclient returns the error: + +\begin{Verbatim}[commandchars=\\\{\}] +sendauth rejected, error reply is: + \PYGZdq{}No such file or directory\PYGZdq{} +\end{Verbatim} + +This probably means sserver couldn't find the keytab file. It was +probably not installed in the proper directory. + +\end{enumerate} + + +\subsection{SEE ALSO} +\label{admin/admin_commands/sserver:see-also} +\emph{sclient(1)}, services(5), inetd(8) + + +\chapter{MIT Kerberos defaults} +\label{mitK5defaults:mitk5defaults}\label{mitK5defaults::doc}\label{mitK5defaults:mit-kerberos-defaults} + +\section{General defaults} +\label{mitK5defaults:general-defaults} +\begin{tabulary}{\linewidth}{|L|L|L|} +\hline +\textsf{\relax +Description +} & \textsf{\relax +Default +} & \textsf{\relax +Environment +}\\ +\hline +\emph{keytab\_definition} file + & +{\hyperref[mitK5defaults:paths]{\emph{DEFKTNAME}}} + & +\textbf{KRB5\_KTNAME} +\\ +\hline +Client \emph{keytab\_definition} file + & +{\hyperref[mitK5defaults:paths]{\emph{DEFCKTNAME}}} + & +\textbf{KRB5\_CLIENT\_KTNAME} +\\ +\hline +Kerberos config file {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} + & +\code{/etc/krb5.conf}\code{:}{\hyperref[mitK5defaults:paths]{\emph{SYSCONFDIR}}}\code{/krb5.conf} + & +\textbf{KRB5\_CONFIG} +\\ +\hline +KDC config file {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} + & +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kdc.conf} + & +\textbf{KRB5\_KDC\_PROFILE} +\\ +\hline +KDC database path (DB2) + & +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/principal} + & \\ +\hline +Master key \emph{stash\_definition} + & +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/.k5.}\emph{realm} + & \\ +\hline +Admin server ACL file {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}} + & +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl} + & \\ +\hline +OTP socket directory + & +{\hyperref[mitK5defaults:paths]{\emph{RUNSTATEDIR}}}\code{/krb5kdc} + & \\ +\hline +Plugin base directory + & +{\hyperref[mitK5defaults:paths]{\emph{LIBDIR}}}\code{/krb5/plugins} + & \\ +\hline +\emph{rcache\_definition} directory + & +\code{/var/tmp} + & +\textbf{KRB5RCACHEDIR} +\\ +\hline +Master key default enctype + & +\code{aes256-cts-hmac-sha1-96} + & \\ +\hline +Default {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{keysalt list}}} + & +\code{aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal} + & \\ +\hline +Permitted enctypes + & +\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4} + & \\ +\hline +KDC default port + & +88 + & \\ +\hline +Admin server port + & +749 + & \\ +\hline +Password change port + & +464 + & \\ +\hline\end{tabulary} + + + +\section{Slave KDC propagation defaults} +\label{mitK5defaults:slave-kdc-propagation-defaults} +This table shows defaults used by the {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}} and +{\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} programs. + +\begin{tabulary}{\linewidth}{|L|L|L|} +\hline +\textsf{\relax +Description +} & \textsf{\relax +Default +} & \textsf{\relax +Environment +}\\ +\hline +kprop database dump file + & +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/slave\_datatrans} + & \\ +\hline +kpropd temporary dump file + & +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/from\_master} + & \\ +\hline +kdb5\_util location + & +{\hyperref[mitK5defaults:paths]{\emph{SBINDIR}}}\code{/kdb5\_util} + & \\ +\hline +kprop location + & +{\hyperref[mitK5defaults:paths]{\emph{SBINDIR}}}\code{/kprop} + & \\ +\hline +kpropd ACL file + & +{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kpropd.acl} + & \\ +\hline +kprop port + & +754 + & +KPROP\_PORT +\\ +\hline\end{tabulary} + + + +\section{Default paths for Unix-like systems} +\label{mitK5defaults:paths}\label{mitK5defaults:default-paths-for-unix-like-systems} +On Unix-like systems, some paths used by MIT krb5 depend on parameters +chosen at build time. For a custom build, these paths default to +subdirectories of \code{/usr/local}. When MIT krb5 is integrated into an +operating system, the paths are generally chosen to match the +operating system's filesystem layout. + +\begin{tabulary}{\linewidth}{|L|L|L|L|} +\hline +\textsf{\relax +Description +} & \textsf{\relax +Symbolic name +} & \textsf{\relax +Custom build path +} & \textsf{\relax +Typical OS path +}\\ +\hline +User programs + & +BINDIR + & +\code{/usr/local/bin} + & +\code{/usr/bin} +\\ +\hline +Libraries and plugins + & +LIBDIR + & +\code{/usr/local/lib} + & +\code{/usr/lib} +\\ +\hline +Parent of KDC state dir + & +LOCALSTATEDIR + & +\code{/usr/local/var} + & +\code{/var} +\\ +\hline +Parent of KDC runtime dir + & +RUNSTATEDIR + & +\code{/usr/local/var/run} + & +\code{/run} +\\ +\hline +Administrative programs + & +SBINDIR + & +\code{/usr/local/sbin} + & +\code{/usr/sbin} +\\ +\hline +Alternate krb5.conf dir + & +SYSCONFDIR + & +\code{/usr/local/etc} + & +\code{/etc} +\\ +\hline +Default ccache name + & +DEFCCNAME + & +\code{FILE:/tmp/krb5cc\_\%\{uid\}} + & +\code{FILE:/tmp/krb5cc\_\%\{uid\}} +\\ +\hline +Default keytab name + & +DEFKTNAME + & +\code{FILE:/etc/krb5.keytab} + & +\code{FILE:/etc/krb5.keytab} +\\ +\hline\end{tabulary} + + +The default client keytab name (DEFCKTNAME) typically defaults to +\code{FILE:/usr/local/var/krb5/user/\%\{euid\}/client.keytab} for a custom +build. A native build will typically use a path which will vary +according to the operating system's layout of \code{/var}. + + +\chapter{Environment variables} +\label{admin/env_variables:environment-variables}\label{admin/env_variables::doc} +The following environment variables can be used during runtime: +\begin{description} +\item[{\textbf{KRB5\_CONFIG}}] \leavevmode +Main Kerberos configuration file. Multiple filenames can be +specified, separated by a colon; all files which are present will +be read. (See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the default path.) + +\item[{\textbf{KRB5\_KDC\_PROFILE}}] \leavevmode +KDC configuration file. (See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the default +name.) + +\item[{\textbf{KRB5\_KTNAME}}] \leavevmode +Default keytab file name. (See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the +default name.) + +\item[{\textbf{KRB5\_CLIENT\_KTNAME}}] \leavevmode +Default client keytab file name. (See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for +the default name.) + +\item[{\textbf{KRB5CCNAME}}] \leavevmode +Default name for the credentials cache file, in the form \emph{type}:\emph{residual}. The type of the default cache may determine the +availability of a cache collection. For instance, a default cache +of type \code{DIR} causes caches within the directory to be present +in the global cache collection. + +\item[{\textbf{KRB5RCACHETYPE}}] \leavevmode +Default replay cache type. Defaults to \code{dfl}. A value of +\code{none} disables the replay cache. + +\item[{\textbf{KRB5RCACHEDIR}}] \leavevmode +Default replay cache directory. (See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the +default location.) + +\item[{\textbf{KPROP\_PORT}}] \leavevmode +{\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}} port to use. Defaults to 754. + +\item[{\textbf{KRB5\_TRACE}}] \leavevmode +Filename for trace-logging output (introduced in release 1.9). +For example, \code{env KRB5\_TRACE=/dev/stdout kinit} would send +tracing information for kinit to \code{/dev/stdout}. Some programs +may ignore this variable (particularly setuid or login system +programs). + +\end{description} + + +\chapter{Troubleshooting} +\label{admin/troubleshoot:troubleshoot}\label{admin/troubleshoot::doc}\label{admin/troubleshoot:troubleshooting} + +\section{Trace logging} +\label{admin/troubleshoot:trace-logging}\label{admin/troubleshoot:id1} +Most programs using MIT krb5 1.9 or later can be made to provide +information about internal krb5 library operations using trace +logging. To enable this, set the \textbf{KRB5\_TRACE} environment variable +to a filename before running the program. On many operating systems, +the filename \code{/dev/stdout} can be used to send trace logging output +to standard output. + +Some programs do not honor \textbf{KRB5\_TRACE}, either because they use +secure library contexts (this generally applies to setuid programs and +parts of the login system) or because they take direct control of the +trace logging system using the API. + +Here is a short example showing trace logging output for an invocation +of the \emph{kvno(1)} command: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} env KRB5\PYGZus{}TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM +[9138] 1332348778.823276: Getting credentials user@KRBTEST.COM \PYGZhy{}\PYGZgt{} + krbtgt/KRBTEST.COM@KRBTEST.COM using ccache + FILE:/me/krb5/build/testdir/ccache +[9138] 1332348778.823381: Retrieving user@KRBTEST.COM \PYGZhy{}\PYGZgt{} + krbtgt/KRBTEST.COM@KRBTEST.COM from + FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0 +krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1 +\end{Verbatim} + + +\section{List of errors} +\label{admin/troubleshoot:list-of-errors} + +\subsection{Frequently seen errors} +\label{admin/troubleshoot:frequently-seen-errors}\begin{enumerate} +\item {} +{\hyperref[admin/troubleshoot:init-creds-etype-nosupp]{\emph{KDC has no support for encryption type while getting initial credentials}}} + +\item {} +{\hyperref[admin/troubleshoot:cert-chain-etype-nosupp]{\emph{credential verification failed: KDC has no support for encryption type}}} + +\item {} +{\hyperref[admin/troubleshoot:err-cert-chain-cert-expired]{\emph{Cannot create cert chain: certificate has expired}}} + +\end{enumerate} + + +\subsection{Errors seen by admins} +\label{admin/troubleshoot:errors-seen-by-admins}\phantomsection\label{admin/troubleshoot:prop-failed-start}\begin{enumerate} +\item {} +{\hyperref[admin/troubleshoot:kprop-no-route]{\emph{kprop: No route to host while connecting to server}}} + +\item {} +{\hyperref[admin/troubleshoot:kprop-con-refused]{\emph{kprop: Connection refused while connecting to server}}} + +\item {} +{\hyperref[admin/troubleshoot:kprop-sendauth-exchange]{\emph{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server}}} + +\end{enumerate} +\phantomsection\label{admin/troubleshoot:prop-failed-end} + +\bigskip\hrule{}\bigskip + + + +\subsubsection{KDC has no support for encryption type while getting initial credentials} +\label{admin/troubleshoot:kdc-has-no-support-for-encryption-type-while-getting-initial-credentials}\label{admin/troubleshoot:init-creds-etype-nosupp} + +\subsubsection{credential verification failed: KDC has no support for encryption type} +\label{admin/troubleshoot:credential-verification-failed-kdc-has-no-support-for-encryption-type}\label{admin/troubleshoot:cert-chain-etype-nosupp} +This most commonly happens when trying to use a principal with only +DES keys, in a release (MIT krb5 1.7 or later) which disables DES by +default. DES encryption is considered weak due to its inadequate key +size. If you cannot migrate away from its use, you can re-enable DES +by adding \code{allow\_weak\_crypto = true} to the {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} +section of {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. + + +\subsubsection{Cannot create cert chain: certificate has expired} +\label{admin/troubleshoot:cannot-create-cert-chain-certificate-has-expired}\label{admin/troubleshoot:err-cert-chain-cert-expired} +This error message indicates that PKINIT authentication failed because +the client certificate, KDC certificate, or one of the certificates in +the signing chain above them has expired. + +If the KDC certificate has expired, this message appears in the KDC +log file, and the client will receive a ``Preauthentication failed'' +error. (Prior to release 1.11, the KDC log file message erroneously +appears as ``Out of memory''. Prior to release 1.12, the client will +receive a ``Generic error''.) + +If the client or a signing certificate has expired, this message may +appear in {\hyperref[admin/troubleshoot:trace-logging]{trace\_logging}} output from \emph{kinit(1)} or, starting in +release 1.12, as an error message from kinit or another program which +gets initial tickets. The error message is more likely to appear +properly on the client if the principal entry has no long-term keys. + + +\subsubsection{kprop: No route to host while connecting to server} +\label{admin/troubleshoot:kprop-no-route}\label{admin/troubleshoot:kprop-no-route-to-host-while-connecting-to-server} +Make sure that the hostname of the slave (as given to kprop) is +correct, and that any firewalls between the master and the slave allow +a connection on port 754. + + +\subsubsection{kprop: Connection refused while connecting to server} +\label{admin/troubleshoot:kprop-connection-refused-while-connecting-to-server}\label{admin/troubleshoot:kprop-con-refused} +If the slave is intended to run kpropd out of inetd, make sure that +inetd is configured to accept krb5\_prop connections. inetd may need +to be restarted or sent a SIGHUP to recognize the new configuration. +If the slave is intended to run kpropd in standalone mode, make sure +that it is running. + + +\subsubsection{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server} +\label{admin/troubleshoot:kprop-sendauth-exchange}\label{admin/troubleshoot:kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server} +Make sure that: +\begin{enumerate} +\item {} +The time is synchronized between the master and slave KDCs. + +\item {} +The master stash file was copied from the master to the expected +location on the slave. + +\item {} +The slave has a keytab file in the default location containing a +\code{host} principal for the slave's hostname. + +\end{enumerate} + + +\chapter{Advanced topics} +\label{admin/advanced/index:advanced-topics}\label{admin/advanced/index::doc} + +\section{LDAP backend on Ubuntu 10.4 (lucid)} +\label{admin/advanced/ldapbackend:ldap-backend-on-ubuntu-10-4-lucid}\label{admin/advanced/ldapbackend::doc}\label{admin/advanced/ldapbackend:ldap-be-ubuntu} +Setting up Kerberos v1.9 with LDAP backend on Ubuntu 10.4 (Lucid Lynx) + + +\subsection{Prerequisites} +\label{admin/advanced/ldapbackend:prerequisites} +Install the following packages: \emph{slapd, ldap-utils} and \emph{libldap2-dev} + +You can install the necessary packages with these commands: + +\begin{Verbatim}[commandchars=\\\{\}] +sudo apt\PYGZhy{}get install slapd +sudo apt\PYGZhy{}get install ldap\PYGZhy{}utils +sudo apt\PYGZhy{}get install libldap2\PYGZhy{}dev +\end{Verbatim} + +Extend the user schema using schemas from standart OpenLDAP +distribution: \emph{cosine, mics, nis, inetcomperson} + +\begin{Verbatim}[commandchars=\\\{\}] +ldapadd \PYGZhy{}Y EXTERNAL \PYGZhy{}H ldapi:/// \PYGZhy{}f /etc/ldap/schema/cosine.ldif +ldapadd \PYGZhy{}Y EXTERNAL \PYGZhy{}H ldapi:/// \PYGZhy{}f /etc/ldap/schema/mics.ldif +ldapadd \PYGZhy{}Y EXTERNAL \PYGZhy{}H ldapi:/// \PYGZhy{}f /etc/ldap/schema/nis.ldif +ldapadd \PYGZhy{}Y EXTERNAL \PYGZhy{}H ldapi:/// \PYGZhy{}f /etc/ldap/schema/inetcomperson.ldif +\end{Verbatim} + + +\subsection{Building Kerberos from source} +\label{admin/advanced/ldapbackend:building-kerberos-from-source} +\begin{Verbatim}[commandchars=\\\{\}] +./configure \PYGZhy{}\PYGZhy{}with\PYGZhy{}ldap +make +sudo make install +\end{Verbatim} + + +\subsection{Setting up Kerberos} +\label{admin/advanced/ldapbackend:setting-up-kerberos} + +\subsubsection{Configuration} +\label{admin/advanced/ldapbackend:configuration} +Update kdc.conf with the LDAP back-end information: + +\begin{Verbatim}[commandchars=\\\{\}] +[realms] + EXAMPLE.COM = \PYGZob{} + database\PYGZus{}module = LDAP + \PYGZcb{} + +[dbmodules] + LDAP = \PYGZob{} + db\PYGZus{}library = kldap + ldap\PYGZus{}kerberos\PYGZus{}container\PYGZus{}dn = cn=krbContainer,dc=example,dc=com + ldap\PYGZus{}kdc\PYGZus{}dn = cn=admin,dc=example,dc=com + ldap\PYGZus{}kadmind\PYGZus{}dn = cn=admin,dc=example,dc=com + ldap\PYGZus{}service\PYGZus{}password\PYGZus{}file = /usr/local/var/krb5kdc/admin.stash + ldap\PYGZus{}servers = ldapi:/// + \PYGZcb{} +\end{Verbatim} + + +\subsubsection{Schema} +\label{admin/advanced/ldapbackend:schema} +From the source tree copy +\code{src/plugins/kdb/ldap/libkdb\_ldap/kerberos.schema} into +\code{/etc/ldap/schema} + +Warning: this step should be done after slapd is installed to avoid +problems with slapd installation. + +To convert kerberos.schema to run-time configuration (\code{cn=config}) +do the following: +\begin{enumerate} +\item {} +Create a temporary file \code{/tmp/schema\_convert.conf} with the +following content: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{include} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{/}\PYG{n}{schema}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{schema} +\end{Verbatim} + +\item {} +Create a temporary directory \code{/tmp/krb5\_ldif}. + +\item {} +Run: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{slaptest} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{schema\PYGZus{}convert}\PYG{o}{.}\PYG{n}{conf} \PYG{o}{\PYGZhy{}}\PYG{n}{F} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5\PYGZus{}ldif} +\end{Verbatim} + +This should in a new file named +\code{/tmp/krb5\_ldif/cn=config/cn=schema/cn=\{0\}kerberos.ldif}. + +\item {} +Edit \code{/tmp/krb5\_ldif/cn=config/cn=schema/cn=\{0\}kerberos.ldif} by +replacing the lines: + +\begin{Verbatim}[commandchars=\\\{\}] +dn: cn=\PYGZob{}0\PYGZcb{}kerberos +cn: \PYGZob{}0\PYGZcb{}kerberos +\end{Verbatim} + +with +\begin{quote} + +dn: cn=kerberos,cn=schema,cn=config +cn: kerberos +\end{quote} + +Also, remove following attribute-value pairs: + +\begin{Verbatim}[commandchars=\\\{\}] +structuralObjectClass: olcSchemaConfig +entryUUID: ... +creatorsName: cn=config +createTimestamp: ... +entryCSN: ... +modifiersName: cn=config +modifyTimestamp: ... +\end{Verbatim} + +\item {} +Load the new schema with ldapadd (with the proper authentication): + +\begin{Verbatim}[commandchars=\\\{\}] +ldapadd \PYGZhy{}Y EXTERNAL \PYGZhy{}H ldapi:/// \PYGZhy{}f /tmp/krb5\PYGZus{}ldif/cn=config/cn=schema/cn=\PYGZob{}0\PYGZcb{}kerberos.ldif +\end{Verbatim} + +which should result the message \code{adding new entry +"cn=kerberos,cn=schema,cn=config"}. + +\end{enumerate} + + +\subsection{Create Kerberos database} +\label{admin/advanced/ldapbackend:create-kerberos-database} +Using LDAP administrator credentials, create Kerberos database and +master key stash: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,dc=example,dc=com \PYGZhy{}H ldapi:/// create \PYGZhy{}s +\end{Verbatim} + +Stash the LDAP administrative passwords: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,dc=example,dc=com \PYGZhy{}H ldapi:/// stashsrvpw cn=admin,dc=example,dc=com +\end{Verbatim} + +Start {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}}: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{krb5kdc} +\end{Verbatim} + +To destroy database run: + +\begin{Verbatim}[commandchars=\\\{\}] +kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,dc=example,dc=com \PYGZhy{}H ldapi:/// destroy \PYGZhy{}f +\end{Verbatim} + + +\subsection{Useful references} +\label{admin/advanced/ldapbackend:useful-references}\begin{itemize} +\item {} +\href{https://help.ubuntu.com/10.04/serverguide/C/kerberos-ldap.html}{Kerberos and LDAP} + +\end{itemize} + + +\section{Retiring DES} +\label{admin/advanced/retiring-des:retiring-des}\label{admin/advanced/retiring-des::doc}\label{admin/advanced/retiring-des:id1} +Version 5 of the Kerberos protocol was originally implemented using +the Data Encryption Standard (DES) as a block cipher for encryption. +While it was considered secure at the time, advancements in computational +ability have rendered DES vulnerable to brute force attacks on its 56-bit +keyspace. As such, it is now considered insecure and should not be +used (\index{RFC!RFC 6649}\href{http://tools.ietf.org/html/rfc6649.html}{\textbf{RFC 6649}}). + + +\subsection{History} +\label{admin/advanced/retiring-des:history} +DES was used in the original Kerberos implementation, and was the +only cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was +added in version 1.1, with full support following in version 1.2. +The Advanced Encryption Standard (AES), which supersedes DES, gained +partial support in version 1.3.0 of krb5 and full support in version 1.3.2. +However, deployments of krb5 using Kerberos databases created with older +versions of krb5 will not necessarily start using strong crypto for +ordinary operation without administrator intervention. + + +\subsection{Types of keys} +\label{admin/advanced/retiring-des:types-of-keys}\begin{itemize} +\item {} +The database master key: This key is not exposed to user requests, +but is used to encrypt other key material stored in the kerberos +database. The database master key is currently stored as \code{K/M} +by default. + +\item {} +Password-derived keys: User principals frequently have keys +derived from a password. When a new password is set, the KDC +uses various string2key functions to generate keys in the database +for that principal. + +\item {} +Keytab keys: Application server principals generally use random +keys which are not derived from a password. When the database +entry is created, the KDC generates random keys of various enctypes +to enter in the database, which are conveyed to the application server +and stored in a keytab. + +\item {} +Session keys: These are short-term keys generated by the KDC while +processing client requests, with an enctype selected by the KDC. + +\end{itemize} + +For details on the various enctypes and how enctypes are selected by the KDC +for session keys and client/server long-term keys, see {\hyperref[admin/enctypes:enctypes]{\emph{Encryption types}}}. +When using the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} interface to generate new long-term keys, +the \textbf{-e} argument can be used to force a particular set of enctypes, +overriding the KDC default values. + +\begin{notice}{note}{Note:} +When the KDC is selecting a session key, it has no knowledge about the +kerberos installation on the server which will receive the service ticket, +only what keys are in the database for the service principal. +In order to allow uninterrupted operation to +clients while migrating away from DES, care must be taken to ensure that +kerberos installations on application server machines are configured to +support newer encryption types before keys of those new encryption types +are created in the Kerberos database for those server principals. +\end{notice} + + +\subsection{Upgrade procedure} +\label{admin/advanced/retiring-des:upgrade-procedure} +This procedure assumes that the KDC software has already been upgraded +to a modern version of krb5 that supports non-DES keys, so that the +only remaining task is to update the actual keys used to service requests. +The realm used for demonstrating this procedure, ZONE.MIT.EDU, +is an example of the worst-case scenario, where all keys in the realm +are DES. The realm was initially created with a very old version of krb5, +and \textbf{supported\_enctypes} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} was set to a value +appropriate when the KDC was installed, but was not updated as the KDC +was upgraded: + +\begin{Verbatim}[commandchars=\\\{\}] +[realms] + ZONE.MIT.EDU = \PYGZob{} + [...] + master\PYGZus{}key\PYGZus{}type = des\PYGZhy{}cbc\PYGZhy{}crc + supported\PYGZus{}enctypes = des\PYGZhy{}cbc\PYGZhy{}crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 + \PYGZcb{} +\end{Verbatim} + +This resulted in the keys for all principals in the realm being forced +to DES-only, unless specifically requested using {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. + +Before starting the upgrade, all KDCs were running krb5 1.11, +and the database entries for some ``high-value'' principals were: + +\begin{Verbatim}[commandchars=\\\{\}] +[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc krbtgt/ZONE.MIT.EDU\PYGZsq{} +[...] +Number of keys: 1 +Key: vno 1, des\PYGZhy{}cbc\PYGZhy{}crc:v4 +[...] +[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc kadmin/admin\PYGZsq{} +[...] +Number of keys: 1 +Key: vno 15, des\PYGZhy{}cbc\PYGZhy{}crc +[...] +[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc kadmin/changepw\PYGZsq{} +[...] +Number of keys: 1 +Key: vno 14, des\PYGZhy{}cbc\PYGZhy{}crc +[...] +\end{Verbatim} + +The \code{krbtgt/REALM} key appears to have never been changed since creation +(its kvno is 1), and all three database entries have only a des-cbc-crc key. + + +\subsubsection{The krbtgt key and KDC keys} +\label{admin/advanced/retiring-des:the-krbtgt-key-and-kdc-keys} +Perhaps the biggest single-step improvement in the security of the cell +is gained by strengthening the key of the ticket-granting service principal, +\code{krbtgt/REALM}---if this principal's key is compromised, so is the +entire realm. Since the server that will handle service tickets +for this principal is the KDC itself, it is easy to guarantee that it +will be configured to support any encryption types which might be +selected. However, the default KDC behavior when creating new keys is to +remove the old keys, which would invalidate all existing tickets issued +against that principal, rendering the TGTs cached by clients useless. +Instead, a new key can be created with the old key retained, so that +existing tickets will still function until their scheduled expiry +(see {\hyperref[admin/database:changing-krbtgt-key]{\emph{Changing the krbtgt key}}}). + +\begin{Verbatim}[commandchars=\\\{\}] +[root@casio krb5kdc]\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{} +\PYGZgt{} aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,des3\PYGZhy{}hmac\PYGZhy{}sha1:normal,des\PYGZhy{}cbc\PYGZhy{}crc:normal +[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{} +\PYGZgt{} \PYGZhy{}keepold krbtgt/ZONE.MIT.EDU\PYGZdq{} +Authenticating as principal root/admin@ZONE.MIT.EDU with password. +Key for \PYGZdq{}krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU\PYGZdq{} randomized. +\end{Verbatim} + +\begin{notice}{note}{Note:} +The new \code{krbtgt@REALM} key should be propagated to slave KDCs +immediately so that TGTs issued by the master KDC can be used to +issue service tickets on slave KDCs. Slave KDCs will refuse requests +using the new TGT kvno until the new krbtgt entry has been propagated +to them. +\end{notice} + +It is necessary to explicitly specify the enctypes for the new database +entry, since \textbf{supported\_enctypes} has not been changed. Leaving +\textbf{supported\_enctypes} unchanged makes a potential rollback operation +easier, since all new keys of new enctypes are the result of explicit +administrator action and can be easily enumerated. +Upgrading the krbtgt key should have minimal user-visible disruption other +than that described in the note above, since only clients which list the +new enctypes as supported will use them, per the procedure +in {\hyperref[admin/enctypes:session-key-selection]{\emph{Session key selection}}}. +Once the krbtgt key is updated, the session and ticket keys for user +TGTs will be strong keys, but subsequent requests +for service tickets will still get DES keys until the service principals +have new keys generated. Application service +remains uninterrupted due to the key-selection procedure on the KDC. + +After the change, the database entry is now: + +\begin{Verbatim}[commandchars=\\\{\}] +[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc krbtgt/ZONE.MIT.EDU\PYGZsq{} +[...] +Number of keys: 5 +Key: vno 2, aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 +Key: vno 2, aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 +Key: vno 2, des3\PYGZhy{}cbc\PYGZhy{}sha1 +Key: vno 2, des\PYGZhy{}cbc\PYGZhy{}crc +Key: vno 1, des\PYGZhy{}cbc\PYGZhy{}crc:v4 +[...] +\end{Verbatim} + +Since the expected disruptions from rekeying the krbtgt principal are +minor, after a short testing period, it is +appropriate to rekey the other high-value principals, \code{kadmin/admin@REALM} +and \code{kadmin/changepw@REALM}. These are the service principals used for +changing user passwords and updating application keytabs. The kadmin +and password-changing services are regular kerberized services, so the +session-key-selection algorithm described in {\hyperref[admin/enctypes:session-key-selection]{\emph{Session key selection}}} +applies. It is particularly important to have strong session keys for +these services, since user passwords and new long-term keys are conveyed +over the encrypted channel. + +\begin{Verbatim}[commandchars=\\\{\}] +[root@casio krb5kdc]\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{} +\PYGZgt{} aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,des3\PYGZhy{}hmac\PYGZhy{}sha1:normal +[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{} +\PYGZgt{} kadmin/admin\PYGZdq{} +Authenticating as principal root/admin@ZONE.MIT.EDU with password. +Key for \PYGZdq{}kadmin/admin@ZONE.MIT.EDU\PYGZdq{} randomized. +[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{} +\PYGZgt{} kadmin/changepw\PYGZdq{} +Authenticating as principal root/admin@ZONE.MIT.EDU with password. +Key for \PYGZdq{}kadmin/changepw@ZONE.MIT.EDU\PYGZdq{} randomized. +\end{Verbatim} + +It is not necessary to retain a single-DES key for these services, since +password changes are not part of normal daily workflow, and disruption +from a client failure is likely to be minimal. Furthermore, if a kerberos +client experiences failure changing a user password or keytab key, +this indicates that that client will become inoperative once services +are rekeyed to non-DES enctypes. Such problems can be detected early +at this stage, giving more time for corrective action. + + +\subsubsection{Adding strong keys to application servers} +\label{admin/advanced/retiring-des:adding-strong-keys-to-application-servers} +Before switching the default enctypes for new keys over to strong enctypes, +it may be desired to test upgrading a handful of services with the +new configuration before flipping the switch for the defaults. This +still requires using the \textbf{-e} argument in {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} to get non-default +enctypes: + +\begin{Verbatim}[commandchars=\\\{\}] +[root@casio krb5kdc]\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{} +\PYGZgt{} aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,des3\PYGZhy{}cbc\PYGZhy{}sha1:normal,des\PYGZhy{}cbc\PYGZhy{}crc:normal +[root@casio krb5kdc]\PYGZsh{} kadmin \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}p zephyr/zephyr@ZONE.MIT.EDU \PYGZhy{}k \PYGZhy{}t \PYGZbs{} +\PYGZgt{} /etc/zephyr/krb5.keytab \PYGZhy{}q \PYGZdq{}ktadd \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZbs{} +\PYGZgt{} \PYGZhy{}k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU\PYGZdq{} +Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. +Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. +Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. +Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des3\PYGZhy{}cbc\PYGZhy{}sha1 added to keytab WRFILE:/etc/zephyr/krb5.keytab. +Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des\PYGZhy{}cbc\PYGZhy{}crc added to keytab WRFILE:/etc/zephyr/krb5.keytab. +\end{Verbatim} + +Be sure to remove the old keys from the application keytab, per best +practice. + +\begin{Verbatim}[commandchars=\\\{\}] +[root@casio krb5kdc]\PYGZsh{} k5srvutil \PYGZhy{}f /etc/zephyr/krb5.keytab delold +Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. +Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 3 removed from keytab WRFILE:/etc/zephyr/krb5.keytab. +\end{Verbatim} + + +\subsubsection{Adding strong keys by default} +\label{admin/advanced/retiring-des:adding-strong-keys-by-default} +Once the high-visibility services have been rekeyed, it is probably +appropriate to change {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} to generate keys with the new +encryption types by default. This enables server administrators to generate +new enctypes with the \textbf{change} subcommand of {\hyperref[admin/admin_commands/k5srvutil:k5srvutil-1]{\emph{k5srvutil}}}, +and causes user password +changes to add new encryption types for their entries. It will probably +be necessary to implement administrative controls to cause all user +principal keys to be updated in a reasonable period of time, whether +by forcing password changes or a password synchronization service that +has access to the current password and can add the new keys. + +\begin{Verbatim}[commandchars=\\\{\}] +[realms] + ZONE.MIT.EDU = \PYGZob{} + supported\PYGZus{}enctypes = aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal des3\PYGZhy{}cbc\PYGZhy{}sha1:normal des3\PYGZhy{}hmac\PYGZhy{}sha1:normal des\PYGZhy{}cbc\PYGZhy{}crc:normal +\end{Verbatim} + +\begin{notice}{note}{Note:} +The krb5kdc process must be restarted for these changes to take effect. +\end{notice} + +At this point, all service administrators can update their services and the +servers behind them to take advantage of strong cryptography. +If necessary, the server's krb5 installation should be configured and/or +upgraded to a version supporting non-DES keys. See {\hyperref[admin/enctypes:enctypes]{\emph{Encryption types}}} for +krb5 version and configuration settings. +Only when the service is configured to accept non-DES keys should +the key version number be incremented and new keys generated +(\code{k5srvutil change \&\& k5srvutil delold}). + +\begin{Verbatim}[commandchars=\\\{\}] +root@dr\PYGZhy{}willy:\PYGZti{}\PYGZsh{} k5srvutil change +Authenticating as principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. +Entry for principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES\PYGZhy{}256 CTS mode with 96\PYGZhy{}bit SHA\PYGZhy{}1 HMAC added to keytab WRFILE:/etc/krb5.keytab. +Entry for principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES\PYGZhy{}128 CTS mode with 96\PYGZhy{}bit SHA\PYGZhy{}1 HMAC added to keytab WRFILE:/etc/krb5.keytab. +Entry for principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. +Entry for principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type DES cbc mode with CRC\PYGZhy{}32 added to keytab WRFILE:/etc/krb5.keytab. +root@dr\PYGZhy{}willy:\PYGZti{}\PYGZsh{} klist \PYGZhy{}e \PYGZhy{}k \PYGZhy{}t /etc/krb5.keytab +Keytab name: WRFILE:/etc/krb5.keytab +KVNO Timestamp Principal +\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{} \PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{} \PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{} + 2 10/10/12 17:03:59 host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC\PYGZhy{}32) + 3 12/12/12 15:31:19 host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU (AES\PYGZhy{}256 CTS mode with 96\PYGZhy{}bit SHA\PYGZhy{}1 HMAC) + 3 12/12/12 15:31:19 host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU (AES\PYGZhy{}128 CTS mode with 96\PYGZhy{}bit SHA\PYGZhy{}1 HMAC) + 3 12/12/12 15:31:19 host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU (Triple DES cbc mode with HMAC/sha1) + 3 12/12/12 15:31:19 host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC\PYGZhy{}32) +root@dr\PYGZhy{}willy:\PYGZti{}\PYGZsh{} k5srvutil delold +Authenticating as principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. +Entry for principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab. +\end{Verbatim} + +When a single service principal is shared by multiple backend servers in +a load-balanced environment, it may be necessary to schedule downtime +or adjust the population in the load-balanced pool in order to propagate +the updated keytab to all hosts in the pool with minimal service interruption. + + +\subsubsection{Removing DES keys from usage} +\label{admin/advanced/retiring-des:removing-des-keys-from-usage} +This situation remains something of a testing or transitory state, +as new DES keys are still being generated, and will be used if requested +by a client. To make more progress removing DES from the realm, the KDC +should be configured to not generate such keys by default. + +\begin{notice}{note}{Note:} +An attacker posing as a client can implement a brute force attack against +a DES key for any principal, if that key is in the current (highest-kvno) +key list. This attack is only possible if \textbf{allow\_weak\_crypto = true} +is enabled on the KDC. Setting the \textbf{+requires\_preauth} flag on a +principal forces this attack to be an online attack, much slower than +the offline attack otherwise available to the attacker. However, setting +this flag on a service principal is not always advisable; see the entry in +{\hyperref[admin/admin_commands/kadmin_local:add-principal]{\emph{add\_principal}}} for details. +\end{notice} + +The following KDC configuration will not generate DES keys by default: + +\begin{Verbatim}[commandchars=\\\{\}] +[realms] + ZONE.MIT.EDU = \PYGZob{} + supported\PYGZus{}enctypes = aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal des3\PYGZhy{}cbc\PYGZhy{}sha1:normal des3\PYGZhy{}hmac\PYGZhy{}sha1:normal +\end{Verbatim} + +\begin{notice}{note}{Note:} +As before, the KDC process must be restarted for this change to take +effect. It is best practice to update kdc.conf on all KDCs, not just the +master, to avoid unpleasant surprises should the master fail and a slave +need to be promoted. +\end{notice} + +It is now appropriate to remove the legacy single-DES key from the +\code{krbtgt/REALM} entry: + +\begin{Verbatim}[commandchars=\\\{\}] +[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}randkey \PYGZhy{}keepold \PYGZbs{} +\PYGZgt{} krbtgt/ZONE.MIT.EDU\PYGZdq{} +Authenticating as principal host/admin@ATHENA.MIT.EDU with password. +Key for \PYGZdq{}krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU\PYGZdq{} randomized. +\end{Verbatim} + +After the maximum ticket lifetime has passed, the old database entry +should be removed. + +\begin{Verbatim}[commandchars=\\\{\}] +[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}purgekeys krbtgt/ZONE.MIT.EDU\PYGZsq{} +Authenticating as principal root/admin@ZONE.MIT.EDU with password. +Old keys for principal \PYGZdq{}krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU\PYGZdq{} purged. +\end{Verbatim} + +After the KDC is restarted with the new \textbf{supported\_enctypes}, +all user password changes and application keytab updates will not +generate DES keys by default. + +\begin{Verbatim}[commandchars=\\\{\}] +contents\PYGZhy{}vnder\PYGZhy{}pressvre:\PYGZti{}\PYGZgt{} kpasswd zonetest@ZONE.MIT.EDU +Password for zonetest@ZONE.MIT.EDU: [enter old password] +Enter new password: [enter new password] +Enter it again: [enter new password] +Password changed. +contents\PYGZhy{}vnder\PYGZhy{}pressvre:\PYGZti{}\PYGZgt{} kadmin \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc zonetest\PYGZsq{} +[...] +Number of keys: 3 +Key: vno 9, aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 +Key: vno 9, aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 +Key: vno 9, des3\PYGZhy{}cbc\PYGZhy{}sha1 +[...] + +[kaduk@glossolalia \PYGZti{}]\PYGZdl{} kadmin \PYGZhy{}p kaduk@ZONE.MIT.EDU \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}k \PYGZbs{} +\PYGZgt{} \PYGZhy{}t kaduk\PYGZhy{}zone.keytab \PYGZhy{}q \PYGZsq{}ktadd \PYGZhy{}k kaduk\PYGZhy{}zone.keytab kaduk@ZONE.MIT.EDU\PYGZsq{} +Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk\PYGZhy{}zone.keytab. +Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab. +Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab. +Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3\PYGZhy{}cbc\PYGZhy{}sha1 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab. +\end{Verbatim} + +Once all principals have been re-keyed, DES support can be disabled on the +KDC (\textbf{allow\_weak\_crypto = false}), and client machines can remove +\textbf{allow\_weak\_crypto = true} from their {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} configuration +files, completing the migration. \textbf{allow\_weak\_crypto} takes precedence over +all places where DES enctypes could be explicitly configured. DES keys will +not be used, even if they are present, when \textbf{allow\_weak\_crypto = false}. + + +\subsubsection{Support for legacy services} +\label{admin/advanced/retiring-des:support-for-legacy-services} +If there remain legacy services which do not support non-DES enctypes +(such as older versions of AFS), \textbf{allow\_weak\_crypto} must remain +enabled on the KDC. Client machines need not have this setting, +though---applications which require DES can use API calls to allow +weak crypto on a per-request basis, overriding the system krb5.conf. +However, having \textbf{allow\_weak\_crypto} set on the KDC means that any +principals which have a DES key in the database could still use those +keys. To minimize the use of DES in the realm and restrict it to just +legacy services which require DES, it is necessary to remove all other +DES keys. The realm has been configured such that at password and +keytab change, no DES keys will be generated by default. The task +then reduces to requiring user password changes and having server +administrators update their service keytabs. Administrative outreach +will be necessary, and if the desire to eliminate DES is sufficiently +strong, the KDC administrators may choose to randkey any principals +which have not been rekeyed after some timeout period, forcing the +user to contact the helpdesk for access. + + +\subsection{The Database Master Key} +\label{admin/advanced/retiring-des:the-database-master-key} +This procedure does not alter \code{K/M@REALM}, the key used to encrypt key +material in the Kerberos database. (This is the key stored in the stash file +on the KDC if stash files are used.) However, the security risk of +a single-DES key for \code{K/M} is minimal, given that access to material +encrypted in \code{K/M} (the Kerberos database) is generally tightly controlled. +If an attacker can gain access to the encrypted database, they likely +have access to the stash file as well, rendering the weak cryptography +broken by non-cryptographic means. As such, upgrading \code{K/M} to a stronger +encryption type is unlikely to be a high-priority task. + +Is is possible to upgrade the master key used for the database, if +desired. Using {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}`s \textbf{add\_mkey}, \textbf{use\_mkey}, and +\textbf{update\_princ\_encryption} commands, a new master key can be added +and activated for use on new key material, and the existing entries +converted to the new master key. + + +\chapter{Various links} +\label{admin/various_envs:various-links}\label{admin/various_envs::doc} + +\section{Whitepapers} +\label{admin/various_envs:whitepapers}\begin{enumerate} +\item {} +\href{http://kerberos.org/software/whitepapers.html}{http://kerberos.org/software/whitepapers.html} + +\end{enumerate} + + +\section{Tutorials} +\label{admin/various_envs:tutorials}\begin{enumerate} +\item {} +Fulvio Ricciardi \textless{}\href{http://www.kerberos.org/software/tutorial.html}{http://www.kerberos.org/software/tutorial.html}\textgreater{}\_ + +\end{enumerate} + + +\section{Troubleshooting} +\label{admin/various_envs:troubleshooting}\begin{enumerate} +\item {} +\href{http://www.ncsa.illinois.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html}{http://www.ncsa.illinois.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html} + +\item {} +\href{http://nfsv4.bullopensource.org/doc/kerberosnfs/krbnfs\_howto\_v3.pdf}{http://nfsv4.bullopensource.org/doc/kerberosnfs/krbnfs\_howto\_v3.pdf} + +\item {} +\href{http://sysdoc.doors.ch/HP/T1417-90005.pdf}{http://sysdoc.doors.ch/HP/T1417-90005.pdf} + +\item {} +\href{http://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html}{http://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html} + +\item {} +\href{http://download.oracle.com/docs/cd/E19253-01/816-4557/trouble-1/index.html}{http://download.oracle.com/docs/cd/E19253-01/816-4557/trouble-1/index.html} + +\item {} +\href{http://technet.microsoft.com/en-us/library/bb463167.aspx\#EBAA}{http://technet.microsoft.com/en-us/library/bb463167.aspx\#EBAA} + +\item {} +\href{https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528}{https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528} + +\item {} +\href{http://h71000.www7.hp.com/doc/83final/ba548\_90007/ch06s05.html}{http://h71000.www7.hp.com/doc/83final/ba548\_90007/ch06s05.html} + +\end{enumerate} + + + +\renewcommand{\indexname}{Index} +\printindex +\end{document} diff --git a/doc/pdf/appdev.pdf b/doc/pdf/appdev.pdf Binary files differnew file mode 100644 index 000000000000..58b6eab4334c --- /dev/null +++ b/doc/pdf/appdev.pdf diff --git a/doc/pdf/appdev.tex b/doc/pdf/appdev.tex new file mode 100644 index 000000000000..947b8106d84e --- /dev/null +++ b/doc/pdf/appdev.tex @@ -0,0 +1,23032 @@ +% Generated by Sphinx. +\def\sphinxdocclass{report} +\documentclass[letterpaper,10pt,english]{sphinxmanual} +\usepackage[utf8]{inputenc} +\DeclareUnicodeCharacter{00A0}{\nobreakspace} +\usepackage{cmap} +\usepackage[T1]{fontenc} +\usepackage{babel} +\usepackage{times} +\usepackage[Bjarne]{fncychap} +\usepackage{longtable} +\usepackage{sphinx} +\usepackage{multirow} + + +\title{Kerberos Application Developer Guide} +\date{ } +\release{1.15.1} +\author{MIT} +\newcommand{\sphinxlogo}{} +\renewcommand{\releasename}{Release} +\makeindex + +\makeatletter +\def\PYG@reset{\let\PYG@it=\relax \let\PYG@bf=\relax% + \let\PYG@ul=\relax \let\PYG@tc=\relax% + \let\PYG@bc=\relax \let\PYG@ff=\relax} +\def\PYG@tok#1{\csname PYG@tok@#1\endcsname} +\def\PYG@toks#1+{\ifx\relax#1\empty\else% + \PYG@tok{#1}\expandafter\PYG@toks\fi} +\def\PYG@do#1{\PYG@bc{\PYG@tc{\PYG@ul{% + \PYG@it{\PYG@bf{\PYG@ff{#1}}}}}}} +\def\PYG#1#2{\PYG@reset\PYG@toks#1+\relax+\PYG@do{#2}} + +\expandafter\def\csname PYG@tok@gd\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.63,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gu\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.50,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@gt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.27,0.87}{##1}}} +\expandafter\def\csname PYG@tok@gs\endcsname{\let\PYG@bf=\textbf} +\expandafter\def\csname PYG@tok@gr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{1.00,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@cm\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@vg\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@m\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@cs\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\colorbox[rgb]{1.00,0.94,0.94}{\strut ##1}}} +\expandafter\def\csname PYG@tok@ge\endcsname{\let\PYG@it=\textit} +\expandafter\def\csname PYG@tok@vc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@il\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@go\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.20,0.20,0.20}{##1}}} +\expandafter\def\csname PYG@tok@cp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@gi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.63,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gh\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@ni\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.84,0.33,0.22}{##1}}} +\expandafter\def\csname PYG@tok@nl\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.13,0.44}{##1}}} +\expandafter\def\csname PYG@tok@nn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@no\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.38,0.68,0.84}{##1}}} +\expandafter\def\csname PYG@tok@na\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@nb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@nd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.33,0.33,0.33}{##1}}} +\expandafter\def\csname PYG@tok@ne\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} +\expandafter\def\csname PYG@tok@si\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.44,0.63,0.82}{##1}}} +\expandafter\def\csname PYG@tok@s2\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@vi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@nt\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.45}{##1}}} +\expandafter\def\csname PYG@tok@nv\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@s1\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@gp\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@sh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@ow\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@sx\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@bp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c1\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@kc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@mf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@err\endcsname{\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\fcolorbox[rgb]{1.00,0.00,0.00}{1,1,1}{\strut ##1}}} +\expandafter\def\csname PYG@tok@kd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@ss\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.32,0.47,0.09}{##1}}} +\expandafter\def\csname PYG@tok@sr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.14,0.33,0.53}{##1}}} +\expandafter\def\csname PYG@tok@mo\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@kn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@o\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.40,0.40,0.40}{##1}}} +\expandafter\def\csname PYG@tok@kr\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@s\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@kp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@w\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.73,0.73}{##1}}} +\expandafter\def\csname PYG@tok@kt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.56,0.13,0.00}{##1}}} +\expandafter\def\csname PYG@tok@sc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@k\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@se\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sd\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} + +\def\PYGZbs{\char`\\} +\def\PYGZus{\char`\_} +\def\PYGZob{\char`\{} +\def\PYGZcb{\char`\}} +\def\PYGZca{\char`\^} +\def\PYGZam{\char`\&} +\def\PYGZlt{\char`\<} +\def\PYGZgt{\char`\>} +\def\PYGZsh{\char`\#} +\def\PYGZpc{\char`\%} +\def\PYGZdl{\char`\$} +\def\PYGZhy{\char`\-} +\def\PYGZsq{\char`\'} +\def\PYGZdq{\char`\"} +\def\PYGZti{\char`\~} +% for compatibility with earlier versions +\def\PYGZat{@} +\def\PYGZlb{[} +\def\PYGZrb{]} +\makeatother + +\begin{document} + +\maketitle +\tableofcontents +\phantomsection\label{appdev/index::doc} + + + +\chapter{Developing with GSSAPI} +\label{appdev/gssapi:for-application-developers}\label{appdev/gssapi::doc}\label{appdev/gssapi:developing-with-gssapi} +The GSSAPI (Generic Security Services API) allows applications to +communicate securely using Kerberos 5 or other security mechanisms. +We recommend using the GSSAPI (or a higher-level framework which +encompasses GSSAPI, such as SASL) for secure network communication +over using the libkrb5 API directly. + +GSSAPIv2 is specified in \index{RFC!RFC 2743}\href{http://tools.ietf.org/html/rfc2743.html}{\textbf{RFC 2743}} and \index{RFC!RFC 2744}\href{http://tools.ietf.org/html/rfc2744.html}{\textbf{RFC 2744}}. Also see +\index{RFC!RFC 7546}\href{http://tools.ietf.org/html/rfc7546.html}{\textbf{RFC 7546}} for a description of how to use the GSSAPI in a client or +server program. + +This documentation will describe how various ways of using the +GSSAPI will behave with the krb5 mechanism as implemented in MIT krb5, +as well as krb5-specific extensions to the GSSAPI. + + +\section{Name types} +\label{appdev/gssapi:name-types} +A GSSAPI application can name a local or remote entity by calling +\href{http://tools.ietf.org/html/rfc2744.html\#section-5.16}{gss\_import\_name}, specifying a name type and a value. The following +name types are supported by the krb5 mechanism: +\begin{itemize} +\item {} +\textbf{GSS\_C\_NT\_HOSTBASED\_SERVICE}: The value should be a string of the +form \code{service} or \code{service@hostname}. This is the most common +way to name target services when initiating a security context, and +is the most likely name type to work across multiple mechanisms. + +\item {} +\textbf{GSS\_KRB5\_NT\_PRINCIPAL\_NAME}: The value should be a principal name +string. This name type only works with the krb5 mechanism, and is +defined in the \code{\textless{}gssapi/gssapi\_krb5.h\textgreater{}} header. + +\item {} +\textbf{GSS\_C\_NT\_USER\_NAME} or \textbf{GSS\_C\_NULL\_OID}: The value is treated +as an unparsed principal name string, as above. These name types +may work with mechanisms other than krb5, but will have different +interpretations in those mechanisms. \textbf{GSS\_C\_NT\_USER\_NAME} is +intended to be used with a local username, which will parse into a +single-component principal in the default realm. + +\item {} +\textbf{GSS\_C\_NT\_ANONYMOUS}: The value is ignored. The anonymous +principal is used, allowing a client to authenticate to a server +without asserting a particular identity (which may or may not be +allowed by a particular server or Kerberos realm). + +\item {} +\textbf{GSS\_C\_NT\_MACHINE\_UID\_NAME}: The value is uid\_t object. On +Unix-like systems, the username of the uid is looked up in the +system user database and the resulting username is parsed as a +principal name. + +\item {} +\textbf{GSS\_C\_NT\_STRING\_UID\_NAME}: As above, but the value is a decimal +string representation of the uid. + +\item {} +\textbf{GSS\_C\_NT\_EXPORT\_NAME}: The value must be the result of a +\href{http://tools.ietf.org/html/rfc2744.html\#section-5.13}{gss\_export\_name} call. + +\end{itemize} + + +\section{Initiator credentials} +\label{appdev/gssapi:initiator-credentials} +A GSSAPI client application uses \href{http://tools.ietf.org/html/rfc2744.html\#section-5.19}{gss\_init\_sec\_context} to establish a +security context. The \emph{initiator\_cred\_handle} parameter determines +what tickets are used to establish the connection. An application can +either pass \textbf{GSS\_C\_NO\_CREDENTIAL} to use the default client +credential, or it can use \href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred} beforehand to acquire an +initiator credential. The call to \href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred} may include a +\emph{desired\_name} parameter, or it may pass \textbf{GSS\_C\_NO\_NAME} if it does +not have a specific name preference. + +If the desired name for a krb5 initiator credential is a host-based +name, it is converted to a principal name of the form +\code{service/hostname} in the local realm, where \emph{hostname} is the local +hostname if not specified. The hostname will be canonicalized using +forward name resolution, and possibly also using reverse name +resolution depending on the value of the \textbf{rdns} variable in +\emph{libdefaults}. + +If a desired name is specified in the call to \href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred}, the +krb5 mechanism will attempt to find existing tickets for that client +principal name in the default credential cache or collection. If the +default cache type does not support a collection, and the default +cache contains credentials for a different principal than the desired +name, a \textbf{GSS\_S\_CRED\_UNAVAIL} error will be returned with a minor +code indicating a mismatch. + +If no existing tickets are available for the desired name, but the +name has an entry in the default client \emph{keytab\_definition}, the +krb5 mechanism will acquire initial tickets for the name using the +default client keytab. + +If no desired name is specified, credential acquisition will be +deferred until the credential is used in a call to +\href{http://tools.ietf.org/html/rfc2744.html\#section-5.19}{gss\_init\_sec\_context} or \href{http://tools.ietf.org/html/rfc2744.html\#section-5.21}{gss\_inquire\_cred}. If the call is to +\href{http://tools.ietf.org/html/rfc2744.html\#section-5.19}{gss\_init\_sec\_context}, the target name will be used to choose a client +principal name using the credential cache selection facility. (This +facility might, for instance, try to choose existing tickets for a +client principal in the same realm as the target service). If there +are no existing tickets for the chosen principal, but it is present in +the default client keytab, the krb5 mechanism will acquire initial +tickets using the keytab. + +If the target name cannot be used to select a client principal +(because the credentials are used in a call to \href{http://tools.ietf.org/html/rfc2744.html\#section-5.21}{gss\_inquire\_cred}), or +if the credential cache selection facility cannot choose a principal +for it, the default credential cache will be selected if it exists and +contains tickets. + +If the default credential cache does not exist, but the default client +keytab does, the krb5 mechanism will try to acquire initial tickets +for the first principal in the default client keytab. + +If the krb5 mechanism acquires initial tickets using the default +client keytab, the resulting tickets will be stored in the default +cache or collection, and will be refreshed by future calls to +\href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred} as they approach their expire time. + + +\section{Acceptor names} +\label{appdev/gssapi:acceptor-names} +A GSSAPI server application uses \href{http://tools.ietf.org/html/rfc2744.html\#section-5.1}{gss\_accept\_sec\_context} to establish +a security context based on tokens provided by the client. The +\emph{acceptor\_cred\_handle} parameter determines what +\emph{keytab\_definition} entries may be authenticated to by the +client, if the krb5 mechanism is used. + +The simplest choice is to pass \textbf{GSS\_C\_NO\_CREDENTIAL} as the acceptor +credential. In this case, clients may authenticate to any service +principal in the default keytab (typically \emph{DEFKTNAME}, or the value of +the \textbf{KRB5\_KTNAME} environment variable). This is the recommended +approach if the server application has no specific requirements to the +contrary. + +A server may acquire an acceptor credential with \href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred} and +a \emph{cred\_usage} of \textbf{GSS\_C\_ACCEPT} or \textbf{GSS\_C\_BOTH}. If the +\emph{desired\_name} parameter is \textbf{GSS\_C\_NO\_NAME}, then clients will be +allowed to authenticate to any service principal in the default +keytab, just as if no acceptor credential was supplied. + +If a server wishes to specify a \emph{desired\_name} to \href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred}, +the most common choice is a host-based name. If the host-based +\emph{desired\_name} contains just a \emph{service}, then clients will be allowed +to authenticate to any host-based service principal (that is, a +principal of the form \code{service/hostname@REALM}) for the named +service, regardless of hostname or realm, as long as it is present in +the default keytab. If the input name contains both a \emph{service} and a +\emph{hostname}, clients will be allowed to authenticate to any host-based +principal for the named service and hostname, regardless of realm. + +\begin{notice}{note}{Note:} +If a \emph{hostname} is specified, it will be canonicalized +using forward name resolution, and possibly also using +reverse name resolution depending on the value of the +\textbf{rdns} variable in \emph{libdefaults}. +\end{notice} + +\begin{notice}{note}{Note:} +If the \textbf{ignore\_acceptor\_hostname} variable in +\emph{libdefaults} is enabled, then \emph{hostname} will be +ignored even if one is specified in the input name. +\end{notice} + +\begin{notice}{note}{Note:} +In MIT krb5 versions prior to 1.10, and in Heimdal's +implementation of the krb5 mechanism, an input name with +just a \emph{service} is treated like an input name of +\code{service@localhostname}, where \emph{localhostname} is the +string returned by gethostname(). +\end{notice} + +If the \emph{desired\_name} is a krb5 principal name or a local system name +type which is mapped to a krb5 principal name, clients will only be +allowed to authenticate to that principal in the default keytab. + + +\section{Name Attributes} +\label{appdev/gssapi:name-attributes} +In release 1.8 or later, the \href{http://tools.ietf.org/html/rfc6680.txt\#section-7.4}{gss\_inquire\_name} and +\href{http://tools.ietf.org/html/6680.html\#section-7.5}{gss\_get\_name\_attribute} functions, specified in \index{RFC!RFC 6680}\href{http://tools.ietf.org/html/rfc6680.html}{\textbf{RFC 6680}}, can be +used to retrieve name attributes from the \emph{src\_name} returned by +\href{http://tools.ietf.org/html/rfc2744.html\#section-5.1}{gss\_accept\_sec\_context}. The following attributes are defined when +the krb5 mechanism is used: +\phantomsection\label{appdev/gssapi:gssapi-authind-attr}\begin{itemize} +\item {} +``auth-indicators'' attribute: + +\end{itemize} + +This attribute will be included in the \href{http://tools.ietf.org/html/rfc6680.txt\#section-7.4}{gss\_inquire\_name} output if the +ticket contains \emph{authentication indicators}. +One indicator is returned per invocation of \href{http://tools.ietf.org/html/6680.html\#section-7.5}{gss\_get\_name\_attribute}, +so multiple invocations may be necessary to retrieve all of the +indicators from the ticket. (New in release 1.15.) + + +\section{Importing and exporting credentials} +\label{appdev/gssapi:importing-and-exporting-credentials} +The following GSSAPI extensions can be used to import and export +credentials (declared in \code{\textless{}gssapi/gssapi\_ext.h\textgreater{}}): + +\begin{Verbatim}[commandchars=\\\{\}] +OM\PYGZus{}uint32 gss\PYGZus{}export\PYGZus{}cred(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t cred\PYGZus{}handle, + gss\PYGZus{}buffer\PYGZus{}t token); + +OM\PYGZus{}uint32 gss\PYGZus{}import\PYGZus{}cred(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}buffer\PYGZus{}t token, + gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t *cred\PYGZus{}handle); +\end{Verbatim} + +The first function serializes a GSSAPI credential handle into a +buffer; the second unseralizes a buffer into a GSSAPI credential +handle. Serializing a credential does not destroy it. If any of the +mechanisms used in \emph{cred\_handle} do not support serialization, +gss\_export\_cred will return \textbf{GSS\_S\_UNAVAILABLE}. As with other +GSSAPI serialization functions, these extensions are only intended to +work with a matching implementation on the other side; they do not +serialize credentials in a standardized format. + +A serialized credential may contain secret information such as ticket +session keys. The serialization format does not protect this +information from eavesdropping or tampering. The calling application +must take care to protect the serialized credential when communicating +it over an insecure channel or to an untrusted party. + +A krb5 GSSAPI credential may contain references to a credential cache, +a client keytab, an acceptor keytab, and a replay cache. These +resources are normally serialized as references to their external +locations (such as the filename of the credential cache). Because of +this, a serialized krb5 credential can only be imported by a process +with similar privileges to the exporter. A serialized credential +should not be trusted if it originates from a source with lower +privileges than the importer, as it may contain references to external +credential cache, keytab, or replay cache resources not accessible to +the originator. + +An exception to the above rule applies when a krb5 GSSAPI credential +refers to a memory credential cache, as is normally the case for +delegated credentials received by \href{http://tools.ietf.org/html/rfc2744.html\#section-5.1}{gss\_accept\_sec\_context}. In this +case, the contents of the credential cache are serialized, so that the +resulting token may be imported even if the original memory credential +cache no longer exists. + + +\section{Constrained delegation (S4U)} +\label{appdev/gssapi:constrained-delegation-s4u} +The Microsoft S4U2Self and S4U2Proxy Kerberos protocol extensions +allow an intermediate service to acquire credentials from a client to +a target service without requiring the client to delegate a +ticket-granting ticket, if the KDC is configured to allow it. + +To perform a constrained delegation operation, the intermediate +service must submit to the KDC an ``evidence ticket'' from the client to +the intermediate service with the forwardable bit set. An evidence +ticket can be acquired when the client authenticates to the +intermediate service with Kerberos, or with an S4U2Self request if the +KDC allows it. The MIT krb5 GSSAPI library represents an evidence +ticket using a ``proxy credential'', which is a special kind of +gss\_cred\_id\_t object whose underlying credential cache contains the +evidence ticket and a krbtgt ticket for the intermediate service. + +To acquire a proxy credential during client authentication, the +service should first create an acceptor credential using the +\textbf{GSS\_C\_BOTH} usage. The application should then pass this +credential as the \emph{acceptor\_cred\_handle} to \href{http://tools.ietf.org/html/rfc2744.html\#section-5.1}{gss\_accept\_sec\_context}, +and also pass a \emph{delegated\_cred\_handle} output parameter to receive a +proxy credential containing the evidence ticket. The output value of +\emph{delegated\_cred\_handle} may be a delegated ticket-granting ticket if +the client sent one, or a proxy credential if the client authenticated +with a forwardable service ticket, or \textbf{GSS\_C\_NO\_CREDENTIAL} if +neither is the case. + +To acquire a proxy credential using an S4U2Self request, the service +can use the following GSSAPI extension: + +\begin{Verbatim}[commandchars=\\\{\}] +OM\PYGZus{}uint32 gss\PYGZus{}acquire\PYGZus{}cred\PYGZus{}impersonate\PYGZus{}name(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t icred, + gss\PYGZus{}name\PYGZus{}t desired\PYGZus{}name, + OM\PYGZus{}uint32 time\PYGZus{}req, + gss\PYGZus{}OID\PYGZus{}set desired\PYGZus{}mechs, + gss\PYGZus{}cred\PYGZus{}usage\PYGZus{}t cred\PYGZus{}usage, + gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t *output\PYGZus{}cred, + gss\PYGZus{}OID\PYGZus{}set *actual\PYGZus{}mechs, + OM\PYGZus{}uint32 *time\PYGZus{}rec); +\end{Verbatim} + +The parameters to this function are similar to those of +\href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred}, except that \emph{icred} is used to make an S4U2Self +request to the KDC for a ticket from \emph{desired\_name} to the +intermediate service. Both \emph{icred} and \emph{desired\_name} are required +for this function; passing \textbf{GSS\_C\_NO\_CREDENTIAL} or +\textbf{GSS\_C\_NO\_NAME} will cause the call to fail. \emph{icred} must contain a +krbtgt ticket for the intermediate service. If the KDC returns a +forwardable ticket, the result of this operation is a proxy +credential; if it is not forwardable, the result is a regular +credential for \emph{desired\_name}. + +A recent KDC will usually allow any service to acquire a ticket from a +client to itself with an S4U2Self request, but the ticket will only be +forwardable if the service has a specific privilege. In the MIT krb5 +KDC, this privilege is determined by the \textbf{ok\_to\_auth\_as\_delegate} +bit on the intermediate service's principal entry, which can be +configured with \emph{kadmin(1)}. + +Once the intermediate service has a proxy credential, it can simply +pass it to \href{http://tools.ietf.org/html/rfc2744.html\#section-5.19}{gss\_init\_sec\_context} as the \emph{initiator\_cred\_handle} +parameter, and the desired service as the \emph{target\_name} parameter. +The GSSAPI library will present the krbtgt ticket and evidence ticket +in the proxy credential to the KDC in an S4U2Proxy request; if the +intermediate service has the appropriate permissions, the KDC will +issue a ticket from the client to the target service. The GSSAPI +library will then use this ticket to authenticate to the target +service. + + +\section{AEAD message wrapping} +\label{appdev/gssapi:aead-message-wrapping} +The following GSSAPI extensions (declared in +\code{\textless{}gssapi/gssapi\_ext.h\textgreater{}}) can be used to wrap and unwrap messages +with additional ``associated data'' which is integrity-checked but is +not included in the output buffer: + +\begin{Verbatim}[commandchars=\\\{\}] +OM\PYGZus{}uint32 gss\PYGZus{}wrap\PYGZus{}aead(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, + int conf\PYGZus{}req\PYGZus{}flag, gss\PYGZus{}qop\PYGZus{}t qop\PYGZus{}req, + gss\PYGZus{}buffer\PYGZus{}t input\PYGZus{}assoc\PYGZus{}buffer, + gss\PYGZus{}buffer\PYGZus{}t input\PYGZus{}payload\PYGZus{}buffer, + int *conf\PYGZus{}state, + gss\PYGZus{}buffer\PYGZus{}t output\PYGZus{}message\PYGZus{}buffer); + +OM\PYGZus{}uint32 gss\PYGZus{}unwrap\PYGZus{}aead(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, + gss\PYGZus{}buffer\PYGZus{}t input\PYGZus{}message\PYGZus{}buffer, + gss\PYGZus{}buffer\PYGZus{}t input\PYGZus{}assoc\PYGZus{}buffer, + gss\PYGZus{}buffer\PYGZus{}t output\PYGZus{}payload\PYGZus{}buffer, + int *conf\PYGZus{}state, + gss\PYGZus{}qop\PYGZus{}t *qop\PYGZus{}state); +\end{Verbatim} + +Wrap tokens created with gss\_wrap\_aead will successfully unwrap only +if the same \emph{input\_assoc\_buffer} contents are presented to +gss\_unwrap\_aead. + + +\section{IOV message wrapping} +\label{appdev/gssapi:iov-message-wrapping} +The following extensions (declared in \code{\textless{}gssapi/gssapi\_ext.h\textgreater{}}) can +be used for in-place encryption, fine-grained control over wrap token +layout, and for constructing wrap tokens compatible with Microsoft DCE +RPC: + +\begin{Verbatim}[commandchars=\\\{\}] +typedef struct gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc\PYGZus{}struct \PYGZob{} + OM\PYGZus{}uint32 type; + gss\PYGZus{}buffer\PYGZus{}desc buffer; +\PYGZcb{} gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc, *gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}t; + +OM\PYGZus{}uint32 gss\PYGZus{}wrap\PYGZus{}iov(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, + int conf\PYGZus{}req\PYGZus{}flag, gss\PYGZus{}qop\PYGZus{}t qop\PYGZus{}req, + int *conf\PYGZus{}state, + gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, int iov\PYGZus{}count); + +OM\PYGZus{}uint32 gss\PYGZus{}unwrap\PYGZus{}iov(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, + int *conf\PYGZus{}state, gss\PYGZus{}qop\PYGZus{}t *qop\PYGZus{}state, + gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, int iov\PYGZus{}count); + +OM\PYGZus{}uint32 gss\PYGZus{}wrap\PYGZus{}iov\PYGZus{}length(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, + int conf\PYGZus{}req\PYGZus{}flag, + gss\PYGZus{}qop\PYGZus{}t qop\PYGZus{}req, int *conf\PYGZus{}state, + gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, + int iov\PYGZus{}count); + +OM\PYGZus{}uint32 gss\PYGZus{}release\PYGZus{}iov\PYGZus{}buffer(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, + int iov\PYGZus{}count); +\end{Verbatim} + +The caller of gss\_wrap\_iov provides an array of gss\_iov\_buffer\_desc +structures, each containing a type and a gss\_buffer\_desc structure. +Valid types include: +\begin{itemize} +\item {} +\textbf{GSS\_C\_BUFFER\_TYPE\_DATA}: A data buffer to be included in the +token, and to be encrypted or decrypted in-place if the token is +confidentiality-protected. + +\item {} +\textbf{GSS\_C\_BUFFER\_TYPE\_HEADER}: The GSSAPI wrap token header and +underlying cryptographic header. + +\item {} +\textbf{GSS\_C\_BUFFER\_TYPE\_TRAILER}: The cryptographic trailer, if one is +required. + +\item {} +\textbf{GSS\_C\_BUFFER\_TYPE\_PADDING}: Padding to be combined with the data +during encryption and decryption. (The implementation may choose to +place padding in the trailer buffer, in which case it will set the +padding buffer length to 0.) + +\item {} +\textbf{GSS\_C\_BUFFER\_TYPE\_STREAM}: For unwrapping only, a buffer +containing a complete wrap token in standard format to be unwrapped. + +\item {} +\textbf{GSS\_C\_BUFFER\_TYPE\_SIGN\_ONLY}: A buffer to be included in the +token's integrity protection checksum, but not to be encrypted or +included in the token itself. + +\end{itemize} + +For gss\_wrap\_iov, the IOV list should contain one HEADER buffer, +followed by zero or more SIGN\_ONLY buffers, followed by one or more +DATA buffers, followed by a TRAILER buffer. The memory pointed to by +the buffers is not required to be contiguous or in any particular +order. If \emph{conf\_req\_flag} is true, DATA buffers will be encrypted +in-place, while SIGN\_ONLY buffers will not be modified. + +The type of an output buffer may be combined with +\textbf{GSS\_C\_BUFFER\_FLAG\_ALLOCATE} to request that gss\_wrap\_iov allocate +the buffer contents. If gss\_wrap\_iov allocates a buffer, it sets the +\textbf{GSS\_C\_BUFFER\_FLAG\_ALLOCATED} flag on the buffer type. +gss\_release\_iov\_buffer can be used to release all allocated buffers +within an iov list and unset their allocated flags. Here is an +example of how gss\_wrap\_iov can be used with allocation requested +(\emph{ctx} is assumed to be a previously established gss\_ctx\_id\_t): + +\begin{Verbatim}[commandchars=\\\{\}] +OM\PYGZus{}uint32 major, minor; +gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc iov[4]; +char str[] = \PYGZdq{}message\PYGZdq{}; + +iov[0].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}HEADER \textbar{} GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}FLAG\PYGZus{}ALLOCATE; +iov[1].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA; +iov[1].buffer.value = str; +iov[1].buffer.length = strlen(str); +iov[2].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}PADDING \textbar{} GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}FLAG\PYGZus{}ALLOCATE; +iov[3].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}TRAILER \textbar{} GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}FLAG\PYGZus{}ALLOCATE; + +major = gss\PYGZus{}wrap\PYGZus{}iov(\PYGZam{}minor, ctx, 1, GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT, NULL, + iov, 4); +if (GSS\PYGZus{}ERROR(major)) + handle\PYGZus{}error(major, minor); + +/* Transmit or otherwise use resulting buffers. */ + +(void)gss\PYGZus{}release\PYGZus{}iov\PYGZus{}buffer(\PYGZam{}minor, iov, 4); +\end{Verbatim} + +If the caller does not choose to request buffer allocation by +gss\_wrap\_iov, it should first call gss\_wrap\_iov\_length to query the +lengths of the HEADER, PADDING, and TRAILER buffers. DATA buffers +must be provided in the iov list so that padding length can be +computed correctly, but the output buffers need not be initialized. +Here is an example of using gss\_wrap\_iov\_length and gss\_wrap\_iov: + +\begin{Verbatim}[commandchars=\\\{\}] +OM\PYGZus{}uint32 major, minor; +gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc iov[4]; +char str[1024] = \PYGZdq{}message\PYGZdq{}, *ptr; + +iov[0].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}HEADER; +iov[1].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA; +iov[1].buffer.value = str; +iov[1].buffer.length = strlen(str); + +iov[2].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}PADDING; +iov[3].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}TRAILER; + +major = gss\PYGZus{}wrap\PYGZus{}iov\PYGZus{}length(\PYGZam{}minor, ctx, 1, GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT, + NULL, iov, 4); +if (GSS\PYGZus{}ERROR(major)) + handle\PYGZus{}error(major, minor); +if (strlen(str) + iov[0].buffer.length + iov[2].buffer.length + + iov[3].buffer.length \PYGZgt{} sizeof(str)) + handle\PYGZus{}out\PYGZus{}of\PYGZus{}space\PYGZus{}error(); +ptr = str + strlen(str); +iov[0].buffer.value = ptr; +ptr += iov[0].buffer.length; +iov[2].buffer.value = ptr; +ptr += iov[2].buffer.length; +iov[3].buffer.value = ptr; + +major = gss\PYGZus{}wrap\PYGZus{}iov(\PYGZam{}minor, ctx, 1, GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT, NULL, + iov, 4); +if (GSS\PYGZus{}ERROR(major)) + handle\PYGZus{}error(major, minor); +\end{Verbatim} + +If the context was established using the \textbf{GSS\_C\_DCE\_STYLE} flag +(described in \index{RFC!RFC 4757}\href{http://tools.ietf.org/html/rfc4757.html}{\textbf{RFC 4757}}), wrap tokens compatible with Microsoft DCE +RPC can be constructed. In this case, the IOV list must include a +SIGN\_ONLY buffer, a DATA buffer, a second SIGN\_ONLY buffer, and a +HEADER buffer in that order (the order of the buffer contents remains +arbitrary). The application must pad the DATA buffer to a multiple of +16 bytes as no padding or trailer buffer is used. + +gss\_unwrap\_iov may be called with an IOV list just like one which +would be provided to gss\_wrap\_iov. DATA buffers will be decrypted +in-place if they were encrypted, and SIGN\_ONLY buffers will not be +modified. + +Alternatively, gss\_unwrap\_iov may be called with a single STREAM +buffer, zero or more SIGN\_ONLY buffers, and a single DATA buffer. The +STREAM buffer is interpreted as a complete wrap token. The STREAM +buffer will be modified in-place to decrypt its contents. The DATA +buffer will be initialized to point to the decrypted data within the +STREAM buffer, unless it has the \textbf{GSS\_C\_BUFFER\_FLAG\_ALLOCATE} flag +set, in which case it will be initialized with a copy of the decrypted +data. Here is an example (\emph{token} and \emph{token\_len} are assumed to be a +pre-existing pointer and length for a modifiable region of data): + +\begin{Verbatim}[commandchars=\\\{\}] +OM\PYGZus{}uint32 major, minor; +gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc iov[2]; + +iov[0].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}STREAM; +iov[0].buffer.value = token; +iov[0].buffer.length = token\PYGZus{}len; +iov[1].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA; +major = gss\PYGZus{}unwrap\PYGZus{}iov(\PYGZam{}minor, ctx, NULL, NULL, iov, 2); +if (GSS\PYGZus{}ERROR(major)) + handle\PYGZus{}error(major, minor); + +/* Decrypted data is in iov[1].buffer, pointing to a subregion of + * token. */ +\end{Verbatim} + + +\section{IOV MIC tokens} +\label{appdev/gssapi:gssapi-mic-token}\label{appdev/gssapi:iov-mic-tokens} +The following extensions (declared in \code{\textless{}gssapi/gssapi\_ext.h\textgreater{}}) can +be used in release 1.12 or later to construct and verify MIC tokens +using an IOV list: + +\begin{Verbatim}[commandchars=\\\{\}] +OM\PYGZus{}uint32 gss\PYGZus{}get\PYGZus{}mic\PYGZus{}iov(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, + gss\PYGZus{}qop\PYGZus{}t qop\PYGZus{}req, + gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, + int iov\PYGZus{}count); + +OM\PYGZus{}uint32 gss\PYGZus{}get\PYGZus{}mic\PYGZus{}iov\PYGZus{}length(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, + gss\PYGZus{}qop\PYGZus{}t qop\PYGZus{}req, + gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, + iov\PYGZus{}count); + +OM\PYGZus{}uint32 gss\PYGZus{}verify\PYGZus{}mic\PYGZus{}iov(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, + gss\PYGZus{}qop\PYGZus{}t *qop\PYGZus{}state, + gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, + int iov\PYGZus{}count); +\end{Verbatim} + +The caller of gss\_get\_mic\_iov provides an array of gss\_iov\_buffer\_desc +structures, each containing a type and a gss\_buffer\_desc structure. +Valid types include: +\begin{itemize} +\item {} +\textbf{GSS\_C\_BUFFER\_TYPE\_DATA} and \textbf{GSS\_C\_BUFFER\_TYPE\_SIGN\_ONLY}: The +corresponding buffer for each of these types will be signed for the +MIC token, in the order provided. + +\item {} +\textbf{GSS\_C\_BUFFER\_TYPE\_MIC\_TOKEN}: The GSSAPI MIC token. + +\end{itemize} + +The type of the MIC\_TOKEN buffer may be combined with +\textbf{GSS\_C\_BUFFER\_FLAG\_ALLOCATE} to request that gss\_get\_mic\_iov +allocate the buffer contents. If gss\_get\_mic\_iov allocates the +buffer, it sets the \textbf{GSS\_C\_BUFFER\_FLAG\_ALLOCATED} flag on the buffer +type. gss\_release\_iov\_buffer can be used to release all allocated +buffers within an iov list and unset their allocated flags. Here is +an example of how gss\_get\_mic\_iov can be used with allocation +requested (\emph{ctx} is assumed to be a previously established +gss\_ctx\_id\_t): + +\begin{Verbatim}[commandchars=\\\{\}] +OM\PYGZus{}uint32 major, minor; +gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc iov[3]; + +iov[0].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA; +iov[0].buffer.value = \PYGZdq{}sign1\PYGZdq{}; +iov[0].buffer.length = 5; +iov[1].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}SIGN\PYGZus{}ONLY; +iov[1].buffer.value = \PYGZdq{}sign2\PYGZdq{}; +iov[1].buffer.length = 5; +iov[2].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}MIC\PYGZus{}TOKEN \textbar{} GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}FLAG\PYGZus{}ALLOCATE; + +major = gss\PYGZus{}get\PYGZus{}mic\PYGZus{}iov(\PYGZam{}minor, ctx, GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT, iov, 3); +if (GSS\PYGZus{}ERROR(major)) + handle\PYGZus{}error(major, minor); + +/* Transmit or otherwise use iov[2].buffer. */ + +(void)gss\PYGZus{}release\PYGZus{}iov\PYGZus{}buffer(\PYGZam{}minor, iov, 3); +\end{Verbatim} + +If the caller does not choose to request buffer allocation by +gss\_get\_mic\_iov, it should first call gss\_get\_mic\_iov\_length to query +the length of the MIC\_TOKEN buffer. Here is an example of using +gss\_get\_mic\_iov\_length and gss\_get\_mic\_iov: + +\begin{Verbatim}[commandchars=\\\{\}] +OM\PYGZus{}uint32 major, minor; +gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc iov[2]; +char data[1024]; + +iov[0].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}MIC\PYGZus{}TOKEN; +iov[1].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA; +iov[1].buffer.value = \PYGZdq{}message\PYGZdq{}; +iov[1].buffer.length = 7; + +major = gss\PYGZus{}wrap\PYGZus{}iov\PYGZus{}length(\PYGZam{}minor, ctx, 1, GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT, + NULL, iov, 2); +if (GSS\PYGZus{}ERROR(major)) + handle\PYGZus{}error(major, minor); +if (iov[0].buffer.length \PYGZgt{} sizeof(data)) + handle\PYGZus{}out\PYGZus{}of\PYGZus{}space\PYGZus{}error(); +iov[0].buffer.value = data; + +major = gss\PYGZus{}wrap\PYGZus{}iov(\PYGZam{}minor, ctx, 1, GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT, NULL, + iov, 2); +if (GSS\PYGZus{}ERROR(major)) + handle\PYGZus{}error(major, minor); +\end{Verbatim} + + +\chapter{Differences between Heimdal and MIT Kerberos API} +\label{appdev/h5l_mit_apidiff:differences-between-heimdal-and-mit-kerberos-api}\label{appdev/h5l_mit_apidiff::doc} +\begin{tabulary}{\linewidth}{|l|l|} +\hline + +{\hyperref[appdev/refs/api/krb5_auth_con_getaddrs:c.krb5_auth_con_getaddrs]{\code{krb5\_auth\_con\_getaddrs()}}} + & +H5l: If either of the pointers to local\_addr +and remote\_addr is not NULL, it is freed +first and then reallocated before being +populated with the content of corresponding +address from authentication context. +\\ +\hline +{\hyperref[appdev/refs/api/krb5_auth_con_setaddrs:c.krb5_auth_con_setaddrs]{\code{krb5\_auth\_con\_setaddrs()}}} + & +H5l: If either address is NULL, the previous +address remains in place +\\ +\hline +{\hyperref[appdev/refs/api/krb5_auth_con_setports:c.krb5_auth_con_setports]{\code{krb5\_auth\_con\_setports()}}} + & +H5l: Not implemented as of version 1.3.3 +\\ +\hline +{\hyperref[appdev/refs/api/krb5_auth_con_setrecvsubkey:c.krb5_auth_con_setrecvsubkey]{\code{krb5\_auth\_con\_setrecvsubkey()}}} + & +H5l: If either port is NULL, the previous +port remains in place +\\ +\hline +{\hyperref[appdev/refs/api/krb5_auth_con_setsendsubkey:c.krb5_auth_con_setsendsubkey]{\code{krb5\_auth\_con\_setsendsubkey()}}} + & +H5l: Not implemented as of version 1.3.3 +\\ +\hline +{\hyperref[appdev/refs/api/krb5_cc_set_config:c.krb5_cc_set_config]{\code{krb5\_cc\_set\_config()}}} + & +MIT: Before version 1.10 it was assumed that +the last argument \emph{data} is ALWAYS non-zero. +\\ +\hline +{\hyperref[appdev/refs/api/krb5_cccol_last_change_time:c.krb5_cccol_last_change_time]{\code{krb5\_cccol\_last\_change\_time()}}} + & +H5l takes 3 arguments: krb5\_context context, +const char *type, krb5\_timestamp *change\_time +MIT takes two arguments: krb5\_context context, +krb5\_timestamp *change\_time +\\ +\hline +{\hyperref[appdev/refs/api/krb5_set_default_realm:c.krb5_set_default_realm]{\code{krb5\_set\_default\_realm()}}} + & +H5l: Caches the computed default realm context +field. If the second argument is NULL, +it tries to retrieve it from libdefaults or DNS. +MIT: Computes the default realm each time +if it wasn't explicitly set in the context +\\ +\hline\end{tabulary} + + + +\chapter{Initial credentials} +\label{appdev/init_creds:initial-credentials}\label{appdev/init_creds::doc} +Software that performs tasks such as logging users into a computer +when they type their Kerberos password needs to get initial +credentials (usually ticket granting tickets) from Kerberos. Such +software shares some behavior with the \emph{kinit(1)} program. + +Whenever a program grants access to a resource (such as a local login +session on a desktop computer) based on a user successfully getting +initial Kerberos credentials, it must verify those credentials against +a secure shared secret (e.g., a host keytab) to ensure that the user +credentials actually originate from a legitimate KDC. Failure to +perform this verification is a critical vulnerability, because a +malicious user can execute the ``Zanarotti attack'': the user constructs +a fake response that appears to come from the legitimate KDC, but +whose contents come from an attacker-controlled KDC. + +Some applications read a Kerberos password over the network (ideally +over a secure channel), which they then verify against the KDC. While +this technique may be the only practical way to integrate Kerberos +into some existing legacy systems, its use is contrary to the original +design goals of Kerberos. + +The function {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} will get initial +credentials for a client using a password. An application that needs +to verify the credentials can call {\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}}. +Here is an example of code to obtain and verify TGT credentials, given +strings \emph{princname} and \emph{password} for the client principal name and +password: + +\begin{Verbatim}[commandchars=\\\{\}] +krb5\PYGZus{}error\PYGZus{}code ret; +krb5\PYGZus{}creds creds; +krb5\PYGZus{}principal client\PYGZus{}princ = NULL; + +memset(\PYGZam{}creds, 0, sizeof(creds)); +ret = krb5\PYGZus{}parse\PYGZus{}name(context, princname, \PYGZam{}client\PYGZus{}princ); +if (ret) + goto cleanup; +ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password(context, \PYGZam{}creds, client\PYGZus{}princ, + password, NULL, NULL, 0, NULL, NULL); +if (ret) + goto cleanup; +ret = krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds(context, \PYGZam{}creds, NULL, NULL, NULL, NULL); + +cleanup: +krb5\PYGZus{}free\PYGZus{}principal(context, client\PYGZus{}princ); +krb5\PYGZus{}free\PYGZus{}cred\PYGZus{}contents(context, \PYGZam{}creds); +return ret; +\end{Verbatim} + + +\section{Options for get\_init\_creds} +\label{appdev/init_creds:options-for-get-init-creds} +The function {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} takes an options +parameter (which can be a null pointer). Use the function +{\hyperref[appdev/refs/api/krb5_get_init_creds_opt_alloc:c.krb5_get_init_creds_opt_alloc]{\code{krb5\_get\_init\_creds\_opt\_alloc()}}} to allocate an options +structure, and {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_free:c.krb5_get_init_creds_opt_free]{\code{krb5\_get\_init\_creds\_opt\_free()}}} to free it. For +example: + +\begin{Verbatim}[commandchars=\\\{\}] +krb5\PYGZus{}error\PYGZus{}code ret; +krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt *opt = NULL; +krb5\PYGZus{}creds creds; + +memset(\PYGZam{}creds, 0, sizeof(creds)); +ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}alloc(context, \PYGZam{}opt); +if (ret) + goto cleanup; +krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}set\PYGZus{}tkt\PYGZus{}life(opt, 24 * 60 * 60); +ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password(context, \PYGZam{}creds, client\PYGZus{}princ, + password, NULL, NULL, 0, NULL, opt); +if (ret) + goto cleanup; + +cleanup: +krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}free(context, opt); +krb5\PYGZus{}free\PYGZus{}cred\PYGZus{}contents(context, \PYGZam{}creds); +return ret; +\end{Verbatim} + + +\section{Getting anonymous credentials} +\label{appdev/init_creds:getting-anonymous-credentials} +As of release 1.8, it is possible to obtain fully anonymous or +partially anonymous (realm-exposed) credentials, if the KDC supports +it. The MIT KDC supports issuing fully anonymous credentials as of +release 1.8 if configured appropriately (see \emph{anonymous\_pkinit}), +but does not support issuing realm-exposed anonymous credentials at +this time. + +To obtain fully anonymous credentials, call +{\hyperref[appdev/refs/api/krb5_get_init_creds_opt_set_anonymous:c.krb5_get_init_creds_opt_set_anonymous]{\code{krb5\_get\_init\_creds\_opt\_set\_anonymous()}}} on the options +structure to set the anonymous flag, and specify a client principal +with the KDC's realm and a single empty data component (the principal +obtained by parsing \code{@}\emph{realmname}). Authentication will take +place using anonymous PKINIT; if successful, the client principal of +the resulting tickets will be +\code{WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS}. Here is an example: + +\begin{Verbatim}[commandchars=\\\{\}] +krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}set\PYGZus{}anonymous(opt, 1); +ret = krb5\PYGZus{}build\PYGZus{}principal(context, \PYGZam{}client\PYGZus{}princ, strlen(myrealm), + myrealm, \PYGZdq{}\PYGZdq{}, (char *)NULL); +if (ret) + goto cleanup; +ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password(context, \PYGZam{}creds, client\PYGZus{}princ, + password, NULL, NULL, 0, NULL, opt); +if (ret) + goto cleanup; +\end{Verbatim} + +To obtain realm-exposed anonymous credentials, set the anonymous flag +on the options structure as above, but specify a normal client +principal in order to prove membership in the realm. Authentication +will take place as it normally does; if successful, the client +principal of the resulting tickets will be \code{WELLKNOWN/ANONYMOUS@}\emph{realmname}. + + +\section{User interaction} +\label{appdev/init_creds:user-interaction} +Authenticating a user usually requires the entry of secret +information, such as a password. A password can be supplied directly +to {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} via the \emph{password} +parameter, or the application can supply prompter and/or responder +callbacks instead. If callbacks are used, the user can also be +queried for other secret information such as a PIN, informed of +impending password expiration, or prompted to change a password which +has expired. + + +\subsection{Prompter callback} +\label{appdev/init_creds:prompter-callback} +A prompter callback can be specified via the \emph{prompter} and \emph{data} +parameters to {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}}. The prompter +will be invoked each time the krb5 library has a question to ask or +information to present. When the prompter callback is invoked, the +\emph{banner} argument (if not null) is intended to be displayed to the +user, and the questions to be answered are specified in the \emph{prompts} +array. Each prompt contains a text question in the \emph{prompt} field, a +\emph{hidden} bit to indicate whether the answer should be hidden from +display, and a storage area for the answer in the \emph{reply} field. The +callback should fill in each question's \code{reply-\textgreater{}data} with the +answer, up to a maximum number of \code{reply-\textgreater{}length} bytes, and then +reset \code{reply-\textgreater{}length} to the length of the answer. + +A prompter callback can call {\hyperref[appdev/refs/api/krb5_get_prompt_types:c.krb5_get_prompt_types]{\code{krb5\_get\_prompt\_types()}}} to get an +array of type constants corresponding to the prompts, to get +programmatic information about the semantic meaning of the questions. +{\hyperref[appdev/refs/api/krb5_get_prompt_types:c.krb5_get_prompt_types]{\code{krb5\_get\_prompt\_types()}}} may return a null pointer if no prompt +type information is available. + +Text-based applications can use a built-in text prompter +implementation by supplying {\hyperref[appdev/refs/api/krb5_prompter_posix:c.krb5_prompter_posix]{\code{krb5\_prompter\_posix()}}} as the +\emph{prompter} parameter and a null pointer as the \emph{data} parameter. For +example: + +\begin{Verbatim}[commandchars=\\\{\}] +ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password(context, \PYGZam{}creds, client\PYGZus{}princ, + NULL, krb5\PYGZus{}prompter\PYGZus{}posix, NULL, 0, + NULL, NULL); +\end{Verbatim} + + +\subsection{Responder callback} +\label{appdev/init_creds:responder-callback} +A responder callback can be specified through the init\_creds options +using the {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_set_responder:c.krb5_get_init_creds_opt_set_responder]{\code{krb5\_get\_init\_creds\_opt\_set\_responder()}}} function. +Responder callbacks can present a more sophisticated user interface +for authentication secrets. The responder callback is usually invoked +only once per authentication, with a list of questions produced by all +of the allowed preauthentication mechanisms. + +When the responder callback is invoked, the \emph{rctx} argument can be +accessed to obtain the list of questions and to answer them. The +{\hyperref[appdev/refs/api/krb5_responder_list_questions:c.krb5_responder_list_questions]{\code{krb5\_responder\_list\_questions()}}} function retrieves an array of +question types. For each question type, the +{\hyperref[appdev/refs/api/krb5_responder_get_challenge:c.krb5_responder_get_challenge]{\code{krb5\_responder\_get\_challenge()}}} function retrieves additional +information about the question, if applicable, and the +{\hyperref[appdev/refs/api/krb5_responder_set_answer:c.krb5_responder_set_answer]{\code{krb5\_responder\_set\_answer()}}} function sets the answer. + +Responder question types, challenges, and answers are UTF-8 strings. +The question type is a well-known string; the meaning of the challenge +and answer depend on the question type. If an application does not +understand a question type, it cannot interpret the challenge or +provide an answer. Failing to answer a question typically results in +the prompter callback being used as a fallback. + + +\subsubsection{Password question} +\label{appdev/init_creds:password-question} +The \code{KRB5\_RESPONDER\_QUESTION\_PASSWORD} (or \code{"password"}) +question type requests the user's password. This question does not +have a challenge, and the response is simply the password string. + + +\subsubsection{One-time password question} +\label{appdev/init_creds:one-time-password-question} +The \code{KRB5\_RESPONDER\_QUESTION\_OTP} (or \code{"otp"}) question +type requests a choice among one-time password tokens and the PIN and +value for the chosen token. The challenge and answer are JSON-encoded +strings, but an application can use convenience functions to avoid +doing any JSON processing itself. + +The {\hyperref[appdev/refs/api/krb5_responder_otp_get_challenge:c.krb5_responder_otp_get_challenge]{\code{krb5\_responder\_otp\_get\_challenge()}}} function decodes the +challenge into a krb5\_responder\_otp\_challenge structure. The +{\hyperref[appdev/refs/api/krb5_responder_otp_set_answer:c.krb5_responder_otp_set_answer]{\code{krb5\_responder\_otp\_set\_answer()}}} function selects one of the +token information elements from the challenge and supplies the value +and pin for that token. + + +\subsubsection{PKINIT password or PIN question} +\label{appdev/init_creds:pkinit-password-or-pin-question} +The \code{KRB5\_RESPONDER\_QUESTION\_PKINIT} (or \code{"pkinit"}) question +type requests PINs for hardware devices and/or passwords for encrypted +credentials which are stored on disk, potentially also supplying +information about the state of the hardware devices. The challenge and +answer are JSON-encoded strings, but an application can use convenience +functions to avoid doing any JSON processing itself. + +The {\hyperref[appdev/refs/api/krb5_responder_pkinit_get_challenge:c.krb5_responder_pkinit_get_challenge]{\code{krb5\_responder\_pkinit\_get\_challenge()}}} function decodes the +challenges into a krb5\_responder\_pkinit\_challenge structure. The +{\hyperref[appdev/refs/api/krb5_responder_pkinit_set_answer:c.krb5_responder_pkinit_set_answer]{\code{krb5\_responder\_pkinit\_set\_answer()}}} function can be used to +supply the PIN or password for a particular client credential, and can +be called multiple times. + + +\subsubsection{Example} +\label{appdev/init_creds:example} +Here is an example of using a responder callback: + +\begin{Verbatim}[commandchars=\\\{\}] +static krb5\PYGZus{}error\PYGZus{}code +my\PYGZus{}responder(krb5\PYGZus{}context context, void *data, + krb5\PYGZus{}responder\PYGZus{}context rctx) +\PYGZob{} + krb5\PYGZus{}error\PYGZus{}code ret; + krb5\PYGZus{}responder\PYGZus{}otp\PYGZus{}challenge *chl; + + if (krb5\PYGZus{}responder\PYGZus{}get\PYGZus{}challenge(context, rctx, + KRB5\PYGZus{}RESPONDER\PYGZus{}QUESTION\PYGZus{}PASSWORD)) \PYGZob{} + ret = krb5\PYGZus{}responder\PYGZus{}set\PYGZus{}answer(context, rctx, + KRB5\PYGZus{}RESPONDER\PYGZus{}QUESTION\PYGZus{}PASSWORD, + \PYGZdq{}open sesame\PYGZdq{}); + if (ret) + return ret; + \PYGZcb{} + ret = krb5\PYGZus{}responder\PYGZus{}otp\PYGZus{}get\PYGZus{}challenge(context, rctx, \PYGZam{}chl); + if (ret == 0 \PYGZam{}\PYGZam{} chl != NULL) \PYGZob{} + ret = krb5\PYGZus{}responder\PYGZus{}otp\PYGZus{}set\PYGZus{}answer(context, rctx, 0, \PYGZdq{}1234\PYGZdq{}, + NULL); + krb5\PYGZus{}responder\PYGZus{}otp\PYGZus{}challenge\PYGZus{}free(context, rctx, chl); + if (ret) + return ret; + \PYGZcb{} + return 0; +\PYGZcb{} + +static krb5\PYGZus{}error\PYGZus{}code +get\PYGZus{}creds(krb5\PYGZus{}context context, krb5\PYGZus{}principal client\PYGZus{}princ) +\PYGZob{} + krb5\PYGZus{}error\PYGZus{}code ret; + krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt *opt = NULL; + krb5\PYGZus{}creds creds; + + memset(\PYGZam{}creds, 0, sizeof(creds)); + ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}alloc(context, \PYGZam{}opt); + if (ret) + goto cleanup; + ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}set\PYGZus{}responder(context, opt, my\PYGZus{}responder, + NULL); + if (ret) + goto cleanup; + ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password(context, \PYGZam{}creds, client\PYGZus{}princ, + NULL, NULL, NULL, 0, NULL, opt); + +cleanup: + krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}free(context, opt); + krb5\PYGZus{}free\PYGZus{}cred\PYGZus{}contents(context, \PYGZam{}creds); + return ret; +\PYGZcb{} +\end{Verbatim} + + +\section{Verifying initial credentials} +\label{appdev/init_creds:verifying-initial-credentials} +Use the function {\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}} to verify initial +credentials. It takes an options structure (which can be a null +pointer). Use {\hyperref[appdev/refs/api/krb5_verify_init_creds_opt_init:c.krb5_verify_init_creds_opt_init]{\code{krb5\_verify\_init\_creds\_opt\_init()}}} to initialize +the caller-allocated options structure, and +{\hyperref[appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail:c.krb5_verify_init_creds_opt_set_ap_req_nofail]{\code{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail()}}} to set the +``nofail'' option. For example: + +\begin{Verbatim}[commandchars=\\\{\}] +krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds\PYGZus{}opt vopt; + +krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}init(\PYGZam{}vopt); +krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}set\PYGZus{}ap\PYGZus{}req\PYGZus{}nofail(\PYGZam{}vopt, 1); +ret = krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds(context, \PYGZam{}creds, NULL, NULL, NULL, \PYGZam{}vopt); +\end{Verbatim} + +The confusingly named ``nofail'' option, when set, means that the +verification must actually succeed in order for +{\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}} to indicate success. The default +state of this option (cleared) means that if there is no key material +available to verify the user credentials, the verification will +succeed anyway. (The default can be changed by a configuration file +setting.) + +This accommodates a use case where a large number of unkeyed shared +desktop workstations need to allow users to log in using Kerberos. +The security risks from this practice are mitigated by the absence of +valuable state on the shared workstations---any valuable resources +that the users would access reside on networked servers. + + +\chapter{Principal manipulation and parsing} +\label{appdev/princ_handle:principal-manipulation-and-parsing}\label{appdev/princ_handle::doc} +Kerberos principal structure + +{\hyperref[appdev/refs/types/krb5_principal_data:c.krb5_principal_data]{\code{krb5\_principal\_data}}} + +{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{\code{krb5\_principal}}} + +Create and free principal + +{\hyperref[appdev/refs/api/krb5_build_principal:c.krb5_build_principal]{\code{krb5\_build\_principal()}}} + +{\hyperref[appdev/refs/api/krb5_build_principal_alloc_va:c.krb5_build_principal_alloc_va]{\code{krb5\_build\_principal\_alloc\_va()}}} + +{\hyperref[appdev/refs/api/krb5_build_principal_ext:c.krb5_build_principal_ext]{\code{krb5\_build\_principal\_ext()}}} + +{\hyperref[appdev/refs/api/krb5_copy_principal:c.krb5_copy_principal]{\code{krb5\_copy\_principal()}}} + +{\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} + +{\hyperref[appdev/refs/api/krb5_cc_get_principal:c.krb5_cc_get_principal]{\code{krb5\_cc\_get\_principal()}}} + +Comparing + +{\hyperref[appdev/refs/api/krb5_principal_compare:c.krb5_principal_compare]{\code{krb5\_principal\_compare()}}} + +{\hyperref[appdev/refs/api/krb5_principal_compare_flags:c.krb5_principal_compare_flags]{\code{krb5\_principal\_compare\_flags()}}} + +{\hyperref[appdev/refs/api/krb5_principal_compare_any_realm:c.krb5_principal_compare_any_realm]{\code{krb5\_principal\_compare\_any\_realm()}}} + +{\hyperref[appdev/refs/api/krb5_sname_match:c.krb5_sname_match]{\code{krb5\_sname\_match()}}} + +{\hyperref[appdev/refs/api/krb5_sname_to_principal:c.krb5_sname_to_principal]{\code{krb5\_sname\_to\_principal()}}} + +Parsing: + +{\hyperref[appdev/refs/api/krb5_parse_name:c.krb5_parse_name]{\code{krb5\_parse\_name()}}} + +{\hyperref[appdev/refs/api/krb5_parse_name_flags:c.krb5_parse_name_flags]{\code{krb5\_parse\_name\_flags()}}} + +{\hyperref[appdev/refs/api/krb5_unparse_name:c.krb5_unparse_name]{\code{krb5\_unparse\_name()}}} + +{\hyperref[appdev/refs/api/krb5_unparse_name_flags:c.krb5_unparse_name_flags]{\code{krb5\_unparse\_name\_flags()}}} + +Utilities: + +{\hyperref[appdev/refs/api/krb5_is_config_principal:c.krb5_is_config_principal]{\code{krb5\_is\_config\_principal()}}} + +{\hyperref[appdev/refs/api/krb5_kuserok:c.krb5_kuserok]{\code{krb5\_kuserok()}}} + +{\hyperref[appdev/refs/api/krb5_set_password:c.krb5_set_password]{\code{krb5\_set\_password()}}} + +{\hyperref[appdev/refs/api/krb5_set_password_using_ccache:c.krb5_set_password_using_ccache]{\code{krb5\_set\_password\_using\_ccache()}}} + +{\hyperref[appdev/refs/api/krb5_set_principal_realm:c.krb5_set_principal_realm]{\code{krb5\_set\_principal\_realm()}}} + +{\hyperref[appdev/refs/api/krb5_realm_compare:c.krb5_realm_compare]{\code{krb5\_realm\_compare()}}} + + +\chapter{Complete reference - API and datatypes} +\label{appdev/refs/index:complete-reference-api-and-datatypes}\label{appdev/refs/index::doc} + +\section{krb5 API} +\label{appdev/refs/api/index:krb5-api}\label{appdev/refs/api/index::doc} + +\subsection{Frequently used public interfaces} +\label{appdev/refs/api/index:frequently-used-public-interfaces} + +\subsubsection{krb5\_build\_principal - Build a principal name using null-terminated strings.} +\label{appdev/refs/api/krb5_build_principal:krb5-build-principal-build-a-principal-name-using-null-terminated-strings}\label{appdev/refs/api/krb5_build_principal::doc}\index{krb5\_build\_principal (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_build_principal:c.krb5_build_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_build\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ princ}, unsigned int\emph{ rlen}, const char *\emph{ realm}, ...}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{princ} - Principal name + +\textbf{{[}in{]}} \textbf{rlen} - Realm name length + +\textbf{{[}in{]}} \textbf{realm} - Realm name + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Call {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free \emph{princ} when it is no longer needed. + +\begin{notice}{note}{Note:} +{\hyperref[appdev/refs/api/krb5_build_principal:c.krb5_build_principal]{\code{krb5\_build\_principal()}}} and {\hyperref[appdev/refs/api/krb5_build_principal_alloc_va:c.krb5_build_principal_alloc_va]{\code{krb5\_build\_principal\_alloc\_va()}}} perform the same task. {\hyperref[appdev/refs/api/krb5_build_principal:c.krb5_build_principal]{\code{krb5\_build\_principal()}}} takes variadic arguments. {\hyperref[appdev/refs/api/krb5_build_principal_alloc_va:c.krb5_build_principal_alloc_va]{\code{krb5\_build\_principal\_alloc\_va()}}} takes a pre-computed \emph{varargs} pointer. +\end{notice} + + +\subsubsection{krb5\_build\_principal\_alloc\_va - Build a principal name, using a precomputed variable argument list.} +\label{appdev/refs/api/krb5_build_principal_alloc_va:krb5-build-principal-alloc-va-build-a-principal-name-using-a-precomputed-variable-argument-list}\label{appdev/refs/api/krb5_build_principal_alloc_va::doc}\index{krb5\_build\_principal\_alloc\_va (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_build_principal_alloc_va:c.krb5_build_principal_alloc_va}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_build\_principal\_alloc\_va}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ princ}, unsigned int\emph{ rlen}, const char *\emph{ realm}, va\_list\emph{ ap}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{princ} - Principal structure + +\textbf{{[}in{]}} \textbf{rlen} - Realm name length + +\textbf{{[}in{]}} \textbf{realm} - Realm name + +\textbf{{[}in{]}} \textbf{ap} - List of char * components, ending with NULL + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Similar to {\hyperref[appdev/refs/api/krb5_build_principal:c.krb5_build_principal]{\code{krb5\_build\_principal()}}} , this function builds a principal name, but its name components are specified as a va\_list. + +Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to deallocate \emph{princ} when it is no longer needed. + + +\subsubsection{krb5\_build\_principal\_ext - Build a principal name using length-counted strings.} +\label{appdev/refs/api/krb5_build_principal_ext:krb5-build-principal-ext-build-a-principal-name-using-length-counted-strings}\label{appdev/refs/api/krb5_build_principal_ext::doc}\index{krb5\_build\_principal\_ext (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_build_principal_ext:c.krb5_build_principal_ext}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_build\_principal\_ext}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ princ}, unsigned int\emph{ rlen}, const char *\emph{ realm}, ...}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{princ} - Principal name + +\textbf{{[}in{]}} \textbf{rlen} - Realm name length + +\textbf{{[}in{]}} \textbf{realm} - Realm name + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a principal from a length-counted string and a variable-length list of length-counted components. The list of components ends with the first 0 length argument (so it is not possible to specify an empty component with this function). Call {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free allocated memory for principal when it is no longer needed. + + +\subsubsection{krb5\_cc\_close - Close a credential cache handle.} +\label{appdev/refs/api/krb5_cc_close:krb5-cc-close-close-a-credential-cache-handle}\label{appdev/refs/api/krb5_cc_close::doc}\index{krb5\_cc\_close (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_close:c.krb5_cc_close}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_close}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function closes a credential cache handle \emph{cache} without affecting the contents of the cache. + + +\subsubsection{krb5\_cc\_default - Resolve the default credential cache name.} +\label{appdev/refs/api/krb5_cc_default::doc}\label{appdev/refs/api/krb5_cc_default:krb5-cc-default-resolve-the-default-credential-cache-name}\index{krb5\_cc\_default (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_default:c.krb5_cc_default}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_default}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ ccache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{ccache} - Pointer to credential cache name + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +KV5M\_CONTEXT Bad magic number for \_krb5\_context structure + +\item {} +KRB5\_FCC\_INTERNAL The name of the default credential cache cannot be obtained + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Create a handle to the default credential cache as given by {\hyperref[appdev/refs/api/krb5_cc_default_name:c.krb5_cc_default_name]{\code{krb5\_cc\_default\_name()}}} . + + +\subsubsection{krb5\_cc\_default\_name - Return the name of the default credential cache.} +\label{appdev/refs/api/krb5_cc_default_name::doc}\label{appdev/refs/api/krb5_cc_default_name:krb5-cc-default-name-return-the-name-of-the-default-credential-cache}\index{krb5\_cc\_default\_name (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_default_name:c.krb5_cc_default_name}\pysiglinewithargsret{const char * \bfcode{krb5\_cc\_default\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +Name of default credential cache for the current user. + +\end{itemize} + +\end{description}\end{quote} + +Return a pointer to the default credential cache name for \emph{context} , as determined by a prior call to {\hyperref[appdev/refs/api/krb5_cc_set_default_name:c.krb5_cc_set_default_name]{\code{krb5\_cc\_set\_default\_name()}}} , by the KRB5CCNAME environment variable, by the default\_ccache\_name profile variable, or by the operating system or build-time default value. The returned value must not be modified or freed by the caller. The returned value becomes invalid when \emph{context} is destroyed {\hyperref[appdev/refs/api/krb5_free_context:c.krb5_free_context]{\code{krb5\_free\_context()}}} or if a subsequent call to {\hyperref[appdev/refs/api/krb5_cc_set_default_name:c.krb5_cc_set_default_name]{\code{krb5\_cc\_set\_default\_name()}}} is made on \emph{context} . + +The default credential cache name is cached in \emph{context} between calls to this function, so if the value of KRB5CCNAME changes in the process environment after the first call to this function on, that change will not be reflected in later calls with the same context. The caller can invoke {\hyperref[appdev/refs/api/krb5_cc_set_default_name:c.krb5_cc_set_default_name]{\code{krb5\_cc\_set\_default\_name()}}} with a NULL value of \emph{name} to clear the cached value and force the default name to be recomputed. + + +\subsubsection{krb5\_cc\_destroy - Destroy a credential cache.} +\label{appdev/refs/api/krb5_cc_destroy:krb5-cc-destroy-destroy-a-credential-cache}\label{appdev/refs/api/krb5_cc_destroy::doc}\index{krb5\_cc\_destroy (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_destroy:c.krb5_cc_destroy}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_destroy}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Permission errors + +\end{itemize} + +\end{description}\end{quote} + +This function destroys any existing contents of \emph{cache} and closes the handle to it. + + +\subsubsection{krb5\_cc\_dup - Duplicate ccache handle.} +\label{appdev/refs/api/krb5_cc_dup:krb5-cc-dup-duplicate-ccache-handle}\label{appdev/refs/api/krb5_cc_dup::doc}\index{krb5\_cc\_dup (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_dup:c.krb5_cc_dup}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_dup}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ in}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{in} - Credential cache handle to be duplicated + +\textbf{{[}out{]}} \textbf{out} - Credential cache handle + +\end{description}\end{quote} + +Create a new handle referring to the same cache as \emph{in} . The new handle and \emph{in} can be closed independently. + + +\subsubsection{krb5\_cc\_get\_name - Retrieve the name, but not type of a credential cache.} +\label{appdev/refs/api/krb5_cc_get_name::doc}\label{appdev/refs/api/krb5_cc_get_name:krb5-cc-get-name-retrieve-the-name-but-not-type-of-a-credential-cache}\index{krb5\_cc\_get\_name (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_get_name:c.krb5_cc_get_name}\pysiglinewithargsret{const char * \bfcode{krb5\_cc\_get\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +On success - the name of the credential cache. + +\end{itemize} + +\end{description}\end{quote} + +\begin{notice}{warning}{Warning:} +Returns the name of the credential cache. The result is an alias into \emph{cache} and should not be freed or modified by the caller. This name does not include the cache type, so should not be used as input to {\hyperref[appdev/refs/api/krb5_cc_resolve:c.krb5_cc_resolve]{\code{krb5\_cc\_resolve()}}} . +\end{notice} + + +\subsubsection{krb5\_cc\_get\_principal - Get the default principal of a credential cache.} +\label{appdev/refs/api/krb5_cc_get_principal:krb5-cc-get-principal-get-the-default-principal-of-a-credential-cache}\label{appdev/refs/api/krb5_cc_get_principal::doc}\index{krb5\_cc\_get\_principal (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_get_principal:c.krb5_cc_get_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_get\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ principal}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\textbf{{[}out{]}} \textbf{principal} - Primary principal + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Returns the default client principal of a credential cache as set by {\hyperref[appdev/refs/api/krb5_cc_initialize:c.krb5_cc_initialize]{\code{krb5\_cc\_initialize()}}} . + +Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free \emph{principal} when it is no longer needed. + + +\subsubsection{krb5\_cc\_get\_type - Retrieve the type of a credential cache.} +\label{appdev/refs/api/krb5_cc_get_type:krb5-cc-get-type-retrieve-the-type-of-a-credential-cache}\label{appdev/refs/api/krb5_cc_get_type::doc}\index{krb5\_cc\_get\_type (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_get_type:c.krb5_cc_get_type}\pysiglinewithargsret{const char * \bfcode{krb5\_cc\_get\_type}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +The type of a credential cache as an alias that must not be modified or freed by the caller. + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_cc\_initialize - Initialize a credential cache.} +\label{appdev/refs/api/krb5_cc_initialize::doc}\label{appdev/refs/api/krb5_cc_initialize:krb5-cc-initialize-initialize-a-credential-cache}\index{krb5\_cc\_initialize (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_initialize:c.krb5_cc_initialize}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_initialize}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ principal}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\textbf{{[}in{]}} \textbf{principal} - Default principal name + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +System errors; Permission errors; Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Destroy any existing contents of \emph{cache} and initialize it for the default principal \emph{principal} . + + +\subsubsection{krb5\_cc\_new\_unique - Create a new credential cache of the specified type with a unique name.} +\label{appdev/refs/api/krb5_cc_new_unique:krb5-cc-new-unique-create-a-new-credential-cache-of-the-specified-type-with-a-unique-name}\label{appdev/refs/api/krb5_cc_new_unique::doc}\index{krb5\_cc\_new\_unique (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_new_unique:c.krb5_cc_new_unique}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_new\_unique}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ type}, const char *\emph{ hint}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ id}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{type} - Credential cache type name + +\textbf{{[}in{]}} \textbf{hint} - Unused + +\textbf{{[}out{]}} \textbf{id} - Credential cache handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_cc\_resolve - Resolve a credential cache name.} +\label{appdev/refs/api/krb5_cc_resolve:krb5-cc-resolve-resolve-a-credential-cache-name}\label{appdev/refs/api/krb5_cc_resolve::doc}\index{krb5\_cc\_resolve (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_resolve:c.krb5_cc_resolve}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_resolve}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ name}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ cache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{name} - Credential cache name to be resolved + +\textbf{{[}out{]}} \textbf{cache} - Credential cache handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Fills in \emph{cache} with a \emph{cache} handle that corresponds to the name in \emph{name} . \emph{name} should be of the form \textbf{type:residual} , and \emph{type} must be a type known to the library. If the \emph{name} does not contain a colon, interpret it as a file name. + + +\subsubsection{krb5\_change\_password - Change a password for an existing Kerberos account.} +\label{appdev/refs/api/krb5_change_password:krb5-change-password-change-a-password-for-an-existing-kerberos-account}\label{appdev/refs/api/krb5_change_password::doc}\index{krb5\_change\_password (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_change_password:c.krb5_change_password}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_change\_password}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, const char *\emph{ newpw}, int *\emph{ result\_code}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ result\_code\_string}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ result\_string}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{creds} - Credentials for kadmin/changepw service + +\textbf{{[}in{]}} \textbf{newpw} - New password + +\textbf{{[}out{]}} \textbf{result\_code} - Numeric error code from server + +\textbf{{[}out{]}} \textbf{result\_code\_string} - String equivalent to \emph{result\_code} + +\textbf{{[}out{]}} \textbf{result\_string} - Change password response from the KDC + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Change the password for the existing principal identified by \emph{creds} . + +The possible values of the output \emph{result\_code} are: +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_KPASSWD_SUCCESS:KRB5_KPASSWD_SUCCESS]{\code{KRB5\_KPASSWD\_SUCCESS}}} (0) - success + +\item {} +{\hyperref[appdev/refs/macros/KRB5_KPASSWD_MALFORMED:KRB5_KPASSWD_MALFORMED]{\code{KRB5\_KPASSWD\_MALFORMED}}} (1) - Malformed request error + +\item {} +{\hyperref[appdev/refs/macros/KRB5_KPASSWD_HARDERROR:KRB5_KPASSWD_HARDERROR]{\code{KRB5\_KPASSWD\_HARDERROR}}} (2) - Server error + +\item {} +{\hyperref[appdev/refs/macros/KRB5_KPASSWD_AUTHERROR:KRB5_KPASSWD_AUTHERROR]{\code{KRB5\_KPASSWD\_AUTHERROR}}} (3) - Authentication error + +\item {} +{\hyperref[appdev/refs/macros/KRB5_KPASSWD_SOFTERROR:KRB5_KPASSWD_SOFTERROR]{\code{KRB5\_KPASSWD\_SOFTERROR}}} (4) - Password change rejected + +\end{itemize} + + +\subsubsection{krb5\_chpw\_message - Get a result message for changing or setting a password.} +\label{appdev/refs/api/krb5_chpw_message:krb5-chpw-message-get-a-result-message-for-changing-or-setting-a-password}\label{appdev/refs/api/krb5_chpw_message::doc}\index{krb5\_chpw\_message (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_chpw_message:c.krb5_chpw_message}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_chpw\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ server\_string}, char **\emph{ message\_out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{server\_string} - Data returned from the remote system + +\textbf{{[}out{]}} \textbf{message\_out} - A message displayable to the user + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function processes the \emph{server\_string} returned in the \emph{result\_string} parameter of {\hyperref[appdev/refs/api/krb5_change_password:c.krb5_change_password]{\code{krb5\_change\_password()}}} , {\hyperref[appdev/refs/api/krb5_set_password:c.krb5_set_password]{\code{krb5\_set\_password()}}} , and related functions, and returns a displayable string. If \emph{server\_string} contains Active Directory structured policy information, it will be converted into human-readable text. + +Use {\hyperref[appdev/refs/api/krb5_free_string:c.krb5_free_string]{\code{krb5\_free\_string()}}} to free \emph{message\_out} when it is no longer needed. + +\begin{notice}{note}{Note:} +New in 1.11 +\end{notice} + + +\subsubsection{krb5\_expand\_hostname - Canonicalize a hostname, possibly using name service.} +\label{appdev/refs/api/krb5_expand_hostname:krb5-expand-hostname-canonicalize-a-hostname-possibly-using-name-service}\label{appdev/refs/api/krb5_expand_hostname::doc}\index{krb5\_expand\_hostname (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_expand_hostname:c.krb5_expand_hostname}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_expand\_hostname}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ host}, char **\emph{ canonhost\_out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{host} - Input hostname + +\textbf{{[}out{]}} \textbf{canonhost\_out} - Canonicalized hostname + +\end{description}\end{quote} + +This function canonicalizes orig\_hostname, possibly using name service lookups if configuration permits. Use {\hyperref[appdev/refs/api/krb5_free_string:c.krb5_free_string]{\code{krb5\_free\_string()}}} to free \emph{canonhost\_out} when it is no longer needed. + +\begin{notice}{note}{Note:} +New in 1.15 +\end{notice} + + +\subsubsection{krb5\_free\_context - Free a krb5 library context.} +\label{appdev/refs/api/krb5_free_context:krb5-free-context-free-a-krb5-library-context}\label{appdev/refs/api/krb5_free_context::doc}\index{krb5\_free\_context (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_context:c.krb5_free_context}\pysiglinewithargsret{void \bfcode{krb5\_free\_context}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\end{description}\end{quote} + +This function frees a \emph{context} that was created by {\hyperref[appdev/refs/api/krb5_init_context:c.krb5_init_context]{\code{krb5\_init\_context()}}} or {\hyperref[appdev/refs/api/krb5_init_secure_context:c.krb5_init_secure_context]{\code{krb5\_init\_secure\_context()}}} . + + +\subsubsection{krb5\_free\_error\_message - Free an error message generated by krb5\_get\_error\_message() .} +\label{appdev/refs/api/krb5_free_error_message:krb5-free-error-message-free-an-error-message-generated-by-krb5-get-error-message}\label{appdev/refs/api/krb5_free_error_message::doc}\index{krb5\_free\_error\_message (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_error_message:c.krb5_free_error_message}\pysiglinewithargsret{void \bfcode{krb5\_free\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, const char *\emph{ msg}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{msg} - Pointer to error message + +\end{description}\end{quote} + + +\subsubsection{krb5\_free\_principal - Free the storage assigned to a principal.} +\label{appdev/refs/api/krb5_free_principal::doc}\label{appdev/refs/api/krb5_free_principal:krb5-free-principal-free-the-storage-assigned-to-a-principal}\index{krb5\_free\_principal (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_principal:c.krb5_free_principal}\pysiglinewithargsret{void \bfcode{krb5\_free\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Principal to be freed + +\end{description}\end{quote} + + +\subsubsection{krb5\_fwd\_tgt\_creds - Get a forwarded TGT and format a KRB-CRED message.} +\label{appdev/refs/api/krb5_fwd_tgt_creds:krb5-fwd-tgt-creds-get-a-forwarded-tgt-and-format-a-krb-cred-message}\label{appdev/refs/api/krb5_fwd_tgt_creds::doc}\index{krb5\_fwd\_tgt\_creds (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_fwd_tgt_creds:c.krb5_fwd_tgt_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_fwd\_tgt\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, char *\emph{ rhost}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cc}, int\emph{ forwardable}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{rhost} - Remote host + +\textbf{{[}in{]}} \textbf{client} - Client principal of TGT + +\textbf{{[}in{]}} \textbf{server} - Principal of server to receive TGT + +\textbf{{[}in{]}} \textbf{cc} - Credential cache handle (NULL to use default) + +\textbf{{[}in{]}} \textbf{forwardable} - Whether TGT should be forwardable + +\textbf{{[}out{]}} \textbf{outbuf} - KRB-CRED message + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +ENOMEM Insufficient memory + +\item {} +KRB5\_PRINC\_NOMATCH Requested principal and ticket do not match + +\item {} +KRB5\_NO\_TKT\_SUPPLIED Request did not supply a ticket + +\item {} +KRB5\_CC\_BADNAME Credential cache name or principal name malformed + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Get a TGT for use at the remote host \emph{rhost} and format it into a KRB-CRED message. If \emph{rhost} is NULL and \emph{server} is of type {\hyperref[appdev/refs/macros/KRB5_NT_SRV_HST:KRB5_NT_SRV_HST]{\code{KRB5\_NT\_SRV\_HST}}} , the second component of \emph{server} will be used. + + +\subsubsection{krb5\_get\_default\_realm - Retrieve the default realm.} +\label{appdev/refs/api/krb5_get_default_realm:krb5-get-default-realm-retrieve-the-default-realm}\label{appdev/refs/api/krb5_get_default_realm::doc}\index{krb5\_get\_default\_realm (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_default_realm:c.krb5_get_default_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_default\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, char **\emph{ lrealm}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{lrealm} - Default realm name + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Retrieves the default realm to be used if no user-specified realm is available. + +Use {\hyperref[appdev/refs/api/krb5_free_default_realm:c.krb5_free_default_realm]{\code{krb5\_free\_default\_realm()}}} to free \emph{lrealm} when it is no longer needed. + + +\subsubsection{krb5\_get\_error\_message - Get the (possibly extended) error message for a code.} +\label{appdev/refs/api/krb5_get_error_message::doc}\label{appdev/refs/api/krb5_get_error_message:krb5-get-error-message-get-the-possibly-extended-error-message-for-a-code}\index{krb5\_get\_error\_message (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_error_message:c.krb5_get_error_message}\pysiglinewithargsret{const char * \bfcode{krb5\_get\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{code} - Error code + +\end{description}\end{quote} + +The behavior of {\hyperref[appdev/refs/api/krb5_get_error_message:c.krb5_get_error_message]{\code{krb5\_get\_error\_message()}}} is only defined the first time it is called after a failed call to a krb5 function using the same context, and only when the error code passed in is the same as that returned by the krb5 function. + +This function never returns NULL, so its result may be used unconditionally as a C string. + +The string returned by this function must be freed using {\hyperref[appdev/refs/api/krb5_free_error_message:c.krb5_free_error_message]{\code{krb5\_free\_error\_message()}}} + +\begin{notice}{note}{Note:} +Future versions may return the same string for the second and following calls. +\end{notice} + + +\subsubsection{krb5\_get\_host\_realm - Get the Kerberos realm names for a host.} +\label{appdev/refs/api/krb5_get_host_realm:krb5-get-host-realm-get-the-kerberos-realm-names-for-a-host}\label{appdev/refs/api/krb5_get_host_realm::doc}\index{krb5\_get\_host\_realm (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_host_realm:c.krb5_get_host_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_host\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ host}, char ***\emph{ realmsp}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{host} - Host name (or NULL) + +\textbf{{[}out{]}} \textbf{realmsp} - Null-terminated list of realm names + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +ENOMEM Insufficient memory + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Fill in \emph{realmsp} with a pointer to a null-terminated list of realm names. If there are no known realms for the host, a list containing the referral (empty) realm is returned. + +If \emph{host} is NULL, the local host's realms are determined. + +Use {\hyperref[appdev/refs/api/krb5_free_host_realm:c.krb5_free_host_realm]{\code{krb5\_free\_host\_realm()}}} to release \emph{realmsp} when it is no longer needed. + + +\subsubsection{krb5\_get\_credentials - Get an additional ticket.} +\label{appdev/refs/api/krb5_get_credentials:krb5-get-credentials-get-an-additional-ticket}\label{appdev/refs/api/krb5_get_credentials::doc}\index{krb5\_get\_credentials (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_credentials:c.krb5_get_credentials}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_credentials}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ in\_creds}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ out\_creds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{options} - Options + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle + +\textbf{{[}in{]}} \textbf{in\_creds} - Input credentials + +\textbf{{[}out{]}} \textbf{out\_creds} - Output updated credentials + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Use \emph{ccache} or a TGS exchange to get a service ticket matching \emph{in\_creds} . + +Valid values for \emph{options} are: +\begin{quote} +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_GC_CACHED:KRB5_GC_CACHED]{\code{KRB5\_GC\_CACHED}}} Search only credential cache for the ticket + +\item {} +{\hyperref[appdev/refs/macros/KRB5_GC_USER_USER:KRB5_GC_USER_USER]{\code{KRB5\_GC\_USER\_USER}}} Return a user to user authentication ticket + +\end{itemize} + +\emph{in\_creds} must be non-null. \emph{in\_creds-\textgreater{}client} and \emph{in\_creds-\textgreater{}server} must be filled in to specify the client and the server respectively. If any authorization data needs to be requested for the service ticket (such as restrictions on how the ticket can be used), specify it in \emph{in\_creds-\textgreater{}authdata} ; otherwise set \emph{in\_creds-\textgreater{}authdata} to NULL. The session key type is specified in \emph{in\_creds-\textgreater{}keyblock.enctype} , if it is nonzero. +\end{quote} + +The expiration date is specified in \emph{in\_creds-\textgreater{}times.endtime} . The KDC may return tickets with an earlier expiration date. If \emph{in\_creds-\textgreater{}times.endtime} is set to 0, the latest possible expiration date will be requested. + +Any returned ticket and intermediate ticket-granting tickets are stored in \emph{ccache} . + +Use {\hyperref[appdev/refs/api/krb5_free_creds:c.krb5_free_creds]{\code{krb5\_free\_creds()}}} to free \emph{out\_creds} when it is no longer needed. + + +\subsubsection{krb5\_get\_fallback\_host\_realm} +\label{appdev/refs/api/krb5_get_fallback_host_realm:krb5-get-fallback-host-realm}\label{appdev/refs/api/krb5_get_fallback_host_realm::doc}\index{krb5\_get\_fallback\_host\_realm (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_fallback_host_realm:c.krb5_get_fallback_host_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_fallback\_host\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ hdata}, char ***\emph{ realmsp}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{hdata} - Host name (or NULL) + +\textbf{{[}out{]}} \textbf{realmsp} - Null-terminated list of realm names + +\end{description}\end{quote} + +Fill in \emph{realmsp} with a pointer to a null-terminated list of realm names obtained through heuristics or insecure resolution methods which have lower priority than KDC referrals. + +If \emph{host} is NULL, the local host's realms are determined. + +Use {\hyperref[appdev/refs/api/krb5_free_host_realm:c.krb5_free_host_realm]{\code{krb5\_free\_host\_realm()}}} to release \emph{realmsp} when it is no longer needed. + + +\subsubsection{krb5\_get\_init\_creds\_keytab - Get initial credentials using a key table.} +\label{appdev/refs/api/krb5_get_init_creds_keytab:krb5-get-init-creds-keytab-get-initial-credentials-using-a-key-table}\label{appdev/refs/api/krb5_get_init_creds_keytab::doc}\index{krb5\_get\_init\_creds\_keytab (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_keytab:c.krb5_get_init_creds_keytab}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_keytab}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ arg\_keytab}, {\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}}\emph{ start\_time}, const char *\emph{ in\_tkt\_service}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ k5\_gic\_options}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{creds} - New credentials + +\textbf{{[}in{]}} \textbf{client} - Client principal + +\textbf{{[}in{]}} \textbf{arg\_keytab} - Key table handle + +\textbf{{[}in{]}} \textbf{start\_time} - Time when ticket becomes valid (0 for now) + +\textbf{{[}in{]}} \textbf{in\_tkt\_service} - Service name of initial credentials (or NULL) + +\textbf{{[}in{]}} \textbf{k5\_gic\_options} - Initial credential options + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function requests KDC for an initial credentials for \emph{client} using a client key stored in \emph{arg\_keytab} . If \emph{in\_tkt\_service} is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used. + + +\subsubsection{krb5\_get\_init\_creds\_opt\_alloc - Allocate a new initial credential options structure.} +\label{appdev/refs/api/krb5_get_init_creds_opt_alloc:krb5-get-init-creds-opt-alloc-allocate-a-new-initial-credential-options-structure}\label{appdev/refs/api/krb5_get_init_creds_opt_alloc::doc}\index{krb5\_get\_init\_creds\_opt\_alloc (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_alloc:c.krb5_get_init_creds_opt_alloc}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_alloc}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} **\emph{ opt}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{opt} - New options structure + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 - Success; Kerberos errors otherwise. + +\end{itemize} + +\end{description}\end{quote} + +This function is the preferred way to create an options structure for getting initial credentials, and is required to make use of certain options. Use {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_free:c.krb5_get_init_creds_opt_free]{\code{krb5\_get\_init\_creds\_opt\_free()}}} to free \emph{opt} when it is no longer needed. + + +\subsubsection{krb5\_get\_init\_creds\_opt\_free - Free initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_free::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_free:krb5-get-init-creds-opt-free-free-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_free (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_free:c.krb5_get_init_creds_opt_free}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{opt} - Options structure to free + +\end{description}\end{quote} + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_get_init_creds_opt_alloc:c.krb5_get_init_creds_opt_alloc]{\code{krb5\_get\_init\_creds\_opt\_alloc()}}} + + + + +\subsubsection{krb5\_get\_init\_creds\_opt\_get\_fast\_flags - Retrieve FAST flags from initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags:krb5-get-init-creds-opt-get-fast-flags-retrieve-fast-flags-from-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_get\_fast\_flags (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags:c.krb5_get_init_creds_opt_get_fast_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_get\_fast\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} *\emph{ out\_flags}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{opt} - Options + +\textbf{{[}out{]}} \textbf{out\_flags} - FAST flags + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 - Success; Kerberos errors otherwise. + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_address\_list - Set address restrictions in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_address_list:krb5-get-init-creds-opt-set-address-list-set-address-restrictions-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_address_list::doc}\index{krb5\_get\_init\_creds\_opt\_set\_address\_list (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_address_list:c.krb5_get_init_creds_opt_set_address_list}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_address\_list}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} **\emph{ addresses}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{addresses} - Null-terminated array of addresses + +\end{description}\end{quote} + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_anonymous - Set or unset the anonymous flag in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_anonymous:krb5-get-init-creds-opt-set-anonymous-set-or-unset-the-anonymous-flag-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_anonymous::doc}\index{krb5\_get\_init\_creds\_opt\_set\_anonymous (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_anonymous:c.krb5_get_init_creds_opt_set_anonymous}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_anonymous}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, int\emph{ anonymous}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{anonymous} - Whether to make an anonymous request + +\end{description}\end{quote} + +This function may be used to request anonymous credentials from the KDC by setting \emph{anonymous} to non-zero. Note that anonymous credentials are only a request; clients must verify that credentials are anonymous if that is a requirement. + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_canonicalize - Set or unset the canonicalize flag in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize:krb5-get-init-creds-opt-set-canonicalize-set-or-unset-the-canonicalize-flag-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize::doc}\index{krb5\_get\_init\_creds\_opt\_set\_canonicalize (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize:c.krb5_get_init_creds_opt_set_canonicalize}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_canonicalize}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, int\emph{ canonicalize}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{canonicalize} - Whether to canonicalize client principal + +\end{description}\end{quote} + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_change\_password\_prompt - Set or unset change-password-prompt flag in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt:krb5-get-init-creds-opt-set-change-password-prompt-set-or-unset-change-password-prompt-flag-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_change\_password\_prompt (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt:c.krb5_get_init_creds_opt_set_change_password_prompt}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_change\_password\_prompt}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, int\emph{ prompt}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{prompt} - Whether to prompt to change password + +\end{description}\end{quote} + +This flag is on by default. It controls whether {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} will react to an expired-password error by prompting for a new password and attempting to change the old one. + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_etype\_list - Set allowable encryption types in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_etype_list:krb5-get-init-creds-opt-set-etype-list-set-allowable-encryption-types-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_etype_list::doc}\index{krb5\_get\_init\_creds\_opt\_set\_etype\_list (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_etype_list:c.krb5_get_init_creds_opt_set_etype_list}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_etype\_list}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ etype\_list}, int\emph{ etype\_list\_length}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{etype\_list} - Array of encryption types + +\textbf{{[}in{]}} \textbf{etype\_list\_length} - Length of \emph{etype\_list} + +\end{description}\end{quote} + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_expire\_callback - Set an expiration callback in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback:krb5-get-init-creds-opt-set-expire-callback-set-an-expiration-callback-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_expire\_callback (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback:c.krb5_get_init_creds_opt_set_expire_callback}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_expire\_callback}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_expire_callback_func:c.krb5_expire_callback_func]{krb5\_expire\_callback\_func}}\emph{ cb}, void *\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{cb} - Callback function + +\textbf{{[}in{]}} \textbf{data} - Callback argument + +\end{description}\end{quote} + +Set a callback to receive password and account expiration times. + +This option only applies to {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} . \emph{cb} will be invoked if and only if credentials are successfully acquired. The callback will receive the \emph{context} from the {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} call and the \emph{data} argument supplied with this API. The remaining arguments should be interpreted as follows: + +If \emph{is\_last\_req} is true, then the KDC reply contained last-req entries which unambiguously indicated the password expiration, account expiration, or both. (If either value was not present, the corresponding argument will be 0.) Furthermore, a non-zero \emph{password\_expiration} should be taken as a suggestion from the KDC that a warning be displayed. + +If \emph{is\_last\_req} is false, then \emph{account\_expiration} will be 0 and \emph{password\_expiration} will contain the expiration time of either the password or account, or 0 if no expiration time was indicated in the KDC reply. The callback should independently decide whether to display a password expiration warning. + +Note that \emph{cb} may be invoked even if credentials are being acquired for the kadmin/changepw service in order to change the password. It is the caller's responsibility to avoid displaying a password expiry warning in this case. + +\begin{notice}{warning}{Warning:} +Setting an expire callback with this API will cause {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} not to send password expiry warnings to the prompter, as it ordinarily may. +\end{notice} + +\begin{notice}{note}{Note:} +New in 1.9 +\end{notice} + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache - Set FAST armor cache in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache:krb5-get-init-creds-opt-set-fast-ccache-set-fast-armor-cache-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache:c.krb5_get_init_creds_opt_set_fast_ccache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{opt} - Options + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle + +\end{description}\end{quote} + +This function is similar to {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name:c.krb5_get_init_creds_opt_set_fast_ccache_name]{\code{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name()}}} , but uses a credential cache handle instead of a name. + +\begin{notice}{note}{Note:} +New in 1.9 +\end{notice} + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name - Set location of FAST armor ccache in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name:krb5-get-init-creds-opt-set-fast-ccache-name-set-location-of-fast-armor-ccache-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name::doc}\index{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name:c.krb5_get_init_creds_opt_set_fast_ccache_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, const char *\emph{ fast\_ccache\_name}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{opt} - Options + +\textbf{{[}in{]}} \textbf{fast\_ccache\_name} - Credential cache name + +\end{description}\end{quote} + +Sets the location of a credential cache containing an armor ticket to protect an initial credential exchange using the FAST protocol extension. + +In version 1.7, setting an armor ccache requires that FAST be used for the exchange. In version 1.8 or later, setting the armor ccache causes FAST to be used if the KDC supports it; {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags:c.krb5_get_init_creds_opt_set_fast_flags]{\code{krb5\_get\_init\_creds\_opt\_set\_fast\_flags()}}} must be used to require that FAST be used. + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_fast\_flags - Set FAST flags in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags:krb5-get-init-creds-opt-set-fast-flags-set-fast-flags-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags::doc}\index{krb5\_get\_init\_creds\_opt\_set\_fast\_flags (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags:c.krb5_get_init_creds_opt_set_fast_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_fast\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ flags}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{opt} - Options + +\textbf{{[}in{]}} \textbf{flags} - FAST flags + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 - Success; Kerberos errors otherwise. + +\end{itemize} + +\end{description}\end{quote} + +The following flag values are valid: +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_FAST_REQUIRED:KRB5_FAST_REQUIRED]{\code{KRB5\_FAST\_REQUIRED}}} - Require FAST to be used + +\end{itemize} + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_forwardable - Set or unset the forwardable flag in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_forwardable:krb5-get-init-creds-opt-set-forwardable-set-or-unset-the-forwardable-flag-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_forwardable::doc}\index{krb5\_get\_init\_creds\_opt\_set\_forwardable (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_forwardable:c.krb5_get_init_creds_opt_set_forwardable}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_forwardable}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, int\emph{ forwardable}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{forwardable} - Whether credentials should be forwardable + +\end{description}\end{quote} + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_in\_ccache - Set an input credential cache in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache:krb5-get-init-creds-opt-set-in-ccache-set-an-input-credential-cache-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_in\_ccache (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache:c.krb5_get_init_creds_opt_set_in_ccache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_in\_ccache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{opt} - Options + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle + +\end{description}\end{quote} + +If an input credential cache is set, then the krb5\_get\_init\_creds family of APIs will read settings from it. Setting an input ccache is desirable when the application wishes to perform authentication in the same way (using the same preauthentication mechanisms, and making the same non-security- sensitive choices) as the previous authentication attempt, which stored information in the passed-in ccache. + +\begin{notice}{note}{Note:} +New in 1.11 +\end{notice} + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_out\_ccache - Set an output credential cache in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache:krb5-get-init-creds-opt-set-out-ccache-set-an-output-credential-cache-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache::doc}\index{krb5\_get\_init\_creds\_opt\_set\_out\_ccache (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache:c.krb5_get_init_creds_opt_set_out_ccache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_out\_ccache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{opt} - Options + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle + +\end{description}\end{quote} + +If an output credential cache is set, then the krb5\_get\_init\_creds family of APIs will write credentials to it. Setting an output ccache is desirable both because it simplifies calling code and because it permits the krb5\_get\_init\_creds APIs to write out configuration information about the realm to the ccache. + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_pa - Supply options for preauthentication in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_pa::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_pa:krb5-get-init-creds-opt-set-pa-supply-options-for-preauthentication-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_pa (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_pa:c.krb5_get_init_creds_opt_set_pa}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_pa}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, const char *\emph{ attr}, const char *\emph{ value}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{attr} - Preauthentication option name + +\textbf{{[}in{]}} \textbf{value} - Preauthentication option value + +\end{description}\end{quote} + +This function allows the caller to supply options for preauthentication. The values of \emph{attr} and \emph{value} are supplied to each preauthentication module available within \emph{context} . + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_pac\_request - Ask the KDC to include or not include a PAC in the ticket.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_pac_request:krb5-get-init-creds-opt-set-pac-request-ask-the-kdc-to-include-or-not-include-a-pac-in-the-ticket}\label{appdev/refs/api/krb5_get_init_creds_opt_set_pac_request::doc}\index{krb5\_get\_init\_creds\_opt\_set\_pac\_request (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_pac_request:c.krb5_get_init_creds_opt_set_pac_request}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_pac\_request}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}}\emph{ req\_pac}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{req\_pac} - Whether to request a PAC or not + +\end{description}\end{quote} + +If this option is set, the AS request will include a PAC-REQUEST pa-data item explicitly asking the KDC to either include or not include a privilege attribute certificate in the ticket authorization data. By default, no request is made; typically the KDC will default to including a PAC if it supports them. + +\begin{notice}{note}{Note:} +New in 1.15 +\end{notice} + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_preauth\_list - Set preauthentication types in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list:krb5-get-init-creds-opt-set-preauth-list-set-preauthentication-types-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list::doc}\index{krb5\_get\_init\_creds\_opt\_set\_preauth\_list (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list:c.krb5_get_init_creds_opt_set_preauth_list}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_preauth\_list}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype]{krb5\_preauthtype}} *\emph{ preauth\_list}, int\emph{ preauth\_list\_length}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{preauth\_list} - Array of preauthentication types + +\textbf{{[}in{]}} \textbf{preauth\_list\_length} - Length of \emph{preauth\_list} + +\end{description}\end{quote} + +This function can be used to perform optimistic preauthentication when getting initial credentials, in combination with {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_set_salt:c.krb5_get_init_creds_opt_set_salt]{\code{krb5\_get\_init\_creds\_opt\_set\_salt()}}} and {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_set_pa:c.krb5_get_init_creds_opt_set_pa]{\code{krb5\_get\_init\_creds\_opt\_set\_pa()}}} . + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_proxiable - Set or unset the proxiable flag in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_proxiable::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_proxiable:krb5-get-init-creds-opt-set-proxiable-set-or-unset-the-proxiable-flag-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_proxiable (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_proxiable:c.krb5_get_init_creds_opt_set_proxiable}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_proxiable}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, int\emph{ proxiable}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{proxiable} - Whether credentials should be proxiable + +\end{description}\end{quote} + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_renew\_life - Set the ticket renewal lifetime in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_renew_life::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_renew_life:krb5-get-init-creds-opt-set-renew-life-set-the-ticket-renewal-lifetime-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_renew\_life (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_renew_life:c.krb5_get_init_creds_opt_set_renew_life}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_renew\_life}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}}\emph{ renew\_life}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{opt} - Pointer to \emph{options} field + +\textbf{{[}in{]}} \textbf{renew\_life} - Ticket renewal lifetime + +\end{description}\end{quote} + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_responder - Set the responder function in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_responder:krb5-get-init-creds-opt-set-responder-set-the-responder-function-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_responder::doc}\index{krb5\_get\_init\_creds\_opt\_set\_responder (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_responder:c.krb5_get_init_creds_opt_set_responder}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_responder}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_responder_fn:c.krb5_responder_fn]{krb5\_responder\_fn}}\emph{ responder}, void *\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{responder} - Responder function + +\textbf{{[}in{]}} \textbf{data} - Responder data argument + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +New in 1.11 +\end{notice} + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_salt - Set salt for optimistic preauthentication in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_salt:krb5-get-init-creds-opt-set-salt-set-salt-for-optimistic-preauthentication-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_salt::doc}\index{krb5\_get\_init\_creds\_opt\_set\_salt (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_salt:c.krb5_get_init_creds_opt_set_salt}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_salt}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ salt}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{salt} - Salt data + +\end{description}\end{quote} + +When getting initial credentials with a password, a salt string it used to convert the password to a key. Normally this salt is obtained from the first KDC reply, but when performing optimistic preauthentication, the client may need to supply the salt string with this function. + + +\subsubsection{krb5\_get\_init\_creds\_opt\_set\_tkt\_life - Set the ticket lifetime in initial credential options.} +\label{appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life:krb5-get-init-creds-opt-set-tkt-life-set-the-ticket-lifetime-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life::doc}\index{krb5\_get\_init\_creds\_opt\_set\_tkt\_life (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life:c.krb5_get_init_creds_opt_set_tkt_life}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_tkt\_life}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}}\emph{ tkt\_life}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{opt} - Options structure + +\textbf{{[}in{]}} \textbf{tkt\_life} - Ticket lifetime + +\end{description}\end{quote} + + +\subsubsection{krb5\_get\_init\_creds\_password - Get initial credentials using a password.} +\label{appdev/refs/api/krb5_get_init_creds_password::doc}\label{appdev/refs/api/krb5_get_init_creds_password:krb5-get-init-creds-password-get-initial-credentials-using-a-password}\index{krb5\_get\_init\_creds\_password (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_password}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, const char *\emph{ password}, {\hyperref[appdev/refs/types/krb5_prompter_fct:c.krb5_prompter_fct]{krb5\_prompter\_fct}}\emph{ prompter}, void *\emph{ data}, {\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}}\emph{ start\_time}, const char *\emph{ in\_tkt\_service}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ k5\_gic\_options}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{creds} - New credentials + +\textbf{{[}in{]}} \textbf{client} - Client principal + +\textbf{{[}in{]}} \textbf{password} - Password (or NULL) + +\textbf{{[}in{]}} \textbf{prompter} - Prompter function + +\textbf{{[}in{]}} \textbf{data} - Prompter callback data + +\textbf{{[}in{]}} \textbf{start\_time} - Time when ticket becomes valid (0 for now) + +\textbf{{[}in{]}} \textbf{in\_tkt\_service} - Service name of initial credentials (or NULL) + +\textbf{{[}in{]}} \textbf{k5\_gic\_options} - Initial credential options + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +EINVAL Invalid argument + +\item {} +KRB5\_KDC\_UNREACH Cannot contact any KDC for requested realm + +\item {} +KRB5\_PREAUTH\_FAILED Generic Pre-athentication failure + +\item {} +KRB5\_LIBOS\_PWDINTR Password read interrupted + +\item {} +KRB5\_REALM\_CANT\_RESOLVE Cannot resolve network address for KDC in requested realm + +\item {} +KRB5KDC\_ERR\_KEY\_EXP Password has expired + +\item {} +KRB5\_LIBOS\_BADPWDMATCH Password mismatch + +\item {} +KRB5\_CHPW\_PWDNULL New password cannot be zero length + +\item {} +KRB5\_CHPW\_FAIL Password change failed + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function requests KDC for an initial credentials for \emph{client} using \emph{password} . If \emph{password} is NULL, a password will be prompted for using \emph{prompter} if necessary. If \emph{in\_tkt\_service} is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used. + + +\subsubsection{krb5\_get\_profile - Retrieve configuration profile from the context.} +\label{appdev/refs/api/krb5_get_profile::doc}\label{appdev/refs/api/krb5_get_profile:krb5-get-profile-retrieve-configuration-profile-from-the-context}\index{krb5\_get\_profile (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_profile:c.krb5_get_profile}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_profile}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, struct \_profile\_t **\emph{ profile}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{profile} - Pointer to data read from a configuration file + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a new \emph{profile} object that reflects profile in the supplied \emph{context} . + +The \emph{profile} object may be freed with profile\_release() function. See profile.h and profile API for more details. + + +\subsubsection{krb5\_get\_prompt\_types - Get prompt types array from a context.} +\label{appdev/refs/api/krb5_get_prompt_types::doc}\label{appdev/refs/api/krb5_get_prompt_types:krb5-get-prompt-types-get-prompt-types-array-from-a-context}\index{krb5\_get\_prompt\_types (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_prompt_types:c.krb5_get_prompt_types}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_prompt_type:c.krb5_prompt_type]{krb5\_prompt\_type}} * \bfcode{krb5\_get\_prompt\_types}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +Pointer to an array of prompt types corresponding to the prompter's prompts arguments. Each type has one of the following values: KRB5\_PROMPT\_TYPE\_PASSWORD KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN KRB5\_PROMPT\_TYPE\_PREAUTH + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_get\_renewed\_creds - Get renewed credential from KDC using an existing credential.} +\label{appdev/refs/api/krb5_get_renewed_creds:krb5-get-renewed-creds-get-renewed-credential-from-kdc-using-an-existing-credential}\label{appdev/refs/api/krb5_get_renewed_creds::doc}\index{krb5\_get\_renewed\_creds (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_renewed_creds:c.krb5_get_renewed_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_renewed\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, const char *\emph{ in\_tkt\_service}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{creds} - Renewed credentials + +\textbf{{[}in{]}} \textbf{client} - Client principal name + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache + +\textbf{{[}in{]}} \textbf{in\_tkt\_service} - Server principal string (or NULL) + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function gets a renewed credential using an existing one from \emph{ccache} . If \emph{in\_tkt\_service} is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used. + +If successful, the renewed credential is placed in \emph{creds} . + + +\subsubsection{krb5\_get\_validated\_creds - Get validated credentials from the KDC.} +\label{appdev/refs/api/krb5_get_validated_creds:krb5-get-validated-creds-get-validated-credentials-from-the-kdc}\label{appdev/refs/api/krb5_get_validated_creds::doc}\index{krb5\_get\_validated\_creds (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_validated_creds:c.krb5_get_validated_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_validated\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, const char *\emph{ in\_tkt\_service}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{creds} - Validated credentials + +\textbf{{[}in{]}} \textbf{client} - Client principal name + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache + +\textbf{{[}in{]}} \textbf{in\_tkt\_service} - Server principal string (or NULL) + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +KRB5\_NO\_2ND\_TKT Request missing second ticket + +\item {} +KRB5\_NO\_TKT\_SUPPLIED Request did not supply a ticket + +\item {} +KRB5\_PRINC\_NOMATCH Requested principal and ticket do not match + +\item {} +KRB5\_KDCREP\_MODIFIED KDC reply did not match expectations + +\item {} +KRB5\_KDCREP\_SKEW Clock skew too great in KDC reply + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function gets a validated credential using a postdated credential from \emph{ccache} . If \emph{in\_tkt\_service} is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used. + +If successful, the validated credential is placed in \emph{creds} . + + +\subsubsection{krb5\_init\_context - Create a krb5 library context.} +\label{appdev/refs/api/krb5_init_context:krb5-init-context-create-a-krb5-library-context}\label{appdev/refs/api/krb5_init_context::doc}\index{krb5\_init\_context (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_context:c.krb5_init_context}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_context}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}} *\emph{ context}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}out{]}} \textbf{context} - Library context + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +The \emph{context} must be released by calling {\hyperref[appdev/refs/api/krb5_free_context:c.krb5_free_context]{\code{krb5\_free\_context()}}} when it is no longer needed. + +\begin{notice}{warning}{Warning:} +Any program or module that needs the Kerberos code to not trust the environment must use {\hyperref[appdev/refs/api/krb5_init_secure_context:c.krb5_init_secure_context]{\code{krb5\_init\_secure\_context()}}} , or clean out the environment. +\end{notice} + + +\subsubsection{krb5\_init\_secure\_context - Create a krb5 library context using only configuration files.} +\label{appdev/refs/api/krb5_init_secure_context::doc}\label{appdev/refs/api/krb5_init_secure_context:krb5-init-secure-context-create-a-krb5-library-context-using-only-configuration-files}\index{krb5\_init\_secure\_context (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_secure_context:c.krb5_init_secure_context}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_secure\_context}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}} *\emph{ context}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}out{]}} \textbf{context} - Library context + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Create a context structure, using only system configuration files. All information passed through the environment variables is ignored. + +The \emph{context} must be released by calling {\hyperref[appdev/refs/api/krb5_free_context:c.krb5_free_context]{\code{krb5\_free\_context()}}} when it is no longer needed. + + +\subsubsection{krb5\_is\_config\_principal - Test whether a principal is a configuration principal.} +\label{appdev/refs/api/krb5_is_config_principal:krb5-is-config-principal-test-whether-a-principal-is-a-configuration-principal}\label{appdev/refs/api/krb5_is_config_principal::doc}\index{krb5\_is\_config\_principal (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_is_config_principal:c.krb5_is_config_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_is\_config\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{principal} - Principal to check + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +TRUE if the principal is a configuration principal (generated part of krb5\_cc\_set\_config() ); FALSE otherwise. + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_is\_thread\_safe - Test whether the Kerberos library was built with multithread support.} +\label{appdev/refs/api/krb5_is_thread_safe::doc}\label{appdev/refs/api/krb5_is_thread_safe:krb5-is-thread-safe-test-whether-the-kerberos-library-was-built-with-multithread-support}\index{krb5\_is\_thread\_safe (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_is_thread_safe:c.krb5_is_thread_safe}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_is\_thread\_safe}}{void\emph{ None}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{None} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +TRUE if the library is threadsafe; FALSE otherwise + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_kt\_close - Close a key table handle.} +\label{appdev/refs/api/krb5_kt_close:krb5-kt-close-close-a-key-table-handle}\label{appdev/refs/api/krb5_kt_close::doc}\index{krb5\_kt\_close (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_close:c.krb5_kt_close}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_close}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{keytab} - Key table handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 None + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_kt\_client\_default - Resolve the default client key table.} +\label{appdev/refs/api/krb5_kt_client_default::doc}\label{appdev/refs/api/krb5_kt_client_default:krb5-kt-client-default-resolve-the-default-client-key-table}\index{krb5\_kt\_client\_default (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_client_default:c.krb5_kt_client_default}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_client\_default}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}} *\emph{ keytab\_out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{keytab\_out} - Key table handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Fill \emph{keytab\_out} with a handle to the default client key table. + +\begin{notice}{note}{Note:} +New in 1.11 +\end{notice} + + +\subsubsection{krb5\_kt\_default - Resolve the default key table.} +\label{appdev/refs/api/krb5_kt_default:krb5-kt-default-resolve-the-default-key-table}\label{appdev/refs/api/krb5_kt_default::doc}\index{krb5\_kt\_default (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_default:c.krb5_kt_default}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_default}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}} *\emph{ id}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{id} - Key table handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Set \emph{id} to a handle to the default key table. The key table is not opened. + + +\subsubsection{krb5\_kt\_default\_name - Get the default key table name.} +\label{appdev/refs/api/krb5_kt_default_name::doc}\label{appdev/refs/api/krb5_kt_default_name:krb5-kt-default-name-get-the-default-key-table-name}\index{krb5\_kt\_default\_name (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_default_name:c.krb5_kt_default_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_default\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, char *\emph{ name}, int\emph{ name\_size}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{name} - Default key table name + +\textbf{{[}in{]}} \textbf{name\_size} - Space available in \emph{name} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +KRB5\_CONFIG\_NOTENUFSPACE Buffer is too short + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Fill \emph{name} with the name of the default key table for \emph{context} . + + +\subsubsection{krb5\_kt\_dup - Duplicate keytab handle.} +\label{appdev/refs/api/krb5_kt_dup:krb5-kt-dup-duplicate-keytab-handle}\label{appdev/refs/api/krb5_kt_dup::doc}\index{krb5\_kt\_dup (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_dup:c.krb5_kt_dup}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_dup}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ in}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}} *\emph{ out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{in} - Key table handle to be duplicated + +\textbf{{[}out{]}} \textbf{out} - Key table handle + +\end{description}\end{quote} + +Create a new handle referring to the same key table as \emph{in} . The new handle and \emph{in} can be closed independently. + +\begin{notice}{note}{Note:} +New in 1.12 +\end{notice} + + +\subsubsection{krb5\_kt\_get\_name - Get a key table name.} +\label{appdev/refs/api/krb5_kt_get_name::doc}\label{appdev/refs/api/krb5_kt_get_name:krb5-kt-get-name-get-a-key-table-name}\index{krb5\_kt\_get\_name (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_get_name:c.krb5_kt_get_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_get\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, char *\emph{ name}, unsigned int\emph{ namelen}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{keytab} - Key table handle + +\textbf{{[}out{]}} \textbf{name} - Key table name + +\textbf{{[}in{]}} \textbf{namelen} - Maximum length to fill in name + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +KRB5\_KT\_NAME\_TOOLONG Key table name does not fit in namelen bytes + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Fill \emph{name} with the name of \emph{keytab} including the type and delimiter. + + +\subsubsection{krb5\_kt\_get\_type - Return the type of a key table.} +\label{appdev/refs/api/krb5_kt_get_type:krb5-kt-get-type-return-the-type-of-a-key-table}\label{appdev/refs/api/krb5_kt_get_type::doc}\index{krb5\_kt\_get\_type (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_get_type:c.krb5_kt_get_type}\pysiglinewithargsret{const char * \bfcode{krb5\_kt\_get\_type}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{keytab} - Key table handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +The type of a key table as an alias that must not be modified or freed by the caller. + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_kt\_resolve - Get a handle for a key table.} +\label{appdev/refs/api/krb5_kt_resolve:krb5-kt-resolve-get-a-handle-for-a-key-table}\label{appdev/refs/api/krb5_kt_resolve::doc}\index{krb5\_kt\_resolve (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_resolve:c.krb5_kt_resolve}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_resolve}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ name}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}} *\emph{ ktid}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{name} - Name of the key table + +\textbf{{[}out{]}} \textbf{ktid} - Key table handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Resolve the key table name \emph{name} and set \emph{ktid} to a handle identifying the key table. Use {\hyperref[appdev/refs/api/krb5_kt_close:c.krb5_kt_close]{\code{krb5\_kt\_close()}}} to free \emph{ktid} when it is no longer needed. +\begin{quote} + +\emph{name} must be of the form \textbf{type:residual} , where \emph{type} must be a type known to the library and \emph{residual} portion should be specific to the particular keytab type. If no \emph{type} is given, the default is \textbf{FILE} . +\end{quote} + +If \emph{name} is of type \textbf{FILE} , the keytab file is not opened by this call. + + +\subsubsection{krb5\_kuserok - Determine if a principal is authorized to log in as a local user.} +\label{appdev/refs/api/krb5_kuserok:krb5-kuserok-determine-if-a-principal-is-authorized-to-log-in-as-a-local-user}\label{appdev/refs/api/krb5_kuserok::doc}\index{krb5\_kuserok (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kuserok:c.krb5_kuserok}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_kuserok}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ principal}, const char *\emph{ luser}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{principal} - Principal name + +\textbf{{[}in{]}} \textbf{luser} - Local username + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +TRUE Principal is authorized to log in as user; FALSE otherwise. + +\end{itemize} + +\end{description}\end{quote} + +Determine whether \emph{principal} is authorized to log in as a local user \emph{luser} . + + +\subsubsection{krb5\_parse\_name - Convert a string principal name to a krb5\_principal structure.} +\label{appdev/refs/api/krb5_parse_name::doc}\label{appdev/refs/api/krb5_parse_name:krb5-parse-name-convert-a-string-principal-name-to-a-krb5-principal-structure}\index{krb5\_parse\_name (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_parse_name:c.krb5_parse_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_parse\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ name}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ principal\_out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{name} - String representation of a principal name + +\textbf{{[}out{]}} \textbf{principal\_out} - New principal + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Convert a string representation of a principal name to a krb5\_principal structure. + +A string representation of a Kerberos name consists of one or more principal name components, separated by slashes, optionally followed by the @ character and a realm name. If the realm name is not specified, the local realm is used. + +To use the slash and @ symbols as part of a component (quoted) instead of using them as a component separator or as a realm prefix), put a backslash () character in front of the symbol. Similarly, newline, tab, backspace, and NULL characters can be included in a component by using \textbf{n} , \textbf{t} , \textbf{b} or \textbf{0} , respectively. + +Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free \emph{principal\_out} when it is no longer needed. + +\begin{notice}{note}{Note:} +The realm in a Kerberos \emph{name} cannot contain slash, colon, or NULL characters. +\end{notice} + + +\subsubsection{krb5\_parse\_name\_flags - Convert a string principal name to a krb5\_principal with flags.} +\label{appdev/refs/api/krb5_parse_name_flags:krb5-parse-name-flags-convert-a-string-principal-name-to-a-krb5-principal-with-flags}\label{appdev/refs/api/krb5_parse_name_flags::doc}\index{krb5\_parse\_name\_flags (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_parse_name_flags:c.krb5_parse_name_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_parse\_name\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ name}, int\emph{ flags}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ principal\_out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{name} - String representation of a principal name + +\textbf{{[}in{]}} \textbf{flags} - Flag + +\textbf{{[}out{]}} \textbf{principal\_out} - New principal + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Similar to {\hyperref[appdev/refs/api/krb5_parse_name:c.krb5_parse_name]{\code{krb5\_parse\_name()}}} , this function converts a single-string representation of a principal name to a krb5\_principal structure. + +The following flags are valid: +\begin{quote} +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM:KRB5_PRINCIPAL_PARSE_NO_REALM]{\code{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM}}} - no realm must be present in \emph{name} + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:KRB5_PRINCIPAL_PARSE_REQUIRE_REALM]{\code{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM}}} - realm must be present in \emph{name} + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE:KRB5_PRINCIPAL_PARSE_ENTERPRISE]{\code{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE}}} - create single-component enterprise principal + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM:KRB5_PRINCIPAL_PARSE_IGNORE_REALM]{\code{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM}}} - ignore realm if present in \emph{name} + +\end{itemize} + +If \textbf{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM} or \textbf{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM} is specified in \emph{flags} , the realm of the new principal will be empty. Otherwise, the default realm for \emph{context} will be used if \emph{name} does not specify a realm. +\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free \emph{principal\_out} when it is no longer needed. + + +\subsubsection{krb5\_principal\_compare - Compare two principals.} +\label{appdev/refs/api/krb5_principal_compare:krb5-principal-compare-compare-two-principals}\label{appdev/refs/api/krb5_principal_compare::doc}\index{krb5\_principal\_compare (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_principal_compare:c.krb5_principal_compare}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_principal\_compare}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ1}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ2}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{princ1} - First principal + +\textbf{{[}in{]}} \textbf{princ2} - Second principal + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +TRUE if the principals are the same; FALSE otherwise + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_principal\_compare\_any\_realm - Compare two principals ignoring realm components.} +\label{appdev/refs/api/krb5_principal_compare_any_realm:krb5-principal-compare-any-realm-compare-two-principals-ignoring-realm-components}\label{appdev/refs/api/krb5_principal_compare_any_realm::doc}\index{krb5\_principal\_compare\_any\_realm (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_principal_compare_any_realm:c.krb5_principal_compare_any_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_principal\_compare\_any\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ1}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ2}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{princ1} - First principal + +\textbf{{[}in{]}} \textbf{princ2} - Second principal + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +TRUE if the principals are the same; FALSE otherwise + +\end{itemize} + +\end{description}\end{quote} + +Similar to {\hyperref[appdev/refs/api/krb5_principal_compare:c.krb5_principal_compare]{\code{krb5\_principal\_compare()}}} , but do not compare the realm components of the principals. + + +\subsubsection{krb5\_principal\_compare\_flags - Compare two principals with additional flags.} +\label{appdev/refs/api/krb5_principal_compare_flags:krb5-principal-compare-flags-compare-two-principals-with-additional-flags}\label{appdev/refs/api/krb5_principal_compare_flags::doc}\index{krb5\_principal\_compare\_flags (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_principal_compare_flags:c.krb5_principal_compare_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_principal\_compare\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ1}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ2}, int\emph{ flags}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{princ1} - First principal + +\textbf{{[}in{]}} \textbf{princ2} - Second principal + +\textbf{{[}in{]}} \textbf{flags} - Flags + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +TRUE if the principal names are the same; FALSE otherwise + +\end{itemize} + +\end{description}\end{quote} + +Valid flags are: +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:KRB5_PRINCIPAL_COMPARE_IGNORE_REALM]{\code{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM}}} - ignore realm component + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE:KRB5_PRINCIPAL_COMPARE_ENTERPRISE]{\code{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE}}} - UPNs as real principals + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD:KRB5_PRINCIPAL_COMPARE_CASEFOLD]{\code{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD}}} case-insensitive + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8:KRB5_PRINCIPAL_COMPARE_UTF8]{\code{KRB5\_PRINCIPAL\_COMPARE\_UTF8}}} - treat principals as UTF-8 + +\end{itemize} + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_principal_compare:c.krb5_principal_compare]{\code{krb5\_principal\_compare()}}} + + + + +\subsubsection{krb5\_prompter\_posix - Prompt user for password.} +\label{appdev/refs/api/krb5_prompter_posix:krb5-prompter-posix-prompt-user-for-password}\label{appdev/refs/api/krb5_prompter_posix::doc}\index{krb5\_prompter\_posix (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_prompter_posix:c.krb5_prompter_posix}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_prompter\_posix}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, void *\emph{ data}, const char *\emph{ name}, const char *\emph{ banner}, int\emph{ num\_prompts}, {\hyperref[appdev/refs/types/krb5_prompt:c.krb5_prompt]{krb5\_prompt}}\emph{ prompts}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{data} - Unused (callback argument) + +\textbf{{[}in{]}} \textbf{name} - Name to output during prompt + +\textbf{{[}in{]}} \textbf{banner} - Banner to output during prompt + +\textbf{{[}in{]}} \textbf{num\_prompts} - Number of prompts in \emph{prompts} + +\textbf{{[}in{]}} \textbf{prompts} - Array of prompts and replies + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function is intended to be used as a prompter callback for {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} or {\hyperref[appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init]{\code{krb5\_init\_creds\_init()}}} . + +Writes \emph{name} and \emph{banner} to stdout, each followed by a newline, then writes each prompt field in the \emph{prompts} array, followed by'':'', and sets the reply field of the entry to a line of input read from stdin. If the hidden flag is set for a prompt, then terminal echoing is turned off when input is read. + + +\subsubsection{krb5\_realm\_compare - Compare the realms of two principals.} +\label{appdev/refs/api/krb5_realm_compare::doc}\label{appdev/refs/api/krb5_realm_compare:krb5-realm-compare-compare-the-realms-of-two-principals}\index{krb5\_realm\_compare (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_realm_compare:c.krb5_realm_compare}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_realm\_compare}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ1}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ2}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{princ1} - First principal + +\textbf{{[}in{]}} \textbf{princ2} - Second principal + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +TRUE if the realm names are the same; FALSE otherwise + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_responder\_get\_challenge - Retrieve the challenge data for a given question in the responder context.} +\label{appdev/refs/api/krb5_responder_get_challenge:krb5-responder-get-challenge-retrieve-the-challenge-data-for-a-given-question-in-the-responder-context}\label{appdev/refs/api/krb5_responder_get_challenge::doc}\index{krb5\_responder\_get\_challenge (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_responder_get_challenge:c.krb5_responder_get_challenge}\pysiglinewithargsret{const char * \bfcode{krb5\_responder\_get\_challenge}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, const char *\emph{ question}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{rctx} - Responder context + +\textbf{{[}in{]}} \textbf{question} - Question name + +\end{description}\end{quote} + +Return a pointer to a C string containing the challenge for \emph{question} within \emph{rctx} , or NULL if the question is not present in \emph{rctx} . The structure of the question depends on the question name, but will always be printable UTF-8 text. The returned pointer is an alias, valid only as long as the lifetime of \emph{rctx} , and should not be modified or freed by the caller. + +\begin{notice}{note}{Note:} +New in 1.11 +\end{notice} + + +\subsubsection{krb5\_responder\_list\_questions - List the question names contained in the responder context.} +\label{appdev/refs/api/krb5_responder_list_questions::doc}\label{appdev/refs/api/krb5_responder_list_questions:krb5-responder-list-questions-list-the-question-names-contained-in-the-responder-context}\index{krb5\_responder\_list\_questions (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_responder_list_questions:c.krb5_responder_list_questions}\pysiglinewithargsret{const char *const * \bfcode{krb5\_responder\_list\_questions}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{rctx} - Responder context + +\end{description}\end{quote} + +Return a pointer to a null-terminated list of question names which are present in \emph{rctx} . The pointer is an alias, valid only as long as the lifetime of \emph{rctx} , and should not be modified or freed by the caller. A question's challenge can be retrieved using {\hyperref[appdev/refs/api/krb5_responder_get_challenge:c.krb5_responder_get_challenge]{\code{krb5\_responder\_get\_challenge()}}} and answered using {\hyperref[appdev/refs/api/krb5_responder_set_answer:c.krb5_responder_set_answer]{\code{krb5\_responder\_set\_answer()}}} . + +\begin{notice}{note}{Note:} +New in 1.11 +\end{notice} + + +\subsubsection{krb5\_responder\_set\_answer - Answer a named question in the responder context.} +\label{appdev/refs/api/krb5_responder_set_answer:krb5-responder-set-answer-answer-a-named-question-in-the-responder-context}\label{appdev/refs/api/krb5_responder_set_answer::doc}\index{krb5\_responder\_set\_answer (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_responder_set_answer:c.krb5_responder_set_answer}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_responder\_set\_answer}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, const char *\emph{ question}, const char *\emph{ answer}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{rctx} - Responder context + +\textbf{{[}in{]}} \textbf{question} - Question name + +\textbf{{[}in{]}} \textbf{answer} - The string to set (MUST be printable UTF-8) + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +EINVAL question is not present within rctx + +\end{itemize} + +\end{description}\end{quote} + +This function supplies an answer to \emph{question} within \emph{rctx} . The appropriate form of the answer depends on the question name. + +\begin{notice}{note}{Note:} +New in 1.11 +\end{notice} + + +\subsubsection{krb5\_responder\_otp\_get\_challenge - Decode the KRB5\_RESPONDER\_QUESTION\_OTP to a C struct.} +\label{appdev/refs/api/krb5_responder_otp_get_challenge:krb5-responder-otp-get-challenge-decode-the-krb5-responder-question-otp-to-a-c-struct}\label{appdev/refs/api/krb5_responder_otp_get_challenge::doc}\index{krb5\_responder\_otp\_get\_challenge (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_responder_otp_get_challenge:c.krb5_responder_otp_get_challenge}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_responder\_otp\_get\_challenge}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, {\hyperref[appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge]{krb5\_responder\_otp\_challenge}} **\emph{ chl}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{rctx} - Responder context + +\textbf{{[}out{]}} \textbf{chl} - Challenge structure + +\end{description}\end{quote} + +A convenience function which parses the KRB5\_RESPONDER\_QUESTION\_OTP question challenge data, making it available in native C. The main feature of this function is the ability to interact with OTP tokens without parsing the JSON. + +The returned value must be passed to {\hyperref[appdev/refs/api/krb5_responder_otp_challenge_free:c.krb5_responder_otp_challenge_free]{\code{krb5\_responder\_otp\_challenge\_free()}}} to be freed. + +\begin{notice}{note}{Note:} +New in 1.11 +\end{notice} + + +\subsubsection{krb5\_responder\_otp\_set\_answer - Answer the KRB5\_RESPONDER\_QUESTION\_OTP question.} +\label{appdev/refs/api/krb5_responder_otp_set_answer:krb5-responder-otp-set-answer-answer-the-krb5-responder-question-otp-question}\label{appdev/refs/api/krb5_responder_otp_set_answer::doc}\index{krb5\_responder\_otp\_set\_answer (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_responder_otp_set_answer:c.krb5_responder_otp_set_answer}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_responder\_otp\_set\_answer}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, size\_t\emph{ ti}, const char *\emph{ value}, const char *\emph{ pin}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{rctx} - Responder context + +\textbf{{[}in{]}} \textbf{ti} - The index of the tokeninfo selected + +\textbf{{[}in{]}} \textbf{value} - The value to set, or NULL for none + +\textbf{{[}in{]}} \textbf{pin} - The pin to set, or NULL for none + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +New in 1.11 +\end{notice} + + +\subsubsection{krb5\_responder\_otp\_challenge\_free - Free the value returned by krb5\_responder\_otp\_get\_challenge() .} +\label{appdev/refs/api/krb5_responder_otp_challenge_free:krb5-responder-otp-challenge-free-free-the-value-returned-by-krb5-responder-otp-get-challenge}\label{appdev/refs/api/krb5_responder_otp_challenge_free::doc}\index{krb5\_responder\_otp\_challenge\_free (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_responder_otp_challenge_free:c.krb5_responder_otp_challenge_free}\pysiglinewithargsret{void \bfcode{krb5\_responder\_otp\_challenge\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, {\hyperref[appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge]{krb5\_responder\_otp\_challenge}} *\emph{ chl}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{rctx} - Responder context + +\textbf{{[}in{]}} \textbf{chl} - The challenge to free + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +New in 1.11 +\end{notice} + + +\subsubsection{krb5\_responder\_pkinit\_get\_challenge - Decode the KRB5\_RESPONDER\_QUESTION\_PKINIT to a C struct.} +\label{appdev/refs/api/krb5_responder_pkinit_get_challenge:krb5-responder-pkinit-get-challenge-decode-the-krb5-responder-question-pkinit-to-a-c-struct}\label{appdev/refs/api/krb5_responder_pkinit_get_challenge::doc}\index{krb5\_responder\_pkinit\_get\_challenge (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_responder_pkinit_get_challenge:c.krb5_responder_pkinit_get_challenge}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_responder\_pkinit\_get\_challenge}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, {\hyperref[appdev/refs/types/krb5_responder_pkinit_challenge:c.krb5_responder_pkinit_challenge]{krb5\_responder\_pkinit\_challenge}} **\emph{ chl\_out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{rctx} - Responder context + +\textbf{{[}out{]}} \textbf{chl\_out} - Challenge structure + +\end{description}\end{quote} + +A convenience function which parses the KRB5\_RESPONDER\_QUESTION\_PKINIT question challenge data, making it available in native C. The main feature of this function is the ability to read the challenge without parsing the JSON. + +The returned value must be passed to {\hyperref[appdev/refs/api/krb5_responder_pkinit_challenge_free:c.krb5_responder_pkinit_challenge_free]{\code{krb5\_responder\_pkinit\_challenge\_free()}}} to be freed. + +\begin{notice}{note}{Note:} +New in 1.12 +\end{notice} + + +\subsubsection{krb5\_responder\_pkinit\_set\_answer - Answer the KRB5\_RESPONDER\_QUESTION\_PKINIT question for one identity.} +\label{appdev/refs/api/krb5_responder_pkinit_set_answer:krb5-responder-pkinit-set-answer-answer-the-krb5-responder-question-pkinit-question-for-one-identity}\label{appdev/refs/api/krb5_responder_pkinit_set_answer::doc}\index{krb5\_responder\_pkinit\_set\_answer (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_responder_pkinit_set_answer:c.krb5_responder_pkinit_set_answer}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_responder\_pkinit\_set\_answer}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, const char *\emph{ identity}, const char *\emph{ pin}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{rctx} - Responder context + +\textbf{{[}in{]}} \textbf{identity} - The identity for which a PIN is being supplied + +\textbf{{[}in{]}} \textbf{pin} - The provided PIN, or NULL for none + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +New in 1.12 +\end{notice} + + +\subsubsection{krb5\_responder\_pkinit\_challenge\_free - Free the value returned by krb5\_responder\_pkinit\_get\_challenge() .} +\label{appdev/refs/api/krb5_responder_pkinit_challenge_free:krb5-responder-pkinit-challenge-free-free-the-value-returned-by-krb5-responder-pkinit-get-challenge}\label{appdev/refs/api/krb5_responder_pkinit_challenge_free::doc}\index{krb5\_responder\_pkinit\_challenge\_free (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_responder_pkinit_challenge_free:c.krb5_responder_pkinit_challenge_free}\pysiglinewithargsret{void \bfcode{krb5\_responder\_pkinit\_challenge\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, {\hyperref[appdev/refs/types/krb5_responder_pkinit_challenge:c.krb5_responder_pkinit_challenge]{krb5\_responder\_pkinit\_challenge}} *\emph{ chl}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{rctx} - Responder context + +\textbf{{[}in{]}} \textbf{chl} - The challenge to free + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +New in 1.12 +\end{notice} + + +\subsubsection{krb5\_set\_default\_realm - Override the default realm for the specified context.} +\label{appdev/refs/api/krb5_set_default_realm::doc}\label{appdev/refs/api/krb5_set_default_realm:krb5-set-default-realm-override-the-default-realm-for-the-specified-context}\index{krb5\_set\_default\_realm (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_set_default_realm:c.krb5_set_default_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_default\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ lrealm}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{lrealm} - Realm name for the default realm + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +If \emph{lrealm} is NULL, clear the default realm setting. + + +\subsubsection{krb5\_set\_password - Set a password for a principal using specified credentials.} +\label{appdev/refs/api/krb5_set_password:krb5-set-password-set-a-password-for-a-principal-using-specified-credentials}\label{appdev/refs/api/krb5_set_password::doc}\index{krb5\_set\_password (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_set_password:c.krb5_set_password}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_password}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, const char *\emph{ newpw}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ change\_password\_for}, int *\emph{ result\_code}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ result\_code\_string}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ result\_string}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{creds} - Credentials for kadmin/changepw service + +\textbf{{[}in{]}} \textbf{newpw} - New password + +\textbf{{[}in{]}} \textbf{change\_password\_for} - Change the password for this principal + +\textbf{{[}out{]}} \textbf{result\_code} - Numeric error code from server + +\textbf{{[}out{]}} \textbf{result\_code\_string} - String equivalent to \emph{result\_code} + +\textbf{{[}out{]}} \textbf{result\_string} - Data returned from the remote system + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success and result\_code is set to KRB5\_KPASSWD\_SUCCESS . + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes. + +\end{itemize} + +\end{description}\end{quote} + +This function uses the credentials \emph{creds} to set the password \emph{newpw} for the principal \emph{change\_password\_for} . It implements the set password operation of RFC 3244, for interoperability with Microsoft Windows implementations. + +The error code and strings are returned in \emph{result\_code} , \emph{result\_code\_string} and \emph{result\_string} . + +\begin{notice}{note}{Note:} +If \emph{change\_password\_for} is NULL, the change is performed on the current principal. If \emph{change\_password\_for} is non-null, the change is performed on the principal name passed in \emph{change\_password\_for} . +\end{notice} + + +\subsubsection{krb5\_set\_password\_using\_ccache - Set a password for a principal using cached credentials.} +\label{appdev/refs/api/krb5_set_password_using_ccache:krb5-set-password-using-ccache-set-a-password-for-a-principal-using-cached-credentials}\label{appdev/refs/api/krb5_set_password_using_ccache::doc}\index{krb5\_set\_password\_using\_ccache (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_set_password_using_ccache:c.krb5_set_password_using_ccache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_password\_using\_ccache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, const char *\emph{ newpw}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ change\_password\_for}, int *\emph{ result\_code}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ result\_code\_string}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ result\_string}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache + +\textbf{{[}in{]}} \textbf{newpw} - New password + +\textbf{{[}in{]}} \textbf{change\_password\_for} - Change the password for this principal + +\textbf{{[}out{]}} \textbf{result\_code} - Numeric error code from server + +\textbf{{[}out{]}} \textbf{result\_code\_string} - String equivalent to \emph{result\_code} + +\textbf{{[}out{]}} \textbf{result\_string} - Data returned from the remote system + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function uses the cached credentials from \emph{ccache} to set the password \emph{newpw} for the principal \emph{change\_password\_for} . It implements RFC 3244 set password operation (interoperable with MS Windows implementations) using the credential cache. + +The error code and strings are returned in \emph{result\_code} , \emph{result\_code\_string} and \emph{result\_string} . + +\begin{notice}{note}{Note:} +If \emph{change\_password\_for} is set to NULL, the change is performed on the default principal in \emph{ccache} . If \emph{change\_password\_for} is non null, the change is performed on the specified principal. +\end{notice} + + +\subsubsection{krb5\_set\_principal\_realm - Set the realm field of a principal.} +\label{appdev/refs/api/krb5_set_principal_realm::doc}\label{appdev/refs/api/krb5_set_principal_realm:krb5-set-principal-realm-set-the-realm-field-of-a-principal}\index{krb5\_set\_principal\_realm (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_set_principal_realm:c.krb5_set_principal_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_principal\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ principal}, const char *\emph{ realm}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{principal} - Principal name + +\textbf{{[}in{]}} \textbf{realm} - Realm name + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Set the realm name part of \emph{principal} to \emph{realm} , overwriting the previous realm. + + +\subsubsection{krb5\_set\_trace\_callback - Specify a callback function for trace events.} +\label{appdev/refs/api/krb5_set_trace_callback:krb5-set-trace-callback-specify-a-callback-function-for-trace-events}\label{appdev/refs/api/krb5_set_trace_callback::doc}\index{krb5\_set\_trace\_callback (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_set_trace_callback:c.krb5_set_trace_callback}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_trace\_callback}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_trace_callback:c.krb5_trace_callback]{krb5\_trace\_callback}}\emph{ fn}, void *\emph{ cb\_data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{fn} - Callback function + +\textbf{{[}in{]}} \textbf{cb\_data} - Callback data + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +Returns KRB5\_TRACE\_NOSUPP if tracing is not supported in the library (unless fn is NULL). + +\end{itemize} + +\end{description}\end{quote} + +Specify a callback for trace events occurring in krb5 operations performed within \emph{context} . \emph{fn} will be invoked with \emph{context} as the first argument, \emph{cb\_data} as the last argument, and a pointer to a krb5\_trace\_info as the second argument. If the trace callback is reset via this function or \emph{context} is destroyed, \emph{fn} will be invoked with a NULL second argument so it can clean up \emph{cb\_data} . Supply a NULL value for \emph{fn} to disable trace callbacks within \emph{context} . + +\begin{notice}{note}{Note:} +This function overrides the information passed through the \emph{KRB5\_TRACE} environment variable. +\end{notice} + +\begin{notice}{note}{Note:} +New in 1.9 +\end{notice} + + +\subsubsection{krb5\_set\_trace\_filename - Specify a file name for directing trace events.} +\label{appdev/refs/api/krb5_set_trace_filename:krb5-set-trace-filename-specify-a-file-name-for-directing-trace-events}\label{appdev/refs/api/krb5_set_trace_filename::doc}\index{krb5\_set\_trace\_filename (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_set_trace_filename:c.krb5_set_trace_filename}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_trace\_filename}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ filename}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{filename} - File name + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +KRB5\_TRACE\_NOSUPP Tracing is not supported in the library. + +\end{itemize} + +\end{description}\end{quote} + +Open \emph{filename} for appending (creating it, if necessary) and set up a callback to write trace events to it. + +\begin{notice}{note}{Note:} +This function overrides the information passed through the \emph{KRB5\_TRACE} environment variable. +\end{notice} + +\begin{notice}{note}{Note:} +New in 1.9 +\end{notice} + + +\subsubsection{krb5\_sname\_match - Test whether a principal matches a matching principal.} +\label{appdev/refs/api/krb5_sname_match::doc}\label{appdev/refs/api/krb5_sname_match:krb5-sname-match-test-whether-a-principal-matches-a-matching-principal}\index{krb5\_sname\_match (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_sname_match:c.krb5_sname_match}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_sname\_match}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ matching}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{matching} - Matching principal + +\textbf{{[}in{]}} \textbf{princ} - Principal to test + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +TRUE if princ matches matching , FALSE otherwise. + +\end{itemize} + +\end{description}\end{quote} + +If \emph{matching} is NULL, return TRUE. If \emph{matching} is not a matching principal, return the value of krb5\_principal\_compare(context, matching, princ). + +\begin{notice}{note}{Note:} +A matching principal is a host-based principal with an empty realm and/or second data component (hostname). Profile configuration may cause the hostname to be ignored even if it is present. A principal matches a matching principal if the former has the same non-empty (and non-ignored) components of the latter. +\end{notice} + + +\subsubsection{krb5\_sname\_to\_principal - Generate a full principal name from a service name.} +\label{appdev/refs/api/krb5_sname_to_principal:krb5-sname-to-principal-generate-a-full-principal-name-from-a-service-name}\label{appdev/refs/api/krb5_sname_to_principal::doc}\index{krb5\_sname\_to\_principal (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_sname_to_principal:c.krb5_sname_to_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_sname\_to\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ hostname}, const char *\emph{ sname}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}}\emph{ type}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ ret\_princ}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{hostname} - Host name, or NULL to use local host + +\textbf{{[}in{]}} \textbf{sname} - Service name, or NULL to use \textbf{``host''} + +\textbf{{[}in{]}} \textbf{type} - Principal type + +\textbf{{[}out{]}} \textbf{ret\_princ} - Generated principal + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function converts a \emph{hostname} and \emph{sname} into \emph{krb5\_principal} structure \emph{ret\_princ} . The returned principal will be of the form \emph{sname/hostname@REALM} where REALM is determined by {\hyperref[appdev/refs/api/krb5_get_host_realm:c.krb5_get_host_realm]{\code{krb5\_get\_host\_realm()}}} . In some cases this may be the referral (empty) realm. + +The \emph{type} can be one of the following: +\begin{quote} +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_NT_SRV_HST:KRB5_NT_SRV_HST]{\code{KRB5\_NT\_SRV\_HST}}} canonicalizes the host name before looking up the realm and generating the principal. + +\item {} +{\hyperref[appdev/refs/macros/KRB5_NT_UNKNOWN:KRB5_NT_UNKNOWN]{\code{KRB5\_NT\_UNKNOWN}}} accepts the hostname as given, and does not canonicalize it. + +\end{itemize} + +Use krb5\_free\_principal to free \emph{ret\_princ} when it is no longer needed. +\end{quote} + + +\subsubsection{krb5\_unparse\_name - Convert a krb5\_principal structure to a string representation.} +\label{appdev/refs/api/krb5_unparse_name:krb5-unparse-name-convert-a-krb5-principal-structure-to-a-string-representation}\label{appdev/refs/api/krb5_unparse_name::doc}\index{krb5\_unparse\_name (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_unparse_name:c.krb5_unparse_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_unparse\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, register char **\emph{ name}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{principal} - Principal + +\textbf{{[}out{]}} \textbf{name} - String representation of principal name + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +The resulting string representation uses the format and quoting conventions described for {\hyperref[appdev/refs/api/krb5_parse_name:c.krb5_parse_name]{\code{krb5\_parse\_name()}}} . + +Use {\hyperref[appdev/refs/api/krb5_free_unparsed_name:c.krb5_free_unparsed_name]{\code{krb5\_free\_unparsed\_name()}}} to free \emph{name} when it is no longer needed. + + +\subsubsection{krb5\_unparse\_name\_ext - Convert krb5\_principal structure to string and length.} +\label{appdev/refs/api/krb5_unparse_name_ext:krb5-unparse-name-ext-convert-krb5-principal-structure-to-string-and-length}\label{appdev/refs/api/krb5_unparse_name_ext::doc}\index{krb5\_unparse\_name\_ext (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_unparse_name_ext:c.krb5_unparse_name_ext}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_unparse\_name\_ext}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, char **\emph{ name}, unsigned int *\emph{ size}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{principal} - Principal + +\textbf{{[}inout{]}} \textbf{name} - String representation of principal name + +\textbf{{[}inout{]}} \textbf{size} - Size of unparsed name + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes. On failure name is set to NULL + +\end{itemize} + +\end{description}\end{quote} + +This function is similar to {\hyperref[appdev/refs/api/krb5_unparse_name:c.krb5_unparse_name]{\code{krb5\_unparse\_name()}}} , but allows the use of an existing buffer for the result. If size is not NULL, then \emph{name} must point to either NULL or an existing buffer of at least the size pointed to by \emph{size} . The buffer will be allocated or resized if necessary, with the new pointer stored into \emph{name} . Whether or not the buffer is resized, the necessary space for the result, including null terminator, will be stored into \emph{size} . + +If size is NULL, this function behaves exactly as {\hyperref[appdev/refs/api/krb5_unparse_name:c.krb5_unparse_name]{\code{krb5\_unparse\_name()}}} . + + +\subsubsection{krb5\_unparse\_name\_flags - Convert krb5\_principal structure to a string with flags.} +\label{appdev/refs/api/krb5_unparse_name_flags::doc}\label{appdev/refs/api/krb5_unparse_name_flags:krb5-unparse-name-flags-convert-krb5-principal-structure-to-a-string-with-flags}\index{krb5\_unparse\_name\_flags (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_unparse_name_flags:c.krb5_unparse_name_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_unparse\_name\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, int\emph{ flags}, char **\emph{ name}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{principal} - Principal + +\textbf{{[}in{]}} \textbf{flags} - Flags + +\textbf{{[}out{]}} \textbf{name} - String representation of principal name + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes. On failure name is set to NULL + +\end{itemize} + +\end{description}\end{quote} + +Similar to {\hyperref[appdev/refs/api/krb5_unparse_name:c.krb5_unparse_name]{\code{krb5\_unparse\_name()}}} , this function converts a krb5\_principal structure to a string representation. + +The following flags are valid: +\begin{quote} +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT:KRB5_PRINCIPAL_UNPARSE_SHORT]{\code{KRB5\_PRINCIPAL\_UNPARSE\_SHORT}}} - omit realm if it is the local realm + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM:KRB5_PRINCIPAL_UNPARSE_NO_REALM]{\code{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM}}} - omit realm + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY:KRB5_PRINCIPAL_UNPARSE_DISPLAY]{\code{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY}}} - do not quote special characters + +\end{itemize} + +Use {\hyperref[appdev/refs/api/krb5_free_unparsed_name:c.krb5_free_unparsed_name]{\code{krb5\_free\_unparsed\_name()}}} to free \emph{name} when it is no longer needed. +\end{quote} + + +\subsubsection{krb5\_unparse\_name\_flags\_ext - Convert krb5\_principal structure to string format with flags.} +\label{appdev/refs/api/krb5_unparse_name_flags_ext:krb5-unparse-name-flags-ext-convert-krb5-principal-structure-to-string-format-with-flags}\label{appdev/refs/api/krb5_unparse_name_flags_ext::doc}\index{krb5\_unparse\_name\_flags\_ext (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_unparse_name_flags_ext:c.krb5_unparse_name_flags_ext}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_unparse\_name\_flags\_ext}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, int\emph{ flags}, char **\emph{ name}, unsigned int *\emph{ size}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{principal} - Principal + +\textbf{{[}in{]}} \textbf{flags} - Flags + +\textbf{{[}out{]}} \textbf{name} - Single string format of principal name + +\textbf{{[}out{]}} \textbf{size} - Size of unparsed name buffer + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes. On failure name is set to NULL + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_us\_timeofday - Retrieve the system time of day, in sec and ms, since the epoch.} +\label{appdev/refs/api/krb5_us_timeofday:krb5-us-timeofday-retrieve-the-system-time-of-day-in-sec-and-ms-since-the-epoch}\label{appdev/refs/api/krb5_us_timeofday::doc}\index{krb5\_us\_timeofday (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_us_timeofday:c.krb5_us_timeofday}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_us\_timeofday}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} *\emph{ seconds}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} *\emph{ microseconds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{seconds} - System timeofday, seconds portion + +\textbf{{[}out{]}} \textbf{microseconds} - System timeofday, microseconds portion + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function retrieves the system time of day with the context specific time offset adjustment. + + +\subsubsection{krb5\_verify\_authdata\_kdc\_issued - Unwrap and verify AD-KDCIssued authorization data.} +\label{appdev/refs/api/krb5_verify_authdata_kdc_issued:krb5-verify-authdata-kdc-issued-unwrap-and-verify-ad-kdcissued-authorization-data}\label{appdev/refs/api/krb5_verify_authdata_kdc_issued::doc}\index{krb5\_verify\_authdata\_kdc\_issued (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_verify_authdata_kdc_issued:c.krb5_verify_authdata_kdc_issued}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_verify\_authdata\_kdc\_issued}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, const {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *\emph{ ad\_kdcissued}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ issuer}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ authdata}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Session key + +\textbf{{[}in{]}} \textbf{ad\_kdcissued} - AD-KDCIssued authorization data to be unwrapped + +\textbf{{[}out{]}} \textbf{issuer} - Name of issuing principal (or NULL) + +\textbf{{[}out{]}} \textbf{authdata} - Unwrapped list of authorization data + +\end{description}\end{quote} + +This function unwraps an AD-KDCIssued authdatum (see RFC 4120 section 5.2.6.2) and verifies its signature against \emph{key} . The issuer field of the authdatum element is returned in \emph{issuer} , and the unwrapped list of authdata is returned in \emph{authdata} . + + +\subsection{Rarely used public interfaces} +\label{appdev/refs/api/index:rarely-used-public-interfaces} + +\subsubsection{krb5\_425\_conv\_principal - Convert a Kerberos V4 principal to a Kerberos V5 principal.} +\label{appdev/refs/api/krb5_425_conv_principal:krb5-425-conv-principal-convert-a-kerberos-v4-principal-to-a-kerberos-v5-principal}\label{appdev/refs/api/krb5_425_conv_principal::doc}\index{krb5\_425\_conv\_principal (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_425_conv_principal:c.krb5_425_conv_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_425\_conv\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ name}, const char *\emph{ instance}, const char *\emph{ realm}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ princ}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{name} - V4 name + +\textbf{{[}in{]}} \textbf{instance} - V4 instance + +\textbf{{[}in{]}} \textbf{realm} - Realm + +\textbf{{[}out{]}} \textbf{princ} - V5 principal + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function builds a \emph{princ} from V4 specification based on given input \emph{name.instance@realm} . + +Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free \emph{princ} when it is no longer needed. + + +\subsubsection{krb5\_524\_conv\_principal - Convert a Kerberos V5 principal to a Kerberos V4 principal.} +\label{appdev/refs/api/krb5_524_conv_principal:krb5-524-conv-principal-convert-a-kerberos-v5-principal-to-a-kerberos-v4-principal}\label{appdev/refs/api/krb5_524_conv_principal::doc}\index{krb5\_524\_conv\_principal (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_524_conv_principal:c.krb5_524_conv_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_524\_conv\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ}, char *\emph{ name}, char *\emph{ inst}, char *\emph{ realm}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{princ} - V5 Principal + +\textbf{{[}out{]}} \textbf{name} - V4 principal's name to be filled in + +\textbf{{[}out{]}} \textbf{inst} - V4 principal's instance name to be filled in + +\textbf{{[}out{]}} \textbf{realm} - Principal's realm name to be filled in + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +KRB5\_INVALID\_PRINCIPAL Invalid principal name + +\item {} +KRB5\_CONFIG\_CANTOPEN Can't open or find Kerberos configuration file + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function separates a V5 principal \emph{princ} into \emph{name} , \emph{instance} , and \emph{realm} . + + +\subsubsection{krb5\_address\_compare - Compare two Kerberos addresses.} +\label{appdev/refs/api/krb5_address_compare:krb5-address-compare-compare-two-kerberos-addresses}\label{appdev/refs/api/krb5_address_compare::doc}\index{krb5\_address\_compare (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_address_compare:c.krb5_address_compare}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_address\_compare}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ addr1}, const {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ addr2}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{addr1} - First address to be compared + +\textbf{{[}in{]}} \textbf{addr2} - Second address to be compared + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +TRUE if the addresses are the same, FALSE otherwise + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_address\_order - Return an ordering of the specified addresses.} +\label{appdev/refs/api/krb5_address_order:krb5-address-order-return-an-ordering-of-the-specified-addresses}\label{appdev/refs/api/krb5_address_order::doc}\index{krb5\_address\_order (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_address_order:c.krb5_address_order}\pysiglinewithargsret{int \bfcode{krb5\_address\_order}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ addr1}, const {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ addr2}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{addr1} - First address + +\textbf{{[}in{]}} \textbf{addr2} - Second address + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 The two addresses are the same + +\item {} +\textless{} 0 First address is less than second + +\item {} +\textgreater{} 0 First address is greater than second + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_address\_search - Search a list of addresses for a specified address.} +\label{appdev/refs/api/krb5_address_search:krb5-address-search-search-a-list-of-addresses-for-a-specified-address}\label{appdev/refs/api/krb5_address_search::doc}\index{krb5\_address\_search (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_address_search:c.krb5_address_search}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_address\_search}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ addr}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *const *\emph{ addrlist}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{addr} - Address to search for + +\textbf{{[}in{]}} \textbf{addrlist} - Address list to be searched (or NULL) + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +TRUE if addr is listed in addrlist , or addrlist is NULL; FALSE otherwise + +\end{itemize} + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +If \emph{addrlist} contains only a NetBIOS addresses, it will be treated as a null list. +\end{notice} + + +\subsubsection{krb5\_allow\_weak\_crypto - Allow the appplication to override the profile's allow\_weak\_crypto setting.} +\label{appdev/refs/api/krb5_allow_weak_crypto::doc}\label{appdev/refs/api/krb5_allow_weak_crypto:krb5-allow-weak-crypto-allow-the-appplication-to-override-the-profile-s-allow-weak-crypto-setting}\index{krb5\_allow\_weak\_crypto (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_allow_weak_crypto:c.krb5_allow_weak_crypto}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_allow\_weak\_crypto}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}}\emph{ enable}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enable} - Boolean flag + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 (always) + +\end{itemize} + +\end{description}\end{quote} + +This function allows an application to override the allow\_weak\_crypto setting. It is primarily for use by aklog. + + +\subsubsection{krb5\_aname\_to\_localname - Convert a principal name to a local name.} +\label{appdev/refs/api/krb5_aname_to_localname::doc}\label{appdev/refs/api/krb5_aname_to_localname:krb5-aname-to-localname-convert-a-principal-name-to-a-local-name}\index{krb5\_aname\_to\_localname (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_aname_to_localname:c.krb5_aname_to_localname}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_aname\_to\_localname}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ aname}, int\emph{ lnsize\_in}, char *\emph{ lname}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{aname} - Principal name + +\textbf{{[}in{]}} \textbf{lnsize\_in} - Space available in \emph{lname} + +\textbf{{[}out{]}} \textbf{lname} - Local name buffer to be filled in + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +System errors + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +If \emph{aname} does not correspond to any local account, KRB5\_LNAME\_NOTRANS is returned. If \emph{lnsize\_in} is too small for the local name, KRB5\_CONFIG\_NOTENUFSPACE is returned. + +Local names, rather than principal names, can be used by programs that translate to an environment-specific name (for example, a user account name). + + +\subsubsection{krb5\_anonymous\_principal - Build an anonymous principal.} +\label{appdev/refs/api/krb5_anonymous_principal:krb5-anonymous-principal-build-an-anonymous-principal}\label{appdev/refs/api/krb5_anonymous_principal::doc}\index{krb5\_anonymous\_principal (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_anonymous_principal:c.krb5_anonymous_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}} \bfcode{krb5\_anonymous\_principal}}{void\emph{ None}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{None} + +\end{description}\end{quote} + +This function returns constant storage that must not be freed. + + +\strong{See also:} + + +{\hyperref[appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR:KRB5_ANONYMOUS_PRINCSTR]{\code{KRB5\_ANONYMOUS\_PRINCSTR}}} + + + + +\subsubsection{krb5\_anonymous\_realm - Return an anonymous realm data.} +\label{appdev/refs/api/krb5_anonymous_realm::doc}\label{appdev/refs/api/krb5_anonymous_realm:krb5-anonymous-realm-return-an-anonymous-realm-data}\index{krb5\_anonymous\_realm (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_anonymous_realm:c.krb5_anonymous_realm}\pysiglinewithargsret{const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_anonymous\_realm}}{void\emph{ None}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{None} + +\end{description}\end{quote} + +This function returns constant storage that must not be freed. + + +\strong{See also:} + + +{\hyperref[appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR:KRB5_ANONYMOUS_REALMSTR]{\code{KRB5\_ANONYMOUS\_REALMSTR}}} + + + + +\subsubsection{krb5\_appdefault\_boolean - Retrieve a boolean value from the appdefaults section of krb5.conf.} +\label{appdev/refs/api/krb5_appdefault_boolean::doc}\label{appdev/refs/api/krb5_appdefault_boolean:krb5-appdefault-boolean-retrieve-a-boolean-value-from-the-appdefaults-section-of-krb5-conf}\index{krb5\_appdefault\_boolean (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_appdefault_boolean:c.krb5_appdefault_boolean}\pysiglinewithargsret{void \bfcode{krb5\_appdefault\_boolean}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ appname}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ realm}, const char *\emph{ option}, int\emph{ default\_value}, int *\emph{ ret\_value}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{appname} - Application name + +\textbf{{[}in{]}} \textbf{realm} - Realm name + +\textbf{{[}in{]}} \textbf{option} - Option to be checked + +\textbf{{[}in{]}} \textbf{default\_value} - Default value to return if no match is found + +\textbf{{[}out{]}} \textbf{ret\_value} - Boolean value of \emph{option} + +\end{description}\end{quote} + +This function gets the application defaults for \emph{option} based on the given \emph{appname} and/or \emph{realm} . + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_appdefault_string:c.krb5_appdefault_string]{\code{krb5\_appdefault\_string()}}} + + + + +\subsubsection{krb5\_appdefault\_string - Retrieve a string value from the appdefaults section of krb5.conf.} +\label{appdev/refs/api/krb5_appdefault_string::doc}\label{appdev/refs/api/krb5_appdefault_string:krb5-appdefault-string-retrieve-a-string-value-from-the-appdefaults-section-of-krb5-conf}\index{krb5\_appdefault\_string (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_appdefault_string:c.krb5_appdefault_string}\pysiglinewithargsret{void \bfcode{krb5\_appdefault\_string}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ appname}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ realm}, const char *\emph{ option}, const char *\emph{ default\_value}, char **\emph{ ret\_value}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{appname} - Application name + +\textbf{{[}in{]}} \textbf{realm} - Realm name + +\textbf{{[}in{]}} \textbf{option} - Option to be checked + +\textbf{{[}in{]}} \textbf{default\_value} - Default value to return if no match is found + +\textbf{{[}out{]}} \textbf{ret\_value} - String value of \emph{option} + +\end{description}\end{quote} + +This function gets the application defaults for \emph{option} based on the given \emph{appname} and/or \emph{realm} . + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_appdefault_boolean:c.krb5_appdefault_boolean]{\code{krb5\_appdefault\_boolean()}}} + + + + +\subsubsection{krb5\_auth\_con\_free - Free a krb5\_auth\_context structure.} +\label{appdev/refs/api/krb5_auth_con_free:krb5-auth-con-free-free-a-krb5-auth-context-structure}\label{appdev/refs/api/krb5_auth_con_free::doc}\index{krb5\_auth\_con\_free (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_free:c.krb5_auth_con_free}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context to be freed + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 (always) + +\end{itemize} + +\end{description}\end{quote} + +This function frees an auth context allocated by {\hyperref[appdev/refs/api/krb5_auth_con_init:c.krb5_auth_con_init]{\code{krb5\_auth\_con\_init()}}} . + + +\subsubsection{krb5\_auth\_con\_genaddrs - Generate auth context addresses from a connected socket.} +\label{appdev/refs/api/krb5_auth_con_genaddrs::doc}\label{appdev/refs/api/krb5_auth_con_genaddrs:krb5-auth-con-genaddrs-generate-auth-context-addresses-from-a-connected-socket}\index{krb5\_auth\_con\_genaddrs (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_genaddrs:c.krb5_auth_con_genaddrs}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_genaddrs}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, int\emph{ infd}, int\emph{ flags}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{infd} - Connected socket descriptor + +\textbf{{[}in{]}} \textbf{flags} - Flags + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function sets the local and/or remote addresses in \emph{auth\_context} based on the local and remote endpoints of the socket \emph{infd} . The following flags determine the operations performed: +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR]{\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR}}} Generate local address. + +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR]{\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR}}} Generate remote address. + +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR]{\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR}}} Generate local address and port. + +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR]{\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR}}} Generate remote address and port. + +\end{itemize} + + +\subsubsection{krb5\_auth\_con\_get\_checksum\_func - Get the checksum callback from an auth context.} +\label{appdev/refs/api/krb5_auth_con_get_checksum_func::doc}\label{appdev/refs/api/krb5_auth_con_get_checksum_func:krb5-auth-con-get-checksum-func-get-the-checksum-callback-from-an-auth-context}\index{krb5\_auth\_con\_get\_checksum\_func (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_get_checksum_func:c.krb5_auth_con_get_checksum_func}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_get\_checksum\_func}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_mk_req_checksum_func:c.krb5_mk_req_checksum_func]{krb5\_mk\_req\_checksum\_func}} *\emph{ func}, void **\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}out{]}} \textbf{func} - Checksum callback + +\textbf{{[}out{]}} \textbf{data} - Callback argument + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 (always) + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_auth\_con\_getaddrs - Retrieve address fields from an auth context.} +\label{appdev/refs/api/krb5_auth_con_getaddrs:krb5-auth-con-getaddrs-retrieve-address-fields-from-an-auth-context}\label{appdev/refs/api/krb5_auth_con_getaddrs::doc}\index{krb5\_auth\_con\_getaddrs (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getaddrs:c.krb5_auth_con_getaddrs}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getaddrs}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} **\emph{ local\_addr}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} **\emph{ remote\_addr}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}out{]}} \textbf{local\_addr} - Local address (NULL if not needed) + +\textbf{{[}out{]}} \textbf{remote\_addr} - Remote address (NULL if not needed) + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_auth\_con\_getauthenticator - Retrieve the authenticator from an auth context.} +\label{appdev/refs/api/krb5_auth_con_getauthenticator:krb5-auth-con-getauthenticator-retrieve-the-authenticator-from-an-auth-context}\label{appdev/refs/api/krb5_auth_con_getauthenticator::doc}\index{krb5\_auth\_con\_getauthenticator (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getauthenticator:c.krb5_auth_con_getauthenticator}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getauthenticator}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_authenticator:c.krb5_authenticator]{krb5\_authenticator}} **\emph{ authenticator}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}out{]}} \textbf{authenticator} - Authenticator + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success. Otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_free_authenticator:c.krb5_free_authenticator]{\code{krb5\_free\_authenticator()}}} to free \emph{authenticator} when it is no longer needed. + + +\subsubsection{krb5\_auth\_con\_getflags - Retrieve flags from a krb5\_auth\_context structure.} +\label{appdev/refs/api/krb5_auth_con_getflags:krb5-auth-con-getflags-retrieve-flags-from-a-krb5-auth-context-structure}\label{appdev/refs/api/krb5_auth_con_getflags::doc}\index{krb5\_auth\_con\_getflags (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getflags:c.krb5_auth_con_getflags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getflags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} *\emph{ flags}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}out{]}} \textbf{flags} - Flags bit mask + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 (always) + +\end{itemize} + +\end{description}\end{quote} + +Valid values for \emph{flags} are: +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} Use timestamps + +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} Save timestamps + +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} Use sequence numbers + +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} Save sequence numbers + +\end{itemize} + + +\subsubsection{krb5\_auth\_con\_getkey - Retrieve the session key from an auth context as a keyblock.} +\label{appdev/refs/api/krb5_auth_con_getkey::doc}\label{appdev/refs/api/krb5_auth_con_getkey:krb5-auth-con-getkey-retrieve-the-session-key-from-an-auth-context-as-a-keyblock}\index{krb5\_auth\_con\_getkey (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getkey:c.krb5_auth_con_getkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ keyblock}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}out{]}} \textbf{keyblock} - Session key + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success. Otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a keyblock containing the session key from \emph{auth\_context} . Use {\hyperref[appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock]{\code{krb5\_free\_keyblock()}}} to free \emph{keyblock} when it is no longer needed + + +\subsubsection{krb5\_auth\_con\_getkey\_k - Retrieve the session key from an auth context.} +\label{appdev/refs/api/krb5_auth_con_getkey_k:krb5-auth-con-getkey-k-retrieve-the-session-key-from-an-auth-context}\label{appdev/refs/api/krb5_auth_con_getkey_k::doc}\index{krb5\_auth\_con\_getkey\_k (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getkey_k:c.krb5_auth_con_getkey_k}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getkey\_k}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}} *\emph{ key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}out{]}} \textbf{key} - Session key + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 (always) + +\end{itemize} + +\end{description}\end{quote} + +This function sets \emph{key} to the session key from \emph{auth\_context} . Use {\hyperref[appdev/refs/api/krb5_k_free_key:c.krb5_k_free_key]{\code{krb5\_k\_free\_key()}}} to release \emph{key} when it is no longer needed. + + +\subsubsection{krb5\_auth\_con\_getlocalseqnumber - Retrieve the local sequence number from an auth context.} +\label{appdev/refs/api/krb5_auth_con_getlocalseqnumber::doc}\label{appdev/refs/api/krb5_auth_con_getlocalseqnumber:krb5-auth-con-getlocalseqnumber-retrieve-the-local-sequence-number-from-an-auth-context}\index{krb5\_auth\_con\_getlocalseqnumber (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getlocalseqnumber:c.krb5_auth_con_getlocalseqnumber}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getlocalseqnumber}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} *\emph{ seqnumber}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}out{]}} \textbf{seqnumber} - Local sequence number + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Retrieve the local sequence number from \emph{auth\_context} and return it in \emph{seqnumber} . The {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} flag must be set in \emph{auth\_context} for this function to be useful. + + +\subsubsection{krb5\_auth\_con\_getrcache - Retrieve the replay cache from an auth context.} +\label{appdev/refs/api/krb5_auth_con_getrcache:krb5-auth-con-getrcache-retrieve-the-replay-cache-from-an-auth-context}\label{appdev/refs/api/krb5_auth_con_getrcache::doc}\index{krb5\_auth\_con\_getrcache (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getrcache:c.krb5_auth_con_getrcache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getrcache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_rcache:c.krb5_rcache]{krb5\_rcache}} *\emph{ rcache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}out{]}} \textbf{rcache} - Replay cache handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 (always) + +\end{itemize} + +\end{description}\end{quote} + +This function fetches the replay cache from \emph{auth\_context} . The caller should not close \emph{rcache} . + + +\subsubsection{krb5\_auth\_con\_getrecvsubkey - Retrieve the receiving subkey from an auth context as a keyblock.} +\label{appdev/refs/api/krb5_auth_con_getrecvsubkey:krb5-auth-con-getrecvsubkey-retrieve-the-receiving-subkey-from-an-auth-context-as-a-keyblock}\label{appdev/refs/api/krb5_auth_con_getrecvsubkey::doc}\index{krb5\_auth\_con\_getrecvsubkey (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getrecvsubkey:c.krb5_auth_con_getrecvsubkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getrecvsubkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ keyblock}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{ac} - Authentication context + +\textbf{{[}out{]}} \textbf{keyblock} - Receiving subkey + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a keyblock containing the receiving subkey from \emph{auth\_context} . Use {\hyperref[appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock]{\code{krb5\_free\_keyblock()}}} to free \emph{keyblock} when it is no longer needed. + + +\subsubsection{krb5\_auth\_con\_getrecvsubkey\_k - Retrieve the receiving subkey from an auth context as a keyblock.} +\label{appdev/refs/api/krb5_auth_con_getrecvsubkey_k:krb5-auth-con-getrecvsubkey-k-retrieve-the-receiving-subkey-from-an-auth-context-as-a-keyblock}\label{appdev/refs/api/krb5_auth_con_getrecvsubkey_k::doc}\index{krb5\_auth\_con\_getrecvsubkey\_k (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getrecvsubkey_k:c.krb5_auth_con_getrecvsubkey_k}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getrecvsubkey\_k}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}} *\emph{ key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{ac} - Authentication context + +\textbf{{[}out{]}} \textbf{key} - Receiving subkey + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function sets \emph{key} to the receiving subkey from \emph{auth\_context} . Use {\hyperref[appdev/refs/api/krb5_k_free_key:c.krb5_k_free_key]{\code{krb5\_k\_free\_key()}}} to release \emph{key} when it is no longer needed. + + +\subsubsection{krb5\_auth\_con\_getremoteseqnumber - Retrieve the remote sequence number from an auth context.} +\label{appdev/refs/api/krb5_auth_con_getremoteseqnumber:krb5-auth-con-getremoteseqnumber-retrieve-the-remote-sequence-number-from-an-auth-context}\label{appdev/refs/api/krb5_auth_con_getremoteseqnumber::doc}\index{krb5\_auth\_con\_getremoteseqnumber (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getremoteseqnumber:c.krb5_auth_con_getremoteseqnumber}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getremoteseqnumber}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} *\emph{ seqnumber}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}out{]}} \textbf{seqnumber} - Remote sequence number + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Retrieve the remote sequence number from \emph{auth\_context} and return it in \emph{seqnumber} . The {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} flag must be set in \emph{auth\_context} for this function to be useful. + + +\subsubsection{krb5\_auth\_con\_getsendsubkey - Retrieve the send subkey from an auth context as a keyblock.} +\label{appdev/refs/api/krb5_auth_con_getsendsubkey:krb5-auth-con-getsendsubkey-retrieve-the-send-subkey-from-an-auth-context-as-a-keyblock}\label{appdev/refs/api/krb5_auth_con_getsendsubkey::doc}\index{krb5\_auth\_con\_getsendsubkey (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getsendsubkey:c.krb5_auth_con_getsendsubkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getsendsubkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ keyblock}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{ac} - Authentication context + +\textbf{{[}out{]}} \textbf{keyblock} - Send subkey + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a keyblock containing the send subkey from \emph{auth\_context} . Use {\hyperref[appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock]{\code{krb5\_free\_keyblock()}}} to free \emph{keyblock} when it is no longer needed. + + +\subsubsection{krb5\_auth\_con\_getsendsubkey\_k - Retrieve the send subkey from an auth context.} +\label{appdev/refs/api/krb5_auth_con_getsendsubkey_k:krb5-auth-con-getsendsubkey-k-retrieve-the-send-subkey-from-an-auth-context}\label{appdev/refs/api/krb5_auth_con_getsendsubkey_k::doc}\index{krb5\_auth\_con\_getsendsubkey\_k (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getsendsubkey_k:c.krb5_auth_con_getsendsubkey_k}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getsendsubkey\_k}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}} *\emph{ key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{ac} - Authentication context + +\textbf{{[}out{]}} \textbf{key} - Send subkey + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function sets \emph{key} to the send subkey from \emph{auth\_context} . Use {\hyperref[appdev/refs/api/krb5_k_free_key:c.krb5_k_free_key]{\code{krb5\_k\_free\_key()}}} to release \emph{key} when it is no longer needed. + + +\subsubsection{krb5\_auth\_con\_init - Create and initialize an authentication context.} +\label{appdev/refs/api/krb5_auth_con_init:krb5-auth-con-init-create-and-initialize-an-authentication-context}\label{appdev/refs/api/krb5_auth_con_init::doc}\index{krb5\_auth\_con\_init (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_init:c.krb5_auth_con_init}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_init}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{auth\_context} - Authentication context + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates an authentication context to hold configuration and state relevant to krb5 functions for authenticating principals and protecting messages once authentication has occurred. + +By default, flags for the context are set to enable the use of the replay cache ( {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} ), but not sequence numbers. Use {\hyperref[appdev/refs/api/krb5_auth_con_setflags:c.krb5_auth_con_setflags]{\code{krb5\_auth\_con\_setflags()}}} to change the flags. + +The allocated \emph{auth\_context} must be freed with {\hyperref[appdev/refs/api/krb5_auth_con_free:c.krb5_auth_con_free]{\code{krb5\_auth\_con\_free()}}} when it is no longer needed. + + +\subsubsection{krb5\_auth\_con\_set\_checksum\_func - Set a checksum callback in an auth context.} +\label{appdev/refs/api/krb5_auth_con_set_checksum_func:krb5-auth-con-set-checksum-func-set-a-checksum-callback-in-an-auth-context}\label{appdev/refs/api/krb5_auth_con_set_checksum_func::doc}\index{krb5\_auth\_con\_set\_checksum\_func (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_set_checksum_func:c.krb5_auth_con_set_checksum_func}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_set\_checksum\_func}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_mk_req_checksum_func:c.krb5_mk_req_checksum_func]{krb5\_mk\_req\_checksum\_func}}\emph{ func}, void *\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{func} - Checksum callback + +\textbf{{[}in{]}} \textbf{data} - Callback argument + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 (always) + +\end{itemize} + +\end{description}\end{quote} + +Set a callback to obtain checksum data in {\hyperref[appdev/refs/api/krb5_mk_req:c.krb5_mk_req]{\code{krb5\_mk\_req()}}} . The callback will be invoked after the subkey and local sequence number are stored in \emph{auth\_context} . + + +\subsubsection{krb5\_auth\_con\_set\_req\_cksumtype - Set checksum type in an an auth context.} +\label{appdev/refs/api/krb5_auth_con_set_req_cksumtype:krb5-auth-con-set-req-cksumtype-set-checksum-type-in-an-an-auth-context}\label{appdev/refs/api/krb5_auth_con_set_req_cksumtype::doc}\index{krb5\_auth\_con\_set\_req\_cksumtype (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_set_req_cksumtype:c.krb5_auth_con_set_req_cksumtype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_set\_req\_cksumtype}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success. Otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function sets the checksum type in \emph{auth\_context} to be used by {\hyperref[appdev/refs/api/krb5_mk_req:c.krb5_mk_req]{\code{krb5\_mk\_req()}}} for the authenticator checksum. + + +\subsubsection{krb5\_auth\_con\_setaddrs - Set the local and remote addresses in an auth context.} +\label{appdev/refs/api/krb5_auth_con_setaddrs::doc}\label{appdev/refs/api/krb5_auth_con_setaddrs:krb5-auth-con-setaddrs-set-the-local-and-remote-addresses-in-an-auth-context}\index{krb5\_auth\_con\_setaddrs (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_setaddrs:c.krb5_auth_con_setaddrs}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setaddrs}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ local\_addr}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ remote\_addr}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{local\_addr} - Local address + +\textbf{{[}in{]}} \textbf{remote\_addr} - Remote address + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function releases the storage assigned to the contents of the local and remote addresses of \emph{auth\_context} and then sets them to \emph{local\_addr} and \emph{remote\_addr} respectively. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_auth_con_genaddrs:c.krb5_auth_con_genaddrs]{\code{krb5\_auth\_con\_genaddrs()}}} + + + + +\subsubsection{krb5\_auth\_con\_setflags - Set a flags field in a krb5\_auth\_context structure.} +\label{appdev/refs/api/krb5_auth_con_setflags:krb5-auth-con-setflags-set-a-flags-field-in-a-krb5-auth-context-structure}\label{appdev/refs/api/krb5_auth_con_setflags::doc}\index{krb5\_auth\_con\_setflags (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_setflags:c.krb5_auth_con_setflags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setflags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}}\emph{ flags}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{flags} - Flags bit mask + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 (always) + +\end{itemize} + +\end{description}\end{quote} + +Valid values for \emph{flags} are: +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} Use timestamps + +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} Save timestamps + +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} Use sequence numbers + +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} Save sequence numbers + +\end{itemize} + + +\subsubsection{krb5\_auth\_con\_setports - Set local and remote port fields in an auth context.} +\label{appdev/refs/api/krb5_auth_con_setports:krb5-auth-con-setports-set-local-and-remote-port-fields-in-an-auth-context}\label{appdev/refs/api/krb5_auth_con_setports::doc}\index{krb5\_auth\_con\_setports (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_setports:c.krb5_auth_con_setports}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setports}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ local\_port}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ remote\_port}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{local\_port} - Local port + +\textbf{{[}in{]}} \textbf{remote\_port} - Remote port + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function releases the storage assigned to the contents of the local and remote ports of \emph{auth\_context} and then sets them to \emph{local\_port} and \emph{remote\_port} respectively. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_auth_con_genaddrs:c.krb5_auth_con_genaddrs]{\code{krb5\_auth\_con\_genaddrs()}}} + + + + +\subsubsection{krb5\_auth\_con\_setrcache - Set the replay cache in an auth context.} +\label{appdev/refs/api/krb5_auth_con_setrcache::doc}\label{appdev/refs/api/krb5_auth_con_setrcache:krb5-auth-con-setrcache-set-the-replay-cache-in-an-auth-context}\index{krb5\_auth\_con\_setrcache (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_setrcache:c.krb5_auth_con_setrcache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setrcache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_rcache:c.krb5_rcache]{krb5\_rcache}}\emph{ rcache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{rcache} - Replay cache haddle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function sets the replay cache in \emph{auth\_context} to \emph{rcache} . \emph{rcache} will be closed when \emph{auth\_context} is freed, so the caller should relinguish that responsibility. + + +\subsubsection{krb5\_auth\_con\_setrecvsubkey - Set the receiving subkey in an auth context with a keyblock.} +\label{appdev/refs/api/krb5_auth_con_setrecvsubkey:krb5-auth-con-setrecvsubkey-set-the-receiving-subkey-in-an-auth-context-with-a-keyblock}\label{appdev/refs/api/krb5_auth_con_setrecvsubkey::doc}\index{krb5\_auth\_con\_setrecvsubkey (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_setrecvsubkey:c.krb5_auth_con_setrecvsubkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setrecvsubkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{ac} - Authentication context + +\textbf{{[}in{]}} \textbf{keyblock} - Receiving subkey + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function sets the receiving subkey in \emph{ac} to a copy of \emph{keyblock} . + + +\subsubsection{krb5\_auth\_con\_setrecvsubkey\_k - Set the receiving subkey in an auth context.} +\label{appdev/refs/api/krb5_auth_con_setrecvsubkey_k::doc}\label{appdev/refs/api/krb5_auth_con_setrecvsubkey_k:krb5-auth-con-setrecvsubkey-k-set-the-receiving-subkey-in-an-auth-context}\index{krb5\_auth\_con\_setrecvsubkey\_k (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_setrecvsubkey_k:c.krb5_auth_con_setrecvsubkey_k}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setrecvsubkey\_k}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{ac} - Authentication context + +\textbf{{[}in{]}} \textbf{key} - Receiving subkey + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function sets the receiving subkey in \emph{ac} to \emph{key} , incrementing its reference count. + +\begin{notice}{note}{Note:} +New in 1.9 +\end{notice} + + +\subsubsection{krb5\_auth\_con\_setsendsubkey - Set the send subkey in an auth context with a keyblock.} +\label{appdev/refs/api/krb5_auth_con_setsendsubkey::doc}\label{appdev/refs/api/krb5_auth_con_setsendsubkey:krb5-auth-con-setsendsubkey-set-the-send-subkey-in-an-auth-context-with-a-keyblock}\index{krb5\_auth\_con\_setsendsubkey (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_setsendsubkey:c.krb5_auth_con_setsendsubkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setsendsubkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{ac} - Authentication context + +\textbf{{[}in{]}} \textbf{keyblock} - Send subkey + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success. Otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function sets the send subkey in \emph{ac} to a copy of \emph{keyblock} . + + +\subsubsection{krb5\_auth\_con\_setsendsubkey\_k - Set the send subkey in an auth context.} +\label{appdev/refs/api/krb5_auth_con_setsendsubkey_k:krb5-auth-con-setsendsubkey-k-set-the-send-subkey-in-an-auth-context}\label{appdev/refs/api/krb5_auth_con_setsendsubkey_k::doc}\index{krb5\_auth\_con\_setsendsubkey\_k (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_setsendsubkey_k:c.krb5_auth_con_setsendsubkey_k}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setsendsubkey\_k}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{ac} - Authentication context + +\textbf{{[}out{]}} \textbf{key} - Send subkey + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function sets the send subkey in \emph{ac} to \emph{key} , incrementing its reference count. + +\begin{notice}{note}{Note:} +New in 1.9 +\end{notice} + + +\subsubsection{krb5\_auth\_con\_setuseruserkey - Set the session key in an auth context.} +\label{appdev/refs/api/krb5_auth_con_setuseruserkey::doc}\label{appdev/refs/api/krb5_auth_con_setuseruserkey:krb5-auth-con-setuseruserkey-set-the-session-key-in-an-auth-context}\index{krb5\_auth\_con\_setuseruserkey (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_setuseruserkey:c.krb5_auth_con_setuseruserkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setuseruserkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{keyblock} - User key + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_cc\_cache\_match - Find a credential cache with a specified client principal.} +\label{appdev/refs/api/krb5_cc_cache_match:krb5-cc-cache-match-find-a-credential-cache-with-a-specified-client-principal}\label{appdev/refs/api/krb5_cc_cache_match::doc}\index{krb5\_cc\_cache\_match (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_cache_match:c.krb5_cc_cache_match}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_cache\_match}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ cache\_out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{client} - Client principal + +\textbf{{[}out{]}} \textbf{cache\_out} - Credential cache handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +KRB5\_CC\_NOTFOUND None + +\end{itemize} + +\end{description}\end{quote} + +Find a cache within the collection whose default principal is \emph{client} . Use \emph{krb5\_cc\_close} to close \emph{ccache} when it is no longer needed. + +\begin{notice}{note}{Note:} +New in 1.10 +\end{notice} + + +\subsubsection{krb5\_cc\_copy\_creds - Copy a credential cache.} +\label{appdev/refs/api/krb5_cc_copy_creds::doc}\label{appdev/refs/api/krb5_cc_copy_creds:krb5-cc-copy-creds-copy-a-credential-cache}\index{krb5\_cc\_copy\_creds (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_copy_creds:c.krb5_cc_copy_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_copy\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ incc}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ outcc}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{incc} - Credential cache to be copied + +\textbf{{[}out{]}} \textbf{outcc} - Copy of credential cache to be filled in + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_cc\_end\_seq\_get - Finish a series of sequential processing credential cache entries.} +\label{appdev/refs/api/krb5_cc_end_seq_get:krb5-cc-end-seq-get-finish-a-series-of-sequential-processing-credential-cache-entries}\label{appdev/refs/api/krb5_cc_end_seq_get::doc}\index{krb5\_cc\_end\_seq\_get (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_end_seq_get:c.krb5_cc_end_seq_get}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_end\_seq\_get}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_cc_cursor:c.krb5_cc_cursor]{krb5\_cc\_cursor}} *\emph{ cursor}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\textbf{{[}in{]}} \textbf{cursor} - Cursor + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 (always) + +\end{itemize} + +\end{description}\end{quote} + +This function finishes processing credential cache entries and invalidates \emph{cursor} . + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_cc_start_seq_get:c.krb5_cc_start_seq_get]{\code{krb5\_cc\_start\_seq\_get()}}} , {\hyperref[appdev/refs/api/krb5_cc_next_cred:c.krb5_cc_next_cred]{\code{krb5\_cc\_next\_cred()}}} + + + + +\subsubsection{krb5\_cc\_get\_config - Get a configuration value from a credential cache.} +\label{appdev/refs/api/krb5_cc_get_config:krb5-cc-get-config-get-a-configuration-value-from-a-credential-cache}\label{appdev/refs/api/krb5_cc_get_config::doc}\index{krb5\_cc\_get\_config (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_get_config:c.krb5_cc_get_config}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_get\_config}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ id}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, const char *\emph{ key}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{id} - Credential cache handle + +\textbf{{[}in{]}} \textbf{principal} - Configuration for this principal; if NULL, global for the whole cache + +\textbf{{[}in{]}} \textbf{key} - Name of config variable + +\textbf{{[}out{]}} \textbf{data} - Data to be fetched + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{data} when it is no longer needed. + + +\subsubsection{krb5\_cc\_get\_flags - Retrieve flags from a credential cache structure.} +\label{appdev/refs/api/krb5_cc_get_flags:krb5-cc-get-flags-retrieve-flags-from-a-credential-cache-structure}\label{appdev/refs/api/krb5_cc_get_flags::doc}\index{krb5\_cc\_get\_flags (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_get_flags:c.krb5_cc_get_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_get\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} *\emph{ flags}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\textbf{{[}out{]}} \textbf{flags} - Flag bit mask + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +\begin{notice}{warning}{Warning:} +For memory credential cache always returns a flag mask of 0. +\end{notice} + + +\subsubsection{krb5\_cc\_get\_full\_name - Retrieve the full name of a credential cache.} +\label{appdev/refs/api/krb5_cc_get_full_name::doc}\label{appdev/refs/api/krb5_cc_get_full_name:krb5-cc-get-full-name-retrieve-the-full-name-of-a-credential-cache}\index{krb5\_cc\_get\_full\_name (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_get_full_name:c.krb5_cc_get_full_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_get\_full\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, char **\emph{ fullname\_out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\textbf{{[}out{]}} \textbf{fullname\_out} - Full name of cache + +\end{description}\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_free_string:c.krb5_free_string]{\code{krb5\_free\_string()}}} to free \emph{fullname\_out} when it is no longer needed. + +\begin{notice}{note}{Note:} +New in 1.10 +\end{notice} + + +\subsubsection{krb5\_cc\_last\_change\_time - Return a timestamp of the last modification to a credential cache.} +\label{appdev/refs/api/krb5_cc_last_change_time:krb5-cc-last-change-time-return-a-timestamp-of-the-last-modification-to-a-credential-cache}\label{appdev/refs/api/krb5_cc_last_change_time::doc}\index{krb5\_cc\_last\_change\_time (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_last_change_time:c.krb5_cc_last_change_time}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_last\_change\_time}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} *\emph{ change\_time}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle + +\textbf{{[}out{]}} \textbf{change\_time} - The last change time of \emph{ccache} + +\end{description}\end{quote} + +If an error occurs, \emph{change\_time} is set to 0. + + +\subsubsection{krb5\_cc\_lock - Lock a credential cache.} +\label{appdev/refs/api/krb5_cc_lock:krb5-cc-lock-lock-a-credential-cache}\label{appdev/refs/api/krb5_cc_lock::doc}\index{krb5\_cc\_lock (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_lock:c.krb5_cc_lock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_lock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_cc_unlock:c.krb5_cc_unlock]{\code{krb5\_cc\_unlock()}}} to unlock the lock. + + +\subsubsection{krb5\_cc\_move - Move a credential cache.} +\label{appdev/refs/api/krb5_cc_move:krb5-cc-move-move-a-credential-cache}\label{appdev/refs/api/krb5_cc_move::doc}\index{krb5\_cc\_move (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_move:c.krb5_cc_move}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_move}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ src}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ dst}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{src} - The credential cache to move the content from + +\textbf{{[}in{]}} \textbf{dst} - The credential cache to move the content to + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; src is closed. + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes; src is still allocated. + +\end{itemize} + +\end{description}\end{quote} + +This function reinitializes \emph{dst} and populates it with the credentials and default principal of \emph{src} ; then, if successful, destroys \emph{src} . + + +\subsubsection{krb5\_cc\_next\_cred - Retrieve the next entry from the credential cache.} +\label{appdev/refs/api/krb5_cc_next_cred::doc}\label{appdev/refs/api/krb5_cc_next_cred:krb5-cc-next-cred-retrieve-the-next-entry-from-the-credential-cache}\index{krb5\_cc\_next\_cred (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_next_cred:c.krb5_cc_next_cred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_next\_cred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_cc_cursor:c.krb5_cc_cursor]{krb5\_cc\_cursor}} *\emph{ cursor}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\textbf{{[}in{]}} \textbf{cursor} - Cursor + +\textbf{{[}out{]}} \textbf{creds} - Next credential cache entry + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function fills in \emph{creds} with the next entry in \emph{cache} and advances \emph{cursor} . + +Use {\hyperref[appdev/refs/api/krb5_free_cred_contents:c.krb5_free_cred_contents]{\code{krb5\_free\_cred\_contents()}}} to free \emph{creds} when it is no longer needed. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_cc_start_seq_get:c.krb5_cc_start_seq_get]{\code{krb5\_cc\_start\_seq\_get()}}} , krb5\_end\_seq\_get() + + + + +\subsubsection{krb5\_cc\_remove\_cred - Remove credentials from a credential cache.} +\label{appdev/refs/api/krb5_cc_remove_cred:krb5-cc-remove-cred-remove-credentials-from-a-credential-cache}\label{appdev/refs/api/krb5_cc_remove_cred::doc}\index{krb5\_cc\_remove\_cred (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_remove_cred:c.krb5_cc_remove_cred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_remove\_cred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ flags}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\textbf{{[}in{]}} \textbf{flags} - Bitwise-ORed search flags + +\textbf{{[}in{]}} \textbf{creds} - Credentials to be matched + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +KRB5\_CC\_NOSUPP Not implemented for this cache type + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +No matches found; Data cannot be deleted; Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function accepts the same flag values as {\hyperref[appdev/refs/api/krb5_cc_retrieve_cred:c.krb5_cc_retrieve_cred]{\code{krb5\_cc\_retrieve\_cred()}}} . + +\begin{notice}{warning}{Warning:} +This function is not implemented for some cache types. +\end{notice} + + +\subsubsection{krb5\_cc\_retrieve\_cred - Retrieve a specified credentials from a credential cache.} +\label{appdev/refs/api/krb5_cc_retrieve_cred:krb5-cc-retrieve-cred-retrieve-a-specified-credentials-from-a-credential-cache}\label{appdev/refs/api/krb5_cc_retrieve_cred::doc}\index{krb5\_cc\_retrieve\_cred (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_retrieve_cred:c.krb5_cc_retrieve_cred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_retrieve\_cred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ flags}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ mcreds}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\textbf{{[}in{]}} \textbf{flags} - Flags bit mask + +\textbf{{[}in{]}} \textbf{mcreds} - Credentials to match + +\textbf{{[}out{]}} \textbf{creds} - Credentials matching the requested value + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function searches a credential cache for credentials matching \emph{mcreds} and returns it if found. + +Valid values for \emph{flags} are: +\begin{quote} +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_TIMES:KRB5_TC_MATCH_TIMES]{\code{KRB5\_TC\_MATCH\_TIMES}}} The requested lifetime must be at least as great as in \emph{mcreds} . + +\item {} +{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY:KRB5_TC_MATCH_IS_SKEY]{\code{KRB5\_TC\_MATCH\_IS\_SKEY}}} The \emph{is\_skey} field much match exactly. + +\item {} +{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_FLAGS:KRB5_TC_MATCH_FLAGS]{\code{KRB5\_TC\_MATCH\_FLAGS}}} Flags set in \emph{mcreds} must be set. + +\item {} +{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT:KRB5_TC_MATCH_TIMES_EXACT]{\code{KRB5\_TC\_MATCH\_TIMES\_EXACT}}} The requested lifetime must match exactly. + +\item {} +{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT:KRB5_TC_MATCH_FLAGS_EXACT]{\code{KRB5\_TC\_MATCH\_FLAGS\_EXACT}}} Flags must match exactly. + +\item {} +{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA:KRB5_TC_MATCH_AUTHDATA]{\code{KRB5\_TC\_MATCH\_AUTHDATA}}} The authorization data must match. + +\item {} +{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY:KRB5_TC_MATCH_SRV_NAMEONLY]{\code{KRB5\_TC\_MATCH\_SRV\_NAMEONLY}}} Only the name portion of the principal name must match, not the realm. + +\item {} +{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT:KRB5_TC_MATCH_2ND_TKT]{\code{KRB5\_TC\_MATCH\_2ND\_TKT}}} The second tickets must match. + +\item {} +{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_KTYPE:KRB5_TC_MATCH_KTYPE]{\code{KRB5\_TC\_MATCH\_KTYPE}}} The encryption key types must match. + +\item {} +{\hyperref[appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES:KRB5_TC_SUPPORTED_KTYPES]{\code{KRB5\_TC\_SUPPORTED\_KTYPES}}} Check all matching entries that have any supported encryption type and return the one with the encryption type listed earliest. + +\end{itemize} + +Use {\hyperref[appdev/refs/api/krb5_free_cred_contents:c.krb5_free_cred_contents]{\code{krb5\_free\_cred\_contents()}}} to free \emph{creds} when it is no longer needed. +\end{quote} + + +\subsubsection{krb5\_cc\_select - Select a credential cache to use with a server principal.} +\label{appdev/refs/api/krb5_cc_select::doc}\label{appdev/refs/api/krb5_cc_select:krb5-cc-select-select-a-credential-cache-to-use-with-a-server-principal}\index{krb5\_cc\_select (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_select:c.krb5_cc_select}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_select}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ cache\_out}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ princ\_out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{server} - Server principal + +\textbf{{[}out{]}} \textbf{cache\_out} - Credential cache handle + +\textbf{{[}out{]}} \textbf{princ\_out} - Client principal + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +If an appropriate cache is found, 0 is returned, cache\_out is set to the selected cache, and princ\_out is set to the default principal of that cache. + +\end{itemize} + +\end{description}\end{quote} + +Select a cache within the collection containing credentials most appropriate for use with \emph{server} , according to configured rules and heuristics. + +Use {\hyperref[appdev/refs/api/krb5_cc_close:c.krb5_cc_close]{\code{krb5\_cc\_close()}}} to release \emph{cache\_out} when it is no longer needed. Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to release \emph{princ\_out} when it is no longer needed. Note that \emph{princ\_out} is set in some error conditions. + +If the appropriate client principal can be authoritatively determined but the cache collection contains no credentials for that principal, then KRB5\_CC\_NOTFOUND is returned, \emph{cache\_out} is set to NULL, and \emph{princ\_out} is set to the appropriate client principal. + +If no configured mechanism can determine the appropriate cache or principal, KRB5\_CC\_NOTFOUND is returned and \emph{cache\_out} and \emph{princ\_out} are set to NULL. + +Any other error code indicates a fatal error in the processing of a cache selection mechanism. + +\begin{notice}{note}{Note:} +New in 1.10 +\end{notice} + + +\subsubsection{krb5\_cc\_set\_config - Store a configuration value in a credential cache.} +\label{appdev/refs/api/krb5_cc_set_config::doc}\label{appdev/refs/api/krb5_cc_set_config:krb5-cc-set-config-store-a-configuration-value-in-a-credential-cache}\index{krb5\_cc\_set\_config (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_set_config:c.krb5_cc_set_config}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_set\_config}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ id}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, const char *\emph{ key}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{id} - Credential cache handle + +\textbf{{[}in{]}} \textbf{principal} - Configuration for a specific principal; if NULL, global for the whole cache + +\textbf{{[}in{]}} \textbf{key} - Name of config variable + +\textbf{{[}in{]}} \textbf{data} - Data to store, or NULL to remove + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +\begin{notice}{warning}{Warning:} +Before version 1.10 \emph{data} was assumed to be always non-null. +\end{notice} + +\begin{notice}{note}{Note:} +Existing configuration under the same key is over-written. +\end{notice} + + +\subsubsection{krb5\_cc\_set\_default\_name - Set the default credential cache name.} +\label{appdev/refs/api/krb5_cc_set_default_name:krb5-cc-set-default-name-set-the-default-credential-cache-name}\label{appdev/refs/api/krb5_cc_set_default_name::doc}\index{krb5\_cc\_set\_default\_name (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_set_default_name:c.krb5_cc_set_default_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_set\_default\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ name}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{name} - Default credential cache name or NULL + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +KV5M\_CONTEXT Bad magic number for \_krb5\_context structure + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Set the default credential cache name to \emph{name} for future operations using \emph{context} . If \emph{name} is NULL, clear any previous application-set default name and forget any cached value of the default name for \emph{context} . + +Calls to this function invalidate the result of any previous calls to {\hyperref[appdev/refs/api/krb5_cc_default_name:c.krb5_cc_default_name]{\code{krb5\_cc\_default\_name()}}} using \emph{context} . + + +\subsubsection{krb5\_cc\_set\_flags - Set options flags on a credential cache.} +\label{appdev/refs/api/krb5_cc_set_flags:krb5-cc-set-flags-set-options-flags-on-a-credential-cache}\label{appdev/refs/api/krb5_cc_set_flags::doc}\index{krb5\_cc\_set\_flags (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_set_flags:c.krb5_cc_set_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_set\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ flags}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\textbf{{[}in{]}} \textbf{flags} - Flag bit mask + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function resets \emph{cache} flags to \emph{flags} . + + +\subsubsection{krb5\_cc\_start\_seq\_get - Prepare to sequentially read every credential in a credential cache.} +\label{appdev/refs/api/krb5_cc_start_seq_get::doc}\label{appdev/refs/api/krb5_cc_start_seq_get:krb5-cc-start-seq-get-prepare-to-sequentially-read-every-credential-in-a-credential-cache}\index{krb5\_cc\_start\_seq\_get (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_start_seq_get:c.krb5_cc_start_seq_get}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_start\_seq\_get}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_cc_cursor:c.krb5_cc_cursor]{krb5\_cc\_cursor}} *\emph{ cursor}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\textbf{{[}out{]}} \textbf{cursor} - Cursor + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} +\begin{quote} + +{\hyperref[appdev/refs/api/krb5_cc_end_seq_get:c.krb5_cc_end_seq_get]{\code{krb5\_cc\_end\_seq\_get()}}} must be called to complete the retrieve operation. +\end{quote} + +\begin{notice}{note}{Note:} +If \emph{cache} is modified between the time of the call to this function and the time of the final {\hyperref[appdev/refs/api/krb5_cc_end_seq_get:c.krb5_cc_end_seq_get]{\code{krb5\_cc\_end\_seq\_get()}}} , the results are undefined. +\end{notice} + + +\subsubsection{krb5\_cc\_store\_cred - Store credentials in a credential cache.} +\label{appdev/refs/api/krb5_cc_store_cred:krb5-cc-store-cred-store-credentials-in-a-credential-cache}\label{appdev/refs/api/krb5_cc_store_cred::doc}\index{krb5\_cc\_store\_cred (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_store_cred:c.krb5_cc_store_cred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_store\_cred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\textbf{{[}in{]}} \textbf{creds} - Credentials to be stored in cache + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Permission errors; storage failure errors; Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function stores \emph{creds} into \emph{cache} . If \emph{creds-\textgreater{}server} and the server in the decoded ticket \emph{creds-\textgreater{}ticket} differ, the credentials will be stored under both server principal names. + + +\subsubsection{krb5\_cc\_support\_switch - Determine whether a credential cache type supports switching.} +\label{appdev/refs/api/krb5_cc_support_switch::doc}\label{appdev/refs/api/krb5_cc_support_switch:krb5-cc-support-switch-determine-whether-a-credential-cache-type-supports-switching}\index{krb5\_cc\_support\_switch (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_support_switch:c.krb5_cc_support_switch}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_cc\_support\_switch}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ type}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{type} - Credential cache type + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +TRUE if type supports switching + +\item {} +FALSE if it does not or is not a valid credential cache type. + +\end{itemize} + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +New in 1.10 +\end{notice} + + +\subsubsection{krb5\_cc\_switch - Make a credential cache the primary cache for its collection.} +\label{appdev/refs/api/krb5_cc_switch::doc}\label{appdev/refs/api/krb5_cc_switch:krb5-cc-switch-make-a-credential-cache-the-primary-cache-for-its-collection}\index{krb5\_cc\_switch (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_switch:c.krb5_cc_switch}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_switch}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cache} - Credential cache handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success, or the type of cache doesn't support switching + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +If the type of \emph{cache} supports it, set \emph{cache} to be the primary credential cache for the collection it belongs to. + + +\subsubsection{krb5\_cc\_unlock - Unlock a credential cache.} +\label{appdev/refs/api/krb5_cc_unlock:krb5-cc-unlock-unlock-a-credential-cache}\label{appdev/refs/api/krb5_cc_unlock::doc}\index{krb5\_cc\_unlock (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_unlock:c.krb5_cc_unlock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_unlock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function unlocks the \emph{ccache} locked by {\hyperref[appdev/refs/api/krb5_cc_lock:c.krb5_cc_lock]{\code{krb5\_cc\_lock()}}} . + + +\subsubsection{krb5\_cccol\_cursor\_free - Free a credential cache collection cursor.} +\label{appdev/refs/api/krb5_cccol_cursor_free::doc}\label{appdev/refs/api/krb5_cccol_cursor_free:krb5-cccol-cursor-free-free-a-credential-cache-collection-cursor}\index{krb5\_cccol\_cursor\_free (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cccol_cursor_free:c.krb5_cccol_cursor_free}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_cursor\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cccol_cursor:c.krb5_cccol_cursor]{krb5\_cccol\_cursor}} *\emph{ cursor}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cursor} - Cursor + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_cccol_cursor_new:c.krb5_cccol_cursor_new]{\code{krb5\_cccol\_cursor\_new()}}} , {\hyperref[appdev/refs/api/krb5_cccol_cursor_next:c.krb5_cccol_cursor_next]{\code{krb5\_cccol\_cursor\_next()}}} + + + + +\subsubsection{krb5\_cccol\_cursor\_new - Prepare to iterate over the collection of known credential caches.} +\label{appdev/refs/api/krb5_cccol_cursor_new::doc}\label{appdev/refs/api/krb5_cccol_cursor_new:krb5-cccol-cursor-new-prepare-to-iterate-over-the-collection-of-known-credential-caches}\index{krb5\_cccol\_cursor\_new (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cccol_cursor_new:c.krb5_cccol_cursor_new}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_cursor\_new}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cccol_cursor:c.krb5_cccol_cursor]{krb5\_cccol\_cursor}} *\emph{ cursor}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{cursor} - Cursor + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Get a new cache iteration \emph{cursor} that will iterate over all known credential caches independent of type. + +Use {\hyperref[appdev/refs/api/krb5_cccol_cursor_free:c.krb5_cccol_cursor_free]{\code{krb5\_cccol\_cursor\_free()}}} to release \emph{cursor} when it is no longer needed. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_cccol_cursor_next:c.krb5_cccol_cursor_next]{\code{krb5\_cccol\_cursor\_next()}}} + + + + +\subsubsection{krb5\_cccol\_cursor\_next - Get the next credential cache in the collection.} +\label{appdev/refs/api/krb5_cccol_cursor_next::doc}\label{appdev/refs/api/krb5_cccol_cursor_next:krb5-cccol-cursor-next-get-the-next-credential-cache-in-the-collection}\index{krb5\_cccol\_cursor\_next (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cccol_cursor_next:c.krb5_cccol_cursor_next}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_cursor\_next}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cccol_cursor:c.krb5_cccol_cursor]{krb5\_cccol\_cursor}}\emph{ cursor}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ ccache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cursor} - Cursor + +\textbf{{[}out{]}} \textbf{ccache} - Credential cache handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_cc_close:c.krb5_cc_close]{\code{krb5\_cc\_close()}}} to close \emph{ccache} when it is no longer needed. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_cccol_cursor_new:c.krb5_cccol_cursor_new]{\code{krb5\_cccol\_cursor\_new()}}} , {\hyperref[appdev/refs/api/krb5_cccol_cursor_free:c.krb5_cccol_cursor_free]{\code{krb5\_cccol\_cursor\_free()}}} + + + +\begin{notice}{note}{Note:} +When all caches are iterated over and the end of the list is reached, \emph{ccache} is set to NULL. +\end{notice} + + +\subsubsection{krb5\_cccol\_have\_content - Check if the credential cache collection contains any credentials.} +\label{appdev/refs/api/krb5_cccol_have_content:krb5-cccol-have-content-check-if-the-credential-cache-collection-contains-any-credentials}\label{appdev/refs/api/krb5_cccol_have_content::doc}\index{krb5\_cccol\_have\_content (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cccol_have_content:c.krb5_cccol_have_content}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_have\_content}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Credentials are available in the collection + +\item {} +KRB5\_CC\_NOTFOUND The collection contains no credentials + +\end{itemize} + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +New in 1.11 +\end{notice} + + +\subsubsection{krb5\_cccol\_last\_change\_time - Return a timestamp of the last modification of any known credential cache.} +\label{appdev/refs/api/krb5_cccol_last_change_time:krb5-cccol-last-change-time-return-a-timestamp-of-the-last-modification-of-any-known-credential-cache}\label{appdev/refs/api/krb5_cccol_last_change_time::doc}\index{krb5\_cccol\_last\_change\_time (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cccol_last_change_time:c.krb5_cccol_last_change_time}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_last\_change\_time}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} *\emph{ change\_time}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{change\_time} - Last modification timestamp + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function returns the most recent modification time of any known credential cache, ignoring any caches which cannot supply a last modification time. + +If there are no known credential caches, \emph{change\_time} is set to 0. + + +\subsubsection{krb5\_cccol\_lock - Acquire a global lock for credential caches.} +\label{appdev/refs/api/krb5_cccol_lock::doc}\label{appdev/refs/api/krb5_cccol_lock:krb5-cccol-lock-acquire-a-global-lock-for-credential-caches}\index{krb5\_cccol\_lock (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cccol_lock:c.krb5_cccol_lock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_lock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function locks the global credential cache collection, ensuring that no ccaches are added to or removed from it until the collection lock is released. + +Use {\hyperref[appdev/refs/api/krb5_cccol_unlock:c.krb5_cccol_unlock]{\code{krb5\_cccol\_unlock()}}} to unlock the lock. + + +\subsubsection{krb5\_cccol\_unlock - Release a global lock for credential caches.} +\label{appdev/refs/api/krb5_cccol_unlock:krb5-cccol-unlock-release-a-global-lock-for-credential-caches}\label{appdev/refs/api/krb5_cccol_unlock::doc}\index{krb5\_cccol\_unlock (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cccol_unlock:c.krb5_cccol_unlock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_unlock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function unlocks the lock from {\hyperref[appdev/refs/api/krb5_cccol_lock:c.krb5_cccol_lock]{\code{krb5\_cccol\_lock()}}} . + + +\subsubsection{krb5\_clear\_error\_message - Clear the extended error message in a context.} +\label{appdev/refs/api/krb5_clear_error_message:krb5-clear-error-message-clear-the-extended-error-message-in-a-context}\label{appdev/refs/api/krb5_clear_error_message::doc}\index{krb5\_clear\_error\_message (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_clear_error_message:c.krb5_clear_error_message}\pysiglinewithargsret{void \bfcode{krb5\_clear\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\end{description}\end{quote} + +This function unsets the extended error message in a context, to ensure that it is not mistakenly applied to another occurrence of the same error code. + + +\subsubsection{krb5\_check\_clockskew - Check if a timestamp is within the allowed clock skew of the current time.} +\label{appdev/refs/api/krb5_check_clockskew:krb5-check-clockskew-check-if-a-timestamp-is-within-the-allowed-clock-skew-of-the-current-time}\label{appdev/refs/api/krb5_check_clockskew::doc}\index{krb5\_check\_clockskew (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_check_clockskew:c.krb5_check_clockskew}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_check\_clockskew}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}}\emph{ date}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{date} - Timestamp to check + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +KRB5KRB\_AP\_ERR\_SKEW date is not within allowable clock skew + +\end{itemize} + +\end{description}\end{quote} + +This function checks if \emph{date} is close enough to the current time according to the configured allowable clock skew. + +\begin{notice}{note}{Note:} +New in 1.10 +\end{notice} + + +\subsubsection{krb5\_copy\_addresses - Copy an array of addresses.} +\label{appdev/refs/api/krb5_copy_addresses:krb5-copy-addresses-copy-an-array-of-addresses}\label{appdev/refs/api/krb5_copy_addresses::doc}\index{krb5\_copy\_addresses (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_copy_addresses:c.krb5_copy_addresses}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_addresses}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *const *\emph{ inaddr}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ***\emph{ outaddr}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{inaddr} - Array of addresses to be copied + +\textbf{{[}out{]}} \textbf{outaddr} - Copy of array of addresses + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a new address array containing a copy of \emph{inaddr} . Use {\hyperref[appdev/refs/api/krb5_free_addresses:c.krb5_free_addresses]{\code{krb5\_free\_addresses()}}} to free \emph{outaddr} when it is no longer needed. + + +\subsubsection{krb5\_copy\_authdata - Copy an authorization data list.} +\label{appdev/refs/api/krb5_copy_authdata:krb5-copy-authdata-copy-an-authorization-data-list}\label{appdev/refs/api/krb5_copy_authdata::doc}\index{krb5\_copy\_authdata (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_copy_authdata:c.krb5_copy_authdata}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_authdata}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ in\_authdat}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{in\_authdat} - List of \emph{krb5\_authdata} structures + +\textbf{{[}out{]}} \textbf{out} - New array of \emph{krb5\_authdata} structures + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a new authorization data list containing a copy of \emph{in\_authdat} , which must be null-terminated. Use {\hyperref[appdev/refs/api/krb5_free_authdata:c.krb5_free_authdata]{\code{krb5\_free\_authdata()}}} to free \emph{out} when it is no longer needed. + +\begin{notice}{note}{Note:} +The last array entry in \emph{in\_authdat} must be a NULL pointer. +\end{notice} + + +\subsubsection{krb5\_copy\_authenticator - Copy a krb5\_authenticator structure.} +\label{appdev/refs/api/krb5_copy_authenticator:krb5-copy-authenticator-copy-a-krb5-authenticator-structure}\label{appdev/refs/api/krb5_copy_authenticator::doc}\index{krb5\_copy\_authenticator (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_copy_authenticator:c.krb5_copy_authenticator}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_authenticator}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_authenticator:c.krb5_authenticator]{krb5\_authenticator}} *\emph{ authfrom}, {\hyperref[appdev/refs/types/krb5_authenticator:c.krb5_authenticator]{krb5\_authenticator}} **\emph{ authto}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{authfrom} - krb5\_authenticator structure to be copied + +\textbf{{[}out{]}} \textbf{authto} - Copy of krb5\_authenticator structure + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a new krb5\_authenticator structure with the content of \emph{authfrom} . Use {\hyperref[appdev/refs/api/krb5_free_authenticator:c.krb5_free_authenticator]{\code{krb5\_free\_authenticator()}}} to free \emph{authto} when it is no longer needed. + + +\subsubsection{krb5\_copy\_checksum - Copy a krb5\_checksum structure.} +\label{appdev/refs/api/krb5_copy_checksum:krb5-copy-checksum-copy-a-krb5-checksum-structure}\label{appdev/refs/api/krb5_copy_checksum::doc}\index{krb5\_copy\_checksum (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_copy_checksum:c.krb5_copy_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ ckfrom}, {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} **\emph{ ckto}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ckfrom} - Checksum to be copied + +\textbf{{[}out{]}} \textbf{ckto} - Copy of krb5\_checksum structure + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a new krb5\_checksum structure with the contents of \emph{ckfrom} . Use {\hyperref[appdev/refs/api/krb5_free_checksum:c.krb5_free_checksum]{\code{krb5\_free\_checksum()}}} to free \emph{ckto} when it is no longer needed. + + +\subsubsection{krb5\_copy\_context - Copy a krb5\_context structure.} +\label{appdev/refs/api/krb5_copy_context:krb5-copy-context-copy-a-krb5-context-structure}\label{appdev/refs/api/krb5_copy_context::doc}\index{krb5\_copy\_context (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_copy_context:c.krb5_copy_context}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_context}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}} *\emph{ nctx\_out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}out{]}} \textbf{nctx\_out} - New context structure + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +The newly created context must be released by calling {\hyperref[appdev/refs/api/krb5_free_context:c.krb5_free_context]{\code{krb5\_free\_context()}}} when it is no longer needed. + + +\subsubsection{krb5\_copy\_creds - Copy a krb5\_creds structure.} +\label{appdev/refs/api/krb5_copy_creds:krb5-copy-creds-copy-a-krb5-creds-structure}\label{appdev/refs/api/krb5_copy_creds::doc}\index{krb5\_copy\_creds (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_copy_creds:c.krb5_copy_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ incred}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ outcred}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{incred} - Credentials structure to be copied + +\textbf{{[}out{]}} \textbf{outcred} - Copy of \emph{incred} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a new credential with the contents of \emph{incred} . Use {\hyperref[appdev/refs/api/krb5_free_creds:c.krb5_free_creds]{\code{krb5\_free\_creds()}}} to free \emph{outcred} when it is no longer needed. + + +\subsubsection{krb5\_copy\_data - Copy a krb5\_data object.} +\label{appdev/refs/api/krb5_copy_data:krb5-copy-data-copy-a-krb5-data-object}\label{appdev/refs/api/krb5_copy_data::doc}\index{krb5\_copy\_data (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_copy_data:c.krb5_copy_data}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_data}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ indata}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} **\emph{ outdata}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{indata} - Data object to be copied + +\textbf{{[}out{]}} \textbf{outdata} - Copy of \emph{indata} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a new krb5\_data object with the contents of \emph{indata} . Use {\hyperref[appdev/refs/api/krb5_free_data:c.krb5_free_data]{\code{krb5\_free\_data()}}} to free \emph{outdata} when it is no longer needed. + + +\subsubsection{krb5\_copy\_error\_message - Copy the most recent extended error message from one context to another.} +\label{appdev/refs/api/krb5_copy_error_message:krb5-copy-error-message-copy-the-most-recent-extended-error-message-from-one-context-to-another}\label{appdev/refs/api/krb5_copy_error_message::doc}\index{krb5\_copy\_error\_message (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_copy_error_message:c.krb5_copy_error_message}\pysiglinewithargsret{void \bfcode{krb5\_copy\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ dest\_ctx}, {\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ src\_ctx}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{dest\_ctx} - Library context to copy message to + +\textbf{{[}in{]}} \textbf{src\_ctx} - Library context with current message + +\end{description}\end{quote} + + +\subsubsection{krb5\_copy\_keyblock - Copy a keyblock.} +\label{appdev/refs/api/krb5_copy_keyblock:krb5-copy-keyblock-copy-a-keyblock}\label{appdev/refs/api/krb5_copy_keyblock::doc}\index{krb5\_copy\_keyblock (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_copy_keyblock:c.krb5_copy_keyblock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_keyblock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ from}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ to}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{from} - Keyblock to be copied + +\textbf{{[}out{]}} \textbf{to} - Copy of keyblock \emph{from} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a new keyblock with the same contents as \emph{from} . Use {\hyperref[appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock]{\code{krb5\_free\_keyblock()}}} to free \emph{to} when it is no longer needed. + + +\subsubsection{krb5\_copy\_keyblock\_contents - Copy the contents of a keyblock.} +\label{appdev/refs/api/krb5_copy_keyblock_contents:krb5-copy-keyblock-contents-copy-the-contents-of-a-keyblock}\label{appdev/refs/api/krb5_copy_keyblock_contents::doc}\index{krb5\_copy\_keyblock\_contents (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_copy_keyblock_contents:c.krb5_copy_keyblock_contents}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_keyblock\_contents}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ from}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ to}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{from} - Key to be copied + +\textbf{{[}out{]}} \textbf{to} - Output key + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function copies the contents of \emph{from} to \emph{to} . Use {\hyperref[appdev/refs/api/krb5_free_keyblock_contents:c.krb5_free_keyblock_contents]{\code{krb5\_free\_keyblock\_contents()}}} to free \emph{to} when it is no longer needed. + + +\subsubsection{krb5\_copy\_principal - Copy a principal.} +\label{appdev/refs/api/krb5_copy_principal:krb5-copy-principal-copy-a-principal}\label{appdev/refs/api/krb5_copy_principal::doc}\index{krb5\_copy\_principal (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_copy_principal:c.krb5_copy_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ inprinc}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ outprinc}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{inprinc} - Principal to be copied + +\textbf{{[}out{]}} \textbf{outprinc} - Copy of \emph{inprinc} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a new principal structure with the contents of \emph{inprinc} . Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free \emph{outprinc} when it is no longer needed. + + +\subsubsection{krb5\_copy\_ticket - Copy a krb5\_ticket structure.} +\label{appdev/refs/api/krb5_copy_ticket:krb5-copy-ticket-copy-a-krb5-ticket-structure}\label{appdev/refs/api/krb5_copy_ticket::doc}\index{krb5\_copy\_ticket (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_copy_ticket:c.krb5_copy_ticket}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_ticket}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} *\emph{ from}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} **\emph{ pto}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{from} - Ticket to be copied + +\textbf{{[}out{]}} \textbf{pto} - Copy of ticket + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a new krb5\_ticket structure containing the contents of \emph{from} . Use {\hyperref[appdev/refs/api/krb5_free_ticket:c.krb5_free_ticket]{\code{krb5\_free\_ticket()}}} to free \emph{pto} when it is no longer needed. + + +\subsubsection{krb5\_find\_authdata - Find authorization data elements.} +\label{appdev/refs/api/krb5_find_authdata:krb5-find-authdata-find-authorization-data-elements}\label{appdev/refs/api/krb5_find_authdata::doc}\index{krb5\_find\_authdata (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_find_authdata:c.krb5_find_authdata}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_find\_authdata}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ ticket\_authdata}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ ap\_req\_authdata}, {\hyperref[appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype]{krb5\_authdatatype}}\emph{ ad\_type}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ results}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ticket\_authdata} - Authorization data list from ticket + +\textbf{{[}in{]}} \textbf{ap\_req\_authdata} - Authorization data list from AP request + +\textbf{{[}in{]}} \textbf{ad\_type} - Authorization data type to find + +\textbf{{[}out{]}} \textbf{results} - List of matching entries + +\end{description}\end{quote} + +This function searches \emph{ticket\_authdata} and \emph{ap\_req\_authdata} for elements of type \emph{ad\_type} . Either input list may be NULL, in which case it will not be searched; otherwise, the input lists must be terminated by NULL entries. This function will search inside AD-IF-RELEVANT containers if found in either list. Use {\hyperref[appdev/refs/api/krb5_free_authdata:c.krb5_free_authdata]{\code{krb5\_free\_authdata()}}} to free \emph{results} when it is no longer needed. + +\begin{notice}{note}{Note:} +New in 1.10 +\end{notice} + + +\subsubsection{krb5\_free\_addresses - Free the data stored in array of addresses.} +\label{appdev/refs/api/krb5_free_addresses:krb5-free-addresses-free-the-data-stored-in-array-of-addresses}\label{appdev/refs/api/krb5_free_addresses::doc}\index{krb5\_free\_addresses (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_addresses:c.krb5_free_addresses}\pysiglinewithargsret{void \bfcode{krb5\_free\_addresses}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} **\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Array of addresses to be freed + +\end{description}\end{quote} + +This function frees the contents of \emph{val} and the array itself. + +\begin{notice}{note}{Note:} +The last entry in the array must be a NULL pointer. +\end{notice} + + +\subsubsection{krb5\_free\_ap\_rep\_enc\_part - Free a krb5\_ap\_rep\_enc\_part structure.} +\label{appdev/refs/api/krb5_free_ap_rep_enc_part:krb5-free-ap-rep-enc-part-free-a-krb5-ap-rep-enc-part-structure}\label{appdev/refs/api/krb5_free_ap_rep_enc_part::doc}\index{krb5\_free\_ap\_rep\_enc\_part (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_ap_rep_enc_part:c.krb5_free_ap_rep_enc_part}\pysiglinewithargsret{void \bfcode{krb5\_free\_ap\_rep\_enc\_part}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part]{krb5\_ap\_rep\_enc\_part}} *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - AP-REP enc part to be freed + +\end{description}\end{quote} + +This function frees the contents of \emph{val} and the structure itself. + + +\subsubsection{krb5\_free\_authdata - Free the storage assigned to array of authentication data.} +\label{appdev/refs/api/krb5_free_authdata::doc}\label{appdev/refs/api/krb5_free_authdata:krb5-free-authdata-free-the-storage-assigned-to-array-of-authentication-data}\index{krb5\_free\_authdata (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_authdata:c.krb5_free_authdata}\pysiglinewithargsret{void \bfcode{krb5\_free\_authdata}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} **\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Array of authentication data to be freed + +\end{description}\end{quote} + +This function frees the contents of \emph{val} and the array itself. + +\begin{notice}{note}{Note:} +The last entry in the array must be a NULL pointer. +\end{notice} + + +\subsubsection{krb5\_free\_authenticator - Free a krb5\_authenticator structure.} +\label{appdev/refs/api/krb5_free_authenticator:krb5-free-authenticator-free-a-krb5-authenticator-structure}\label{appdev/refs/api/krb5_free_authenticator::doc}\index{krb5\_free\_authenticator (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_authenticator:c.krb5_free_authenticator}\pysiglinewithargsret{void \bfcode{krb5\_free\_authenticator}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authenticator:c.krb5_authenticator]{krb5\_authenticator}} *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Authenticator structure to be freed + +\end{description}\end{quote} + +This function frees the contents of \emph{val} and the structure itself. + + +\subsubsection{krb5\_free\_cred\_contents - Free the contents of a krb5\_creds structure.} +\label{appdev/refs/api/krb5_free_cred_contents::doc}\label{appdev/refs/api/krb5_free_cred_contents:krb5-free-cred-contents-free-the-contents-of-a-krb5-creds-structure}\index{krb5\_free\_cred\_contents (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_cred_contents:c.krb5_free_cred_contents}\pysiglinewithargsret{void \bfcode{krb5\_free\_cred\_contents}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Credential structure to free contents of + +\end{description}\end{quote} + +This function frees the contents of \emph{val} , but not the structure itself. + + +\subsubsection{krb5\_free\_creds - Free a krb5\_creds structure.} +\label{appdev/refs/api/krb5_free_creds::doc}\label{appdev/refs/api/krb5_free_creds:krb5-free-creds-free-a-krb5-creds-structure}\index{krb5\_free\_creds (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_creds:c.krb5_free_creds}\pysiglinewithargsret{void \bfcode{krb5\_free\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Credential structure to be freed. + +\end{description}\end{quote} + +This function frees the contents of \emph{val} and the structure itself. + + +\subsubsection{krb5\_free\_data - Free a krb5\_data structure.} +\label{appdev/refs/api/krb5_free_data:krb5-free-data-free-a-krb5-data-structure}\label{appdev/refs/api/krb5_free_data::doc}\index{krb5\_free\_data (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_data:c.krb5_free_data}\pysiglinewithargsret{void \bfcode{krb5\_free\_data}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Data structure to be freed + +\end{description}\end{quote} + +This function frees the contents of \emph{val} and the structure itself. + + +\subsubsection{krb5\_free\_data\_contents - Free the contents of a krb5\_data structure and zero the data field.} +\label{appdev/refs/api/krb5_free_data_contents:krb5-free-data-contents-free-the-contents-of-a-krb5-data-structure-and-zero-the-data-field}\label{appdev/refs/api/krb5_free_data_contents::doc}\index{krb5\_free\_data\_contents (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents}\pysiglinewithargsret{void \bfcode{krb5\_free\_data\_contents}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Data structure to free contents of + +\end{description}\end{quote} + +This function frees the contents of \emph{val} , but not the structure itself. + + +\subsubsection{krb5\_free\_default\_realm - Free a default realm string returned by krb5\_get\_default\_realm() .} +\label{appdev/refs/api/krb5_free_default_realm:krb5-free-default-realm-free-a-default-realm-string-returned-by-krb5-get-default-realm}\label{appdev/refs/api/krb5_free_default_realm::doc}\index{krb5\_free\_default\_realm (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_default_realm:c.krb5_free_default_realm}\pysiglinewithargsret{void \bfcode{krb5\_free\_default\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, char *\emph{ lrealm}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{lrealm} - Realm to be freed + +\end{description}\end{quote} + + +\subsubsection{krb5\_free\_enctypes - Free an array of encryption types.} +\label{appdev/refs/api/krb5_free_enctypes::doc}\label{appdev/refs/api/krb5_free_enctypes:krb5-free-enctypes-free-an-array-of-encryption-types}\index{krb5\_free\_enctypes (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_enctypes:c.krb5_free_enctypes}\pysiglinewithargsret{void \bfcode{krb5\_free\_enctypes}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Array of enctypes to be freed + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +New in 1.12 +\end{notice} + + +\subsubsection{krb5\_free\_error - Free an error allocated by krb5\_read\_error() or krb5\_sendauth() .} +\label{appdev/refs/api/krb5_free_error::doc}\label{appdev/refs/api/krb5_free_error:krb5-free-error-free-an-error-allocated-by-krb5-read-error-or-krb5-sendauth}\index{krb5\_free\_error (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_error:c.krb5_free_error}\pysiglinewithargsret{void \bfcode{krb5\_free\_error}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_error:c.krb5_error]{krb5\_error}} *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Error data structure to be freed + +\end{description}\end{quote} + +This function frees the contents of \emph{val} and the structure itself. + + +\subsubsection{krb5\_free\_host\_realm - Free the memory allocated by krb5\_get\_host\_realm() .} +\label{appdev/refs/api/krb5_free_host_realm::doc}\label{appdev/refs/api/krb5_free_host_realm:krb5-free-host-realm-free-the-memory-allocated-by-krb5-get-host-realm}\index{krb5\_free\_host\_realm (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_host_realm:c.krb5_free_host_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_free\_host\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, char *const *\emph{ realmlist}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{realmlist} - List of realm names to be released + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_free\_keyblock - Free a krb5\_keyblock structure.} +\label{appdev/refs/api/krb5_free_keyblock:krb5-free-keyblock-free-a-krb5-keyblock-structure}\label{appdev/refs/api/krb5_free_keyblock::doc}\index{krb5\_free\_keyblock (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock}\pysiglinewithargsret{void \bfcode{krb5\_free\_keyblock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Keyblock to be freed + +\end{description}\end{quote} + +This function frees the contents of \emph{val} and the structure itself. + + +\subsubsection{krb5\_free\_keyblock\_contents - Free the contents of a krb5\_keyblock structure.} +\label{appdev/refs/api/krb5_free_keyblock_contents::doc}\label{appdev/refs/api/krb5_free_keyblock_contents:krb5-free-keyblock-contents-free-the-contents-of-a-krb5-keyblock-structure}\index{krb5\_free\_keyblock\_contents (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_keyblock_contents:c.krb5_free_keyblock_contents}\pysiglinewithargsret{void \bfcode{krb5\_free\_keyblock\_contents}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Keyblock to be freed + +\end{description}\end{quote} + +This function frees the contents of \emph{key} , but not the structure itself. + + +\subsubsection{krb5\_free\_keytab\_entry\_contents - Free the contents of a key table entry.} +\label{appdev/refs/api/krb5_free_keytab_entry_contents:krb5-free-keytab-entry-contents-free-the-contents-of-a-key-table-entry}\label{appdev/refs/api/krb5_free_keytab_entry_contents::doc}\index{krb5\_free\_keytab\_entry\_contents (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_keytab_entry_contents:c.krb5_free_keytab_entry_contents}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_free\_keytab\_entry\_contents}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry]{krb5\_keytab\_entry}} *\emph{ entry}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{entry} - Key table entry whose contents are to be freed + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +The pointer is not freed. +\end{notice} + + +\subsubsection{krb5\_free\_string - Free a string allocated by a krb5 function.} +\label{appdev/refs/api/krb5_free_string:krb5-free-string-free-a-string-allocated-by-a-krb5-function}\label{appdev/refs/api/krb5_free_string::doc}\index{krb5\_free\_string (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_string:c.krb5_free_string}\pysiglinewithargsret{void \bfcode{krb5\_free\_string}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, char *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - String to be freed + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +New in 1.10 +\end{notice} + + +\subsubsection{krb5\_free\_ticket - Free a ticket.} +\label{appdev/refs/api/krb5_free_ticket:krb5-free-ticket-free-a-ticket}\label{appdev/refs/api/krb5_free_ticket::doc}\index{krb5\_free\_ticket (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_ticket:c.krb5_free_ticket}\pysiglinewithargsret{void \bfcode{krb5\_free\_ticket}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Ticket to be freed + +\end{description}\end{quote} + +This function frees the contents of \emph{val} and the structure itself. + + +\subsubsection{krb5\_free\_unparsed\_name - Free a string representation of a principal.} +\label{appdev/refs/api/krb5_free_unparsed_name::doc}\label{appdev/refs/api/krb5_free_unparsed_name:krb5-free-unparsed-name-free-a-string-representation-of-a-principal}\index{krb5\_free\_unparsed\_name (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_unparsed_name:c.krb5_free_unparsed_name}\pysiglinewithargsret{void \bfcode{krb5\_free\_unparsed\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, char *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Name string to be freed + +\end{description}\end{quote} + + +\subsubsection{krb5\_get\_permitted\_enctypes - Return a list of encryption types permitted for session keys.} +\label{appdev/refs/api/krb5_get_permitted_enctypes:krb5-get-permitted-enctypes-return-a-list-of-encryption-types-permitted-for-session-keys}\label{appdev/refs/api/krb5_get_permitted_enctypes::doc}\index{krb5\_get\_permitted\_enctypes (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_permitted_enctypes:c.krb5_get_permitted_enctypes}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_permitted\_enctypes}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} **\emph{ ktypes}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{ktypes} - Zero-terminated list of encryption types + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function returns the list of encryption types permitted for session keys within \emph{context} , as determined by configuration or by a previous call to {\hyperref[appdev/refs/api/krb5_set_default_tgs_enctypes:c.krb5_set_default_tgs_enctypes]{\code{krb5\_set\_default\_tgs\_enctypes()}}} . + +Use {\hyperref[appdev/refs/api/krb5_free_enctypes:c.krb5_free_enctypes]{\code{krb5\_free\_enctypes()}}} to free \emph{ktypes} when it is no longer needed. + + +\subsubsection{krb5\_get\_server\_rcache - Generate a replay cache object for server use and open it.} +\label{appdev/refs/api/krb5_get_server_rcache:krb5-get-server-rcache-generate-a-replay-cache-object-for-server-use-and-open-it}\label{appdev/refs/api/krb5_get_server_rcache::doc}\index{krb5\_get\_server\_rcache (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_server_rcache:c.krb5_get_server_rcache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_server\_rcache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ piece}, {\hyperref[appdev/refs/types/krb5_rcache:c.krb5_rcache]{krb5\_rcache}} *\emph{ rcptr}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{piece} - Unique identifier for replay cache + +\textbf{{[}out{]}} \textbf{rcptr} - Handle to an open rcache + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function generates a replay cache name based on \emph{piece} and opens a handle to it. Typically \emph{piece} is the first component of the service principal name. Use krb5\_rc\_close() to close \emph{rcptr} when it is no longer needed. + + +\subsubsection{krb5\_get\_time\_offsets - Return the time offsets from the os context.} +\label{appdev/refs/api/krb5_get_time_offsets:krb5-get-time-offsets-return-the-time-offsets-from-the-os-context}\label{appdev/refs/api/krb5_get_time_offsets::doc}\index{krb5\_get\_time\_offsets (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_time_offsets:c.krb5_get_time_offsets}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_time\_offsets}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} *\emph{ seconds}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} *\emph{ microseconds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{seconds} - Time offset, seconds portion + +\textbf{{[}out{]}} \textbf{microseconds} - Time offset, microseconds portion + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function returns the time offsets in \emph{context} . + + +\subsubsection{krb5\_init\_context\_profile - Create a krb5 library context using a specified profile.} +\label{appdev/refs/api/krb5_init_context_profile:krb5-init-context-profile-create-a-krb5-library-context-using-a-specified-profile}\label{appdev/refs/api/krb5_init_context_profile::doc}\index{krb5\_init\_context\_profile (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_context_profile:c.krb5_init_context_profile}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_context\_profile}}{struct \_profile\_t *\emph{ profile}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ flags}, {\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}} *\emph{ context}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{profile} - Profile object (NULL to create default profile) + +\textbf{{[}in{]}} \textbf{flags} - Context initialization flags + +\textbf{{[}out{]}} \textbf{context} - Library context + +\end{description}\end{quote} + +Create a context structure, optionally using a specified profile and initialization flags. If \emph{profile} is NULL, the default profile will be created from config files. If \emph{profile} is non-null, a copy of it will be made for the new context; the caller should still clean up its copy. Valid flag values are: +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE:KRB5_INIT_CONTEXT_SECURE]{\code{KRB5\_INIT\_CONTEXT\_SECURE}}} Ignore environment variables + +\item {} +{\hyperref[appdev/refs/macros/KRB5_INIT_CONTEXT_KDC:KRB5_INIT_CONTEXT_KDC]{\code{KRB5\_INIT\_CONTEXT\_KDC}}} Use KDC configuration if creating profile + +\end{itemize} + + +\subsubsection{krb5\_init\_creds\_free - Free an initial credentials context.} +\label{appdev/refs/api/krb5_init_creds_free::doc}\label{appdev/refs/api/krb5_init_creds_free:krb5-init-creds-free-free-an-initial-credentials-context}\index{krb5\_init\_creds\_free (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_creds_free:c.krb5_init_creds_free}\pysiglinewithargsret{void \bfcode{krb5\_init\_creds\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context + +\end{description}\end{quote} + + +\subsubsection{krb5\_init\_creds\_get - Acquire credentials using an initial credentials context.} +\label{appdev/refs/api/krb5_init_creds_get::doc}\label{appdev/refs/api/krb5_init_creds_get:krb5-init-creds-get-acquire-credentials-using-an-initial-credentials-context}\index{krb5\_init\_creds\_get (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_creds_get:c.krb5_init_creds_get}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_get}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function synchronously obtains credentials using a context created by {\hyperref[appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init]{\code{krb5\_init\_creds\_init()}}} . On successful return, the credentials can be retrieved with {\hyperref[appdev/refs/api/krb5_init_creds_get_creds:c.krb5_init_creds_get_creds]{\code{krb5\_init\_creds\_get\_creds()}}} . + + +\subsubsection{krb5\_init\_creds\_get\_creds - Retrieve acquired credentials from an initial credentials context.} +\label{appdev/refs/api/krb5_init_creds_get_creds::doc}\label{appdev/refs/api/krb5_init_creds_get_creds:krb5-init-creds-get-creds-retrieve-acquired-credentials-from-an-initial-credentials-context}\index{krb5\_init\_creds\_get\_creds (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_creds_get_creds:c.krb5_init_creds_get_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_get\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context + +\textbf{{[}out{]}} \textbf{creds} - Acquired credentials + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function copies the acquired initial credentials from \emph{ctx} into \emph{creds} , after the successful completion of {\hyperref[appdev/refs/api/krb5_init_creds_get:c.krb5_init_creds_get]{\code{krb5\_init\_creds\_get()}}} or {\hyperref[appdev/refs/api/krb5_init_creds_step:c.krb5_init_creds_step]{\code{krb5\_init\_creds\_step()}}} . Use {\hyperref[appdev/refs/api/krb5_free_cred_contents:c.krb5_free_cred_contents]{\code{krb5\_free\_cred\_contents()}}} to free \emph{creds} when it is no longer needed. + + +\subsubsection{krb5\_init\_creds\_get\_error - Get the last error from KDC from an initial credentials context.} +\label{appdev/refs/api/krb5_init_creds_get_error:krb5-init-creds-get-error-get-the-last-error-from-kdc-from-an-initial-credentials-context}\label{appdev/refs/api/krb5_init_creds_get_error::doc}\index{krb5\_init\_creds\_get\_error (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_creds_get_error:c.krb5_init_creds_get_error}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_get\_error}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error:c.krb5_error]{krb5\_error}} **\emph{ error}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context + +\textbf{{[}out{]}} \textbf{error} - Error from KDC, or NULL if none was received + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_init\_creds\_get\_times - Retrieve ticket times from an initial credentials context.} +\label{appdev/refs/api/krb5_init_creds_get_times::doc}\label{appdev/refs/api/krb5_init_creds_get_times:krb5-init-creds-get-times-retrieve-ticket-times-from-an-initial-credentials-context}\index{krb5\_init\_creds\_get\_times (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_creds_get_times:c.krb5_init_creds_get_times}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_get\_times}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times]{krb5\_ticket\_times}} *\emph{ times}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context + +\textbf{{[}out{]}} \textbf{times} - Ticket times for acquired credentials + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +The initial credentials context must have completed obtaining credentials via either {\hyperref[appdev/refs/api/krb5_init_creds_get:c.krb5_init_creds_get]{\code{krb5\_init\_creds\_get()}}} or {\hyperref[appdev/refs/api/krb5_init_creds_step:c.krb5_init_creds_step]{\code{krb5\_init\_creds\_step()}}} . + + +\subsubsection{krb5\_init\_creds\_init - Create a context for acquiring initial credentials.} +\label{appdev/refs/api/krb5_init_creds_init::doc}\label{appdev/refs/api/krb5_init_creds_init:krb5-init-creds-init-create-a-context-for-acquiring-initial-credentials}\index{krb5\_init\_creds\_init (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_init}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_prompter_fct:c.krb5_prompter_fct]{krb5\_prompter\_fct}}\emph{ prompter}, void *\emph{ data}, {\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}}\emph{ start\_time}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ options}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}} *\emph{ ctx}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{client} - Client principal to get initial creds for + +\textbf{{[}in{]}} \textbf{prompter} - Prompter callback + +\textbf{{[}in{]}} \textbf{data} - Prompter callback argument + +\textbf{{[}in{]}} \textbf{start\_time} - Time when credentials become valid (0 for now) + +\textbf{{[}in{]}} \textbf{options} - Options structure (NULL for default) + +\textbf{{[}out{]}} \textbf{ctx} - New initial credentials context + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a new context for acquiring initial credentials. Use {\hyperref[appdev/refs/api/krb5_init_creds_free:c.krb5_init_creds_free]{\code{krb5\_init\_creds\_free()}}} to free \emph{ctx} when it is no longer needed. + + +\subsubsection{krb5\_init\_creds\_set\_keytab - Specify a keytab to use for acquiring initial credentials.} +\label{appdev/refs/api/krb5_init_creds_set_keytab:krb5-init-creds-set-keytab-specify-a-keytab-to-use-for-acquiring-initial-credentials}\label{appdev/refs/api/krb5_init_creds_set_keytab::doc}\index{krb5\_init\_creds\_set\_keytab (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_creds_set_keytab:c.krb5_init_creds_set_keytab}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_set\_keytab}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context + +\textbf{{[}in{]}} \textbf{keytab} - Key table handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function supplies a keytab containing the client key for an initial credentials request. + + +\subsubsection{krb5\_init\_creds\_set\_password - Set a password for acquiring initial credentials.} +\label{appdev/refs/api/krb5_init_creds_set_password:krb5-init-creds-set-password-set-a-password-for-acquiring-initial-credentials}\label{appdev/refs/api/krb5_init_creds_set_password::doc}\index{krb5\_init\_creds\_set\_password (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_creds_set_password:c.krb5_init_creds_set_password}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_set\_password}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, const char *\emph{ password}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context + +\textbf{{[}in{]}} \textbf{password} - Password + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function supplies a password to be used to construct the client key for an initial credentials request. + + +\subsubsection{krb5\_init\_creds\_set\_service - Specify a service principal for acquiring initial credentials.} +\label{appdev/refs/api/krb5_init_creds_set_service::doc}\label{appdev/refs/api/krb5_init_creds_set_service:krb5-init-creds-set-service-specify-a-service-principal-for-acquiring-initial-credentials}\index{krb5\_init\_creds\_set\_service (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_creds_set_service:c.krb5_init_creds_set_service}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_set\_service}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, const char *\emph{ service}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context + +\textbf{{[}in{]}} \textbf{service} - Service principal string + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. \emph{service} is parsed as a principal name; any realm part is ignored. + + +\subsubsection{krb5\_init\_creds\_step - Get the next KDC request for acquiring initial credentials.} +\label{appdev/refs/api/krb5_init_creds_step::doc}\label{appdev/refs/api/krb5_init_creds_step:krb5-init-creds-step-get-the-next-kdc-request-for-acquiring-initial-credentials}\index{krb5\_init\_creds\_step (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_creds_step:c.krb5_init_creds_step}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_step}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ out}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ realm}, unsigned int *\emph{ flags}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context + +\textbf{{[}in{]}} \textbf{in} - KDC response (empty on the first call) + +\textbf{{[}out{]}} \textbf{out} - Next KDC request + +\textbf{{[}out{]}} \textbf{realm} - Realm for next KDC request + +\textbf{{[}out{]}} \textbf{flags} - Output flags + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function constructs the next KDC request in an initial credential exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, \emph{in} should be set to an empty buffer; on subsequent calls, it should be set to the KDC's reply to the previous request. + +If more requests are needed, \emph{flags} will be set to {\hyperref[appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:KRB5_INIT_CREDS_STEP_FLAG_CONTINUE]{\code{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE}}} and the next request will be placed in \emph{out} . If no more requests are needed, \emph{flags} will not contain {\hyperref[appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:KRB5_INIT_CREDS_STEP_FLAG_CONTINUE]{\code{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE}}} and \emph{out} will be empty. + +If this function returns \textbf{KRB5KRB\_ERR\_RESPONSE\_TOO\_BIG} , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the initial credential exchange has failed. + + +\subsubsection{krb5\_init\_keyblock - Initialize an empty krb5\_keyblock .} +\label{appdev/refs/api/krb5_init_keyblock:krb5-init-keyblock-initialize-an-empty-krb5-keyblock}\label{appdev/refs/api/krb5_init_keyblock::doc}\index{krb5\_init\_keyblock (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_keyblock:c.krb5_init_keyblock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_keyblock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, size\_t\emph{ length}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}in{]}} \textbf{length} - Length of keyblock (or 0) + +\textbf{{[}out{]}} \textbf{out} - New keyblock structure + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Initialize a new keyblock and allocate storage for the contents of the key. It is legal to pass in a length of 0, in which case contents are left unallocated. Use {\hyperref[appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock]{\code{krb5\_free\_keyblock()}}} to free \emph{out} when it is no longer needed. + +\begin{notice}{note}{Note:} +If \emph{length} is set to 0, contents are left unallocated. +\end{notice} + + +\subsubsection{krb5\_is\_referral\_realm - Check for a match with KRB5\_REFERRAL\_REALM.} +\label{appdev/refs/api/krb5_is_referral_realm:krb5-is-referral-realm-check-for-a-match-with-krb5-referral-realm}\label{appdev/refs/api/krb5_is_referral_realm::doc}\index{krb5\_is\_referral\_realm (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_is_referral_realm:c.krb5_is_referral_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_is\_referral\_realm}}{const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ r}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{r} - Realm to check + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +TRUE if r is zero-length, FALSE otherwise + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_kt\_add\_entry - Add a new entry to a key table.} +\label{appdev/refs/api/krb5_kt_add_entry:krb5-kt-add-entry-add-a-new-entry-to-a-key-table}\label{appdev/refs/api/krb5_kt_add_entry::doc}\index{krb5\_kt\_add\_entry (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_add_entry:c.krb5_kt_add_entry}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_add\_entry}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ id}, {\hyperref[appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry]{krb5\_keytab\_entry}} *\emph{ entry}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{id} - Key table handle + +\textbf{{[}in{]}} \textbf{entry} - Entry to be added + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +ENOMEM Insufficient memory + +\item {} +KRB5\_KT\_NOWRITE Key table is not writeable + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_kt\_end\_seq\_get - Release a keytab cursor.} +\label{appdev/refs/api/krb5_kt_end_seq_get::doc}\label{appdev/refs/api/krb5_kt_end_seq_get:krb5-kt-end-seq-get-release-a-keytab-cursor}\index{krb5\_kt\_end\_seq\_get (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_end_seq_get:c.krb5_kt_end_seq_get}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_end\_seq\_get}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_kt_cursor:c.krb5_kt_cursor]{krb5\_kt\_cursor}} *\emph{ cursor}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{keytab} - Key table handle + +\textbf{{[}out{]}} \textbf{cursor} - Cursor + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function should be called to release the cursor created by {\hyperref[appdev/refs/api/krb5_kt_start_seq_get:c.krb5_kt_start_seq_get]{\code{krb5\_kt\_start\_seq\_get()}}} . + + +\subsubsection{krb5\_kt\_get\_entry - Get an entry from a key table.} +\label{appdev/refs/api/krb5_kt_get_entry:krb5-kt-get-entry-get-an-entry-from-a-key-table}\label{appdev/refs/api/krb5_kt_get_entry::doc}\index{krb5\_kt\_get\_entry (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_get_entry:c.krb5_kt_get_entry}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_get\_entry}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, {\hyperref[appdev/refs/types/krb5_kvno:c.krb5_kvno]{krb5\_kvno}}\emph{ vno}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry]{krb5\_keytab\_entry}} *\emph{ entry}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{keytab} - Key table handle + +\textbf{{[}in{]}} \textbf{principal} - Principal name + +\textbf{{[}in{]}} \textbf{vno} - Key version number (0 for highest available) + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type (0 zero for any enctype) + +\textbf{{[}out{]}} \textbf{entry} - Returned entry from key table + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +Kerberos error codes on failure + +\end{itemize} + +\end{description}\end{quote} + +Retrieve an entry from a key table which matches the \emph{keytab} , \emph{principal} , \emph{vno} , and \emph{enctype} . If \emph{vno} is zero, retrieve the highest-numbered kvno matching the other fields. If \emph{enctype} is 0, match any enctype. + +Use {\hyperref[appdev/refs/api/krb5_free_keytab_entry_contents:c.krb5_free_keytab_entry_contents]{\code{krb5\_free\_keytab\_entry\_contents()}}} to free \emph{entry} when it is no longer needed. + +\begin{notice}{note}{Note:} +If \emph{vno} is zero, the function retrieves the highest-numbered-kvno entry that matches the specified principal. +\end{notice} + + +\subsubsection{krb5\_kt\_have\_content - Check if a keytab exists and contains entries.} +\label{appdev/refs/api/krb5_kt_have_content::doc}\label{appdev/refs/api/krb5_kt_have_content:krb5-kt-have-content-check-if-a-keytab-exists-and-contains-entries}\index{krb5\_kt\_have\_content (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_have_content:c.krb5_kt_have_content}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_have\_content}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{keytab} - Key table handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Keytab exists and contains entries + +\item {} +KRB5\_KT\_NOTFOUND Keytab does not contain entries + +\end{itemize} + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +New in 1.11 +\end{notice} + + +\subsubsection{krb5\_kt\_next\_entry - Retrieve the next entry from the key table.} +\label{appdev/refs/api/krb5_kt_next_entry:krb5-kt-next-entry-retrieve-the-next-entry-from-the-key-table}\label{appdev/refs/api/krb5_kt_next_entry::doc}\index{krb5\_kt\_next\_entry (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_next_entry:c.krb5_kt_next_entry}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_next\_entry}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry]{krb5\_keytab\_entry}} *\emph{ entry}, {\hyperref[appdev/refs/types/krb5_kt_cursor:c.krb5_kt_cursor]{krb5\_kt\_cursor}} *\emph{ cursor}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{keytab} - Key table handle + +\textbf{{[}out{]}} \textbf{entry} - Returned key table entry + +\textbf{{[}in{]}} \textbf{cursor} - Key table cursor + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +KRB5\_KT\_END - if the last entry was reached + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Return the next sequential entry in \emph{keytab} and advance \emph{cursor} . Callers must release the returned entry with {\hyperref[appdev/refs/api/krb5_kt_free_entry:c.krb5_kt_free_entry]{\code{krb5\_kt\_free\_entry()}}} . + + +\subsubsection{krb5\_kt\_read\_service\_key - Retrieve a service key from a key table.} +\label{appdev/refs/api/krb5_kt_read_service_key::doc}\label{appdev/refs/api/krb5_kt_read_service_key:krb5-kt-read-service-key-retrieve-a-service-key-from-a-key-table}\index{krb5\_kt\_read\_service\_key (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_read_service_key:c.krb5_kt_read_service_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_read\_service\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ keyprocarg}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ principal}, {\hyperref[appdev/refs/types/krb5_kvno:c.krb5_kvno]{krb5\_kvno}}\emph{ vno}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{keyprocarg} - Name of a key table (NULL to use default name) + +\textbf{{[}in{]}} \textbf{principal} - Service principal + +\textbf{{[}in{]}} \textbf{vno} - Key version number (0 for highest available) + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type (0 for any type) + +\textbf{{[}out{]}} \textbf{key} - Service key from key table + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error code if not found or keyprocarg is invalid. + +\end{itemize} + +\end{description}\end{quote} + +Open and search the specified key table for the entry identified by \emph{principal} , \emph{enctype} , and \emph{vno} . If no key is found, return an error code. + +The default key table is used, unless \emph{keyprocarg} is non-null. \emph{keyprocarg} designates a specific key table. + +Use {\hyperref[appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock]{\code{krb5\_free\_keyblock()}}} to free \emph{key} when it is no longer needed. + + +\subsubsection{krb5\_kt\_remove\_entry - Remove an entry from a key table.} +\label{appdev/refs/api/krb5_kt_remove_entry::doc}\label{appdev/refs/api/krb5_kt_remove_entry:krb5-kt-remove-entry-remove-an-entry-from-a-key-table}\index{krb5\_kt\_remove\_entry (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_remove_entry:c.krb5_kt_remove_entry}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_remove\_entry}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ id}, {\hyperref[appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry]{krb5\_keytab\_entry}} *\emph{ entry}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{id} - Key table handle + +\textbf{{[}in{]}} \textbf{entry} - Entry to remove from key table + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +KRB5\_KT\_NOWRITE Key table is not writable + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_kt\_start\_seq\_get - Start a sequential retrieval of key table entries.} +\label{appdev/refs/api/krb5_kt_start_seq_get:krb5-kt-start-seq-get-start-a-sequential-retrieval-of-key-table-entries}\label{appdev/refs/api/krb5_kt_start_seq_get::doc}\index{krb5\_kt\_start\_seq\_get (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_start_seq_get:c.krb5_kt_start_seq_get}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_start\_seq\_get}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_kt_cursor:c.krb5_kt_cursor]{krb5\_kt\_cursor}} *\emph{ cursor}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{keytab} - Key table handle + +\textbf{{[}out{]}} \textbf{cursor} - Cursor + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Prepare to read sequentially every key in the specified key table. Use {\hyperref[appdev/refs/api/krb5_kt_end_seq_get:c.krb5_kt_end_seq_get]{\code{krb5\_kt\_end\_seq\_get()}}} to release the cursor when it is no longer needed. + + +\subsubsection{krb5\_make\_authdata\_kdc\_issued - Encode and sign AD-KDCIssued authorization data.} +\label{appdev/refs/api/krb5_make_authdata_kdc_issued:krb5-make-authdata-kdc-issued-encode-and-sign-ad-kdcissued-authorization-data}\label{appdev/refs/api/krb5_make_authdata_kdc_issued::doc}\index{krb5\_make\_authdata\_kdc\_issued (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_make_authdata_kdc_issued:c.krb5_make_authdata_kdc_issued}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_make\_authdata\_kdc\_issued}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ issuer}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ authdata}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ ad\_kdcissued}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Session key + +\textbf{{[}in{]}} \textbf{issuer} - The name of the issuing principal + +\textbf{{[}in{]}} \textbf{authdata} - List of authorization data to be signed + +\textbf{{[}out{]}} \textbf{ad\_kdcissued} - List containing AD-KDCIssued authdata + +\end{description}\end{quote} + +This function wraps a list of authorization data entries \emph{authdata} in an AD-KDCIssued container (see RFC 4120 section 5.2.6.2) signed with \emph{key} . The result is returned in \emph{ad\_kdcissued} as a single-element list. + + +\subsubsection{krb5\_merge\_authdata - Merge two authorization data lists into a new list.} +\label{appdev/refs/api/krb5_merge_authdata:krb5-merge-authdata-merge-two-authorization-data-lists-into-a-new-list}\label{appdev/refs/api/krb5_merge_authdata::doc}\index{krb5\_merge\_authdata (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_merge_authdata:c.krb5_merge_authdata}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_merge\_authdata}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ inauthdat1}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ inauthdat2}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ outauthdat}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{inauthdat1} - First list of \emph{krb5\_authdata} structures + +\textbf{{[}in{]}} \textbf{inauthdat2} - Second list of \emph{krb5\_authdata} structures + +\textbf{{[}out{]}} \textbf{outauthdat} - Merged list of \emph{krb5\_authdata} structures + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Merge two authdata arrays, such as the array from a ticket and authenticator. Use {\hyperref[appdev/refs/api/krb5_free_authdata:c.krb5_free_authdata]{\code{krb5\_free\_authdata()}}} to free \emph{outauthdat} when it is no longer needed. + +\begin{notice}{note}{Note:} +The last array entry in \emph{inauthdat1} and \emph{inauthdat2} must be a NULL pointer. +\end{notice} + + +\subsubsection{krb5\_mk\_1cred - Format a KRB-CRED message for a single set of credentials.} +\label{appdev/refs/api/krb5_mk_1cred:krb5-mk-1cred-format-a-krb-cred-message-for-a-single-set-of-credentials}\label{appdev/refs/api/krb5_mk_1cred::doc}\index{krb5\_mk\_1cred (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_mk_1cred:c.krb5_mk_1cred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_1cred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ pcreds}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} **\emph{ ppdata}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{pcreds} - Pointer to credentials + +\textbf{{[}out{]}} \textbf{ppdata} - Encoded credentials + +\textbf{{[}out{]}} \textbf{outdata} - Replay cache data (NULL if not needed) + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +ENOMEM Insufficient memory + +\item {} +KRB5\_RC\_REQUIRED Message replay detection requires rcache parameter + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This is a convenience function that calls {\hyperref[appdev/refs/api/krb5_mk_ncred:c.krb5_mk_ncred]{\code{krb5\_mk\_ncred()}}} with a single set of credentials. + + +\subsubsection{krb5\_mk\_error - Format and encode a KRB\_ERROR message.} +\label{appdev/refs/api/krb5_mk_error:krb5-mk-error-format-and-encode-a-krb-error-message}\label{appdev/refs/api/krb5_mk_error::doc}\index{krb5\_mk\_error (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_mk_error:c.krb5_mk_error}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_error}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_error:c.krb5_error]{krb5\_error}} *\emph{ dec\_err}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ enc\_err}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{dec\_err} - Error structure to be encoded + +\textbf{{[}out{]}} \textbf{enc\_err} - Encoded error structure + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates a \textbf{KRB\_ERROR} message in \emph{enc\_err} . Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{enc\_err} when it is no longer needed. + + +\subsubsection{krb5\_mk\_ncred - Format a KRB-CRED message for an array of credentials.} +\label{appdev/refs/api/krb5_mk_ncred::doc}\label{appdev/refs/api/krb5_mk_ncred:krb5-mk-ncred-format-a-krb-cred-message-for-an-array-of-credentials}\index{krb5\_mk\_ncred (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_mk_ncred:c.krb5_mk_ncred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_ncred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ ppcreds}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} **\emph{ ppdata}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{ppcreds} - Null-terminated array of credentials + +\textbf{{[}out{]}} \textbf{ppdata} - Encoded credentials + +\textbf{{[}out{]}} \textbf{outdata} - Replay cache information (NULL if not needed) + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +ENOMEM Insufficient memory + +\item {} +KRB5\_RC\_REQUIRED Message replay detection requires rcache parameter + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function takes an array of credentials \emph{ppcreds} and formats a \textbf{KRB-CRED} message \emph{ppdata} to pass to {\hyperref[appdev/refs/api/krb5_rd_cred:c.krb5_rd_cred]{\code{krb5\_rd\_cred()}}} . + +The message will be encrypted using the send subkey of \emph{auth\_context} if it is present, or the session key otherwise. + +\begin{notice}{note}{Note:} +If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} flag is set in \emph{auth\_context} , \emph{outdata} is required. +\end{notice} + + +\subsubsection{krb5\_mk\_priv - Format a KRB-PRIV message.} +\label{appdev/refs/api/krb5_mk_priv:krb5-mk-priv-format-a-krb-priv-message}\label{appdev/refs/api/krb5_mk_priv::doc}\index{krb5\_mk\_priv (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_mk_priv:c.krb5_mk_priv}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_priv}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ userdata}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{userdata} - User data for \textbf{KRB-PRIV} message + +\textbf{{[}out{]}} \textbf{outbuf} - Formatted \textbf{KRB-PRIV} message + +\textbf{{[}out{]}} \textbf{outdata} - Replay cache handle (NULL if not needed) + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function is similar to {\hyperref[appdev/refs/api/krb5_mk_safe:c.krb5_mk_safe]{\code{krb5\_mk\_safe()}}} , but the message is encrypted and integrity-protected, not just integrity-protected. + +The local address in \emph{auth\_context} must be set, and is used to form the sender address used in the KRB-SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message. +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} - Use timestamps in \emph{outdata} + +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} - Copy timestamp to \emph{outdata} . + +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} - Use local sequence numbers from \emph{auth\_context} in replay cache. + +\item {} +{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} - Use local sequence numbers from \emph{auth\_context} as a sequence number in the encrypted message \emph{outbuf} . + +\end{itemize} + +\begin{notice}{note}{Note:} +If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} flag is set in \emph{auth\_context} , the \emph{outdata} is required. + +The flags from \emph{auth\_context} specify whether sequence numbers or timestamps will be used to identify the message. Valid values are: +\end{notice} + + +\subsubsection{krb5\_mk\_rep - Format and encrypt a KRB\_AP\_REP message.} +\label{appdev/refs/api/krb5_mk_rep:krb5-mk-rep-format-and-encrypt-a-krb-ap-rep-message}\label{appdev/refs/api/krb5_mk_rep::doc}\index{krb5\_mk\_rep (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_mk_rep:c.krb5_mk_rep}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_rep}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}out{]}} \textbf{outbuf} - \textbf{AP-REP} message + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function fills in \emph{outbuf} with an AP-REP message using information from \emph{auth\_context} . + +If the flags in \emph{auth\_context} indicate that a sequence number should be used (either {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} ) and the local sequence number in \emph{auth\_context} is 0, a new number will be generated with krb5\_generate\_seq\_number(). + +Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{outbuf} when it is no longer needed. + + +\subsubsection{krb5\_mk\_rep\_dce - Format and encrypt a KRB\_AP\_REP message for DCE RPC.} +\label{appdev/refs/api/krb5_mk_rep_dce:krb5-mk-rep-dce-format-and-encrypt-a-krb-ap-rep-message-for-dce-rpc}\label{appdev/refs/api/krb5_mk_rep_dce::doc}\index{krb5\_mk\_rep\_dce (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_mk_rep_dce:c.krb5_mk_rep_dce}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_rep\_dce}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}out{]}} \textbf{outbuf} - \textbf{AP-REP} message + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{outbuf} when it is no longer needed. + + +\subsubsection{krb5\_mk\_req - Create a KRB\_AP\_REQ message.} +\label{appdev/refs/api/krb5_mk_req:krb5-mk-req-create-a-krb-ap-req-message}\label{appdev/refs/api/krb5_mk_req::doc}\index{krb5\_mk\_req (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_mk_req:c.krb5_mk_req}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_req}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ ap\_req\_options}, char *\emph{ service}, char *\emph{ hostname}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in\_data}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}inout{]}} \textbf{auth\_context} - Pre-existing or newly created auth context + +\textbf{{[}in{]}} \textbf{ap\_req\_options} - \code{AP\_OPTS} options + +\textbf{{[}in{]}} \textbf{service} - Service name, or NULL to use \textbf{``host''} + +\textbf{{[}in{]}} \textbf{hostname} - Host name, or NULL to use local hostname + +\textbf{{[}in{]}} \textbf{in\_data} - Application data to be checksummed in the authenticator, or NULL + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache used to obtain credentials for the desired service. + +\textbf{{[}out{]}} \textbf{outbuf} - \textbf{AP-REQ} message + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function is similar to {\hyperref[appdev/refs/api/krb5_mk_req_extended:c.krb5_mk_req_extended]{\code{krb5\_mk\_req\_extended()}}} except that it uses a given \emph{hostname} , \emph{service} , and \emph{ccache} to construct a service principal name and obtain credentials. + +Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{outbuf} when it is no longer needed. + + +\subsubsection{krb5\_mk\_req\_extended - Create a KRB\_AP\_REQ message using supplied credentials.} +\label{appdev/refs/api/krb5_mk_req_extended::doc}\label{appdev/refs/api/krb5_mk_req_extended:krb5-mk-req-extended-create-a-krb-ap-req-message-using-supplied-credentials}\index{krb5\_mk\_req\_extended (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_mk_req_extended:c.krb5_mk_req_extended}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_req\_extended}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ ap\_req\_options}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in\_data}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ in\_creds}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}inout{]}} \textbf{auth\_context} - Pre-existing or newly created auth context + +\textbf{{[}in{]}} \textbf{ap\_req\_options} - \code{AP\_OPTS} options + +\textbf{{[}in{]}} \textbf{in\_data} - Application data to be checksummed in the authenticator, or NULL + +\textbf{{[}in{]}} \textbf{in\_creds} - Credentials for the service with valid ticket and key + +\textbf{{[}out{]}} \textbf{outbuf} - \textbf{AP-REQ} message + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Valid \emph{ap\_req\_options} are: +\begin{quote} +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/AP_OPTS_USE_SESSION_KEY:AP_OPTS_USE_SESSION_KEY]{\code{AP\_OPTS\_USE\_SESSION\_KEY}}} - Use the session key when creating the request used for user to user authentication. + +\item {} +{\hyperref[appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:AP_OPTS_MUTUAL_REQUIRED]{\code{AP\_OPTS\_MUTUAL\_REQUIRED}}} - Request a mutual authentication packet from the reciever. + +\item {} +{\hyperref[appdev/refs/macros/AP_OPTS_USE_SUBKEY:AP_OPTS_USE_SUBKEY]{\code{AP\_OPTS\_USE\_SUBKEY}}} - Generate a subsession key from the current session key obtained from the credentials. + +\end{itemize} + +This function creates a KRB\_AP\_REQ message using supplied credentials \emph{in\_creds} . \emph{auth\_context} may point to an existing auth context or to NULL, in which case a new one will be created. If \emph{in\_data} is non-null, a checksum of it will be included in the authenticator contained in the KRB\_AP\_REQ message. Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{outbuf} when it is no longer needed. +\end{quote} + +On successful return, the authenticator is stored in \emph{auth\_context} with the \emph{client} and \emph{checksum} fields nulled out. (This is to prevent pointer-sharing problems; the caller should not need these fields anyway, since the caller supplied them.) + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_mk_req:c.krb5_mk_req]{\code{krb5\_mk\_req()}}} + + + + +\subsubsection{krb5\_mk\_safe - Format a KRB-SAFE message.} +\label{appdev/refs/api/krb5_mk_safe:krb5-mk-safe-format-a-krb-safe-message}\label{appdev/refs/api/krb5_mk_safe::doc}\index{krb5\_mk\_safe (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_mk_safe:c.krb5_mk_safe}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_safe}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ userdata}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{userdata} - User data in the message + +\textbf{{[}out{]}} \textbf{outbuf} - Formatted \textbf{KRB-SAFE} buffer + +\textbf{{[}out{]}} \textbf{outdata} - Replay data. Specify NULL if not needed + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function creates an integrity protected \textbf{KRB-SAFE} message using data supplied by the application. + +Fields in \emph{auth\_context} specify the checksum type, the keyblock that can be used to seed the checksum, full addresses (host and port) for the sender and receiver, and \code{KRB5\_AUTH\_CONTEXT} flags. + +The local address in \emph{auth\_context} must be set, and is used to form the sender address used in the KRB-SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message. + +If {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} flag is set in the \emph{auth\_context} , an entry describing the message is entered in the replay cache \emph{auth\_context-\textgreater{}rcache} which enables the caller to detect if this message is reflected by an attacker. If {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} is not set, the replay cache is not used. + +If either {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} is set, the \emph{auth\_context} local sequence number will be placed in \emph{outdata} as its sequence number. + +Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{outbuf} when it is no longer needed. + +\begin{notice}{note}{Note:} +The \emph{outdata} argument is required if {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} flag is set in the \emph{auth\_context} . +\end{notice} + + +\subsubsection{krb5\_os\_localaddr - Return all interface addresses for this host.} +\label{appdev/refs/api/krb5_os_localaddr:krb5-os-localaddr-return-all-interface-addresses-for-this-host}\label{appdev/refs/api/krb5_os_localaddr::doc}\index{krb5\_os\_localaddr (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_os_localaddr:c.krb5_os_localaddr}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_os\_localaddr}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ***\emph{ addr}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{addr} - Array of krb5\_address pointers, ending with NULL + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_free_addresses:c.krb5_free_addresses]{\code{krb5\_free\_addresses()}}} to free \emph{addr} when it is no longer needed. + + +\subsubsection{krb5\_pac\_add\_buffer - Add a buffer to a PAC handle.} +\label{appdev/refs/api/krb5_pac_add_buffer:krb5-pac-add-buffer-add-a-buffer-to-a-pac-handle}\label{appdev/refs/api/krb5_pac_add_buffer::doc}\index{krb5\_pac\_add\_buffer (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_pac_add_buffer:c.krb5_pac_add_buffer}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_add\_buffer}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}}\emph{ pac}, {\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}}\emph{ type}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{pac} - PAC handle + +\textbf{{[}in{]}} \textbf{type} - Buffer type + +\textbf{{[}in{]}} \textbf{data} - contents + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function adds a buffer of type \emph{type} and contents \emph{data} to \emph{pac} if there isn't already a buffer of this type present. + +The valid values of \emph{type} is one of the following: +\begin{itemize} +\item {} +{\hyperref[appdev/refs/macros/KRB5_PAC_LOGON_INFO:KRB5_PAC_LOGON_INFO]{\code{KRB5\_PAC\_LOGON\_INFO}}} - Logon information + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO:KRB5_PAC_CREDENTIALS_INFO]{\code{KRB5\_PAC\_CREDENTIALS\_INFO}}} - Credentials information + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM:KRB5_PAC_SERVER_CHECKSUM]{\code{KRB5\_PAC\_SERVER\_CHECKSUM}}} - Server checksum + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM:KRB5_PAC_PRIVSVR_CHECKSUM]{\code{KRB5\_PAC\_PRIVSVR\_CHECKSUM}}} - KDC checksum + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PAC_CLIENT_INFO:KRB5_PAC_CLIENT_INFO]{\code{KRB5\_PAC\_CLIENT\_INFO}}} - Client name and ticket information + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PAC_DELEGATION_INFO:KRB5_PAC_DELEGATION_INFO]{\code{KRB5\_PAC\_DELEGATION\_INFO}}} - Constrained delegation information + +\item {} +{\hyperref[appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO:KRB5_PAC_UPN_DNS_INFO]{\code{KRB5\_PAC\_UPN\_DNS\_INFO}}} - User principal name and DNS information + +\end{itemize} + + +\subsubsection{krb5\_pac\_free - Free a PAC handle.} +\label{appdev/refs/api/krb5_pac_free:krb5-pac-free-free-a-pac-handle}\label{appdev/refs/api/krb5_pac_free::doc}\index{krb5\_pac\_free (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_pac_free:c.krb5_pac_free}\pysiglinewithargsret{void \bfcode{krb5\_pac\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}}\emph{ pac}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{pac} - PAC to be freed + +\end{description}\end{quote} + +This function frees the contents of \emph{pac} and the structure itself. + + +\subsubsection{krb5\_pac\_get\_buffer - Retrieve a buffer value from a PAC.} +\label{appdev/refs/api/krb5_pac_get_buffer::doc}\label{appdev/refs/api/krb5_pac_get_buffer:krb5-pac-get-buffer-retrieve-a-buffer-value-from-a-pac}\index{krb5\_pac\_get\_buffer (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_pac_get_buffer:c.krb5_pac_get_buffer}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_get\_buffer}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}}\emph{ pac}, {\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}}\emph{ type}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{pac} - PAC handle + +\textbf{{[}in{]}} \textbf{type} - Type of buffer to retrieve + +\textbf{{[}out{]}} \textbf{data} - Buffer value + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{data} when it is no longer needed. + + +\subsubsection{krb5\_pac\_get\_types - Return an array of buffer types in a PAC handle.} +\label{appdev/refs/api/krb5_pac_get_types:krb5-pac-get-types-return-an-array-of-buffer-types-in-a-pac-handle}\label{appdev/refs/api/krb5_pac_get_types::doc}\index{krb5\_pac\_get\_types (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_pac_get_types:c.krb5_pac_get_types}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_get\_types}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}}\emph{ pac}, size\_t *\emph{ len}, {\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}} **\emph{ types}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{pac} - PAC handle + +\textbf{{[}out{]}} \textbf{len} - Number of entries in \emph{types} + +\textbf{{[}out{]}} \textbf{types} - Array of buffer types + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_pac\_init - Create an empty Privilege Attribute Certificate (PAC) handle.} +\label{appdev/refs/api/krb5_pac_init:krb5-pac-init-create-an-empty-privilege-attribute-certificate-pac-handle}\label{appdev/refs/api/krb5_pac_init::doc}\index{krb5\_pac\_init (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_pac_init:c.krb5_pac_init}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_init}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}} *\emph{ pac}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{pac} - New PAC handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_pac_free:c.krb5_pac_free]{\code{krb5\_pac\_free()}}} to free \emph{pac} when it is no longer needed. + + +\subsubsection{krb5\_pac\_parse - Unparse an encoded PAC into a new handle.} +\label{appdev/refs/api/krb5_pac_parse:krb5-pac-parse-unparse-an-encoded-pac-into-a-new-handle}\label{appdev/refs/api/krb5_pac_parse::doc}\index{krb5\_pac\_parse (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_pac_parse:c.krb5_pac_parse}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_parse}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const void *\emph{ ptr}, size\_t\emph{ len}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}} *\emph{ pac}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ptr} - PAC buffer + +\textbf{{[}in{]}} \textbf{len} - Length of \emph{ptr} + +\textbf{{[}out{]}} \textbf{pac} - PAC handle + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_pac_free:c.krb5_pac_free]{\code{krb5\_pac\_free()}}} to free \emph{pac} when it is no longer needed. + + +\subsubsection{krb5\_pac\_sign - Sign a PAC.} +\label{appdev/refs/api/krb5_pac_sign:krb5-pac-sign-sign-a-pac}\label{appdev/refs/api/krb5_pac_sign::doc}\index{krb5\_pac\_sign (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_pac_sign:c.krb5_pac_sign}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_sign}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}}\emph{ pac}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}}\emph{ authtime}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ server\_key}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ privsvr\_key}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{pac} - PAC handle + +\textbf{{[}in{]}} \textbf{authtime} - Expected timestamp + +\textbf{{[}in{]}} \textbf{principal} - Expected principal name (or NULL) + +\textbf{{[}in{]}} \textbf{server\_key} - Key for server checksum + +\textbf{{[}in{]}} \textbf{privsvr\_key} - Key for KDC checksum + +\textbf{{[}out{]}} \textbf{data} - Signed PAC encoding + +\end{description}\end{quote} + +This function signs \emph{pac} using the keys \emph{server\_key} and \emph{privsvr\_key} and returns the signed encoding in \emph{data} . \emph{pac} is modified to include the server and KDC checksum buffers. Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{data} when it is no longer needed. + +\begin{notice}{note}{Note:} +New in 1.10 +\end{notice} + + +\subsubsection{krb5\_pac\_verify - Verify a PAC.} +\label{appdev/refs/api/krb5_pac_verify::doc}\label{appdev/refs/api/krb5_pac_verify:krb5-pac-verify-verify-a-pac}\index{krb5\_pac\_verify (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_pac_verify:c.krb5_pac_verify}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_verify}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}}\emph{ pac}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}}\emph{ authtime}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ server}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ privsvr}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{pac} - PAC handle + +\textbf{{[}in{]}} \textbf{authtime} - Expected timestamp + +\textbf{{[}in{]}} \textbf{principal} - Expected principal name (or NULL) + +\textbf{{[}in{]}} \textbf{server} - Key to validate server checksum (or NULL) + +\textbf{{[}in{]}} \textbf{privsvr} - Key to validate KDC checksum (or NULL) + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function validates \emph{pac} against the supplied \emph{server} , \emph{privsvr} , \emph{principal} and \emph{authtime} . If \emph{principal} is NULL, the principal and authtime are not verified. If \emph{server} or \emph{privsvr} is NULL, the corresponding checksum is not verified. + +If successful, \emph{pac} is marked as verified. + +\begin{notice}{note}{Note:} +A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified. +\end{notice} + + +\subsubsection{krb5\_prepend\_error\_message - Add a prefix to the message for an error code.} +\label{appdev/refs/api/krb5_prepend_error_message:krb5-prepend-error-message-add-a-prefix-to-the-message-for-an-error-code}\label{appdev/refs/api/krb5_prepend_error_message::doc}\index{krb5\_prepend\_error\_message (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_prepend_error_message:c.krb5_prepend_error_message}\pysiglinewithargsret{void \bfcode{krb5\_prepend\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}, const char *\emph{ fmt}, ...}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{code} - Error code + +\textbf{{[}in{]}} \textbf{fmt} - Format string for error message prefix + +\end{description}\end{quote} + +Format a message and prepend it to the current message for \emph{code} . The prefix will be separated from the old message with a colon and space. + + +\subsubsection{krb5\_principal2salt - Convert a principal name into the default salt for that principal.} +\label{appdev/refs/api/krb5_principal2salt:krb5-principal2salt-convert-a-principal-name-into-the-default-salt-for-that-principal}\label{appdev/refs/api/krb5_principal2salt::doc}\index{krb5\_principal2salt (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_principal2salt:c.krb5_principal2salt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_principal2salt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ pr}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ ret}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{pr} - Principal name + +\textbf{{[}out{]}} \textbf{ret} - Default salt for \emph{pr} to be filled in + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_rd\_cred - Read and validate a KRB-CRED message.} +\label{appdev/refs/api/krb5_rd_cred:krb5-rd-cred-read-and-validate-a-krb-cred-message}\label{appdev/refs/api/krb5_rd_cred::doc}\index{krb5\_rd\_cred (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_rd_cred:c.krb5_rd_cred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_cred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ pcreddata}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} ***\emph{ pppcreds}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{pcreddata} - \textbf{KRB-CRED} message + +\textbf{{[}out{]}} \textbf{pppcreds} - Null-terminated array of forwarded credentials + +\textbf{{[}out{]}} \textbf{outdata} - Replay data (NULL if not needed) + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} +\begin{quote} + +\emph{pcreddata} will be decrypted using the receiving subkey if it is present in \emph{auth\_context} , or the session key if the receiving subkey is not present or fails to decrypt the message. +\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_free_tgt_creds:c.krb5_free_tgt_creds]{\code{krb5\_free\_tgt\_creds()}}} to free \emph{pppcreds} when it is no longer needed. + +\begin{notice}{note}{Note:} +The \emph{outdata} argument is required if {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} flag is set in the \emph{auth\_context} .{}` +\end{notice} + + +\subsubsection{krb5\_rd\_error - Decode a KRB-ERROR message.} +\label{appdev/refs/api/krb5_rd_error:krb5-rd-error-decode-a-krb-error-message}\label{appdev/refs/api/krb5_rd_error::doc}\index{krb5\_rd\_error (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_rd_error:c.krb5_rd_error}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_error}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ enc\_errbuf}, {\hyperref[appdev/refs/types/krb5_error:c.krb5_error]{krb5\_error}} **\emph{ dec\_error}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enc\_errbuf} - Encoded error message + +\textbf{{[}out{]}} \textbf{dec\_error} - Decoded error message + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function processes \textbf{KRB-ERROR} message \emph{enc\_errbuf} and returns an allocated structure \emph{dec\_error} containing the error message. Use {\hyperref[appdev/refs/api/krb5_free_error:c.krb5_free_error]{\code{krb5\_free\_error()}}} to free \emph{dec\_error} when it is no longer needed. + + +\subsubsection{krb5\_rd\_priv - Process a KRB-PRIV message.} +\label{appdev/refs/api/krb5_rd_priv:krb5-rd-priv-process-a-krb-priv-message}\label{appdev/refs/api/krb5_rd_priv::doc}\index{krb5\_rd\_priv (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_rd_priv:c.krb5_rd_priv}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_priv}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ inbuf}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication structure + +\textbf{{[}in{]}} \textbf{inbuf} - \textbf{KRB-PRIV} message to be parsed + +\textbf{{[}out{]}} \textbf{outbuf} - Data parsed from \textbf{KRB-PRIV} message + +\textbf{{[}out{]}} \textbf{outdata} - Replay data. Specify NULL if not needed + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function parses a \textbf{KRB-PRIV} message, verifies its integrity, and stores its unencrypted data into \emph{outbuf} . + +If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} flag is set in \emph{auth\_context} , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of \emph{auth\_context} . Otherwise, the sequence number is not used. + +If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} flag is set in \emph{auth\_context} , then two additional checks are performed: +\begin{itemize} +\item {} +The timestamp in the message must be within the permitted clock skew (which is usually five minutes). + +\item {} +The message must not be a replayed message field in \emph{auth\_context} . + +\end{itemize} + +\begin{notice}{note}{Note:} +If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} flag is set in \emph{auth\_context} , \emph{outdata} is required. + +\emph{auth\_context} must have a remote address set. This address will be used to verify the sender address in the KRB-PRIV message. If \emph{auth\_context} has a local address set, it will be used to verify the receiver address in the KRB-PRIV message if the message contains one. Both addresses must use type \textbf{ADDRTYPE\_ADDRPORT} . +\end{notice} + + +\subsubsection{krb5\_rd\_rep - Parse and decrypt a KRB\_AP\_REP message.} +\label{appdev/refs/api/krb5_rd_rep::doc}\label{appdev/refs/api/krb5_rd_rep:krb5-rd-rep-parse-and-decrypt-a-krb-ap-rep-message}\index{krb5\_rd\_rep (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_rd_rep:c.krb5_rd_rep}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_rep}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ inbuf}, {\hyperref[appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part]{krb5\_ap\_rep\_enc\_part}} **\emph{ repl}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{inbuf} - AP-REP message + +\textbf{{[}out{]}} \textbf{repl} - Decrypted reply message + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function parses, decrypts and verifies a message from \emph{inbuf} and fills in \emph{repl} with a pointer to allocated memory containing the fields from the encrypted response. + +Use {\hyperref[appdev/refs/api/krb5_free_ap_rep_enc_part:c.krb5_free_ap_rep_enc_part]{\code{krb5\_free\_ap\_rep\_enc\_part()}}} to free \emph{repl} when it is no longer needed. + + +\subsubsection{krb5\_rd\_rep\_dce - Parse and decrypt a KRB\_AP\_REP message for DCE RPC.} +\label{appdev/refs/api/krb5_rd_rep_dce::doc}\label{appdev/refs/api/krb5_rd_rep_dce:krb5-rd-rep-dce-parse-and-decrypt-a-krb-ap-rep-message-for-dce-rpc}\index{krb5\_rd\_rep\_dce (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_rd_rep_dce:c.krb5_rd_rep_dce}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_rep\_dce}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ inbuf}, {\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}} *\emph{ nonce}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{inbuf} - AP-REP message + +\textbf{{[}out{]}} \textbf{nonce} - Sequence number from the decrypted reply + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function parses, decrypts and verifies a message from \emph{inbuf} and fills in \emph{nonce} with a decrypted reply sequence number. + + +\subsubsection{krb5\_rd\_req - Parse and decrypt a KRB\_AP\_REQ message.} +\label{appdev/refs/api/krb5_rd_req::doc}\label{appdev/refs/api/krb5_rd_req:krb5-rd-req-parse-and-decrypt-a-krb-ap-req-message}\index{krb5\_rd\_req (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_rd_req:c.krb5_rd_req}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_req}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ inbuf}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} *\emph{ ap\_req\_options}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} **\emph{ ticket}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}inout{]}} \textbf{auth\_context} - Pre-existing or newly created auth context + +\textbf{{[}in{]}} \textbf{inbuf} - AP-REQ message to be parsed + +\textbf{{[}in{]}} \textbf{server} - Matching principal for server, or NULL to allow any principal in keytab + +\textbf{{[}in{]}} \textbf{keytab} - Key table, or NULL to use the default + +\textbf{{[}out{]}} \textbf{ap\_req\_options} - If non-null, the AP-REQ flags on output + +\textbf{{[}out{]}} \textbf{ticket} - If non-null, ticket from the AP-REQ message + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function parses, decrypts and verifies a AP-REQ message from \emph{inbuf} and stores the authenticator in \emph{auth\_context} . + +If a keyblock was specified in \emph{auth\_context} using {\hyperref[appdev/refs/api/krb5_auth_con_setuseruserkey:c.krb5_auth_con_setuseruserkey]{\code{krb5\_auth\_con\_setuseruserkey()}}} , that key is used to decrypt the ticket in AP-REQ message and \emph{keytab} is ignored. In this case, \emph{server} should be specified as a complete principal name to allow for proper transited-path checking and replay cache selection. + +Otherwise, the decryption key is obtained from \emph{keytab} , or from the default keytab if it is NULL. In this case, \emph{server} may be a complete principal name, a matching principal (see {\hyperref[appdev/refs/api/krb5_sname_match:c.krb5_sname_match]{\code{krb5\_sname\_match()}}} ), or NULL to match any principal name. The keys tried against the encrypted part of the ticket are determined as follows: +\begin{itemize} +\item {} +If \emph{server} is a complete principal name, then its entry in \emph{keytab} is tried. + +\item {} +Otherwise, if \emph{keytab} is iterable, then all entries in \emph{keytab} which match \emph{server} are tried. + +\item {} +Otherwise, the server principal in the ticket must match \emph{server} , and its entry in \emph{keytab} is tried. + +\end{itemize} + +The client specified in the decrypted authenticator must match the client specified in the decrypted ticket. + +If the \emph{remote\_addr} field of \emph{auth\_context} is set, the request must come from that address. + +If a replay cache handle is provided in the \emph{auth\_context} , the authenticator and ticket are verified against it. If no conflict is found, the new authenticator is then stored in the replay cache of \emph{auth\_context} . + +Various other checks are performed on the decoded data, including cross-realm policy, clockskew, and ticket validation times. + +On success the authenticator, subkey, and remote sequence number of the request are stored in \emph{auth\_context} . If the {\hyperref[appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:AP_OPTS_MUTUAL_REQUIRED]{\code{AP\_OPTS\_MUTUAL\_REQUIRED}}} bit is set, the local sequence number is XORed with the remote sequence number in the request. + +Use {\hyperref[appdev/refs/api/krb5_free_ticket:c.krb5_free_ticket]{\code{krb5\_free\_ticket()}}} to free \emph{ticket} when it is no longer needed. + + +\subsubsection{krb5\_rd\_safe - Process KRB-SAFE message.} +\label{appdev/refs/api/krb5_rd_safe:krb5-rd-safe-process-krb-safe-message}\label{appdev/refs/api/krb5_rd_safe::doc}\index{krb5\_rd\_safe (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_rd_safe:c.krb5_rd_safe}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_safe}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ inbuf}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context + +\textbf{{[}in{]}} \textbf{inbuf} - \textbf{KRB-SAFE} message to be parsed + +\textbf{{[}out{]}} \textbf{outbuf} - Data parsed from \textbf{KRB-SAFE} message + +\textbf{{[}out{]}} \textbf{outdata} - Replay data. Specify NULL if not needed + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function parses a \textbf{KRB-SAFE} message, verifies its integrity, and stores its data into \emph{outbuf} . + +If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} flag is set in \emph{auth\_context} , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of \emph{auth\_context} . Otherwise, the sequence number is not used. + +If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} flag is set in \emph{auth\_context} , then two additional checks are performed: +\begin{quote} +\begin{itemize} +\item {} +The timestamp in the message must be within the permitted clock skew (which is usually five minutes). + +\item {} +The message must not be a replayed message field in \emph{auth\_context} . + +\end{itemize} + +Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{outbuf} when it is no longer needed. +\end{quote} + +\begin{notice}{note}{Note:} +The \emph{outdata} argument is required if {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} flag is set in the \emph{auth\_context} . + +\emph{auth\_context} must have a remote address set. This address will be used to verify the sender address in the KRB-SAFE message. If \emph{auth\_context} has a local address set, it will be used to verify the receiver address in the KRB-SAFE message if the message contains one. Both addresses must use type \textbf{ADDRTYPE\_ADDRPORT} . +\end{notice} + + +\subsubsection{krb5\_read\_password - Read a password from keyboard input.} +\label{appdev/refs/api/krb5_read_password:krb5-read-password-read-a-password-from-keyboard-input}\label{appdev/refs/api/krb5_read_password::doc}\index{krb5\_read\_password (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_read_password:c.krb5_read_password}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_read\_password}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ prompt}, const char *\emph{ prompt2}, char *\emph{ return\_pwd}, unsigned int *\emph{ size\_return}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{prompt} - First user prompt when reading password + +\textbf{{[}in{]}} \textbf{prompt2} - Second user prompt (NULL to prompt only once) + +\textbf{{[}out{]}} \textbf{return\_pwd} - Returned password + +\textbf{{[}inout{]}} \textbf{size\_return} - On input, maximum size of password; on output, size of password read + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Error in reading or verifying the password Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function reads a password from keyboard input and stores it in \emph{return\_pwd} . \emph{size\_return} should be set by the caller to the amount of storage space available in \emph{return\_pwd} ; on successful return, it will be set to the length of the password read. +\begin{quote} + +\emph{prompt} is printed to the terminal, followed by'':'', and then a password is read from the keyboard. +\end{quote} + +If \emph{prompt2} is NULL, the password is read only once. Otherwise, \emph{prompt2} is printed to the terminal and a second password is read. If the two passwords entered are not identical, KRB5\_LIBOS\_BADPWDMATCH is returned. + +Echoing is turned off when the password is read. + + +\subsubsection{krb5\_salttype\_to\_string - Convert a salt type to a string.} +\label{appdev/refs/api/krb5_salttype_to_string::doc}\label{appdev/refs/api/krb5_salttype_to_string:krb5-salttype-to-string-convert-a-salt-type-to-a-string}\index{krb5\_salttype\_to\_string (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_salttype_to_string:c.krb5_salttype_to_string}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_salttype\_to\_string}}{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}}\emph{ salttype}, char *\emph{ buffer}, size\_t\emph{ buflen}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{salttype} - Salttype to convert + +\textbf{{[}out{]}} \textbf{buffer} - Buffer to receive the converted string + +\textbf{{[}in{]}} \textbf{buflen} - Storage available in \emph{buffer} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_server\_decrypt\_ticket\_keytab - Decrypt a ticket using the specified key table.} +\label{appdev/refs/api/krb5_server_decrypt_ticket_keytab:krb5-server-decrypt-ticket-keytab-decrypt-a-ticket-using-the-specified-key-table}\label{appdev/refs/api/krb5_server_decrypt_ticket_keytab::doc}\index{krb5\_server\_decrypt\_ticket\_keytab (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_server_decrypt_ticket_keytab:c.krb5_server_decrypt_ticket_keytab}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_server\_decrypt\_ticket\_keytab}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ kt}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} *\emph{ ticket}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{kt} - Key table + +\textbf{{[}in{]}} \textbf{ticket} - Ticket to be decrypted + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function takes a \emph{ticket} as input and decrypts it using key data from \emph{kt} . The result is placed into \emph{ticket-\textgreater{}enc\_part2} . + + +\subsubsection{krb5\_set\_default\_tgs\_enctypes - Set default TGS encryption types in a krb5\_context structure.} +\label{appdev/refs/api/krb5_set_default_tgs_enctypes::doc}\label{appdev/refs/api/krb5_set_default_tgs_enctypes:krb5-set-default-tgs-enctypes-set-default-tgs-encryption-types-in-a-krb5-context-structure}\index{krb5\_set\_default\_tgs\_enctypes (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_set_default_tgs_enctypes:c.krb5_set_default_tgs_enctypes}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_default\_tgs\_enctypes}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ etypes}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{etypes} - Encryption type(s) to set + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\item {} +KRB5\_PROG\_ETYPE\_NOSUPP Program lacks support for encryption type + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function sets the default enctype list for TGS requests made using \emph{context} to \emph{etypes} . + +\begin{notice}{note}{Note:} +This overrides the default list (from config file or built-in). +\end{notice} + + +\subsubsection{krb5\_set\_error\_message - Set an extended error message for an error code.} +\label{appdev/refs/api/krb5_set_error_message::doc}\label{appdev/refs/api/krb5_set_error_message:krb5-set-error-message-set-an-extended-error-message-for-an-error-code}\index{krb5\_set\_error\_message (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_set_error_message:c.krb5_set_error_message}\pysiglinewithargsret{void \bfcode{krb5\_set\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}, const char *\emph{ fmt}, ...}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{code} - Error code + +\textbf{{[}in{]}} \textbf{fmt} - Error string for the error code + +\end{description}\end{quote} + + +\subsubsection{krb5\_set\_kdc\_recv\_hook - Set a KDC post-receive hook function.} +\label{appdev/refs/api/krb5_set_kdc_recv_hook::doc}\label{appdev/refs/api/krb5_set_kdc_recv_hook:krb5-set-kdc-recv-hook-set-a-kdc-post-receive-hook-function}\index{krb5\_set\_kdc\_recv\_hook (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_set_kdc_recv_hook:c.krb5_set_kdc_recv_hook}\pysiglinewithargsret{void \bfcode{krb5\_set\_kdc\_recv\_hook}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_post_recv_fn:c.krb5_post_recv_fn]{krb5\_post\_recv\_fn}}\emph{ recv\_hook}, void *\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - The library context. + +\textbf{{[}in{]}} \textbf{recv\_hook} - Hook function (or NULL to disable the hook) + +\textbf{{[}in{]}} \textbf{data} - Callback data to be passed to \emph{recv\_hook} + +\end{description}\end{quote} +\begin{quote} + +\emph{recv\_hook} will be called after a reply is received from a KDC during a call to a library function such as {\hyperref[appdev/refs/api/krb5_get_credentials:c.krb5_get_credentials]{\code{krb5\_get\_credentials()}}} . The hook function may inspect or override the reply. This hook will not be executed if the pre-send hook returns a synthetic reply. +\end{quote} + +\begin{notice}{note}{Note:} +New in 1.15 +\end{notice} + + +\subsubsection{krb5\_set\_kdc\_send\_hook - Set a KDC pre-send hook function.} +\label{appdev/refs/api/krb5_set_kdc_send_hook:krb5-set-kdc-send-hook-set-a-kdc-pre-send-hook-function}\label{appdev/refs/api/krb5_set_kdc_send_hook::doc}\index{krb5\_set\_kdc\_send\_hook (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_set_kdc_send_hook:c.krb5_set_kdc_send_hook}\pysiglinewithargsret{void \bfcode{krb5\_set\_kdc\_send\_hook}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pre_send_fn:c.krb5_pre_send_fn]{krb5\_pre\_send\_fn}}\emph{ send\_hook}, void *\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{send\_hook} - Hook function (or NULL to disable the hook) + +\textbf{{[}in{]}} \textbf{data} - Callback data to be passed to \emph{send\_hook} + +\end{description}\end{quote} +\begin{quote} + +\emph{send\_hook} will be called before messages are sent to KDCs by library functions such as {\hyperref[appdev/refs/api/krb5_get_credentials:c.krb5_get_credentials]{\code{krb5\_get\_credentials()}}} . The hook function may inspect, override, or synthesize its own reply to the message. +\end{quote} + +\begin{notice}{note}{Note:} +New in 1.15 +\end{notice} + + +\subsubsection{krb5\_set\_real\_time - Set time offset field in a krb5\_context structure.} +\label{appdev/refs/api/krb5_set_real_time::doc}\label{appdev/refs/api/krb5_set_real_time:krb5-set-real-time-set-time-offset-field-in-a-krb5-context-structure}\index{krb5\_set\_real\_time (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_set_real_time:c.krb5_set_real_time}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_real\_time}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}}\emph{ seconds}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}}\emph{ microseconds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{seconds} - Real time, seconds portion + +\textbf{{[}in{]}} \textbf{microseconds} - Real time, microseconds portion + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function sets the time offset in \emph{context} to the difference between the system time and the real time as determined by \emph{seconds} and \emph{microseconds} . + + +\subsubsection{krb5\_string\_to\_cksumtype - Convert a string to a checksum type.} +\label{appdev/refs/api/krb5_string_to_cksumtype:krb5-string-to-cksumtype-convert-a-string-to-a-checksum-type}\label{appdev/refs/api/krb5_string_to_cksumtype::doc}\index{krb5\_string\_to\_cksumtype (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_string_to_cksumtype:c.krb5_string_to_cksumtype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_string\_to\_cksumtype}}{char *\emph{ string}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}} *\emph{ cksumtypep}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{string} - String to be converted + +\textbf{{[}out{]}} \textbf{cksumtypep} - Checksum type to be filled in + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - EINVAL + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_string\_to\_deltat - Convert a string to a delta time value.} +\label{appdev/refs/api/krb5_string_to_deltat::doc}\label{appdev/refs/api/krb5_string_to_deltat:krb5-string-to-deltat-convert-a-string-to-a-delta-time-value}\index{krb5\_string\_to\_deltat (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_string_to_deltat:c.krb5_string_to_deltat}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_string\_to\_deltat}}{char *\emph{ string}, {\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}} *\emph{ deltatp}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{string} - String to be converted + +\textbf{{[}out{]}} \textbf{deltatp} - Delta time to be filled in + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - KRB5\_DELTAT\_BADFORMAT + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_string\_to\_enctype - Convert a string to an encryption type.} +\label{appdev/refs/api/krb5_string_to_enctype::doc}\label{appdev/refs/api/krb5_string_to_enctype:krb5-string-to-enctype-convert-a-string-to-an-encryption-type}\index{krb5\_string\_to\_enctype (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_string_to_enctype:c.krb5_string_to_enctype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_string\_to\_enctype}}{char *\emph{ string}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ enctypep}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{string} - String to convert to an encryption type + +\textbf{{[}out{]}} \textbf{enctypep} - Encryption type + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - EINVAL + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_string\_to\_salttype - Convert a string to a salt type.} +\label{appdev/refs/api/krb5_string_to_salttype:krb5-string-to-salttype-convert-a-string-to-a-salt-type}\label{appdev/refs/api/krb5_string_to_salttype::doc}\index{krb5\_string\_to\_salttype (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_string_to_salttype:c.krb5_string_to_salttype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_string\_to\_salttype}}{char *\emph{ string}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} *\emph{ salttypep}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{string} - String to convert to an encryption type + +\textbf{{[}out{]}} \textbf{salttypep} - Salt type to be filled in + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - EINVAL + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_string\_to\_timestamp - Convert a string to a timestamp.} +\label{appdev/refs/api/krb5_string_to_timestamp::doc}\label{appdev/refs/api/krb5_string_to_timestamp:krb5-string-to-timestamp-convert-a-string-to-a-timestamp}\index{krb5\_string\_to\_timestamp (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_string_to_timestamp:c.krb5_string_to_timestamp}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_string\_to\_timestamp}}{char *\emph{ string}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} *\emph{ timestampp}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{string} - String to be converted + +\textbf{{[}out{]}} \textbf{timestampp} - Pointer to timestamp + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - EINVAL + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_timeofday - Retrieve the current time with context specific time offset adjustment.} +\label{appdev/refs/api/krb5_timeofday:krb5-timeofday-retrieve-the-current-time-with-context-specific-time-offset-adjustment}\label{appdev/refs/api/krb5_timeofday::doc}\index{krb5\_timeofday (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_timeofday:c.krb5_timeofday}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_timeofday}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} *\emph{ timeret}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{timeret} - Timestamp to fill in + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success + +\end{itemize} + +\item[{return}] \leavevmode\begin{itemize} +\item {} +Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function retrieves the system time of day with the context specific time offset adjustment. + + +\subsubsection{krb5\_timestamp\_to\_sfstring - Convert a timestamp to a string, with optional output padding.} +\label{appdev/refs/api/krb5_timestamp_to_sfstring:krb5-timestamp-to-sfstring-convert-a-timestamp-to-a-string-with-optional-output-padding}\label{appdev/refs/api/krb5_timestamp_to_sfstring::doc}\index{krb5\_timestamp\_to\_sfstring (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_timestamp_to_sfstring:c.krb5_timestamp_to_sfstring}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_timestamp\_to\_sfstring}}{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}}\emph{ timestamp}, char *\emph{ buffer}, size\_t\emph{ buflen}, char *\emph{ pad}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{timestamp} - Timestamp to convert + +\textbf{{[}out{]}} \textbf{buffer} - Buffer to hold the converted timestamp + +\textbf{{[}in{]}} \textbf{buflen} - Length of buffer + +\textbf{{[}in{]}} \textbf{pad} - Optional value to pad \emph{buffer} if converted timestamp does not fill it + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +If \emph{pad} is not NULL, \emph{buffer} is padded out to \emph{buflen} - 1 characters with the value of * \emph{pad} . + + +\subsubsection{krb5\_timestamp\_to\_string - Convert a timestamp to a string.} +\label{appdev/refs/api/krb5_timestamp_to_string::doc}\label{appdev/refs/api/krb5_timestamp_to_string:krb5-timestamp-to-string-convert-a-timestamp-to-a-string}\index{krb5\_timestamp\_to\_string (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_timestamp_to_string:c.krb5_timestamp_to_string}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_timestamp\_to\_string}}{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}}\emph{ timestamp}, char *\emph{ buffer}, size\_t\emph{ buflen}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{timestamp} - Timestamp to convert + +\textbf{{[}out{]}} \textbf{buffer} - Buffer to hold converted timestamp + +\textbf{{[}in{]}} \textbf{buflen} - Storage available in \emph{buffer} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +The string is returned in the locale's appropriate date and time representation. + + +\subsubsection{krb5\_tkt\_creds\_free - Free a TGS request context.} +\label{appdev/refs/api/krb5_tkt_creds_free::doc}\label{appdev/refs/api/krb5_tkt_creds_free:krb5-tkt-creds-free-free-a-tgs-request-context}\index{krb5\_tkt\_creds\_free (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_tkt_creds_free:c.krb5_tkt_creds_free}\pysiglinewithargsret{void \bfcode{krb5\_tkt\_creds\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context]{krb5\_tkt\_creds\_context}}\emph{ ctx}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - TGS request context + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +New in 1.9 +\end{notice} + + +\subsubsection{krb5\_tkt\_creds\_get - Synchronously obtain credentials using a TGS request context.} +\label{appdev/refs/api/krb5_tkt_creds_get:krb5-tkt-creds-get-synchronously-obtain-credentials-using-a-tgs-request-context}\label{appdev/refs/api/krb5_tkt_creds_get::doc}\index{krb5\_tkt\_creds\_get (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_tkt_creds_get:c.krb5_tkt_creds_get}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_tkt\_creds\_get}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context]{krb5\_tkt\_creds\_context}}\emph{ ctx}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - TGS request context + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function synchronously obtains credentials using a context created by {\hyperref[appdev/refs/api/krb5_tkt_creds_init:c.krb5_tkt_creds_init]{\code{krb5\_tkt\_creds\_init()}}} . On successful return, the credentials can be retrieved with {\hyperref[appdev/refs/api/krb5_tkt_creds_get_creds:c.krb5_tkt_creds_get_creds]{\code{krb5\_tkt\_creds\_get\_creds()}}} . + +\begin{notice}{note}{Note:} +New in 1.9 +\end{notice} + + +\subsubsection{krb5\_tkt\_creds\_get\_creds - Retrieve acquired credentials from a TGS request context.} +\label{appdev/refs/api/krb5_tkt_creds_get_creds:krb5-tkt-creds-get-creds-retrieve-acquired-credentials-from-a-tgs-request-context}\label{appdev/refs/api/krb5_tkt_creds_get_creds::doc}\index{krb5\_tkt\_creds\_get\_creds (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_tkt_creds_get_creds:c.krb5_tkt_creds_get_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_tkt\_creds\_get\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context]{krb5\_tkt\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - TGS request context + +\textbf{{[}out{]}} \textbf{creds} - Acquired credentials + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function copies the acquired initial credentials from \emph{ctx} into \emph{creds} , after the successful completion of {\hyperref[appdev/refs/api/krb5_tkt_creds_get:c.krb5_tkt_creds_get]{\code{krb5\_tkt\_creds\_get()}}} or {\hyperref[appdev/refs/api/krb5_tkt_creds_step:c.krb5_tkt_creds_step]{\code{krb5\_tkt\_creds\_step()}}} . Use {\hyperref[appdev/refs/api/krb5_free_cred_contents:c.krb5_free_cred_contents]{\code{krb5\_free\_cred\_contents()}}} to free \emph{creds} when it is no longer needed. + +\begin{notice}{note}{Note:} +New in 1.9 +\end{notice} + + +\subsubsection{krb5\_tkt\_creds\_get\_times - Retrieve ticket times from a TGS request context.} +\label{appdev/refs/api/krb5_tkt_creds_get_times:krb5-tkt-creds-get-times-retrieve-ticket-times-from-a-tgs-request-context}\label{appdev/refs/api/krb5_tkt_creds_get_times::doc}\index{krb5\_tkt\_creds\_get\_times (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_tkt_creds_get_times:c.krb5_tkt_creds_get_times}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_tkt\_creds\_get\_times}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context]{krb5\_tkt\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times]{krb5\_ticket\_times}} *\emph{ times}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - TGS request context + +\textbf{{[}out{]}} \textbf{times} - Ticket times for acquired credentials + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +The TGS request context must have completed obtaining credentials via either {\hyperref[appdev/refs/api/krb5_tkt_creds_get:c.krb5_tkt_creds_get]{\code{krb5\_tkt\_creds\_get()}}} or {\hyperref[appdev/refs/api/krb5_tkt_creds_step:c.krb5_tkt_creds_step]{\code{krb5\_tkt\_creds\_step()}}} . + +\begin{notice}{note}{Note:} +New in 1.9 +\end{notice} + + +\subsubsection{krb5\_tkt\_creds\_init - Create a context to get credentials from a KDC's Ticket Granting Service.} +\label{appdev/refs/api/krb5_tkt_creds_init:krb5-tkt-creds-init-create-a-context-to-get-credentials-from-a-kdc-s-ticket-granting-service}\label{appdev/refs/api/krb5_tkt_creds_init::doc}\index{krb5\_tkt\_creds\_init (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_tkt_creds_init:c.krb5_tkt_creds_init}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_tkt\_creds\_init}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context]{krb5\_tkt\_creds\_context}} *\emph{ ctx}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle + +\textbf{{[}in{]}} \textbf{creds} - Input credentials + +\textbf{{[}in{]}} \textbf{options} - \code{KRB5\_GC} options for this request. + +\textbf{{[}out{]}} \textbf{ctx} - New TGS request context + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function prepares to obtain credentials matching \emph{creds} , either by retrieving them from \emph{ccache} or by making requests to ticket-granting services beginning with a ticket-granting ticket for the client principal's realm. + +The resulting TGS acquisition context can be used asynchronously with {\hyperref[appdev/refs/api/krb5_tkt_creds_step:c.krb5_tkt_creds_step]{\code{krb5\_tkt\_creds\_step()}}} or synchronously with {\hyperref[appdev/refs/api/krb5_tkt_creds_get:c.krb5_tkt_creds_get]{\code{krb5\_tkt\_creds\_get()}}} . See also {\hyperref[appdev/refs/api/krb5_get_credentials:c.krb5_get_credentials]{\code{krb5\_get\_credentials()}}} for synchronous use. + +Use {\hyperref[appdev/refs/api/krb5_tkt_creds_free:c.krb5_tkt_creds_free]{\code{krb5\_tkt\_creds\_free()}}} to free \emph{ctx} when it is no longer needed. + +\begin{notice}{note}{Note:} +New in 1.9 +\end{notice} + + +\subsubsection{krb5\_tkt\_creds\_step - Get the next KDC request in a TGS exchange.} +\label{appdev/refs/api/krb5_tkt_creds_step:krb5-tkt-creds-step-get-the-next-kdc-request-in-a-tgs-exchange}\label{appdev/refs/api/krb5_tkt_creds_step::doc}\index{krb5\_tkt\_creds\_step (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_tkt_creds_step:c.krb5_tkt_creds_step}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_tkt\_creds\_step}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context]{krb5\_tkt\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ out}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ realm}, unsigned int *\emph{ flags}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{ctx} - TGS request context + +\textbf{{[}in{]}} \textbf{in} - KDC response (empty on the first call) + +\textbf{{[}out{]}} \textbf{out} - Next KDC request + +\textbf{{[}out{]}} \textbf{realm} - Realm for next KDC request + +\textbf{{[}out{]}} \textbf{flags} - Output flags + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function constructs the next KDC request for a TGS exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, \emph{in} should be set to an empty buffer; on subsequent calls, it should be set to the KDC's reply to the previous request. + +If more requests are needed, \emph{flags} will be set to {\hyperref[appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:KRB5_TKT_CREDS_STEP_FLAG_CONTINUE]{\code{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE}}} and the next request will be placed in \emph{out} . If no more requests are needed, \emph{flags} will not contain {\hyperref[appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:KRB5_TKT_CREDS_STEP_FLAG_CONTINUE]{\code{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE}}} and \emph{out} will be empty. + +If this function returns \textbf{KRB5KRB\_ERR\_RESPONSE\_TOO\_BIG} , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the TGS exchange has failed. + +\begin{notice}{note}{Note:} +New in 1.9 +\end{notice} + + +\subsubsection{krb5\_verify\_init\_creds - Verify initial credentials against a keytab.} +\label{appdev/refs/api/krb5_verify_init_creds:krb5-verify-init-creds-verify-initial-credentials-against-a-keytab}\label{appdev/refs/api/krb5_verify_init_creds::doc}\index{krb5\_verify\_init\_creds (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_verify\_init\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt]{krb5\_verify\_init\_creds\_opt}} *\emph{ options}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{creds} - Initial credentials to be verified + +\textbf{{[}in{]}} \textbf{server} - Server principal (or NULL) + +\textbf{{[}in{]}} \textbf{keytab} - Key table (NULL to use default keytab) + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache for fetched creds (or NULL) + +\textbf{{[}in{]}} \textbf{options} - Verification options (NULL for default options) + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function attempts to verify that \emph{creds} were obtained from a KDC with knowledge of a key in \emph{keytab} , or the default keytab if \emph{keytab} is NULL. If \emph{server} is provided, the highest-kvno key entry for that principal name is used to verify the credentials; otherwise, all unique''host''service principals in the keytab are tried. + +If the specified keytab does not exist, or is empty, or cannot be read, or does not contain an entry for \emph{server} , then credential verification may be skipped unless configuration demands that it succeed. The caller can control this behavior by providing a verification options structure; see {\hyperref[appdev/refs/api/krb5_verify_init_creds_opt_init:c.krb5_verify_init_creds_opt_init]{\code{krb5\_verify\_init\_creds\_opt\_init()}}} and {\hyperref[appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail:c.krb5_verify_init_creds_opt_set_ap_req_nofail]{\code{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail()}}} . + +If \emph{ccache} is NULL, any additional credentials fetched during the verification process will be destroyed. If \emph{ccache} points to NULL, a memory ccache will be created for the additional credentials and returned in \emph{ccache} . If \emph{ccache} points to a valid credential cache handle, the additional credentials will be stored in that cache. + + +\subsubsection{krb5\_verify\_init\_creds\_opt\_init - Initialize a credential verification options structure.} +\label{appdev/refs/api/krb5_verify_init_creds_opt_init:krb5-verify-init-creds-opt-init-initialize-a-credential-verification-options-structure}\label{appdev/refs/api/krb5_verify_init_creds_opt_init::doc}\index{krb5\_verify\_init\_creds\_opt\_init (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_verify_init_creds_opt_init:c.krb5_verify_init_creds_opt_init}\pysiglinewithargsret{void \bfcode{krb5\_verify\_init\_creds\_opt\_init}}{{\hyperref[appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt]{krb5\_verify\_init\_creds\_opt}} *\emph{ k5\_vic\_options}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{k5\_vic\_options} - Verification options structure + +\end{description}\end{quote} + + +\subsubsection{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail - Set whether credential verification is required.} +\label{appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail::doc}\label{appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail:krb5-verify-init-creds-opt-set-ap-req-nofail-set-whether-credential-verification-is-required}\index{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail:c.krb5_verify_init_creds_opt_set_ap_req_nofail}\pysiglinewithargsret{void \bfcode{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail}}{{\hyperref[appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt]{krb5\_verify\_init\_creds\_opt}} *\emph{ k5\_vic\_options}, int\emph{ ap\_req\_nofail}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{k5\_vic\_options} - Verification options structure + +\textbf{{[}in{]}} \textbf{ap\_req\_nofail} - Whether to require successful verification + +\end{description}\end{quote} + +This function determines how {\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}} behaves if no keytab information is available. If \emph{ap\_req\_nofail} is \textbf{FALSE} , verification will be skipped in this case and {\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}} will return successfully. If \emph{ap\_req\_nofail} is \textbf{TRUE} , {\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}} will not return successfully unless verification can be performed. + +If this function is not used, the behavior of {\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}} is determined through configuration. + + +\subsubsection{krb5\_vprepend\_error\_message - Add a prefix to the message for an error code using a va\_list.} +\label{appdev/refs/api/krb5_vprepend_error_message::doc}\label{appdev/refs/api/krb5_vprepend_error_message:krb5-vprepend-error-message-add-a-prefix-to-the-message-for-an-error-code-using-a-va-list}\index{krb5\_vprepend\_error\_message (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_vprepend_error_message:c.krb5_vprepend_error_message}\pysiglinewithargsret{void \bfcode{krb5\_vprepend\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}, const char *\emph{ fmt}, va\_list\emph{ args}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{code} - Error code + +\textbf{{[}in{]}} \textbf{fmt} - Format string for error message prefix + +\textbf{{[}in{]}} \textbf{args} - List of vprintf(3) style arguments + +\end{description}\end{quote} + +This function is similar to {\hyperref[appdev/refs/api/krb5_prepend_error_message:c.krb5_prepend_error_message]{\code{krb5\_prepend\_error\_message()}}} , but uses a va\_list instead of variadic arguments. + + +\subsubsection{krb5\_vset\_error\_message - Set an extended error message for an error code using a va\_list.} +\label{appdev/refs/api/krb5_vset_error_message:krb5-vset-error-message-set-an-extended-error-message-for-an-error-code-using-a-va-list}\label{appdev/refs/api/krb5_vset_error_message::doc}\index{krb5\_vset\_error\_message (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_vset_error_message:c.krb5_vset_error_message}\pysiglinewithargsret{void \bfcode{krb5\_vset\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}, const char *\emph{ fmt}, va\_list\emph{ args}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{code} - Error code + +\textbf{{[}in{]}} \textbf{fmt} - Error string for the error code + +\textbf{{[}in{]}} \textbf{args} - List of vprintf(3) style arguments + +\end{description}\end{quote} + + +\subsubsection{krb5\_vwrap\_error\_message - Add a prefix to a different error code's message using a va\_list.} +\label{appdev/refs/api/krb5_vwrap_error_message:krb5-vwrap-error-message-add-a-prefix-to-a-different-error-code-s-message-using-a-va-list}\label{appdev/refs/api/krb5_vwrap_error_message::doc}\index{krb5\_vwrap\_error\_message (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_vwrap_error_message:c.krb5_vwrap_error_message}\pysiglinewithargsret{void \bfcode{krb5\_vwrap\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ old\_code}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}, const char *\emph{ fmt}, va\_list\emph{ args}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{old\_code} - Previous error code + +\textbf{{[}in{]}} \textbf{code} - Error code + +\textbf{{[}in{]}} \textbf{fmt} - Format string for error message prefix + +\textbf{{[}in{]}} \textbf{args} - List of vprintf(3) style arguments + +\end{description}\end{quote} + +This function is similar to {\hyperref[appdev/refs/api/krb5_wrap_error_message:c.krb5_wrap_error_message]{\code{krb5\_wrap\_error\_message()}}} , but uses a va\_list instead of variadic arguments. + + +\subsubsection{krb5\_wrap\_error\_message - Add a prefix to a different error code's message.} +\label{appdev/refs/api/krb5_wrap_error_message:krb5-wrap-error-message-add-a-prefix-to-a-different-error-code-s-message}\label{appdev/refs/api/krb5_wrap_error_message::doc}\index{krb5\_wrap\_error\_message (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_wrap_error_message:c.krb5_wrap_error_message}\pysiglinewithargsret{void \bfcode{krb5\_wrap\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ old\_code}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}, const char *\emph{ fmt}, ...}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctx} - Library context + +\textbf{{[}in{]}} \textbf{old\_code} - Previous error code + +\textbf{{[}in{]}} \textbf{code} - Error code + +\textbf{{[}in{]}} \textbf{fmt} - Format string for error message prefix + +\end{description}\end{quote} + +Format a message and prepend it to the message for \emph{old\_code} . The prefix will be separated from the old message with a colon and space. Set the resulting message as the extended error message for \emph{code} . + + +\subsection{Public interfaces that should not be called directly} +\label{appdev/refs/api/index:public-interfaces-that-should-not-be-called-directly} + +\subsubsection{krb5\_c\_block\_size - Return cipher block size.} +\label{appdev/refs/api/krb5_c_block_size:krb5-c-block-size-return-cipher-block-size}\label{appdev/refs/api/krb5_c_block_size::doc}\index{krb5\_c\_block\_size (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_block_size:c.krb5_c_block_size}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_block\_size}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, size\_t *\emph{ blocksize}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}out{]}} \textbf{blocksize} - Block size for \emph{enctype} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_c\_checksum\_length - Return the length of checksums for a checksum type.} +\label{appdev/refs/api/krb5_c_checksum_length:krb5-c-checksum-length-return-the-length-of-checksums-for-a-checksum-type}\label{appdev/refs/api/krb5_c_checksum_length::doc}\index{krb5\_c\_checksum\_length (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_checksum_length:c.krb5_c_checksum_length}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_checksum\_length}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, size\_t *\emph{ length}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type + +\textbf{{[}out{]}} \textbf{length} - Checksum length + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_c\_crypto\_length - Return a length of a message field specific to the encryption type.} +\label{appdev/refs/api/krb5_c_crypto_length:krb5-c-crypto-length-return-a-length-of-a-message-field-specific-to-the-encryption-type}\label{appdev/refs/api/krb5_c_crypto_length::doc}\index{krb5\_c\_crypto\_length (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_crypto_length:c.krb5_c_crypto_length}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_crypto\_length}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_cryptotype:c.krb5_cryptotype]{krb5\_cryptotype}}\emph{ type}, unsigned int *\emph{ size}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}in{]}} \textbf{type} - Type field (See \code{KRB5\_CRYPTO\_TYPE} types) + +\textbf{{[}out{]}} \textbf{size} - Length of the \emph{type} specific to \emph{enctype} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_c\_crypto\_length\_iov - Fill in lengths for header, trailer and padding in a IOV array.} +\label{appdev/refs/api/krb5_c_crypto_length_iov:krb5-c-crypto-length-iov-fill-in-lengths-for-header-trailer-and-padding-in-a-iov-array}\label{appdev/refs/api/krb5_c_crypto_length_iov::doc}\index{krb5\_c\_crypto\_length\_iov (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_crypto_length_iov:c.krb5_c_crypto_length_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_crypto\_length\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}inout{]}} \textbf{data} - IOV array + +\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Padding is set to the actual padding required based on the provided \emph{data} buffers. Typically this API is used after setting up the data buffers and {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:KRB5_CRYPTO_TYPE_SIGN_ONLY]{\code{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}}} buffers, but before actually allocating header, trailer and padding. + + +\subsubsection{krb5\_c\_decrypt - Decrypt data using a key (operates on keyblock).} +\label{appdev/refs/api/krb5_c_decrypt::doc}\label{appdev/refs/api/krb5_c_decrypt:krb5-c-decrypt-decrypt-data-using-a-key-operates-on-keyblock}\index{krb5\_c\_decrypt (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_decrypt:c.krb5_c_decrypt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_decrypt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, const {\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ output}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Encryption key + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}inout{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed + +\textbf{{[}in{]}} \textbf{input} - Encrypted data + +\textbf{{[}out{]}} \textbf{output} - Decrypted data + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function decrypts the data block \emph{input} and stores the output into \emph{output} . The actual decryption key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. + +\begin{notice}{note}{Note:} +The caller must initialize \emph{output} and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let {\hyperref[appdev/refs/api/krb5_c_decrypt:c.krb5_c_decrypt]{\code{krb5\_c\_decrypt()}}} trim \emph{output-\textgreater{}length} . For some enctypes, the resulting \emph{output-\textgreater{}length} may include padding bytes. +\end{notice} + + +\subsubsection{krb5\_c\_decrypt\_iov - Decrypt data in place supporting AEAD (operates on keyblock).} +\label{appdev/refs/api/krb5_c_decrypt_iov:krb5-c-decrypt-iov-decrypt-data-in-place-supporting-aead-operates-on-keyblock}\label{appdev/refs/api/krb5_c_decrypt_iov::doc}\index{krb5\_c\_decrypt\_iov (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_decrypt_iov:c.krb5_c_decrypt_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_decrypt\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{keyblock} - Encryption key + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}in{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed + +\textbf{{[}inout{]}} \textbf{data} - IOV array. Modified in-place. + +\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function decrypts the data block \emph{data} and stores the output in-place. The actual decryption key will be derived from \emph{keyblock} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5\_crypto\_iov structures before calling into this API. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_c_decrypt_iov:c.krb5_c_decrypt_iov]{\code{krb5\_c\_decrypt\_iov()}}} + + + +\begin{notice}{note}{Note:} +On return from a {\hyperref[appdev/refs/api/krb5_c_decrypt_iov:c.krb5_c_decrypt_iov]{\code{krb5\_c\_decrypt\_iov()}}} call, the \emph{data-\textgreater{}length} in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. + +This function is similar to {\hyperref[appdev/refs/api/krb5_k_decrypt_iov:c.krb5_k_decrypt_iov]{\code{krb5\_k\_decrypt\_iov()}}} , but operates on keyblock \emph{keyblock} . +\end{notice} + + +\subsubsection{krb5\_c\_derive\_prfplus - Derive a key using some input data (via RFC 6113 PRF+).} +\label{appdev/refs/api/krb5_c_derive_prfplus::doc}\label{appdev/refs/api/krb5_c_derive_prfplus:krb5-c-derive-prfplus-derive-a-key-using-some-input-data-via-rfc-6113-prf}\index{krb5\_c\_derive\_prfplus (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_derive_prfplus:c.krb5_c_derive_prfplus}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_derive\_prfplus}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ k}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{k} - KDC contribution key + +\textbf{{[}in{]}} \textbf{input} - Input string + +\textbf{{[}in{]}} \textbf{enctype} - Output key enctype (or \textbf{ENCTYPE\_NULL} ) + +\textbf{{[}out{]}} \textbf{out} - Derived keyblock + +\end{description}\end{quote} + +This function uses PRF+ as defined in RFC 6113 to derive a key from another key and an input string. If \emph{enctype} is \textbf{ENCTYPE\_NULL} , the output key will have the same enctype as the input key. + + +\subsubsection{krb5\_c\_encrypt - Encrypt data using a key (operates on keyblock).} +\label{appdev/refs/api/krb5_c_encrypt::doc}\label{appdev/refs/api/krb5_c_encrypt:krb5-c-encrypt-encrypt-data-using-a-key-operates-on-keyblock}\index{krb5\_c\_encrypt (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_encrypt:c.krb5_c_encrypt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_encrypt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} *\emph{ output}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Encryption key + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}inout{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed + +\textbf{{[}in{]}} \textbf{input} - Data to be encrypted + +\textbf{{[}out{]}} \textbf{output} - Encrypted data + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function encrypts the data block \emph{input} and stores the output into \emph{output} . The actual encryption key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. + +\begin{notice}{note}{Note:} +The caller must initialize \emph{output} and allocate at least enough space for the result (using {\hyperref[appdev/refs/api/krb5_c_encrypt_length:c.krb5_c_encrypt_length]{\code{krb5\_c\_encrypt\_length()}}} to determine the amount of space needed). \emph{output-\textgreater{}length} will be set to the actual length of the ciphertext. +\end{notice} + + +\subsubsection{krb5\_c\_encrypt\_iov - Encrypt data in place supporting AEAD (operates on keyblock).} +\label{appdev/refs/api/krb5_c_encrypt_iov:krb5-c-encrypt-iov-encrypt-data-in-place-supporting-aead-operates-on-keyblock}\label{appdev/refs/api/krb5_c_encrypt_iov::doc}\index{krb5\_c\_encrypt\_iov (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_encrypt_iov:c.krb5_c_encrypt_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_encrypt\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{keyblock} - Encryption key + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}in{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed + +\textbf{{[}inout{]}} \textbf{data} - IOV array. Modified in-place. + +\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function encrypts the data block \emph{data} and stores the output in-place. The actual encryption key will be derived from \emph{keyblock} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5\_crypto\_iov structures before calling into this API. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_c_decrypt_iov:c.krb5_c_decrypt_iov]{\code{krb5\_c\_decrypt\_iov()}}} + + + +\begin{notice}{note}{Note:} +On return from a {\hyperref[appdev/refs/api/krb5_c_encrypt_iov:c.krb5_c_encrypt_iov]{\code{krb5\_c\_encrypt\_iov()}}} call, the \emph{data-\textgreater{}length} in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. + +This function is similar to {\hyperref[appdev/refs/api/krb5_k_encrypt_iov:c.krb5_k_encrypt_iov]{\code{krb5\_k\_encrypt\_iov()}}} , but operates on keyblock \emph{keyblock} . +\end{notice} + + +\subsubsection{krb5\_c\_encrypt\_length - Compute encrypted data length.} +\label{appdev/refs/api/krb5_c_encrypt_length:krb5-c-encrypt-length-compute-encrypted-data-length}\label{appdev/refs/api/krb5_c_encrypt_length::doc}\index{krb5\_c\_encrypt\_length (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_encrypt_length:c.krb5_c_encrypt_length}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_encrypt\_length}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, size\_t\emph{ inputlen}, size\_t *\emph{ length}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}in{]}} \textbf{inputlen} - Length of the data to be encrypted + +\textbf{{[}out{]}} \textbf{length} - Length of the encrypted data + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function computes the length of the ciphertext produced by encrypting \emph{inputlen} bytes including padding, confounder, and checksum. + + +\subsubsection{krb5\_c\_enctype\_compare - Compare two encryption types.} +\label{appdev/refs/api/krb5_c_enctype_compare::doc}\label{appdev/refs/api/krb5_c_enctype_compare:krb5-c-enctype-compare-compare-two-encryption-types}\index{krb5\_c\_enctype\_compare (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_enctype_compare:c.krb5_c_enctype_compare}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_enctype\_compare}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ e1}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ e2}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} *\emph{ similar}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{e1} - First encryption type + +\textbf{{[}in{]}} \textbf{e2} - Second encryption type + +\textbf{{[}out{]}} \textbf{similar} - \textbf{TRUE} if types are similar, \textbf{FALSE} if not + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function determines whether two encryption types use the same kind of keys. + + +\subsubsection{krb5\_c\_free\_state - Free a cipher state previously allocated by krb5\_c\_init\_state() .} +\label{appdev/refs/api/krb5_c_free_state:krb5-c-free-state-free-a-cipher-state-previously-allocated-by-krb5-c-init-state}\label{appdev/refs/api/krb5_c_free_state::doc}\index{krb5\_c\_free\_state (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_free_state:c.krb5_c_free_state}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_free\_state}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ state}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Key + +\textbf{{[}in{]}} \textbf{state} - Cipher state to be freed + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_c\_fx\_cf2\_simple - Compute the KRB-FX-CF2 combination of two keys and pepper strings.} +\label{appdev/refs/api/krb5_c_fx_cf2_simple:krb5-c-fx-cf2-simple-compute-the-krb-fx-cf2-combination-of-two-keys-and-pepper-strings}\label{appdev/refs/api/krb5_c_fx_cf2_simple::doc}\index{krb5\_c\_fx\_cf2\_simple (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_fx_cf2_simple:c.krb5_c_fx_cf2_simple}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_fx\_cf2\_simple}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ k1}, const char *\emph{ pepper1}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ k2}, const char *\emph{ pepper2}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{k1} - KDC contribution key + +\textbf{{[}in{]}} \textbf{pepper1} - String''PKINIT'' + +\textbf{{[}in{]}} \textbf{k2} - Reply key + +\textbf{{[}in{]}} \textbf{pepper2} - String''KeyExchange'' + +\textbf{{[}out{]}} \textbf{out} - Output key + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function computes the KRB-FX-CF2 function over its inputs and places the results in a newly allocated keyblock. This function is simple in that it assumes that \emph{pepper1} and \emph{pepper2} are C strings with no internal nulls and that the enctype of the result will be the same as that of \emph{k1} . \emph{k1} and \emph{k2} may be of different enctypes. + + +\subsubsection{krb5\_c\_init\_state - Initialize a new cipher state.} +\label{appdev/refs/api/krb5_c_init_state:krb5-c-init-state-initialize-a-new-cipher-state}\label{appdev/refs/api/krb5_c_init_state::doc}\index{krb5\_c\_init\_state (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_init_state:c.krb5_c_init_state}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_init\_state}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ new\_state}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Key + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}out{]}} \textbf{new\_state} - New cipher state + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_c\_is\_coll\_proof\_cksum - Test whether a checksum type is collision-proof.} +\label{appdev/refs/api/krb5_c_is_coll_proof_cksum:krb5-c-is-coll-proof-cksum-test-whether-a-checksum-type-is-collision-proof}\label{appdev/refs/api/krb5_c_is_coll_proof_cksum::doc}\index{krb5\_c\_is\_coll\_proof\_cksum (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_is_coll_proof_cksum:c.krb5_c_is_coll_proof_cksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_c\_is\_coll\_proof\_cksum}}{{\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ ctype}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctype} - Checksum type + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +TRUE if ctype is collision-proof, FALSE if it is not collision-proof or not a valid checksum type. + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_c\_is\_keyed\_cksum - Test whether a checksum type is keyed.} +\label{appdev/refs/api/krb5_c_is_keyed_cksum::doc}\label{appdev/refs/api/krb5_c_is_keyed_cksum:krb5-c-is-keyed-cksum-test-whether-a-checksum-type-is-keyed}\index{krb5\_c\_is\_keyed\_cksum (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_is_keyed_cksum:c.krb5_c_is_keyed_cksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_c\_is\_keyed\_cksum}}{{\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ ctype}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctype} - Checksum type + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +TRUE if ctype is a keyed checksum type, FALSE otherwise. + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_c\_keyed\_checksum\_types - Return a list of keyed checksum types usable with an encryption type.} +\label{appdev/refs/api/krb5_c_keyed_checksum_types::doc}\label{appdev/refs/api/krb5_c_keyed_checksum_types:krb5-c-keyed-checksum-types-return-a-list-of-keyed-checksum-types-usable-with-an-encryption-type}\index{krb5\_c\_keyed\_checksum\_types (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_keyed_checksum_types:c.krb5_c_keyed_checksum_types}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_keyed\_checksum\_types}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, unsigned int *\emph{ count}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}} **\emph{ cksumtypes}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}out{]}} \textbf{count} - Count of allowable checksum types + +\textbf{{[}out{]}} \textbf{cksumtypes} - Array of allowable checksum types + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_free_cksumtypes:c.krb5_free_cksumtypes]{\code{krb5\_free\_cksumtypes()}}} to free \emph{cksumtypes} when it is no longer needed. + + +\subsubsection{krb5\_c\_keylengths - Return length of the specified key in bytes.} +\label{appdev/refs/api/krb5_c_keylengths::doc}\label{appdev/refs/api/krb5_c_keylengths:krb5-c-keylengths-return-length-of-the-specified-key-in-bytes}\index{krb5\_c\_keylengths (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_keylengths:c.krb5_c_keylengths}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_keylengths}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, size\_t *\emph{ keybytes}, size\_t *\emph{ keylength}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}out{]}} \textbf{keybytes} - Number of bytes required to make a key + +\textbf{{[}out{]}} \textbf{keylength} - Length of final key + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_c\_make\_checksum - Compute a checksum (operates on keyblock).} +\label{appdev/refs/api/krb5_c_make_checksum::doc}\label{appdev/refs/api/krb5_c_make_checksum:krb5-c-make-checksum-compute-a-checksum-operates-on-keyblock}\index{krb5\_c\_make\_checksum (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_make_checksum:c.krb5_c_make_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_make\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ cksum}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type (0 for mandatory type) + +\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}in{]}} \textbf{input} - Input data + +\textbf{{[}out{]}} \textbf{cksum} - Generated checksum + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function computes a checksum of type \emph{cksumtype} over \emph{input} , using \emph{key} if the checksum type is a keyed checksum. If \emph{cksumtype} is 0 and \emph{key} is non-null, the checksum type will be the mandatory-to-implement checksum type for the key's encryption type. The actual checksum key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the checksum type. The newly created \emph{cksum} must be released by calling {\hyperref[appdev/refs/api/krb5_free_checksum_contents:c.krb5_free_checksum_contents]{\code{krb5\_free\_checksum\_contents()}}} when it is no longer needed. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_c_verify_checksum:c.krb5_c_verify_checksum]{\code{krb5\_c\_verify\_checksum()}}} + + + +\begin{notice}{note}{Note:} +This function is similar to {\hyperref[appdev/refs/api/krb5_k_make_checksum:c.krb5_k_make_checksum]{\code{krb5\_k\_make\_checksum()}}} , but operates on keyblock \emph{key} . +\end{notice} + + +\subsubsection{krb5\_c\_make\_checksum\_iov - Fill in a checksum element in IOV array (operates on keyblock)} +\label{appdev/refs/api/krb5_c_make_checksum_iov:krb5-c-make-checksum-iov-fill-in-a-checksum-element-in-iov-array-operates-on-keyblock}\label{appdev/refs/api/krb5_c_make_checksum_iov::doc}\index{krb5\_c\_make\_checksum\_iov (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_make_checksum_iov:c.krb5_c_make_checksum_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_make\_checksum\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type (0 for mandatory type) + +\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}inout{]}} \textbf{data} - IOV array + +\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Create a checksum in the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM]{\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM}}} element over {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:KRB5_CRYPTO_TYPE_DATA]{\code{KRB5\_CRYPTO\_TYPE\_DATA}}} and {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:KRB5_CRYPTO_TYPE_SIGN_ONLY]{\code{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}}} chunks in \emph{data} . Only the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM]{\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM}}} region is modified. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_c_verify_checksum_iov:c.krb5_c_verify_checksum_iov]{\code{krb5\_c\_verify\_checksum\_iov()}}} + + + +\begin{notice}{note}{Note:} +This function is similar to {\hyperref[appdev/refs/api/krb5_k_make_checksum_iov:c.krb5_k_make_checksum_iov]{\code{krb5\_k\_make\_checksum\_iov()}}} , but operates on keyblock \emph{key} . +\end{notice} + + +\subsubsection{krb5\_c\_make\_random\_key - Generate an enctype-specific random encryption key.} +\label{appdev/refs/api/krb5_c_make_random_key:krb5-c-make-random-key-generate-an-enctype-specific-random-encryption-key}\label{appdev/refs/api/krb5_c_make_random_key::doc}\index{krb5\_c\_make\_random\_key (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_make_random_key:c.krb5_c_make_random_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_make\_random\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ k5\_random\_key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type of the generated key + +\textbf{{[}out{]}} \textbf{k5\_random\_key} - An allocated and initialized keyblock + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_free_keyblock_contents:c.krb5_free_keyblock_contents]{\code{krb5\_free\_keyblock\_contents()}}} to free \emph{k5\_random\_key} when no longer needed. + + +\subsubsection{krb5\_c\_padding\_length - Return a number of padding octets.} +\label{appdev/refs/api/krb5_c_padding_length:krb5-c-padding-length-return-a-number-of-padding-octets}\label{appdev/refs/api/krb5_c_padding_length::doc}\index{krb5\_c\_padding\_length (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_padding_length:c.krb5_c_padding_length}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_padding\_length}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, size\_t\emph{ data\_length}, unsigned int *\emph{ size}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}in{]}} \textbf{data\_length} - Length of the plaintext to pad + +\textbf{{[}out{]}} \textbf{size} - Number of padding octets + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - KRB5\_BAD\_ENCTYPE + +\end{itemize} + +\end{description}\end{quote} + +This function returns the number of the padding octets required to pad \emph{data\_length} octets of plaintext. + + +\subsubsection{krb5\_c\_prf - Generate enctype-specific pseudo-random bytes.} +\label{appdev/refs/api/krb5_c_prf:krb5-c-prf-generate-enctype-specific-pseudo-random-bytes}\label{appdev/refs/api/krb5_c_prf::doc}\index{krb5\_c\_prf (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_prf:c.krb5_c_prf}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_prf}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ output}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{keyblock} - Key + +\textbf{{[}in{]}} \textbf{input} - Input data + +\textbf{{[}out{]}} \textbf{output} - Output data + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function selects a pseudo-random function based on \emph{keyblock} and computes its value over \emph{input} , placing the result into \emph{output} . The caller must preinitialize \emph{output} and allocate space for the result, using {\hyperref[appdev/refs/api/krb5_c_prf_length:c.krb5_c_prf_length]{\code{krb5\_c\_prf\_length()}}} to determine the required length. + + +\subsubsection{krb5\_c\_prfplus - Generate pseudo-random bytes using RFC 6113 PRF+.} +\label{appdev/refs/api/krb5_c_prfplus:krb5-c-prfplus-generate-pseudo-random-bytes-using-rfc-6113-prf}\label{appdev/refs/api/krb5_c_prfplus::doc}\index{krb5\_c\_prfplus (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_prfplus:c.krb5_c_prfplus}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_prfplus}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ k}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ output}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{k} - KDC contribution key + +\textbf{{[}in{]}} \textbf{input} - Input data + +\textbf{{[}out{]}} \textbf{output} - Pseudo-random output buffer + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +0 on success, E2BIG if output-\textgreater{}length is too large for PRF+ to generate, ENOMEM on allocation failure, or an error code from krb5\_c\_prf() + +\end{itemize} + +\end{description}\end{quote} + +This function fills \emph{output} with PRF+(k, input) as defined in RFC 6113 section 5.1. The caller must preinitialize \emph{output} and allocate the desired amount of space. The length of the pseudo-random output will match the length of \emph{output} . + +\begin{notice}{note}{Note:} +RFC 4402 defines a different PRF+ operation. This function does not implement that operation. +\end{notice} + + +\subsubsection{krb5\_c\_prf\_length - Get the output length of pseudo-random functions for an encryption type.} +\label{appdev/refs/api/krb5_c_prf_length::doc}\label{appdev/refs/api/krb5_c_prf_length:krb5-c-prf-length-get-the-output-length-of-pseudo-random-functions-for-an-encryption-type}\index{krb5\_c\_prf\_length (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_prf_length:c.krb5_c_prf_length}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_prf\_length}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, size\_t *\emph{ len}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}out{]}} \textbf{len} - Length of PRF output + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_c\_random\_add\_entropy - Add entropy to the pseudo-random number generator.} +\label{appdev/refs/api/krb5_c_random_add_entropy::doc}\label{appdev/refs/api/krb5_c_random_add_entropy:krb5-c-random-add-entropy-add-entropy-to-the-pseudo-random-number-generator}\index{krb5\_c\_random\_add\_entropy (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_random_add_entropy:c.krb5_c_random_add_entropy}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_random\_add\_entropy}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, unsigned int\emph{ randsource}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{randsource} - Entropy source (see KRB5\_RANDSOURCE types) + +\textbf{{[}in{]}} \textbf{data} - Data + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Contribute entropy to the PRNG used by krb5 crypto operations. This may or may not affect the output of the next crypto operation requiring random data. + + +\subsubsection{krb5\_c\_random\_make\_octets - Generate pseudo-random bytes.} +\label{appdev/refs/api/krb5_c_random_make_octets::doc}\label{appdev/refs/api/krb5_c_random_make_octets:krb5-c-random-make-octets-generate-pseudo-random-bytes}\index{krb5\_c\_random\_make\_octets (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_random_make_octets:c.krb5_c_random_make_octets}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_random\_make\_octets}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}out{]}} \textbf{data} - Random data + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Fills in \emph{data} with bytes from the PRNG used by krb5 crypto operations. The caller must preinitialize \emph{data} and allocate the desired amount of space. + + +\subsubsection{krb5\_c\_random\_os\_entropy - Collect entropy from the OS if possible.} +\label{appdev/refs/api/krb5_c_random_os_entropy:krb5-c-random-os-entropy-collect-entropy-from-the-os-if-possible}\label{appdev/refs/api/krb5_c_random_os_entropy::doc}\index{krb5\_c\_random\_os\_entropy (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_random_os_entropy:c.krb5_c_random_os_entropy}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_random\_os\_entropy}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, int\emph{ strong}, int *\emph{ success}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{strong} - Strongest available source of entropy + +\textbf{{[}out{]}} \textbf{success} - 1 if OS provides entropy, 0 otherwise + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +If \emph{strong} is non-zero, this function attempts to use the strongest available source of entropy. Setting this flag may cause the function to block on some operating systems. Good uses include seeding the PRNG for kadmind and realm setup. + + +\subsubsection{krb5\_c\_random\_to\_key - Generate an enctype-specific key from random data.} +\label{appdev/refs/api/krb5_c_random_to_key:krb5-c-random-to-key-generate-an-enctype-specific-key-from-random-data}\label{appdev/refs/api/krb5_c_random_to_key::doc}\index{krb5\_c\_random\_to\_key (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_random_to_key:c.krb5_c_random_to_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_random\_to\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ random\_data}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ k5\_random\_key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}in{]}} \textbf{random\_data} - Random input data + +\textbf{{[}out{]}} \textbf{k5\_random\_key} - Resulting key + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function takes random input data \emph{random\_data} and produces a valid key \emph{k5\_random\_key} for a given \emph{enctype} . + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_c_keylengths:c.krb5_c_keylengths]{\code{krb5\_c\_keylengths()}}} + + + +\begin{notice}{note}{Note:} +It is assumed that \emph{k5\_random\_key} has already been initialized and \emph{k5\_random\_key-\textgreater{}contents} has been allocated with the correct length. +\end{notice} + + +\subsubsection{krb5\_c\_string\_to\_key - Convert a string (such a password) to a key.} +\label{appdev/refs/api/krb5_c_string_to_key:krb5-c-string-to-key-convert-a-string-such-a-password-to-a-key}\label{appdev/refs/api/krb5_c_string_to_key::doc}\index{krb5\_c\_string\_to\_key (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_string_to_key:c.krb5_c_string_to_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_string\_to\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ string}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ salt}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}in{]}} \textbf{string} - String to be converted + +\textbf{{[}in{]}} \textbf{salt} - Salt value + +\textbf{{[}out{]}} \textbf{key} - Generated key + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function converts \emph{string} to a \emph{key} of encryption type \emph{enctype} , using the specified \emph{salt} . The newly created \emph{key} must be released by calling {\hyperref[appdev/refs/api/krb5_free_keyblock_contents:c.krb5_free_keyblock_contents]{\code{krb5\_free\_keyblock\_contents()}}} when it is no longer needed. + + +\subsubsection{krb5\_c\_string\_to\_key\_with\_params - Convert a string (such as a password) to a key with additional parameters.} +\label{appdev/refs/api/krb5_c_string_to_key_with_params::doc}\label{appdev/refs/api/krb5_c_string_to_key_with_params:krb5-c-string-to-key-with-params-convert-a-string-such-as-a-password-to-a-key-with-additional-parameters}\index{krb5\_c\_string\_to\_key\_with\_params (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_string_to_key_with_params:c.krb5_c_string_to_key_with_params}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_string\_to\_key\_with\_params}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ string}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ salt}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ params}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}in{]}} \textbf{string} - String to be converted + +\textbf{{[}in{]}} \textbf{salt} - Salt value + +\textbf{{[}in{]}} \textbf{params} - Parameters + +\textbf{{[}out{]}} \textbf{key} - Generated key + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function is similar to {\hyperref[appdev/refs/api/krb5_c_string_to_key:c.krb5_c_string_to_key]{\code{krb5\_c\_string\_to\_key()}}} , but also takes parameters which may affect the algorithm in an enctype-dependent way. The newly created \emph{key} must be released by calling {\hyperref[appdev/refs/api/krb5_free_keyblock_contents:c.krb5_free_keyblock_contents]{\code{krb5\_free\_keyblock\_contents()}}} when it is no longer needed. + + +\subsubsection{krb5\_c\_valid\_cksumtype - Verify that specified checksum type is a valid Kerberos checksum type.} +\label{appdev/refs/api/krb5_c_valid_cksumtype:krb5-c-valid-cksumtype-verify-that-specified-checksum-type-is-a-valid-kerberos-checksum-type}\label{appdev/refs/api/krb5_c_valid_cksumtype::doc}\index{krb5\_c\_valid\_cksumtype (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_valid_cksumtype:c.krb5_c_valid_cksumtype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_c\_valid\_cksumtype}}{{\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ ctype}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ctype} - Checksum type + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +TRUE if ctype is valid, FALSE if not + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_c\_valid\_enctype - Verify that a specified encryption type is a valid Kerberos encryption type.} +\label{appdev/refs/api/krb5_c_valid_enctype:krb5-c-valid-enctype-verify-that-a-specified-encryption-type-is-a-valid-kerberos-encryption-type}\label{appdev/refs/api/krb5_c_valid_enctype::doc}\index{krb5\_c\_valid\_enctype (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_valid_enctype:c.krb5_c_valid_enctype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_c\_valid\_enctype}}{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ ktype}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{ktype} - Encryption type + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{return}] \leavevmode\begin{itemize} +\item {} +TRUE if ktype is valid, FALSE if not + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_c\_verify\_checksum - Verify a checksum (operates on keyblock).} +\label{appdev/refs/api/krb5_c_verify_checksum:krb5-c-verify-checksum-verify-a-checksum-operates-on-keyblock}\label{appdev/refs/api/krb5_c_verify_checksum::doc}\index{krb5\_c\_verify\_checksum (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_verify_checksum:c.krb5_c_verify_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_verify\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}, const {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ cksum}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} *\emph{ valid}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum + +\textbf{{[}in{]}} \textbf{usage} - \emph{key} usage + +\textbf{{[}in{]}} \textbf{data} - Data to be used to compute a new checksum using \emph{key} to compare \emph{cksum} against + +\textbf{{[}in{]}} \textbf{cksum} - Checksum to be verified + +\textbf{{[}out{]}} \textbf{valid} - Non-zero for success, zero for failure + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function verifies that \emph{cksum} is a valid checksum for \emph{data} . If the checksum type of \emph{cksum} is a keyed checksum, \emph{key} is used to verify the checksum. If the checksum type in \emph{cksum} is 0 and \emph{key} is not NULL, the mandatory checksum type for \emph{key} will be used. The actual checksum key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the checksum type. + +\begin{notice}{note}{Note:} +This function is similar to {\hyperref[appdev/refs/api/krb5_k_verify_checksum:c.krb5_k_verify_checksum]{\code{krb5\_k\_verify\_checksum()}}} , but operates on keyblock \emph{key} . +\end{notice} + + +\subsubsection{krb5\_c\_verify\_checksum\_iov - Validate a checksum element in IOV array (operates on keyblock).} +\label{appdev/refs/api/krb5_c_verify_checksum_iov::doc}\label{appdev/refs/api/krb5_c_verify_checksum_iov:krb5-c-verify-checksum-iov-validate-a-checksum-element-in-iov-array-operates-on-keyblock}\index{krb5\_c\_verify\_checksum\_iov (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_verify_checksum_iov:c.krb5_c_verify_checksum_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_verify\_checksum\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} *\emph{ valid}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type (0 for mandatory type) + +\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}in{]}} \textbf{data} - IOV array + +\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} + +\textbf{{[}out{]}} \textbf{valid} - Non-zero for success, zero for failure + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Confirm that the checksum in the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM]{\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM}}} element is a valid checksum of the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:KRB5_CRYPTO_TYPE_DATA]{\code{KRB5\_CRYPTO\_TYPE\_DATA}}} and {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:KRB5_CRYPTO_TYPE_SIGN_ONLY]{\code{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}}} regions in the iov. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_c_make_checksum_iov:c.krb5_c_make_checksum_iov]{\code{krb5\_c\_make\_checksum\_iov()}}} + + + +\begin{notice}{note}{Note:} +This function is similar to {\hyperref[appdev/refs/api/krb5_k_verify_checksum_iov:c.krb5_k_verify_checksum_iov]{\code{krb5\_k\_verify\_checksum\_iov()}}} , but operates on keyblock \emph{key} . +\end{notice} + + +\subsubsection{krb5\_cksumtype\_to\_string - Convert a checksum type to a string.} +\label{appdev/refs/api/krb5_cksumtype_to_string::doc}\label{appdev/refs/api/krb5_cksumtype_to_string:krb5-cksumtype-to-string-convert-a-checksum-type-to-a-string}\index{krb5\_cksumtype\_to\_string (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cksumtype_to_string:c.krb5_cksumtype_to_string}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cksumtype\_to\_string}}{{\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, char *\emph{ buffer}, size\_t\emph{ buflen}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type + +\textbf{{[}out{]}} \textbf{buffer} - Buffer to hold converted checksum type + +\textbf{{[}in{]}} \textbf{buflen} - Storage available in \emph{buffer} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_decode\_authdata\_container - Unwrap authorization data.} +\label{appdev/refs/api/krb5_decode_authdata_container::doc}\label{appdev/refs/api/krb5_decode_authdata_container:krb5-decode-authdata-container-unwrap-authorization-data}\index{krb5\_decode\_authdata\_container (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_decode_authdata_container:c.krb5_decode_authdata_container}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_decode\_authdata\_container}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype]{krb5\_authdatatype}}\emph{ type}, const {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *\emph{ container}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ authdata}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{type} - \code{KRB5\_AUTHDATA} type of \emph{container} + +\textbf{{[}in{]}} \textbf{container} - Authorization data to be decoded + +\textbf{{[}out{]}} \textbf{authdata} - List of decoded authorization data + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_encode_authdata_container:c.krb5_encode_authdata_container]{\code{krb5\_encode\_authdata\_container()}}} + + + + +\subsubsection{krb5\_decode\_ticket - Decode an ASN.1-formatted ticket.} +\label{appdev/refs/api/krb5_decode_ticket::doc}\label{appdev/refs/api/krb5_decode_ticket:krb5-decode-ticket-decode-an-asn-1-formatted-ticket}\index{krb5\_decode\_ticket (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_decode_ticket:c.krb5_decode_ticket}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_decode\_ticket}}{const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ code}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} **\emph{ rep}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{code} - ASN.1-formatted ticket + +\textbf{{[}out{]}} \textbf{rep} - Decoded ticket information + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_deltat\_to\_string - Convert a relative time value to a string.} +\label{appdev/refs/api/krb5_deltat_to_string::doc}\label{appdev/refs/api/krb5_deltat_to_string:krb5-deltat-to-string-convert-a-relative-time-value-to-a-string}\index{krb5\_deltat\_to\_string (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_deltat_to_string:c.krb5_deltat_to_string}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_deltat\_to\_string}}{{\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}}\emph{ deltat}, char *\emph{ buffer}, size\_t\emph{ buflen}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{deltat} - Relative time value to convert + +\textbf{{[}out{]}} \textbf{buffer} - Buffer to hold time string + +\textbf{{[}in{]}} \textbf{buflen} - Storage available in \emph{buffer} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_encode\_authdata\_container - Wrap authorization data in a container.} +\label{appdev/refs/api/krb5_encode_authdata_container::doc}\label{appdev/refs/api/krb5_encode_authdata_container:krb5-encode-authdata-container-wrap-authorization-data-in-a-container}\index{krb5\_encode\_authdata\_container (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_encode_authdata_container:c.krb5_encode_authdata_container}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_encode\_authdata\_container}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype]{krb5\_authdatatype}}\emph{ type}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ authdata}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ container}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{type} - \code{KRB5\_AUTHDATA} type of \emph{container} + +\textbf{{[}in{]}} \textbf{authdata} - List of authorization data to be encoded + +\textbf{{[}out{]}} \textbf{container} - List of encoded authorization data + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +The result is returned in \emph{container} as a single-element list. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_decode_authdata_container:c.krb5_decode_authdata_container]{\code{krb5\_decode\_authdata\_container()}}} + + + + +\subsubsection{krb5\_enctype\_to\_name - Convert an encryption type to a name or alias.} +\label{appdev/refs/api/krb5_enctype_to_name::doc}\label{appdev/refs/api/krb5_enctype_to_name:krb5-enctype-to-name-convert-an-encryption-type-to-a-name-or-alias}\index{krb5\_enctype\_to\_name (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_enctype_to_name:c.krb5_enctype_to_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_enctype\_to\_name}}{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}}\emph{ shortest}, char *\emph{ buffer}, size\_t\emph{ buflen}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}in{]}} \textbf{shortest} - Flag + +\textbf{{[}out{]}} \textbf{buffer} - Buffer to hold encryption type string + +\textbf{{[}in{]}} \textbf{buflen} - Storage available in \emph{buffer} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +If \emph{shortest} is FALSE, this function returns the enctype's canonical name (like''aes128-cts-hmac-sha1-96''). If \emph{shortest} is TRUE, it return the enctype's shortest alias (like''aes128-cts''). + +\begin{notice}{note}{Note:} +New in 1.9 +\end{notice} + + +\subsubsection{krb5\_enctype\_to\_string - Convert an encryption type to a string.} +\label{appdev/refs/api/krb5_enctype_to_string::doc}\label{appdev/refs/api/krb5_enctype_to_string:krb5-enctype-to-string-convert-an-encryption-type-to-a-string}\index{krb5\_enctype\_to\_string (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_enctype_to_string:c.krb5_enctype_to_string}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_enctype\_to\_string}}{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, char *\emph{ buffer}, size\_t\emph{ buflen}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{enctype} - Encryption type + +\textbf{{[}out{]}} \textbf{buffer} - Buffer to hold encryption type string + +\textbf{{[}in{]}} \textbf{buflen} - Storage available in \emph{buffer} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + + +\subsubsection{krb5\_free\_checksum - Free a krb5\_checksum structure.} +\label{appdev/refs/api/krb5_free_checksum:krb5-free-checksum-free-a-krb5-checksum-structure}\label{appdev/refs/api/krb5_free_checksum::doc}\index{krb5\_free\_checksum (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_checksum:c.krb5_free_checksum}\pysiglinewithargsret{void \bfcode{krb5\_free\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Checksum structure to be freed + +\end{description}\end{quote} + +This function frees the contents of \emph{val} and the structure itself. + + +\subsubsection{krb5\_free\_checksum\_contents - Free the contents of a krb5\_checksum structure.} +\label{appdev/refs/api/krb5_free_checksum_contents:krb5-free-checksum-contents-free-the-contents-of-a-krb5-checksum-structure}\label{appdev/refs/api/krb5_free_checksum_contents::doc}\index{krb5\_free\_checksum\_contents (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_checksum_contents:c.krb5_free_checksum_contents}\pysiglinewithargsret{void \bfcode{krb5\_free\_checksum\_contents}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Checksum structure to free contents of + +\end{description}\end{quote} + +This function frees the contents of \emph{val} , but not the structure itself. + + +\subsubsection{krb5\_free\_cksumtypes - Free an array of checksum types.} +\label{appdev/refs/api/krb5_free_cksumtypes:krb5-free-cksumtypes-free-an-array-of-checksum-types}\label{appdev/refs/api/krb5_free_cksumtypes::doc}\index{krb5\_free\_cksumtypes (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_cksumtypes:c.krb5_free_cksumtypes}\pysiglinewithargsret{void \bfcode{krb5\_free\_cksumtypes}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}} *\emph{ val}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{val} - Array of checksum types to be freed + +\end{description}\end{quote} + + +\subsubsection{krb5\_free\_tgt\_creds - Free an array of credential structures.} +\label{appdev/refs/api/krb5_free_tgt_creds::doc}\label{appdev/refs/api/krb5_free_tgt_creds:krb5-free-tgt-creds-free-an-array-of-credential-structures}\index{krb5\_free\_tgt\_creds (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_free_tgt_creds:c.krb5_free_tgt_creds}\pysiglinewithargsret{void \bfcode{krb5\_free\_tgt\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ tgts}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{tgts} - Null-terminated array of credentials to free + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +The last entry in the array \emph{tgts} must be a NULL pointer. +\end{notice} + + +\subsubsection{krb5\_k\_create\_key - Create a krb5\_key from the enctype and key data in a keyblock.} +\label{appdev/refs/api/krb5_k_create_key::doc}\label{appdev/refs/api/krb5_k_create_key:krb5-k-create-key-create-a-krb5-key-from-the-enctype-and-key-data-in-a-keyblock}\index{krb5\_k\_create\_key (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_create_key:c.krb5_k_create_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_create\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key\_data}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}} *\emph{ out}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key\_data} - Keyblock + +\textbf{{[}out{]}} \textbf{out} - Opaque key + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - KRB5\_BAD\_ENCTYPE + +\end{itemize} + +\end{description}\end{quote} + +The reference count on a key \emph{out} is set to 1. Use {\hyperref[appdev/refs/api/krb5_k_free_key:c.krb5_k_free_key]{\code{krb5\_k\_free\_key()}}} to free \emph{out} when it is no longer needed. + + +\subsubsection{krb5\_k\_decrypt - Decrypt data using a key (operates on opaque key).} +\label{appdev/refs/api/krb5_k_decrypt:krb5-k-decrypt-decrypt-data-using-a-key-operates-on-opaque-key}\label{appdev/refs/api/krb5_k_decrypt::doc}\index{krb5\_k\_decrypt (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_decrypt:c.krb5_k_decrypt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_decrypt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, const {\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ output}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Encryption key + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}inout{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed + +\textbf{{[}in{]}} \textbf{input} - Encrypted data + +\textbf{{[}out{]}} \textbf{output} - Decrypted data + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function decrypts the data block \emph{input} and stores the output into \emph{output} . The actual decryption key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. + +\begin{notice}{note}{Note:} +The caller must initialize \emph{output} and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let {\hyperref[appdev/refs/api/krb5_c_decrypt:c.krb5_c_decrypt]{\code{krb5\_c\_decrypt()}}} trim \emph{output-\textgreater{}length} . For some enctypes, the resulting \emph{output-\textgreater{}length} may include padding bytes. +\end{notice} + + +\subsubsection{krb5\_k\_decrypt\_iov - Decrypt data in place supporting AEAD (operates on opaque key).} +\label{appdev/refs/api/krb5_k_decrypt_iov::doc}\label{appdev/refs/api/krb5_k_decrypt_iov:krb5-k-decrypt-iov-decrypt-data-in-place-supporting-aead-operates-on-opaque-key}\index{krb5\_k\_decrypt\_iov (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_decrypt_iov:c.krb5_k_decrypt_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_decrypt\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Encryption key + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}in{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed + +\textbf{{[}inout{]}} \textbf{data} - IOV array. Modified in-place. + +\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function decrypts the data block \emph{data} and stores the output in-place. The actual decryption key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5\_crypto\_iov structures before calling into this API. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_k_encrypt_iov:c.krb5_k_encrypt_iov]{\code{krb5\_k\_encrypt\_iov()}}} + + + +\begin{notice}{note}{Note:} +On return from a {\hyperref[appdev/refs/api/krb5_c_decrypt_iov:c.krb5_c_decrypt_iov]{\code{krb5\_c\_decrypt\_iov()}}} call, the \emph{data-\textgreater{}length} in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. + +This function is similar to {\hyperref[appdev/refs/api/krb5_c_decrypt_iov:c.krb5_c_decrypt_iov]{\code{krb5\_c\_decrypt\_iov()}}} , but operates on opaque key \emph{key} . +\end{notice} + + +\subsubsection{krb5\_k\_encrypt - Encrypt data using a key (operates on opaque key).} +\label{appdev/refs/api/krb5_k_encrypt:krb5-k-encrypt-encrypt-data-using-a-key-operates-on-opaque-key}\label{appdev/refs/api/krb5_k_encrypt::doc}\index{krb5\_k\_encrypt (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_encrypt:c.krb5_k_encrypt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_encrypt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} *\emph{ output}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Encryption key + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}inout{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed + +\textbf{{[}in{]}} \textbf{input} - Data to be encrypted + +\textbf{{[}out{]}} \textbf{output} - Encrypted data + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function encrypts the data block \emph{input} and stores the output into \emph{output} . The actual encryption key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. + +\begin{notice}{note}{Note:} +The caller must initialize \emph{output} and allocate at least enough space for the result (using {\hyperref[appdev/refs/api/krb5_c_encrypt_length:c.krb5_c_encrypt_length]{\code{krb5\_c\_encrypt\_length()}}} to determine the amount of space needed). \emph{output-\textgreater{}length} will be set to the actual length of the ciphertext. +\end{notice} + + +\subsubsection{krb5\_k\_encrypt\_iov - Encrypt data in place supporting AEAD (operates on opaque key).} +\label{appdev/refs/api/krb5_k_encrypt_iov::doc}\label{appdev/refs/api/krb5_k_encrypt_iov:krb5-k-encrypt-iov-encrypt-data-in-place-supporting-aead-operates-on-opaque-key}\index{krb5\_k\_encrypt\_iov (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_encrypt_iov:c.krb5_k_encrypt_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_encrypt\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Encryption key + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}in{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed + +\textbf{{[}inout{]}} \textbf{data} - IOV array. Modified in-place. + +\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function encrypts the data block \emph{data} and stores the output in-place. The actual encryption key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5\_crypto\_iov structures before calling into this API. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_k_decrypt_iov:c.krb5_k_decrypt_iov]{\code{krb5\_k\_decrypt\_iov()}}} + + + +\begin{notice}{note}{Note:} +On return from a {\hyperref[appdev/refs/api/krb5_c_encrypt_iov:c.krb5_c_encrypt_iov]{\code{krb5\_c\_encrypt\_iov()}}} call, the \emph{data-\textgreater{}length} in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. + +This function is similar to {\hyperref[appdev/refs/api/krb5_c_encrypt_iov:c.krb5_c_encrypt_iov]{\code{krb5\_c\_encrypt\_iov()}}} , but operates on opaque key \emph{key} . +\end{notice} + + +\subsubsection{krb5\_k\_free\_key - Decrement the reference count on a key and free it if it hits zero.} +\label{appdev/refs/api/krb5_k_free_key:krb5-k-free-key-decrement-the-reference-count-on-a-key-and-free-it-if-it-hits-zero}\label{appdev/refs/api/krb5_k_free_key::doc}\index{krb5\_k\_free\_key (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_free_key:c.krb5_k_free_key}\pysiglinewithargsret{void \bfcode{krb5\_k\_free\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{key} + +\end{description}\end{quote} + + +\subsubsection{krb5\_k\_key\_enctype - Retrieve the enctype of a krb5\_key structure.} +\label{appdev/refs/api/krb5_k_key_enctype::doc}\label{appdev/refs/api/krb5_k_key_enctype:krb5-k-key-enctype-retrieve-the-enctype-of-a-krb5-key-structure}\index{krb5\_k\_key\_enctype (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_key_enctype:c.krb5_k_key_enctype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} \bfcode{krb5\_k\_key\_enctype}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{key} + +\end{description}\end{quote} + + +\subsubsection{krb5\_k\_key\_keyblock - Retrieve a copy of the keyblock from a krb5\_key structure.} +\label{appdev/refs/api/krb5_k_key_keyblock:krb5-k-key-keyblock-retrieve-a-copy-of-the-keyblock-from-a-krb5-key-structure}\label{appdev/refs/api/krb5_k_key_keyblock::doc}\index{krb5\_k\_key\_keyblock (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_key_keyblock:c.krb5_k_key_keyblock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_key\_keyblock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ key\_data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{key} + +\textbf{key\_data} + +\end{description}\end{quote} + + +\subsubsection{krb5\_k\_make\_checksum - Compute a checksum (operates on opaque key).} +\label{appdev/refs/api/krb5_k_make_checksum::doc}\label{appdev/refs/api/krb5_k_make_checksum:krb5-k-make-checksum-compute-a-checksum-operates-on-opaque-key}\index{krb5\_k\_make\_checksum (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_make_checksum:c.krb5_k_make_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_make\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ cksum}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type (0 for mandatory type) + +\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}in{]}} \textbf{input} - Input data + +\textbf{{[}out{]}} \textbf{cksum} - Generated checksum + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function computes a checksum of type \emph{cksumtype} over \emph{input} , using \emph{key} if the checksum type is a keyed checksum. If \emph{cksumtype} is 0 and \emph{key} is non-null, the checksum type will be the mandatory-to-implement checksum type for the key's encryption type. The actual checksum key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the checksum type. The newly created \emph{cksum} must be released by calling {\hyperref[appdev/refs/api/krb5_free_checksum_contents:c.krb5_free_checksum_contents]{\code{krb5\_free\_checksum\_contents()}}} when it is no longer needed. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_c_verify_checksum:c.krb5_c_verify_checksum]{\code{krb5\_c\_verify\_checksum()}}} + + + +\begin{notice}{note}{Note:} +This function is similar to {\hyperref[appdev/refs/api/krb5_c_make_checksum:c.krb5_c_make_checksum]{\code{krb5\_c\_make\_checksum()}}} , but operates on opaque \emph{key} . +\end{notice} + + +\subsubsection{krb5\_k\_make\_checksum\_iov - Fill in a checksum element in IOV array (operates on opaque key)} +\label{appdev/refs/api/krb5_k_make_checksum_iov::doc}\label{appdev/refs/api/krb5_k_make_checksum_iov:krb5-k-make-checksum-iov-fill-in-a-checksum-element-in-iov-array-operates-on-opaque-key}\index{krb5\_k\_make\_checksum\_iov (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_make_checksum_iov:c.krb5_k_make_checksum_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_make\_checksum\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type (0 for mandatory type) + +\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}inout{]}} \textbf{data} - IOV array + +\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Create a checksum in the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM]{\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM}}} element over {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:KRB5_CRYPTO_TYPE_DATA]{\code{KRB5\_CRYPTO\_TYPE\_DATA}}} and {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:KRB5_CRYPTO_TYPE_SIGN_ONLY]{\code{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}}} chunks in \emph{data} . Only the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM]{\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM}}} region is modified. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_k_verify_checksum_iov:c.krb5_k_verify_checksum_iov]{\code{krb5\_k\_verify\_checksum\_iov()}}} + + + +\begin{notice}{note}{Note:} +This function is similar to {\hyperref[appdev/refs/api/krb5_c_make_checksum_iov:c.krb5_c_make_checksum_iov]{\code{krb5\_c\_make\_checksum\_iov()}}} , but operates on opaque \emph{key} . +\end{notice} + + +\subsubsection{krb5\_k\_prf - Generate enctype-specific pseudo-random bytes (operates on opaque key).} +\label{appdev/refs/api/krb5_k_prf:krb5-k-prf-generate-enctype-specific-pseudo-random-bytes-operates-on-opaque-key}\label{appdev/refs/api/krb5_k_prf::doc}\index{krb5\_k\_prf (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_prf:c.krb5_k_prf}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_prf}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ output}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Key + +\textbf{{[}in{]}} \textbf{input} - Input data + +\textbf{{[}out{]}} \textbf{output} - Output data + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function selects a pseudo-random function based on \emph{key} and computes its value over \emph{input} , placing the result into \emph{output} . The caller must preinitialize \emph{output} and allocate space for the result. + +\begin{notice}{note}{Note:} +This function is similar to {\hyperref[appdev/refs/api/krb5_c_prf:c.krb5_c_prf]{\code{krb5\_c\_prf()}}} , but operates on opaque \emph{key} . +\end{notice} + + +\subsubsection{krb5\_k\_reference\_key - Increment the reference count on a key.} +\label{appdev/refs/api/krb5_k_reference_key::doc}\label{appdev/refs/api/krb5_k_reference_key:krb5-k-reference-key-increment-the-reference-count-on-a-key}\index{krb5\_k\_reference\_key (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_reference_key:c.krb5_k_reference_key}\pysiglinewithargsret{void \bfcode{krb5\_k\_reference\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{key} + +\end{description}\end{quote} + + +\subsubsection{krb5\_k\_verify\_checksum - Verify a checksum (operates on opaque key).} +\label{appdev/refs/api/krb5_k_verify_checksum::doc}\label{appdev/refs/api/krb5_k_verify_checksum:krb5-k-verify-checksum-verify-a-checksum-operates-on-opaque-key}\index{krb5\_k\_verify\_checksum (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_verify_checksum:c.krb5_k_verify_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_verify\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}, const {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ cksum}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} *\emph{ valid}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum + +\textbf{{[}in{]}} \textbf{usage} - \emph{key} usage + +\textbf{{[}in{]}} \textbf{data} - Data to be used to compute a new checksum using \emph{key} to compare \emph{cksum} against + +\textbf{{[}in{]}} \textbf{cksum} - Checksum to be verified + +\textbf{{[}out{]}} \textbf{valid} - Non-zero for success, zero for failure + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function verifies that \emph{cksum} is a valid checksum for \emph{data} . If the checksum type of \emph{cksum} is a keyed checksum, \emph{key} is used to verify the checksum. If the checksum type in \emph{cksum} is 0 and \emph{key} is not NULL, the mandatory checksum type for \emph{key} will be used. The actual checksum key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the checksum type. + +\begin{notice}{note}{Note:} +This function is similar to {\hyperref[appdev/refs/api/krb5_c_verify_checksum:c.krb5_c_verify_checksum]{\code{krb5\_c\_verify\_checksum()}}} , but operates on opaque \emph{key} . +\end{notice} + + +\subsubsection{krb5\_k\_verify\_checksum\_iov - Validate a checksum element in IOV array (operates on opaque key).} +\label{appdev/refs/api/krb5_k_verify_checksum_iov:krb5-k-verify-checksum-iov-validate-a-checksum-element-in-iov-array-operates-on-opaque-key}\label{appdev/refs/api/krb5_k_verify_checksum_iov::doc}\index{krb5\_k\_verify\_checksum\_iov (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_k_verify_checksum_iov:c.krb5_k_verify_checksum_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_verify\_checksum\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} *\emph{ valid}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type (0 for mandatory type) + +\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum + +\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) + +\textbf{{[}in{]}} \textbf{data} - IOV array + +\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} + +\textbf{{[}out{]}} \textbf{valid} - Non-zero for success, zero for failure + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +Confirm that the checksum in the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM]{\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM}}} element is a valid checksum of the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:KRB5_CRYPTO_TYPE_DATA]{\code{KRB5\_CRYPTO\_TYPE\_DATA}}} and {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:KRB5_CRYPTO_TYPE_SIGN_ONLY]{\code{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}}} regions in the iov. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_k_make_checksum_iov:c.krb5_k_make_checksum_iov]{\code{krb5\_k\_make\_checksum\_iov()}}} + + + +\begin{notice}{note}{Note:} +This function is similar to {\hyperref[appdev/refs/api/krb5_c_verify_checksum_iov:c.krb5_c_verify_checksum_iov]{\code{krb5\_c\_verify\_checksum\_iov()}}} , but operates on opaque \emph{key} . +\end{notice} + + +\subsection{Legacy convenience interfaces} +\label{appdev/refs/api/index:legacy-convenience-interfaces} + +\subsubsection{krb5\_recvauth - Server function for sendauth protocol.} +\label{appdev/refs/api/krb5_recvauth::doc}\label{appdev/refs/api/krb5_recvauth:krb5-recvauth-server-function-for-sendauth-protocol}\index{krb5\_recvauth (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_recvauth:c.krb5_recvauth}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_recvauth}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ fd}, char *\emph{ appl\_version}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}}\emph{ flags}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} **\emph{ ticket}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}inout{]}} \textbf{auth\_context} - Pre-existing or newly created auth context + +\textbf{{[}in{]}} \textbf{fd} - File descriptor + +\textbf{{[}in{]}} \textbf{appl\_version} - Application protocol version to be matched against the client's application version + +\textbf{{[}in{]}} \textbf{server} - Server principal (NULL for any in \emph{keytab} ) + +\textbf{{[}in{]}} \textbf{flags} - Additional specifications + +\textbf{{[}in{]}} \textbf{keytab} - Key table containing service keys + +\textbf{{[}out{]}} \textbf{ticket} - Ticket (NULL if not needed) + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function performs the server side of a sendauth/recvauth exchange by sending and receiving messages over \emph{fd} . + +Use {\hyperref[appdev/refs/api/krb5_free_ticket:c.krb5_free_ticket]{\code{krb5\_free\_ticket()}}} to free \emph{ticket} when it is no longer needed. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_sendauth:c.krb5_sendauth]{\code{krb5\_sendauth()}}} + + + + +\subsubsection{krb5\_recvauth\_version - Server function for sendauth protocol with version parameter.} +\label{appdev/refs/api/krb5_recvauth_version::doc}\label{appdev/refs/api/krb5_recvauth_version:krb5-recvauth-version-server-function-for-sendauth-protocol-with-version-parameter}\index{krb5\_recvauth\_version (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_recvauth_version:c.krb5_recvauth_version}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_recvauth\_version}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ fd}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}}\emph{ flags}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} **\emph{ ticket}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ version}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}inout{]}} \textbf{auth\_context} - Pre-existing or newly created auth context + +\textbf{{[}in{]}} \textbf{fd} - File descriptor + +\textbf{{[}in{]}} \textbf{server} - Server principal (NULL for any in \emph{keytab} ) + +\textbf{{[}in{]}} \textbf{flags} - Additional specifications + +\textbf{{[}in{]}} \textbf{keytab} - Decryption key + +\textbf{{[}out{]}} \textbf{ticket} - Ticket (NULL if not needed) + +\textbf{{[}out{]}} \textbf{version} - sendauth protocol version (NULL if not needed) + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function is similar to {\hyperref[appdev/refs/api/krb5_recvauth:c.krb5_recvauth]{\code{krb5\_recvauth()}}} with the additional output information place into \emph{version} . + + +\subsubsection{krb5\_sendauth - Client function for sendauth protocol.} +\label{appdev/refs/api/krb5_sendauth:krb5-sendauth-client-function-for-sendauth-protocol}\label{appdev/refs/api/krb5_sendauth::doc}\index{krb5\_sendauth (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_sendauth:c.krb5_sendauth}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_sendauth}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ fd}, char *\emph{ appl\_version}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ ap\_req\_options}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in\_data}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ in\_creds}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_error:c.krb5_error]{krb5\_error}} **\emph{ error}, {\hyperref[appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part]{krb5\_ap\_rep\_enc\_part}} **\emph{ rep\_result}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ out\_creds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{{[}in{]}} \textbf{context} - Library context + +\textbf{{[}inout{]}} \textbf{auth\_context} - Pre-existing or newly created auth context + +\textbf{{[}in{]}} \textbf{fd} - File descriptor that describes network socket + +\textbf{{[}in{]}} \textbf{appl\_version} - Application protocol version to be matched with the receiver's application version + +\textbf{{[}in{]}} \textbf{client} - Client principal + +\textbf{{[}in{]}} \textbf{server} - Server principal + +\textbf{{[}in{]}} \textbf{ap\_req\_options} - \code{AP\_OPTS} options + +\textbf{{[}in{]}} \textbf{in\_data} - Data to be sent to the server + +\textbf{{[}in{]}} \textbf{in\_creds} - Input credentials, or NULL to use \emph{ccache} + +\textbf{{[}in{]}} \textbf{ccache} - Credential cache + +\textbf{{[}out{]}} \textbf{error} - If non-null, contains KRB\_ERROR message returned from server + +\textbf{{[}out{]}} \textbf{rep\_result} - If non-null and \emph{ap\_req\_options} is {\hyperref[appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:AP_OPTS_MUTUAL_REQUIRED]{\code{AP\_OPTS\_MUTUAL\_REQUIRED}}} , contains the result of mutual authentication exchange + +\textbf{{[}out{]}} \textbf{out\_creds} - If non-null, the retrieved credentials + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes + +\end{itemize} + +\end{description}\end{quote} + +This function performs the client side of a sendauth/recvauth exchange by sending and receiving messages over \emph{fd} . + +Credentials may be specified in three ways: +\begin{quote} +\begin{itemize} +\item {} +If \emph{in\_creds} is NULL, credentials are obtained with {\hyperref[appdev/refs/api/krb5_get_credentials:c.krb5_get_credentials]{\code{krb5\_get\_credentials()}}} using the principals \emph{client} and \emph{server} . \emph{server} must be non-null; \emph{client} may NULL to use the default principal of \emph{ccache} . + +\item {} +If \emph{in\_creds} is non-null, but does not contain a ticket, credentials for the exchange are obtained with {\hyperref[appdev/refs/api/krb5_get_credentials:c.krb5_get_credentials]{\code{krb5\_get\_credentials()}}} using \emph{in\_creds} . In this case, the values of \emph{client} and \emph{server} are unused. + +\item {} +If \emph{in\_creds} is a complete credentials structure, it used directly. In this case, the values of \emph{client} , \emph{server} , and \emph{ccache} are unused. + +\end{itemize} + +If the server is using a different application protocol than that specified in \emph{appl\_version} , an error will be returned. +\end{quote} + +Use {\hyperref[appdev/refs/api/krb5_free_creds:c.krb5_free_creds]{\code{krb5\_free\_creds()}}} to free \emph{out\_creds} , {\hyperref[appdev/refs/api/krb5_free_ap_rep_enc_part:c.krb5_free_ap_rep_enc_part]{\code{krb5\_free\_ap\_rep\_enc\_part()}}} to free \emph{rep\_result} , and {\hyperref[appdev/refs/api/krb5_free_error:c.krb5_free_error]{\code{krb5\_free\_error()}}} to free \emph{error} when they are no longer needed. + + +\strong{See also:} + + +{\hyperref[appdev/refs/api/krb5_recvauth:c.krb5_recvauth]{\code{krb5\_recvauth()}}} + + + + +\subsection{Deprecated public interfaces} +\label{appdev/refs/api/index:deprecated-public-interfaces} + +\subsubsection{krb5\_524\_convert\_creds - Convert a Kerberos V5 credentials to a Kerberos V4 credentials.} +\label{appdev/refs/api/krb5_524_convert_creds:krb5-524-convert-creds-convert-a-kerberos-v5-credentials-to-a-kerberos-v4-credentials}\label{appdev/refs/api/krb5_524_convert_creds::doc}\index{krb5\_524\_convert\_creds (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_524_convert_creds:c.krb5_524_convert_creds}\pysiglinewithargsret{int \bfcode{krb5\_524\_convert\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ v5creds}, struct credentials *\emph{ v4creds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{v5creds} + +\textbf{v4creds} + +\end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +KRB524\_KRB4\_DISABLED (always) + +\end{itemize} + +\end{description}\end{quote} + +\begin{notice}{note}{Note:} +Not implemented +\end{notice} + + +\subsubsection{krb5\_auth\_con\_getlocalsubkey} +\label{appdev/refs/api/krb5_auth_con_getlocalsubkey::doc}\label{appdev/refs/api/krb5_auth_con_getlocalsubkey:krb5-auth-con-getlocalsubkey}\index{krb5\_auth\_con\_getlocalsubkey (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getlocalsubkey:c.krb5_auth_con_getlocalsubkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getlocalsubkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ keyblock}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{auth\_context} + +\textbf{keyblock} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_auth\_con\_getsendsubkey() . + + +\subsubsection{krb5\_auth\_con\_getremotesubkey} +\label{appdev/refs/api/krb5_auth_con_getremotesubkey::doc}\label{appdev/refs/api/krb5_auth_con_getremotesubkey:krb5-auth-con-getremotesubkey}\index{krb5\_auth\_con\_getremotesubkey (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_getremotesubkey:c.krb5_auth_con_getremotesubkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getremotesubkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ keyblock}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{auth\_context} + +\textbf{keyblock} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_auth\_con\_getrecvsubkey() . + + +\subsubsection{krb5\_auth\_con\_initivector} +\label{appdev/refs/api/krb5_auth_con_initivector:krb5-auth-con-initivector}\label{appdev/refs/api/krb5_auth_con_initivector::doc}\index{krb5\_auth\_con\_initivector (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_auth_con_initivector:c.krb5_auth_con_initivector}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_initivector}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{auth\_context} + +\end{description}\end{quote} + +DEPRECATED Not replaced. + +RFC 4120 doesn't have anything like the initvector concept; only really old protocols may need this API. + + +\subsubsection{krb5\_build\_principal\_va} +\label{appdev/refs/api/krb5_build_principal_va:krb5-build-principal-va}\label{appdev/refs/api/krb5_build_principal_va::doc}\index{krb5\_build\_principal\_va (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_build_principal_va:c.krb5_build_principal_va}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_build\_principal\_va}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ princ}, unsigned int\emph{ rlen}, const char *\emph{ realm}, va\_list\emph{ ap}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{princ} + +\textbf{rlen} + +\textbf{realm} + +\textbf{ap} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_build\_principal\_alloc\_va() . + + +\subsubsection{krb5\_c\_random\_seed} +\label{appdev/refs/api/krb5_c_random_seed:krb5-c-random-seed}\label{appdev/refs/api/krb5_c_random_seed::doc}\index{krb5\_c\_random\_seed (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_c_random_seed:c.krb5_c_random_seed}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_random\_seed}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{data} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_c\_* API family. + + +\subsubsection{krb5\_calculate\_checksum} +\label{appdev/refs/api/krb5_calculate_checksum:krb5-calculate-checksum}\label{appdev/refs/api/krb5_calculate_checksum::doc}\index{krb5\_calculate\_checksum (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_calculate_checksum:c.krb5_calculate_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_calculate\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ ctype}, {\hyperref[appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer]{krb5\_const\_pointer}}\emph{ in}, size\_t\emph{ in\_length}, {\hyperref[appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer]{krb5\_const\_pointer}}\emph{ seed}, size\_t\emph{ seed\_length}, {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ outcksum}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{ctype} + +\textbf{in} + +\textbf{in\_length} + +\textbf{seed} + +\textbf{seed\_length} + +\textbf{outcksum} + +\end{description}\end{quote} + +DEPRECATED See krb5\_c\_make\_checksum() + + +\subsubsection{krb5\_checksum\_size} +\label{appdev/refs/api/krb5_checksum_size:krb5-checksum-size}\label{appdev/refs/api/krb5_checksum_size::doc}\index{krb5\_checksum\_size (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_checksum_size:c.krb5_checksum_size}\pysiglinewithargsret{size\_t \bfcode{krb5\_checksum\_size}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ ctype}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{ctype} + +\end{description}\end{quote} + +DEPRECATED See krb5\_c\_checksum\_length() + + +\subsubsection{krb5\_encrypt} +\label{appdev/refs/api/krb5_encrypt:krb5-encrypt}\label{appdev/refs/api/krb5_encrypt::doc}\index{krb5\_encrypt (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_encrypt:c.krb5_encrypt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_encrypt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer]{krb5\_const\_pointer}}\emph{ inptr}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ outptr}, size\_t\emph{ size}, {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ ivec}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{inptr} + +\textbf{outptr} + +\textbf{size} + +\textbf{eblock} + +\textbf{ivec} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_c\_* API family. + + +\subsubsection{krb5\_decrypt} +\label{appdev/refs/api/krb5_decrypt:krb5-decrypt}\label{appdev/refs/api/krb5_decrypt::doc}\index{krb5\_decrypt (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_decrypt:c.krb5_decrypt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_decrypt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer]{krb5\_const\_pointer}}\emph{ inptr}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ outptr}, size\_t\emph{ size}, {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ ivec}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{inptr} + +\textbf{outptr} + +\textbf{size} + +\textbf{eblock} + +\textbf{ivec} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_c\_* API family. + + +\subsubsection{krb5\_eblock\_enctype} +\label{appdev/refs/api/krb5_eblock_enctype::doc}\label{appdev/refs/api/krb5_eblock_enctype:krb5-eblock-enctype}\index{krb5\_eblock\_enctype (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_eblock_enctype:c.krb5_eblock_enctype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} \bfcode{krb5\_eblock\_enctype}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{eblock} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_c\_* API family. + + +\subsubsection{krb5\_encrypt\_size} +\label{appdev/refs/api/krb5_encrypt_size:krb5-encrypt-size}\label{appdev/refs/api/krb5_encrypt_size::doc}\index{krb5\_encrypt\_size (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_encrypt_size:c.krb5_encrypt_size}\pysiglinewithargsret{size\_t \bfcode{krb5\_encrypt\_size}}{size\_t\emph{ length}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ crypto}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{length} + +\textbf{crypto} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_c\_* API family. + + +\subsubsection{krb5\_finish\_key} +\label{appdev/refs/api/krb5_finish_key:krb5-finish-key}\label{appdev/refs/api/krb5_finish_key::doc}\index{krb5\_finish\_key (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_finish_key:c.krb5_finish_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_finish\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{eblock} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_c\_* API family. + + +\subsubsection{krb5\_finish\_random\_key} +\label{appdev/refs/api/krb5_finish_random_key:krb5-finish-random-key}\label{appdev/refs/api/krb5_finish_random_key::doc}\index{krb5\_finish\_random\_key (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_finish_random_key:c.krb5_finish_random_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_finish\_random\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}} *\emph{ ptr}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{eblock} + +\textbf{ptr} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_c\_* API family. + + +\subsubsection{krb5\_cc\_gen\_new} +\label{appdev/refs/api/krb5_cc_gen_new:krb5-cc-gen-new}\label{appdev/refs/api/krb5_cc_gen_new::doc}\index{krb5\_cc\_gen\_new (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_cc_gen_new:c.krb5_cc_gen_new}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_gen\_new}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ cache}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{cache} + +\end{description}\end{quote} + + +\subsubsection{krb5\_get\_credentials\_renew} +\label{appdev/refs/api/krb5_get_credentials_renew:krb5-get-credentials-renew}\label{appdev/refs/api/krb5_get_credentials_renew::doc}\index{krb5\_get\_credentials\_renew (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_credentials_renew:c.krb5_get_credentials_renew}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_credentials\_renew}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ in\_creds}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ out\_creds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{options} + +\textbf{ccache} + +\textbf{in\_creds} + +\textbf{out\_creds} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_get\_renewed\_creds. + + +\subsubsection{krb5\_get\_credentials\_validate} +\label{appdev/refs/api/krb5_get_credentials_validate:krb5-get-credentials-validate}\label{appdev/refs/api/krb5_get_credentials_validate::doc}\index{krb5\_get\_credentials\_validate (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_credentials_validate:c.krb5_get_credentials_validate}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_credentials\_validate}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ in\_creds}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ out\_creds}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{options} + +\textbf{ccache} + +\textbf{in\_creds} + +\textbf{out\_creds} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_get\_validated\_creds. + + +\subsubsection{krb5\_get\_in\_tkt\_with\_password} +\label{appdev/refs/api/krb5_get_in_tkt_with_password:krb5-get-in-tkt-with-password}\label{appdev/refs/api/krb5_get_in_tkt_with_password::doc}\index{krb5\_get\_in\_tkt\_with\_password (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_in_tkt_with_password:c.krb5_get_in_tkt_with_password}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_in\_tkt\_with\_password}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *const *\emph{ addrs}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ ktypes}, {\hyperref[appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype]{krb5\_preauthtype}} *\emph{ pre\_auth\_types}, const char *\emph{ password}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep]{krb5\_kdc\_rep}} **\emph{ ret\_as\_reply}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{options} + +\textbf{addrs} + +\textbf{ktypes} + +\textbf{pre\_auth\_types} + +\textbf{password} + +\textbf{ccache} + +\textbf{creds} + +\textbf{ret\_as\_reply} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_get\_init\_creds\_password() . + + +\subsubsection{krb5\_get\_in\_tkt\_with\_skey} +\label{appdev/refs/api/krb5_get_in_tkt_with_skey:krb5-get-in-tkt-with-skey}\label{appdev/refs/api/krb5_get_in_tkt_with_skey::doc}\index{krb5\_get\_in\_tkt\_with\_skey (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_in_tkt_with_skey:c.krb5_get_in_tkt_with_skey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_in\_tkt\_with\_skey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *const *\emph{ addrs}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ ktypes}, {\hyperref[appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype]{krb5\_preauthtype}} *\emph{ pre\_auth\_types}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep]{krb5\_kdc\_rep}} **\emph{ ret\_as\_reply}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{options} + +\textbf{addrs} + +\textbf{ktypes} + +\textbf{pre\_auth\_types} + +\textbf{key} + +\textbf{ccache} + +\textbf{creds} + +\textbf{ret\_as\_reply} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_get\_init\_creds(). + + +\subsubsection{krb5\_get\_in\_tkt\_with\_keytab} +\label{appdev/refs/api/krb5_get_in_tkt_with_keytab:krb5-get-in-tkt-with-keytab}\label{appdev/refs/api/krb5_get_in_tkt_with_keytab::doc}\index{krb5\_get\_in\_tkt\_with\_keytab (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_in_tkt_with_keytab:c.krb5_get_in_tkt_with_keytab}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_in\_tkt\_with\_keytab}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *const *\emph{ addrs}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ ktypes}, {\hyperref[appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype]{krb5\_preauthtype}} *\emph{ pre\_auth\_types}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ arg\_keytab}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep]{krb5\_kdc\_rep}} **\emph{ ret\_as\_reply}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{options} + +\textbf{addrs} + +\textbf{ktypes} + +\textbf{pre\_auth\_types} + +\textbf{arg\_keytab} + +\textbf{ccache} + +\textbf{creds} + +\textbf{ret\_as\_reply} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_get\_init\_creds\_keytab() . + + +\subsubsection{krb5\_get\_init\_creds\_opt\_init} +\label{appdev/refs/api/krb5_get_init_creds_opt_init:krb5-get-init-creds-opt-init}\label{appdev/refs/api/krb5_get_init_creds_opt_init::doc}\index{krb5\_get\_init\_creds\_opt\_init (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_init:c.krb5_get_init_creds_opt_init}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_init}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{opt} + +\end{description}\end{quote} + +DEPRECATED Use krb5\_get\_init\_creds\_opt\_alloc() instead. + + +\subsubsection{krb5\_init\_random\_key} +\label{appdev/refs/api/krb5_init_random_key:krb5-init-random-key}\label{appdev/refs/api/krb5_init_random_key::doc}\index{krb5\_init\_random\_key (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_init_random_key:c.krb5_init_random_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_random\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}} *\emph{ ptr}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{eblock} + +\textbf{keyblock} + +\textbf{ptr} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_c\_* API family. + + +\subsubsection{krb5\_kt\_free\_entry} +\label{appdev/refs/api/krb5_kt_free_entry:krb5-kt-free-entry}\label{appdev/refs/api/krb5_kt_free_entry::doc}\index{krb5\_kt\_free\_entry (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_kt_free_entry:c.krb5_kt_free_entry}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_free\_entry}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry]{krb5\_keytab\_entry}} *\emph{ entry}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{entry} + +\end{description}\end{quote} + +DEPRECATED Use krb5\_free\_keytab\_entry\_contents instead. + + +\subsubsection{krb5\_random\_key} +\label{appdev/refs/api/krb5_random_key:krb5-random-key}\label{appdev/refs/api/krb5_random_key::doc}\index{krb5\_random\_key (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_random_key:c.krb5_random_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_random\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ ptr}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ keyblock}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{eblock} + +\textbf{ptr} + +\textbf{keyblock} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_c\_* API family. + + +\subsubsection{krb5\_process\_key} +\label{appdev/refs/api/krb5_process_key:krb5-process-key}\label{appdev/refs/api/krb5_process_key::doc}\index{krb5\_process\_key (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_process_key:c.krb5_process_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_process\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{eblock} + +\textbf{key} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_c\_* API family. + + +\subsubsection{krb5\_string\_to\_key} +\label{appdev/refs/api/krb5_string_to_key:krb5-string-to-key}\label{appdev/refs/api/krb5_string_to_key::doc}\index{krb5\_string\_to\_key (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_string_to_key:c.krb5_string_to_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_string\_to\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ salt}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{eblock} + +\textbf{keyblock} + +\textbf{data} + +\textbf{salt} + +\end{description}\end{quote} + +DEPRECATED See krb5\_c\_string\_to\_key() + + +\subsubsection{krb5\_use\_enctype} +\label{appdev/refs/api/krb5_use_enctype:krb5-use-enctype}\label{appdev/refs/api/krb5_use_enctype::doc}\index{krb5\_use\_enctype (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_use_enctype:c.krb5_use_enctype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_use\_enctype}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{eblock} + +\textbf{enctype} + +\end{description}\end{quote} + +DEPRECATED Replaced by krb5\_c\_* API family. + + +\subsubsection{krb5\_verify\_checksum} +\label{appdev/refs/api/krb5_verify_checksum::doc}\label{appdev/refs/api/krb5_verify_checksum:krb5-verify-checksum}\index{krb5\_verify\_checksum (C function)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/api/krb5_verify_checksum:c.krb5_verify_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_verify\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ ctype}, const {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ cksum}, {\hyperref[appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer]{krb5\_const\_pointer}}\emph{ in}, size\_t\emph{ in\_length}, {\hyperref[appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer]{krb5\_const\_pointer}}\emph{ seed}, size\_t\emph{ seed\_length}}{} +\end{fulllineitems} + +\begin{quote}\begin{description} +\item[{param}] \leavevmode +\textbf{context} + +\textbf{ctype} + +\textbf{cksum} + +\textbf{in} + +\textbf{in\_length} + +\textbf{seed} + +\textbf{seed\_length} + +\end{description}\end{quote} + +DEPRECATED See krb5\_c\_verify\_checksum() + + +\section{krb5 types and structures} +\label{appdev/refs/types/index::doc}\label{appdev/refs/types/index:krb5-types-and-structures} + +\subsection{Public} +\label{appdev/refs/types/index:public} + +\subsubsection{krb5\_address} +\label{appdev/refs/types/krb5_address:krb5-address-struct}\label{appdev/refs/types/krb5_address::doc}\label{appdev/refs/types/krb5_address:krb5-address}\index{krb5\_address (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_address:c.krb5_address}\pysigline{\bfcode{krb5\_address}} +\end{fulllineitems} + + +Structure for address. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_address:declaration} +typedef struct \_krb5\_address krb5\_address + + +\paragraph{Members} +\label{appdev/refs/types/krb5_address:members}\index{krb5\_address.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_address:c.krb5_address.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_address.magic}} +\end{fulllineitems} + +\index{krb5\_address.addrtype (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_address:c.krb5_address.addrtype}\pysigline{{\hyperref[appdev/refs/types/krb5_addrtype:c.krb5_addrtype]{krb5\_addrtype}} \bfcode{krb5\_address.addrtype}} +\end{fulllineitems} + +\index{krb5\_address.length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_address:c.krb5_address.length}\pysigline{unsigned int \bfcode{krb5\_address.length}} +\end{fulllineitems} + +\index{krb5\_address.contents (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_address:c.krb5_address.contents}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} * \bfcode{krb5\_address.contents}} +\end{fulllineitems} + + + +\subsubsection{krb5\_addrtype} +\label{appdev/refs/types/krb5_addrtype:krb5-addrtype}\label{appdev/refs/types/krb5_addrtype:krb5-addrtype-struct}\label{appdev/refs/types/krb5_addrtype::doc}\index{krb5\_addrtype (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_addrtype:c.krb5_addrtype}\pysigline{\bfcode{krb5\_addrtype}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_addrtype:declaration} +typedef krb5\_int32 krb5\_addrtype + + +\subsubsection{krb5\_ap\_req} +\label{appdev/refs/types/krb5_ap_req:krb5-ap-req}\label{appdev/refs/types/krb5_ap_req::doc}\label{appdev/refs/types/krb5_ap_req:krb5-ap-req-struct}\index{krb5\_ap\_req (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_req:c.krb5_ap_req}\pysigline{\bfcode{krb5\_ap\_req}} +\end{fulllineitems} + + +Authentication header. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_ap_req:declaration} +typedef struct \_krb5\_ap\_req krb5\_ap\_req + + +\paragraph{Members} +\label{appdev/refs/types/krb5_ap_req:members}\index{krb5\_ap\_req.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_req:c.krb5_ap_req.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_ap\_req.magic}} +\end{fulllineitems} + +\index{krb5\_ap\_req.ap\_options (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_req:c.krb5_ap_req.ap_options}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_ap\_req.ap\_options}} +Requested options. + +\end{fulllineitems} + +\index{krb5\_ap\_req.ticket (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_req:c.krb5_ap_req.ticket}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} * \bfcode{krb5\_ap\_req.ticket}} +Ticket. + +\end{fulllineitems} + +\index{krb5\_ap\_req.authenticator (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_req:c.krb5_ap_req.authenticator}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} \bfcode{krb5\_ap\_req.authenticator}} +Encrypted authenticator. + +\end{fulllineitems} + + + +\subsubsection{krb5\_ap\_rep} +\label{appdev/refs/types/krb5_ap_rep:krb5-ap-rep-struct}\label{appdev/refs/types/krb5_ap_rep:krb5-ap-rep}\label{appdev/refs/types/krb5_ap_rep::doc}\index{krb5\_ap\_rep (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_rep:c.krb5_ap_rep}\pysigline{\bfcode{krb5\_ap\_rep}} +\end{fulllineitems} + + +C representaton of AP-REP message. + +The server's response to a client's request for mutual authentication. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_ap_rep:declaration} +typedef struct \_krb5\_ap\_rep krb5\_ap\_rep + + +\paragraph{Members} +\label{appdev/refs/types/krb5_ap_rep:members}\index{krb5\_ap\_rep.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_rep:c.krb5_ap_rep.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_ap\_rep.magic}} +\end{fulllineitems} + +\index{krb5\_ap\_rep.enc\_part (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_rep:c.krb5_ap_rep.enc_part}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} \bfcode{krb5\_ap\_rep.enc\_part}} +Ciphertext of ApRepEncPart. + +\end{fulllineitems} + + + +\subsubsection{krb5\_ap\_rep\_enc\_part} +\label{appdev/refs/types/krb5_ap_rep_enc_part:krb5-ap-rep-enc-part-struct}\label{appdev/refs/types/krb5_ap_rep_enc_part::doc}\label{appdev/refs/types/krb5_ap_rep_enc_part:krb5-ap-rep-enc-part}\index{krb5\_ap\_rep\_enc\_part (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part}\pysigline{\bfcode{krb5\_ap\_rep\_enc\_part}} +\end{fulllineitems} + + +Cleartext that is encrypted and put into \code{\_krb5\_ap\_rep} . + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_ap_rep_enc_part:declaration} +typedef struct \_krb5\_ap\_rep\_enc\_part krb5\_ap\_rep\_enc\_part + + +\paragraph{Members} +\label{appdev/refs/types/krb5_ap_rep_enc_part:members}\index{krb5\_ap\_rep\_enc\_part.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_ap\_rep\_enc\_part.magic}} +\end{fulllineitems} + +\index{krb5\_ap\_rep\_enc\_part.ctime (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.ctime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_ap\_rep\_enc\_part.ctime}} +Client time, seconds portion. + +\end{fulllineitems} + +\index{krb5\_ap\_rep\_enc\_part.cusec (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.cusec}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_ap\_rep\_enc\_part.cusec}} +Client time, microseconds portion. + +\end{fulllineitems} + +\index{krb5\_ap\_rep\_enc\_part.subkey (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.subkey}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} * \bfcode{krb5\_ap\_rep\_enc\_part.subkey}} +Subkey (optional) + +\end{fulllineitems} + +\index{krb5\_ap\_rep\_enc\_part.seq\_number (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.seq_number}\pysigline{{\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}} \bfcode{krb5\_ap\_rep\_enc\_part.seq\_number}} +Sequence number. + +\end{fulllineitems} + + + +\subsubsection{krb5\_authdata} +\label{appdev/refs/types/krb5_authdata:krb5-authdata}\label{appdev/refs/types/krb5_authdata::doc}\label{appdev/refs/types/krb5_authdata:krb5-authdata-struct}\index{krb5\_authdata (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authdata:c.krb5_authdata}\pysigline{\bfcode{krb5\_authdata}} +\end{fulllineitems} + + +Structure for auth data. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_authdata:declaration} +typedef struct \_krb5\_authdata krb5\_authdata + + +\paragraph{Members} +\label{appdev/refs/types/krb5_authdata:members}\index{krb5\_authdata.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authdata:c.krb5_authdata.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_authdata.magic}} +\end{fulllineitems} + +\index{krb5\_authdata.ad\_type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authdata:c.krb5_authdata.ad_type}\pysigline{{\hyperref[appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype]{krb5\_authdatatype}} \bfcode{krb5\_authdata.ad\_type}} +ADTYPE. + +\end{fulllineitems} + +\index{krb5\_authdata.length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authdata:c.krb5_authdata.length}\pysigline{unsigned int \bfcode{krb5\_authdata.length}} +Length of data. + +\end{fulllineitems} + +\index{krb5\_authdata.contents (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authdata:c.krb5_authdata.contents}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} * \bfcode{krb5\_authdata.contents}} +Data. + +\end{fulllineitems} + + + +\subsubsection{krb5\_authdatatype} +\label{appdev/refs/types/krb5_authdatatype:krb5-authdatatype-struct}\label{appdev/refs/types/krb5_authdatatype::doc}\label{appdev/refs/types/krb5_authdatatype:krb5-authdatatype}\index{krb5\_authdatatype (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype}\pysigline{\bfcode{krb5\_authdatatype}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_authdatatype:declaration} +typedef krb5\_int32 krb5\_authdatatype + + +\subsubsection{krb5\_authenticator} +\label{appdev/refs/types/krb5_authenticator:krb5-authenticator-struct}\label{appdev/refs/types/krb5_authenticator:krb5-authenticator}\label{appdev/refs/types/krb5_authenticator::doc}\index{krb5\_authenticator (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}\pysigline{\bfcode{krb5\_authenticator}} +\end{fulllineitems} + + +Ticket authenticator. + +The C representation of an unencrypted authenticator. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_authenticator:declaration} +typedef struct \_krb5\_authenticator krb5\_authenticator + + +\paragraph{Members} +\label{appdev/refs/types/krb5_authenticator:members}\index{krb5\_authenticator.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_authenticator.magic}} +\end{fulllineitems} + +\index{krb5\_authenticator.client (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_authenticator.client}} +client name/realm + +\end{fulllineitems} + +\index{krb5\_authenticator.checksum (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.checksum}\pysigline{{\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} * \bfcode{krb5\_authenticator.checksum}} +checksum, includes type, optional + +\end{fulllineitems} + +\index{krb5\_authenticator.cusec (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.cusec}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_authenticator.cusec}} +client usec portion + +\end{fulllineitems} + +\index{krb5\_authenticator.ctime (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.ctime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_authenticator.ctime}} +client sec portion + +\end{fulllineitems} + +\index{krb5\_authenticator.subkey (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.subkey}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} * \bfcode{krb5\_authenticator.subkey}} +true session key, optional + +\end{fulllineitems} + +\index{krb5\_authenticator.seq\_number (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.seq_number}\pysigline{{\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}} \bfcode{krb5\_authenticator.seq\_number}} +sequence \#, optional + +\end{fulllineitems} + +\index{krb5\_authenticator.authorization\_data (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.authorization_data}\pysigline{{\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ** \bfcode{krb5\_authenticator.authorization\_data}} +authoriazation data + +\end{fulllineitems} + + + +\subsubsection{krb5\_boolean} +\label{appdev/refs/types/krb5_boolean:krb5-boolean-struct}\label{appdev/refs/types/krb5_boolean::doc}\label{appdev/refs/types/krb5_boolean:krb5-boolean}\index{krb5\_boolean (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_boolean:c.krb5_boolean}\pysigline{\bfcode{krb5\_boolean}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_boolean:declaration} +typedef unsigned int krb5\_boolean + + +\subsubsection{krb5\_checksum} +\label{appdev/refs/types/krb5_checksum::doc}\label{appdev/refs/types/krb5_checksum:krb5-checksum}\label{appdev/refs/types/krb5_checksum:krb5-checksum-struct}\index{krb5\_checksum (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_checksum:c.krb5_checksum}\pysigline{\bfcode{krb5\_checksum}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_checksum:declaration} +typedef struct \_krb5\_checksum krb5\_checksum + + +\paragraph{Members} +\label{appdev/refs/types/krb5_checksum:members}\index{krb5\_checksum.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_checksum:c.krb5_checksum.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_checksum.magic}} +\end{fulllineitems} + +\index{krb5\_checksum.checksum\_type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_checksum:c.krb5_checksum.checksum_type}\pysigline{{\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}} \bfcode{krb5\_checksum.checksum\_type}} +\end{fulllineitems} + +\index{krb5\_checksum.length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_checksum:c.krb5_checksum.length}\pysigline{unsigned int \bfcode{krb5\_checksum.length}} +\end{fulllineitems} + +\index{krb5\_checksum.contents (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_checksum:c.krb5_checksum.contents}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} * \bfcode{krb5\_checksum.contents}} +\end{fulllineitems} + + + +\subsubsection{krb5\_const\_pointer} +\label{appdev/refs/types/krb5_const_pointer:krb5-const-pointer}\label{appdev/refs/types/krb5_const_pointer::doc}\label{appdev/refs/types/krb5_const_pointer:krb5-const-pointer-struct}\index{krb5\_const\_pointer (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer}\pysigline{\bfcode{krb5\_const\_pointer}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_const_pointer:declaration} +typedef void const* krb5\_const\_pointer + + +\subsubsection{krb5\_const\_principal} +\label{appdev/refs/types/krb5_const_principal:krb5-const-principal-struct}\label{appdev/refs/types/krb5_const_principal:krb5-const-principal}\label{appdev/refs/types/krb5_const_principal::doc}\index{krb5\_const\_principal (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}\pysigline{\bfcode{krb5\_const\_principal}} +\end{fulllineitems} + + +Constant version of {\hyperref[appdev/refs/types/krb5_principal_data:c.krb5_principal_data]{\code{krb5\_principal\_data}}} . + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_const_principal:declaration} +typedef const krb5\_principal\_data* krb5\_const\_principal + + +\paragraph{Members} +\label{appdev/refs/types/krb5_const_principal:members}\index{krb5\_const\_principal.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_const\_principal.magic}} +\end{fulllineitems} + +\index{krb5\_const\_principal.realm (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.realm}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_const\_principal.realm}} +\end{fulllineitems} + +\index{krb5\_const\_principal.data (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.data}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_const\_principal.data}} +An array of strings. + +\end{fulllineitems} + +\index{krb5\_const\_principal.length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.length}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_const\_principal.length}} +\end{fulllineitems} + +\index{krb5\_const\_principal.type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.type}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_const\_principal.type}} +\end{fulllineitems} + + + +\subsubsection{krb5\_cred} +\label{appdev/refs/types/krb5_cred:krb5-cred-struct}\label{appdev/refs/types/krb5_cred::doc}\label{appdev/refs/types/krb5_cred:krb5-cred}\index{krb5\_cred (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred:c.krb5_cred}\pysigline{\bfcode{krb5\_cred}} +\end{fulllineitems} + + +Credentials data structure. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_cred:declaration} +typedef struct \_krb5\_cred krb5\_cred + + +\paragraph{Members} +\label{appdev/refs/types/krb5_cred:members}\index{krb5\_cred.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred:c.krb5_cred.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_cred.magic}} +\end{fulllineitems} + +\index{krb5\_cred.tickets (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred:c.krb5_cred.tickets}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} ** \bfcode{krb5\_cred.tickets}} +Tickets. + +\end{fulllineitems} + +\index{krb5\_cred.enc\_part (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred:c.krb5_cred.enc_part}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} \bfcode{krb5\_cred.enc\_part}} +Encrypted part. + +\end{fulllineitems} + +\index{krb5\_cred.enc\_part2 (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred:c.krb5_cred.enc_part2}\pysigline{{\hyperref[appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part]{krb5\_cred\_enc\_part}} * \bfcode{krb5\_cred.enc\_part2}} +Unencrypted version, if available. + +\end{fulllineitems} + + + +\subsubsection{krb5\_cred\_enc\_part} +\label{appdev/refs/types/krb5_cred_enc_part::doc}\label{appdev/refs/types/krb5_cred_enc_part:krb5-cred-enc-part}\label{appdev/refs/types/krb5_cred_enc_part:krb5-cred-enc-part-struct}\index{krb5\_cred\_enc\_part (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part}\pysigline{\bfcode{krb5\_cred\_enc\_part}} +\end{fulllineitems} + + +Cleartext credentials information. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_cred_enc_part:declaration} +typedef struct \_krb5\_cred\_enc\_part krb5\_cred\_enc\_part + + +\paragraph{Members} +\label{appdev/refs/types/krb5_cred_enc_part:members}\index{krb5\_cred\_enc\_part.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_cred\_enc\_part.magic}} +\end{fulllineitems} + +\index{krb5\_cred\_enc\_part.nonce (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.nonce}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_cred\_enc\_part.nonce}} +Nonce (optional) + +\end{fulllineitems} + +\index{krb5\_cred\_enc\_part.timestamp (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.timestamp}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_cred\_enc\_part.timestamp}} +Generation time, seconds portion. + +\end{fulllineitems} + +\index{krb5\_cred\_enc\_part.usec (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.usec}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_cred\_enc\_part.usec}} +Generation time, microseconds portion. + +\end{fulllineitems} + +\index{krb5\_cred\_enc\_part.s\_address (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.s_address}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} * \bfcode{krb5\_cred\_enc\_part.s\_address}} +Sender address (optional) + +\end{fulllineitems} + +\index{krb5\_cred\_enc\_part.r\_address (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.r_address}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} * \bfcode{krb5\_cred\_enc\_part.r\_address}} +Recipient address (optional) + +\end{fulllineitems} + +\index{krb5\_cred\_enc\_part.ticket\_info (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.ticket_info}\pysigline{{\hyperref[appdev/refs/types/krb5_cred_info:c.krb5_cred_info]{krb5\_cred\_info}} ** \bfcode{krb5\_cred\_enc\_part.ticket\_info}} +\end{fulllineitems} + + + +\subsubsection{krb5\_cred\_info} +\label{appdev/refs/types/krb5_cred_info:krb5-cred-info-struct}\label{appdev/refs/types/krb5_cred_info::doc}\label{appdev/refs/types/krb5_cred_info:krb5-cred-info}\index{krb5\_cred\_info (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info}\pysigline{\bfcode{krb5\_cred\_info}} +\end{fulllineitems} + + +Credentials information inserted into \emph{EncKrbCredPart} . + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_cred_info:declaration} +typedef struct \_krb5\_cred\_info krb5\_cred\_info + + +\paragraph{Members} +\label{appdev/refs/types/krb5_cred_info:members}\index{krb5\_cred\_info.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_cred\_info.magic}} +\end{fulllineitems} + +\index{krb5\_cred\_info.session (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.session}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} * \bfcode{krb5\_cred\_info.session}} +Session key used to encrypt ticket. + +\end{fulllineitems} + +\index{krb5\_cred\_info.client (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_cred\_info.client}} +Client principal and realm. + +\end{fulllineitems} + +\index{krb5\_cred\_info.server (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.server}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_cred\_info.server}} +Server principal and realm. + +\end{fulllineitems} + +\index{krb5\_cred\_info.flags (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_cred\_info.flags}} +Ticket flags. + +\end{fulllineitems} + +\index{krb5\_cred\_info.times (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.times}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times]{krb5\_ticket\_times}} \bfcode{krb5\_cred\_info.times}} +Auth, start, end, renew\_till. + +\end{fulllineitems} + +\index{krb5\_cred\_info.caddrs (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.caddrs}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ** \bfcode{krb5\_cred\_info.caddrs}} +Array of pointers to addrs (optional) + +\end{fulllineitems} + + + +\subsubsection{krb5\_creds} +\label{appdev/refs/types/krb5_creds::doc}\label{appdev/refs/types/krb5_creds:krb5-creds}\label{appdev/refs/types/krb5_creds:krb5-creds-struct}\index{krb5\_creds (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds}\pysigline{\bfcode{krb5\_creds}} +\end{fulllineitems} + + +Credentials structure including ticket, session key, and lifetime info. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_creds:declaration} +typedef struct \_krb5\_creds krb5\_creds + + +\paragraph{Members} +\label{appdev/refs/types/krb5_creds:members}\index{krb5\_creds.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_creds.magic}} +\end{fulllineitems} + +\index{krb5\_creds.client (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_creds.client}} +client's principal identifier + +\end{fulllineitems} + +\index{krb5\_creds.server (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.server}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_creds.server}} +server's principal identifier + +\end{fulllineitems} + +\index{krb5\_creds.keyblock (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.keyblock}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} \bfcode{krb5\_creds.keyblock}} +session encryption key info + +\end{fulllineitems} + +\index{krb5\_creds.times (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.times}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times]{krb5\_ticket\_times}} \bfcode{krb5\_creds.times}} +lifetime info + +\end{fulllineitems} + +\index{krb5\_creds.is\_skey (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.is_skey}\pysigline{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_creds.is\_skey}} +true if ticket is encrypted in another ticket's skey + +\end{fulllineitems} + +\index{krb5\_creds.ticket\_flags (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.ticket_flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_creds.ticket\_flags}} +flags in ticket + +\end{fulllineitems} + +\index{krb5\_creds.addresses (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.addresses}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ** \bfcode{krb5\_creds.addresses}} +addrs in ticket + +\end{fulllineitems} + +\index{krb5\_creds.ticket (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.ticket}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_creds.ticket}} +ticket string itself + +\end{fulllineitems} + +\index{krb5\_creds.second\_ticket (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.second_ticket}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_creds.second\_ticket}} +second ticket, if related to ticket (via DUPLICATE-SKEY or ENC-TKT-IN-SKEY) + +\end{fulllineitems} + +\index{krb5\_creds.authdata (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.authdata}\pysigline{{\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ** \bfcode{krb5\_creds.authdata}} +authorization data + +\end{fulllineitems} + + + +\subsubsection{krb5\_crypto\_iov} +\label{appdev/refs/types/krb5_crypto_iov:krb5-crypto-iov}\label{appdev/refs/types/krb5_crypto_iov::doc}\label{appdev/refs/types/krb5_crypto_iov:krb5-crypto-iov-struct}\index{krb5\_crypto\_iov (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}\pysigline{\bfcode{krb5\_crypto\_iov}} +\end{fulllineitems} + + +Structure to describe a region of text to be encrypted or decrypted. + +The \emph{flags} member describes the type of the iov. The \emph{data} member points to the memory that will be manipulated. All iov APIs take a pointer to the first element of an array of krb5\_crypto\_iov's along with the size of that array. Buffer contents are manipulated in-place; data is overwritten. Callers must allocate the right number of krb5\_crypto\_iov structures before calling into an iov API. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_crypto_iov:declaration} +typedef struct \_krb5\_crypto\_iov krb5\_crypto\_iov + + +\paragraph{Members} +\label{appdev/refs/types/krb5_crypto_iov:members}\index{krb5\_crypto\_iov.flags (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_cryptotype:c.krb5_cryptotype]{krb5\_cryptotype}} \bfcode{krb5\_crypto\_iov.flags}} +\code{KRB5\_CRYPTO\_TYPE} type of the iov + +\end{fulllineitems} + +\index{krb5\_crypto\_iov.data (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov.data}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_crypto\_iov.data}} +\end{fulllineitems} + + + +\subsubsection{krb5\_cryptotype} +\label{appdev/refs/types/krb5_cryptotype:krb5-cryptotype}\label{appdev/refs/types/krb5_cryptotype::doc}\label{appdev/refs/types/krb5_cryptotype:krb5-cryptotype-struct}\index{krb5\_cryptotype (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cryptotype:c.krb5_cryptotype}\pysigline{\bfcode{krb5\_cryptotype}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_cryptotype:declaration} +typedef krb5\_int32 krb5\_cryptotype + + +\subsubsection{krb5\_data} +\label{appdev/refs/types/krb5_data:krb5-data}\label{appdev/refs/types/krb5_data::doc}\label{appdev/refs/types/krb5_data:krb5-data-struct}\index{krb5\_data (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_data:c.krb5_data}\pysigline{\bfcode{krb5\_data}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_data:declaration} +typedef struct \_krb5\_data krb5\_data + + +\paragraph{Members} +\label{appdev/refs/types/krb5_data:members}\index{krb5\_data.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_data:c.krb5_data.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_data.magic}} +\end{fulllineitems} + +\index{krb5\_data.length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_data:c.krb5_data.length}\pysigline{unsigned int \bfcode{krb5\_data.length}} +\end{fulllineitems} + +\index{krb5\_data.data (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_data:c.krb5_data.data}\pysigline{char * \bfcode{krb5\_data.data}} +\end{fulllineitems} + + + +\subsubsection{krb5\_deltat} +\label{appdev/refs/types/krb5_deltat:krb5-deltat}\label{appdev/refs/types/krb5_deltat:krb5-deltat-struct}\label{appdev/refs/types/krb5_deltat::doc}\index{krb5\_deltat (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_deltat:c.krb5_deltat}\pysigline{\bfcode{krb5\_deltat}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_deltat:declaration} +typedef krb5\_int32 krb5\_deltat + + +\subsubsection{krb5\_enc\_data} +\label{appdev/refs/types/krb5_enc_data::doc}\label{appdev/refs/types/krb5_enc_data:krb5-enc-data}\label{appdev/refs/types/krb5_enc_data:krb5-enc-data-struct}\index{krb5\_enc\_data (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}\pysigline{\bfcode{krb5\_enc\_data}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_enc_data:declaration} +typedef struct \_krb5\_enc\_data krb5\_enc\_data + + +\paragraph{Members} +\label{appdev/refs/types/krb5_enc_data:members}\index{krb5\_enc\_data.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_data:c.krb5_enc_data.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_enc\_data.magic}} +\end{fulllineitems} + +\index{krb5\_enc\_data.enctype (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_data:c.krb5_enc_data.enctype}\pysigline{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} \bfcode{krb5\_enc\_data.enctype}} +\end{fulllineitems} + +\index{krb5\_enc\_data.kvno (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_data:c.krb5_enc_data.kvno}\pysigline{{\hyperref[appdev/refs/types/krb5_kvno:c.krb5_kvno]{krb5\_kvno}} \bfcode{krb5\_enc\_data.kvno}} +\end{fulllineitems} + +\index{krb5\_enc\_data.ciphertext (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_data:c.krb5_enc_data.ciphertext}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_enc\_data.ciphertext}} +\end{fulllineitems} + + + +\subsubsection{krb5\_enc\_kdc\_rep\_part} +\label{appdev/refs/types/krb5_enc_kdc_rep_part::doc}\label{appdev/refs/types/krb5_enc_kdc_rep_part:krb5-enc-kdc-rep-part}\label{appdev/refs/types/krb5_enc_kdc_rep_part:krb5-enc-kdc-rep-part-struct}\index{krb5\_enc\_kdc\_rep\_part (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}\pysigline{\bfcode{krb5\_enc\_kdc\_rep\_part}} +\end{fulllineitems} + + +C representation of \emph{EncKDCRepPart} protocol message. + +This is the cleartext message that is encrypted and inserted in \emph{KDC-REP} . + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_enc_kdc_rep_part:declaration} +typedef struct \_krb5\_enc\_kdc\_rep\_part krb5\_enc\_kdc\_rep\_part + + +\paragraph{Members} +\label{appdev/refs/types/krb5_enc_kdc_rep_part:members}\index{krb5\_enc\_kdc\_rep\_part.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_enc\_kdc\_rep\_part.magic}} +\end{fulllineitems} + +\index{krb5\_enc\_kdc\_rep\_part.msg\_type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.msg_type}\pysigline{{\hyperref[appdev/refs/types/krb5_msgtype:c.krb5_msgtype]{krb5\_msgtype}} \bfcode{krb5\_enc\_kdc\_rep\_part.msg\_type}} +krb5 message type + +\end{fulllineitems} + +\index{krb5\_enc\_kdc\_rep\_part.session (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.session}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} * \bfcode{krb5\_enc\_kdc\_rep\_part.session}} +Session key. + +\end{fulllineitems} + +\index{krb5\_enc\_kdc\_rep\_part.last\_req (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.last_req}\pysigline{{\hyperref[appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry]{krb5\_last\_req\_entry}} ** \bfcode{krb5\_enc\_kdc\_rep\_part.last\_req}} +Array of pointers to entries. + +\end{fulllineitems} + +\index{krb5\_enc\_kdc\_rep\_part.nonce (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.nonce}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_enc\_kdc\_rep\_part.nonce}} +Nonce from request. + +\end{fulllineitems} + +\index{krb5\_enc\_kdc\_rep\_part.key\_exp (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.key_exp}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_enc\_kdc\_rep\_part.key\_exp}} +Expiration date. + +\end{fulllineitems} + +\index{krb5\_enc\_kdc\_rep\_part.flags (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_enc\_kdc\_rep\_part.flags}} +Ticket flags. + +\end{fulllineitems} + +\index{krb5\_enc\_kdc\_rep\_part.times (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.times}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times]{krb5\_ticket\_times}} \bfcode{krb5\_enc\_kdc\_rep\_part.times}} +Lifetime info. + +\end{fulllineitems} + +\index{krb5\_enc\_kdc\_rep\_part.server (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.server}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_enc\_kdc\_rep\_part.server}} +Server's principal identifier. + +\end{fulllineitems} + +\index{krb5\_enc\_kdc\_rep\_part.caddrs (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.caddrs}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ** \bfcode{krb5\_enc\_kdc\_rep\_part.caddrs}} +Array of ptrs to addrs, optional. + +\end{fulllineitems} + +\index{krb5\_enc\_kdc\_rep\_part.enc\_padata (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.enc_padata}\pysigline{{\hyperref[appdev/refs/types/krb5_pa_data:c.krb5_pa_data]{krb5\_pa\_data}} ** \bfcode{krb5\_enc\_kdc\_rep\_part.enc\_padata}} +Encrypted preauthentication data. + +\end{fulllineitems} + + + +\subsubsection{krb5\_enc\_tkt\_part} +\label{appdev/refs/types/krb5_enc_tkt_part:krb5-enc-tkt-part}\label{appdev/refs/types/krb5_enc_tkt_part::doc}\label{appdev/refs/types/krb5_enc_tkt_part:krb5-enc-tkt-part-struct}\index{krb5\_enc\_tkt\_part (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}\pysigline{\bfcode{krb5\_enc\_tkt\_part}} +\end{fulllineitems} + + +Encrypted part of ticket. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_enc_tkt_part:declaration} +typedef struct \_krb5\_enc\_tkt\_part krb5\_enc\_tkt\_part + + +\paragraph{Members} +\label{appdev/refs/types/krb5_enc_tkt_part:members}\index{krb5\_enc\_tkt\_part.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_enc\_tkt\_part.magic}} +\end{fulllineitems} + +\index{krb5\_enc\_tkt\_part.flags (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_enc\_tkt\_part.flags}} +flags + +\end{fulllineitems} + +\index{krb5\_enc\_tkt\_part.session (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.session}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} * \bfcode{krb5\_enc\_tkt\_part.session}} +session key: includes enctype + +\end{fulllineitems} + +\index{krb5\_enc\_tkt\_part.client (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_enc\_tkt\_part.client}} +client name/realm + +\end{fulllineitems} + +\index{krb5\_enc\_tkt\_part.transited (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.transited}\pysigline{{\hyperref[appdev/refs/types/krb5_transited:c.krb5_transited]{krb5\_transited}} \bfcode{krb5\_enc\_tkt\_part.transited}} +list of transited realms + +\end{fulllineitems} + +\index{krb5\_enc\_tkt\_part.times (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.times}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times]{krb5\_ticket\_times}} \bfcode{krb5\_enc\_tkt\_part.times}} +auth, start, end, renew\_till + +\end{fulllineitems} + +\index{krb5\_enc\_tkt\_part.caddrs (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.caddrs}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ** \bfcode{krb5\_enc\_tkt\_part.caddrs}} +array of ptrs to addresses + +\end{fulllineitems} + +\index{krb5\_enc\_tkt\_part.authorization\_data (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.authorization_data}\pysigline{{\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ** \bfcode{krb5\_enc\_tkt\_part.authorization\_data}} +auth data + +\end{fulllineitems} + + + +\subsubsection{krb5\_encrypt\_block} +\label{appdev/refs/types/krb5_encrypt_block:krb5-encrypt-block}\label{appdev/refs/types/krb5_encrypt_block:krb5-encrypt-block-struct}\label{appdev/refs/types/krb5_encrypt_block::doc}\index{krb5\_encrypt\_block (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}\pysigline{\bfcode{krb5\_encrypt\_block}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_encrypt_block:declaration} +typedef struct \_krb5\_encrypt\_block krb5\_encrypt\_block + + +\paragraph{Members} +\label{appdev/refs/types/krb5_encrypt_block:members}\index{krb5\_encrypt\_block.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_encrypt\_block.magic}} +\end{fulllineitems} + +\index{krb5\_encrypt\_block.crypto\_entry (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block.crypto_entry}\pysigline{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} \bfcode{krb5\_encrypt\_block.crypto\_entry}} +\end{fulllineitems} + +\index{krb5\_encrypt\_block.key (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block.key}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} * \bfcode{krb5\_encrypt\_block.key}} +\end{fulllineitems} + + + +\subsubsection{krb5\_enctype} +\label{appdev/refs/types/krb5_enctype:krb5-enctype-struct}\label{appdev/refs/types/krb5_enctype:krb5-enctype}\label{appdev/refs/types/krb5_enctype::doc}\index{krb5\_enctype (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_enctype:c.krb5_enctype}\pysigline{\bfcode{krb5\_enctype}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_enctype:declaration} +typedef krb5\_int32 krb5\_enctype + + +\subsubsection{krb5\_error} +\label{appdev/refs/types/krb5_error:krb5-error-struct}\label{appdev/refs/types/krb5_error:krb5-error}\label{appdev/refs/types/krb5_error::doc}\index{krb5\_error (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error}\pysigline{\bfcode{krb5\_error}} +\end{fulllineitems} + + +Error message structure. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_error:declaration} +typedef struct \_krb5\_error krb5\_error + + +\paragraph{Members} +\label{appdev/refs/types/krb5_error:members}\index{krb5\_error.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_error.magic}} +\end{fulllineitems} + +\index{krb5\_error.ctime (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.ctime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_error.ctime}} +Client sec portion; optional. + +\end{fulllineitems} + +\index{krb5\_error.cusec (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.cusec}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_error.cusec}} +Client usec portion; optional. + +\end{fulllineitems} + +\index{krb5\_error.susec (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.susec}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_error.susec}} +Server usec portion. + +\end{fulllineitems} + +\index{krb5\_error.stime (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.stime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_error.stime}} +Server sec portion. + +\end{fulllineitems} + +\index{krb5\_error.error (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.error}\pysigline{{\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}} \bfcode{krb5\_error.error}} +Error code (protocol error \#'s) + +\end{fulllineitems} + +\index{krb5\_error.client (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_error.client}} +Client principal and realm. + +\end{fulllineitems} + +\index{krb5\_error.server (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.server}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_error.server}} +Server principal and realm. + +\end{fulllineitems} + +\index{krb5\_error.text (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.text}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_error.text}} +Descriptive text. + +\end{fulllineitems} + +\index{krb5\_error.e\_data (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.e_data}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_error.e\_data}} +Additional error-describing data. + +\end{fulllineitems} + + + +\subsubsection{krb5\_error\_code} +\label{appdev/refs/types/krb5_error_code:krb5-error-code}\label{appdev/refs/types/krb5_error_code::doc}\label{appdev/refs/types/krb5_error_code:krb5-error-code-struct}\index{krb5\_error\_code (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_error_code:c.krb5_error_code}\pysigline{\bfcode{krb5\_error\_code}} +\end{fulllineitems} + + +Used to convey an operation status. + +The value 0 indicates success; any other values are com\_err codes. Use {\hyperref[appdev/refs/api/krb5_get_error_message:c.krb5_get_error_message]{\code{krb5\_get\_error\_message()}}} to obtain a string describing the error. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_error_code:declaration} +typedef krb5\_int32 krb5\_error\_code + + +\subsubsection{krb5\_expire\_callback\_func} +\label{appdev/refs/types/krb5_expire_callback_func:krb5-expire-callback-func}\label{appdev/refs/types/krb5_expire_callback_func::doc}\label{appdev/refs/types/krb5_expire_callback_func:krb5-expire-callback-func-struct}\index{krb5\_expire\_callback\_func (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_expire_callback_func:c.krb5_expire_callback_func}\pysigline{\bfcode{krb5\_expire\_callback\_func}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_expire_callback_func:declaration} +typedef void( * krb5\_expire\_callback\_func)(krb5\_context context, void *data, krb5\_timestamp password\_expiration, krb5\_timestamp account\_expiration, krb5\_boolean is\_last\_req) + + +\subsubsection{krb5\_flags} +\label{appdev/refs/types/krb5_flags:krb5-flags-struct}\label{appdev/refs/types/krb5_flags:krb5-flags}\label{appdev/refs/types/krb5_flags::doc}\index{krb5\_flags (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_flags:c.krb5_flags}\pysigline{\bfcode{krb5\_flags}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_flags:declaration} +typedef krb5\_int32 krb5\_flags + + +\subsubsection{krb5\_get\_init\_creds\_opt} +\label{appdev/refs/types/krb5_get_init_creds_opt:krb5-get-init-creds-opt-struct}\label{appdev/refs/types/krb5_get_init_creds_opt::doc}\label{appdev/refs/types/krb5_get_init_creds_opt:krb5-get-init-creds-opt}\index{krb5\_get\_init\_creds\_opt (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}\pysigline{\bfcode{krb5\_get\_init\_creds\_opt}} +\end{fulllineitems} + + +Store options for \emph{\_krb5\_get\_init\_creds} . + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_get_init_creds_opt:declaration} +typedef struct \_krb5\_get\_init\_creds\_opt krb5\_get\_init\_creds\_opt + + +\paragraph{Members} +\label{appdev/refs/types/krb5_get_init_creds_opt:members}\index{krb5\_get\_init\_creds\_opt.flags (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_get\_init\_creds\_opt.flags}} +\end{fulllineitems} + +\index{krb5\_get\_init\_creds\_opt.tkt\_life (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.tkt_life}\pysigline{{\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}} \bfcode{krb5\_get\_init\_creds\_opt.tkt\_life}} +\end{fulllineitems} + +\index{krb5\_get\_init\_creds\_opt.renew\_life (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.renew_life}\pysigline{{\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}} \bfcode{krb5\_get\_init\_creds\_opt.renew\_life}} +\end{fulllineitems} + +\index{krb5\_get\_init\_creds\_opt.forwardable (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.forwardable}\pysigline{int \bfcode{krb5\_get\_init\_creds\_opt.forwardable}} +\end{fulllineitems} + +\index{krb5\_get\_init\_creds\_opt.proxiable (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.proxiable}\pysigline{int \bfcode{krb5\_get\_init\_creds\_opt.proxiable}} +\end{fulllineitems} + +\index{krb5\_get\_init\_creds\_opt.etype\_list (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.etype_list}\pysigline{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} * \bfcode{krb5\_get\_init\_creds\_opt.etype\_list}} +\end{fulllineitems} + +\index{krb5\_get\_init\_creds\_opt.etype\_list\_length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.etype_list_length}\pysigline{int \bfcode{krb5\_get\_init\_creds\_opt.etype\_list\_length}} +\end{fulllineitems} + +\index{krb5\_get\_init\_creds\_opt.address\_list (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.address_list}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ** \bfcode{krb5\_get\_init\_creds\_opt.address\_list}} +\end{fulllineitems} + +\index{krb5\_get\_init\_creds\_opt.preauth\_list (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.preauth_list}\pysigline{{\hyperref[appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype]{krb5\_preauthtype}} * \bfcode{krb5\_get\_init\_creds\_opt.preauth\_list}} +\end{fulllineitems} + +\index{krb5\_get\_init\_creds\_opt.preauth\_list\_length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.preauth_list_length}\pysigline{int \bfcode{krb5\_get\_init\_creds\_opt.preauth\_list\_length}} +\end{fulllineitems} + +\index{krb5\_get\_init\_creds\_opt.salt (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.salt}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_get\_init\_creds\_opt.salt}} +\end{fulllineitems} + + + +\subsubsection{krb5\_gic\_opt\_pa\_data} +\label{appdev/refs/types/krb5_gic_opt_pa_data::doc}\label{appdev/refs/types/krb5_gic_opt_pa_data:krb5-gic-opt-pa-data}\label{appdev/refs/types/krb5_gic_opt_pa_data:krb5-gic-opt-pa-data-struct}\index{krb5\_gic\_opt\_pa\_data (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_gic_opt_pa_data:c.krb5_gic_opt_pa_data}\pysigline{\bfcode{krb5\_gic\_opt\_pa\_data}} +\end{fulllineitems} + + +Generic preauth option attribute/value pairs. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_gic_opt_pa_data:declaration} +typedef struct \_krb5\_gic\_opt\_pa\_data krb5\_gic\_opt\_pa\_data + + +\paragraph{Members} +\label{appdev/refs/types/krb5_gic_opt_pa_data:members}\index{krb5\_gic\_opt\_pa\_data.attr (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_gic_opt_pa_data:c.krb5_gic_opt_pa_data.attr}\pysigline{char * \bfcode{krb5\_gic\_opt\_pa\_data.attr}} +\end{fulllineitems} + +\index{krb5\_gic\_opt\_pa\_data.value (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_gic_opt_pa_data:c.krb5_gic_opt_pa_data.value}\pysigline{char * \bfcode{krb5\_gic\_opt\_pa\_data.value}} +\end{fulllineitems} + + + +\subsubsection{krb5\_int16} +\label{appdev/refs/types/krb5_int16:krb5-int16-struct}\label{appdev/refs/types/krb5_int16:krb5-int16}\label{appdev/refs/types/krb5_int16::doc}\index{krb5\_int16 (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_int16:c.krb5_int16}\pysigline{\bfcode{krb5\_int16}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_int16:declaration} +typedef int16\_t krb5\_int16 + + +\subsubsection{krb5\_int32} +\label{appdev/refs/types/krb5_int32:krb5-int32-struct}\label{appdev/refs/types/krb5_int32::doc}\label{appdev/refs/types/krb5_int32:krb5-int32}\index{krb5\_int32 (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_int32:c.krb5_int32}\pysigline{\bfcode{krb5\_int32}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_int32:declaration} +typedef int32\_t krb5\_int32 + + +\subsubsection{krb5\_kdc\_rep} +\label{appdev/refs/types/krb5_kdc_rep::doc}\label{appdev/refs/types/krb5_kdc_rep:krb5-kdc-rep}\label{appdev/refs/types/krb5_kdc_rep:krb5-kdc-rep-struct}\index{krb5\_kdc\_rep (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep}\pysigline{\bfcode{krb5\_kdc\_rep}} +\end{fulllineitems} + + +Representation of the \emph{KDC-REP} protocol message. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_kdc_rep:declaration} +typedef struct \_krb5\_kdc\_rep krb5\_kdc\_rep + + +\paragraph{Members} +\label{appdev/refs/types/krb5_kdc_rep:members}\index{krb5\_kdc\_rep.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_kdc\_rep.magic}} +\end{fulllineitems} + +\index{krb5\_kdc\_rep.msg\_type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.msg_type}\pysigline{{\hyperref[appdev/refs/types/krb5_msgtype:c.krb5_msgtype]{krb5\_msgtype}} \bfcode{krb5\_kdc\_rep.msg\_type}} +KRB5\_AS\_REP or KRB5\_KDC\_REP. + +\end{fulllineitems} + +\index{krb5\_kdc\_rep.padata (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.padata}\pysigline{{\hyperref[appdev/refs/types/krb5_pa_data:c.krb5_pa_data]{krb5\_pa\_data}} ** \bfcode{krb5\_kdc\_rep.padata}} +Preauthentication data from KDC. + +\end{fulllineitems} + +\index{krb5\_kdc\_rep.client (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_kdc\_rep.client}} +Client principal and realm. + +\end{fulllineitems} + +\index{krb5\_kdc\_rep.ticket (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.ticket}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} * \bfcode{krb5\_kdc\_rep.ticket}} +Ticket. + +\end{fulllineitems} + +\index{krb5\_kdc\_rep.enc\_part (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.enc_part}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} \bfcode{krb5\_kdc\_rep.enc\_part}} +Encrypted part of reply. + +\end{fulllineitems} + +\index{krb5\_kdc\_rep.enc\_part2 (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.enc_part2}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part]{krb5\_enc\_kdc\_rep\_part}} * \bfcode{krb5\_kdc\_rep.enc\_part2}} +Unencrypted version, if available. + +\end{fulllineitems} + + + +\subsubsection{krb5\_kdc\_req} +\label{appdev/refs/types/krb5_kdc_req:krb5-kdc-req-struct}\label{appdev/refs/types/krb5_kdc_req:krb5-kdc-req}\label{appdev/refs/types/krb5_kdc_req::doc}\index{krb5\_kdc\_req (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}\pysigline{\bfcode{krb5\_kdc\_req}} +\end{fulllineitems} + + +C representation of KDC-REQ protocol message, including KDC-REQ-BODY. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_kdc_req:declaration} +typedef struct \_krb5\_kdc\_req krb5\_kdc\_req + + +\paragraph{Members} +\label{appdev/refs/types/krb5_kdc_req:members}\index{krb5\_kdc\_req.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_kdc\_req.magic}} +\end{fulllineitems} + +\index{krb5\_kdc\_req.msg\_type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.msg_type}\pysigline{{\hyperref[appdev/refs/types/krb5_msgtype:c.krb5_msgtype]{krb5\_msgtype}} \bfcode{krb5\_kdc\_req.msg\_type}} +KRB5\_AS\_REQ or KRB5\_TGS\_REQ. + +\end{fulllineitems} + +\index{krb5\_kdc\_req.padata (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.padata}\pysigline{{\hyperref[appdev/refs/types/krb5_pa_data:c.krb5_pa_data]{krb5\_pa\_data}} ** \bfcode{krb5\_kdc\_req.padata}} +Preauthentication data. + +\end{fulllineitems} + +\index{krb5\_kdc\_req.kdc\_options (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.kdc_options}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_kdc\_req.kdc\_options}} +Requested options. + +\end{fulllineitems} + +\index{krb5\_kdc\_req.client (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_kdc\_req.client}} +Client principal and realm. + +\end{fulllineitems} + +\index{krb5\_kdc\_req.server (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.server}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_kdc\_req.server}} +Server principal and realm. + +\end{fulllineitems} + +\index{krb5\_kdc\_req.from (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.from}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_kdc\_req.from}} +Requested start time. + +\end{fulllineitems} + +\index{krb5\_kdc\_req.till (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.till}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_kdc\_req.till}} +Requested end time. + +\end{fulllineitems} + +\index{krb5\_kdc\_req.rtime (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.rtime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_kdc\_req.rtime}} +Requested renewable end time. + +\end{fulllineitems} + +\index{krb5\_kdc\_req.nonce (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.nonce}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_kdc\_req.nonce}} +Nonce to match request and response. + +\end{fulllineitems} + +\index{krb5\_kdc\_req.nktypes (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.nktypes}\pysigline{int \bfcode{krb5\_kdc\_req.nktypes}} +Number of enctypes. + +\end{fulllineitems} + +\index{krb5\_kdc\_req.ktype (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.ktype}\pysigline{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} * \bfcode{krb5\_kdc\_req.ktype}} +Requested enctypes. + +\end{fulllineitems} + +\index{krb5\_kdc\_req.addresses (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.addresses}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ** \bfcode{krb5\_kdc\_req.addresses}} +Requested addresses (optional) + +\end{fulllineitems} + +\index{krb5\_kdc\_req.authorization\_data (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.authorization_data}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} \bfcode{krb5\_kdc\_req.authorization\_data}} +Encrypted authz data (optional) + +\end{fulllineitems} + +\index{krb5\_kdc\_req.unenc\_authdata (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.unenc_authdata}\pysigline{{\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ** \bfcode{krb5\_kdc\_req.unenc\_authdata}} +Unencrypted authz data. + +\end{fulllineitems} + +\index{krb5\_kdc\_req.second\_ticket (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.second_ticket}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} ** \bfcode{krb5\_kdc\_req.second\_ticket}} +Second ticket array (optional) + +\end{fulllineitems} + + + +\subsubsection{krb5\_keyblock} +\label{appdev/refs/types/krb5_keyblock:krb5-keyblock}\label{appdev/refs/types/krb5_keyblock::doc}\label{appdev/refs/types/krb5_keyblock:krb5-keyblock-struct}\index{krb5\_keyblock (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}\pysigline{\bfcode{krb5\_keyblock}} +\end{fulllineitems} + + +Exposed contents of a key. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_keyblock:declaration} +typedef struct \_krb5\_keyblock krb5\_keyblock + + +\paragraph{Members} +\label{appdev/refs/types/krb5_keyblock:members}\index{krb5\_keyblock.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_keyblock:c.krb5_keyblock.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_keyblock.magic}} +\end{fulllineitems} + +\index{krb5\_keyblock.enctype (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_keyblock:c.krb5_keyblock.enctype}\pysigline{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} \bfcode{krb5\_keyblock.enctype}} +\end{fulllineitems} + +\index{krb5\_keyblock.length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_keyblock:c.krb5_keyblock.length}\pysigline{unsigned int \bfcode{krb5\_keyblock.length}} +\end{fulllineitems} + +\index{krb5\_keyblock.contents (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_keyblock:c.krb5_keyblock.contents}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} * \bfcode{krb5\_keyblock.contents}} +\end{fulllineitems} + + + +\subsubsection{krb5\_keytab\_entry} +\label{appdev/refs/types/krb5_keytab_entry:krb5-keytab-entry}\label{appdev/refs/types/krb5_keytab_entry:krb5-keytab-entry-struct}\label{appdev/refs/types/krb5_keytab_entry::doc}\index{krb5\_keytab\_entry (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}\pysigline{\bfcode{krb5\_keytab\_entry}} +\end{fulllineitems} + + +A key table entry. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_keytab_entry:declaration} +typedef struct krb5\_keytab\_entry\_st krb5\_keytab\_entry + + +\paragraph{Members} +\label{appdev/refs/types/krb5_keytab_entry:members}\index{krb5\_keytab\_entry.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_keytab\_entry.magic}} +\end{fulllineitems} + +\index{krb5\_keytab\_entry.principal (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.principal}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_keytab\_entry.principal}} +Principal of this key. + +\end{fulllineitems} + +\index{krb5\_keytab\_entry.timestamp (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.timestamp}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_keytab\_entry.timestamp}} +Time entry written to keytable. + +\end{fulllineitems} + +\index{krb5\_keytab\_entry.vno (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.vno}\pysigline{{\hyperref[appdev/refs/types/krb5_kvno:c.krb5_kvno]{krb5\_kvno}} \bfcode{krb5\_keytab\_entry.vno}} +Key version number. + +\end{fulllineitems} + +\index{krb5\_keytab\_entry.key (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.key}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} \bfcode{krb5\_keytab\_entry.key}} +The secret key. + +\end{fulllineitems} + + + +\subsubsection{krb5\_keyusage} +\label{appdev/refs/types/krb5_keyusage:krb5-keyusage}\label{appdev/refs/types/krb5_keyusage::doc}\label{appdev/refs/types/krb5_keyusage:krb5-keyusage-struct}\index{krb5\_keyusage (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}\pysigline{\bfcode{krb5\_keyusage}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_keyusage:declaration} +typedef krb5\_int32 krb5\_keyusage + + +\subsubsection{krb5\_kt\_cursor} +\label{appdev/refs/types/krb5_kt_cursor:krb5-kt-cursor-struct}\label{appdev/refs/types/krb5_kt_cursor::doc}\label{appdev/refs/types/krb5_kt_cursor:krb5-kt-cursor}\index{krb5\_kt\_cursor (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kt_cursor:c.krb5_kt_cursor}\pysigline{\bfcode{krb5\_kt\_cursor}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_kt_cursor:declaration} +typedef krb5\_pointer krb5\_kt\_cursor + + +\subsubsection{krb5\_kvno} +\label{appdev/refs/types/krb5_kvno:krb5-kvno}\label{appdev/refs/types/krb5_kvno::doc}\label{appdev/refs/types/krb5_kvno:krb5-kvno-struct}\index{krb5\_kvno (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_kvno:c.krb5_kvno}\pysigline{\bfcode{krb5\_kvno}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_kvno:declaration} +typedef unsigned int krb5\_kvno + + +\subsubsection{krb5\_last\_req\_entry} +\label{appdev/refs/types/krb5_last_req_entry:krb5-last-req-entry}\label{appdev/refs/types/krb5_last_req_entry::doc}\label{appdev/refs/types/krb5_last_req_entry:krb5-last-req-entry-struct}\index{krb5\_last\_req\_entry (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry}\pysigline{\bfcode{krb5\_last\_req\_entry}} +\end{fulllineitems} + + +Last request entry. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_last_req_entry:declaration} +typedef struct \_krb5\_last\_req\_entry krb5\_last\_req\_entry + + +\paragraph{Members} +\label{appdev/refs/types/krb5_last_req_entry:members}\index{krb5\_last\_req\_entry.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_last\_req\_entry.magic}} +\end{fulllineitems} + +\index{krb5\_last\_req\_entry.lr\_type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry.lr_type}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_last\_req\_entry.lr\_type}} +LR type. + +\end{fulllineitems} + +\index{krb5\_last\_req\_entry.value (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry.value}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_last\_req\_entry.value}} +Timestamp. + +\end{fulllineitems} + + + +\subsubsection{krb5\_magic} +\label{appdev/refs/types/krb5_magic:krb5-magic}\label{appdev/refs/types/krb5_magic::doc}\label{appdev/refs/types/krb5_magic:krb5-magic-struct}\index{krb5\_magic (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_magic:c.krb5_magic}\pysigline{\bfcode{krb5\_magic}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_magic:declaration} +typedef krb5\_error\_code krb5\_magic + + +\subsubsection{krb5\_mk\_req\_checksum\_func} +\label{appdev/refs/types/krb5_mk_req_checksum_func:krb5-mk-req-checksum-func-struct}\label{appdev/refs/types/krb5_mk_req_checksum_func::doc}\label{appdev/refs/types/krb5_mk_req_checksum_func:krb5-mk-req-checksum-func}\index{krb5\_mk\_req\_checksum\_func (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_mk_req_checksum_func:c.krb5_mk_req_checksum_func}\pysigline{\bfcode{krb5\_mk\_req\_checksum\_func}} +\end{fulllineitems} + + +Type of function used as a callback to generate checksum data for mk\_req. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_mk_req_checksum_func:declaration} +typedef krb5\_error\_code( * krb5\_mk\_req\_checksum\_func)(krb5\_context, krb5\_auth\_context, void *, krb5\_data **) + + +\subsubsection{krb5\_msgtype} +\label{appdev/refs/types/krb5_msgtype:krb5-msgtype}\label{appdev/refs/types/krb5_msgtype::doc}\label{appdev/refs/types/krb5_msgtype:krb5-msgtype-struct}\index{krb5\_msgtype (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_msgtype:c.krb5_msgtype}\pysigline{\bfcode{krb5\_msgtype}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_msgtype:declaration} +typedef unsigned int krb5\_msgtype + + +\subsubsection{krb5\_octet} +\label{appdev/refs/types/krb5_octet:krb5-octet-struct}\label{appdev/refs/types/krb5_octet:krb5-octet}\label{appdev/refs/types/krb5_octet::doc}\index{krb5\_octet (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_octet:c.krb5_octet}\pysigline{\bfcode{krb5\_octet}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_octet:declaration} +typedef uint8\_t krb5\_octet + + +\subsubsection{krb5\_pa\_pac\_req} +\label{appdev/refs/types/krb5_pa_pac_req:krb5-pa-pac-req-struct}\label{appdev/refs/types/krb5_pa_pac_req::doc}\label{appdev/refs/types/krb5_pa_pac_req:krb5-pa-pac-req}\index{krb5\_pa\_pac\_req (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_pac_req:c.krb5_pa_pac_req}\pysigline{\bfcode{krb5\_pa\_pac\_req}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_pa_pac_req:declaration} +typedef struct \_krb5\_pa\_pac\_req krb5\_pa\_pac\_req + + +\paragraph{Members} +\label{appdev/refs/types/krb5_pa_pac_req:members}\index{krb5\_pa\_pac\_req.include\_pac (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_pac_req:c.krb5_pa_pac_req.include_pac}\pysigline{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_pa\_pac\_req.include\_pac}} +TRUE if a PAC should be included in TGS-REP. + +\end{fulllineitems} + + + +\subsubsection{krb5\_pa\_server\_referral\_data} +\label{appdev/refs/types/krb5_pa_server_referral_data:krb5-pa-server-referral-data-struct}\label{appdev/refs/types/krb5_pa_server_referral_data::doc}\label{appdev/refs/types/krb5_pa_server_referral_data:krb5-pa-server-referral-data}\index{krb5\_pa\_server\_referral\_data (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data}\pysigline{\bfcode{krb5\_pa\_server\_referral\_data}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_pa_server_referral_data:declaration} +typedef struct \_krb5\_pa\_server\_referral\_data krb5\_pa\_server\_referral\_data + + +\paragraph{Members} +\label{appdev/refs/types/krb5_pa_server_referral_data:members}\index{krb5\_pa\_server\_referral\_data.referred\_realm (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.referred_realm}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_pa\_server\_referral\_data.referred\_realm}} +\end{fulllineitems} + +\index{krb5\_pa\_server\_referral\_data.true\_principal\_name (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.true_principal_name}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_pa\_server\_referral\_data.true\_principal\_name}} +\end{fulllineitems} + +\index{krb5\_pa\_server\_referral\_data.requested\_principal\_name (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.requested_principal_name}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_pa\_server\_referral\_data.requested\_principal\_name}} +\end{fulllineitems} + +\index{krb5\_pa\_server\_referral\_data.referral\_valid\_until (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.referral_valid_until}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_pa\_server\_referral\_data.referral\_valid\_until}} +\end{fulllineitems} + +\index{krb5\_pa\_server\_referral\_data.rep\_cksum (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.rep_cksum}\pysigline{{\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} \bfcode{krb5\_pa\_server\_referral\_data.rep\_cksum}} +\end{fulllineitems} + + + +\subsubsection{krb5\_pa\_svr\_referral\_data} +\label{appdev/refs/types/krb5_pa_svr_referral_data:krb5-pa-svr-referral-data}\label{appdev/refs/types/krb5_pa_svr_referral_data::doc}\label{appdev/refs/types/krb5_pa_svr_referral_data:krb5-pa-svr-referral-data-struct}\index{krb5\_pa\_svr\_referral\_data (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_svr_referral_data:c.krb5_pa_svr_referral_data}\pysigline{\bfcode{krb5\_pa\_svr\_referral\_data}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_pa_svr_referral_data:declaration} +typedef struct \_krb5\_pa\_svr\_referral\_data krb5\_pa\_svr\_referral\_data + + +\paragraph{Members} +\label{appdev/refs/types/krb5_pa_svr_referral_data:members}\index{krb5\_pa\_svr\_referral\_data.principal (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_svr_referral_data:c.krb5_pa_svr_referral_data.principal}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_pa\_svr\_referral\_data.principal}} +Referred name, only realm is required. + +\end{fulllineitems} + + + +\subsubsection{krb5\_pa\_data} +\label{appdev/refs/types/krb5_pa_data:krb5-pa-data}\label{appdev/refs/types/krb5_pa_data:krb5-pa-data-struct}\label{appdev/refs/types/krb5_pa_data::doc}\index{krb5\_pa\_data (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_data:c.krb5_pa_data}\pysigline{\bfcode{krb5\_pa\_data}} +\end{fulllineitems} + + +Pre-authentication data. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_pa_data:declaration} +typedef struct \_krb5\_pa\_data krb5\_pa\_data + + +\paragraph{Members} +\label{appdev/refs/types/krb5_pa_data:members}\index{krb5\_pa\_data.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_data:c.krb5_pa_data.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_pa\_data.magic}} +\end{fulllineitems} + +\index{krb5\_pa\_data.pa\_type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_data:c.krb5_pa_data.pa_type}\pysigline{{\hyperref[appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype]{krb5\_preauthtype}} \bfcode{krb5\_pa\_data.pa\_type}} +Preauthentication data type. + +\end{fulllineitems} + +\index{krb5\_pa\_data.length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_data:c.krb5_pa_data.length}\pysigline{unsigned int \bfcode{krb5\_pa\_data.length}} +Length of data. + +\end{fulllineitems} + +\index{krb5\_pa\_data.contents (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pa_data:c.krb5_pa_data.contents}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} * \bfcode{krb5\_pa\_data.contents}} +Data. + +\end{fulllineitems} + + + +\subsubsection{krb5\_pointer} +\label{appdev/refs/types/krb5_pointer:krb5-pointer-struct}\label{appdev/refs/types/krb5_pointer:krb5-pointer}\label{appdev/refs/types/krb5_pointer::doc}\index{krb5\_pointer (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pointer:c.krb5_pointer}\pysigline{\bfcode{krb5\_pointer}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_pointer:declaration} +typedef void* krb5\_pointer + + +\subsubsection{krb5\_post\_recv\_fn} +\label{appdev/refs/types/krb5_post_recv_fn:krb5-post-recv-fn}\label{appdev/refs/types/krb5_post_recv_fn:krb5-post-recv-fn-struct}\label{appdev/refs/types/krb5_post_recv_fn::doc}\index{krb5\_post\_recv\_fn (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_post_recv_fn:c.krb5_post_recv_fn}\pysigline{\bfcode{krb5\_post\_recv\_fn}} +\end{fulllineitems} + + +Hook function for inspecting or overriding KDC replies. + +If \emph{code} is non-zero, KDC communication failed and \emph{reply} should be ignored. The hook function may return \emph{code} or a different error code, or may synthesize a reply by setting \emph{new\_reply\_out} and return successfully. +The hook function should use {\hyperref[appdev/refs/api/krb5_copy_data:c.krb5_copy_data]{\code{krb5\_copy\_data()}}} to construct the value for \emph{new\_reply\_out} , to ensure that it can be freed correctly by the library. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_post_recv_fn:declaration} +typedef krb5\_error\_code( * krb5\_post\_recv\_fn)(krb5\_context context, void *data, krb5\_error\_code code, const krb5\_data *realm, const krb5\_data *message, const krb5\_data *reply, krb5\_data **new\_reply\_out) + + +\subsubsection{krb5\_pre\_send\_fn} +\label{appdev/refs/types/krb5_pre_send_fn:krb5-pre-send-fn-struct}\label{appdev/refs/types/krb5_pre_send_fn::doc}\label{appdev/refs/types/krb5_pre_send_fn:krb5-pre-send-fn}\index{krb5\_pre\_send\_fn (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pre_send_fn:c.krb5_pre_send_fn}\pysigline{\bfcode{krb5\_pre\_send\_fn}} +\end{fulllineitems} + + +Hook function for inspecting or modifying messages sent to KDCs. + +If the hook function sets \emph{reply\_out} , \emph{message} will not be sent to the KDC, and the given reply will used instead. +If the hook function sets \emph{new\_message\_out} , the given message will be sent to the KDC in place of \emph{message} . +If the hook function returns successfully without setting either output, \emph{message} will be sent to the KDC normally. +The hook function should use {\hyperref[appdev/refs/api/krb5_copy_data:c.krb5_copy_data]{\code{krb5\_copy\_data()}}} to construct the value for \emph{new\_message\_out} or \emph{reply\_out} , to ensure that it can be freed correctly by the library. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_pre_send_fn:declaration} +typedef krb5\_error\_code( * krb5\_pre\_send\_fn)(krb5\_context context, void *data, const krb5\_data *realm, const krb5\_data *message, krb5\_data **new\_message\_out, krb5\_data **new\_reply\_out) + + +\subsubsection{krb5\_preauthtype} +\label{appdev/refs/types/krb5_preauthtype::doc}\label{appdev/refs/types/krb5_preauthtype:krb5-preauthtype}\label{appdev/refs/types/krb5_preauthtype:krb5-preauthtype-struct}\index{krb5\_preauthtype (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype}\pysigline{\bfcode{krb5\_preauthtype}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_preauthtype:declaration} +typedef krb5\_int32 krb5\_preauthtype + + +\subsubsection{krb5\_principal} +\label{appdev/refs/types/krb5_principal:krb5-principal-struct}\label{appdev/refs/types/krb5_principal:krb5-principal}\label{appdev/refs/types/krb5_principal::doc}\index{krb5\_principal (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_principal:c.krb5_principal}\pysigline{\bfcode{krb5\_principal}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_principal:declaration} +typedef krb5\_principal\_data* krb5\_principal + + +\paragraph{Members} +\label{appdev/refs/types/krb5_principal:members}\index{krb5\_principal.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_principal:c.krb5_principal.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_principal.magic}} +\end{fulllineitems} + +\index{krb5\_principal.realm (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_principal:c.krb5_principal.realm}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_principal.realm}} +\end{fulllineitems} + +\index{krb5\_principal.data (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_principal:c.krb5_principal.data}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_principal.data}} +An array of strings. + +\end{fulllineitems} + +\index{krb5\_principal.length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_principal:c.krb5_principal.length}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_principal.length}} +\end{fulllineitems} + +\index{krb5\_principal.type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_principal:c.krb5_principal.type}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_principal.type}} +\end{fulllineitems} + + + +\subsubsection{krb5\_principal\_data} +\label{appdev/refs/types/krb5_principal_data:krb5-principal-data}\label{appdev/refs/types/krb5_principal_data::doc}\label{appdev/refs/types/krb5_principal_data:krb5-principal-data-struct}\index{krb5\_principal\_data (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_principal_data:c.krb5_principal_data}\pysigline{\bfcode{krb5\_principal\_data}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_principal_data:declaration} +typedef struct krb5\_principal\_data krb5\_principal\_data + + +\paragraph{Members} +\label{appdev/refs/types/krb5_principal_data:members}\index{krb5\_principal\_data.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_principal\_data.magic}} +\end{fulllineitems} + +\index{krb5\_principal\_data.realm (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.realm}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_principal\_data.realm}} +\end{fulllineitems} + +\index{krb5\_principal\_data.data (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.data}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_principal\_data.data}} +An array of strings. + +\end{fulllineitems} + +\index{krb5\_principal\_data.length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.length}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_principal\_data.length}} +\end{fulllineitems} + +\index{krb5\_principal\_data.type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.type}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_principal\_data.type}} +\end{fulllineitems} + + + +\subsubsection{krb5\_const\_principal} +\label{appdev/refs/types/krb5_const_principal:krb5-const-principal-struct}\label{appdev/refs/types/krb5_const_principal:krb5-const-principal}\label{appdev/refs/types/krb5_const_principal::doc}\index{krb5\_const\_principal (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}\pysigline{\bfcode{krb5\_const\_principal}} +\end{fulllineitems} + + +Constant version of {\hyperref[appdev/refs/types/krb5_principal_data:c.krb5_principal_data]{\code{krb5\_principal\_data}}} . + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_const_principal:declaration} +typedef const krb5\_principal\_data* krb5\_const\_principal + + +\paragraph{Members} +\label{appdev/refs/types/krb5_const_principal:members}\index{krb5\_const\_principal.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_const\_principal.magic}} +\end{fulllineitems} + +\index{krb5\_const\_principal.realm (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.realm}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_const\_principal.realm}} +\end{fulllineitems} + +\index{krb5\_const\_principal.data (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.data}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_const\_principal.data}} +An array of strings. + +\end{fulllineitems} + +\index{krb5\_const\_principal.length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.length}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_const\_principal.length}} +\end{fulllineitems} + +\index{krb5\_const\_principal.type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.type}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_const\_principal.type}} +\end{fulllineitems} + + + +\subsubsection{krb5\_prompt} +\label{appdev/refs/types/krb5_prompt:krb5-prompt}\label{appdev/refs/types/krb5_prompt::doc}\label{appdev/refs/types/krb5_prompt:krb5-prompt-struct}\index{krb5\_prompt (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_prompt:c.krb5_prompt}\pysigline{\bfcode{krb5\_prompt}} +\end{fulllineitems} + + +Text for prompt used in prompter callback function. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_prompt:declaration} +typedef struct \_krb5\_prompt krb5\_prompt + + +\paragraph{Members} +\label{appdev/refs/types/krb5_prompt:members}\index{krb5\_prompt.prompt (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_prompt:c.krb5_prompt.prompt}\pysigline{char * \bfcode{krb5\_prompt.prompt}} +The prompt to show to the user. + +\end{fulllineitems} + +\index{krb5\_prompt.hidden (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_prompt:c.krb5_prompt.hidden}\pysigline{int \bfcode{krb5\_prompt.hidden}} +Boolean; informative prompt or hidden (e.g. +PIN) + +\end{fulllineitems} + +\index{krb5\_prompt.reply (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_prompt:c.krb5_prompt.reply}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_prompt.reply}} +Must be allocated before call to prompt routine. + +\end{fulllineitems} + + + +\subsubsection{krb5\_prompt\_type} +\label{appdev/refs/types/krb5_prompt_type:krb5-prompt-type-struct}\label{appdev/refs/types/krb5_prompt_type:krb5-prompt-type}\label{appdev/refs/types/krb5_prompt_type::doc}\index{krb5\_prompt\_type (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_prompt_type:c.krb5_prompt_type}\pysigline{\bfcode{krb5\_prompt\_type}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_prompt_type:declaration} +typedef krb5\_int32 krb5\_prompt\_type + + +\subsubsection{krb5\_prompter\_fct} +\label{appdev/refs/types/krb5_prompter_fct:krb5-prompter-fct-struct}\label{appdev/refs/types/krb5_prompter_fct:krb5-prompter-fct}\label{appdev/refs/types/krb5_prompter_fct::doc}\index{krb5\_prompter\_fct (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_prompter_fct:c.krb5_prompter_fct}\pysigline{\bfcode{krb5\_prompter\_fct}} +\end{fulllineitems} + + +Pointer to a prompter callback function. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_prompter_fct:declaration} +typedef krb5\_error\_code( * krb5\_prompter\_fct)(krb5\_context context, void *data, const char *name, const char *banner, int num\_prompts, krb5\_prompt prompts{[}{]}) + + +\subsubsection{krb5\_pwd\_data} +\label{appdev/refs/types/krb5_pwd_data:krb5-pwd-data}\label{appdev/refs/types/krb5_pwd_data::doc}\label{appdev/refs/types/krb5_pwd_data:krb5-pwd-data-struct}\index{krb5\_pwd\_data (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data}\pysigline{\bfcode{krb5\_pwd\_data}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_pwd_data:declaration} +typedef struct \_krb5\_pwd\_data krb5\_pwd\_data + + +\paragraph{Members} +\label{appdev/refs/types/krb5_pwd_data:members}\index{krb5\_pwd\_data.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_pwd\_data.magic}} +\end{fulllineitems} + +\index{krb5\_pwd\_data.sequence\_count (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data.sequence_count}\pysigline{int \bfcode{krb5\_pwd\_data.sequence\_count}} +\end{fulllineitems} + +\index{krb5\_pwd\_data.element (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data.element}\pysigline{{\hyperref[appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element]{passwd\_phrase\_element}} ** \bfcode{krb5\_pwd\_data.element}} +\end{fulllineitems} + + + +\subsubsection{krb5\_responder\_context} +\label{appdev/refs/types/krb5_responder_context:krb5-responder-context-struct}\label{appdev/refs/types/krb5_responder_context::doc}\label{appdev/refs/types/krb5_responder_context:krb5-responder-context}\index{krb5\_responder\_context (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_context:c.krb5_responder_context}\pysigline{\bfcode{krb5\_responder\_context}} +\end{fulllineitems} + + +A container for a set of preauthentication questions and answers. + +A responder context is supplied by the krb5 authentication system to a {\hyperref[appdev/refs/types/krb5_responder_fn:c.krb5_responder_fn]{\code{krb5\_responder\_fn}}} callback. It contains a list of questions and can receive answers. Questions contained in a responder context can be listed using {\hyperref[appdev/refs/api/krb5_responder_list_questions:c.krb5_responder_list_questions]{\code{krb5\_responder\_list\_questions()}}} , retrieved using {\hyperref[appdev/refs/api/krb5_responder_get_challenge:c.krb5_responder_get_challenge]{\code{krb5\_responder\_get\_challenge()}}} , or answered using {\hyperref[appdev/refs/api/krb5_responder_set_answer:c.krb5_responder_set_answer]{\code{krb5\_responder\_set\_answer()}}} . The form of a question's challenge and answer depend on the question name. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_responder_context:declaration} +typedef struct krb5\_responder\_context\_st* krb5\_responder\_context + + +\subsubsection{krb5\_responder\_fn} +\label{appdev/refs/types/krb5_responder_fn:krb5-responder-fn-struct}\label{appdev/refs/types/krb5_responder_fn::doc}\label{appdev/refs/types/krb5_responder_fn:krb5-responder-fn}\index{krb5\_responder\_fn (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_fn:c.krb5_responder_fn}\pysigline{\bfcode{krb5\_responder\_fn}} +\end{fulllineitems} + + +Responder function for an initial credential exchange. + +If a required question is unanswered, the prompter may be called. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_responder_fn:declaration} +typedef krb5\_error\_code( * krb5\_responder\_fn)(krb5\_context ctx, void *data, krb5\_responder\_context rctx) + + +\subsubsection{krb5\_responder\_otp\_challenge} +\label{appdev/refs/types/krb5_responder_otp_challenge:krb5-responder-otp-challenge}\label{appdev/refs/types/krb5_responder_otp_challenge:krb5-responder-otp-challenge-struct}\label{appdev/refs/types/krb5_responder_otp_challenge::doc}\index{krb5\_responder\_otp\_challenge (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge}\pysigline{\bfcode{krb5\_responder\_otp\_challenge}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_responder_otp_challenge:declaration} +typedef struct \_krb5\_responder\_otp\_challenge krb5\_responder\_otp\_challenge + + +\paragraph{Members} +\label{appdev/refs/types/krb5_responder_otp_challenge:members}\index{krb5\_responder\_otp\_challenge.service (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge.service}\pysigline{char * \bfcode{krb5\_responder\_otp\_challenge.service}} +\end{fulllineitems} + +\index{krb5\_responder\_otp\_challenge.tokeninfo (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge.tokeninfo}\pysigline{{\hyperref[appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo]{krb5\_responder\_otp\_tokeninfo}} ** \bfcode{krb5\_responder\_otp\_challenge.tokeninfo}} +\end{fulllineitems} + + + +\subsubsection{krb5\_responder\_otp\_tokeninfo} +\label{appdev/refs/types/krb5_responder_otp_tokeninfo:krb5-responder-otp-tokeninfo}\label{appdev/refs/types/krb5_responder_otp_tokeninfo:krb5-responder-otp-tokeninfo-struct}\label{appdev/refs/types/krb5_responder_otp_tokeninfo::doc}\index{krb5\_responder\_otp\_tokeninfo (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo}\pysigline{\bfcode{krb5\_responder\_otp\_tokeninfo}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_responder_otp_tokeninfo:declaration} +typedef struct \_krb5\_responder\_otp\_tokeninfo krb5\_responder\_otp\_tokeninfo + + +\paragraph{Members} +\label{appdev/refs/types/krb5_responder_otp_tokeninfo:members}\index{krb5\_responder\_otp\_tokeninfo.flags (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_responder\_otp\_tokeninfo.flags}} +\end{fulllineitems} + +\index{krb5\_responder\_otp\_tokeninfo.format (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.format}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_responder\_otp\_tokeninfo.format}} +\end{fulllineitems} + +\index{krb5\_responder\_otp\_tokeninfo.length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.length}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_responder\_otp\_tokeninfo.length}} +\end{fulllineitems} + +\index{krb5\_responder\_otp\_tokeninfo.vendor (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.vendor}\pysigline{char * \bfcode{krb5\_responder\_otp\_tokeninfo.vendor}} +\end{fulllineitems} + +\index{krb5\_responder\_otp\_tokeninfo.challenge (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.challenge}\pysigline{char * \bfcode{krb5\_responder\_otp\_tokeninfo.challenge}} +\end{fulllineitems} + +\index{krb5\_responder\_otp\_tokeninfo.token\_id (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.token_id}\pysigline{char * \bfcode{krb5\_responder\_otp\_tokeninfo.token\_id}} +\end{fulllineitems} + +\index{krb5\_responder\_otp\_tokeninfo.alg\_id (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.alg_id}\pysigline{char * \bfcode{krb5\_responder\_otp\_tokeninfo.alg\_id}} +\end{fulllineitems} + + + +\subsubsection{krb5\_responder\_pkinit\_challenge} +\label{appdev/refs/types/krb5_responder_pkinit_challenge:krb5-responder-pkinit-challenge-struct}\label{appdev/refs/types/krb5_responder_pkinit_challenge::doc}\label{appdev/refs/types/krb5_responder_pkinit_challenge:krb5-responder-pkinit-challenge}\index{krb5\_responder\_pkinit\_challenge (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_pkinit_challenge:c.krb5_responder_pkinit_challenge}\pysigline{\bfcode{krb5\_responder\_pkinit\_challenge}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_responder_pkinit_challenge:declaration} +typedef struct \_krb5\_responder\_pkinit\_challenge krb5\_responder\_pkinit\_challenge + + +\paragraph{Members} +\label{appdev/refs/types/krb5_responder_pkinit_challenge:members}\index{krb5\_responder\_pkinit\_challenge.identities (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_pkinit_challenge:c.krb5_responder_pkinit_challenge.identities}\pysigline{{\hyperref[appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity]{krb5\_responder\_pkinit\_identity}} ** \bfcode{krb5\_responder\_pkinit\_challenge.identities}} +\end{fulllineitems} + + + +\subsubsection{krb5\_responder\_pkinit\_identity} +\label{appdev/refs/types/krb5_responder_pkinit_identity:krb5-responder-pkinit-identity}\label{appdev/refs/types/krb5_responder_pkinit_identity::doc}\label{appdev/refs/types/krb5_responder_pkinit_identity:krb5-responder-pkinit-identity-struct}\index{krb5\_responder\_pkinit\_identity (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity}\pysigline{\bfcode{krb5\_responder\_pkinit\_identity}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_responder_pkinit_identity:declaration} +typedef struct \_krb5\_responder\_pkinit\_identity krb5\_responder\_pkinit\_identity + + +\paragraph{Members} +\label{appdev/refs/types/krb5_responder_pkinit_identity:members}\index{krb5\_responder\_pkinit\_identity.identity (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity.identity}\pysigline{char * \bfcode{krb5\_responder\_pkinit\_identity.identity}} +\end{fulllineitems} + +\index{krb5\_responder\_pkinit\_identity.token\_flags (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity.token_flags}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_responder\_pkinit\_identity.token\_flags}} +\end{fulllineitems} + + + +\subsubsection{krb5\_response} +\label{appdev/refs/types/krb5_response::doc}\label{appdev/refs/types/krb5_response:krb5-response}\label{appdev/refs/types/krb5_response:krb5-response-struct}\index{krb5\_response (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_response:c.krb5_response}\pysigline{\bfcode{krb5\_response}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_response:declaration} +typedef struct \_krb5\_response krb5\_response + + +\paragraph{Members} +\label{appdev/refs/types/krb5_response:members}\index{krb5\_response.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_response:c.krb5_response.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_response.magic}} +\end{fulllineitems} + +\index{krb5\_response.message\_type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_response:c.krb5_response.message_type}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} \bfcode{krb5\_response.message\_type}} +\end{fulllineitems} + +\index{krb5\_response.response (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_response:c.krb5_response.response}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_response.response}} +\end{fulllineitems} + +\index{krb5\_response.expected\_nonce (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_response:c.krb5_response.expected_nonce}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_response.expected\_nonce}} +\end{fulllineitems} + +\index{krb5\_response.request\_time (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_response:c.krb5_response.request_time}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_response.request\_time}} +\end{fulllineitems} + + + +\subsubsection{krb5\_replay\_data} +\label{appdev/refs/types/krb5_replay_data:krb5-replay-data}\label{appdev/refs/types/krb5_replay_data:krb5-replay-data-struct}\label{appdev/refs/types/krb5_replay_data::doc}\index{krb5\_replay\_data (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_replay_data:c.krb5_replay_data}\pysigline{\bfcode{krb5\_replay\_data}} +\end{fulllineitems} + + +Replay data. + +Sequence number and timestamp information output by {\hyperref[appdev/refs/api/krb5_rd_priv:c.krb5_rd_priv]{\code{krb5\_rd\_priv()}}} and {\hyperref[appdev/refs/api/krb5_rd_safe:c.krb5_rd_safe]{\code{krb5\_rd\_safe()}}} . + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_replay_data:declaration} +typedef struct krb5\_replay\_data krb5\_replay\_data + + +\paragraph{Members} +\label{appdev/refs/types/krb5_replay_data:members}\index{krb5\_replay\_data.timestamp (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_replay_data:c.krb5_replay_data.timestamp}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_replay\_data.timestamp}} +Timestamp, seconds portion. + +\end{fulllineitems} + +\index{krb5\_replay\_data.usec (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_replay_data:c.krb5_replay_data.usec}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_replay\_data.usec}} +Timestamp, microseconds portion. + +\end{fulllineitems} + +\index{krb5\_replay\_data.seq (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_replay_data:c.krb5_replay_data.seq}\pysigline{{\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}} \bfcode{krb5\_replay\_data.seq}} +Sequence number. + +\end{fulllineitems} + + + +\subsubsection{krb5\_ticket} +\label{appdev/refs/types/krb5_ticket:krb5-ticket}\label{appdev/refs/types/krb5_ticket::doc}\label{appdev/refs/types/krb5_ticket:krb5-ticket-struct}\index{krb5\_ticket (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ticket:c.krb5_ticket}\pysigline{\bfcode{krb5\_ticket}} +\end{fulllineitems} + + +Ticket structure. + +The C representation of the ticket message, with a pointer to the C representation of the encrypted part. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_ticket:declaration} +typedef struct \_krb5\_ticket krb5\_ticket + + +\paragraph{Members} +\label{appdev/refs/types/krb5_ticket:members}\index{krb5\_ticket.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ticket:c.krb5_ticket.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_ticket.magic}} +\end{fulllineitems} + +\index{krb5\_ticket.server (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ticket:c.krb5_ticket.server}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_ticket.server}} +server name/realm + +\end{fulllineitems} + +\index{krb5\_ticket.enc\_part (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ticket:c.krb5_ticket.enc_part}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} \bfcode{krb5\_ticket.enc\_part}} +encryption type, kvno, encrypted encoding + +\end{fulllineitems} + +\index{krb5\_ticket.enc\_part2 (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ticket:c.krb5_ticket.enc_part2}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part]{krb5\_enc\_tkt\_part}} * \bfcode{krb5\_ticket.enc\_part2}} +ptr to decrypted version, if available + +\end{fulllineitems} + + + +\subsubsection{krb5\_ticket\_times} +\label{appdev/refs/types/krb5_ticket_times:krb5-ticket-times}\label{appdev/refs/types/krb5_ticket_times:krb5-ticket-times-struct}\label{appdev/refs/types/krb5_ticket_times::doc}\index{krb5\_ticket\_times (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times}\pysigline{\bfcode{krb5\_ticket\_times}} +\end{fulllineitems} + + +Ticket start time, end time, and renewal duration. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_ticket_times:declaration} +typedef struct \_krb5\_ticket\_times krb5\_ticket\_times + + +\paragraph{Members} +\label{appdev/refs/types/krb5_ticket_times:members}\index{krb5\_ticket\_times.authtime (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times.authtime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_ticket\_times.authtime}} +Time at which KDC issued the initial ticket that corresponds to this ticket. + +\end{fulllineitems} + +\index{krb5\_ticket\_times.starttime (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times.starttime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_ticket\_times.starttime}} +optional in ticket, if not present, use \emph{authtime} + +\end{fulllineitems} + +\index{krb5\_ticket\_times.endtime (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times.endtime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_ticket\_times.endtime}} +Ticket expiration time. + +\end{fulllineitems} + +\index{krb5\_ticket\_times.renew\_till (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times.renew_till}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_ticket\_times.renew\_till}} +Latest time at which renewal of ticket can be valid. + +\end{fulllineitems} + + + +\subsubsection{krb5\_timestamp} +\label{appdev/refs/types/krb5_timestamp:krb5-timestamp-struct}\label{appdev/refs/types/krb5_timestamp::doc}\label{appdev/refs/types/krb5_timestamp:krb5-timestamp}\index{krb5\_timestamp (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}\pysigline{\bfcode{krb5\_timestamp}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_timestamp:declaration} +typedef krb5\_int32 krb5\_timestamp + + +\subsubsection{krb5\_tkt\_authent} +\label{appdev/refs/types/krb5_tkt_authent:krb5-tkt-authent}\label{appdev/refs/types/krb5_tkt_authent:krb5-tkt-authent-struct}\label{appdev/refs/types/krb5_tkt_authent::doc}\index{krb5\_tkt\_authent (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent}\pysigline{\bfcode{krb5\_tkt\_authent}} +\end{fulllineitems} + + +Ticket authentication data. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_tkt_authent:declaration} +typedef struct \_krb5\_tkt\_authent krb5\_tkt\_authent + + +\paragraph{Members} +\label{appdev/refs/types/krb5_tkt_authent:members}\index{krb5\_tkt\_authent.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_tkt\_authent.magic}} +\end{fulllineitems} + +\index{krb5\_tkt\_authent.ticket (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent.ticket}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} * \bfcode{krb5\_tkt\_authent.ticket}} +\end{fulllineitems} + +\index{krb5\_tkt\_authent.authenticator (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent.authenticator}\pysigline{{\hyperref[appdev/refs/types/krb5_authenticator:c.krb5_authenticator]{krb5\_authenticator}} * \bfcode{krb5\_tkt\_authent.authenticator}} +\end{fulllineitems} + +\index{krb5\_tkt\_authent.ap\_options (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent.ap_options}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_tkt\_authent.ap\_options}} +\end{fulllineitems} + + + +\subsubsection{krb5\_trace\_callback} +\label{appdev/refs/types/krb5_trace_callback:krb5-trace-callback-struct}\label{appdev/refs/types/krb5_trace_callback:krb5-trace-callback}\label{appdev/refs/types/krb5_trace_callback::doc}\index{krb5\_trace\_callback (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_trace_callback:c.krb5_trace_callback}\pysigline{\bfcode{krb5\_trace\_callback}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_trace_callback:declaration} +typedef void( * krb5\_trace\_callback)(krb5\_context context, const krb5\_trace\_info *info, void *cb\_data) + + +\subsubsection{krb5\_trace\_info} +\label{appdev/refs/types/krb5_trace_info:krb5-trace-info-struct}\label{appdev/refs/types/krb5_trace_info::doc}\label{appdev/refs/types/krb5_trace_info:krb5-trace-info}\index{krb5\_trace\_info (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_trace_info:c.krb5_trace_info}\pysigline{\bfcode{krb5\_trace\_info}} +\end{fulllineitems} + + +A wrapper for passing information to a \emph{krb5\_trace\_callback} . + +Currently, it only contains the formatted message as determined the the format string and arguments of the tracing macro, but it may be extended to contain more fields in the future. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_trace_info:declaration} +typedef struct \_krb5\_trace\_info krb5\_trace\_info + + +\paragraph{Members} +\label{appdev/refs/types/krb5_trace_info:members}\index{krb5\_trace\_info.message (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_trace_info:c.krb5_trace_info.message}\pysigline{const char * \bfcode{krb5\_trace\_info.message}} +\end{fulllineitems} + + + +\subsubsection{krb5\_transited} +\label{appdev/refs/types/krb5_transited:krb5-transited-struct}\label{appdev/refs/types/krb5_transited::doc}\label{appdev/refs/types/krb5_transited:krb5-transited}\index{krb5\_transited (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_transited:c.krb5_transited}\pysigline{\bfcode{krb5\_transited}} +\end{fulllineitems} + + +Structure for transited encoding. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_transited:declaration} +typedef struct \_krb5\_transited krb5\_transited + + +\paragraph{Members} +\label{appdev/refs/types/krb5_transited:members}\index{krb5\_transited.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_transited:c.krb5_transited.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_transited.magic}} +\end{fulllineitems} + +\index{krb5\_transited.tr\_type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_transited:c.krb5_transited.tr_type}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} \bfcode{krb5\_transited.tr\_type}} +Transited encoding type. + +\end{fulllineitems} + +\index{krb5\_transited.tr\_contents (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_transited:c.krb5_transited.tr_contents}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_transited.tr\_contents}} +Contents. + +\end{fulllineitems} + + + +\subsubsection{krb5\_typed\_data} +\label{appdev/refs/types/krb5_typed_data:krb5-typed-data-struct}\label{appdev/refs/types/krb5_typed_data::doc}\label{appdev/refs/types/krb5_typed_data:krb5-typed-data}\index{krb5\_typed\_data (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_typed_data:c.krb5_typed_data}\pysigline{\bfcode{krb5\_typed\_data}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_typed_data:declaration} +typedef struct \_krb5\_typed\_data krb5\_typed\_data + + +\paragraph{Members} +\label{appdev/refs/types/krb5_typed_data:members}\index{krb5\_typed\_data.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_typed_data:c.krb5_typed_data.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_typed\_data.magic}} +\end{fulllineitems} + +\index{krb5\_typed\_data.type (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_typed_data:c.krb5_typed_data.type}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_typed\_data.type}} +\end{fulllineitems} + +\index{krb5\_typed\_data.length (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_typed_data:c.krb5_typed_data.length}\pysigline{unsigned int \bfcode{krb5\_typed\_data.length}} +\end{fulllineitems} + +\index{krb5\_typed\_data.data (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_typed_data:c.krb5_typed_data.data}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} * \bfcode{krb5\_typed\_data.data}} +\end{fulllineitems} + + + +\subsubsection{krb5\_ui\_2} +\label{appdev/refs/types/krb5_ui_2:krb5-ui-2-struct}\label{appdev/refs/types/krb5_ui_2::doc}\label{appdev/refs/types/krb5_ui_2:krb5-ui-2}\index{krb5\_ui\_2 (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ui_2:c.krb5_ui_2}\pysigline{\bfcode{krb5\_ui\_2}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_ui_2:declaration} +typedef uint16\_t krb5\_ui\_2 + + +\subsubsection{krb5\_ui\_4} +\label{appdev/refs/types/krb5_ui_4:krb5-ui-4}\label{appdev/refs/types/krb5_ui_4:krb5-ui-4-struct}\label{appdev/refs/types/krb5_ui_4::doc}\index{krb5\_ui\_4 (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ui_4:c.krb5_ui_4}\pysigline{\bfcode{krb5\_ui\_4}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_ui_4:declaration} +typedef uint32\_t krb5\_ui\_4 + + +\subsubsection{krb5\_verify\_init\_creds\_opt} +\label{appdev/refs/types/krb5_verify_init_creds_opt:krb5-verify-init-creds-opt-struct}\label{appdev/refs/types/krb5_verify_init_creds_opt::doc}\label{appdev/refs/types/krb5_verify_init_creds_opt:krb5-verify-init-creds-opt}\index{krb5\_verify\_init\_creds\_opt (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt}\pysigline{\bfcode{krb5\_verify\_init\_creds\_opt}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_verify_init_creds_opt:declaration} +typedef struct \_krb5\_verify\_init\_creds\_opt krb5\_verify\_init\_creds\_opt + + +\paragraph{Members} +\label{appdev/refs/types/krb5_verify_init_creds_opt:members}\index{krb5\_verify\_init\_creds\_opt.flags (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_verify\_init\_creds\_opt.flags}} +\end{fulllineitems} + +\index{krb5\_verify\_init\_creds\_opt.ap\_req\_nofail (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt.ap_req_nofail}\pysigline{int \bfcode{krb5\_verify\_init\_creds\_opt.ap\_req\_nofail}} +boolean + +\end{fulllineitems} + + + +\subsubsection{passwd\_phrase\_element} +\label{appdev/refs/types/passwd_phrase_element:passwd-phrase-element-struct}\label{appdev/refs/types/passwd_phrase_element::doc}\label{appdev/refs/types/passwd_phrase_element:passwd-phrase-element}\index{passwd\_phrase\_element (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element}\pysigline{\bfcode{passwd\_phrase\_element}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/passwd_phrase_element:declaration} +typedef struct \_passwd\_phrase\_element passwd\_phrase\_element + + +\paragraph{Members} +\label{appdev/refs/types/passwd_phrase_element:members}\index{passwd\_phrase\_element.magic (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{passwd\_phrase\_element.magic}} +\end{fulllineitems} + +\index{passwd\_phrase\_element.passwd (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element.passwd}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{passwd\_phrase\_element.passwd}} +\end{fulllineitems} + +\index{passwd\_phrase\_element.phrase (C member)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element.phrase}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{passwd\_phrase\_element.phrase}} +\end{fulllineitems} + + + +\subsection{Internal} +\label{appdev/refs/types/index:internal} + +\subsubsection{krb5\_auth\_context} +\label{appdev/refs/types/krb5_auth_context:krb5-auth-context}\label{appdev/refs/types/krb5_auth_context::doc}\label{appdev/refs/types/krb5_auth_context:krb5-auth-context-struct}\index{krb5\_auth\_context (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}\pysigline{\bfcode{krb5\_auth\_context}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_auth_context:declaration} +typedef struct \_krb5\_auth\_context* krb5\_auth\_context + + +\subsubsection{krb5\_cksumtype} +\label{appdev/refs/types/krb5_cksumtype:krb5-cksumtype}\label{appdev/refs/types/krb5_cksumtype:krb5-cksumtype-struct}\label{appdev/refs/types/krb5_cksumtype::doc}\index{krb5\_cksumtype (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}\pysigline{\bfcode{krb5\_cksumtype}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_cksumtype:declaration} +typedef krb5\_int32 krb5\_cksumtype + + +\subsubsection{krb5\_context} +\label{appdev/refs/types/krb5_context:krb5-context}\label{appdev/refs/types/krb5_context:krb5-context-struct}\label{appdev/refs/types/krb5_context::doc}\index{krb5\_context (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_context:c.krb5_context}\pysigline{\bfcode{krb5\_context}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_context:declaration} +typedef struct \_krb5\_context* krb5\_context + + +\subsubsection{krb5\_cc\_cursor} +\label{appdev/refs/types/krb5_cc_cursor:krb5-cc-cursor-struct}\label{appdev/refs/types/krb5_cc_cursor:krb5-cc-cursor}\label{appdev/refs/types/krb5_cc_cursor::doc}\index{krb5\_cc\_cursor (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cc_cursor:c.krb5_cc_cursor}\pysigline{\bfcode{krb5\_cc\_cursor}} +\end{fulllineitems} + + +Cursor for sequential lookup. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_cc_cursor:declaration} +typedef krb5\_pointer krb5\_cc\_cursor + + +\subsubsection{krb5\_ccache} +\label{appdev/refs/types/krb5_ccache:krb5-ccache-struct}\label{appdev/refs/types/krb5_ccache::doc}\label{appdev/refs/types/krb5_ccache:krb5-ccache}\index{krb5\_ccache (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_ccache:c.krb5_ccache}\pysigline{\bfcode{krb5\_ccache}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_ccache:declaration} +typedef struct \_krb5\_ccache* krb5\_ccache + + +\subsubsection{krb5\_cccol\_cursor} +\label{appdev/refs/types/krb5_cccol_cursor:krb5-cccol-cursor-struct}\label{appdev/refs/types/krb5_cccol_cursor::doc}\label{appdev/refs/types/krb5_cccol_cursor:krb5-cccol-cursor}\index{krb5\_cccol\_cursor (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_cccol_cursor:c.krb5_cccol_cursor}\pysigline{\bfcode{krb5\_cccol\_cursor}} +\end{fulllineitems} + + +Cursor for iterating over all ccaches. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_cccol_cursor:declaration} +typedef struct \_krb5\_cccol\_cursor* krb5\_cccol\_cursor + + +\subsubsection{krb5\_init\_creds\_context} +\label{appdev/refs/types/krb5_init_creds_context:krb5-init-creds-context}\label{appdev/refs/types/krb5_init_creds_context::doc}\label{appdev/refs/types/krb5_init_creds_context:krb5-init-creds-context-struct}\index{krb5\_init\_creds\_context (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context}\pysigline{\bfcode{krb5\_init\_creds\_context}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_init_creds_context:declaration} +typedef struct \_krb5\_init\_creds\_context* krb5\_init\_creds\_context + + +\subsubsection{krb5\_key} +\label{appdev/refs/types/krb5_key::doc}\label{appdev/refs/types/krb5_key:krb5-key}\label{appdev/refs/types/krb5_key:krb5-key-struct}\index{krb5\_key (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_key:c.krb5_key}\pysigline{\bfcode{krb5\_key}} +\end{fulllineitems} + + +Opaque identifier for a key. + +Use with the krb5\_k APIs for better performance for repeated operations with the same key and usage. Key identifiers must not be used simultaneously within multiple threads, as they may contain mutable internal state and are not mutex-protected. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_key:declaration} +typedef struct krb5\_key\_st* krb5\_key + + +\subsubsection{krb5\_keytab} +\label{appdev/refs/types/krb5_keytab:krb5-keytab}\label{appdev/refs/types/krb5_keytab::doc}\label{appdev/refs/types/krb5_keytab:krb5-keytab-struct}\index{krb5\_keytab (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_keytab:c.krb5_keytab}\pysigline{\bfcode{krb5\_keytab}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_keytab:declaration} +typedef struct \_krb5\_kt* krb5\_keytab + + +\subsubsection{krb5\_pac} +\label{appdev/refs/types/krb5_pac:krb5-pac-struct}\label{appdev/refs/types/krb5_pac:krb5-pac}\label{appdev/refs/types/krb5_pac::doc}\index{krb5\_pac (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_pac:c.krb5_pac}\pysigline{\bfcode{krb5\_pac}} +\end{fulllineitems} + + +PAC data structure to convey authorization information. + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_pac:declaration} +typedef struct krb5\_pac\_data* krb5\_pac + + +\subsubsection{krb5\_rcache} +\label{appdev/refs/types/krb5_rcache:krb5-rcache-struct}\label{appdev/refs/types/krb5_rcache::doc}\label{appdev/refs/types/krb5_rcache:krb5-rcache}\index{krb5\_rcache (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_rcache:c.krb5_rcache}\pysigline{\bfcode{krb5\_rcache}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_rcache:declaration} +typedef struct krb5\_rc\_st* krb5\_rcache + + +\subsubsection{krb5\_tkt\_creds\_context} +\label{appdev/refs/types/krb5_tkt_creds_context::doc}\label{appdev/refs/types/krb5_tkt_creds_context:krb5-tkt-creds-context}\label{appdev/refs/types/krb5_tkt_creds_context:krb5-tkt-creds-context-struct}\index{krb5\_tkt\_creds\_context (C type)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context}\pysigline{\bfcode{krb5\_tkt\_creds\_context}} +\end{fulllineitems} + + + +\paragraph{Declaration} +\label{appdev/refs/types/krb5_tkt_creds_context:declaration} +typedef struct \_krb5\_tkt\_creds\_context* krb5\_tkt\_creds\_context + + +\section{krb5 simple macros} +\label{appdev/refs/macros/index:krb5-simple-macros}\label{appdev/refs/macros/index::doc} + +\subsection{Public} +\label{appdev/refs/macros/index:public} + +\subsubsection{ADDRTYPE\_ADDRPORT} +\label{appdev/refs/macros/ADDRTYPE_ADDRPORT:addrtype-addrport-data}\label{appdev/refs/macros/ADDRTYPE_ADDRPORT::doc}\label{appdev/refs/macros/ADDRTYPE_ADDRPORT:addrtype-addrport}\index{ADDRTYPE\_ADDRPORT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ADDRTYPE_ADDRPORT:ADDRTYPE_ADDRPORT}\pysigline{\bfcode{ADDRTYPE\_ADDRPORT}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ADDRTYPE\_ADDRPORT} + & +\code{0x0100} +\\ +\hline\end{tabulary} + + + +\subsubsection{ADDRTYPE\_CHAOS} +\label{appdev/refs/macros/ADDRTYPE_CHAOS:addrtype-chaos}\label{appdev/refs/macros/ADDRTYPE_CHAOS:addrtype-chaos-data}\label{appdev/refs/macros/ADDRTYPE_CHAOS::doc}\index{ADDRTYPE\_CHAOS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ADDRTYPE_CHAOS:ADDRTYPE_CHAOS}\pysigline{\bfcode{ADDRTYPE\_CHAOS}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ADDRTYPE\_CHAOS} + & +\code{0x0005} +\\ +\hline\end{tabulary} + + + +\subsubsection{ADDRTYPE\_DDP} +\label{appdev/refs/macros/ADDRTYPE_DDP:addrtype-ddp-data}\label{appdev/refs/macros/ADDRTYPE_DDP::doc}\label{appdev/refs/macros/ADDRTYPE_DDP:addrtype-ddp}\index{ADDRTYPE\_DDP (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ADDRTYPE_DDP:ADDRTYPE_DDP}\pysigline{\bfcode{ADDRTYPE\_DDP}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ADDRTYPE\_DDP} + & +\code{0x0010} +\\ +\hline\end{tabulary} + + + +\subsubsection{ADDRTYPE\_INET} +\label{appdev/refs/macros/ADDRTYPE_INET:addrtype-inet}\label{appdev/refs/macros/ADDRTYPE_INET:addrtype-inet-data}\label{appdev/refs/macros/ADDRTYPE_INET::doc}\index{ADDRTYPE\_INET (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ADDRTYPE_INET:ADDRTYPE_INET}\pysigline{\bfcode{ADDRTYPE\_INET}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ADDRTYPE\_INET} + & +\code{0x0002} +\\ +\hline\end{tabulary} + + + +\subsubsection{ADDRTYPE\_INET6} +\label{appdev/refs/macros/ADDRTYPE_INET6:addrtype-inet6-data}\label{appdev/refs/macros/ADDRTYPE_INET6:addrtype-inet6}\label{appdev/refs/macros/ADDRTYPE_INET6::doc}\index{ADDRTYPE\_INET6 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ADDRTYPE_INET6:ADDRTYPE_INET6}\pysigline{\bfcode{ADDRTYPE\_INET6}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ADDRTYPE\_INET6} + & +\code{0x0018} +\\ +\hline\end{tabulary} + + + +\subsubsection{ADDRTYPE\_IPPORT} +\label{appdev/refs/macros/ADDRTYPE_IPPORT:addrtype-ipport}\label{appdev/refs/macros/ADDRTYPE_IPPORT::doc}\label{appdev/refs/macros/ADDRTYPE_IPPORT:addrtype-ipport-data}\index{ADDRTYPE\_IPPORT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ADDRTYPE_IPPORT:ADDRTYPE_IPPORT}\pysigline{\bfcode{ADDRTYPE\_IPPORT}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ADDRTYPE\_IPPORT} + & +\code{0x0101} +\\ +\hline\end{tabulary} + + + +\subsubsection{ADDRTYPE\_ISO} +\label{appdev/refs/macros/ADDRTYPE_ISO::doc}\label{appdev/refs/macros/ADDRTYPE_ISO:addrtype-iso}\label{appdev/refs/macros/ADDRTYPE_ISO:addrtype-iso-data}\index{ADDRTYPE\_ISO (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ADDRTYPE_ISO:ADDRTYPE_ISO}\pysigline{\bfcode{ADDRTYPE\_ISO}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ADDRTYPE\_ISO} + & +\code{0x0007} +\\ +\hline\end{tabulary} + + + +\subsubsection{ADDRTYPE\_IS\_LOCAL} +\label{appdev/refs/macros/ADDRTYPE_IS_LOCAL::doc}\label{appdev/refs/macros/ADDRTYPE_IS_LOCAL:addrtype-is-local}\label{appdev/refs/macros/ADDRTYPE_IS_LOCAL:addrtype-is-local-data}\index{ADDRTYPE\_IS\_LOCAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ADDRTYPE_IS_LOCAL:ADDRTYPE_IS_LOCAL}\pysigline{\bfcode{ADDRTYPE\_IS\_LOCAL}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ADDRTYPE\_IS\_LOCAL (addrtype)} + & +\code{(addrtype \& 0x8000)} +\\ +\hline\end{tabulary} + + + +\subsubsection{ADDRTYPE\_NETBIOS} +\label{appdev/refs/macros/ADDRTYPE_NETBIOS:addrtype-netbios}\label{appdev/refs/macros/ADDRTYPE_NETBIOS::doc}\label{appdev/refs/macros/ADDRTYPE_NETBIOS:addrtype-netbios-data}\index{ADDRTYPE\_NETBIOS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ADDRTYPE_NETBIOS:ADDRTYPE_NETBIOS}\pysigline{\bfcode{ADDRTYPE\_NETBIOS}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ADDRTYPE\_NETBIOS} + & +\code{0x0014} +\\ +\hline\end{tabulary} + + + +\subsubsection{ADDRTYPE\_XNS} +\label{appdev/refs/macros/ADDRTYPE_XNS::doc}\label{appdev/refs/macros/ADDRTYPE_XNS:addrtype-xns-data}\label{appdev/refs/macros/ADDRTYPE_XNS:addrtype-xns}\index{ADDRTYPE\_XNS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ADDRTYPE_XNS:ADDRTYPE_XNS}\pysigline{\bfcode{ADDRTYPE\_XNS}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ADDRTYPE\_XNS} + & +\code{0x0006} +\\ +\hline\end{tabulary} + + + +\subsubsection{AD\_TYPE\_EXTERNAL} +\label{appdev/refs/macros/AD_TYPE_EXTERNAL:ad-type-external-data}\label{appdev/refs/macros/AD_TYPE_EXTERNAL::doc}\label{appdev/refs/macros/AD_TYPE_EXTERNAL:ad-type-external}\index{AD\_TYPE\_EXTERNAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/AD_TYPE_EXTERNAL:AD_TYPE_EXTERNAL}\pysigline{\bfcode{AD\_TYPE\_EXTERNAL}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{AD\_TYPE\_EXTERNAL} + & +\code{0x4000} +\\ +\hline\end{tabulary} + + + +\subsubsection{AD\_TYPE\_FIELD\_TYPE\_MASK} +\label{appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK:ad-type-field-type-mask}\label{appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK::doc}\label{appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK:ad-type-field-type-mask-data}\index{AD\_TYPE\_FIELD\_TYPE\_MASK (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK:AD_TYPE_FIELD_TYPE_MASK}\pysigline{\bfcode{AD\_TYPE\_FIELD\_TYPE\_MASK}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{AD\_TYPE\_FIELD\_TYPE\_MASK} + & +\code{0x1fff} +\\ +\hline\end{tabulary} + + + +\subsubsection{AD\_TYPE\_REGISTERED} +\label{appdev/refs/macros/AD_TYPE_REGISTERED:ad-type-registered-data}\label{appdev/refs/macros/AD_TYPE_REGISTERED:ad-type-registered}\label{appdev/refs/macros/AD_TYPE_REGISTERED::doc}\index{AD\_TYPE\_REGISTERED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/AD_TYPE_REGISTERED:AD_TYPE_REGISTERED}\pysigline{\bfcode{AD\_TYPE\_REGISTERED}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{AD\_TYPE\_REGISTERED} + & +\code{0x2000} +\\ +\hline\end{tabulary} + + + +\subsubsection{AD\_TYPE\_RESERVED} +\label{appdev/refs/macros/AD_TYPE_RESERVED::doc}\label{appdev/refs/macros/AD_TYPE_RESERVED:ad-type-reserved}\label{appdev/refs/macros/AD_TYPE_RESERVED:ad-type-reserved-data}\index{AD\_TYPE\_RESERVED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/AD_TYPE_RESERVED:AD_TYPE_RESERVED}\pysigline{\bfcode{AD\_TYPE\_RESERVED}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{AD\_TYPE\_RESERVED} + & +\code{0x8000} +\\ +\hline\end{tabulary} + + + +\subsubsection{AP\_OPTS\_ETYPE\_NEGOTIATION} +\label{appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION::doc}\label{appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION:ap-opts-etype-negotiation}\label{appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION:ap-opts-etype-negotiation-data}\index{AP\_OPTS\_ETYPE\_NEGOTIATION (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION:AP_OPTS_ETYPE_NEGOTIATION}\pysigline{\bfcode{AP\_OPTS\_ETYPE\_NEGOTIATION}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{AP\_OPTS\_ETYPE\_NEGOTIATION} + & +\code{0x00000002} +\\ +\hline\end{tabulary} + + + +\subsubsection{AP\_OPTS\_MUTUAL\_REQUIRED} +\label{appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:ap-opts-mutual-required}\label{appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:ap-opts-mutual-required-data}\label{appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED::doc}\index{AP\_OPTS\_MUTUAL\_REQUIRED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:AP_OPTS_MUTUAL_REQUIRED}\pysigline{\bfcode{AP\_OPTS\_MUTUAL\_REQUIRED}} +\end{fulllineitems} + + +Perform a mutual authentication exchange. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{AP\_OPTS\_MUTUAL\_REQUIRED} + & +\code{0x20000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{AP\_OPTS\_RESERVED} +\label{appdev/refs/macros/AP_OPTS_RESERVED::doc}\label{appdev/refs/macros/AP_OPTS_RESERVED:ap-opts-reserved-data}\label{appdev/refs/macros/AP_OPTS_RESERVED:ap-opts-reserved}\index{AP\_OPTS\_RESERVED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/AP_OPTS_RESERVED:AP_OPTS_RESERVED}\pysigline{\bfcode{AP\_OPTS\_RESERVED}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{AP\_OPTS\_RESERVED} + & +\code{0x80000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{AP\_OPTS\_USE\_SESSION\_KEY} +\label{appdev/refs/macros/AP_OPTS_USE_SESSION_KEY:ap-opts-use-session-key}\label{appdev/refs/macros/AP_OPTS_USE_SESSION_KEY::doc}\label{appdev/refs/macros/AP_OPTS_USE_SESSION_KEY:ap-opts-use-session-key-data}\index{AP\_OPTS\_USE\_SESSION\_KEY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/AP_OPTS_USE_SESSION_KEY:AP_OPTS_USE_SESSION_KEY}\pysigline{\bfcode{AP\_OPTS\_USE\_SESSION\_KEY}} +\end{fulllineitems} + + +Use session key. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{AP\_OPTS\_USE\_SESSION\_KEY} + & +\code{0x40000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{AP\_OPTS\_USE\_SUBKEY} +\label{appdev/refs/macros/AP_OPTS_USE_SUBKEY:ap-opts-use-subkey}\label{appdev/refs/macros/AP_OPTS_USE_SUBKEY:ap-opts-use-subkey-data}\label{appdev/refs/macros/AP_OPTS_USE_SUBKEY::doc}\index{AP\_OPTS\_USE\_SUBKEY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/AP_OPTS_USE_SUBKEY:AP_OPTS_USE_SUBKEY}\pysigline{\bfcode{AP\_OPTS\_USE\_SUBKEY}} +\end{fulllineitems} + + +Generate a subsession key from the current session key obtained from the credentials. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{AP\_OPTS\_USE\_SUBKEY} + & +\code{0x00000001} +\\ +\hline\end{tabulary} + + + +\subsubsection{AP\_OPTS\_WIRE\_MASK} +\label{appdev/refs/macros/AP_OPTS_WIRE_MASK:ap-opts-wire-mask-data}\label{appdev/refs/macros/AP_OPTS_WIRE_MASK:ap-opts-wire-mask}\label{appdev/refs/macros/AP_OPTS_WIRE_MASK::doc}\index{AP\_OPTS\_WIRE\_MASK (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/AP_OPTS_WIRE_MASK:AP_OPTS_WIRE_MASK}\pysigline{\bfcode{AP\_OPTS\_WIRE\_MASK}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{AP\_OPTS\_WIRE\_MASK} + & +\code{0xfffffff0} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_CMAC\_CAMELLIA128} +\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128::doc}\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128:cksumtype-cmac-camellia128}\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128:cksumtype-cmac-camellia128-data}\index{CKSUMTYPE\_CMAC\_CAMELLIA128 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128:CKSUMTYPE_CMAC_CAMELLIA128}\pysigline{\bfcode{CKSUMTYPE\_CMAC\_CAMELLIA128}} +\end{fulllineitems} + + +RFC 6803. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_CMAC\_CAMELLIA128} + & +\code{0x0011} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_CMAC\_CAMELLIA256} +\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256::doc}\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256:cksumtype-cmac-camellia256}\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256:cksumtype-cmac-camellia256-data}\index{CKSUMTYPE\_CMAC\_CAMELLIA256 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256:CKSUMTYPE_CMAC_CAMELLIA256}\pysigline{\bfcode{CKSUMTYPE\_CMAC\_CAMELLIA256}} +\end{fulllineitems} + + +RFC 6803. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_CMAC\_CAMELLIA256} + & +\code{0x0012} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_CRC32} +\label{appdev/refs/macros/CKSUMTYPE_CRC32:cksumtype-crc32-data}\label{appdev/refs/macros/CKSUMTYPE_CRC32::doc}\label{appdev/refs/macros/CKSUMTYPE_CRC32:cksumtype-crc32}\index{CKSUMTYPE\_CRC32 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_CRC32:CKSUMTYPE_CRC32}\pysigline{\bfcode{CKSUMTYPE\_CRC32}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_CRC32} + & +\code{0x0001} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_DESCBC} +\label{appdev/refs/macros/CKSUMTYPE_DESCBC:cksumtype-descbc-data}\label{appdev/refs/macros/CKSUMTYPE_DESCBC::doc}\label{appdev/refs/macros/CKSUMTYPE_DESCBC:cksumtype-descbc}\index{CKSUMTYPE\_DESCBC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_DESCBC:CKSUMTYPE_DESCBC}\pysigline{\bfcode{CKSUMTYPE\_DESCBC}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_DESCBC} + & +\code{0x0004} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_HMAC\_MD5\_ARCFOUR} +\label{appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR:cksumtype-hmac-md5-arcfour-data}\label{appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR:cksumtype-hmac-md5-arcfour}\label{appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR::doc}\index{CKSUMTYPE\_HMAC\_MD5\_ARCFOUR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR:CKSUMTYPE_HMAC_MD5_ARCFOUR}\pysigline{\bfcode{CKSUMTYPE\_HMAC\_MD5\_ARCFOUR}} +\end{fulllineitems} + + +RFC 4757. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_HMAC\_MD5\_ARCFOUR} + & +\code{-138} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_HMAC\_SHA1\_96\_AES128} +\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128::doc}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128:cksumtype-hmac-sha1-96-aes128}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128:cksumtype-hmac-sha1-96-aes128-data}\index{CKSUMTYPE\_HMAC\_SHA1\_96\_AES128 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128:CKSUMTYPE_HMAC_SHA1_96_AES128}\pysigline{\bfcode{CKSUMTYPE\_HMAC\_SHA1\_96\_AES128}} +\end{fulllineitems} + + +RFC 3962. + +Used with ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_HMAC\_SHA1\_96\_AES128} + & +\code{0x000f} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_HMAC\_SHA1\_96\_AES256} +\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256::doc}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256:cksumtype-hmac-sha1-96-aes256}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256:cksumtype-hmac-sha1-96-aes256-data}\index{CKSUMTYPE\_HMAC\_SHA1\_96\_AES256 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256:CKSUMTYPE_HMAC_SHA1_96_AES256}\pysigline{\bfcode{CKSUMTYPE\_HMAC\_SHA1\_96\_AES256}} +\end{fulllineitems} + + +RFC 3962. + +Used with ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_HMAC\_SHA1\_96\_AES256} + & +\code{0x0010} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_HMAC\_SHA256\_128\_AES128} +\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128:cksumtype-hmac-sha256-128-aes128-data}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128::doc}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128:cksumtype-hmac-sha256-128-aes128}\index{CKSUMTYPE\_HMAC\_SHA256\_128\_AES128 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128:CKSUMTYPE_HMAC_SHA256_128_AES128}\pysigline{\bfcode{CKSUMTYPE\_HMAC\_SHA256\_128\_AES128}} +\end{fulllineitems} + + +RFC 8009. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_HMAC\_SHA256\_128\_AES128} + & +\code{0x0013} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_HMAC\_SHA384\_192\_AES256} +\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256:cksumtype-hmac-sha384-192-aes256}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256:cksumtype-hmac-sha384-192-aes256-data}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256::doc}\index{CKSUMTYPE\_HMAC\_SHA384\_192\_AES256 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256:CKSUMTYPE_HMAC_SHA384_192_AES256}\pysigline{\bfcode{CKSUMTYPE\_HMAC\_SHA384\_192\_AES256}} +\end{fulllineitems} + + +RFC 8009. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_HMAC\_SHA384\_192\_AES256} + & +\code{0x0014} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_HMAC\_SHA1\_DES3} +\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3::doc}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3:cksumtype-hmac-sha1-des3}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3:cksumtype-hmac-sha1-des3-data}\index{CKSUMTYPE\_HMAC\_SHA1\_DES3 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3:CKSUMTYPE_HMAC_SHA1_DES3}\pysigline{\bfcode{CKSUMTYPE\_HMAC\_SHA1\_DES3}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_HMAC\_SHA1\_DES3} + & +\code{0x000c} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_MD5\_HMAC\_ARCFOUR} +\label{appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR:cksumtype-md5-hmac-arcfour}\label{appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR:cksumtype-md5-hmac-arcfour-data}\label{appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR::doc}\index{CKSUMTYPE\_MD5\_HMAC\_ARCFOUR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR:CKSUMTYPE_MD5_HMAC_ARCFOUR}\pysigline{\bfcode{CKSUMTYPE\_MD5\_HMAC\_ARCFOUR}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_MD5\_HMAC\_ARCFOUR} + & +\code{-137 /* Microsoft netlogon */} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_NIST\_SHA} +\label{appdev/refs/macros/CKSUMTYPE_NIST_SHA::doc}\label{appdev/refs/macros/CKSUMTYPE_NIST_SHA:cksumtype-nist-sha}\label{appdev/refs/macros/CKSUMTYPE_NIST_SHA:cksumtype-nist-sha-data}\index{CKSUMTYPE\_NIST\_SHA (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_NIST_SHA:CKSUMTYPE_NIST_SHA}\pysigline{\bfcode{CKSUMTYPE\_NIST\_SHA}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_NIST\_SHA} + & +\code{0x0009} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_RSA\_MD4} +\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4::doc}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4:cksumtype-rsa-md4}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4:cksumtype-rsa-md4-data}\index{CKSUMTYPE\_RSA\_MD4 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4:CKSUMTYPE_RSA_MD4}\pysigline{\bfcode{CKSUMTYPE\_RSA\_MD4}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_RSA\_MD4} + & +\code{0x0002} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_RSA\_MD4\_DES} +\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES::doc}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES:cksumtype-rsa-md4-des}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES:cksumtype-rsa-md4-des-data}\index{CKSUMTYPE\_RSA\_MD4\_DES (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES:CKSUMTYPE_RSA_MD4_DES}\pysigline{\bfcode{CKSUMTYPE\_RSA\_MD4\_DES}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_RSA\_MD4\_DES} + & +\code{0x0003} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_RSA\_MD5} +\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5:cksumtype-rsa-md5-data}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5::doc}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5:cksumtype-rsa-md5}\index{CKSUMTYPE\_RSA\_MD5 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5:CKSUMTYPE_RSA_MD5}\pysigline{\bfcode{CKSUMTYPE\_RSA\_MD5}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_RSA\_MD5} + & +\code{0x0007} +\\ +\hline\end{tabulary} + + + +\subsubsection{CKSUMTYPE\_RSA\_MD5\_DES} +\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES:cksumtype-rsa-md5-des-data}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES::doc}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES:cksumtype-rsa-md5-des}\index{CKSUMTYPE\_RSA\_MD5\_DES (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES:CKSUMTYPE_RSA_MD5_DES}\pysigline{\bfcode{CKSUMTYPE\_RSA\_MD5\_DES}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{CKSUMTYPE\_RSA\_MD5\_DES} + & +\code{0x0008} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96} +\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96:enctype-aes128-cts-hmac-sha1-96-data}\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96::doc}\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96:enctype-aes128-cts-hmac-sha1-96}\index{ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96:ENCTYPE_AES128_CTS_HMAC_SHA1_96}\pysigline{\bfcode{ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96}} +\end{fulllineitems} + + +RFC 3962. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96} + & +\code{0x0011} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_AES128\_CTS\_HMAC\_SHA256\_128} +\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128:enctype-aes128-cts-hmac-sha256-128}\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128:enctype-aes128-cts-hmac-sha256-128-data}\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128::doc}\index{ENCTYPE\_AES128\_CTS\_HMAC\_SHA256\_128 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128:ENCTYPE_AES128_CTS_HMAC_SHA256_128}\pysigline{\bfcode{ENCTYPE\_AES128\_CTS\_HMAC\_SHA256\_128}} +\end{fulllineitems} + + +RFC 8009. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_AES128\_CTS\_HMAC\_SHA256\_128} + & +\code{0x0013} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96} +\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96:enctype-aes256-cts-hmac-sha1-96-data}\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96::doc}\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96:enctype-aes256-cts-hmac-sha1-96}\index{ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96:ENCTYPE_AES256_CTS_HMAC_SHA1_96}\pysigline{\bfcode{ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96}} +\end{fulllineitems} + + +RFC 3962. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96} + & +\code{0x0012} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_AES256\_CTS\_HMAC\_SHA384\_192} +\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192:enctype-aes256-cts-hmac-sha384-192-data}\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192:enctype-aes256-cts-hmac-sha384-192}\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192::doc}\index{ENCTYPE\_AES256\_CTS\_HMAC\_SHA384\_192 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192:ENCTYPE_AES256_CTS_HMAC_SHA384_192}\pysigline{\bfcode{ENCTYPE\_AES256\_CTS\_HMAC\_SHA384\_192}} +\end{fulllineitems} + + +RFC 8009. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_AES256\_CTS\_HMAC\_SHA384\_192} + & +\code{0x0014} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_ARCFOUR\_HMAC} +\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC:enctype-arcfour-hmac}\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC:enctype-arcfour-hmac-data}\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC::doc}\index{ENCTYPE\_ARCFOUR\_HMAC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC:ENCTYPE_ARCFOUR_HMAC}\pysigline{\bfcode{ENCTYPE\_ARCFOUR\_HMAC}} +\end{fulllineitems} + + +RFC 4757. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_ARCFOUR\_HMAC} + & +\code{0x0017} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_ARCFOUR\_HMAC\_EXP} +\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP:enctype-arcfour-hmac-exp-data}\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP:enctype-arcfour-hmac-exp}\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP::doc}\index{ENCTYPE\_ARCFOUR\_HMAC\_EXP (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP:ENCTYPE_ARCFOUR_HMAC_EXP}\pysigline{\bfcode{ENCTYPE\_ARCFOUR\_HMAC\_EXP}} +\end{fulllineitems} + + +RFC 4757. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_ARCFOUR\_HMAC\_EXP} + & +\code{0x0018} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_CAMELLIA128\_CTS\_CMAC} +\label{appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC:enctype-camellia128-cts-cmac-data}\label{appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC:enctype-camellia128-cts-cmac}\label{appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC::doc}\index{ENCTYPE\_CAMELLIA128\_CTS\_CMAC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC:ENCTYPE_CAMELLIA128_CTS_CMAC}\pysigline{\bfcode{ENCTYPE\_CAMELLIA128\_CTS\_CMAC}} +\end{fulllineitems} + + +RFC 6803. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_CAMELLIA128\_CTS\_CMAC} + & +\code{0x0019} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_CAMELLIA256\_CTS\_CMAC} +\label{appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC:enctype-camellia256-cts-cmac-data}\label{appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC:enctype-camellia256-cts-cmac}\label{appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC::doc}\index{ENCTYPE\_CAMELLIA256\_CTS\_CMAC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC:ENCTYPE_CAMELLIA256_CTS_CMAC}\pysigline{\bfcode{ENCTYPE\_CAMELLIA256\_CTS\_CMAC}} +\end{fulllineitems} + + +RFC 6803. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_CAMELLIA256\_CTS\_CMAC} + & +\code{0x001a} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_DES3\_CBC\_ENV} +\label{appdev/refs/macros/ENCTYPE_DES3_CBC_ENV::doc}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_ENV:enctype-des3-cbc-env}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_ENV:enctype-des3-cbc-env-data}\index{ENCTYPE\_DES3\_CBC\_ENV (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_DES3_CBC_ENV:ENCTYPE_DES3_CBC_ENV}\pysigline{\bfcode{ENCTYPE\_DES3\_CBC\_ENV}} +\end{fulllineitems} + + +DES-3 cbc mode, CMS enveloped data. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_DES3\_CBC\_ENV} + & +\code{0x000f} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_DES3\_CBC\_RAW} +\label{appdev/refs/macros/ENCTYPE_DES3_CBC_RAW:enctype-des3-cbc-raw}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_RAW::doc}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_RAW:enctype-des3-cbc-raw-data}\index{ENCTYPE\_DES3\_CBC\_RAW (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_DES3_CBC_RAW:ENCTYPE_DES3_CBC_RAW}\pysigline{\bfcode{ENCTYPE\_DES3\_CBC\_RAW}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_DES3\_CBC\_RAW} + & +\code{0x0006} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_DES3\_CBC\_SHA} +\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA:enctype-des3-cbc-sha}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA::doc}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA:enctype-des3-cbc-sha-data}\index{ENCTYPE\_DES3\_CBC\_SHA (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA:ENCTYPE_DES3_CBC_SHA}\pysigline{\bfcode{ENCTYPE\_DES3\_CBC\_SHA}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_DES3\_CBC\_SHA} + & +\code{0x0005} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_DES3\_CBC\_SHA1} +\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1::doc}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1:enctype-des3-cbc-sha1}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1:enctype-des3-cbc-sha1-data}\index{ENCTYPE\_DES3\_CBC\_SHA1 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1:ENCTYPE_DES3_CBC_SHA1}\pysigline{\bfcode{ENCTYPE\_DES3\_CBC\_SHA1}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_DES3\_CBC\_SHA1} + & +\code{0x0010} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_DES\_CBC\_CRC} +\label{appdev/refs/macros/ENCTYPE_DES_CBC_CRC:enctype-des-cbc-crc-data}\label{appdev/refs/macros/ENCTYPE_DES_CBC_CRC:enctype-des-cbc-crc}\label{appdev/refs/macros/ENCTYPE_DES_CBC_CRC::doc}\index{ENCTYPE\_DES\_CBC\_CRC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_DES_CBC_CRC:ENCTYPE_DES_CBC_CRC}\pysigline{\bfcode{ENCTYPE\_DES\_CBC\_CRC}} +\end{fulllineitems} + + +DES cbc mode with CRC-32. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_DES\_CBC\_CRC} + & +\code{0x0001} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_DES\_CBC\_MD4} +\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD4:enctype-des-cbc-md4-data}\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD4::doc}\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD4:enctype-des-cbc-md4}\index{ENCTYPE\_DES\_CBC\_MD4 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD4:ENCTYPE_DES_CBC_MD4}\pysigline{\bfcode{ENCTYPE\_DES\_CBC\_MD4}} +\end{fulllineitems} + + +DES cbc mode with RSA-MD4. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_DES\_CBC\_MD4} + & +\code{0x0002} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_DES\_CBC\_MD5} +\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD5:enctype-des-cbc-md5-data}\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD5::doc}\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD5:enctype-des-cbc-md5}\index{ENCTYPE\_DES\_CBC\_MD5 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD5:ENCTYPE_DES_CBC_MD5}\pysigline{\bfcode{ENCTYPE\_DES\_CBC\_MD5}} +\end{fulllineitems} + + +DES cbc mode with RSA-MD5. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_DES\_CBC\_MD5} + & +\code{0x0003} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_DES\_CBC\_RAW} +\label{appdev/refs/macros/ENCTYPE_DES_CBC_RAW:enctype-des-cbc-raw-data}\label{appdev/refs/macros/ENCTYPE_DES_CBC_RAW:enctype-des-cbc-raw}\label{appdev/refs/macros/ENCTYPE_DES_CBC_RAW::doc}\index{ENCTYPE\_DES\_CBC\_RAW (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_DES_CBC_RAW:ENCTYPE_DES_CBC_RAW}\pysigline{\bfcode{ENCTYPE\_DES\_CBC\_RAW}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_DES\_CBC\_RAW} + & +\code{0x0004} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_DES\_HMAC\_SHA1} +\label{appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1:enctype-des-hmac-sha1-data}\label{appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1::doc}\label{appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1:enctype-des-hmac-sha1}\index{ENCTYPE\_DES\_HMAC\_SHA1 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1:ENCTYPE_DES_HMAC_SHA1}\pysigline{\bfcode{ENCTYPE\_DES\_HMAC\_SHA1}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_DES\_HMAC\_SHA1} + & +\code{0x0008} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_DSA\_SHA1\_CMS} +\label{appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS:enctype-dsa-sha1-cms-data}\label{appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS:enctype-dsa-sha1-cms}\label{appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS::doc}\index{ENCTYPE\_DSA\_SHA1\_CMS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS:ENCTYPE_DSA_SHA1_CMS}\pysigline{\bfcode{ENCTYPE\_DSA\_SHA1\_CMS}} +\end{fulllineitems} + + +DSA with SHA1, CMS signature. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_DSA\_SHA1\_CMS} + & +\code{0x0009} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_MD5\_RSA\_CMS} +\label{appdev/refs/macros/ENCTYPE_MD5_RSA_CMS:enctype-md5-rsa-cms}\label{appdev/refs/macros/ENCTYPE_MD5_RSA_CMS:enctype-md5-rsa-cms-data}\label{appdev/refs/macros/ENCTYPE_MD5_RSA_CMS::doc}\index{ENCTYPE\_MD5\_RSA\_CMS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_MD5_RSA_CMS:ENCTYPE_MD5_RSA_CMS}\pysigline{\bfcode{ENCTYPE\_MD5\_RSA\_CMS}} +\end{fulllineitems} + + +MD5 with RSA, CMS signature. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_MD5\_RSA\_CMS} + & +\code{0x000a} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_NULL} +\label{appdev/refs/macros/ENCTYPE_NULL:enctype-null}\label{appdev/refs/macros/ENCTYPE_NULL::doc}\label{appdev/refs/macros/ENCTYPE_NULL:enctype-null-data}\index{ENCTYPE\_NULL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_NULL:ENCTYPE_NULL}\pysigline{\bfcode{ENCTYPE\_NULL}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_NULL} + & +\code{0x0000} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_RC2\_CBC\_ENV} +\label{appdev/refs/macros/ENCTYPE_RC2_CBC_ENV:enctype-rc2-cbc-env}\label{appdev/refs/macros/ENCTYPE_RC2_CBC_ENV::doc}\label{appdev/refs/macros/ENCTYPE_RC2_CBC_ENV:enctype-rc2-cbc-env-data}\index{ENCTYPE\_RC2\_CBC\_ENV (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_RC2_CBC_ENV:ENCTYPE_RC2_CBC_ENV}\pysigline{\bfcode{ENCTYPE\_RC2\_CBC\_ENV}} +\end{fulllineitems} + + +RC2 cbc mode, CMS enveloped data. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_RC2\_CBC\_ENV} + & +\code{0x000c} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_RSA\_ENV} +\label{appdev/refs/macros/ENCTYPE_RSA_ENV:enctype-rsa-env-data}\label{appdev/refs/macros/ENCTYPE_RSA_ENV:enctype-rsa-env}\label{appdev/refs/macros/ENCTYPE_RSA_ENV::doc}\index{ENCTYPE\_RSA\_ENV (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_RSA_ENV:ENCTYPE_RSA_ENV}\pysigline{\bfcode{ENCTYPE\_RSA\_ENV}} +\end{fulllineitems} + + +RSA encryption, CMS enveloped data. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_RSA\_ENV} + & +\code{0x000d} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_RSA\_ES\_OAEP\_ENV} +\label{appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV::doc}\label{appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV:enctype-rsa-es-oaep-env}\label{appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV:enctype-rsa-es-oaep-env-data}\index{ENCTYPE\_RSA\_ES\_OAEP\_ENV (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV:ENCTYPE_RSA_ES_OAEP_ENV}\pysigline{\bfcode{ENCTYPE\_RSA\_ES\_OAEP\_ENV}} +\end{fulllineitems} + + +RSA w/OEAP encryption, CMS enveloped data. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_RSA\_ES\_OAEP\_ENV} + & +\code{0x000e} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_SHA1\_RSA\_CMS} +\label{appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS::doc}\label{appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS:enctype-sha1-rsa-cms-data}\label{appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS:enctype-sha1-rsa-cms}\index{ENCTYPE\_SHA1\_RSA\_CMS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS:ENCTYPE_SHA1_RSA_CMS}\pysigline{\bfcode{ENCTYPE\_SHA1\_RSA\_CMS}} +\end{fulllineitems} + + +SHA1 with RSA, CMS signature. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_SHA1\_RSA\_CMS} + & +\code{0x000b} +\\ +\hline\end{tabulary} + + + +\subsubsection{ENCTYPE\_UNKNOWN} +\label{appdev/refs/macros/ENCTYPE_UNKNOWN:enctype-unknown}\label{appdev/refs/macros/ENCTYPE_UNKNOWN::doc}\label{appdev/refs/macros/ENCTYPE_UNKNOWN:enctype-unknown-data}\index{ENCTYPE\_UNKNOWN (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/ENCTYPE_UNKNOWN:ENCTYPE_UNKNOWN}\pysigline{\bfcode{ENCTYPE\_UNKNOWN}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{ENCTYPE\_UNKNOWN} + & +\code{0x01ff} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_ALLOW\_POSTDATE} +\label{appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE:kdc-opt-allow-postdate}\label{appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE:kdc-opt-allow-postdate-data}\label{appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE::doc}\index{KDC\_OPT\_ALLOW\_POSTDATE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE:KDC_OPT_ALLOW_POSTDATE}\pysigline{\bfcode{KDC\_OPT\_ALLOW\_POSTDATE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_ALLOW\_POSTDATE} + & +\code{0x04000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_CANONICALIZE} +\label{appdev/refs/macros/KDC_OPT_CANONICALIZE:kdc-opt-canonicalize}\label{appdev/refs/macros/KDC_OPT_CANONICALIZE:kdc-opt-canonicalize-data}\label{appdev/refs/macros/KDC_OPT_CANONICALIZE::doc}\index{KDC\_OPT\_CANONICALIZE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_CANONICALIZE:KDC_OPT_CANONICALIZE}\pysigline{\bfcode{KDC\_OPT\_CANONICALIZE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_CANONICALIZE} + & +\code{0x00010000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_CNAME\_IN\_ADDL\_TKT} +\label{appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT:kdc-opt-cname-in-addl-tkt-data}\label{appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT:kdc-opt-cname-in-addl-tkt}\label{appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT::doc}\index{KDC\_OPT\_CNAME\_IN\_ADDL\_TKT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT:KDC_OPT_CNAME_IN_ADDL_TKT}\pysigline{\bfcode{KDC\_OPT\_CNAME\_IN\_ADDL\_TKT}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_CNAME\_IN\_ADDL\_TKT} + & +\code{0x00020000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_DISABLE\_TRANSITED\_CHECK} +\label{appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK:kdc-opt-disable-transited-check}\label{appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK::doc}\label{appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK:kdc-opt-disable-transited-check-data}\index{KDC\_OPT\_DISABLE\_TRANSITED\_CHECK (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK:KDC_OPT_DISABLE_TRANSITED_CHECK}\pysigline{\bfcode{KDC\_OPT\_DISABLE\_TRANSITED\_CHECK}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_DISABLE\_TRANSITED\_CHECK} + & +\code{0x00000020} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_ENC\_TKT\_IN\_SKEY} +\label{appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY:kdc-opt-enc-tkt-in-skey}\label{appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY::doc}\label{appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY:kdc-opt-enc-tkt-in-skey-data}\index{KDC\_OPT\_ENC\_TKT\_IN\_SKEY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY:KDC_OPT_ENC_TKT_IN_SKEY}\pysigline{\bfcode{KDC\_OPT\_ENC\_TKT\_IN\_SKEY}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_ENC\_TKT\_IN\_SKEY} + & +\code{0x00000008} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_FORWARDABLE} +\label{appdev/refs/macros/KDC_OPT_FORWARDABLE:kdc-opt-forwardable-data}\label{appdev/refs/macros/KDC_OPT_FORWARDABLE::doc}\label{appdev/refs/macros/KDC_OPT_FORWARDABLE:kdc-opt-forwardable}\index{KDC\_OPT\_FORWARDABLE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_FORWARDABLE:KDC_OPT_FORWARDABLE}\pysigline{\bfcode{KDC\_OPT\_FORWARDABLE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_FORWARDABLE} + & +\code{0x40000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_FORWARDED} +\label{appdev/refs/macros/KDC_OPT_FORWARDED::doc}\label{appdev/refs/macros/KDC_OPT_FORWARDED:kdc-opt-forwarded}\label{appdev/refs/macros/KDC_OPT_FORWARDED:kdc-opt-forwarded-data}\index{KDC\_OPT\_FORWARDED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_FORWARDED:KDC_OPT_FORWARDED}\pysigline{\bfcode{KDC\_OPT\_FORWARDED}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_FORWARDED} + & +\code{0x20000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_POSTDATED} +\label{appdev/refs/macros/KDC_OPT_POSTDATED:kdc-opt-postdated-data}\label{appdev/refs/macros/KDC_OPT_POSTDATED:kdc-opt-postdated}\label{appdev/refs/macros/KDC_OPT_POSTDATED::doc}\index{KDC\_OPT\_POSTDATED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_POSTDATED:KDC_OPT_POSTDATED}\pysigline{\bfcode{KDC\_OPT\_POSTDATED}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_POSTDATED} + & +\code{0x02000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_PROXIABLE} +\label{appdev/refs/macros/KDC_OPT_PROXIABLE:kdc-opt-proxiable-data}\label{appdev/refs/macros/KDC_OPT_PROXIABLE::doc}\label{appdev/refs/macros/KDC_OPT_PROXIABLE:kdc-opt-proxiable}\index{KDC\_OPT\_PROXIABLE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_PROXIABLE:KDC_OPT_PROXIABLE}\pysigline{\bfcode{KDC\_OPT\_PROXIABLE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_PROXIABLE} + & +\code{0x10000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_PROXY} +\label{appdev/refs/macros/KDC_OPT_PROXY::doc}\label{appdev/refs/macros/KDC_OPT_PROXY:kdc-opt-proxy}\label{appdev/refs/macros/KDC_OPT_PROXY:kdc-opt-proxy-data}\index{KDC\_OPT\_PROXY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_PROXY:KDC_OPT_PROXY}\pysigline{\bfcode{KDC\_OPT\_PROXY}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_PROXY} + & +\code{0x08000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_RENEW} +\label{appdev/refs/macros/KDC_OPT_RENEW::doc}\label{appdev/refs/macros/KDC_OPT_RENEW:kdc-opt-renew}\label{appdev/refs/macros/KDC_OPT_RENEW:kdc-opt-renew-data}\index{KDC\_OPT\_RENEW (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_RENEW:KDC_OPT_RENEW}\pysigline{\bfcode{KDC\_OPT\_RENEW}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_RENEW} + & +\code{0x00000002} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_RENEWABLE} +\label{appdev/refs/macros/KDC_OPT_RENEWABLE:kdc-opt-renewable}\label{appdev/refs/macros/KDC_OPT_RENEWABLE:kdc-opt-renewable-data}\label{appdev/refs/macros/KDC_OPT_RENEWABLE::doc}\index{KDC\_OPT\_RENEWABLE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_RENEWABLE:KDC_OPT_RENEWABLE}\pysigline{\bfcode{KDC\_OPT\_RENEWABLE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_RENEWABLE} + & +\code{0x00800000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_RENEWABLE\_OK} +\label{appdev/refs/macros/KDC_OPT_RENEWABLE_OK::doc}\label{appdev/refs/macros/KDC_OPT_RENEWABLE_OK:kdc-opt-renewable-ok-data}\label{appdev/refs/macros/KDC_OPT_RENEWABLE_OK:kdc-opt-renewable-ok}\index{KDC\_OPT\_RENEWABLE\_OK (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_RENEWABLE_OK:KDC_OPT_RENEWABLE_OK}\pysigline{\bfcode{KDC\_OPT\_RENEWABLE\_OK}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_RENEWABLE\_OK} + & +\code{0x00000010} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_REQUEST\_ANONYMOUS} +\label{appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS:kdc-opt-request-anonymous}\label{appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS:kdc-opt-request-anonymous-data}\label{appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS::doc}\index{KDC\_OPT\_REQUEST\_ANONYMOUS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS:KDC_OPT_REQUEST_ANONYMOUS}\pysigline{\bfcode{KDC\_OPT\_REQUEST\_ANONYMOUS}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_REQUEST\_ANONYMOUS} + & +\code{0x00008000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_OPT\_VALIDATE} +\label{appdev/refs/macros/KDC_OPT_VALIDATE:kdc-opt-validate-data}\label{appdev/refs/macros/KDC_OPT_VALIDATE:kdc-opt-validate}\label{appdev/refs/macros/KDC_OPT_VALIDATE::doc}\index{KDC\_OPT\_VALIDATE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_OPT_VALIDATE:KDC_OPT_VALIDATE}\pysigline{\bfcode{KDC\_OPT\_VALIDATE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_OPT\_VALIDATE} + & +\code{0x00000001} +\\ +\hline\end{tabulary} + + + +\subsubsection{KDC\_TKT\_COMMON\_MASK} +\label{appdev/refs/macros/KDC_TKT_COMMON_MASK:kdc-tkt-common-mask-data}\label{appdev/refs/macros/KDC_TKT_COMMON_MASK::doc}\label{appdev/refs/macros/KDC_TKT_COMMON_MASK:kdc-tkt-common-mask}\index{KDC\_TKT\_COMMON\_MASK (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KDC_TKT_COMMON_MASK:KDC_TKT_COMMON_MASK}\pysigline{\bfcode{KDC\_TKT\_COMMON\_MASK}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KDC\_TKT\_COMMON\_MASK} + & +\code{0x54800000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_ALTAUTH\_ATT\_CHALLENGE\_RESPONSE} +\label{appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE:krb5-altauth-att-challenge-response}\label{appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE:krb5-altauth-att-challenge-response-data}\label{appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE::doc}\index{KRB5\_ALTAUTH\_ATT\_CHALLENGE\_RESPONSE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE:KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE}\pysigline{\bfcode{KRB5\_ALTAUTH\_ATT\_CHALLENGE\_RESPONSE}} +\end{fulllineitems} + + +alternate authentication types + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_ALTAUTH\_ATT\_CHALLENGE\_RESPONSE} + & +\code{64} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_ANONYMOUS\_PRINCSTR} +\label{appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR:krb5-anonymous-princstr}\label{appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR:krb5-anonymous-princstr-data}\label{appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR::doc}\index{KRB5\_ANONYMOUS\_PRINCSTR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR:KRB5_ANONYMOUS_PRINCSTR}\pysigline{\bfcode{KRB5\_ANONYMOUS\_PRINCSTR}} +\end{fulllineitems} + + +Anonymous principal name. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_ANONYMOUS\_PRINCSTR} + & +\code{"ANONYMOUS"} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_ANONYMOUS\_REALMSTR} +\label{appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR:krb5-anonymous-realmstr-data}\label{appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR:krb5-anonymous-realmstr}\label{appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR::doc}\index{KRB5\_ANONYMOUS\_REALMSTR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR:KRB5_ANONYMOUS_REALMSTR}\pysigline{\bfcode{KRB5\_ANONYMOUS\_REALMSTR}} +\end{fulllineitems} + + +Anonymous realm. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_ANONYMOUS\_REALMSTR} + & +\code{"WELLKNOWN:ANONYMOUS"} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AP\_REP} +\label{appdev/refs/macros/KRB5_AP_REP:krb5-ap-rep}\label{appdev/refs/macros/KRB5_AP_REP::doc}\label{appdev/refs/macros/KRB5_AP_REP:krb5-ap-rep-data}\index{KRB5\_AP\_REP (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AP_REP:KRB5_AP_REP}\pysigline{\bfcode{KRB5\_AP\_REP}} +\end{fulllineitems} + + +Response to mutual AP request. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AP\_REP} + & +\code{((krb5\_msgtype)15)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AP\_REQ} +\label{appdev/refs/macros/KRB5_AP_REQ:krb5-ap-req}\label{appdev/refs/macros/KRB5_AP_REQ::doc}\label{appdev/refs/macros/KRB5_AP_REQ:krb5-ap-req-data}\index{KRB5\_AP\_REQ (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AP_REQ:KRB5_AP_REQ}\pysigline{\bfcode{KRB5\_AP\_REQ}} +\end{fulllineitems} + + +Auth req to application server. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AP\_REQ} + & +\code{((krb5\_msgtype)14)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AS\_REP} +\label{appdev/refs/macros/KRB5_AS_REP:krb5-as-rep}\label{appdev/refs/macros/KRB5_AS_REP:krb5-as-rep-data}\label{appdev/refs/macros/KRB5_AS_REP::doc}\index{KRB5\_AS\_REP (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AS_REP:KRB5_AS_REP}\pysigline{\bfcode{KRB5\_AS\_REP}} +\end{fulllineitems} + + +Response to AS request. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AS\_REP} + & +\code{((krb5\_msgtype)11)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AS\_REQ} +\label{appdev/refs/macros/KRB5_AS_REQ:krb5-as-req}\label{appdev/refs/macros/KRB5_AS_REQ:krb5-as-req-data}\label{appdev/refs/macros/KRB5_AS_REQ::doc}\index{KRB5\_AS\_REQ (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AS_REQ:KRB5_AS_REQ}\pysigline{\bfcode{KRB5\_AS\_REQ}} +\end{fulllineitems} + + +Initial authentication request. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AS\_REQ} + & +\code{((krb5\_msgtype)10)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTHDATA\_AND\_OR} +\label{appdev/refs/macros/KRB5_AUTHDATA_AND_OR::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_AND_OR:krb5-authdata-and-or-data}\label{appdev/refs/macros/KRB5_AUTHDATA_AND_OR:krb5-authdata-and-or}\index{KRB5\_AUTHDATA\_AND\_OR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_AND_OR:KRB5_AUTHDATA_AND_OR}\pysigline{\bfcode{KRB5\_AUTHDATA\_AND\_OR}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTHDATA\_AND\_OR} + & +\code{5} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTHDATA\_AUTH\_INDICATOR} +\label{appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR:krb5-authdata-auth-indicator}\label{appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR:krb5-authdata-auth-indicator-data}\index{KRB5\_AUTHDATA\_AUTH\_INDICATOR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR:KRB5_AUTHDATA_AUTH_INDICATOR}\pysigline{\bfcode{KRB5\_AUTHDATA\_AUTH\_INDICATOR}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTHDATA\_AUTH\_INDICATOR} + & +\code{97} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTHDATA\_CAMMAC} +\label{appdev/refs/macros/KRB5_AUTHDATA_CAMMAC:krb5-authdata-cammac}\label{appdev/refs/macros/KRB5_AUTHDATA_CAMMAC::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_CAMMAC:krb5-authdata-cammac-data}\index{KRB5\_AUTHDATA\_CAMMAC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_CAMMAC:KRB5_AUTHDATA_CAMMAC}\pysigline{\bfcode{KRB5\_AUTHDATA\_CAMMAC}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTHDATA\_CAMMAC} + & +\code{96} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTHDATA\_ETYPE\_NEGOTIATION} +\label{appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION:krb5-authdata-etype-negotiation}\label{appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION:krb5-authdata-etype-negotiation-data}\index{KRB5\_AUTHDATA\_ETYPE\_NEGOTIATION (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION:KRB5_AUTHDATA_ETYPE_NEGOTIATION}\pysigline{\bfcode{KRB5\_AUTHDATA\_ETYPE\_NEGOTIATION}} +\end{fulllineitems} + + +RFC 4537. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTHDATA\_ETYPE\_NEGOTIATION} + & +\code{129} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTHDATA\_FX\_ARMOR} +\label{appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR:krb5-authdata-fx-armor}\label{appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR:krb5-authdata-fx-armor-data}\index{KRB5\_AUTHDATA\_FX\_ARMOR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR:KRB5_AUTHDATA_FX_ARMOR}\pysigline{\bfcode{KRB5\_AUTHDATA\_FX\_ARMOR}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTHDATA\_FX\_ARMOR} + & +\code{71} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTHDATA\_IF\_RELEVANT} +\label{appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT:krb5-authdata-if-relevant-data}\label{appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT:krb5-authdata-if-relevant}\label{appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT::doc}\index{KRB5\_AUTHDATA\_IF\_RELEVANT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT:KRB5_AUTHDATA_IF_RELEVANT}\pysigline{\bfcode{KRB5\_AUTHDATA\_IF\_RELEVANT}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTHDATA\_IF\_RELEVANT} + & +\code{1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTHDATA\_INITIAL\_VERIFIED\_CAS} +\label{appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS:krb5-authdata-initial-verified-cas-data}\label{appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS:krb5-authdata-initial-verified-cas}\label{appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS::doc}\index{KRB5\_AUTHDATA\_INITIAL\_VERIFIED\_CAS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS:KRB5_AUTHDATA_INITIAL_VERIFIED_CAS}\pysigline{\bfcode{KRB5\_AUTHDATA\_INITIAL\_VERIFIED\_CAS}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTHDATA\_INITIAL\_VERIFIED\_CAS} + & +\code{9} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTHDATA\_KDC\_ISSUED} +\label{appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED:krb5-authdata-kdc-issued-data}\label{appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED:krb5-authdata-kdc-issued}\index{KRB5\_AUTHDATA\_KDC\_ISSUED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED:KRB5_AUTHDATA_KDC_ISSUED}\pysigline{\bfcode{KRB5\_AUTHDATA\_KDC\_ISSUED}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTHDATA\_KDC\_ISSUED} + & +\code{4} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTHDATA\_MANDATORY\_FOR\_KDC} +\label{appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC:krb5-authdata-mandatory-for-kdc}\label{appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC:krb5-authdata-mandatory-for-kdc-data}\index{KRB5\_AUTHDATA\_MANDATORY\_FOR\_KDC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC:KRB5_AUTHDATA_MANDATORY_FOR_KDC}\pysigline{\bfcode{KRB5\_AUTHDATA\_MANDATORY\_FOR\_KDC}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTHDATA\_MANDATORY\_FOR\_KDC} + & +\code{8} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTHDATA\_OSF\_DCE} +\label{appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE:krb5-authdata-osf-dce-data}\label{appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE:krb5-authdata-osf-dce}\index{KRB5\_AUTHDATA\_OSF\_DCE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE:KRB5_AUTHDATA_OSF_DCE}\pysigline{\bfcode{KRB5\_AUTHDATA\_OSF\_DCE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTHDATA\_OSF\_DCE} + & +\code{64} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTHDATA\_SESAME} +\label{appdev/refs/macros/KRB5_AUTHDATA_SESAME:krb5-authdata-sesame}\label{appdev/refs/macros/KRB5_AUTHDATA_SESAME::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_SESAME:krb5-authdata-sesame-data}\index{KRB5\_AUTHDATA\_SESAME (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_SESAME:KRB5_AUTHDATA_SESAME}\pysigline{\bfcode{KRB5\_AUTHDATA\_SESAME}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTHDATA\_SESAME} + & +\code{65} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTHDATA\_SIGNTICKET} +\label{appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET:krb5-authdata-signticket-data}\label{appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET:krb5-authdata-signticket}\label{appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET::doc}\index{KRB5\_AUTHDATA\_SIGNTICKET (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET:KRB5_AUTHDATA_SIGNTICKET}\pysigline{\bfcode{KRB5\_AUTHDATA\_SIGNTICKET}} +\end{fulllineitems} + + +formerly 142 in krb5 1.8 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTHDATA\_SIGNTICKET} + & +\code{512} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTHDATA\_WIN2K\_PAC} +\label{appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC:krb5-authdata-win2k-pac-data}\label{appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC:krb5-authdata-win2k-pac}\index{KRB5\_AUTHDATA\_WIN2K\_PAC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC:KRB5_AUTHDATA_WIN2K_PAC}\pysigline{\bfcode{KRB5\_AUTHDATA\_WIN2K\_PAC}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTHDATA\_WIN2K\_PAC} + & +\code{128} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE} +\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:krb5-auth-context-do-sequence-data}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:krb5-auth-context-do-sequence}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE::doc}\index{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}} +\end{fulllineitems} + + +Prevent replays with sequence numbers. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE} + & +\code{0x00000004} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTH\_CONTEXT\_DO\_TIME} +\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:krb5-auth-context-do-time-data}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:krb5-auth-context-do-time}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME::doc}\index{KRB5\_AUTH\_CONTEXT\_DO\_TIME (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_DO\_TIME}} +\end{fulllineitems} + + +Prevent replays with timestamps and replay cache. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME} + & +\code{0x00000001} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR} +\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR::doc}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:krb5-auth-context-generate-local-addr}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:krb5-auth-context-generate-local-addr-data}\index{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR}} +\end{fulllineitems} + + +Generate the local network address. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR} + & +\code{0x00000001} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR} +\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:krb5-auth-context-generate-local-full-addr}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:krb5-auth-context-generate-local-full-addr-data}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR::doc}\index{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR}} +\end{fulllineitems} + + +Generate the local network address and the local port. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR} + & +\code{0x00000004} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR} +\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:krb5-auth-context-generate-remote-addr-data}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:krb5-auth-context-generate-remote-addr}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR::doc}\index{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR}} +\end{fulllineitems} + + +Generate the remote network address. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR} + & +\code{0x00000002} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR} +\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:krb5-auth-context-generate-remote-full-addr}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR::doc}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:krb5-auth-context-generate-remote-full-addr-data}\index{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR}} +\end{fulllineitems} + + +Generate the remote network address and the remote port. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR} + & +\code{0x00000008} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTH\_CONTEXT\_PERMIT\_ALL} +\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL:krb5-auth-context-permit-all}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL:krb5-auth-context-permit-all-data}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL::doc}\index{KRB5\_AUTH\_CONTEXT\_PERMIT\_ALL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL:KRB5_AUTH_CONTEXT_PERMIT_ALL}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_PERMIT\_ALL}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTH\_CONTEXT\_PERMIT\_ALL} + & +\code{0x00000010} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE} +\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE::doc}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:krb5-auth-context-ret-sequence}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:krb5-auth-context-ret-sequence-data}\index{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}} +\end{fulllineitems} + + +Save sequence numbers for application. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE} + & +\code{0x00000008} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTH\_CONTEXT\_RET\_TIME} +\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME::doc}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:krb5-auth-context-ret-time}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:krb5-auth-context-ret-time-data}\index{KRB5\_AUTH\_CONTEXT\_RET\_TIME (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_RET\_TIME}} +\end{fulllineitems} + + +Save timestamps for application. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME} + & +\code{0x00000002} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_AUTH\_CONTEXT\_USE\_SUBKEY} +\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY::doc}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY:krb5-auth-context-use-subkey-data}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY:krb5-auth-context-use-subkey}\index{KRB5\_AUTH\_CONTEXT\_USE\_SUBKEY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY:KRB5_AUTH_CONTEXT_USE_SUBKEY}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_USE\_SUBKEY}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_AUTH\_CONTEXT\_USE\_SUBKEY} + & +\code{0x00000020} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_CRED} +\label{appdev/refs/macros/KRB5_CRED:krb5-cred-data}\label{appdev/refs/macros/KRB5_CRED::doc}\label{appdev/refs/macros/KRB5_CRED:krb5-cred}\index{KRB5\_CRED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_CRED:KRB5_CRED}\pysigline{\bfcode{KRB5\_CRED}} +\end{fulllineitems} + + +Cred forwarding message. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_CRED} + & +\code{((krb5\_msgtype)22)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_CRYPTO\_TYPE\_CHECKSUM} +\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:krb5-crypto-type-checksum-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:krb5-crypto-type-checksum}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM::doc}\index{KRB5\_CRYPTO\_TYPE\_CHECKSUM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_CHECKSUM}} +\end{fulllineitems} + + +{[}out{]} checksum for MIC + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM} + & +\code{6} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_CRYPTO\_TYPE\_DATA} +\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA::doc}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:krb5-crypto-type-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:krb5-crypto-type-data-data}\index{KRB5\_CRYPTO\_TYPE\_DATA (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:KRB5_CRYPTO_TYPE_DATA}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_DATA}} +\end{fulllineitems} + + +{[}in, out{]} plaintext + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_CRYPTO\_TYPE\_DATA} + & +\code{2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_CRYPTO\_TYPE\_EMPTY} +\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY::doc}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY:krb5-crypto-type-empty}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY:krb5-crypto-type-empty-data}\index{KRB5\_CRYPTO\_TYPE\_EMPTY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY:KRB5_CRYPTO_TYPE_EMPTY}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_EMPTY}} +\end{fulllineitems} + + +{[}in{]} ignored + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_CRYPTO\_TYPE\_EMPTY} + & +\code{0} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_CRYPTO\_TYPE\_HEADER} +\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER:krb5-crypto-type-header}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER:krb5-crypto-type-header-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER::doc}\index{KRB5\_CRYPTO\_TYPE\_HEADER (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER:KRB5_CRYPTO_TYPE_HEADER}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_HEADER}} +\end{fulllineitems} + + +{[}out{]} header + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_CRYPTO\_TYPE\_HEADER} + & +\code{1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_CRYPTO\_TYPE\_PADDING} +\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING::doc}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING:krb5-crypto-type-padding-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING:krb5-crypto-type-padding}\index{KRB5\_CRYPTO\_TYPE\_PADDING (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING:KRB5_CRYPTO_TYPE_PADDING}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_PADDING}} +\end{fulllineitems} + + +{[}out{]} padding + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_CRYPTO\_TYPE\_PADDING} + & +\code{4} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY} +\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:krb5-crypto-type-sign-only}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:krb5-crypto-type-sign-only-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY::doc}\index{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:KRB5_CRYPTO_TYPE_SIGN_ONLY}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}} +\end{fulllineitems} + + +{[}in{]} associated data + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY} + & +\code{3} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_CRYPTO\_TYPE\_STREAM} +\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM:krb5-crypto-type-stream-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM::doc}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM:krb5-crypto-type-stream}\index{KRB5\_CRYPTO\_TYPE\_STREAM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM:KRB5_CRYPTO_TYPE_STREAM}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_STREAM}} +\end{fulllineitems} + + +{[}in{]} entire message without decomposing the structure into header, data and trailer buffers + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_CRYPTO\_TYPE\_STREAM} + & +\code{7} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_CRYPTO\_TYPE\_TRAILER} +\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER:krb5-crypto-type-trailer}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER:krb5-crypto-type-trailer-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER::doc}\index{KRB5\_CRYPTO\_TYPE\_TRAILER (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER:KRB5_CRYPTO_TYPE_TRAILER}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_TRAILER}} +\end{fulllineitems} + + +{[}out{]} checksum for encrypt + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_CRYPTO\_TYPE\_TRAILER} + & +\code{5} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_CYBERSAFE\_SECUREID} +\label{appdev/refs/macros/KRB5_CYBERSAFE_SECUREID:krb5-cybersafe-secureid}\label{appdev/refs/macros/KRB5_CYBERSAFE_SECUREID::doc}\label{appdev/refs/macros/KRB5_CYBERSAFE_SECUREID:krb5-cybersafe-secureid-data}\index{KRB5\_CYBERSAFE\_SECUREID (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_CYBERSAFE_SECUREID:KRB5_CYBERSAFE_SECUREID}\pysigline{\bfcode{KRB5\_CYBERSAFE\_SECUREID}} +\end{fulllineitems} + + +Cybersafe. + +RFC 4120 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_CYBERSAFE\_SECUREID} + & +\code{9} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_DOMAIN\_X500\_COMPRESS} +\label{appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS::doc}\label{appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS:krb5-domain-x500-compress}\label{appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS:krb5-domain-x500-compress-data}\index{KRB5\_DOMAIN\_X500\_COMPRESS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS:KRB5_DOMAIN_X500_COMPRESS}\pysigline{\bfcode{KRB5\_DOMAIN\_X500\_COMPRESS}} +\end{fulllineitems} + + +Transited encoding types. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_DOMAIN\_X500\_COMPRESS} + & +\code{1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_ENCPADATA\_REQ\_ENC\_PA\_REP} +\label{appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP:krb5-encpadata-req-enc-pa-rep}\label{appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP:krb5-encpadata-req-enc-pa-rep-data}\label{appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP::doc}\index{KRB5\_ENCPADATA\_REQ\_ENC\_PA\_REP (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP:KRB5_ENCPADATA_REQ_ENC_PA_REP}\pysigline{\bfcode{KRB5\_ENCPADATA\_REQ\_ENC\_PA\_REP}} +\end{fulllineitems} + + +RFC 6806. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_ENCPADATA\_REQ\_ENC\_PA\_REP} + & +\code{149} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_ERROR} +\label{appdev/refs/macros/KRB5_ERROR:krb5-error-data}\label{appdev/refs/macros/KRB5_ERROR:krb5-error}\label{appdev/refs/macros/KRB5_ERROR::doc}\index{KRB5\_ERROR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_ERROR:KRB5_ERROR}\pysigline{\bfcode{KRB5\_ERROR}} +\end{fulllineitems} + + +Error response. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_ERROR} + & +\code{((krb5\_msgtype)30)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_FAST\_REQUIRED} +\label{appdev/refs/macros/KRB5_FAST_REQUIRED:krb5-fast-required}\label{appdev/refs/macros/KRB5_FAST_REQUIRED:krb5-fast-required-data}\label{appdev/refs/macros/KRB5_FAST_REQUIRED::doc}\index{KRB5\_FAST\_REQUIRED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_FAST_REQUIRED:KRB5_FAST_REQUIRED}\pysigline{\bfcode{KRB5\_FAST\_REQUIRED}} +\end{fulllineitems} + + +Require KDC to support FAST. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_FAST\_REQUIRED} + & +\code{0x0001} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GC\_CACHED} +\label{appdev/refs/macros/KRB5_GC_CACHED:krb5-gc-cached}\label{appdev/refs/macros/KRB5_GC_CACHED:krb5-gc-cached-data}\label{appdev/refs/macros/KRB5_GC_CACHED::doc}\index{KRB5\_GC\_CACHED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GC_CACHED:KRB5_GC_CACHED}\pysigline{\bfcode{KRB5\_GC\_CACHED}} +\end{fulllineitems} + + +Want cached ticket only. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GC\_CACHED} + & +\code{2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GC\_CANONICALIZE} +\label{appdev/refs/macros/KRB5_GC_CANONICALIZE:krb5-gc-canonicalize-data}\label{appdev/refs/macros/KRB5_GC_CANONICALIZE:krb5-gc-canonicalize}\label{appdev/refs/macros/KRB5_GC_CANONICALIZE::doc}\index{KRB5\_GC\_CANONICALIZE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GC_CANONICALIZE:KRB5_GC_CANONICALIZE}\pysigline{\bfcode{KRB5\_GC\_CANONICALIZE}} +\end{fulllineitems} + + +Set canonicalize KDC option. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GC\_CANONICALIZE} + & +\code{4} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GC\_CONSTRAINED\_DELEGATION} +\label{appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION:krb5-gc-constrained-delegation}\label{appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION:krb5-gc-constrained-delegation-data}\label{appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION::doc}\index{KRB5\_GC\_CONSTRAINED\_DELEGATION (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION:KRB5_GC_CONSTRAINED_DELEGATION}\pysigline{\bfcode{KRB5\_GC\_CONSTRAINED\_DELEGATION}} +\end{fulllineitems} + + +Constrained delegation. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GC\_CONSTRAINED\_DELEGATION} + & +\code{64} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GC\_FORWARDABLE} +\label{appdev/refs/macros/KRB5_GC_FORWARDABLE:krb5-gc-forwardable-data}\label{appdev/refs/macros/KRB5_GC_FORWARDABLE:krb5-gc-forwardable}\label{appdev/refs/macros/KRB5_GC_FORWARDABLE::doc}\index{KRB5\_GC\_FORWARDABLE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GC_FORWARDABLE:KRB5_GC_FORWARDABLE}\pysigline{\bfcode{KRB5\_GC\_FORWARDABLE}} +\end{fulllineitems} + + +Acquire forwardable tickets. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GC\_FORWARDABLE} + & +\code{16} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GC\_NO\_STORE} +\label{appdev/refs/macros/KRB5_GC_NO_STORE::doc}\label{appdev/refs/macros/KRB5_GC_NO_STORE:krb5-gc-no-store}\label{appdev/refs/macros/KRB5_GC_NO_STORE:krb5-gc-no-store-data}\index{KRB5\_GC\_NO\_STORE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GC_NO_STORE:KRB5_GC_NO_STORE}\pysigline{\bfcode{KRB5\_GC\_NO\_STORE}} +\end{fulllineitems} + + +Do not store in credential cache. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GC\_NO\_STORE} + & +\code{8} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GC\_NO\_TRANSIT\_CHECK} +\label{appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK:krb5-gc-no-transit-check-data}\label{appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK:krb5-gc-no-transit-check}\label{appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK::doc}\index{KRB5\_GC\_NO\_TRANSIT\_CHECK (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK:KRB5_GC_NO_TRANSIT_CHECK}\pysigline{\bfcode{KRB5\_GC\_NO\_TRANSIT\_CHECK}} +\end{fulllineitems} + + +Disable transited check. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GC\_NO\_TRANSIT\_CHECK} + & +\code{32} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GC\_USER\_USER} +\label{appdev/refs/macros/KRB5_GC_USER_USER::doc}\label{appdev/refs/macros/KRB5_GC_USER_USER:krb5-gc-user-user}\label{appdev/refs/macros/KRB5_GC_USER_USER:krb5-gc-user-user-data}\index{KRB5\_GC\_USER\_USER (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GC_USER_USER:KRB5_GC_USER_USER}\pysigline{\bfcode{KRB5\_GC\_USER\_USER}} +\end{fulllineitems} + + +Want user-user ticket. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GC\_USER\_USER} + & +\code{1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_ADDRESS\_LIST} +\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST:krb5-get-init-creds-opt-address-list}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST:krb5-get-init-creds-opt-address-list-data}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_ADDRESS\_LIST (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST:KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_ADDRESS\_LIST}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GET\_INIT\_CREDS\_OPT\_ADDRESS\_LIST} + & +\code{0x0020} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_ANONYMOUS} +\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS:krb5-get-init-creds-opt-anonymous-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS:krb5-get-init-creds-opt-anonymous}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_ANONYMOUS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS:KRB5_GET_INIT_CREDS_OPT_ANONYMOUS}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_ANONYMOUS}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GET\_INIT\_CREDS\_OPT\_ANONYMOUS} + & +\code{0x0400} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_CANONICALIZE} +\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE:krb5-get-init-creds-opt-canonicalize-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE:krb5-get-init-creds-opt-canonicalize}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_CANONICALIZE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE:KRB5_GET_INIT_CREDS_OPT_CANONICALIZE}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_CANONICALIZE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GET\_INIT\_CREDS\_OPT\_CANONICALIZE} + & +\code{0x0200} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_CHG\_PWD\_PRMPT} +\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT:krb5-get-init-creds-opt-chg-pwd-prmpt}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT:krb5-get-init-creds-opt-chg-pwd-prmpt-data}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_CHG\_PWD\_PRMPT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT:KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_CHG\_PWD\_PRMPT}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GET\_INIT\_CREDS\_OPT\_CHG\_PWD\_PRMPT} + & +\code{0x0100} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_ETYPE\_LIST} +\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST:krb5-get-init-creds-opt-etype-list-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST:krb5-get-init-creds-opt-etype-list}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST::doc}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_ETYPE\_LIST (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST:KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_ETYPE\_LIST}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GET\_INIT\_CREDS\_OPT\_ETYPE\_LIST} + & +\code{0x0010} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_FORWARDABLE} +\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE:krb5-get-init-creds-opt-forwardable}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE:krb5-get-init-creds-opt-forwardable-data}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_FORWARDABLE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE:KRB5_GET_INIT_CREDS_OPT_FORWARDABLE}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_FORWARDABLE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GET\_INIT\_CREDS\_OPT\_FORWARDABLE} + & +\code{0x0004} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_PREAUTH\_LIST} +\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST:krb5-get-init-creds-opt-preauth-list}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST:krb5-get-init-creds-opt-preauth-list-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST::doc}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_PREAUTH\_LIST (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST:KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_PREAUTH\_LIST}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GET\_INIT\_CREDS\_OPT\_PREAUTH\_LIST} + & +\code{0x0040} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_PROXIABLE} +\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE:krb5-get-init-creds-opt-proxiable-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE:krb5-get-init-creds-opt-proxiable}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE::doc}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_PROXIABLE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE:KRB5_GET_INIT_CREDS_OPT_PROXIABLE}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_PROXIABLE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GET\_INIT\_CREDS\_OPT\_PROXIABLE} + & +\code{0x0008} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_RENEW\_LIFE} +\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE:krb5-get-init-creds-opt-renew-life-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE:krb5-get-init-creds-opt-renew-life}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_RENEW\_LIFE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE:KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_RENEW\_LIFE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GET\_INIT\_CREDS\_OPT\_RENEW\_LIFE} + & +\code{0x0002} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_SALT} +\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT:krb5-get-init-creds-opt-salt-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT:krb5-get-init-creds-opt-salt}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT::doc}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_SALT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT:KRB5_GET_INIT_CREDS_OPT_SALT}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_SALT}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GET\_INIT\_CREDS\_OPT\_SALT} + & +\code{0x0080} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_TKT\_LIFE} +\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE:krb5-get-init-creds-opt-tkt-life-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE:krb5-get-init-creds-opt-tkt-life}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_TKT\_LIFE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE:KRB5_GET_INIT_CREDS_OPT_TKT_LIFE}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_TKT\_LIFE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_GET\_INIT\_CREDS\_OPT\_TKT\_LIFE} + & +\code{0x0001} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_INIT\_CONTEXT\_SECURE} +\label{appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE::doc}\label{appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE:krb5-init-context-secure}\label{appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE:krb5-init-context-secure-data}\index{KRB5\_INIT\_CONTEXT\_SECURE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE:KRB5_INIT_CONTEXT_SECURE}\pysigline{\bfcode{KRB5\_INIT\_CONTEXT\_SECURE}} +\end{fulllineitems} + + +Use secure context configuration. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_INIT\_CONTEXT\_SECURE} + & +\code{0x1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_INIT\_CONTEXT\_KDC} +\label{appdev/refs/macros/KRB5_INIT_CONTEXT_KDC:krb5-init-context-kdc}\label{appdev/refs/macros/KRB5_INIT_CONTEXT_KDC::doc}\label{appdev/refs/macros/KRB5_INIT_CONTEXT_KDC:krb5-init-context-kdc-data}\index{KRB5\_INIT\_CONTEXT\_KDC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_INIT_CONTEXT_KDC:KRB5_INIT_CONTEXT_KDC}\pysigline{\bfcode{KRB5\_INIT\_CONTEXT\_KDC}} +\end{fulllineitems} + + +Use KDC configuration if available. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_INIT\_CONTEXT\_KDC} + & +\code{0x2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE} +\label{appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:krb5-init-creds-step-flag-continue-data}\label{appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:krb5-init-creds-step-flag-continue}\label{appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE::doc}\index{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:KRB5_INIT_CREDS_STEP_FLAG_CONTINUE}\pysigline{\bfcode{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE}} +\end{fulllineitems} + + +More responses needed. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE} + & +\code{0x1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_INT16\_MAX} +\label{appdev/refs/macros/KRB5_INT16_MAX:krb5-int16-max-data}\label{appdev/refs/macros/KRB5_INT16_MAX::doc}\label{appdev/refs/macros/KRB5_INT16_MAX:krb5-int16-max}\index{KRB5\_INT16\_MAX (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_INT16_MAX:KRB5_INT16_MAX}\pysigline{\bfcode{KRB5\_INT16\_MAX}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_INT16\_MAX} + & +\code{65535} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_INT16\_MIN} +\label{appdev/refs/macros/KRB5_INT16_MIN:krb5-int16-min-data}\label{appdev/refs/macros/KRB5_INT16_MIN:krb5-int16-min}\label{appdev/refs/macros/KRB5_INT16_MIN::doc}\index{KRB5\_INT16\_MIN (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_INT16_MIN:KRB5_INT16_MIN}\pysigline{\bfcode{KRB5\_INT16\_MIN}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_INT16\_MIN} + & +\code{(-KRB5\_INT16\_MAX-1)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_INT32\_MAX} +\label{appdev/refs/macros/KRB5_INT32_MAX:krb5-int32-max-data}\label{appdev/refs/macros/KRB5_INT32_MAX:krb5-int32-max}\label{appdev/refs/macros/KRB5_INT32_MAX::doc}\index{KRB5\_INT32\_MAX (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_INT32_MAX:KRB5_INT32_MAX}\pysigline{\bfcode{KRB5\_INT32\_MAX}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_INT32\_MAX} + & +\code{2147483647} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_INT32\_MIN} +\label{appdev/refs/macros/KRB5_INT32_MIN:krb5-int32-min-data}\label{appdev/refs/macros/KRB5_INT32_MIN::doc}\label{appdev/refs/macros/KRB5_INT32_MIN:krb5-int32-min}\index{KRB5\_INT32\_MIN (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_INT32_MIN:KRB5_INT32_MIN}\pysigline{\bfcode{KRB5\_INT32\_MIN}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_INT32\_MIN} + & +\code{(-KRB5\_INT32\_MAX-1)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_AD\_ITE} +\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE:krb5-keyusage-ad-ite-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE:krb5-keyusage-ad-ite}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE::doc}\index{KRB5\_KEYUSAGE\_AD\_ITE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE:KRB5_KEYUSAGE_AD_ITE}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AD\_ITE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_AD\_ITE} + & +\code{21} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_AD\_KDCISSUED\_CKSUM} +\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM:krb5-keyusage-ad-kdcissued-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM:krb5-keyusage-ad-kdcissued-cksum}\index{KRB5\_KEYUSAGE\_AD\_KDCISSUED\_CKSUM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM:KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AD\_KDCISSUED\_CKSUM}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_AD\_KDCISSUED\_CKSUM} + & +\code{19} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_AD\_MTE} +\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE:krb5-keyusage-ad-mte-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE:krb5-keyusage-ad-mte}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE::doc}\index{KRB5\_KEYUSAGE\_AD\_MTE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE:KRB5_KEYUSAGE_AD_MTE}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AD\_MTE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_AD\_MTE} + & +\code{20} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_AD\_SIGNEDPATH} +\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH:krb5-keyusage-ad-signedpath-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH:krb5-keyusage-ad-signedpath}\index{KRB5\_KEYUSAGE\_AD\_SIGNEDPATH (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH:KRB5_KEYUSAGE_AD_SIGNEDPATH}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AD\_SIGNEDPATH}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_AD\_SIGNEDPATH} + & +\code{-21} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_APP\_DATA\_CKSUM} +\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM:krb5-keyusage-app-data-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM:krb5-keyusage-app-data-cksum}\index{KRB5\_KEYUSAGE\_APP\_DATA\_CKSUM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM:KRB5_KEYUSAGE_APP_DATA_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_APP\_DATA\_CKSUM}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_APP\_DATA\_CKSUM} + & +\code{17} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_APP\_DATA\_ENCRYPT} +\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT:krb5-keyusage-app-data-encrypt}\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT:krb5-keyusage-app-data-encrypt-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT::doc}\index{KRB5\_KEYUSAGE\_APP\_DATA\_ENCRYPT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT:KRB5_KEYUSAGE_APP_DATA_ENCRYPT}\pysigline{\bfcode{KRB5\_KEYUSAGE\_APP\_DATA\_ENCRYPT}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_APP\_DATA\_ENCRYPT} + & +\code{16} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_AP\_REP\_ENCPART} +\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART:krb5-keyusage-ap-rep-encpart}\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART:krb5-keyusage-ap-rep-encpart-data}\index{KRB5\_KEYUSAGE\_AP\_REP\_ENCPART (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART:KRB5_KEYUSAGE_AP_REP_ENCPART}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AP\_REP\_ENCPART}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_AP\_REP\_ENCPART} + & +\code{12} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH} +\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH:krb5-keyusage-ap-req-auth}\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH:krb5-keyusage-ap-req-auth-data}\index{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH:KRB5_KEYUSAGE_AP_REQ_AUTH}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH} + & +\code{11} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH\_CKSUM} +\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM:krb5-keyusage-ap-req-auth-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM:krb5-keyusage-ap-req-auth-cksum}\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM::doc}\index{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH\_CKSUM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM:KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH\_CKSUM}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH\_CKSUM} + & +\code{10} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_AS\_REP\_ENCPART} +\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART:krb5-keyusage-as-rep-encpart-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART:krb5-keyusage-as-rep-encpart}\index{KRB5\_KEYUSAGE\_AS\_REP\_ENCPART (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART:KRB5_KEYUSAGE_AS_REP_ENCPART}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AS\_REP\_ENCPART}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_AS\_REP\_ENCPART} + & +\code{3} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_AS\_REQ} +\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ:krb5-keyusage-as-req-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ:krb5-keyusage-as-req}\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ::doc}\index{KRB5\_KEYUSAGE\_AS\_REQ (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ:KRB5_KEYUSAGE_AS_REQ}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AS\_REQ}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_AS\_REQ} + & +\code{56} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_AS\_REQ\_PA\_ENC\_TS} +\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS:krb5-keyusage-as-req-pa-enc-ts-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS:krb5-keyusage-as-req-pa-enc-ts}\index{KRB5\_KEYUSAGE\_AS\_REQ\_PA\_ENC\_TS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS:KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AS\_REQ\_PA\_ENC\_TS}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_AS\_REQ\_PA\_ENC\_TS} + & +\code{1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_CAMMAC} +\label{appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC:krb5-keyusage-cammac}\label{appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC:krb5-keyusage-cammac-data}\index{KRB5\_KEYUSAGE\_CAMMAC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC:KRB5_KEYUSAGE_CAMMAC}\pysigline{\bfcode{KRB5\_KEYUSAGE\_CAMMAC}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_CAMMAC} + & +\code{64} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_CLIENT} +\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT:krb5-keyusage-enc-challenge-client-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT:krb5-keyusage-enc-challenge-client}\index{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_CLIENT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT:KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT}\pysigline{\bfcode{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_CLIENT}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_CLIENT} + & +\code{54} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_KDC} +\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC:krb5-keyusage-enc-challenge-kdc-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC:krb5-keyusage-enc-challenge-kdc}\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC::doc}\index{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_KDC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC:KRB5_KEYUSAGE_ENC_CHALLENGE_KDC}\pysigline{\bfcode{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_KDC}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_KDC} + & +\code{55} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_FAST\_ENC} +\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC:krb5-keyusage-fast-enc-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC:krb5-keyusage-fast-enc}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC::doc}\index{KRB5\_KEYUSAGE\_FAST\_ENC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC:KRB5_KEYUSAGE_FAST_ENC}\pysigline{\bfcode{KRB5\_KEYUSAGE\_FAST\_ENC}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_FAST\_ENC} + & +\code{51} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_FAST\_FINISHED} +\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED:krb5-keyusage-fast-finished-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED:krb5-keyusage-fast-finished}\index{KRB5\_KEYUSAGE\_FAST\_FINISHED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED:KRB5_KEYUSAGE_FAST_FINISHED}\pysigline{\bfcode{KRB5\_KEYUSAGE\_FAST\_FINISHED}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_FAST\_FINISHED} + & +\code{53} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_FAST\_REP} +\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP:krb5-keyusage-fast-rep-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP:krb5-keyusage-fast-rep}\index{KRB5\_KEYUSAGE\_FAST\_REP (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP:KRB5_KEYUSAGE_FAST_REP}\pysigline{\bfcode{KRB5\_KEYUSAGE\_FAST\_REP}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_FAST\_REP} + & +\code{52} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_FAST\_REQ\_CHKSUM} +\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM:krb5-keyusage-fast-req-chksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM:krb5-keyusage-fast-req-chksum}\index{KRB5\_KEYUSAGE\_FAST\_REQ\_CHKSUM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM:KRB5_KEYUSAGE_FAST_REQ_CHKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_FAST\_REQ\_CHKSUM}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_FAST\_REQ\_CHKSUM} + & +\code{50} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_GSS\_TOK\_MIC} +\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC:krb5-keyusage-gss-tok-mic}\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC:krb5-keyusage-gss-tok-mic-data}\index{KRB5\_KEYUSAGE\_GSS\_TOK\_MIC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC:KRB5_KEYUSAGE_GSS_TOK_MIC}\pysigline{\bfcode{KRB5\_KEYUSAGE\_GSS\_TOK\_MIC}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_GSS\_TOK\_MIC} + & +\code{22} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_INTEG} +\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG:krb5-keyusage-gss-tok-wrap-integ}\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG:krb5-keyusage-gss-tok-wrap-integ-data}\index{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_INTEG (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG:KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG}\pysigline{\bfcode{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_INTEG}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_INTEG} + & +\code{23} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_PRIV} +\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV:krb5-keyusage-gss-tok-wrap-priv-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV:krb5-keyusage-gss-tok-wrap-priv}\index{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_PRIV (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV:KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV}\pysigline{\bfcode{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_PRIV}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_PRIV} + & +\code{24} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_IAKERB\_FINISHED} +\label{appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED:krb5-keyusage-iakerb-finished-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED:krb5-keyusage-iakerb-finished}\index{KRB5\_KEYUSAGE\_IAKERB\_FINISHED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED:KRB5_KEYUSAGE_IAKERB_FINISHED}\pysigline{\bfcode{KRB5\_KEYUSAGE\_IAKERB\_FINISHED}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_IAKERB\_FINISHED} + & +\code{42} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_KDC\_REP\_TICKET} +\label{appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET:krb5-keyusage-kdc-rep-ticket-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET:krb5-keyusage-kdc-rep-ticket}\index{KRB5\_KEYUSAGE\_KDC\_REP\_TICKET (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET:KRB5_KEYUSAGE_KDC_REP_TICKET}\pysigline{\bfcode{KRB5\_KEYUSAGE\_KDC\_REP\_TICKET}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_KDC\_REP\_TICKET} + & +\code{2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_KRB\_CRED\_ENCPART} +\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART:krb5-keyusage-krb-cred-encpart-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART:krb5-keyusage-krb-cred-encpart}\index{KRB5\_KEYUSAGE\_KRB\_CRED\_ENCPART (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART:KRB5_KEYUSAGE_KRB_CRED_ENCPART}\pysigline{\bfcode{KRB5\_KEYUSAGE\_KRB\_CRED\_ENCPART}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_KRB\_CRED\_ENCPART} + & +\code{14} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_KRB\_ERROR\_CKSUM} +\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM:krb5-keyusage-krb-error-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM:krb5-keyusage-krb-error-cksum}\index{KRB5\_KEYUSAGE\_KRB\_ERROR\_CKSUM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM:KRB5_KEYUSAGE_KRB_ERROR_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_KRB\_ERROR\_CKSUM}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_KRB\_ERROR\_CKSUM} + & +\code{18} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_KRB\_PRIV\_ENCPART} +\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART:krb5-keyusage-krb-priv-encpart}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART:krb5-keyusage-krb-priv-encpart-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART::doc}\index{KRB5\_KEYUSAGE\_KRB\_PRIV\_ENCPART (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART:KRB5_KEYUSAGE_KRB_PRIV_ENCPART}\pysigline{\bfcode{KRB5\_KEYUSAGE\_KRB\_PRIV\_ENCPART}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_KRB\_PRIV\_ENCPART} + & +\code{13} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_KRB\_SAFE\_CKSUM} +\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM:krb5-keyusage-krb-safe-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM:krb5-keyusage-krb-safe-cksum}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM::doc}\index{KRB5\_KEYUSAGE\_KRB\_SAFE\_CKSUM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM:KRB5_KEYUSAGE_KRB_SAFE_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_KRB\_SAFE\_CKSUM}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_KRB\_SAFE\_CKSUM} + & +\code{15} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_PA\_FX\_COOKIE} +\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE:krb5-keyusage-pa-fx-cookie}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE:krb5-keyusage-pa-fx-cookie-data}\index{KRB5\_KEYUSAGE\_PA\_FX\_COOKIE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE:KRB5_KEYUSAGE_PA_FX_COOKIE}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_FX\_COOKIE}} +\end{fulllineitems} + + +Used for encrypted FAST cookies. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_PA\_FX\_COOKIE} + & +\code{513} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_PA\_OTP\_REQUEST} +\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST:krb5-keyusage-pa-otp-request}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST:krb5-keyusage-pa-otp-request-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST::doc}\index{KRB5\_KEYUSAGE\_PA\_OTP\_REQUEST (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST:KRB5_KEYUSAGE_PA_OTP_REQUEST}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_OTP\_REQUEST}} +\end{fulllineitems} + + +See RFC 6560 section 4.2. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_PA\_OTP\_REQUEST} + & +\code{45} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_PA\_PKINIT\_KX} +\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX:krb5-keyusage-pa-pkinit-kx-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX:krb5-keyusage-pa-pkinit-kx}\index{KRB5\_KEYUSAGE\_PA\_PKINIT\_KX (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX:KRB5_KEYUSAGE_PA_PKINIT_KX}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_PKINIT\_KX}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_PA\_PKINIT\_KX} + & +\code{44} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY} +\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY:krb5-keyusage-pa-s4u-x509-user-reply-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY:krb5-keyusage-pa-s4u-x509-user-reply}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY::doc}\index{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY:KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY}} +\end{fulllineitems} + + +Note conflict with \code{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE} . + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY} + & +\code{27} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST} +\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST:krb5-keyusage-pa-s4u-x509-user-request}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST:krb5-keyusage-pa-s4u-x509-user-request-data}\index{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST:KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST}} +\end{fulllineitems} + + +Note conflict with \code{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID} . + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST} + & +\code{26} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_CKSUM} +\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM:krb5-keyusage-pa-sam-challenge-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM:krb5-keyusage-pa-sam-challenge-cksum}\index{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_CKSUM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM:KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_CKSUM}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_CKSUM} + & +\code{25} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID} +\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID:krb5-keyusage-pa-sam-challenge-trackid}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID:krb5-keyusage-pa-sam-challenge-trackid-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID::doc}\index{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID:KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID}} +\end{fulllineitems} + + +Note conflict with \code{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST} . + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID} + & +\code{26} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE} +\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE:krb5-keyusage-pa-sam-response-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE:krb5-keyusage-pa-sam-response}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE::doc}\index{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE:KRB5_KEYUSAGE_PA_SAM_RESPONSE}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE}} +\end{fulllineitems} + + +Note conflict with \code{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY} . + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE} + & +\code{27} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SESSKEY} +\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY:krb5-keyusage-tgs-rep-encpart-sesskey}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY:krb5-keyusage-tgs-rep-encpart-sesskey-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY::doc}\index{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SESSKEY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY:KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY}\pysigline{\bfcode{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SESSKEY}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SESSKEY} + & +\code{8} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SUBKEY} +\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY:krb5-keyusage-tgs-rep-encpart-subkey-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY:krb5-keyusage-tgs-rep-encpart-subkey}\index{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SUBKEY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY:KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY}\pysigline{\bfcode{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SUBKEY}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SUBKEY} + & +\code{9} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SESSKEY} +\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY:krb5-keyusage-tgs-req-ad-sesskey}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY:krb5-keyusage-tgs-req-ad-sesskey-data}\index{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SESSKEY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY:KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY}\pysigline{\bfcode{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SESSKEY}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SESSKEY} + & +\code{4} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SUBKEY} +\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY:krb5-keyusage-tgs-req-ad-subkey}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY:krb5-keyusage-tgs-req-ad-subkey-data}\index{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SUBKEY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY:KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY}\pysigline{\bfcode{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SUBKEY}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SUBKEY} + & +\code{5} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH} +\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH:krb5-keyusage-tgs-req-auth}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH:krb5-keyusage-tgs-req-auth-data}\index{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH:KRB5_KEYUSAGE_TGS_REQ_AUTH}\pysigline{\bfcode{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH} + & +\code{7} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH\_CKSUM} +\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM:krb5-keyusage-tgs-req-auth-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM:krb5-keyusage-tgs-req-auth-cksum}\index{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH\_CKSUM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM:KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH\_CKSUM}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH\_CKSUM} + & +\code{6} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KPASSWD\_ACCESSDENIED} +\label{appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED:krb5-kpasswd-accessdenied}\label{appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED:krb5-kpasswd-accessdenied-data}\label{appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED::doc}\index{KRB5\_KPASSWD\_ACCESSDENIED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED:KRB5_KPASSWD_ACCESSDENIED}\pysigline{\bfcode{KRB5\_KPASSWD\_ACCESSDENIED}} +\end{fulllineitems} + + +Not authorized. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KPASSWD\_ACCESSDENIED} + & +\code{5} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KPASSWD\_AUTHERROR} +\label{appdev/refs/macros/KRB5_KPASSWD_AUTHERROR:krb5-kpasswd-autherror-data}\label{appdev/refs/macros/KRB5_KPASSWD_AUTHERROR:krb5-kpasswd-autherror}\label{appdev/refs/macros/KRB5_KPASSWD_AUTHERROR::doc}\index{KRB5\_KPASSWD\_AUTHERROR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_AUTHERROR:KRB5_KPASSWD_AUTHERROR}\pysigline{\bfcode{KRB5\_KPASSWD\_AUTHERROR}} +\end{fulllineitems} + + +Authentication error. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KPASSWD\_AUTHERROR} + & +\code{3} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KPASSWD\_BAD\_VERSION} +\label{appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION:krb5-kpasswd-bad-version-data}\label{appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION:krb5-kpasswd-bad-version}\label{appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION::doc}\index{KRB5\_KPASSWD\_BAD\_VERSION (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION:KRB5_KPASSWD_BAD_VERSION}\pysigline{\bfcode{KRB5\_KPASSWD\_BAD\_VERSION}} +\end{fulllineitems} + + +Unknown RPC version. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KPASSWD\_BAD\_VERSION} + & +\code{6} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KPASSWD\_HARDERROR} +\label{appdev/refs/macros/KRB5_KPASSWD_HARDERROR:krb5-kpasswd-harderror}\label{appdev/refs/macros/KRB5_KPASSWD_HARDERROR:krb5-kpasswd-harderror-data}\label{appdev/refs/macros/KRB5_KPASSWD_HARDERROR::doc}\index{KRB5\_KPASSWD\_HARDERROR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_HARDERROR:KRB5_KPASSWD_HARDERROR}\pysigline{\bfcode{KRB5\_KPASSWD\_HARDERROR}} +\end{fulllineitems} + + +Server error. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KPASSWD\_HARDERROR} + & +\code{2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KPASSWD\_INITIAL\_FLAG\_NEEDED} +\label{appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED:krb5-kpasswd-initial-flag-needed}\label{appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED::doc}\label{appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED:krb5-kpasswd-initial-flag-needed-data}\index{KRB5\_KPASSWD\_INITIAL\_FLAG\_NEEDED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED:KRB5_KPASSWD_INITIAL_FLAG_NEEDED}\pysigline{\bfcode{KRB5\_KPASSWD\_INITIAL\_FLAG\_NEEDED}} +\end{fulllineitems} + + +The presented credentials were not obtained using a password directly. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KPASSWD\_INITIAL\_FLAG\_NEEDED} + & +\code{7} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KPASSWD\_MALFORMED} +\label{appdev/refs/macros/KRB5_KPASSWD_MALFORMED:krb5-kpasswd-malformed-data}\label{appdev/refs/macros/KRB5_KPASSWD_MALFORMED:krb5-kpasswd-malformed}\label{appdev/refs/macros/KRB5_KPASSWD_MALFORMED::doc}\index{KRB5\_KPASSWD\_MALFORMED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_MALFORMED:KRB5_KPASSWD_MALFORMED}\pysigline{\bfcode{KRB5\_KPASSWD\_MALFORMED}} +\end{fulllineitems} + + +Malformed request. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KPASSWD\_MALFORMED} + & +\code{1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KPASSWD\_SOFTERROR} +\label{appdev/refs/macros/KRB5_KPASSWD_SOFTERROR::doc}\label{appdev/refs/macros/KRB5_KPASSWD_SOFTERROR:krb5-kpasswd-softerror}\label{appdev/refs/macros/KRB5_KPASSWD_SOFTERROR:krb5-kpasswd-softerror-data}\index{KRB5\_KPASSWD\_SOFTERROR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_SOFTERROR:KRB5_KPASSWD_SOFTERROR}\pysigline{\bfcode{KRB5\_KPASSWD\_SOFTERROR}} +\end{fulllineitems} + + +Password change rejected. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KPASSWD\_SOFTERROR} + & +\code{4} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_KPASSWD\_SUCCESS} +\label{appdev/refs/macros/KRB5_KPASSWD_SUCCESS:krb5-kpasswd-success-data}\label{appdev/refs/macros/KRB5_KPASSWD_SUCCESS::doc}\label{appdev/refs/macros/KRB5_KPASSWD_SUCCESS:krb5-kpasswd-success}\index{KRB5\_KPASSWD\_SUCCESS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_SUCCESS:KRB5_KPASSWD_SUCCESS}\pysigline{\bfcode{KRB5\_KPASSWD\_SUCCESS}} +\end{fulllineitems} + + +Success. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_KPASSWD\_SUCCESS} + & +\code{0} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ALL\_ACCT\_EXPTIME} +\label{appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME::doc}\label{appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME:krb5-lrq-all-acct-exptime}\label{appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME:krb5-lrq-all-acct-exptime-data}\index{KRB5\_LRQ\_ALL\_ACCT\_EXPTIME (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME:KRB5_LRQ_ALL_ACCT_EXPTIME}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_ACCT\_EXPTIME}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ALL\_ACCT\_EXPTIME} + & +\code{7} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ALL\_LAST\_INITIAL} +\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL::doc}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL:krb5-lrq-all-last-initial}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL:krb5-lrq-all-last-initial-data}\index{KRB5\_LRQ\_ALL\_LAST\_INITIAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL:KRB5_LRQ_ALL_LAST_INITIAL}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_LAST\_INITIAL}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ALL\_LAST\_INITIAL} + & +\code{2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ALL\_LAST\_RENEWAL} +\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL:krb5-lrq-all-last-renewal}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL:krb5-lrq-all-last-renewal-data}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL::doc}\index{KRB5\_LRQ\_ALL\_LAST\_RENEWAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL:KRB5_LRQ_ALL_LAST_RENEWAL}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_LAST\_RENEWAL}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ALL\_LAST\_RENEWAL} + & +\code{4} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ALL\_LAST\_REQ} +\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ::doc}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ:krb5-lrq-all-last-req}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ:krb5-lrq-all-last-req-data}\index{KRB5\_LRQ\_ALL\_LAST\_REQ (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ:KRB5_LRQ_ALL_LAST_REQ}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_LAST\_REQ}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ALL\_LAST\_REQ} + & +\code{5} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ALL\_LAST\_TGT} +\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT:krb5-lrq-all-last-tgt-data}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT:krb5-lrq-all-last-tgt}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT::doc}\index{KRB5\_LRQ\_ALL\_LAST\_TGT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT:KRB5_LRQ_ALL_LAST_TGT}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_LAST\_TGT}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ALL\_LAST\_TGT} + & +\code{1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ALL\_LAST\_TGT\_ISSUED} +\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED::doc}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED:krb5-lrq-all-last-tgt-issued}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED:krb5-lrq-all-last-tgt-issued-data}\index{KRB5\_LRQ\_ALL\_LAST\_TGT\_ISSUED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED:KRB5_LRQ_ALL_LAST_TGT_ISSUED}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_LAST\_TGT\_ISSUED}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ALL\_LAST\_TGT\_ISSUED} + & +\code{3} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ALL\_PW\_EXPTIME} +\label{appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME:krb5-lrq-all-pw-exptime-data}\label{appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME::doc}\label{appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME:krb5-lrq-all-pw-exptime}\index{KRB5\_LRQ\_ALL\_PW\_EXPTIME (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME:KRB5_LRQ_ALL_PW_EXPTIME}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_PW\_EXPTIME}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ALL\_PW\_EXPTIME} + & +\code{6} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_NONE} +\label{appdev/refs/macros/KRB5_LRQ_NONE:krb5-lrq-none-data}\label{appdev/refs/macros/KRB5_LRQ_NONE::doc}\label{appdev/refs/macros/KRB5_LRQ_NONE:krb5-lrq-none}\index{KRB5\_LRQ\_NONE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_NONE:KRB5_LRQ_NONE}\pysigline{\bfcode{KRB5\_LRQ\_NONE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_NONE} + & +\code{0} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ONE\_ACCT\_EXPTIME} +\label{appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME::doc}\label{appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME:krb5-lrq-one-acct-exptime}\label{appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME:krb5-lrq-one-acct-exptime-data}\index{KRB5\_LRQ\_ONE\_ACCT\_EXPTIME (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME:KRB5_LRQ_ONE_ACCT_EXPTIME}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_ACCT\_EXPTIME}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ONE\_ACCT\_EXPTIME} + & +\code{(-7)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ONE\_LAST\_INITIAL} +\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL:krb5-lrq-one-last-initial-data}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL::doc}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL:krb5-lrq-one-last-initial}\index{KRB5\_LRQ\_ONE\_LAST\_INITIAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL:KRB5_LRQ_ONE_LAST_INITIAL}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_LAST\_INITIAL}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ONE\_LAST\_INITIAL} + & +\code{(-2)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ONE\_LAST\_RENEWAL} +\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL:krb5-lrq-one-last-renewal-data}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL::doc}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL:krb5-lrq-one-last-renewal}\index{KRB5\_LRQ\_ONE\_LAST\_RENEWAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL:KRB5_LRQ_ONE_LAST_RENEWAL}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_LAST\_RENEWAL}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ONE\_LAST\_RENEWAL} + & +\code{(-4)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ONE\_LAST\_REQ} +\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ::doc}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ:krb5-lrq-one-last-req}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ:krb5-lrq-one-last-req-data}\index{KRB5\_LRQ\_ONE\_LAST\_REQ (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ:KRB5_LRQ_ONE_LAST_REQ}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_LAST\_REQ}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ONE\_LAST\_REQ} + & +\code{(-5)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ONE\_LAST\_TGT} +\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT:krb5-lrq-one-last-tgt-data}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT::doc}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT:krb5-lrq-one-last-tgt}\index{KRB5\_LRQ\_ONE\_LAST\_TGT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT:KRB5_LRQ_ONE_LAST_TGT}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_LAST\_TGT}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ONE\_LAST\_TGT} + & +\code{(-1)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ONE\_LAST\_TGT\_ISSUED} +\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED:krb5-lrq-one-last-tgt-issued}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED:krb5-lrq-one-last-tgt-issued-data}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED::doc}\index{KRB5\_LRQ\_ONE\_LAST\_TGT\_ISSUED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED:KRB5_LRQ_ONE_LAST_TGT_ISSUED}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_LAST\_TGT\_ISSUED}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ONE\_LAST\_TGT\_ISSUED} + & +\code{(-3)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_LRQ\_ONE\_PW\_EXPTIME} +\label{appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME:krb5-lrq-one-pw-exptime}\label{appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME:krb5-lrq-one-pw-exptime-data}\label{appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME::doc}\index{KRB5\_LRQ\_ONE\_PW\_EXPTIME (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME:KRB5_LRQ_ONE_PW_EXPTIME}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_PW\_EXPTIME}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_LRQ\_ONE\_PW\_EXPTIME} + & +\code{(-6)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_NT\_ENTERPRISE\_PRINCIPAL} +\label{appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL:krb5-nt-enterprise-principal-data}\label{appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL:krb5-nt-enterprise-principal}\label{appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL::doc}\index{KRB5\_NT\_ENTERPRISE\_PRINCIPAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL:KRB5_NT_ENTERPRISE_PRINCIPAL}\pysigline{\bfcode{KRB5\_NT\_ENTERPRISE\_PRINCIPAL}} +\end{fulllineitems} + + +Windows 2000 UPN. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_NT\_ENTERPRISE\_PRINCIPAL} + & +\code{10} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_NT\_ENT\_PRINCIPAL\_AND\_ID} +\label{appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID:krb5-nt-ent-principal-and-id-data}\label{appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID::doc}\label{appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID:krb5-nt-ent-principal-and-id}\index{KRB5\_NT\_ENT\_PRINCIPAL\_AND\_ID (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID:KRB5_NT_ENT_PRINCIPAL_AND_ID}\pysigline{\bfcode{KRB5\_NT\_ENT\_PRINCIPAL\_AND\_ID}} +\end{fulllineitems} + + +NT 4 style name and SID. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_NT\_ENT\_PRINCIPAL\_AND\_ID} + & +\code{-130} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_NT\_MS\_PRINCIPAL} +\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL::doc}\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL:krb5-nt-ms-principal}\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL:krb5-nt-ms-principal-data}\index{KRB5\_NT\_MS\_PRINCIPAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL:KRB5_NT_MS_PRINCIPAL}\pysigline{\bfcode{KRB5\_NT\_MS\_PRINCIPAL}} +\end{fulllineitems} + + +Windows 2000 UPN and SID. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_NT\_MS\_PRINCIPAL} + & +\code{-128} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_NT\_MS\_PRINCIPAL\_AND\_ID} +\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID:krb5-nt-ms-principal-and-id-data}\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID::doc}\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID:krb5-nt-ms-principal-and-id}\index{KRB5\_NT\_MS\_PRINCIPAL\_AND\_ID (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID:KRB5_NT_MS_PRINCIPAL_AND_ID}\pysigline{\bfcode{KRB5\_NT\_MS\_PRINCIPAL\_AND\_ID}} +\end{fulllineitems} + + +NT 4 style name. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_NT\_MS\_PRINCIPAL\_AND\_ID} + & +\code{-129} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_NT\_PRINCIPAL} +\label{appdev/refs/macros/KRB5_NT_PRINCIPAL:krb5-nt-principal}\label{appdev/refs/macros/KRB5_NT_PRINCIPAL::doc}\label{appdev/refs/macros/KRB5_NT_PRINCIPAL:krb5-nt-principal-data}\index{KRB5\_NT\_PRINCIPAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_NT_PRINCIPAL:KRB5_NT_PRINCIPAL}\pysigline{\bfcode{KRB5\_NT\_PRINCIPAL}} +\end{fulllineitems} + + +Just the name of the principal as in DCE, or for users. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_NT\_PRINCIPAL} + & +\code{1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_NT\_SMTP\_NAME} +\label{appdev/refs/macros/KRB5_NT_SMTP_NAME:krb5-nt-smtp-name}\label{appdev/refs/macros/KRB5_NT_SMTP_NAME:krb5-nt-smtp-name-data}\label{appdev/refs/macros/KRB5_NT_SMTP_NAME::doc}\index{KRB5\_NT\_SMTP\_NAME (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_NT_SMTP_NAME:KRB5_NT_SMTP_NAME}\pysigline{\bfcode{KRB5\_NT\_SMTP\_NAME}} +\end{fulllineitems} + + +Name in form of SMTP email name. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_NT\_SMTP\_NAME} + & +\code{7} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_NT\_SRV\_HST} +\label{appdev/refs/macros/KRB5_NT_SRV_HST:krb5-nt-srv-hst-data}\label{appdev/refs/macros/KRB5_NT_SRV_HST::doc}\label{appdev/refs/macros/KRB5_NT_SRV_HST:krb5-nt-srv-hst}\index{KRB5\_NT\_SRV\_HST (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_NT_SRV_HST:KRB5_NT_SRV_HST}\pysigline{\bfcode{KRB5\_NT\_SRV\_HST}} +\end{fulllineitems} + + +Service with host name as instance (telnet, rcommands) + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_NT\_SRV\_HST} + & +\code{3} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_NT\_SRV\_INST} +\label{appdev/refs/macros/KRB5_NT_SRV_INST:krb5-nt-srv-inst-data}\label{appdev/refs/macros/KRB5_NT_SRV_INST::doc}\label{appdev/refs/macros/KRB5_NT_SRV_INST:krb5-nt-srv-inst}\index{KRB5\_NT\_SRV\_INST (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_NT_SRV_INST:KRB5_NT_SRV_INST}\pysigline{\bfcode{KRB5\_NT\_SRV\_INST}} +\end{fulllineitems} + + +Service and other unique instance (krbtgt) + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_NT\_SRV\_INST} + & +\code{2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_NT\_SRV\_XHST} +\label{appdev/refs/macros/KRB5_NT_SRV_XHST:krb5-nt-srv-xhst}\label{appdev/refs/macros/KRB5_NT_SRV_XHST:krb5-nt-srv-xhst-data}\label{appdev/refs/macros/KRB5_NT_SRV_XHST::doc}\index{KRB5\_NT\_SRV\_XHST (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_NT_SRV_XHST:KRB5_NT_SRV_XHST}\pysigline{\bfcode{KRB5\_NT\_SRV\_XHST}} +\end{fulllineitems} + + +Service with host as remaining components. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_NT\_SRV\_XHST} + & +\code{4} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_NT\_UID} +\label{appdev/refs/macros/KRB5_NT_UID:krb5-nt-uid}\label{appdev/refs/macros/KRB5_NT_UID:krb5-nt-uid-data}\label{appdev/refs/macros/KRB5_NT_UID::doc}\index{KRB5\_NT\_UID (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_NT_UID:KRB5_NT_UID}\pysigline{\bfcode{KRB5\_NT\_UID}} +\end{fulllineitems} + + +Unique ID. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_NT\_UID} + & +\code{5} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_NT\_UNKNOWN} +\label{appdev/refs/macros/KRB5_NT_UNKNOWN::doc}\label{appdev/refs/macros/KRB5_NT_UNKNOWN:krb5-nt-unknown}\label{appdev/refs/macros/KRB5_NT_UNKNOWN:krb5-nt-unknown-data}\index{KRB5\_NT\_UNKNOWN (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_NT_UNKNOWN:KRB5_NT_UNKNOWN}\pysigline{\bfcode{KRB5\_NT\_UNKNOWN}} +\end{fulllineitems} + + +Name type not known. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_NT\_UNKNOWN} + & +\code{0} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_NT\_WELLKNOWN} +\label{appdev/refs/macros/KRB5_NT_WELLKNOWN:krb5-nt-wellknown-data}\label{appdev/refs/macros/KRB5_NT_WELLKNOWN:krb5-nt-wellknown}\label{appdev/refs/macros/KRB5_NT_WELLKNOWN::doc}\index{KRB5\_NT\_WELLKNOWN (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_NT_WELLKNOWN:KRB5_NT_WELLKNOWN}\pysigline{\bfcode{KRB5\_NT\_WELLKNOWN}} +\end{fulllineitems} + + +Well-known (special) principal. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_NT\_WELLKNOWN} + & +\code{11} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_NT\_X500\_PRINCIPAL} +\label{appdev/refs/macros/KRB5_NT_X500_PRINCIPAL:krb5-nt-x500-principal-data}\label{appdev/refs/macros/KRB5_NT_X500_PRINCIPAL::doc}\label{appdev/refs/macros/KRB5_NT_X500_PRINCIPAL:krb5-nt-x500-principal}\index{KRB5\_NT\_X500\_PRINCIPAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_NT_X500_PRINCIPAL:KRB5_NT_X500_PRINCIPAL}\pysigline{\bfcode{KRB5\_NT\_X500\_PRINCIPAL}} +\end{fulllineitems} + + +PKINIT. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_NT\_X500\_PRINCIPAL} + & +\code{6} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PAC\_CLIENT\_INFO} +\label{appdev/refs/macros/KRB5_PAC_CLIENT_INFO:krb5-pac-client-info}\label{appdev/refs/macros/KRB5_PAC_CLIENT_INFO::doc}\label{appdev/refs/macros/KRB5_PAC_CLIENT_INFO:krb5-pac-client-info-data}\index{KRB5\_PAC\_CLIENT\_INFO (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PAC_CLIENT_INFO:KRB5_PAC_CLIENT_INFO}\pysigline{\bfcode{KRB5\_PAC\_CLIENT\_INFO}} +\end{fulllineitems} + + +Client name and ticket info. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PAC\_CLIENT\_INFO} + & +\code{10} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PAC\_CREDENTIALS\_INFO} +\label{appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO::doc}\label{appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO:krb5-pac-credentials-info}\label{appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO:krb5-pac-credentials-info-data}\index{KRB5\_PAC\_CREDENTIALS\_INFO (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO:KRB5_PAC_CREDENTIALS_INFO}\pysigline{\bfcode{KRB5\_PAC\_CREDENTIALS\_INFO}} +\end{fulllineitems} + + +Credentials information. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PAC\_CREDENTIALS\_INFO} + & +\code{2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PAC\_DELEGATION\_INFO} +\label{appdev/refs/macros/KRB5_PAC_DELEGATION_INFO::doc}\label{appdev/refs/macros/KRB5_PAC_DELEGATION_INFO:krb5-pac-delegation-info-data}\label{appdev/refs/macros/KRB5_PAC_DELEGATION_INFO:krb5-pac-delegation-info}\index{KRB5\_PAC\_DELEGATION\_INFO (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PAC_DELEGATION_INFO:KRB5_PAC_DELEGATION_INFO}\pysigline{\bfcode{KRB5\_PAC\_DELEGATION\_INFO}} +\end{fulllineitems} + + +Constrained delegation info. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PAC\_DELEGATION\_INFO} + & +\code{11} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PAC\_LOGON\_INFO} +\label{appdev/refs/macros/KRB5_PAC_LOGON_INFO:krb5-pac-logon-info}\label{appdev/refs/macros/KRB5_PAC_LOGON_INFO:krb5-pac-logon-info-data}\label{appdev/refs/macros/KRB5_PAC_LOGON_INFO::doc}\index{KRB5\_PAC\_LOGON\_INFO (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PAC_LOGON_INFO:KRB5_PAC_LOGON_INFO}\pysigline{\bfcode{KRB5\_PAC\_LOGON\_INFO}} +\end{fulllineitems} + + +Logon information. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PAC\_LOGON\_INFO} + & +\code{1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PAC\_PRIVSVR\_CHECKSUM} +\label{appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM:krb5-pac-privsvr-checksum-data}\label{appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM::doc}\label{appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM:krb5-pac-privsvr-checksum}\index{KRB5\_PAC\_PRIVSVR\_CHECKSUM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM:KRB5_PAC_PRIVSVR_CHECKSUM}\pysigline{\bfcode{KRB5\_PAC\_PRIVSVR\_CHECKSUM}} +\end{fulllineitems} + + +KDC checksum. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PAC\_PRIVSVR\_CHECKSUM} + & +\code{7} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PAC\_SERVER\_CHECKSUM} +\label{appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM:krb5-pac-server-checksum-data}\label{appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM:krb5-pac-server-checksum}\label{appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM::doc}\index{KRB5\_PAC\_SERVER\_CHECKSUM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM:KRB5_PAC_SERVER_CHECKSUM}\pysigline{\bfcode{KRB5\_PAC\_SERVER\_CHECKSUM}} +\end{fulllineitems} + + +Server checksum. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PAC\_SERVER\_CHECKSUM} + & +\code{6} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PAC\_UPN\_DNS\_INFO} +\label{appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO:krb5-pac-upn-dns-info-data}\label{appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO::doc}\label{appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO:krb5-pac-upn-dns-info}\index{KRB5\_PAC\_UPN\_DNS\_INFO (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO:KRB5_PAC_UPN_DNS_INFO}\pysigline{\bfcode{KRB5\_PAC\_UPN\_DNS\_INFO}} +\end{fulllineitems} + + +User principal name and DNS info. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PAC\_UPN\_DNS\_INFO} + & +\code{12} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_AFS3\_SALT} +\label{appdev/refs/macros/KRB5_PADATA_AFS3_SALT::doc}\label{appdev/refs/macros/KRB5_PADATA_AFS3_SALT:krb5-padata-afs3-salt}\label{appdev/refs/macros/KRB5_PADATA_AFS3_SALT:krb5-padata-afs3-salt-data}\index{KRB5\_PADATA\_AFS3\_SALT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_AFS3_SALT:KRB5_PADATA_AFS3_SALT}\pysigline{\bfcode{KRB5\_PADATA\_AFS3\_SALT}} +\end{fulllineitems} + + +Cygnus. + +RFC 4120, 3961 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_AFS3\_SALT} + & +\code{10} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_AP\_REQ} +\label{appdev/refs/macros/KRB5_PADATA_AP_REQ::doc}\label{appdev/refs/macros/KRB5_PADATA_AP_REQ:krb5-padata-ap-req-data}\label{appdev/refs/macros/KRB5_PADATA_AP_REQ:krb5-padata-ap-req}\index{KRB5\_PADATA\_AP\_REQ (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_AP_REQ:KRB5_PADATA_AP_REQ}\pysigline{\bfcode{KRB5\_PADATA\_AP\_REQ}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_AP\_REQ} + & +\code{1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_AS\_CHECKSUM} +\label{appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM:krb5-padata-as-checksum}\label{appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM:krb5-padata-as-checksum-data}\label{appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM::doc}\index{KRB5\_PADATA\_AS\_CHECKSUM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM:KRB5_PADATA_AS_CHECKSUM}\pysigline{\bfcode{KRB5\_PADATA\_AS\_CHECKSUM}} +\end{fulllineitems} + + +AS checksum. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_AS\_CHECKSUM} + & +\code{132} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_ENCRYPTED\_CHALLENGE} +\label{appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE:krb5-padata-encrypted-challenge-data}\label{appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE:krb5-padata-encrypted-challenge}\label{appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE::doc}\index{KRB5\_PADATA\_ENCRYPTED\_CHALLENGE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE:KRB5_PADATA_ENCRYPTED_CHALLENGE}\pysigline{\bfcode{KRB5\_PADATA\_ENCRYPTED\_CHALLENGE}} +\end{fulllineitems} + + +RFC 6113. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_ENCRYPTED\_CHALLENGE} + & +\code{138} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_ENC\_SANDIA\_SECURID} +\label{appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID:krb5-padata-enc-sandia-securid-data}\label{appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID:krb5-padata-enc-sandia-securid}\label{appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID::doc}\index{KRB5\_PADATA\_ENC\_SANDIA\_SECURID (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID:KRB5_PADATA_ENC_SANDIA_SECURID}\pysigline{\bfcode{KRB5\_PADATA\_ENC\_SANDIA\_SECURID}} +\end{fulllineitems} + + +SecurId passcode. + +RFC 4120 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_ENC\_SANDIA\_SECURID} + & +\code{6} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_ENC\_TIMESTAMP} +\label{appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP::doc}\label{appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP:krb5-padata-enc-timestamp}\label{appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP:krb5-padata-enc-timestamp-data}\index{KRB5\_PADATA\_ENC\_TIMESTAMP (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP:KRB5_PADATA_ENC_TIMESTAMP}\pysigline{\bfcode{KRB5\_PADATA\_ENC\_TIMESTAMP}} +\end{fulllineitems} + + +RFC 4120. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_ENC\_TIMESTAMP} + & +\code{2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_ENC\_UNIX\_TIME} +\label{appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME:krb5-padata-enc-unix-time}\label{appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME:krb5-padata-enc-unix-time-data}\label{appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME::doc}\index{KRB5\_PADATA\_ENC\_UNIX\_TIME (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME:KRB5_PADATA_ENC_UNIX_TIME}\pysigline{\bfcode{KRB5\_PADATA\_ENC\_UNIX\_TIME}} +\end{fulllineitems} + + +timestamp encrypted in key. + +RFC 4120 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_ENC\_UNIX\_TIME} + & +\code{5} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_ETYPE\_INFO} +\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO::doc}\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO:krb5-padata-etype-info}\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO:krb5-padata-etype-info-data}\index{KRB5\_PADATA\_ETYPE\_INFO (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO:KRB5_PADATA_ETYPE_INFO}\pysigline{\bfcode{KRB5\_PADATA\_ETYPE\_INFO}} +\end{fulllineitems} + + +Etype info for preauth. + +RFC 4120 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_ETYPE\_INFO} + & +\code{11} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_ETYPE\_INFO2} +\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2:krb5-padata-etype-info2-data}\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2:krb5-padata-etype-info2}\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2::doc}\index{KRB5\_PADATA\_ETYPE\_INFO2 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2:KRB5_PADATA_ETYPE_INFO2}\pysigline{\bfcode{KRB5\_PADATA\_ETYPE\_INFO2}} +\end{fulllineitems} + + +RFC 4120. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_ETYPE\_INFO2} + & +\code{19} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_FOR\_USER} +\label{appdev/refs/macros/KRB5_PADATA_FOR_USER:krb5-padata-for-user}\label{appdev/refs/macros/KRB5_PADATA_FOR_USER::doc}\label{appdev/refs/macros/KRB5_PADATA_FOR_USER:krb5-padata-for-user-data}\index{KRB5\_PADATA\_FOR\_USER (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_FOR_USER:KRB5_PADATA_FOR_USER}\pysigline{\bfcode{KRB5\_PADATA\_FOR\_USER}} +\end{fulllineitems} + + +username protocol transition request + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_FOR\_USER} + & +\code{129} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_FX\_COOKIE} +\label{appdev/refs/macros/KRB5_PADATA_FX_COOKIE:krb5-padata-fx-cookie}\label{appdev/refs/macros/KRB5_PADATA_FX_COOKIE::doc}\label{appdev/refs/macros/KRB5_PADATA_FX_COOKIE:krb5-padata-fx-cookie-data}\index{KRB5\_PADATA\_FX\_COOKIE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_FX_COOKIE:KRB5_PADATA_FX_COOKIE}\pysigline{\bfcode{KRB5\_PADATA\_FX\_COOKIE}} +\end{fulllineitems} + + +RFC 6113. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_FX\_COOKIE} + & +\code{133} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_FX\_ERROR} +\label{appdev/refs/macros/KRB5_PADATA_FX_ERROR:krb5-padata-fx-error}\label{appdev/refs/macros/KRB5_PADATA_FX_ERROR::doc}\label{appdev/refs/macros/KRB5_PADATA_FX_ERROR:krb5-padata-fx-error-data}\index{KRB5\_PADATA\_FX\_ERROR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_FX_ERROR:KRB5_PADATA_FX_ERROR}\pysigline{\bfcode{KRB5\_PADATA\_FX\_ERROR}} +\end{fulllineitems} + + +RFC 6113. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_FX\_ERROR} + & +\code{137} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_FX\_FAST} +\label{appdev/refs/macros/KRB5_PADATA_FX_FAST::doc}\label{appdev/refs/macros/KRB5_PADATA_FX_FAST:krb5-padata-fx-fast}\label{appdev/refs/macros/KRB5_PADATA_FX_FAST:krb5-padata-fx-fast-data}\index{KRB5\_PADATA\_FX\_FAST (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_FX_FAST:KRB5_PADATA_FX_FAST}\pysigline{\bfcode{KRB5\_PADATA\_FX\_FAST}} +\end{fulllineitems} + + +RFC 6113. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_FX\_FAST} + & +\code{136} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_GET\_FROM\_TYPED\_DATA} +\label{appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA:krb5-padata-get-from-typed-data-data}\label{appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA::doc}\label{appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA:krb5-padata-get-from-typed-data}\index{KRB5\_PADATA\_GET\_FROM\_TYPED\_DATA (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA:KRB5_PADATA_GET_FROM_TYPED_DATA}\pysigline{\bfcode{KRB5\_PADATA\_GET\_FROM\_TYPED\_DATA}} +\end{fulllineitems} + + +Embedded in typed data. + +RFC 4120 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_GET\_FROM\_TYPED\_DATA} + & +\code{22} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_NONE} +\label{appdev/refs/macros/KRB5_PADATA_NONE:krb5-padata-none-data}\label{appdev/refs/macros/KRB5_PADATA_NONE:krb5-padata-none}\label{appdev/refs/macros/KRB5_PADATA_NONE::doc}\index{KRB5\_PADATA\_NONE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_NONE:KRB5_PADATA_NONE}\pysigline{\bfcode{KRB5\_PADATA\_NONE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_NONE} + & +\code{0} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_OSF\_DCE} +\label{appdev/refs/macros/KRB5_PADATA_OSF_DCE:krb5-padata-osf-dce}\label{appdev/refs/macros/KRB5_PADATA_OSF_DCE::doc}\label{appdev/refs/macros/KRB5_PADATA_OSF_DCE:krb5-padata-osf-dce-data}\index{KRB5\_PADATA\_OSF\_DCE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_OSF_DCE:KRB5_PADATA_OSF_DCE}\pysigline{\bfcode{KRB5\_PADATA\_OSF\_DCE}} +\end{fulllineitems} + + +OSF DCE. + +RFC 4120 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_OSF\_DCE} + & +\code{8} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_OTP\_CHALLENGE} +\label{appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE::doc}\label{appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE:krb5-padata-otp-challenge}\label{appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE:krb5-padata-otp-challenge-data}\index{KRB5\_PADATA\_OTP\_CHALLENGE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE:KRB5_PADATA_OTP_CHALLENGE}\pysigline{\bfcode{KRB5\_PADATA\_OTP\_CHALLENGE}} +\end{fulllineitems} + + +RFC 6560 section 4.1. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_OTP\_CHALLENGE} + & +\code{141} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_OTP\_PIN\_CHANGE} +\label{appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE::doc}\label{appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE:krb5-padata-otp-pin-change}\label{appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE:krb5-padata-otp-pin-change-data}\index{KRB5\_PADATA\_OTP\_PIN\_CHANGE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE:KRB5_PADATA_OTP_PIN_CHANGE}\pysigline{\bfcode{KRB5\_PADATA\_OTP\_PIN\_CHANGE}} +\end{fulllineitems} + + +RFC 6560 section 4.3. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_OTP\_PIN\_CHANGE} + & +\code{144} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_OTP\_REQUEST} +\label{appdev/refs/macros/KRB5_PADATA_OTP_REQUEST:krb5-padata-otp-request}\label{appdev/refs/macros/KRB5_PADATA_OTP_REQUEST::doc}\label{appdev/refs/macros/KRB5_PADATA_OTP_REQUEST:krb5-padata-otp-request-data}\index{KRB5\_PADATA\_OTP\_REQUEST (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_OTP_REQUEST:KRB5_PADATA_OTP_REQUEST}\pysigline{\bfcode{KRB5\_PADATA\_OTP\_REQUEST}} +\end{fulllineitems} + + +RFC 6560 section 4.2. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_OTP\_REQUEST} + & +\code{142} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_PAC\_REQUEST} +\label{appdev/refs/macros/KRB5_PADATA_PAC_REQUEST:krb5-padata-pac-request-data}\label{appdev/refs/macros/KRB5_PADATA_PAC_REQUEST:krb5-padata-pac-request}\label{appdev/refs/macros/KRB5_PADATA_PAC_REQUEST::doc}\index{KRB5\_PADATA\_PAC\_REQUEST (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PAC_REQUEST:KRB5_PADATA_PAC_REQUEST}\pysigline{\bfcode{KRB5\_PADATA\_PAC\_REQUEST}} +\end{fulllineitems} + + +include Windows PAC + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_PAC\_REQUEST} + & +\code{128} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_PKINIT\_KX} +\label{appdev/refs/macros/KRB5_PADATA_PKINIT_KX:krb5-padata-pkinit-kx}\label{appdev/refs/macros/KRB5_PADATA_PKINIT_KX:krb5-padata-pkinit-kx-data}\label{appdev/refs/macros/KRB5_PADATA_PKINIT_KX::doc}\index{KRB5\_PADATA\_PKINIT\_KX (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PKINIT_KX:KRB5_PADATA_PKINIT_KX}\pysigline{\bfcode{KRB5\_PADATA\_PKINIT\_KX}} +\end{fulllineitems} + + +RFC 6112. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_PKINIT\_KX} + & +\code{147} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_PK\_AS\_REP} +\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP:krb5-padata-pk-as-rep-data}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP:krb5-padata-pk-as-rep}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP::doc}\index{KRB5\_PADATA\_PK\_AS\_REP (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP:KRB5_PADATA_PK_AS_REP}\pysigline{\bfcode{KRB5\_PADATA\_PK\_AS\_REP}} +\end{fulllineitems} + + +PKINIT. + +RFC 4556 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_PK\_AS\_REP} + & +\code{17} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_PK\_AS\_REP\_OLD} +\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD:krb5-padata-pk-as-rep-old-data}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD::doc}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD:krb5-padata-pk-as-rep-old}\index{KRB5\_PADATA\_PK\_AS\_REP\_OLD (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD:KRB5_PADATA_PK_AS_REP_OLD}\pysigline{\bfcode{KRB5\_PADATA\_PK\_AS\_REP\_OLD}} +\end{fulllineitems} + + +PKINIT. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_PK\_AS\_REP\_OLD} + & +\code{15} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_PK\_AS\_REQ} +\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ::doc}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ:krb5-padata-pk-as-req}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ:krb5-padata-pk-as-req-data}\index{KRB5\_PADATA\_PK\_AS\_REQ (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ:KRB5_PADATA_PK_AS_REQ}\pysigline{\bfcode{KRB5\_PADATA\_PK\_AS\_REQ}} +\end{fulllineitems} + + +PKINIT. + +RFC 4556 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_PK\_AS\_REQ} + & +\code{16} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_PK\_AS\_REQ\_OLD} +\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD:krb5-padata-pk-as-req-old}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD:krb5-padata-pk-as-req-old-data}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD::doc}\index{KRB5\_PADATA\_PK\_AS\_REQ\_OLD (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD:KRB5_PADATA_PK_AS_REQ_OLD}\pysigline{\bfcode{KRB5\_PADATA\_PK\_AS\_REQ\_OLD}} +\end{fulllineitems} + + +PKINIT. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_PK\_AS\_REQ\_OLD} + & +\code{14} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_PW\_SALT} +\label{appdev/refs/macros/KRB5_PADATA_PW_SALT:krb5-padata-pw-salt-data}\label{appdev/refs/macros/KRB5_PADATA_PW_SALT:krb5-padata-pw-salt}\label{appdev/refs/macros/KRB5_PADATA_PW_SALT::doc}\index{KRB5\_PADATA\_PW\_SALT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PW_SALT:KRB5_PADATA_PW_SALT}\pysigline{\bfcode{KRB5\_PADATA\_PW\_SALT}} +\end{fulllineitems} + + +RFC 4120. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_PW\_SALT} + & +\code{3} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_REFERRAL} +\label{appdev/refs/macros/KRB5_PADATA_REFERRAL:krb5-padata-referral}\label{appdev/refs/macros/KRB5_PADATA_REFERRAL::doc}\label{appdev/refs/macros/KRB5_PADATA_REFERRAL:krb5-padata-referral-data}\index{KRB5\_PADATA\_REFERRAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_REFERRAL:KRB5_PADATA_REFERRAL}\pysigline{\bfcode{KRB5\_PADATA\_REFERRAL}} +\end{fulllineitems} + + +draft referral system + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_REFERRAL} + & +\code{25} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_S4U\_X509\_USER} +\label{appdev/refs/macros/KRB5_PADATA_S4U_X509_USER:krb5-padata-s4u-x509-user-data}\label{appdev/refs/macros/KRB5_PADATA_S4U_X509_USER::doc}\label{appdev/refs/macros/KRB5_PADATA_S4U_X509_USER:krb5-padata-s4u-x509-user}\index{KRB5\_PADATA\_S4U\_X509\_USER (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_S4U_X509_USER:KRB5_PADATA_S4U_X509_USER}\pysigline{\bfcode{KRB5\_PADATA\_S4U\_X509\_USER}} +\end{fulllineitems} + + +certificate protocol transition request + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_S4U\_X509\_USER} + & +\code{130} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_SAM\_CHALLENGE} +\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE:krb5-padata-sam-challenge-data}\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE::doc}\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE:krb5-padata-sam-challenge}\index{KRB5\_PADATA\_SAM\_CHALLENGE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE:KRB5_PADATA_SAM_CHALLENGE}\pysigline{\bfcode{KRB5\_PADATA\_SAM\_CHALLENGE}} +\end{fulllineitems} + + +SAM/OTP. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_SAM\_CHALLENGE} + & +\code{12} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_SAM\_CHALLENGE\_2} +\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2:krb5-padata-sam-challenge-2-data}\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2:krb5-padata-sam-challenge-2}\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2::doc}\index{KRB5\_PADATA\_SAM\_CHALLENGE\_2 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2:KRB5_PADATA_SAM_CHALLENGE_2}\pysigline{\bfcode{KRB5\_PADATA\_SAM\_CHALLENGE\_2}} +\end{fulllineitems} + + +draft challenge system, updated + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_SAM\_CHALLENGE\_2} + & +\code{30} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_SAM\_REDIRECT} +\label{appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT::doc}\label{appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT:krb5-padata-sam-redirect-data}\label{appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT:krb5-padata-sam-redirect}\index{KRB5\_PADATA\_SAM\_REDIRECT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT:KRB5_PADATA_SAM_REDIRECT}\pysigline{\bfcode{KRB5\_PADATA\_SAM\_REDIRECT}} +\end{fulllineitems} + + +SAM/OTP. + +RFC 4120 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_SAM\_REDIRECT} + & +\code{21} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_SAM\_RESPONSE} +\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE:krb5-padata-sam-response-data}\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE::doc}\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE:krb5-padata-sam-response}\index{KRB5\_PADATA\_SAM\_RESPONSE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE:KRB5_PADATA_SAM_RESPONSE}\pysigline{\bfcode{KRB5\_PADATA\_SAM\_RESPONSE}} +\end{fulllineitems} + + +SAM/OTP. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_SAM\_RESPONSE} + & +\code{13} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_SAM\_RESPONSE\_2} +\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2::doc}\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2:krb5-padata-sam-response-2}\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2:krb5-padata-sam-response-2-data}\index{KRB5\_PADATA\_SAM\_RESPONSE\_2 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2:KRB5_PADATA_SAM_RESPONSE_2}\pysigline{\bfcode{KRB5\_PADATA\_SAM\_RESPONSE\_2}} +\end{fulllineitems} + + +draft challenge system, updated + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_SAM\_RESPONSE\_2} + & +\code{31} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_SESAME} +\label{appdev/refs/macros/KRB5_PADATA_SESAME::doc}\label{appdev/refs/macros/KRB5_PADATA_SESAME:krb5-padata-sesame}\label{appdev/refs/macros/KRB5_PADATA_SESAME:krb5-padata-sesame-data}\index{KRB5\_PADATA\_SESAME (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SESAME:KRB5_PADATA_SESAME}\pysigline{\bfcode{KRB5\_PADATA\_SESAME}} +\end{fulllineitems} + + +Sesame project. + +RFC 4120 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_SESAME} + & +\code{7} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_SVR\_REFERRAL\_INFO} +\label{appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO::doc}\label{appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO:krb5-padata-svr-referral-info}\label{appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO:krb5-padata-svr-referral-info-data}\index{KRB5\_PADATA\_SVR\_REFERRAL\_INFO (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO:KRB5_PADATA_SVR_REFERRAL_INFO}\pysigline{\bfcode{KRB5\_PADATA\_SVR\_REFERRAL\_INFO}} +\end{fulllineitems} + + +Windows 2000 referrals. + +RFC 6820 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_SVR\_REFERRAL\_INFO} + & +\code{20} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_TGS\_REQ} +\label{appdev/refs/macros/KRB5_PADATA_TGS_REQ::doc}\label{appdev/refs/macros/KRB5_PADATA_TGS_REQ:krb5-padata-tgs-req}\label{appdev/refs/macros/KRB5_PADATA_TGS_REQ:krb5-padata-tgs-req-data}\index{KRB5\_PADATA\_TGS\_REQ (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_TGS_REQ:KRB5_PADATA_TGS_REQ}\pysigline{\bfcode{KRB5\_PADATA\_TGS\_REQ}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_TGS\_REQ} + & +\code{KRB5\_PADATA\_AP\_REQ} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PADATA\_USE\_SPECIFIED\_KVNO} +\label{appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO:krb5-padata-use-specified-kvno}\label{appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO:krb5-padata-use-specified-kvno-data}\label{appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO::doc}\index{KRB5\_PADATA\_USE\_SPECIFIED\_KVNO (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO:KRB5_PADATA_USE_SPECIFIED_KVNO}\pysigline{\bfcode{KRB5\_PADATA\_USE\_SPECIFIED\_KVNO}} +\end{fulllineitems} + + +RFC 4120. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PADATA\_USE\_SPECIFIED\_KVNO} + & +\code{20} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD} +\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD:krb5-principal-compare-casefold-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD:krb5-principal-compare-casefold}\index{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD:KRB5_PRINCIPAL_COMPARE_CASEFOLD}\pysigline{\bfcode{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD}} +\end{fulllineitems} + + +case-insensitive + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD} + & +\code{4} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE} +\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE:krb5-principal-compare-enterprise}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE:krb5-principal-compare-enterprise-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE::doc}\index{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE:KRB5_PRINCIPAL_COMPARE_ENTERPRISE}\pysigline{\bfcode{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE}} +\end{fulllineitems} + + +UPNs as real principals. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE} + & +\code{2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM} +\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:krb5-principal-compare-ignore-realm}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:krb5-principal-compare-ignore-realm-data}\index{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:KRB5_PRINCIPAL_COMPARE_IGNORE_REALM}\pysigline{\bfcode{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM}} +\end{fulllineitems} + + +ignore realm component + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM} + & +\code{1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PRINCIPAL\_COMPARE\_UTF8} +\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8:krb5-principal-compare-utf8-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8:krb5-principal-compare-utf8}\index{KRB5\_PRINCIPAL\_COMPARE\_UTF8 (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8:KRB5_PRINCIPAL_COMPARE_UTF8}\pysigline{\bfcode{KRB5\_PRINCIPAL\_COMPARE\_UTF8}} +\end{fulllineitems} + + +treat principals as UTF-8 + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PRINCIPAL\_COMPARE\_UTF8} + & +\code{8} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE} +\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE:krb5-principal-parse-enterprise-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE:krb5-principal-parse-enterprise}\index{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE:KRB5_PRINCIPAL_PARSE_ENTERPRISE}\pysigline{\bfcode{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE}} +\end{fulllineitems} + + +Create single-component enterprise principle. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE} + & +\code{0x4} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM} +\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM:krb5-principal-parse-ignore-realm}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM:krb5-principal-parse-ignore-realm-data}\index{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM:KRB5_PRINCIPAL_PARSE_IGNORE_REALM}\pysigline{\bfcode{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM}} +\end{fulllineitems} + + +Ignore realm if present. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM} + & +\code{0x8} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM} +\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM:krb5-principal-parse-no-realm-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM:krb5-principal-parse-no-realm}\index{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM:KRB5_PRINCIPAL_PARSE_NO_REALM}\pysigline{\bfcode{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM}} +\end{fulllineitems} + + +Error if realm is present. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM} + & +\code{0x1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM} +\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:krb5-principal-parse-require-realm}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:krb5-principal-parse-require-realm-data}\index{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:KRB5_PRINCIPAL_PARSE_REQUIRE_REALM}\pysigline{\bfcode{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM}} +\end{fulllineitems} + + +Error if realm is not present. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM} + & +\code{0x2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY} +\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY:krb5-principal-unparse-display-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY:krb5-principal-unparse-display}\index{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY:KRB5_PRINCIPAL_UNPARSE_DISPLAY}\pysigline{\bfcode{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY}} +\end{fulllineitems} + + +Don't escape special characters. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY} + & +\code{0x4} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM} +\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM:krb5-principal-unparse-no-realm}\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM:krb5-principal-unparse-no-realm-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM::doc}\index{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM:KRB5_PRINCIPAL_UNPARSE_NO_REALM}\pysigline{\bfcode{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM}} +\end{fulllineitems} + + +Omit realm always. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM} + & +\code{0x2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PRINCIPAL\_UNPARSE\_SHORT} +\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT:krb5-principal-unparse-short}\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT:krb5-principal-unparse-short-data}\index{KRB5\_PRINCIPAL\_UNPARSE\_SHORT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT:KRB5_PRINCIPAL_UNPARSE_SHORT}\pysigline{\bfcode{KRB5\_PRINCIPAL\_UNPARSE\_SHORT}} +\end{fulllineitems} + + +Omit realm if it is the local realm. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PRINCIPAL\_UNPARSE\_SHORT} + & +\code{0x1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PRIV} +\label{appdev/refs/macros/KRB5_PRIV:krb5-priv-data}\label{appdev/refs/macros/KRB5_PRIV::doc}\label{appdev/refs/macros/KRB5_PRIV:krb5-priv}\index{KRB5\_PRIV (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PRIV:KRB5_PRIV}\pysigline{\bfcode{KRB5\_PRIV}} +\end{fulllineitems} + + +Private application message. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PRIV} + & +\code{((krb5\_msgtype)21)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD} +\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD:krb5-prompt-type-new-password-data}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD:krb5-prompt-type-new-password}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD::doc}\index{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD:KRB5_PROMPT_TYPE_NEW_PASSWORD}\pysigline{\bfcode{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD}} +\end{fulllineitems} + + +Prompt for new password (during password change) + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD} + & +\code{0x2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN} +\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:krb5-prompt-type-new-password-again}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:krb5-prompt-type-new-password-again-data}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN::doc}\index{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN}\pysigline{\bfcode{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN}} +\end{fulllineitems} + + +Prompt for new password again. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN} + & +\code{0x3} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PROMPT\_TYPE\_PASSWORD} +\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD:krb5-prompt-type-password-data}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD::doc}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD:krb5-prompt-type-password}\index{KRB5\_PROMPT\_TYPE\_PASSWORD (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD:KRB5_PROMPT_TYPE_PASSWORD}\pysigline{\bfcode{KRB5\_PROMPT\_TYPE\_PASSWORD}} +\end{fulllineitems} + + +Prompt for password. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PROMPT\_TYPE\_PASSWORD} + & +\code{0x1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PROMPT\_TYPE\_PREAUTH} +\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH:krb5-prompt-type-preauth-data}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH::doc}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH:krb5-prompt-type-preauth}\index{KRB5\_PROMPT\_TYPE\_PREAUTH (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH:KRB5_PROMPT_TYPE_PREAUTH}\pysigline{\bfcode{KRB5\_PROMPT\_TYPE\_PREAUTH}} +\end{fulllineitems} + + +Prompt for preauthentication data (such as an OTP value) + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PROMPT\_TYPE\_PREAUTH} + & +\code{0x4} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_PVNO} +\label{appdev/refs/macros/KRB5_PVNO:krb5-pvno-data}\label{appdev/refs/macros/KRB5_PVNO::doc}\label{appdev/refs/macros/KRB5_PVNO:krb5-pvno}\index{KRB5\_PVNO (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_PVNO:KRB5_PVNO}\pysigline{\bfcode{KRB5\_PVNO}} +\end{fulllineitems} + + +Protocol version number. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_PVNO} + & +\code{5} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_REALM\_BRANCH\_CHAR} +\label{appdev/refs/macros/KRB5_REALM_BRANCH_CHAR::doc}\label{appdev/refs/macros/KRB5_REALM_BRANCH_CHAR:krb5-realm-branch-char}\label{appdev/refs/macros/KRB5_REALM_BRANCH_CHAR:krb5-realm-branch-char-data}\index{KRB5\_REALM\_BRANCH\_CHAR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_REALM_BRANCH_CHAR:KRB5_REALM_BRANCH_CHAR}\pysigline{\bfcode{KRB5\_REALM\_BRANCH\_CHAR}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_REALM\_BRANCH\_CHAR} + & +\code{'.'} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RECVAUTH\_BADAUTHVERS} +\label{appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS:krb5-recvauth-badauthvers-data}\label{appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS:krb5-recvauth-badauthvers}\label{appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS::doc}\index{KRB5\_RECVAUTH\_BADAUTHVERS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS:KRB5_RECVAUTH_BADAUTHVERS}\pysigline{\bfcode{KRB5\_RECVAUTH\_BADAUTHVERS}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RECVAUTH\_BADAUTHVERS} + & +\code{0x0002} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RECVAUTH\_SKIP\_VERSION} +\label{appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION:krb5-recvauth-skip-version}\label{appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION:krb5-recvauth-skip-version-data}\label{appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION::doc}\index{KRB5\_RECVAUTH\_SKIP\_VERSION (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION:KRB5_RECVAUTH_SKIP_VERSION}\pysigline{\bfcode{KRB5\_RECVAUTH\_SKIP\_VERSION}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RECVAUTH\_SKIP\_VERSION} + & +\code{0x0001} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_REFERRAL\_REALM} +\label{appdev/refs/macros/KRB5_REFERRAL_REALM:krb5-referral-realm-data}\label{appdev/refs/macros/KRB5_REFERRAL_REALM::doc}\label{appdev/refs/macros/KRB5_REFERRAL_REALM:krb5-referral-realm}\index{KRB5\_REFERRAL\_REALM (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_REFERRAL_REALM:KRB5_REFERRAL_REALM}\pysigline{\bfcode{KRB5\_REFERRAL\_REALM}} +\end{fulllineitems} + + +Constant for realm referrals. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_REFERRAL\_REALM} + & +\code{""} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_COUNT\_LOW} +\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW:krb5-responder-pkinit-flags-token-user-pin-count-low-data}\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW::doc}\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW:krb5-responder-pkinit-flags-token-user-pin-count-low}\index{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_COUNT\_LOW (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW:KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW}\pysigline{\bfcode{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_COUNT\_LOW}} +\end{fulllineitems} + + +This flag indicates that an incorrect PIN was supplied at least once since the last time the correct PIN was supplied. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_COUNT\_LOW} + & +\code{(1 \textless{}\textless{} 0)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_FINAL\_TRY} +\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY:krb5-responder-pkinit-flags-token-user-pin-final-try}\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY::doc}\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY:krb5-responder-pkinit-flags-token-user-pin-final-try-data}\index{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_FINAL\_TRY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY:KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY}\pysigline{\bfcode{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_FINAL\_TRY}} +\end{fulllineitems} + + +This flag indicates that supplying an incorrect PIN will cause the token to lock itself. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_FINAL\_TRY} + & +\code{(1 \textless{}\textless{} 1)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_LOCKED} +\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED::doc}\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED:krb5-responder-pkinit-flags-token-user-pin-locked}\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED:krb5-responder-pkinit-flags-token-user-pin-locked-data}\index{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_LOCKED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED:KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED}\pysigline{\bfcode{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_LOCKED}} +\end{fulllineitems} + + +This flag indicates that the user PIN is locked, and you can't log in to the token with it. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_LOCKED} + & +\code{(1 \textless{}\textless{} 2)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RESPONDER\_QUESTION\_PKINIT} +\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT:krb5-responder-question-pkinit}\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT:krb5-responder-question-pkinit-data}\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT::doc}\index{KRB5\_RESPONDER\_QUESTION\_PKINIT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT:KRB5_RESPONDER_QUESTION_PKINIT}\pysigline{\bfcode{KRB5\_RESPONDER\_QUESTION\_PKINIT}} +\end{fulllineitems} + + +PKINIT responder question. + +The PKINIT responder question is asked when the client needs a password that's being used to protect key information, and is formatted as a JSON object. A specific identity's flags value, if not zero, is the bitwise-OR of one or more of the KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_* flags defined below, and possibly other flags to be added later. Any resemblance to similarly-named CKF\_* values in the PKCS\#11 API should not be depended on. + +\emph{\{} + +\emph{identity \textless{}string\textgreater{} : flags \textless{}number\textgreater{},} + +\emph{...} + +\emph{\}} + +The answer to the question MUST be JSON formatted: + +\emph{\{} + +\emph{identity \textless{}string\textgreater{} : password \textless{}string\textgreater{},} + +\emph{...} + +\emph{\}} + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RESPONDER\_QUESTION\_PKINIT} + & +\code{"pkinit"} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN} +\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN:krb5-responder-otp-flags-collect-pin-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN::doc}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN:krb5-responder-otp-flags-collect-pin}\index{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN:KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN}} +\end{fulllineitems} + + +This flag indicates that the PIN value MUST be collected. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN} + & +\code{0x0002} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_TOKEN} +\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN:krb5-responder-otp-flags-collect-token-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN:krb5-responder-otp-flags-collect-token}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN::doc}\index{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_TOKEN (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN:KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_TOKEN}} +\end{fulllineitems} + + +This flag indicates that the token value MUST be collected. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_TOKEN} + & +\code{0x0001} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RESPONDER\_OTP\_FLAGS\_NEXTOTP} +\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP:krb5-responder-otp-flags-nextotp-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP::doc}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP:krb5-responder-otp-flags-nextotp}\index{KRB5\_RESPONDER\_OTP\_FLAGS\_NEXTOTP (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP:KRB5_RESPONDER_OTP_FLAGS_NEXTOTP}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FLAGS\_NEXTOTP}} +\end{fulllineitems} + + +This flag indicates that the token is now in re-synchronization mode with the server. + +The user is expected to reply with the next code displayed on the token. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RESPONDER\_OTP\_FLAGS\_NEXTOTP} + & +\code{0x0004} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RESPONDER\_OTP\_FLAGS\_SEPARATE\_PIN} +\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN:krb5-responder-otp-flags-separate-pin}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN:krb5-responder-otp-flags-separate-pin-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN::doc}\index{KRB5\_RESPONDER\_OTP\_FLAGS\_SEPARATE\_PIN (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN:KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FLAGS\_SEPARATE\_PIN}} +\end{fulllineitems} + + +This flag indicates that the PIN MUST be returned as a separate item. + +This flag only takes effect if KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN is set. If this flag is not set, the responder may either concatenate PIN + token value and store it as ``value'' in the answer or it may return them separately. If they are returned separately, they will be concatenated internally. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RESPONDER\_OTP\_FLAGS\_SEPARATE\_PIN} + & +\code{0x0008} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RESPONDER\_OTP\_FORMAT\_ALPHANUMERIC} +\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:krb5-responder-otp-format-alphanumeric-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:krb5-responder-otp-format-alphanumeric}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC::doc}\index{KRB5\_RESPONDER\_OTP\_FORMAT\_ALPHANUMERIC (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FORMAT\_ALPHANUMERIC}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RESPONDER\_OTP\_FORMAT\_ALPHANUMERIC} + & +\code{2} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RESPONDER\_OTP\_FORMAT\_DECIMAL} +\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL:krb5-responder-otp-format-decimal-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL::doc}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL:krb5-responder-otp-format-decimal}\index{KRB5\_RESPONDER\_OTP\_FORMAT\_DECIMAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL:KRB5_RESPONDER_OTP_FORMAT_DECIMAL}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FORMAT\_DECIMAL}} +\end{fulllineitems} + + +These format constants identify the format of the token value. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RESPONDER\_OTP\_FORMAT\_DECIMAL} + & +\code{0} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RESPONDER\_OTP\_FORMAT\_HEXADECIMAL} +\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:krb5-responder-otp-format-hexadecimal-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL::doc}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:krb5-responder-otp-format-hexadecimal}\index{KRB5\_RESPONDER\_OTP\_FORMAT\_HEXADECIMAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FORMAT\_HEXADECIMAL}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RESPONDER\_OTP\_FORMAT\_HEXADECIMAL} + & +\code{1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RESPONDER\_QUESTION\_OTP} +\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP:krb5-responder-question-otp}\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP:krb5-responder-question-otp-data}\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP::doc}\index{KRB5\_RESPONDER\_QUESTION\_OTP (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP:KRB5_RESPONDER_QUESTION_OTP}\pysigline{\bfcode{KRB5\_RESPONDER\_QUESTION\_OTP}} +\end{fulllineitems} + + +OTP responder question. + +The OTP responder question is asked when the KDC indicates that an OTP value is required in order to complete the authentication. The JSON format of the challenge is: + +\emph{\{} + +\emph{``service'': \textless{}string (optional)\textgreater{},} + +\emph{``tokenInfo'': {[}} + +\emph{\{} + +\emph{``flags'': \textless{}number\textgreater{},} + +\emph{``vendor'': \textless{}string (optional)\textgreater{},} + +\emph{``challenge'': \textless{}string (optional)\textgreater{},} + +\emph{``length'': \textless{}number (optional)\textgreater{},} + +\emph{``format'': \textless{}number (optional)\textgreater{},} + +\emph{``tokenID'': \textless{}string (optional)\textgreater{},} + +\emph{``algID'': \textless{}string (optional)\textgreater{},} + +\emph{\},} + +\emph{...} + +\emph{{]}} + +\emph{\}} + +The answer to the question MUST be JSON formatted: + +\emph{\{} + +\emph{``tokeninfo'': \textless{}number\textgreater{},} + +\emph{``value'': \textless{}string (optional)\textgreater{},} + +\emph{``pin'': \textless{}string (optional)\textgreater{},} + +\emph{\}} + +For more detail, please see RFC 6560. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RESPONDER\_QUESTION\_OTP} + & +\code{"otp"} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_RESPONDER\_QUESTION\_PASSWORD} +\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD:krb5-responder-question-password-data}\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD:krb5-responder-question-password}\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD::doc}\index{KRB5\_RESPONDER\_QUESTION\_PASSWORD (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD:KRB5_RESPONDER_QUESTION_PASSWORD}\pysigline{\bfcode{KRB5\_RESPONDER\_QUESTION\_PASSWORD}} +\end{fulllineitems} + + +Long-term password responder question. + +This question is asked when the long-term password is needed. It has no challenge and the response is simply the password string. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_RESPONDER\_QUESTION\_PASSWORD} + & +\code{"password"} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_SAFE} +\label{appdev/refs/macros/KRB5_SAFE:krb5-safe}\label{appdev/refs/macros/KRB5_SAFE::doc}\label{appdev/refs/macros/KRB5_SAFE:krb5-safe-data}\index{KRB5\_SAFE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_SAFE:KRB5_SAFE}\pysigline{\bfcode{KRB5\_SAFE}} +\end{fulllineitems} + + +Safe application message. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_SAFE} + & +\code{((krb5\_msgtype)20)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_SAM\_MUST\_PK\_ENCRYPT\_SAD} +\label{appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD:krb5-sam-must-pk-encrypt-sad}\label{appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD:krb5-sam-must-pk-encrypt-sad-data}\label{appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD::doc}\index{KRB5\_SAM\_MUST\_PK\_ENCRYPT\_SAD (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD:KRB5_SAM_MUST_PK_ENCRYPT_SAD}\pysigline{\bfcode{KRB5\_SAM\_MUST\_PK\_ENCRYPT\_SAD}} +\end{fulllineitems} + + +currently must be zero + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_SAM\_MUST\_PK\_ENCRYPT\_SAD} + & +\code{0x20000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_SAM\_SEND\_ENCRYPTED\_SAD} +\label{appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD:krb5-sam-send-encrypted-sad}\label{appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD::doc}\label{appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD:krb5-sam-send-encrypted-sad-data}\index{KRB5\_SAM\_SEND\_ENCRYPTED\_SAD (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD:KRB5_SAM_SEND_ENCRYPTED_SAD}\pysigline{\bfcode{KRB5\_SAM\_SEND\_ENCRYPTED\_SAD}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_SAM\_SEND\_ENCRYPTED\_SAD} + & +\code{0x40000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_SAM\_USE\_SAD\_AS\_KEY} +\label{appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY::doc}\label{appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY:krb5-sam-use-sad-as-key}\label{appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY:krb5-sam-use-sad-as-key-data}\index{KRB5\_SAM\_USE\_SAD\_AS\_KEY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY:KRB5_SAM_USE_SAD_AS_KEY}\pysigline{\bfcode{KRB5\_SAM\_USE\_SAD\_AS\_KEY}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_SAM\_USE\_SAD\_AS\_KEY} + & +\code{0x80000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TC\_MATCH\_2ND\_TKT} +\label{appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT:krb5-tc-match-2nd-tkt-data}\label{appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT::doc}\label{appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT:krb5-tc-match-2nd-tkt}\index{KRB5\_TC\_MATCH\_2ND\_TKT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT:KRB5_TC_MATCH_2ND_TKT}\pysigline{\bfcode{KRB5\_TC\_MATCH\_2ND\_TKT}} +\end{fulllineitems} + + +The second ticket must match. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TC\_MATCH\_2ND\_TKT} + & +\code{0x00000080} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TC\_MATCH\_AUTHDATA} +\label{appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA::doc}\label{appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA:krb5-tc-match-authdata-data}\label{appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA:krb5-tc-match-authdata}\index{KRB5\_TC\_MATCH\_AUTHDATA (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA:KRB5_TC_MATCH_AUTHDATA}\pysigline{\bfcode{KRB5\_TC\_MATCH\_AUTHDATA}} +\end{fulllineitems} + + +The authorization data must match. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TC\_MATCH\_AUTHDATA} + & +\code{0x00000020} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TC\_MATCH\_FLAGS} +\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS:krb5-tc-match-flags}\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS::doc}\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS:krb5-tc-match-flags-data}\index{KRB5\_TC\_MATCH\_FLAGS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS:KRB5_TC_MATCH_FLAGS}\pysigline{\bfcode{KRB5\_TC\_MATCH\_FLAGS}} +\end{fulllineitems} + + +All the flags set in the match credentials must be set. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TC\_MATCH\_FLAGS} + & +\code{0x00000004} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TC\_MATCH\_FLAGS\_EXACT} +\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT:krb5-tc-match-flags-exact}\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT::doc}\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT:krb5-tc-match-flags-exact-data}\index{KRB5\_TC\_MATCH\_FLAGS\_EXACT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT:KRB5_TC_MATCH_FLAGS_EXACT}\pysigline{\bfcode{KRB5\_TC\_MATCH\_FLAGS\_EXACT}} +\end{fulllineitems} + + +All the flags must match exactly. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TC\_MATCH\_FLAGS\_EXACT} + & +\code{0x00000010} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TC\_MATCH\_IS\_SKEY} +\label{appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY:krb5-tc-match-is-skey}\label{appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY:krb5-tc-match-is-skey-data}\label{appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY::doc}\index{KRB5\_TC\_MATCH\_IS\_SKEY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY:KRB5_TC_MATCH_IS_SKEY}\pysigline{\bfcode{KRB5\_TC\_MATCH\_IS\_SKEY}} +\end{fulllineitems} + + +The is\_skey field must match exactly. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TC\_MATCH\_IS\_SKEY} + & +\code{0x00000002} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TC\_MATCH\_KTYPE} +\label{appdev/refs/macros/KRB5_TC_MATCH_KTYPE:krb5-tc-match-ktype}\label{appdev/refs/macros/KRB5_TC_MATCH_KTYPE:krb5-tc-match-ktype-data}\label{appdev/refs/macros/KRB5_TC_MATCH_KTYPE::doc}\index{KRB5\_TC\_MATCH\_KTYPE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_KTYPE:KRB5_TC_MATCH_KTYPE}\pysigline{\bfcode{KRB5\_TC\_MATCH\_KTYPE}} +\end{fulllineitems} + + +The encryption key type must match. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TC\_MATCH\_KTYPE} + & +\code{0x00000100} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TC\_MATCH\_SRV\_NAMEONLY} +\label{appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY::doc}\label{appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY:krb5-tc-match-srv-nameonly}\label{appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY:krb5-tc-match-srv-nameonly-data}\index{KRB5\_TC\_MATCH\_SRV\_NAMEONLY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY:KRB5_TC_MATCH_SRV_NAMEONLY}\pysigline{\bfcode{KRB5\_TC\_MATCH\_SRV\_NAMEONLY}} +\end{fulllineitems} + + +Only the name portion of the principal name must match. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TC\_MATCH\_SRV\_NAMEONLY} + & +\code{0x00000040} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TC\_MATCH\_TIMES} +\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES:krb5-tc-match-times}\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES:krb5-tc-match-times-data}\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES::doc}\index{KRB5\_TC\_MATCH\_TIMES (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES:KRB5_TC_MATCH_TIMES}\pysigline{\bfcode{KRB5\_TC\_MATCH\_TIMES}} +\end{fulllineitems} + + +The requested lifetime must be at least as great as the time specified. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TC\_MATCH\_TIMES} + & +\code{0x00000001} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TC\_MATCH\_TIMES\_EXACT} +\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT:krb5-tc-match-times-exact-data}\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT::doc}\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT:krb5-tc-match-times-exact}\index{KRB5\_TC\_MATCH\_TIMES\_EXACT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT:KRB5_TC_MATCH_TIMES_EXACT}\pysigline{\bfcode{KRB5\_TC\_MATCH\_TIMES\_EXACT}} +\end{fulllineitems} + + +All the time fields must match exactly. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TC\_MATCH\_TIMES\_EXACT} + & +\code{0x00000008} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TC\_NOTICKET} +\label{appdev/refs/macros/KRB5_TC_NOTICKET:krb5-tc-noticket}\label{appdev/refs/macros/KRB5_TC_NOTICKET::doc}\label{appdev/refs/macros/KRB5_TC_NOTICKET:krb5-tc-noticket-data}\index{KRB5\_TC\_NOTICKET (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TC_NOTICKET:KRB5_TC_NOTICKET}\pysigline{\bfcode{KRB5\_TC\_NOTICKET}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TC\_NOTICKET} + & +\code{0x00000002} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TC\_OPENCLOSE} +\label{appdev/refs/macros/KRB5_TC_OPENCLOSE:krb5-tc-openclose}\label{appdev/refs/macros/KRB5_TC_OPENCLOSE:krb5-tc-openclose-data}\label{appdev/refs/macros/KRB5_TC_OPENCLOSE::doc}\index{KRB5\_TC\_OPENCLOSE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TC_OPENCLOSE:KRB5_TC_OPENCLOSE}\pysigline{\bfcode{KRB5\_TC\_OPENCLOSE}} +\end{fulllineitems} + + +Open and close the file for each cache operation. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TC\_OPENCLOSE} + & +\code{0x00000001} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TC\_SUPPORTED\_KTYPES} +\label{appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES:krb5-tc-supported-ktypes-data}\label{appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES::doc}\label{appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES:krb5-tc-supported-ktypes}\index{KRB5\_TC\_SUPPORTED\_KTYPES (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES:KRB5_TC_SUPPORTED_KTYPES}\pysigline{\bfcode{KRB5\_TC\_SUPPORTED\_KTYPES}} +\end{fulllineitems} + + +The supported key types must match. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TC\_SUPPORTED\_KTYPES} + & +\code{0x00000200} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TGS\_NAME} +\label{appdev/refs/macros/KRB5_TGS_NAME:krb5-tgs-name-data}\label{appdev/refs/macros/KRB5_TGS_NAME::doc}\label{appdev/refs/macros/KRB5_TGS_NAME:krb5-tgs-name}\index{KRB5\_TGS\_NAME (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TGS_NAME:KRB5_TGS_NAME}\pysigline{\bfcode{KRB5\_TGS\_NAME}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TGS\_NAME} + & +\code{"krbtgt"} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TGS\_NAME\_SIZE} +\label{appdev/refs/macros/KRB5_TGS_NAME_SIZE:krb5-tgs-name-size}\label{appdev/refs/macros/KRB5_TGS_NAME_SIZE:krb5-tgs-name-size-data}\label{appdev/refs/macros/KRB5_TGS_NAME_SIZE::doc}\index{KRB5\_TGS\_NAME\_SIZE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TGS_NAME_SIZE:KRB5_TGS_NAME_SIZE}\pysigline{\bfcode{KRB5\_TGS\_NAME\_SIZE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TGS\_NAME\_SIZE} + & +\code{6} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TGS\_REP} +\label{appdev/refs/macros/KRB5_TGS_REP::doc}\label{appdev/refs/macros/KRB5_TGS_REP:krb5-tgs-rep-data}\label{appdev/refs/macros/KRB5_TGS_REP:krb5-tgs-rep}\index{KRB5\_TGS\_REP (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TGS_REP:KRB5_TGS_REP}\pysigline{\bfcode{KRB5\_TGS\_REP}} +\end{fulllineitems} + + +Response to TGS request. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TGS\_REP} + & +\code{((krb5\_msgtype)13)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TGS\_REQ} +\label{appdev/refs/macros/KRB5_TGS_REQ:krb5-tgs-req-data}\label{appdev/refs/macros/KRB5_TGS_REQ::doc}\label{appdev/refs/macros/KRB5_TGS_REQ:krb5-tgs-req}\index{KRB5\_TGS\_REQ (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TGS_REQ:KRB5_TGS_REQ}\pysigline{\bfcode{KRB5\_TGS\_REQ}} +\end{fulllineitems} + + +Ticket granting server request. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TGS\_REQ} + & +\code{((krb5\_msgtype)12)} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE} +\label{appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:krb5-tkt-creds-step-flag-continue-data}\label{appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE::doc}\label{appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:krb5-tkt-creds-step-flag-continue}\index{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:KRB5_TKT_CREDS_STEP_FLAG_CONTINUE}\pysigline{\bfcode{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE}} +\end{fulllineitems} + + +More responses needed. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE} + & +\code{0x1} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_VERIFY\_INIT\_CREDS\_OPT\_AP\_REQ\_NOFAIL} +\label{appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL:krb5-verify-init-creds-opt-ap-req-nofail}\label{appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL::doc}\label{appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL:krb5-verify-init-creds-opt-ap-req-nofail-data}\index{KRB5\_VERIFY\_INIT\_CREDS\_OPT\_AP\_REQ\_NOFAIL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL:KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL}\pysigline{\bfcode{KRB5\_VERIFY\_INIT\_CREDS\_OPT\_AP\_REQ\_NOFAIL}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_VERIFY\_INIT\_CREDS\_OPT\_AP\_REQ\_NOFAIL} + & +\code{0x0001} +\\ +\hline\end{tabulary} + + + +\subsubsection{KRB5\_WELLKNOWN\_NAMESTR} +\label{appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR::doc}\label{appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR:krb5-wellknown-namestr}\label{appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR:krb5-wellknown-namestr-data}\index{KRB5\_WELLKNOWN\_NAMESTR (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR:KRB5_WELLKNOWN_NAMESTR}\pysigline{\bfcode{KRB5\_WELLKNOWN\_NAMESTR}} +\end{fulllineitems} + + +First component of NT\_WELLKNOWN principals. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{KRB5\_WELLKNOWN\_NAMESTR} + & +\code{"WELLKNOWN"} +\\ +\hline\end{tabulary} + + + +\subsubsection{LR\_TYPE\_INTERPRETATION\_MASK} +\label{appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK:lr-type-interpretation-mask-data}\label{appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK:lr-type-interpretation-mask}\label{appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK::doc}\index{LR\_TYPE\_INTERPRETATION\_MASK (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK:LR_TYPE_INTERPRETATION_MASK}\pysigline{\bfcode{LR\_TYPE\_INTERPRETATION\_MASK}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{LR\_TYPE\_INTERPRETATION\_MASK} + & +\code{0x7fff} +\\ +\hline\end{tabulary} + + + +\subsubsection{LR\_TYPE\_THIS\_SERVER\_ONLY} +\label{appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY:lr-type-this-server-only-data}\label{appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY:lr-type-this-server-only}\label{appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY::doc}\index{LR\_TYPE\_THIS\_SERVER\_ONLY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY:LR_TYPE_THIS_SERVER_ONLY}\pysigline{\bfcode{LR\_TYPE\_THIS\_SERVER\_ONLY}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{LR\_TYPE\_THIS\_SERVER\_ONLY} + & +\code{0x8000} +\\ +\hline\end{tabulary} + + + +\subsubsection{MAX\_KEYTAB\_NAME\_LEN} +\label{appdev/refs/macros/MAX_KEYTAB_NAME_LEN:max-keytab-name-len-data}\label{appdev/refs/macros/MAX_KEYTAB_NAME_LEN::doc}\label{appdev/refs/macros/MAX_KEYTAB_NAME_LEN:max-keytab-name-len}\index{MAX\_KEYTAB\_NAME\_LEN (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/MAX_KEYTAB_NAME_LEN:MAX_KEYTAB_NAME_LEN}\pysigline{\bfcode{MAX\_KEYTAB\_NAME\_LEN}} +\end{fulllineitems} + + +Long enough for MAXPATHLEN + some extra. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{MAX\_KEYTAB\_NAME\_LEN} + & +\code{1100} +\\ +\hline\end{tabulary} + + + +\subsubsection{MSEC\_DIRBIT} +\label{appdev/refs/macros/MSEC_DIRBIT:msec-dirbit}\label{appdev/refs/macros/MSEC_DIRBIT:msec-dirbit-data}\label{appdev/refs/macros/MSEC_DIRBIT::doc}\index{MSEC\_DIRBIT (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/MSEC_DIRBIT:MSEC_DIRBIT}\pysigline{\bfcode{MSEC\_DIRBIT}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{MSEC\_DIRBIT} + & +\code{0x8000} +\\ +\hline\end{tabulary} + + + +\subsubsection{MSEC\_VAL\_MASK} +\label{appdev/refs/macros/MSEC_VAL_MASK:msec-val-mask-data}\label{appdev/refs/macros/MSEC_VAL_MASK::doc}\label{appdev/refs/macros/MSEC_VAL_MASK:msec-val-mask}\index{MSEC\_VAL\_MASK (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/MSEC_VAL_MASK:MSEC_VAL_MASK}\pysigline{\bfcode{MSEC\_VAL\_MASK}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{MSEC\_VAL\_MASK} + & +\code{0x7fff} +\\ +\hline\end{tabulary} + + + +\subsubsection{SALT\_TYPE\_AFS\_LENGTH} +\label{appdev/refs/macros/SALT_TYPE_AFS_LENGTH::doc}\label{appdev/refs/macros/SALT_TYPE_AFS_LENGTH:salt-type-afs-length-data}\label{appdev/refs/macros/SALT_TYPE_AFS_LENGTH:salt-type-afs-length}\index{SALT\_TYPE\_AFS\_LENGTH (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/SALT_TYPE_AFS_LENGTH:SALT_TYPE_AFS_LENGTH}\pysigline{\bfcode{SALT\_TYPE\_AFS\_LENGTH}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{SALT\_TYPE\_AFS\_LENGTH} + & +\code{UINT\_MAX} +\\ +\hline\end{tabulary} + + + +\subsubsection{SALT\_TYPE\_NO\_LENGTH} +\label{appdev/refs/macros/SALT_TYPE_NO_LENGTH:salt-type-no-length-data}\label{appdev/refs/macros/SALT_TYPE_NO_LENGTH::doc}\label{appdev/refs/macros/SALT_TYPE_NO_LENGTH:salt-type-no-length}\index{SALT\_TYPE\_NO\_LENGTH (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/SALT_TYPE_NO_LENGTH:SALT_TYPE_NO_LENGTH}\pysigline{\bfcode{SALT\_TYPE\_NO\_LENGTH}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{SALT\_TYPE\_NO\_LENGTH} + & +\code{UINT\_MAX} +\\ +\hline\end{tabulary} + + + +\subsubsection{THREEPARAMOPEN} +\label{appdev/refs/macros/THREEPARAMOPEN:threeparamopen}\label{appdev/refs/macros/THREEPARAMOPEN:threeparamopen-data}\label{appdev/refs/macros/THREEPARAMOPEN::doc}\index{THREEPARAMOPEN (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/THREEPARAMOPEN:THREEPARAMOPEN}\pysigline{\bfcode{THREEPARAMOPEN}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{THREEPARAMOPEN (x, y, z)} + & +\code{open(x,y,z)} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_ANONYMOUS} +\label{appdev/refs/macros/TKT_FLG_ANONYMOUS::doc}\label{appdev/refs/macros/TKT_FLG_ANONYMOUS:tkt-flg-anonymous}\label{appdev/refs/macros/TKT_FLG_ANONYMOUS:tkt-flg-anonymous-data}\index{TKT\_FLG\_ANONYMOUS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_ANONYMOUS:TKT_FLG_ANONYMOUS}\pysigline{\bfcode{TKT\_FLG\_ANONYMOUS}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_ANONYMOUS} + & +\code{0x00008000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_ENC\_PA\_REP} +\label{appdev/refs/macros/TKT_FLG_ENC_PA_REP:tkt-flg-enc-pa-rep}\label{appdev/refs/macros/TKT_FLG_ENC_PA_REP:tkt-flg-enc-pa-rep-data}\label{appdev/refs/macros/TKT_FLG_ENC_PA_REP::doc}\index{TKT\_FLG\_ENC\_PA\_REP (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_ENC_PA_REP:TKT_FLG_ENC_PA_REP}\pysigline{\bfcode{TKT\_FLG\_ENC\_PA\_REP}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_ENC\_PA\_REP} + & +\code{0x00010000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_FORWARDABLE} +\label{appdev/refs/macros/TKT_FLG_FORWARDABLE:tkt-flg-forwardable-data}\label{appdev/refs/macros/TKT_FLG_FORWARDABLE:tkt-flg-forwardable}\label{appdev/refs/macros/TKT_FLG_FORWARDABLE::doc}\index{TKT\_FLG\_FORWARDABLE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_FORWARDABLE:TKT_FLG_FORWARDABLE}\pysigline{\bfcode{TKT\_FLG\_FORWARDABLE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_FORWARDABLE} + & +\code{0x40000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_FORWARDED} +\label{appdev/refs/macros/TKT_FLG_FORWARDED::doc}\label{appdev/refs/macros/TKT_FLG_FORWARDED:tkt-flg-forwarded}\label{appdev/refs/macros/TKT_FLG_FORWARDED:tkt-flg-forwarded-data}\index{TKT\_FLG\_FORWARDED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_FORWARDED:TKT_FLG_FORWARDED}\pysigline{\bfcode{TKT\_FLG\_FORWARDED}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_FORWARDED} + & +\code{0x20000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_HW\_AUTH} +\label{appdev/refs/macros/TKT_FLG_HW_AUTH::doc}\label{appdev/refs/macros/TKT_FLG_HW_AUTH:tkt-flg-hw-auth}\label{appdev/refs/macros/TKT_FLG_HW_AUTH:tkt-flg-hw-auth-data}\index{TKT\_FLG\_HW\_AUTH (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_HW_AUTH:TKT_FLG_HW_AUTH}\pysigline{\bfcode{TKT\_FLG\_HW\_AUTH}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_HW\_AUTH} + & +\code{0x00100000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_INITIAL} +\label{appdev/refs/macros/TKT_FLG_INITIAL:tkt-flg-initial}\label{appdev/refs/macros/TKT_FLG_INITIAL::doc}\label{appdev/refs/macros/TKT_FLG_INITIAL:tkt-flg-initial-data}\index{TKT\_FLG\_INITIAL (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_INITIAL:TKT_FLG_INITIAL}\pysigline{\bfcode{TKT\_FLG\_INITIAL}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_INITIAL} + & +\code{0x00400000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_INVALID} +\label{appdev/refs/macros/TKT_FLG_INVALID:tkt-flg-invalid-data}\label{appdev/refs/macros/TKT_FLG_INVALID::doc}\label{appdev/refs/macros/TKT_FLG_INVALID:tkt-flg-invalid}\index{TKT\_FLG\_INVALID (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_INVALID:TKT_FLG_INVALID}\pysigline{\bfcode{TKT\_FLG\_INVALID}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_INVALID} + & +\code{0x01000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_MAY\_POSTDATE} +\label{appdev/refs/macros/TKT_FLG_MAY_POSTDATE:tkt-flg-may-postdate}\label{appdev/refs/macros/TKT_FLG_MAY_POSTDATE::doc}\label{appdev/refs/macros/TKT_FLG_MAY_POSTDATE:tkt-flg-may-postdate-data}\index{TKT\_FLG\_MAY\_POSTDATE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_MAY_POSTDATE:TKT_FLG_MAY_POSTDATE}\pysigline{\bfcode{TKT\_FLG\_MAY\_POSTDATE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_MAY\_POSTDATE} + & +\code{0x04000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_OK\_AS\_DELEGATE} +\label{appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE:tkt-flg-ok-as-delegate-data}\label{appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE:tkt-flg-ok-as-delegate}\label{appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE::doc}\index{TKT\_FLG\_OK\_AS\_DELEGATE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE:TKT_FLG_OK_AS_DELEGATE}\pysigline{\bfcode{TKT\_FLG\_OK\_AS\_DELEGATE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_OK\_AS\_DELEGATE} + & +\code{0x00040000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_POSTDATED} +\label{appdev/refs/macros/TKT_FLG_POSTDATED:tkt-flg-postdated}\label{appdev/refs/macros/TKT_FLG_POSTDATED::doc}\label{appdev/refs/macros/TKT_FLG_POSTDATED:tkt-flg-postdated-data}\index{TKT\_FLG\_POSTDATED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_POSTDATED:TKT_FLG_POSTDATED}\pysigline{\bfcode{TKT\_FLG\_POSTDATED}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_POSTDATED} + & +\code{0x02000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_PRE\_AUTH} +\label{appdev/refs/macros/TKT_FLG_PRE_AUTH:tkt-flg-pre-auth-data}\label{appdev/refs/macros/TKT_FLG_PRE_AUTH::doc}\label{appdev/refs/macros/TKT_FLG_PRE_AUTH:tkt-flg-pre-auth}\index{TKT\_FLG\_PRE\_AUTH (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_PRE_AUTH:TKT_FLG_PRE_AUTH}\pysigline{\bfcode{TKT\_FLG\_PRE\_AUTH}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_PRE\_AUTH} + & +\code{0x00200000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_PROXIABLE} +\label{appdev/refs/macros/TKT_FLG_PROXIABLE:tkt-flg-proxiable}\label{appdev/refs/macros/TKT_FLG_PROXIABLE:tkt-flg-proxiable-data}\label{appdev/refs/macros/TKT_FLG_PROXIABLE::doc}\index{TKT\_FLG\_PROXIABLE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_PROXIABLE:TKT_FLG_PROXIABLE}\pysigline{\bfcode{TKT\_FLG\_PROXIABLE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_PROXIABLE} + & +\code{0x10000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_PROXY} +\label{appdev/refs/macros/TKT_FLG_PROXY::doc}\label{appdev/refs/macros/TKT_FLG_PROXY:tkt-flg-proxy}\label{appdev/refs/macros/TKT_FLG_PROXY:tkt-flg-proxy-data}\index{TKT\_FLG\_PROXY (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_PROXY:TKT_FLG_PROXY}\pysigline{\bfcode{TKT\_FLG\_PROXY}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_PROXY} + & +\code{0x08000000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_RENEWABLE} +\label{appdev/refs/macros/TKT_FLG_RENEWABLE::doc}\label{appdev/refs/macros/TKT_FLG_RENEWABLE:tkt-flg-renewable}\label{appdev/refs/macros/TKT_FLG_RENEWABLE:tkt-flg-renewable-data}\index{TKT\_FLG\_RENEWABLE (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_RENEWABLE:TKT_FLG_RENEWABLE}\pysigline{\bfcode{TKT\_FLG\_RENEWABLE}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_RENEWABLE} + & +\code{0x00800000} +\\ +\hline\end{tabulary} + + + +\subsubsection{TKT\_FLG\_TRANSIT\_POLICY\_CHECKED} +\label{appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED::doc}\label{appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED:tkt-flg-transit-policy-checked}\label{appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED:tkt-flg-transit-policy-checked-data}\index{TKT\_FLG\_TRANSIT\_POLICY\_CHECKED (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED:TKT_FLG_TRANSIT_POLICY_CHECKED}\pysigline{\bfcode{TKT\_FLG\_TRANSIT\_POLICY\_CHECKED}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{TKT\_FLG\_TRANSIT\_POLICY\_CHECKED} + & +\code{0x00080000} +\\ +\hline\end{tabulary} + + + +\subsubsection{VALID\_INT\_BITS} +\label{appdev/refs/macros/VALID_INT_BITS:valid-int-bits}\label{appdev/refs/macros/VALID_INT_BITS:valid-int-bits-data}\label{appdev/refs/macros/VALID_INT_BITS::doc}\index{VALID\_INT\_BITS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/VALID_INT_BITS:VALID_INT_BITS}\pysigline{\bfcode{VALID\_INT\_BITS}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{VALID\_INT\_BITS} + & +\code{INT\_MAX} +\\ +\hline\end{tabulary} + + + +\subsubsection{VALID\_UINT\_BITS} +\label{appdev/refs/macros/VALID_UINT_BITS:valid-uint-bits}\label{appdev/refs/macros/VALID_UINT_BITS::doc}\label{appdev/refs/macros/VALID_UINT_BITS:valid-uint-bits-data}\index{VALID\_UINT\_BITS (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/VALID_UINT_BITS:VALID_UINT_BITS}\pysigline{\bfcode{VALID\_UINT\_BITS}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{VALID\_UINT\_BITS} + & +\code{UINT\_MAX} +\\ +\hline\end{tabulary} + + + +\subsubsection{krb5\_const} +\label{appdev/refs/macros/krb5_const:krb5-const}\label{appdev/refs/macros/krb5_const:krb5-const-data}\label{appdev/refs/macros/krb5_const::doc}\index{krb5\_const (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb5_const:krb5_const}\pysigline{\bfcode{krb5\_const}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb5\_const} + & +\code{const} +\\ +\hline\end{tabulary} + + + +\subsubsection{krb5\_princ\_component} +\label{appdev/refs/macros/krb5_princ_component::doc}\label{appdev/refs/macros/krb5_princ_component:krb5-princ-component-data}\label{appdev/refs/macros/krb5_princ_component:krb5-princ-component}\index{krb5\_princ\_component (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb5_princ_component:krb5_princ_component}\pysigline{\bfcode{krb5\_princ\_component}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb5\_princ\_component (context, princ, i)} + & +\code{(((i) \textless{} krb5\_princ\_size(context, princ)) ? (princ)-\textgreater{}data + (i) : NULL)} +\\ +\hline\end{tabulary} + + + +\subsubsection{krb5\_princ\_name} +\label{appdev/refs/macros/krb5_princ_name:krb5-princ-name-data}\label{appdev/refs/macros/krb5_princ_name:krb5-princ-name}\label{appdev/refs/macros/krb5_princ_name::doc}\index{krb5\_princ\_name (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb5_princ_name:krb5_princ_name}\pysigline{\bfcode{krb5\_princ\_name}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb5\_princ\_name (context, princ)} + & +\code{(princ)-\textgreater{}data} +\\ +\hline\end{tabulary} + + + +\subsubsection{krb5\_princ\_realm} +\label{appdev/refs/macros/krb5_princ_realm::doc}\label{appdev/refs/macros/krb5_princ_realm:krb5-princ-realm-data}\label{appdev/refs/macros/krb5_princ_realm:krb5-princ-realm}\index{krb5\_princ\_realm (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb5_princ_realm:krb5_princ_realm}\pysigline{\bfcode{krb5\_princ\_realm}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb5\_princ\_realm (context, princ)} + & +\code{(\&(princ)-\textgreater{}realm)} +\\ +\hline\end{tabulary} + + + +\subsubsection{krb5\_princ\_set\_realm} +\label{appdev/refs/macros/krb5_princ_set_realm:krb5-princ-set-realm-data}\label{appdev/refs/macros/krb5_princ_set_realm::doc}\label{appdev/refs/macros/krb5_princ_set_realm:krb5-princ-set-realm}\index{krb5\_princ\_set\_realm (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb5_princ_set_realm:krb5_princ_set_realm}\pysigline{\bfcode{krb5\_princ\_set\_realm}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb5\_princ\_set\_realm (context, princ, value)} + & +\code{((princ)-\textgreater{}realm = *(value))} +\\ +\hline\end{tabulary} + + + +\subsubsection{krb5\_princ\_set\_realm\_data} +\label{appdev/refs/macros/krb5_princ_set_realm_data:krb5-princ-set-realm-data-data}\label{appdev/refs/macros/krb5_princ_set_realm_data::doc}\label{appdev/refs/macros/krb5_princ_set_realm_data:krb5-princ-set-realm-data}\index{krb5\_princ\_set\_realm\_data (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb5_princ_set_realm_data:krb5_princ_set_realm_data}\pysigline{\bfcode{krb5\_princ\_set\_realm\_data}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb5\_princ\_set\_realm\_data (context, princ, value)} + & +\code{(princ)-\textgreater{}realm.data = (value)} +\\ +\hline\end{tabulary} + + + +\subsubsection{krb5\_princ\_set\_realm\_length} +\label{appdev/refs/macros/krb5_princ_set_realm_length:krb5-princ-set-realm-length-data}\label{appdev/refs/macros/krb5_princ_set_realm_length::doc}\label{appdev/refs/macros/krb5_princ_set_realm_length:krb5-princ-set-realm-length}\index{krb5\_princ\_set\_realm\_length (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb5_princ_set_realm_length:krb5_princ_set_realm_length}\pysigline{\bfcode{krb5\_princ\_set\_realm\_length}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb5\_princ\_set\_realm\_length (context, princ, value)} + & +\code{(princ)-\textgreater{}realm.length = (value)} +\\ +\hline\end{tabulary} + + + +\subsubsection{krb5\_princ\_size} +\label{appdev/refs/macros/krb5_princ_size:krb5-princ-size-data}\label{appdev/refs/macros/krb5_princ_size::doc}\label{appdev/refs/macros/krb5_princ_size:krb5-princ-size}\index{krb5\_princ\_size (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb5_princ_size:krb5_princ_size}\pysigline{\bfcode{krb5\_princ\_size}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb5\_princ\_size (context, princ)} + & +\code{(princ)-\textgreater{}length} +\\ +\hline\end{tabulary} + + + +\subsubsection{krb5\_princ\_type} +\label{appdev/refs/macros/krb5_princ_type:krb5-princ-type}\label{appdev/refs/macros/krb5_princ_type:krb5-princ-type-data}\label{appdev/refs/macros/krb5_princ_type::doc}\index{krb5\_princ\_type (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb5_princ_type:krb5_princ_type}\pysigline{\bfcode{krb5\_princ\_type}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb5\_princ\_type (context, princ)} + & +\code{(princ)-\textgreater{}type} +\\ +\hline\end{tabulary} + + + +\subsubsection{krb5\_roundup} +\label{appdev/refs/macros/krb5_roundup:krb5-roundup-data}\label{appdev/refs/macros/krb5_roundup:krb5-roundup}\label{appdev/refs/macros/krb5_roundup::doc}\index{krb5\_roundup (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb5_roundup:krb5_roundup}\pysigline{\bfcode{krb5\_roundup}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb5\_roundup (x, y)} + & +\code{((((x) + (y) - 1)/(y))*(y))} +\\ +\hline\end{tabulary} + + + +\subsubsection{krb5\_x} +\label{appdev/refs/macros/krb5_x::doc}\label{appdev/refs/macros/krb5_x:krb5-x}\label{appdev/refs/macros/krb5_x:krb5-x-data}\index{krb5\_x (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb5_x:krb5_x}\pysigline{\bfcode{krb5\_x}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb5\_x (ptr, args)} + & +\code{((ptr)?((*(ptr)) args):(abort(),1))} +\\ +\hline\end{tabulary} + + + +\subsubsection{krb5\_xc} +\label{appdev/refs/macros/krb5_xc::doc}\label{appdev/refs/macros/krb5_xc:krb5-xc}\label{appdev/refs/macros/krb5_xc:krb5-xc-data}\index{krb5\_xc (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb5_xc:krb5_xc}\pysigline{\bfcode{krb5\_xc}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb5\_xc (ptr, args)} + & +\code{((ptr)?((*(ptr)) args):(abort(),(char*)0))} +\\ +\hline\end{tabulary} + + + +\subsection{Deprecated macros} +\label{appdev/refs/macros/index:deprecated-macros} + +\subsubsection{krb524\_convert\_creds\_kdc} +\label{appdev/refs/macros/krb524_convert_creds_kdc:krb524-convert-creds-kdc-data}\label{appdev/refs/macros/krb524_convert_creds_kdc:krb524-convert-creds-kdc}\label{appdev/refs/macros/krb524_convert_creds_kdc::doc}\index{krb524\_convert\_creds\_kdc (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb524_convert_creds_kdc:krb524_convert_creds_kdc}\pysigline{\bfcode{krb524\_convert\_creds\_kdc}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb524\_convert\_creds\_kdc} + & +\code{krb5\_524\_convert\_creds} +\\ +\hline\end{tabulary} + + + +\subsubsection{krb524\_init\_ets} +\label{appdev/refs/macros/krb524_init_ets:krb524-init-ets-data}\label{appdev/refs/macros/krb524_init_ets::doc}\label{appdev/refs/macros/krb524_init_ets:krb524-init-ets}\index{krb524\_init\_ets (built-in variable)} + +\begin{fulllineitems} +\phantomsection\label{appdev/refs/macros/krb524_init_ets:krb524_init_ets}\pysigline{\bfcode{krb524\_init\_ets}} +\end{fulllineitems} + + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +\code{krb524\_init\_ets (x)} + & +\code{(0)} +\\ +\hline\end{tabulary} + + + + +\renewcommand{\indexname}{Index} +\printindex +\end{document} diff --git a/doc/pdf/basic.pdf b/doc/pdf/basic.pdf Binary files differnew file mode 100644 index 000000000000..65aa43c9fe4f --- /dev/null +++ b/doc/pdf/basic.pdf diff --git a/doc/pdf/basic.tex b/doc/pdf/basic.tex new file mode 100644 index 000000000000..d13762e98d6d --- /dev/null +++ b/doc/pdf/basic.tex @@ -0,0 +1,751 @@ +% Generated by Sphinx. +\def\sphinxdocclass{report} +\documentclass[letterpaper,10pt,english]{sphinxmanual} +\usepackage[utf8]{inputenc} +\DeclareUnicodeCharacter{00A0}{\nobreakspace} +\usepackage{cmap} +\usepackage[T1]{fontenc} +\usepackage{babel} +\usepackage{times} +\usepackage[Bjarne]{fncychap} +\usepackage{longtable} +\usepackage{sphinx} +\usepackage{multirow} + + +\title{Kerberos Concepts} +\date{ } +\release{1.15.1} +\author{MIT} +\newcommand{\sphinxlogo}{} +\renewcommand{\releasename}{Release} +\makeindex + +\makeatletter +\def\PYG@reset{\let\PYG@it=\relax \let\PYG@bf=\relax% + \let\PYG@ul=\relax \let\PYG@tc=\relax% + \let\PYG@bc=\relax \let\PYG@ff=\relax} +\def\PYG@tok#1{\csname PYG@tok@#1\endcsname} +\def\PYG@toks#1+{\ifx\relax#1\empty\else% + \PYG@tok{#1}\expandafter\PYG@toks\fi} +\def\PYG@do#1{\PYG@bc{\PYG@tc{\PYG@ul{% + \PYG@it{\PYG@bf{\PYG@ff{#1}}}}}}} +\def\PYG#1#2{\PYG@reset\PYG@toks#1+\relax+\PYG@do{#2}} + +\expandafter\def\csname PYG@tok@gd\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.63,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gu\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.50,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@gt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.27,0.87}{##1}}} +\expandafter\def\csname PYG@tok@gs\endcsname{\let\PYG@bf=\textbf} +\expandafter\def\csname PYG@tok@gr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{1.00,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@cm\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@vg\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@m\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@cs\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\colorbox[rgb]{1.00,0.94,0.94}{\strut ##1}}} +\expandafter\def\csname PYG@tok@ge\endcsname{\let\PYG@it=\textit} +\expandafter\def\csname PYG@tok@vc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@il\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@go\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.20,0.20,0.20}{##1}}} +\expandafter\def\csname PYG@tok@cp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@gi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.63,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gh\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@ni\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.84,0.33,0.22}{##1}}} +\expandafter\def\csname PYG@tok@nl\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.13,0.44}{##1}}} +\expandafter\def\csname PYG@tok@nn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@no\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.38,0.68,0.84}{##1}}} +\expandafter\def\csname PYG@tok@na\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@nb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@nd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.33,0.33,0.33}{##1}}} +\expandafter\def\csname PYG@tok@ne\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} +\expandafter\def\csname PYG@tok@si\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.44,0.63,0.82}{##1}}} +\expandafter\def\csname PYG@tok@s2\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@vi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@nt\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.45}{##1}}} +\expandafter\def\csname PYG@tok@nv\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@s1\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@gp\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@sh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@ow\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@sx\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@bp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c1\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@kc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@mf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@err\endcsname{\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\fcolorbox[rgb]{1.00,0.00,0.00}{1,1,1}{\strut ##1}}} +\expandafter\def\csname PYG@tok@kd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@ss\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.32,0.47,0.09}{##1}}} +\expandafter\def\csname PYG@tok@sr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.14,0.33,0.53}{##1}}} +\expandafter\def\csname PYG@tok@mo\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@kn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@o\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.40,0.40,0.40}{##1}}} +\expandafter\def\csname PYG@tok@kr\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@s\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@kp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@w\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.73,0.73}{##1}}} +\expandafter\def\csname PYG@tok@kt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.56,0.13,0.00}{##1}}} +\expandafter\def\csname PYG@tok@sc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@k\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@se\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sd\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} + +\def\PYGZbs{\char`\\} +\def\PYGZus{\char`\_} +\def\PYGZob{\char`\{} +\def\PYGZcb{\char`\}} +\def\PYGZca{\char`\^} +\def\PYGZam{\char`\&} +\def\PYGZlt{\char`\<} +\def\PYGZgt{\char`\>} +\def\PYGZsh{\char`\#} +\def\PYGZpc{\char`\%} +\def\PYGZdl{\char`\$} +\def\PYGZhy{\char`\-} +\def\PYGZsq{\char`\'} +\def\PYGZdq{\char`\"} +\def\PYGZti{\char`\~} +% for compatibility with earlier versions +\def\PYGZat{@} +\def\PYGZlb{[} +\def\PYGZrb{]} +\makeatother + +\begin{document} + +\maketitle +\tableofcontents +\phantomsection\label{basic/index::doc} + + + +\chapter{Credential cache} +\label{basic/ccache_def:basic-concepts}\label{basic/ccache_def::doc}\label{basic/ccache_def:credential-cache}\label{basic/ccache_def:ccache-definition}\label{basic/ccache_def:kerberos-v5-concepts} +A credential cache (or ``ccache'') holds Kerberos credentials while they +remain valid and, generally, while the user's session lasts, so that +authenticating to a service multiple times (e.g., connecting to a web +or mail server more than once) doesn't require contacting the KDC +every time. + +A credential cache usually contains one initial ticket which is +obtained using a password or another form of identity verification. +If this ticket is a ticket-granting ticket, it can be used to obtain +additional credentials without the password. Because the credential +cache does not store the password, less long-term damage can be done +to the user's account if the machine is compromised. + +A credentials cache stores a default client principal name, set when +the cache is created. This is the name shown at the top of the +\emph{klist(1)} \emph{-A} output. + +Each normal cache entry includes a service principal name, a client +principal name (which, in some ccache types, need not be the same as +the default), lifetime information, and flags, along with the +credential itself. There are also other entries, indicated by special +names, that store additional information. + + +\section{ccache types} +\label{basic/ccache_def:ccache-types} +The credential cache interface, like the {\hyperref[basic/keytab_def:keytab-definition]{\emph{keytab}}} and +{\hyperref[basic/rcache_def:rcache-definition]{\emph{replay cache}}} interfaces, uses \emph{TYPE:value} strings to +indicate the type of credential cache and any associated cache naming +data to use. + +There are several kinds of credentials cache supported in the MIT +Kerberos library. Not all are supported on every platform. In most +cases, it should be correct to use the default type built into the +library. +\begin{enumerate} +\item {} +\textbf{API} is only implemented on Windows. It communicates with a +server process that holds the credentials in memory for the user, +rather than writing them to disk. + +\item {} +\textbf{DIR} points to the storage location of the collection of the +credential caches in \emph{FILE:} format. It is most useful when dealing +with multiple Kerberos realms and KDCs. For release 1.10 the +directory must already exist. In post-1.10 releases the +requirement is for parent directory to exist and the current +process must have permissions to create the directory if it does +not exist. See {\hyperref[basic/ccache_def:col-ccache]{\emph{Collections of caches}}} for details. New in release 1.10. + +\item {} +\textbf{FILE} caches are the simplest and most portable. A simple flat +file format is used to store one credential after another. This is +the default ccache type if no type is specified in a ccache name. + +\item {} +\textbf{KCM} caches work by contacting a daemon process called \code{kcm} +to perform cache operations. If the cache name is just \code{KCM:}, +the default cache as determined by the KCM daemon will be used. +Newly created caches must generally be named \code{KCM:uid:name}, +where \emph{uid} is the effective user ID of the running process. + +KCM client support is new in release 1.13. A KCM daemon has not +yet been implemented in MIT krb5, but the client will interoperate +with the KCM daemon implemented by Heimdal. OS X 10.7 and higher +provides a KCM daemon as part of the operating system, and the +\textbf{KCM} cache type is used as the default cache on that platform in +a default build. + +\item {} +\textbf{KEYRING} is Linux-specific, and uses the kernel keyring support +to store credential data in unswappable kernel memory where only +the current user should be able to access it. The following +residual forms are supported: +\begin{itemize} +\item {} +KEYRING:name + +\item {} +KEYRING:process:name - process keyring + +\item {} +KEYRING:thread:name - thread keyring + +\end{itemize} + +Starting with release 1.12 the \emph{KEYRING} type supports collections. +The following new residual forms were added: +\begin{itemize} +\item {} +KEYRING:session:name - session keyring + +\item {} +KEYRING:user:name - user keyring + +\item {} +KEYRING:persistent:uidnumber - persistent per-UID collection. +Unlike the user keyring, this collection survives after the user +logs out, until the cache credentials expire. This type of +ccache requires support from the kernel; otherwise, it will fall +back to the user keyring. + +\end{itemize} + +See {\hyperref[basic/ccache_def:col-ccache]{\emph{Collections of caches}}} for details. + +\item {} +\textbf{MEMORY} caches are for storage of credentials that don't need to +be made available outside of the current process. For example, a +memory ccache is used by \emph{kadmin(1)} to store the +administrative ticket used to contact the admin server. Memory +ccaches are faster than file ccaches and are automatically +destroyed when the process exits. + +\item {} +\textbf{MSLSA} is a Windows-specific cache type that accesses the +Windows credential store. + +\end{enumerate} + + +\section{Collections of caches} +\label{basic/ccache_def:collections-of-caches}\label{basic/ccache_def:col-ccache} +Some credential cache types can support collections of multiple +caches. One of the caches in the collection is designated as the +\emph{primary} and will be used when the collection is resolved as a cache. +When a collection-enabled cache type is the default cache for a +process, applications can search the specified collection for a +specific client principal, and GSSAPI applications will automatically +select between the caches in the collection based on criteria such as +the target service realm. + +Credential cache collections are new in release 1.10, with support +from the \textbf{DIR} and \textbf{API} ccache types. Starting in release 1.12, +collections are also supported by the \textbf{KEYRING} ccache type. +Collections are supported by the \textbf{KCM} ccache type in release 1.13. + + +\subsection{Tool alterations to use cache collection} +\label{basic/ccache_def:tool-alterations-to-use-cache-collection}\begin{itemize} +\item {} +\emph{kdestroy(1)} \emph{-A} will destroy all caches in the collection. + +\item {} +If the default cache type supports switching, \emph{kinit(1)} +\emph{princname} will search the collection for a matching cache and +store credentials there, or will store credentials in a new unique +cache of the default type if no existing cache for the principal +exists. Either way, kinit will switch to the selected cache. + +\item {} +\emph{klist(1)} \emph{-l} will list the caches in the collection. + +\item {} +\emph{klist(1)} \emph{-A} will show the content of all caches in the +collection. + +\item {} +\emph{kswitch(1)} \emph{-p princname} will search the collection for a +matching cache and switch to it. + +\item {} +\emph{kswitch(1)} \emph{-c cachename} will switch to a specified cache. + +\end{itemize} + + +\section{Default ccache name} +\label{basic/ccache_def:default-ccache-name} +The default credential cache name is determined by the following, in +descending order of priority: +\begin{enumerate} +\item {} +The \textbf{KRB5CCNAME} environment variable. For example, +\code{KRB5CCNAME=DIR:/mydir/}. + +\item {} +The \textbf{default\_ccache\_name} profile variable in \emph{libdefaults}. + +\item {} +The hardcoded default, \emph{DEFCCNAME}. + +\end{enumerate} + + +\chapter{keytab} +\label{basic/keytab_def:keytab}\label{basic/keytab_def::doc}\label{basic/keytab_def:keytab-definition} +A keytab (short for ``key table'') stores long-term keys for one or more +principals. Keytabs are normally represented by files in a standard +format, although in rare cases they can be represented in other ways. +Keytabs are used most often to allow server applications to accept +authentications from clients, but can also be used to obtain initial +credentials for client applications. + +Keytabs are named using the format \emph{type}\code{:}\emph{value}. Usually +\emph{type} is \code{FILE} and \emph{value} is the absolute pathname of the file. +Other possible values for \emph{type} are \code{SRVTAB}, which indicates a +file in the deprecated Kerberos 4 srvtab format, and \code{MEMORY}, which +indicates a temporary keytab stored in the memory of the current +process. + +A keytab contains one or more entries, where each entry consists of a +timestamp (indicating when the entry was written to the keytab), a +principal name, a key version number, an encryption type, and the +encryption key itself. + +A keytab can be displayed using the \emph{klist(1)} command with the +\code{-k} option. Keytabs can be created or appended to by extracting +keys from the KDC database using the \emph{kadmin(1)} \emph{ktadd} +command. Keytabs can be manipulated using the \emph{ktutil(1)} and +\emph{k5srvutil(1)} commands. + + +\section{Default keytab} +\label{basic/keytab_def:default-keytab} +The default keytab is used by server applications if the application +does not request a specific keytab. The name of the default keytab is +determined by the following, in decreasing order of preference: +\begin{enumerate} +\item {} +The \textbf{KRB5\_KTNAME} environment variable. + +\item {} +The \textbf{default\_keytab\_name} profile variable in \emph{libdefaults}. + +\item {} +The hardcoded default, \emph{DEFKTNAME}. + +\end{enumerate} + + +\section{Default client keytab} +\label{basic/keytab_def:default-client-keytab} +The default client keytab is used, if it is present and readable, to +automatically obtain initial credentials for GSSAPI client +applications. The principal name of the first entry in the client +keytab is used by default when obtaining initial credentials. The +name of the default client keytab is determined by the following, in +decreasing order of preference: +\begin{enumerate} +\item {} +The \textbf{KRB5\_CLIENT\_KTNAME} environment variable. + +\item {} +The \textbf{default\_client\_keytab\_name} profile variable in +\emph{libdefaults}. + +\item {} +The hardcoded default, \emph{DEFCKTNAME}. + +\end{enumerate} + + +\chapter{replay cache} +\label{basic/rcache_def:replay-cache}\label{basic/rcache_def:rcache-definition}\label{basic/rcache_def::doc} +A replay cache (or ``rcache'') keeps track of all authenticators +recently presented to a service. If a duplicate authentication +request is detected in the replay cache, an error message is sent to +the application program. + +The replay cache interface, like the credential cache and +{\hyperref[basic/keytab_def:keytab-definition]{\emph{keytab}}} interfaces, uses \emph{type:value} strings to +indicate the type of replay cache and any associated cache naming +data to use. + + +\section{Background information} +\label{basic/rcache_def:background-information} +Some Kerberos or GSSAPI services use a simple authentication mechanism +where a message is sent containing an authenticator, which establishes +the encryption key that the client will use for talking to the +service. But nothing about that prevents an eavesdropper from +recording the messages sent by the client, establishing a new +connection, and re-sending or ``replaying'' the same messages; the +replayed authenticator will establish the same encryption key for the +new session, and the following messages will be decrypted and +processed. The attacker may not know what the messages say, and can't +generate new messages under the same encryption key, but in some +instances it may be harmful to the user (or helpful to the attacker) +to cause the server to see the same messages again a second time. For +example, if the legitimate client sends ``delete first message in +mailbox'', a replay from an attacker may delete another, different +``first'' message. (Protocol design to guard against such problems has +been discussed in \index{RFC!RFC 4120\#section-10}\href{http://tools.ietf.org/html/rfc4120.html\#section-10}{\textbf{RFC 4120}}.) + +Even if one protocol uses further protection to verify that the client +side of the connection actually knows the encryption keys (and thus is +presumably a legitimate user), if another service uses the same +service principal name, it may be possible to record an authenticator +used with the first protocol and ``replay'' it against the second. + +The replay cache mitigates these attacks somewhat, by keeping track of +authenticators that have been seen until their five-minute window +expires. Different authenticators generated by multiple connections +from the same legitimate client will generally have different +timestamps, and thus will not be considered the same. + +This mechanism isn't perfect. If a message is sent to one application +server but a man-in-the-middle attacker can prevent it from actually +arriving at that server, the attacker could then use the authenticator +(once!) against a different service on the same host. This could be a +problem if the message from the client included something more than +authentication in the first message that could be useful to the +attacker (which is uncommon; in most protocols the server has to +indicate a successful authentication before the client sends +additional messages), or if the simple act of presenting the +authenticator triggers some interesting action in the service being +attacked. + + +\section{Default rcache type} +\label{basic/rcache_def:default-rcache-type} +There is currently only one implemented kind of replay cache, called +\textbf{dfl}. It stores replay data in one file, occasionally rewriting it +to purge old, expired entries. + +The default type can be overridden by the \textbf{KRB5RCACHETYPE} +environment variable. + +The placement of the replay cache file is determined by the following: +\begin{enumerate} +\item {} +The \textbf{KRB5RCACHEDIR} environment variable; + +\item {} +If KRB5RCACHEDIR is unspecified, on UNIX, the library +will fall back to the environment variable \textbf{TMPDIR}, and then to +a temporary directory determined at configuration time such as +\emph{/tmp} or \emph{/var/tmp}; on Windows, it will check the environment +variables \emph{TEMP} and \emph{TMP}, and fall back to the directory C:\textbackslash{}. + +\end{enumerate} + + +\section{Performance issues} +\label{basic/rcache_def:performance-issues} +Several known minor performance issues that may occur when replay +cache is enabled on the Kerberos system include: delays due to writing +the authenticator data to disk slowing down response time for very +heavily loaded servers, and delays during the rewrite that may be +unacceptable to high-performance services. + +For use cases where replays are adequately defended against for all +protocols using a given service principal name, or where performance +or other considerations outweigh the risk of replays, the special +replay cache type ``none'' can be specified: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{KRB5RCACHETYPE}\PYG{o}{=}\PYG{n}{none} +\end{Verbatim} + +It doesn't record any information about authenticators, and reports +that any authenticator seen is not a replay. + + +\chapter{stash file} +\label{basic/stash_file_def:stash-file}\label{basic/stash_file_def::doc}\label{basic/stash_file_def:stash-definition} +The stash file is a local copy of the master key that resides in +encrypted form on the KDC's local disk. The stash file is used to +authenticate the KDC to itself automatically before starting the +\emph{kadmind(8)} and \emph{krb5kdc(8)} daemons (e.g., as part of the +machine's boot sequence). The stash file, like the keytab file (see +\emph{keytab\_file}) is a potential point-of-entry for a break-in, and +if compromised, would allow unrestricted access to the Kerberos +database. If you choose to install a stash file, it should be +readable only by root, and should exist only on the KDC's local disk. +The file should not be part of any backup of the machine, unless +access to the backup data is secured as tightly as access to the +master password itself. + +\begin{notice}{note}{Note:} +If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. +This means that the KDC will not be able to start automatically, such as after a system reboot. +\end{notice} + + +\chapter{Supported date and time formats} +\label{basic/date_format:supported-date-and-time-formats}\label{basic/date_format::doc}\label{basic/date_format:datetime} + +\section{Time duration} +\label{basic/date_format:duration}\label{basic/date_format:time-duration} +This format is used to express a time duration in the Kerberos +configuration files and user commands. The allowed formats are: +\begin{quote} + +\begin{tabulary}{\linewidth}{|L|L|L|} +\hline + +Format + & +Example + & +Value +\\ +\hline +h:m{[}:s{]} + & +36:00 + & +36 hours +\\ +\hline +NdNhNmNs + & +8h30s + & +8 hours 30 seconds +\\ +\hline +N (number of seconds) + & +3600 + & +1 hour +\\ +\hline\end{tabulary} + +\end{quote} + +Here \emph{N} denotes a number, \emph{d} - days, \emph{h} - hours, \emph{m} - minutes, +\emph{s} - seconds. + +\begin{notice}{note}{Note:} +The time interval should not exceed 2147483647 seconds. +\end{notice} + +Examples: + +\begin{Verbatim}[commandchars=\\\{\}] +Request a ticket valid for one hour, five hours, 30 minutes +and 10 days respectively: + + kinit \PYGZhy{}l 3600 + kinit \PYGZhy{}l 5:00 + kinit \PYGZhy{}l 30m + kinit \PYGZhy{}l \PYGZdq{}10d 0h 0m 0s\PYGZdq{} +\end{Verbatim} + + +\section{getdate time} +\label{basic/date_format:getdate-time}\label{basic/date_format:getdate} +Some of the kadmin and kdb5\_util commands take a date-time in a +human-readable format. Some of the acceptable date-time +strings are: +\begin{quote} + +\begin{tabulary}{\linewidth}{|L|L|L|} +\hline +\textsf{\relax } & \textsf{\relax +Format +} & \textsf{\relax +Example +}\\ +\hline \multirow{3}{*}{ +Date +} & +mm/dd/yy + & +07/27/12 +\\ +\hline & +month dd, yyyy + & +Jul 27, 2012 +\\ +\hline & +yyyy-mm-dd + & +2012-07-27 +\\ +\hline \multirow{2}{*}{ +Absolute +time +} & +HH:mm{[}:ss{]}pp + & +08:30 PM +\\ +\hline & +hh:mm{[}:ss{]} + & +20:30 +\\ +\hline +Relative +time + & +N tt + & +30 sec +\\ +\hline \multirow{2}{*}{ +Time zone +} & +Z + & +EST +\\ +\hline & +z + & +-0400 +\\ +\hline\end{tabulary} + +\end{quote} + +(See {\hyperref[basic/date_format:abbreviation]{\emph{Abbreviations used in this document}}}.) + +Examples: + +\begin{Verbatim}[commandchars=\\\{\}] +Create a principal that expires on the date indicated: + addprinc test1 \PYGZhy{}expire \PYGZdq{}3/27/12 10:00:07 EST\PYGZdq{} + addprinc test2 \PYGZhy{}expire \PYGZdq{}January 23, 2015 10:05pm\PYGZdq{} + addprinc test3 \PYGZhy{}expire \PYGZdq{}22:00 GMT\PYGZdq{} +Add a principal that will expire in 30 minutes: + addprinc test4 \PYGZhy{}expire \PYGZdq{}30 minutes\PYGZdq{} +\end{Verbatim} + + +\section{Absolute time} +\label{basic/date_format:abstime}\label{basic/date_format:absolute-time} +This rarely used date-time format can be noted in one of the +following ways: +\begin{quote} + +\begin{tabulary}{\linewidth}{|L|L|L|} +\hline +\textsf{\relax +Format +} & \textsf{\relax +Example +} & \textsf{\relax +Value +}\\ +\hline +yyyymmddhhmmss + & +20141231235900 + & \multirow{5}{*}{ +One minute +before 2015 +}\\ +\hline +yyyy.mm.dd.hh.mm.ss + & +2014.12.31.23.59.00 + & \\ +\hline +yymmddhhmmss + & +141231235900 + & \\ +\hline +yy.mm.dd.hh.mm.ss + & +14.12.31.23.59.00 + & \\ +\hline +dd-month-yyyy:hh:mm:ss + & +31-Dec-2014:23:59:00 + & \\ +\hline +hh:mm:ss + & +20:00:00 + & \multirow{2}{*}{ +8 o'clock in +the evening +}\\ +\hline +hhmmss + & +200000 + & \\ +\hline\end{tabulary} + +\end{quote} + +(See {\hyperref[basic/date_format:abbreviation]{\emph{Abbreviations used in this document}}}.) + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +Set the default expiration date to July 27, 2012 at 20:30 +default\PYGZus{}principal\PYGZus{}expiration = 20120727203000 +\end{Verbatim} + + +\subsection{Abbreviations used in this document} +\label{basic/date_format:abbreviation}\label{basic/date_format:abbreviations-used-in-this-document} +\begin{DUlineblock}{0em} +\item[] \emph{month} : locale’s month name or its abbreviation; +\item[] \emph{dd} : day of month (01-31); +\item[] \emph{HH} : hours (00-12); +\item[] \emph{hh} : hours (00-23); +\item[] \emph{mm} : in time - minutes (00-59); in date - month (01-12); +\item[] \emph{N} : number; +\item[] \emph{pp} : AM or PM; +\item[] \emph{ss} : seconds (00-60); +\item[] \emph{tt} : time units (hours, minutes, min, seconds, sec); +\item[] \emph{yyyy} : year; +\item[] \emph{yy} : last two digits of the year; +\item[] \emph{Z} : alphabetic time zone abbreviation; +\item[] \emph{z} : numeric time zone; +\end{DUlineblock} + +\begin{notice}{note}{Note:}\begin{itemize} +\item {} +If the date specification contains spaces, you may need to +enclose it in double quotes; + +\item {} +All keywords are case-insensitive. + +\end{itemize} +\end{notice} + + + +\renewcommand{\indexname}{Index} +\printindex +\end{document} diff --git a/doc/pdf/build.pdf b/doc/pdf/build.pdf Binary files differnew file mode 100644 index 000000000000..4313a70dca43 --- /dev/null +++ b/doc/pdf/build.pdf diff --git a/doc/pdf/build.tex b/doc/pdf/build.tex new file mode 100644 index 000000000000..43c9d606edb1 --- /dev/null +++ b/doc/pdf/build.tex @@ -0,0 +1,993 @@ +% Generated by Sphinx. +\def\sphinxdocclass{report} +\documentclass[letterpaper,10pt,english]{sphinxmanual} +\usepackage[utf8]{inputenc} +\DeclareUnicodeCharacter{00A0}{\nobreakspace} +\usepackage{cmap} +\usepackage[T1]{fontenc} +\usepackage{babel} +\usepackage{times} +\usepackage[Bjarne]{fncychap} +\usepackage{longtable} +\usepackage{sphinx} +\usepackage{multirow} + + +\title{Building MIT Kerberos} +\date{ } +\release{1.15.1} +\author{MIT} +\newcommand{\sphinxlogo}{} +\renewcommand{\releasename}{Release} +\makeindex + +\makeatletter +\def\PYG@reset{\let\PYG@it=\relax \let\PYG@bf=\relax% + \let\PYG@ul=\relax \let\PYG@tc=\relax% + \let\PYG@bc=\relax \let\PYG@ff=\relax} +\def\PYG@tok#1{\csname PYG@tok@#1\endcsname} +\def\PYG@toks#1+{\ifx\relax#1\empty\else% + \PYG@tok{#1}\expandafter\PYG@toks\fi} +\def\PYG@do#1{\PYG@bc{\PYG@tc{\PYG@ul{% + \PYG@it{\PYG@bf{\PYG@ff{#1}}}}}}} +\def\PYG#1#2{\PYG@reset\PYG@toks#1+\relax+\PYG@do{#2}} + +\expandafter\def\csname PYG@tok@gd\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.63,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gu\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.50,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@gt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.27,0.87}{##1}}} +\expandafter\def\csname PYG@tok@gs\endcsname{\let\PYG@bf=\textbf} +\expandafter\def\csname PYG@tok@gr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{1.00,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@cm\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@vg\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@m\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@cs\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\colorbox[rgb]{1.00,0.94,0.94}{\strut ##1}}} +\expandafter\def\csname PYG@tok@ge\endcsname{\let\PYG@it=\textit} +\expandafter\def\csname PYG@tok@vc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@il\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@go\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.20,0.20,0.20}{##1}}} +\expandafter\def\csname PYG@tok@cp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@gi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.63,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gh\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@ni\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.84,0.33,0.22}{##1}}} +\expandafter\def\csname PYG@tok@nl\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.13,0.44}{##1}}} +\expandafter\def\csname PYG@tok@nn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@no\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.38,0.68,0.84}{##1}}} +\expandafter\def\csname PYG@tok@na\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@nb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@nd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.33,0.33,0.33}{##1}}} +\expandafter\def\csname PYG@tok@ne\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} +\expandafter\def\csname PYG@tok@si\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.44,0.63,0.82}{##1}}} +\expandafter\def\csname PYG@tok@s2\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@vi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@nt\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.45}{##1}}} +\expandafter\def\csname PYG@tok@nv\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@s1\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@gp\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@sh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@ow\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@sx\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@bp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c1\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@kc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@mf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@err\endcsname{\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\fcolorbox[rgb]{1.00,0.00,0.00}{1,1,1}{\strut ##1}}} +\expandafter\def\csname PYG@tok@kd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@ss\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.32,0.47,0.09}{##1}}} +\expandafter\def\csname PYG@tok@sr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.14,0.33,0.53}{##1}}} +\expandafter\def\csname PYG@tok@mo\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@kn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@o\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.40,0.40,0.40}{##1}}} +\expandafter\def\csname PYG@tok@kr\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@s\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@kp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@w\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.73,0.73}{##1}}} +\expandafter\def\csname PYG@tok@kt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.56,0.13,0.00}{##1}}} +\expandafter\def\csname PYG@tok@sc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@k\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@se\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sd\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} + +\def\PYGZbs{\char`\\} +\def\PYGZus{\char`\_} +\def\PYGZob{\char`\{} +\def\PYGZcb{\char`\}} +\def\PYGZca{\char`\^} +\def\PYGZam{\char`\&} +\def\PYGZlt{\char`\<} +\def\PYGZgt{\char`\>} +\def\PYGZsh{\char`\#} +\def\PYGZpc{\char`\%} +\def\PYGZdl{\char`\$} +\def\PYGZhy{\char`\-} +\def\PYGZsq{\char`\'} +\def\PYGZdq{\char`\"} +\def\PYGZti{\char`\~} +% for compatibility with earlier versions +\def\PYGZat{@} +\def\PYGZlb{[} +\def\PYGZrb{]} +\makeatother + +\begin{document} + +\maketitle +\tableofcontents +\phantomsection\label{build/index::doc} + + +This section details how to build and install MIT Kerberos software +from the source. + + +\chapter{Prerequisites} +\label{build/index:building-kerberos-v5}\label{build/index:prerequisites}\label{build/index:build-v5} +In order to build Kerberos V5, you will need approximately 60-70 +megabytes of disk space. The exact amount will vary depending on the +platform and whether the distribution is compiled with debugging +symbol tables or not. + +Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, ``c89''). +Some operating systems do not have an ANSI C compiler, or their +default compiler requires extra command-line options to enable ANSI C +conformance. + +If you wish to keep a separate build tree, which contains the compiled +*.o file and executables, separate from your source tree, you will +need a make program which supports \textbf{VPATH}, or you will need to use +a tool such as lndir to produce a symbolic link tree for your build +tree. + + +\chapter{Obtaining the software} +\label{build/index:obtaining-the-software} +The source code can be obtained from MIT Kerberos Distribution page, +at \href{http://web.mit.edu/kerberos/dist/index.html}{http://web.mit.edu/kerberos/dist/index.html}. +The MIT Kerberos distribution comes in an archive file, generally +named krb5-VERSION-signed.tar, where \emph{VERSION} is a placeholder for +the major and minor versions of MIT Kerberos. (For example, MIT +Kerberos 1.9 has major version ``1'' and minor version ``9''.) + +The krb5-VERSION-signed.tar contains a compressed tar file consisting +of the sources for all of Kerberos (generally named +krb5-VERSION.tar.gz) and a PGP signature file for this source tree +(generally named krb5-VERSION.tar.gz.asc). MIT highly recommends that +you verify the integrity of the source code using this signature, +e.g., by running: + +\begin{Verbatim}[commandchars=\\\{\}] +tar xf krb5\PYGZhy{}VERSION\PYGZhy{}signed.tar +gpg \PYGZhy{}\PYGZhy{}verify krb5\PYGZhy{}VERSION.tar.gz.asc +\end{Verbatim} + +Unpack krb5-VERSION.tar.gz in some directory. In this section we will assume +that you have chosen the top directory of the distribution the directory +\code{/u1/krb5-VERSION}. + +Review the README file for the license, copyright and other sprecific to the +distribution information. + + +\chapter{Contents} +\label{build/index:contents} + +\section{Organization of the source directory} +\label{build/directory_org::doc}\label{build/directory_org:organization-of-the-source-directory} +Below is a brief overview of the organization of the complete source +directory. More detailed descriptions follow. + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +appl + & +Kerberos application client and server programs +\\ +\hline +ccapi + & +Credential cache services +\\ +\hline +clients + & +Kerberos V5 user programs (See \emph{user\_commands}) +\\ +\hline +config + & +Configure scripts +\\ +\hline +config-files + & +Sample Kerberos configuration files +\\ +\hline +include + & +include files needed to build the Kerberos system +\\ +\hline +kadmin + & +Administrative interface to the Kerberos master database: \emph{kadmin(1)}, \emph{kdb5\_util(8)}, \emph{ktutil(1)}. +\\ +\hline +kdc + & +Kerberos V5 Authentication Service and Key Distribution Center +\\ +\hline +{\hyperref[build/directory_org:lib]{lib}} + & +Libraries for use with/by Kerberos V5 +\\ +\hline +plugins + & +Kerberos plugins directory +\\ +\hline +po + & +Localization infrastructure +\\ +\hline +prototype + & +Templates files containing the MIT copyright message and a placeholder for the title and description of the file. +\\ +\hline +slave + & +Utilities for propagating the database to slave KDCs \emph{kprop(8)} and \emph{kpropd(8)} +\\ +\hline +tests + & +Test suite +\\ +\hline +{\hyperref[build/directory_org:util]{util}} + & +Various utilities for building/configuring the code, sending bug reports, etc. +\\ +\hline +windows + & +Source code for building Kerberos V5 on Windows (see windows/README) +\\ +\hline\end{tabulary} + + + +\subsection{lib} +\label{build/directory_org:lib}\label{build/directory_org:id1} +The lib directory contain several subdirectories as well as some +definition and glue files. +\begin{itemize} +\item {} +The apputils directory contains the code for the generic network +servicing. + +\item {} +The crypto subdirectory contains the Kerberos V5 encryption +library. + +\item {} +The gssapi library contains the Generic Security Services API, +which is a library of commands to be used in secure client-server +communication. + +\item {} +The kadm5 directory contains the libraries for the KADM5 +administration utilities. + +\item {} +The Kerberos 5 database libraries are contained in kdb. + +\item {} +The krb5 directory contains Kerberos 5 API. + +\item {} +The rpc directory contains the API for the Kerberos Remote +Procedure Call protocol. + +\end{itemize} + + +\subsection{util} +\label{build/directory_org:util}\label{build/directory_org:id2}\begin{description} +\item[{The util directory contains several utility programs and libraries.}] \leavevmode\begin{itemize} +\item {} +the programs used to configure and build the code, such as +autoconf, lndir, kbuild, reconf, and makedepend, are in this +directory. + +\item {} +the profile directory contains most of the functions which parse +the Kerberos configuration files (krb5.conf and kdc.conf). + +\item {} +the Kerberos error table library and utilities (et); + +\item {} +the Sub-system library and utilities (ss); + +\item {} +database utilities (db2); + +\item {} +pseudo-terminal utilities (pty); + +\item {} +bug-reporting program send-pr; + +\item {} +a generic support library support used by several of our other +libraries; + +\item {} +the build infrastructure for building lightweight Kerberos client +(collected-client-lib) + +\item {} +the tool for validating Kerberos configuration files +(confvalidator); + +\item {} +the toolkit for kernel integrators for building krb5 code subsets +(gss-kernel-lib); + +\item {} +source code for building Kerberos V5 on MacOS (mac) + +\item {} +Windows getopt operations (windows) + +\end{itemize} + +\end{description} + + +\section{Doing the build} +\label{build/doing_build::doc}\label{build/doing_build:doing-the-build} + +\subsection{Building within a single tree} +\label{build/doing_build:do-build}\label{build/doing_build:building-within-a-single-tree} +If you only need to build Kerberos for one platform, using a single +directory tree which contains both the source files and the object +files is the simplest. However, if you need to maintain Kerberos for +a large number of platforms, you will probably want to use separate +build trees for each platform. We recommend that you look at OS +Incompatibilities, for notes that we have on particular operating +systems. + +If you don't want separate build trees for each architecture, then use +the following abbreviated procedure: + +\begin{Verbatim}[commandchars=\\\{\}] +cd /u1/krb5\PYGZhy{}VERSION/src +./configure +make +\end{Verbatim} + +That's it! + + +\subsection{Building with separate build directories} +\label{build/doing_build:building-with-separate-build-directories} +If you wish to keep separate build directories for each platform, you +can do so using the following procedure. (Note, this requires that +your make program support VPATH. GNU's make will provide this +functionality, for example.) If your make program does not support +this, see the next section. + +For example, if you wish to store the binaries in \code{tmpbuild} build +directory you might use the following procedure: + +\begin{Verbatim}[commandchars=\\\{\}] +mkdir /u1/tmpbuild +cd /u1/tmpbuild +/u1/krb5\PYGZhy{}VERSION/src/configure +make +\end{Verbatim} + + +\subsection{Building using lndir} +\label{build/doing_build:building-using-lndir} +If you wish to keep separate build directories for each platform, and +you do not have access to a make program which supports VPATH, all is +not lost. You can use the lndir program to create symbolic link trees +in your build directory. + +For example, if you wish to create a build directory for solaris +binaries you might use the following procedure: + +\begin{Verbatim}[commandchars=\\\{\}] +mkdir /u1/krb5\PYGZhy{}VERSION/solaris +cd /u1/krb5\PYGZhy{}VERSION/solaris +/u1/krb5\PYGZhy{}VERSION/src/util/lndir {}`pwd{}`/../src +./configure +make +\end{Verbatim} + +You must give an absolute pathname to lndir because it has a bug that +makes it fail for relative pathnames. Note that this version differs +from the latest version as distributed and installed by the +XConsortium with X11R6. Either version should be acceptable. + + +\subsection{Installing the binaries} +\label{build/doing_build:installing-the-binaries} +Once you have built Kerberos, you should install the binaries. You can +do this by running: + +\begin{Verbatim}[commandchars=\\\{\}] +make install +\end{Verbatim} + +If you want to install the binaries into a destination directory that +is not their final destination, which may be convenient if you want to +build a binary distribution to be deployed on multiple hosts, you may +use: + +\begin{Verbatim}[commandchars=\\\{\}] +make install DESTDIR=/path/to/destdir +\end{Verbatim} + +This will install the binaries under \emph{DESTDIR/PREFIX}, e.g., the user +programs will install into \emph{DESTDIR/PREFIX/bin}, the libraries into +\emph{DESTDIR/PREFIX/lib}, etc. + +Some implementations of make allow multiple commands to be run in +parallel, for faster builds. We test our Makefiles in parallel builds +with GNU make only; they may not be compatible with other parallel +build implementations. + + +\subsection{Testing the build} +\label{build/doing_build:testing-the-build} +The Kerberos V5 distribution comes with built-in regression tests. To +run them, simply type the following command while in the top-level +build directory (i.e., the directory where you sent typed make to +start building Kerberos; see {\hyperref[build/doing_build:do-build]{\emph{Building within a single tree}}}): + +\begin{Verbatim}[commandchars=\\\{\}] +make check +\end{Verbatim} + +However, there are several prerequisites that must be satisfied first: +\begin{itemize} +\item {} +Configure and build Kerberos with Tcl support. Tcl is used to drive +the test suite. This often means passing \textbf{-}\textbf{-with-tcl} to +configure to tell it the location of the Tcl configuration +script. (See {\hyperref[build/options2configure:options2configure]{\emph{Options to configure}}}.) + +\item {} +In addition to Tcl, DejaGnu must be available on the system for some +of the tests to run. The test suite will still run the other tests +if DejaGnu is not present, but the test coverage will be reduced +accordingly. + +\item {} +On some operating systems, you have to run \code{make install} before +running \code{make check}, or the test suite will pick up installed +versions of Kerberos libraries rather than the newly built ones. +You can install into a prefix that isn't in the system library +search path, though. Alternatively, you can configure with +\textbf{-}\textbf{-disable-rpath}, which renders the build tree less suitable for +installation, but allows testing without interference from +previously installed libraries. + +\end{itemize} + +There are additional regression tests available, which are not run +by \code{make check}. These tests require manual setup and teardown of +support infrastructure which is not easily automated, or require +excessive resources for ordinary use. The procedure for running +the manual tests is documented at +\href{http://k5wiki.kerberos.org/wiki/Manual\_Testing}{http://k5wiki.kerberos.org/wiki/Manual\_Testing}. + + +\subsection{Cleaning up the build} +\label{build/doing_build:cleaning-up-the-build}\begin{itemize} +\item {} +Use \code{make clean} to remove all files generated by running make +command. + +\item {} +Use \code{make distclean} to remove all files generated by running +./configure script. After running \code{make distclean} your source +tree (ideally) should look like the raw (just un-tarred) source +tree. + +\end{itemize} + + +\subsection{Using autoconf} +\label{build/doing_build:using-autoconf} +(If you are not a developer, you can ignore this section.) + +In the Kerberos V5 source directory, there is a configure script which +automatically determines the compilation environment and creates the +proper Makefiles for a particular platform. This configure script is +generated using autoconf, which you should already have installed if +you will be making changes to \code{src/configure.in}. + +Normal users will not need to worry about running autoconf; the +distribution comes with the configure script already prebuilt. + +The autoconf package comes with a script called \code{autoreconf} that +will automatically run \code{autoconf} and \code{autoheader} as needed. You +should run \code{autoreconf} from the top source directory, e.g.: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{cd} \PYG{o}{/}\PYG{n}{u1}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{\PYGZhy{}}\PYG{n}{VERSION}\PYG{o}{/}\PYG{n}{src} +\PYG{n}{autoreconf} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{n}{verbose} +\end{Verbatim} + + +\section{Options to \emph{configure}} +\label{build/options2configure:options2configure}\label{build/options2configure::doc}\label{build/options2configure:options-to-configure} +There are a number of options to configure which you can use to +control how the Kerberos distribution is built. + + +\subsection{Most commonly used options} +\label{build/options2configure:most-commonly-used-options}\begin{description} +\item[{\textbf{-}\textbf{-help}}] \leavevmode +Provides help to configure. This will list the set of commonly +used options for building Kerberos. + +\item[{\textbf{-}\textbf{-prefix=}\emph{PREFIX}}] \leavevmode +By default, Kerberos will install the package's files rooted at +\code{/usr/local}. If you desire to place the binaries into the +directory \emph{PREFIX}, use this option. + +\item[{\textbf{-}\textbf{-exec-prefix=}\emph{EXECPREFIX}}] \leavevmode +This option allows one to separate the architecture independent +programs from the host-dependent files (configuration files, +manual pages). Use this option to install architecture-dependent +programs in \emph{EXECPREFIX}. The default location is the value of +specified by \textbf{-}\textbf{-prefix} option. + +\item[{\textbf{-}\textbf{-localstatedir=}\emph{LOCALSTATEDIR}}] \leavevmode +This option sets the directory for locally modifiable +single-machine data. In Kerberos, this mostly is useful for +setting a location for the KDC data files, as they will be +installed in \code{LOCALSTATEDIR/krb5kdc}, which is by default +\code{PREFIX/var/krb5kdc}. + +\item[{\textbf{-}\textbf{-with-netlib}{[}=\emph{libs}{]}}] \leavevmode +Allows for suppression of or replacement of network libraries. By +default, Kerberos V5 configuration will look for \code{-lnsl} and +\code{-lsocket}. If your operating system has a broken resolver +library or fails to pass the tests in \code{src/tests/resolv}, you +will need to use this option. + +\item[{\textbf{-}\textbf{-with-tcl=}\emph{TCLPATH}}] \leavevmode +Some of the unit-tests in the build tree rely upon using a program +in Tcl. The directory specified by \emph{TCLPATH} specifies where the +Tcl header file (TCLPATH/include/tcl.h) as well as where the Tcl +library (TCLPATH/lib) should be found. + +\item[{\textbf{-}\textbf{-enable-dns-for-realm}}] \leavevmode +Enable the use of DNS to look up a host's Kerberos realm, +if the information is not provided in +\emph{krb5.conf(5)}. See \emph{mapping\_hostnames} +for information about using DNS to determine the default realm. +DNS lookups for realm names are disabled by default. + +\item[{\textbf{-}\textbf{-with-system-et}}] \leavevmode +Use an installed version of the error-table (et) support software, +the compile\_et program, the com\_err.h header file and the com\_err +library. If these are not in the default locations, you may wish +to specify \code{CPPFLAGS=-I/some/dir} and +\code{LDFLAGS=-L/some/other/dir} options at configuration time as +well. + +If this option is not given, a version supplied with the Kerberos +sources will be built and installed along with the rest of the +Kerberos tree, for Kerberos applications to link against. + +\item[{\textbf{-}\textbf{-with-system-ss}}] \leavevmode +Use an installed version of the subsystem command-line interface +software, the mk\_cmds program, the \code{ss/ss.h} header file and the +ss library. If these are not in the default locations, you may +wish to specify \code{CPPFLAGS=-I/some/dir} and +\code{LDFLAGS=-L/some/other/dir} options at configuration time as +well. See also the \textbf{SS\_LIB} option. + +If this option is not given, the ss library supplied with the +Kerberos sources will be compiled and linked into those programs +that need it; it will not be installed separately. + +\item[{\textbf{-}\textbf{-with-system-db}}] \leavevmode +Use an installed version of the Berkeley DB package, which must +provide an API compatible with version 1.85. This option is +unsupported and untested. In particular, we do not know if the +database-rename code used in the dumpfile load operation will +behave properly. + +If this option is not given, a version supplied with the Kerberos +sources will be built and installed. (We are not updating this +version at this time because of licensing issues with newer +versions that we haven't investigated sufficiently yet.) + +\end{description} + + +\subsection{Environment variables} +\label{build/options2configure:environment-variables}\begin{description} +\item[{\textbf{CC=}\emph{COMPILER}}] \leavevmode +Use \emph{COMPILER} as the C compiler. + +\item[{\textbf{CFLAGS=}\emph{FLAGS}}] \leavevmode +Use \emph{FLAGS} as the default set of C compiler flags. + +\item[{\textbf{CPP=}\emph{CPP}}] \leavevmode +C preprocessor to use. (e.g., \code{CPP='gcc -E'}) + +\item[{\textbf{CPPFLAGS=}\emph{CPPOPTS}}] \leavevmode +Use \emph{CPPOPTS} as the default set of C preprocessor flags. The +most common use of this option is to select certain \#define's for +use with the operating system's include files. + +\item[{\textbf{DB\_HEADER=}\emph{headername}}] \leavevmode +If db.h is not the correct header file to include to compile +against the Berkeley DB 1.85 API, specify the correct header file +name with this option. For example, \code{DB\_HEADER=db3/db\_185.h}. + +\item[{\textbf{DB\_LIB=}\emph{libs}...}] \leavevmode +If \code{-ldb} is not the correct library specification for the +Berkeley DB library version to be used, override it with this +option. For example, \code{DB\_LIB=-ldb-3.3}. + +\item[{\textbf{DEFCCNAME=}\emph{ccachename}}] \leavevmode +Override the built-in default credential cache name. +For example, \code{DEFCCNAME=DIR:/var/run/user/\%\{USERID\}/ccache} +See \emph{parameter\_expansion} for information about supported +parameter expansions. + +\item[{\textbf{DEFCKTNAME=}\emph{keytabname}}] \leavevmode +Override the built-in default client keytab name. +The format is the same as for \emph{DEFCCNAME}. + +\item[{\textbf{DEFKTNAME=}\emph{keytabname}}] \leavevmode +Override the built-in default keytab name. +The format is the same as for \emph{DEFCCNAME}. + +\item[{\textbf{LD=}\emph{LINKER}}] \leavevmode +Use \emph{LINKER} as the default loader if it should be different from +C compiler as specified above. + +\item[{\textbf{LDFLAGS=}\emph{LDOPTS}}] \leavevmode +This option informs the linker where to get additional libraries +(e.g., \code{-L\textless{}lib dir\textgreater{}}). + +\item[{\textbf{LIBS=}\emph{LDNAME}}] \leavevmode +This option allows one to specify libraries to be passed to the +linker (e.g., \code{-l\textless{}library\textgreater{}}) + +\item[{\textbf{SS\_LIB=}\emph{libs}...}] \leavevmode +If \code{-lss} is not the correct way to link in your installed ss +library, for example if additional support libraries are needed, +specify the correct link options here. Some variants of this +library are around which allow for Emacs-like line editing, but +different versions require different support libraries to be +explicitly specified. + +This option is ignored if \textbf{-}\textbf{-with-system-ss} is not specified. + +\item[{\textbf{YACC}}] \leavevmode +The `Yet Another C Compiler' implementation to use. Defaults to +the first program found out of: `\emph{bison -y}`, `\emph{byacc}`, +`\emph{yacc}`. + +\item[{\textbf{YFLAGS}}] \leavevmode +The list of arguments that will be passed by default to \$YACC. +This script will default YFLAGS to the empty string to avoid a +default value of \code{-d} given by some make applications. + +\end{description} + + +\subsection{Fine tuning of the installation directories} +\label{build/options2configure:fine-tuning-of-the-installation-directories}\begin{description} +\item[{\textbf{-}\textbf{-bindir=}\emph{DIR}}] \leavevmode +User executables. Defaults to \code{EXECPREFIX/bin}, where +\emph{EXECPREFIX} is the path specified by \textbf{-}\textbf{-exec-prefix} +configuration option. + +\item[{\textbf{-}\textbf{-sbindir=}\emph{DIR}}] \leavevmode +System admin executables. Defaults to \code{EXECPREFIX/sbin}, where +\emph{EXECPREFIX} is the path specified by \textbf{-}\textbf{-exec-prefix} +configuration option. + +\item[{\textbf{-}\textbf{-sysconfdir=}\emph{DIR}}] \leavevmode +Read-only single-machine data such as krb5.conf. +Defaults to \code{PREFIX/etc}, where +\emph{PREFIX} is the path specified by \textbf{-}\textbf{-prefix} configuration +option. + +\item[{\textbf{-}\textbf{-libdir=}\emph{DIR}}] \leavevmode +Object code libraries. Defaults to \code{EXECPREFIX/lib}, where +\emph{EXECPREFIX} is the path specified by \textbf{-}\textbf{-exec-prefix} +configuration option. + +\item[{\textbf{-}\textbf{-includedir=}\emph{DIR}}] \leavevmode +C header files. Defaults to \code{PREFIX/include}, where \emph{PREFIX} is +the path specified by \textbf{-}\textbf{-prefix} configuration option. + +\item[{\textbf{-}\textbf{-datarootdir=}\emph{DATAROOTDIR}}] \leavevmode +Read-only architecture-independent data root. Defaults to +\code{PREFIX/share}, where \emph{PREFIX} is the path specified by +\textbf{-}\textbf{-prefix} configuration option. + +\item[{\textbf{-}\textbf{-datadir=}\emph{DIR}}] \leavevmode +Read-only architecture-independent data. Defaults to path +specified by \textbf{-}\textbf{-datarootdir} configuration option. + +\item[{\textbf{-}\textbf{-localedir=}\emph{DIR}}] \leavevmode +Locale-dependent data. Defaults to \code{DATAROOTDIR/locale}, where +\emph{DATAROOTDIR} is the path specified by \textbf{-}\textbf{-datarootdir} +configuration option. + +\item[{\textbf{-}\textbf{-mandir=}\emph{DIR}}] \leavevmode +Man documentation. Defaults to \code{DATAROOTDIR/man}, where +\emph{DATAROOTDIR} is the path specified by \textbf{-}\textbf{-datarootdir} +configuration option. + +\end{description} + + +\subsection{Program names} +\label{build/options2configure:program-names}\begin{description} +\item[{\textbf{-}\textbf{-program-prefix=}\emph{PREFIX}}] \leavevmode +Prepend \emph{PREFIX} to the names of the programs when installing +them. For example, specifying \code{-{-}program-prefix=mit-} at the +configure time will cause the program named \code{abc} to be +installed as \code{mit-abc}. + +\item[{\textbf{-}\textbf{-program-suffix=}\emph{SUFFIX}}] \leavevmode +Append \emph{SUFFIX} to the names of the programs when installing them. +For example, specifying \code{-{-}program-suffix=-mit} at the configure +time will cause the program named \code{abc} to be installed as +\code{abc-mit}. + +\item[{\textbf{-}\textbf{-program-transform-name=}\emph{PROGRAM}}] \leavevmode +Run \code{sed -e PROGRAM} on installed program names. (\emph{PROGRAM} is a +sed script). + +\end{description} + + +\subsection{System types} +\label{build/options2configure:system-types}\begin{description} +\item[{\textbf{-}\textbf{-build=}\emph{BUILD}}] \leavevmode +Configure for building on \emph{BUILD} +(e.g., \code{-{-}build=x86\_64-linux-gnu}). + +\item[{\textbf{-}\textbf{-host=}\emph{HOST}}] \leavevmode +Cross-compile to build programs to run on \emph{HOST} +(e.g., \code{-{-}host=x86\_64-linux-gnu}). By default, Kerberos V5 +configuration will look for ``build'' option. + +\end{description} + + +\subsection{Optional features} +\label{build/options2configure:optional-features}\begin{description} +\item[{\textbf{-}\textbf{-disable-option-checking}}] \leavevmode +Ignore unrecognized --enable/--with options. + +\item[{\textbf{-}\textbf{-disable-}\emph{FEATURE}}] \leavevmode +Do not include \emph{FEATURE} (same as --enable-FEATURE=no). + +\item[{\textbf{-}\textbf{-enable-}\emph{FEATURE}{[}=\emph{ARG}{]}}] \leavevmode +Include \emph{FEATURE} {[}ARG=yes{]}. + +\item[{\textbf{-}\textbf{-enable-maintainer-mode}}] \leavevmode +Enable rebuilding of source files, Makefiles, etc. + +\item[{\textbf{-}\textbf{-disable-delayed-initialization}}] \leavevmode +Initialize library code when loaded. Defaults to delay until +first use. + +\item[{\textbf{-}\textbf{-disable-thread-support}}] \leavevmode +Don't enable thread support. Defaults to enabled. + +\item[{\textbf{-}\textbf{-disable-rpath}}] \leavevmode +Suppress run path flags in link lines. + +\item[{\textbf{-}\textbf{-enable-athena}}] \leavevmode +Build with MIT Project Athena configuration. + +\item[{\textbf{-}\textbf{-disable-kdc-lookaside-cache}}] \leavevmode +Disable the cache which detects client retransmits. + +\item[{\textbf{-}\textbf{-disable-pkinit}}] \leavevmode +Disable PKINIT plugin support. + +\item[{\textbf{-}\textbf{-disable-aesni}}] \leavevmode +Disable support for using AES instructions on x86 platforms. + +\item[{\textbf{-}\textbf{-enable-asan}{[}=\emph{ARG}{]}}] \leavevmode +Enable building with asan memory error checking. If \emph{ARG} is +given, it controls the -fsanitize compilation flag value (the +default is ``address''). + +\end{description} + + +\subsection{Optional packages} +\label{build/options2configure:optional-packages}\begin{description} +\item[{\textbf{-}\textbf{-with-}\emph{PACKAGE}{[}=ARG{]}}] \leavevmode +Use \emph{PACKAGE} (e.g., \code{-{-}with-imap}). The default value of \emph{ARG} +is \code{yes}. + +\item[{\textbf{-}\textbf{-without-}\emph{PACKAGE}}] \leavevmode +Do not use \emph{PACKAGE} (same as \code{-{-}with-PACKAGE=no}) +(e.g., \code{-{-}without-libedit}). + +\item[{\textbf{-}\textbf{-with-size-optimizations}}] \leavevmode +Enable a few optimizations to reduce code size possibly at some +run-time cost. + +\item[{\textbf{-}\textbf{-with-system-et}}] \leavevmode +Use the com\_err library and compile\_et utility that are already +installed on the system, instead of building and installing +local versions. + +\item[{\textbf{-}\textbf{-with-system-ss}}] \leavevmode +Use the ss library and mk\_cmds utility that are already installed +on the system, instead of building and using private versions. + +\item[{\textbf{-}\textbf{-with-system-db}}] \leavevmode +Use the berkeley db utility already installed on the system, +instead of using a private version. This option is not +recommended; enabling it may result in incompatibility with key +databases originating on other systems. + +\item[{\textbf{-}\textbf{-with-netlib=}\emph{LIBS}}] \leavevmode +Use the resolver library specified in \emph{LIBS}. Use this variable +if the C library resolver is insufficient or broken. + +\item[{\textbf{-}\textbf{-with-hesiod=}\emph{path}}] \leavevmode +Compile with Hesiod support. The \emph{path} points to the Hesiod +directory. By default Hesiod is unsupported. + +\item[{\textbf{-}\textbf{-with-ldap}}] \leavevmode +Compile OpenLDAP database backend module. + +\item[{\textbf{-}\textbf{-with-tcl=}\emph{path}}] \leavevmode +Specifies that \emph{path} is the location of a Tcl installation. +Tcl is needed for some of the tests run by `make check'; such tests +will be skipped if this option is not set. + +\item[{\textbf{-}\textbf{-with-vague-errors}}] \leavevmode +Do not send helpful errors to client. For example, if the KDC +should return only vague error codes to clients. + +\item[{\textbf{-}\textbf{-with-crypto-impl=}\emph{IMPL}}] \leavevmode +Use specified crypto implementation (e.g., \textbf{-}\textbf{-with-crypto-impl=}\emph{openssl}). The default is the native MIT +Kerberos implementation \code{builtin}. The other currently +implemented crypto backend is \code{openssl}. (See +\emph{mitK5features}) + +\item[{\textbf{-}\textbf{-with-prng-alg=}\emph{ALG}}] \leavevmode +Use specified PRNG algorithm. For example, to use the OS native +prng specify \code{-{-}with-prng-alg=os}. The default is \code{fortuna}. +(See \emph{mitK5features}) + +\item[{\textbf{-}\textbf{-with-pkinit-crypto-impl=}\emph{IMPL}}] \leavevmode +Use the specified pkinit crypto implementation \emph{IMPL}. +Defaults to using OpenSSL. + +\item[{\textbf{-}\textbf{-without-libedit}}] \leavevmode +Do not compile and link against libedit. Some utilities will no +longer offer command history or completion in interactive mode if +libedit is disabled. + +\item[{\textbf{-}\textbf{-with-readline}}] \leavevmode +Compile and link against GNU readline, as an alternative to libedit. +Building with readline breaks the dejagnu test suite, which is a +subset of the tests run by `make check'. + +\item[{\textbf{-}\textbf{-with-system-verto}}] \leavevmode +Use an installed version of libverto. If the libverto header and +library are not in default locations, you may wish to specify +\code{CPPFLAGS=-I/some/dir} and \code{LDFLAGS=-L/some/other/dir} options +at configuration time as well. + +If this option is not given, the build system will try to detect +an installed version of libverto and use it if it is found. +Otherwise, a version supplied with the Kerberos sources will be +built and installed. The built-in version does not contain the +full set of back-end modules and is not a suitable general +replacement for the upstream version, but will work for the +purposes of Kerberos. + +Specifying \textbf{-}\textbf{-without-system-verto} will cause the built-in +version of libverto to be used unconditionally. + +\item[{\textbf{-}\textbf{-with-krb5-config=}\emph{PATH}}] \leavevmode +Use the krb5-config program at \emph{PATH} to obtain the build-time +default credential cache, keytab, and client keytab names. The +default is to use \code{krb5-config} from the program path. Specify +\code{-{-}without-krb5-config} to disable the use of krb5-config and +use the usual built-in defaults. + +\end{description} + + +\subsection{Examples} +\label{build/options2configure:examples} +For example, in order to configure Kerberos on a Solaris machine using +the suncc compiler with the optimizer turned on, run the configure +script with the following options: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYGZpc{} ./configure CC=suncc CFLAGS=\PYGZhy{}O +\end{Verbatim} + +For a slightly more complicated example, consider a system where +several packages to be used by Kerberos are installed in +\code{/usr/foobar}, including Berkeley DB 3.3, and an ss library that +needs to link against the curses library. The configuration of +Kerberos might be done thus: + +\begin{Verbatim}[commandchars=\\\{\}] +./configure CPPFLAGS=\PYGZhy{}I/usr/foobar/include LDFLAGS=\PYGZhy{}L/usr/foobar/lib \PYGZbs{} +\PYGZhy{}\PYGZhy{}with\PYGZhy{}system\PYGZhy{}et \PYGZhy{}\PYGZhy{}with\PYGZhy{}system\PYGZhy{}ss \PYGZhy{}\PYGZhy{}with\PYGZhy{}system\PYGZhy{}db \PYGZbs{} +SS\PYGZus{}LIB=\PYGZsq{}\PYGZhy{}lss \PYGZhy{}lcurses\PYGZsq{} DB\PYGZus{}HEADER=db3/db\PYGZus{}185.h DB\PYGZus{}LIB=\PYGZhy{}ldb\PYGZhy{}3.3 +\end{Verbatim} + + +\section{osconf.hin} +\label{build/osconf:osconf-hin}\label{build/osconf::doc} +There is one configuration file which you may wish to edit to control +various compile-time parameters in the Kerberos distribution: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{include}\PYG{o}{/}\PYG{n}{osconf}\PYG{o}{.}\PYG{n}{hin} +\end{Verbatim} + +The list that follows is by no means complete, just some of the more +interesting variables. +\begin{description} +\item[{\textbf{DEFAULT\_PROFILE\_PATH}}] \leavevmode +The pathname to the file which contains the profiles for the known +realms, their KDCs, etc. The default value is \code{/etc/krb5.conf}. + +\item[{\textbf{DEFAULT\_KEYTAB\_NAME}}] \leavevmode +The type and pathname to the default server keytab file. The +default is \emph{DEFKTNAME}. + +\item[{\textbf{DEFAULT\_KDC\_ENCTYPE}}] \leavevmode +The default encryption type for the KDC database master key. The +default value is \code{aes256-cts-hmac-sha1-96}. + +\item[{\textbf{RCTMPDIR}}] \leavevmode +The directory which stores replay caches. The default is +\code{/var/tmp}. + +\item[{\textbf{DEFAULT\_KDB\_FILE}}] \leavevmode +The location of the default database. The default value is +\emph{LOCALSTATEDIR}\code{/krb5kdc}\code{/principal}. + +\end{description} + + + +\renewcommand{\indexname}{Index} +\printindex +\end{document} diff --git a/doc/pdf/fncychap.sty b/doc/pdf/fncychap.sty new file mode 100644 index 000000000000..9a56c04ed422 --- /dev/null +++ b/doc/pdf/fncychap.sty @@ -0,0 +1,683 @@ +%%% Copyright Ulf A. Lindgren +%%% +%%% Note Premission is granted to modify this file under +%%% the condition that it is saved using another +%%% file and package name. +%%% +%%% Revision 1.1 (1997) +%%% +%%% Jan. 8th Modified package name base date option +%%% Jan. 22th Modified FmN and FmTi for error in book.cls +%%% \MakeUppercase{#}->{\MakeUppercase#} +%%% Apr. 6th Modified Lenny option to prevent undesired +%%% skip of line. +%%% Nov. 8th Fixed \@chapapp for AMS +%%% +%%% Revision 1.2 (1998) +%%% +%%% Feb. 11th Fixed appendix problem related to Bjarne +%%% Aug. 11th Fixed problem related to 11pt and 12pt +%%% suggested by Tomas Lundberg. THANKS! +%%% +%%% Revision 1.3 (2004) +%%% Sep. 20th problem with frontmatter, mainmatter and +%%% backmatter, pointed out by Lapo Mori +%%% +%%% Revision 1.31 (2004) +%%% Sep. 21th problem with the Rejne definition streched text +%%% caused ugly gaps in the vrule aligned with the title +%%% text. Kindly pointed out to me by Hendri Adriaens +%%% +%%% Revision 1.32 (2005) +%%% Jun. 23th compatibility problem with the KOMA class 'scrbook.cls' +%%% a remedy is a redefinition of '\@schapter' in +%%% line with that used in KOMA. The problem was pointed +%%% out to me by Mikkel Holm Olsen +%%% +%%% Revision 1.33 (2005) +%%% Aug. 9th misspelled ``TWELV'' corrected, the error was pointed +%%% out to me by George Pearson +%%% +%%% Revision 1.34 (2007) +%%% Added an alternative to Lenny provided by Peter +%%% Osborne (2005-11-28) +%%% Corrected front, main and back matter, based on input +%%% from Bas van Gils (2006-04-24) +%%% Jul. 30th Added Bjornstrup option provided by Jean-Marc +%%% Francois (2007-01-05). +%%% Reverted to \MakeUppercase{#} see rev 1.1, solved +%%% problem with MakeUppercase and MakeLowercase pointed +%%% out by Marco Feuerstein (2007-06-06) + + +%%% Last modified Jul. 2007 + +\NeedsTeXFormat{LaTeX2e}[1995/12/01] +\ProvidesPackage{fncychap} + [2007/07/30 v1.34 + LaTeX package (Revised chapters)] + +%%%% For conditional inclusion of color +\newif\ifusecolor +\usecolorfalse + + + +%%%% DEFINITION OF Chapapp variables +\newcommand{\CNV}{\huge\bfseries} +\newcommand{\ChNameVar}[1]{\renewcommand{\CNV}{#1}} + + +%%%% DEFINITION OF TheChapter variables +\newcommand{\CNoV}{\huge\bfseries} +\newcommand{\ChNumVar}[1]{\renewcommand{\CNoV}{#1}} + +\newif\ifUCN +\UCNfalse +\newif\ifLCN +\LCNfalse +\def\ChNameLowerCase{\LCNtrue\UCNfalse} +\def\ChNameUpperCase{\UCNtrue\LCNfalse} +\def\ChNameAsIs{\UCNfalse\LCNfalse} + +%%%%% Fix for AMSBook 971008 + +\@ifundefined{@chapapp}{\let\@chapapp\chaptername}{} + + +%%%%% Fix for Bjarne and appendix 980211 + +\newif\ifinapp +\inappfalse +\renewcommand\appendix{\par + \setcounter{chapter}{0}% + \setcounter{section}{0}% + \inapptrue% + \renewcommand\@chapapp{\appendixname}% + \renewcommand\thechapter{\@Alph\c@chapter}} + +%%%%% Fix for frontmatter, mainmatter, and backmatter 040920 + +\@ifundefined{@mainmatter}{\newif\if@mainmatter \@mainmattertrue}{} + +%%%%% + + + +\newcommand{\FmN}[1]{% +\ifUCN + {\MakeUppercase{#1}}\LCNfalse +\else + \ifLCN + {\MakeLowercase{#1}}\UCNfalse + \else #1 + \fi +\fi} + + +%%%% DEFINITION OF Title variables +\newcommand{\CTV}{\Huge\bfseries} +\newcommand{\ChTitleVar}[1]{\renewcommand{\CTV}{#1}} + +%%%% DEFINITION OF the basic rule width +\newlength{\RW} +\setlength{\RW}{1pt} +\newcommand{\ChRuleWidth}[1]{\setlength{\RW}{#1}} + +\newif\ifUCT +\UCTfalse +\newif\ifLCT +\LCTfalse +\def\ChTitleLowerCase{\LCTtrue\UCTfalse} +\def\ChTitleUpperCase{\UCTtrue\LCTfalse} +\def\ChTitleAsIs{\UCTfalse\LCTfalse} +\newcommand{\FmTi}[1]{% +\ifUCT + {\MakeUppercase{#1}}\LCTfalse +\else + \ifLCT + {\MakeLowercase{#1}}\UCTfalse + \else {#1} + \fi +\fi} + + + +\newlength{\mylen} +\newlength{\myhi} +\newlength{\px} +\newlength{\py} +\newlength{\pyy} +\newlength{\pxx} + + +\def\mghrulefill#1{\leavevmode\leaders\hrule\@height #1\hfill\kern\z@} + +\newcommand{\DOCH}{% + \CNV\FmN{\@chapapp}\space \CNoV\thechapter + \par\nobreak + \vskip 20\p@ + } +\newcommand{\DOTI}[1]{% + \CTV\FmTi{#1}\par\nobreak + \vskip 40\p@ + } +\newcommand{\DOTIS}[1]{% + \CTV\FmTi{#1}\par\nobreak + \vskip 40\p@ + } + +%%%%%% SONNY DEF + +\DeclareOption{Sonny}{% + \ChNameVar{\Large\sf} + \ChNumVar{\Huge} + \ChTitleVar{\Large\sf} + \ChRuleWidth{0.5pt} + \ChNameUpperCase + \renewcommand{\DOCH}{% + \raggedleft + \CNV\FmN{\@chapapp}\space \CNoV\thechapter + \par\nobreak + \vskip 40\p@} + \renewcommand{\DOTI}[1]{% + \CTV\raggedleft\mghrulefill{\RW}\par\nobreak + \vskip 5\p@ + \CTV\FmTi{#1}\par\nobreak + \mghrulefill{\RW}\par\nobreak + \vskip 40\p@} + \renewcommand{\DOTIS}[1]{% + \CTV\raggedleft\mghrulefill{\RW}\par\nobreak + \vskip 5\p@ + \CTV\FmTi{#1}\par\nobreak + \mghrulefill{\RW}\par\nobreak + \vskip 40\p@} +} + +%%%%%% LENNY DEF + +\DeclareOption{Lenny}{% + + \ChNameVar{\fontsize{14}{16}\usefont{OT1}{phv}{m}{n}\selectfont} + \ChNumVar{\fontsize{60}{62}\usefont{OT1}{ptm}{m}{n}\selectfont} + \ChTitleVar{\Huge\bfseries\rm} + \ChRuleWidth{1pt} + \renewcommand{\DOCH}{% + \settowidth{\px}{\CNV\FmN{\@chapapp}} + \addtolength{\px}{2pt} + \settoheight{\py}{\CNV\FmN{\@chapapp}} + \addtolength{\py}{1pt} + + \settowidth{\mylen}{\CNV\FmN{\@chapapp}\space\CNoV\thechapter} + \addtolength{\mylen}{1pt} + \settowidth{\pxx}{\CNoV\thechapter} + \addtolength{\pxx}{-1pt} + + \settoheight{\pyy}{\CNoV\thechapter} + \addtolength{\pyy}{-2pt} + \setlength{\myhi}{\pyy} + \addtolength{\myhi}{-1\py} + \par + \parbox[b]{\textwidth}{% + \rule[\py]{\RW}{\myhi}% + \hskip -\RW% + \rule[\pyy]{\px}{\RW}% + \hskip -\px% + \raggedright% + \CNV\FmN{\@chapapp}\space\CNoV\thechapter% + \hskip1pt% + \mghrulefill{\RW}% + \rule{\RW}{\pyy}\par\nobreak% + \vskip -\baselineskip% + \vskip -\pyy% + \hskip \mylen% + \mghrulefill{\RW}\par\nobreak% + \vskip \pyy}% + \vskip 20\p@} + + + \renewcommand{\DOTI}[1]{% + \raggedright + \CTV\FmTi{#1}\par\nobreak + \vskip 40\p@} + + \renewcommand{\DOTIS}[1]{% + \raggedright + \CTV\FmTi{#1}\par\nobreak + \vskip 40\p@} + } + +%%%%%% Peter Osbornes' version of LENNY DEF + +\DeclareOption{PetersLenny}{% + +% five new lengths +\newlength{\bl} % bottom left : orig \space +\setlength{\bl}{6pt} +\newcommand{\BL}[1]{\setlength{\bl}{#1}} +\newlength{\br} % bottom right : orig 1pt +\setlength{\br}{1pt} +\newcommand{\BR}[1]{\setlength{\br}{#1}} +\newlength{\tl} % top left : orig 2pt +\setlength{\tl}{2pt} +\newcommand{\TL}[1]{\setlength{\tl}{#1}} +\newlength{\trr} % top right :orig 1pt +\setlength{\trr}{1pt} +\newcommand{\TR}[1]{\setlength{\trr}{#1}} +\newlength{\blrule} % top right :orig 1pt +\setlength{\trr}{0pt} +\newcommand{\BLrule}[1]{\setlength{\blrule}{#1}} + + + \ChNameVar{\fontsize{14}{16}\usefont{OT1}{phv}{m}{n}\selectfont} + \ChNumVar{\fontsize{60}{62}\usefont{OT1}{ptm}{m}{n}\selectfont} + \ChTitleVar{\Huge\bfseries\rm} + \ChRuleWidth{1pt} +\renewcommand{\DOCH}{% + + +%%%%%%% tweaks for 1--9 and A--Z +\ifcase\c@chapter\relax% +\or\BL{-3pt}\TL{-4pt}\BR{0pt}\TR{-6pt}%1 +\or\BL{0pt}\TL{-4pt}\BR{2pt}\TR{-4pt}%2 +\or\BL{0pt}\TL{-4pt}\BR{2pt}\TR{-4pt}%3 +\or\BL{0pt}\TL{5pt}\BR{2pt}\TR{-4pt}%4 +\or\BL{0pt}\TL{3pt}\BR{2pt}\TR{-4pt}%5 +\or\BL{-1pt}\TL{0pt}\BR{2pt}\TR{-2pt}%6 +\or\BL{0pt}\TL{-3pt}\BR{2pt}\TR{-2pt}%7 +\or\BL{0pt}\TL{-3pt}\BR{2pt}\TR{-2pt}%8 +\or\BL{0pt}\TL{-3pt}\BR{-4pt}\TR{-2pt}%9 +\or\BL{-3pt}\TL{-3pt}\BR{2pt}\TR{-7pt}%10 +\or\BL{-6pt}\TL{-6pt}\BR{0pt}\TR{-9pt}%11 +\or\BL{-6pt}\TL{-6pt}\BR{2pt}\TR{-7pt}%12 +\or\BL{-5pt}\TL{-5pt}\BR{0pt}\TR{-9pt}%13 +\or\BL{-6pt}\TL{-6pt}\BR{0pt}\TR{-9pt}%14 +\or\BL{-3pt}\TL{-3pt}\BR{3pt}\TR{-6pt}%15 +\or\BL{-3pt}\TL{-3pt}\BR{3pt}\TR{-6pt}%16 +\or\BL{-5pt}\TL{-3pt}\BR{-8pt}\TR{-6pt}%17 +\or\BL{-5pt}\TL{-5pt}\BR{0pt}\TR{-9pt}%18 +\or\BL{-3pt}\TL{-3pt}\BR{-6pt}\TR{-9pt}%19 +\or\BL{0pt}\TL{0pt}\BR{0pt}\TR{-5pt}%20 +\fi + +\ifinapp\ifcase\c@chapter\relax% +\or\BL{0pt}\TL{14pt}\BR{5pt}\TR{-19pt}%A +\or\BL{0pt}\TL{-5pt}\BR{-3pt}\TR{-8pt}%B +\or\BL{-3pt}\TL{-2pt}\BR{1pt}\TR{-6pt}\BLrule{0pt}%C +\or\BL{0pt}\TL{-5pt}\BR{-3pt}\TR{-8pt}\BLrule{0pt}%D +\or\BL{0pt}\TL{-5pt}\BR{2pt}\TR{-3pt}%E +\or\BL{0pt}\TL{-5pt}\BR{-10pt}\TR{-1pt}%F +\or\BL{-3pt}\TL{0pt}\BR{0pt}\TR{-7pt}%G +\or\BL{0pt}\TL{-5pt}\BR{3pt}\TR{-1pt}%H +\or\BL{0pt}\TL{-5pt}\BR{3pt}\TR{-1pt}%I +\or\BL{2pt}\TL{0pt}\BR{-3pt}\TR{1pt}%J +\or\BL{0pt}\TL{-5pt}\BR{3pt}\TR{-1pt}%K +\or\BL{0pt}\TL{-5pt}\BR{2pt}\TR{-19pt}%L +\or\BL{0pt}\TL{-5pt}\BR{3pt}\TR{-1pt}%M +\or\BL{0pt}\TL{-5pt}\BR{-2pt}\TR{-1pt}%N +\or\BL{-3pt}\TL{-2pt}\BR{-3pt}\TR{-11pt}%O +\or\BL{0pt}\TL{-5pt}\BR{-9pt}\TR{-3pt}%P +\or\BL{-3pt}\TL{-2pt}\BR{-3pt}\TR{-11pt}%Q +\or\BL{0pt}\TL{-5pt}\BR{4pt}\TR{-8pt}%R +\or\BL{-2pt}\TL{-2pt}\BR{-2pt}\TR{-7pt}%S +\or\BL{-3pt}\TL{0pt}\BR{-5pt}\TR{4pt}\BLrule{8pt}%T +\or\BL{-7pt}\TL{-11pt}\BR{-5pt}\TR{-7pt}\BLrule{0pt}%U +\or\BL{-14pt}\TL{-5pt}\BR{-14pt}\TR{-1pt}\BLrule{14pt}%V +\or\BL{-10pt}\TL{-9pt}\BR{-13pt}\TR{-3pt}\BLrule{7pt}%W +\or\BL{0pt}\TL{-5pt}\BR{3pt}\TR{-1pt}\BLrule{0pt}%X +\or\BL{-6pt}\TL{-4pt}\BR{-7pt}\TR{1pt}\BLrule{7pt}%Y +\or\BL{0pt}\TL{-5pt}\BR{3pt}\TR{-1pt}\BLrule{0pt}%Z +\fi\fi +%%%%%%% + \settowidth{\px}{\CNV\FmN{\@chapapp}} + \addtolength{\px}{\tl} %MOD change 2pt to \tl + \settoheight{\py}{\CNV\FmN{\@chapapp}} + \addtolength{\py}{1pt} + + \settowidth{\mylen}{\CNV\FmN{\@chapapp}\space\CNoV\thechapter} + \addtolength{\mylen}{\trr}% MOD change 1pt to \tr + \settowidth{\pxx}{\CNoV\thechapter} + \addtolength{\pxx}{-1pt} + + \settoheight{\pyy}{\CNoV\thechapter} + \addtolength{\pyy}{-2pt} + \setlength{\myhi}{\pyy} + \addtolength{\myhi}{-1\py} + \par + \parbox[b]{\textwidth}{% + \rule[\py]{\RW}{\myhi}% + \hskip -\RW% + \rule[\pyy]{\px}{\RW}% + \hskip -\px% + \raggedright% + \CNV\FmN{\@chapapp}\rule{\blrule}{\RW}\hskip\bl\CNoV\thechapter%MOD +% \CNV\FmN{\@chapapp}\space\CNoV\thechapter %ORIGINAL + \hskip\br% %MOD 1pt to \br + \mghrulefill{\RW}% + \rule{\RW}{\pyy}\par\nobreak% + \vskip -\baselineskip% + \vskip -\pyy% + \hskip \mylen% + \mghrulefill{\RW}\par\nobreak% + \vskip \pyy}% + \vskip 20\p@} + + + \renewcommand{\DOTI}[1]{% + \raggedright + \CTV\FmTi{#1}\par\nobreak + \vskip 40\p@} + + \renewcommand{\DOTIS}[1]{% + \raggedright + \CTV\FmTi{#1}\par\nobreak + \vskip 40\p@} + } + + +% + + +%%%%%% BJORNSTRUP DEF + +\DeclareOption{Bjornstrup}{% + \usecolortrue + % pzc (Zapf Chancelery) is nice. ppl (Palatino) is cool too. + \ChNumVar{\fontsize{76}{80}\usefont{OT1}{pzc}{m}{n}\selectfont} + \ChTitleVar{\raggedleft\Large\sffamily\bfseries} + + \setlength{\myhi}{10pt} % Space between grey box border and text + \setlength{\mylen}{\textwidth} + \addtolength{\mylen}{-2\myhi} + \renewcommand{\DOCH}{% + \settowidth{\py}{\CNoV\thechapter} + \addtolength{\py}{-10pt} % Amount of space by which the +% % number is shifted right + \fboxsep=0pt% + \colorbox[gray]{.85}{\rule{0pt}{40pt}\parbox[b]{\textwidth}{\hfill}}% + \kern-\py\raise20pt% + \hbox{\color[gray]{.5}\CNoV\thechapter}\\% + } + + \renewcommand{\DOTI}[1]{% + \nointerlineskip\raggedright% + \fboxsep=\myhi% + \vskip-1ex% + \colorbox[gray]{.85}{\parbox[t]{\mylen}{\CTV\FmTi{#1}}}\par\nobreak% + \vskip 40\p@% + } + + \renewcommand{\DOTIS}[1]{% + \fboxsep=0pt + \colorbox[gray]{.85}{\rule{0pt}{40pt}\parbox[b]{\textwidth}{\hfill}}\\% + \nointerlineskip\raggedright% + \fboxsep=\myhi% + \colorbox[gray]{.85}{\parbox[t]{\mylen}{\CTV\FmTi{#1}}}\par\nobreak% + \vskip 40\p@% + } +} + + +%%%%%%% GLENN DEF + + +\DeclareOption{Glenn}{% + \ChNameVar{\bfseries\Large\sf} + \ChNumVar{\Huge} + \ChTitleVar{\bfseries\Large\rm} + \ChRuleWidth{1pt} + \ChNameUpperCase + \ChTitleUpperCase + \renewcommand{\DOCH}{% + \settoheight{\myhi}{\CTV\FmTi{Test}} + \setlength{\py}{\baselineskip} + \addtolength{\py}{\RW} + \addtolength{\py}{\myhi} + \setlength{\pyy}{\py} + \addtolength{\pyy}{-1\RW} + + \raggedright + \CNV\FmN{\@chapapp}\space\CNoV\thechapter + \hskip 3pt\mghrulefill{\RW}\rule[-1\pyy]{2\RW}{\py}\par\nobreak} + + \renewcommand{\DOTI}[1]{% + \addtolength{\pyy}{-4pt} + \settoheight{\myhi}{\CTV\FmTi{#1}} + \addtolength{\myhi}{\py} + \addtolength{\myhi}{-1\RW} + \vskip -1\pyy + \rule{2\RW}{\myhi}\mghrulefill{\RW}\hskip 2pt + \raggedleft\CTV\FmTi{#1}\par\nobreak + \vskip 80\p@} + +\newlength{\backskip} + \renewcommand{\DOTIS}[1]{% +% \setlength{\py}{10pt} +% \setlength{\pyy}{\py} +% \addtolength{\pyy}{\RW} +% \setlength{\myhi}{\baselineskip} +% \addtolength{\myhi}{\pyy} +% \mghrulefill{\RW}\rule[-1\py]{2\RW}{\pyy}\par\nobreak +% \addtolength{}{} +%\vskip -1\baselineskip +% \rule{2\RW}{\myhi}\mghrulefill{\RW}\hskip 2pt +% \raggedleft\CTV\FmTi{#1}\par\nobreak +% \vskip 60\p@} +%% Fix suggested by Tomas Lundberg + \setlength{\py}{25pt} % eller vad man vill + \setlength{\pyy}{\py} + \setlength{\backskip}{\py} + \addtolength{\backskip}{2pt} + \addtolength{\pyy}{\RW} + \setlength{\myhi}{\baselineskip} + \addtolength{\myhi}{\pyy} + \mghrulefill{\RW}\rule[-1\py]{2\RW}{\pyy}\par\nobreak + \vskip -1\backskip + \rule{2\RW}{\myhi}\mghrulefill{\RW}\hskip 3pt % + \raggedleft\CTV\FmTi{#1}\par\nobreak + \vskip 40\p@} + } + +%%%%%%% CONNY DEF + +\DeclareOption{Conny}{% + \ChNameUpperCase + \ChTitleUpperCase + \ChNameVar{\centering\Huge\rm\bfseries} + \ChNumVar{\Huge} + \ChTitleVar{\centering\Huge\rm} + \ChRuleWidth{2pt} + + \renewcommand{\DOCH}{% + \mghrulefill{3\RW}\par\nobreak + \vskip -0.5\baselineskip + \mghrulefill{\RW}\par\nobreak + \CNV\FmN{\@chapapp}\space \CNoV\thechapter + \par\nobreak + \vskip -0.5\baselineskip + } + \renewcommand{\DOTI}[1]{% + \mghrulefill{\RW}\par\nobreak + \CTV\FmTi{#1}\par\nobreak + \vskip 60\p@ + } + \renewcommand{\DOTIS}[1]{% + \mghrulefill{\RW}\par\nobreak + \CTV\FmTi{#1}\par\nobreak + \vskip 60\p@ + } + } + +%%%%%%% REJNE DEF + +\DeclareOption{Rejne}{% + + \ChNameUpperCase + \ChTitleUpperCase + \ChNameVar{\centering\Large\rm} + \ChNumVar{\Huge} + \ChTitleVar{\centering\Huge\rm} + \ChRuleWidth{1pt} + \renewcommand{\DOCH}{% + \settoheight{\py}{\CNoV\thechapter} + \parskip=0pt plus 1pt % Set parskip to default, just in case v1.31 + \addtolength{\py}{-1pt} + \CNV\FmN{\@chapapp}\par\nobreak + \vskip 20\p@ + \setlength{\myhi}{2\baselineskip} + \setlength{\px}{\myhi} + \addtolength{\px}{-1\RW} + \rule[-1\px]{\RW}{\myhi}\mghrulefill{\RW}\hskip + 10pt\raisebox{-0.5\py}{\CNoV\thechapter}\hskip 10pt\mghrulefill{\RW}\rule[-1\px]{\RW}{\myhi}\par\nobreak + \vskip -3\p@% Added -2pt vskip to correct for streched text v1.31 + } + \renewcommand{\DOTI}[1]{% + \setlength{\mylen}{\textwidth} + \parskip=0pt plus 1pt % Set parskip to default, just in case v1.31 + \addtolength{\mylen}{-2\RW} + {\vrule width\RW}\parbox{\mylen}{\CTV\FmTi{#1}}{\vrule width\RW}\par\nobreak% + \vskip -3pt\rule{\RW}{2\baselineskip}\mghrulefill{\RW}\rule{\RW}{2\baselineskip}% + \vskip 60\p@% Added -2pt in vskip to correct for streched text v1.31 + } + \renewcommand{\DOTIS}[1]{% + \setlength{\py}{\fboxrule} + \setlength{\fboxrule}{\RW} + \setlength{\mylen}{\textwidth} + \addtolength{\mylen}{-2\RW} + \fbox{\parbox{\mylen}{\vskip 2\baselineskip\CTV\FmTi{#1}\par\nobreak\vskip \baselineskip}} + \setlength{\fboxrule}{\py} + \vskip 60\p@ + } + } + + +%%%%%%% BJARNE DEF + +\DeclareOption{Bjarne}{% + \ChNameUpperCase + \ChTitleUpperCase + \ChNameVar{\raggedleft\normalsize\rm} + \ChNumVar{\raggedleft \bfseries\Large} + \ChTitleVar{\raggedleft \Large\rm} + \ChRuleWidth{1pt} + + +%% Note thechapter -> c@chapter fix appendix bug +%% Fixed misspelled 12 + + \newcounter{AlphaCnt} + \newcounter{AlphaDecCnt} + \newcommand{\AlphaNo}{% + \ifcase\number\theAlphaCnt + \ifnum\c@chapter=0 + ZERO\else{}\fi + \or ONE\or TWO\or THREE\or FOUR\or FIVE + \or SIX\or SEVEN\or EIGHT\or NINE\or TEN + \or ELEVEN\or TWELVE\or THIRTEEN\or FOURTEEN\or FIFTEEN + \or SIXTEEN\or SEVENTEEN\or EIGHTEEN\or NINETEEN\fi +} + + \newcommand{\AlphaDecNo}{% + \setcounter{AlphaDecCnt}{0} + \@whilenum\number\theAlphaCnt>0\do + {\addtocounter{AlphaCnt}{-10} + \addtocounter{AlphaDecCnt}{1}} + \ifnum\number\theAlphaCnt=0 + \else + \addtocounter{AlphaDecCnt}{-1} + \addtocounter{AlphaCnt}{10} + \fi + + + \ifcase\number\theAlphaDecCnt\or TEN\or TWENTY\or THIRTY\or + FORTY\or FIFTY\or SIXTY\or SEVENTY\or EIGHTY\or NINETY\fi + } + \newcommand{\TheAlphaChapter}{% + + \ifinapp + \thechapter + \else + \setcounter{AlphaCnt}{\c@chapter} + \ifnum\c@chapter<20 + \AlphaNo + \else + \AlphaDecNo\AlphaNo + \fi + \fi + } + \renewcommand{\DOCH}{% + \mghrulefill{\RW}\par\nobreak + \CNV\FmN{\@chapapp}\par\nobreak + \CNoV\TheAlphaChapter\par\nobreak + \vskip -1\baselineskip\vskip 5pt\mghrulefill{\RW}\par\nobreak + \vskip 20\p@ + } + \renewcommand{\DOTI}[1]{% + \CTV\FmTi{#1}\par\nobreak + \vskip 40\p@ + } + \renewcommand{\DOTIS}[1]{% + \CTV\FmTi{#1}\par\nobreak + \vskip 40\p@ + } +} + +\DeclareOption*{% + \PackageWarning{fancychapter}{unknown style option} + } + +\ProcessOptions* \relax + +\ifusecolor + \RequirePackage{color} +\fi +\def\@makechapterhead#1{% + \vspace*{50\p@}% + {\parindent \z@ \raggedright \normalfont + \ifnum \c@secnumdepth >\m@ne + \if@mainmatter%%%%% Fix for frontmatter, mainmatter, and backmatter 040920 + \DOCH + \fi + \fi + \interlinepenalty\@M + \if@mainmatter%%%%% Fix for frontmatter, mainmatter, and backmatter 060424 + \DOTI{#1}% + \else% + \DOTIS{#1}% + \fi + }} + + +%%% Begin: To avoid problem with scrbook.cls (fncychap version 1.32) + +%%OUT: +%\def\@schapter#1{\if@twocolumn +% \@topnewpage[\@makeschapterhead{#1}]% +% \else +% \@makeschapterhead{#1}% +% \@afterheading +% \fi} + +%%IN: +\def\@schapter#1{% +\if@twocolumn% + \@makeschapterhead{#1}% +\else% + \@makeschapterhead{#1}% + \@afterheading% +\fi} + +%%% End: To avoid problem with scrbook.cls (fncychap version 1.32) + +\def\@makeschapterhead#1{% + \vspace*{50\p@}% + {\parindent \z@ \raggedright + \normalfont + \interlinepenalty\@M + \DOTIS{#1} + \vskip 40\p@ + }} + +\endinput + + diff --git a/doc/pdf/plugindev.pdf b/doc/pdf/plugindev.pdf Binary files differnew file mode 100644 index 000000000000..12756fcca9b4 --- /dev/null +++ b/doc/pdf/plugindev.pdf diff --git a/doc/pdf/plugindev.tex b/doc/pdf/plugindev.tex new file mode 100644 index 000000000000..4e3b805923ac --- /dev/null +++ b/doc/pdf/plugindev.tex @@ -0,0 +1,801 @@ +% Generated by Sphinx. +\def\sphinxdocclass{report} +\documentclass[letterpaper,10pt,english]{sphinxmanual} +\usepackage[utf8]{inputenc} +\DeclareUnicodeCharacter{00A0}{\nobreakspace} +\usepackage{cmap} +\usepackage[T1]{fontenc} +\usepackage{babel} +\usepackage{times} +\usepackage[Bjarne]{fncychap} +\usepackage{longtable} +\usepackage{sphinx} +\usepackage{multirow} + + +\title{Kerberos Plugin Module Developer Guide} +\date{ } +\release{1.15.1} +\author{MIT} +\newcommand{\sphinxlogo}{} +\renewcommand{\releasename}{Release} +\makeindex + +\makeatletter +\def\PYG@reset{\let\PYG@it=\relax \let\PYG@bf=\relax% + \let\PYG@ul=\relax \let\PYG@tc=\relax% + \let\PYG@bc=\relax \let\PYG@ff=\relax} +\def\PYG@tok#1{\csname PYG@tok@#1\endcsname} +\def\PYG@toks#1+{\ifx\relax#1\empty\else% + \PYG@tok{#1}\expandafter\PYG@toks\fi} +\def\PYG@do#1{\PYG@bc{\PYG@tc{\PYG@ul{% + \PYG@it{\PYG@bf{\PYG@ff{#1}}}}}}} +\def\PYG#1#2{\PYG@reset\PYG@toks#1+\relax+\PYG@do{#2}} + +\expandafter\def\csname PYG@tok@gd\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.63,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gu\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.50,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@gt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.27,0.87}{##1}}} +\expandafter\def\csname PYG@tok@gs\endcsname{\let\PYG@bf=\textbf} +\expandafter\def\csname PYG@tok@gr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{1.00,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@cm\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@vg\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@m\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@cs\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\colorbox[rgb]{1.00,0.94,0.94}{\strut ##1}}} +\expandafter\def\csname PYG@tok@ge\endcsname{\let\PYG@it=\textit} +\expandafter\def\csname PYG@tok@vc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@il\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@go\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.20,0.20,0.20}{##1}}} +\expandafter\def\csname PYG@tok@cp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@gi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.63,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gh\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@ni\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.84,0.33,0.22}{##1}}} +\expandafter\def\csname PYG@tok@nl\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.13,0.44}{##1}}} +\expandafter\def\csname PYG@tok@nn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@no\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.38,0.68,0.84}{##1}}} +\expandafter\def\csname PYG@tok@na\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@nb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@nd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.33,0.33,0.33}{##1}}} +\expandafter\def\csname PYG@tok@ne\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} +\expandafter\def\csname PYG@tok@si\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.44,0.63,0.82}{##1}}} +\expandafter\def\csname PYG@tok@s2\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@vi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@nt\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.45}{##1}}} +\expandafter\def\csname PYG@tok@nv\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@s1\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@gp\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@sh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@ow\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@sx\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@bp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c1\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@kc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@mf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@err\endcsname{\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\fcolorbox[rgb]{1.00,0.00,0.00}{1,1,1}{\strut ##1}}} +\expandafter\def\csname PYG@tok@kd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@ss\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.32,0.47,0.09}{##1}}} +\expandafter\def\csname PYG@tok@sr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.14,0.33,0.53}{##1}}} +\expandafter\def\csname PYG@tok@mo\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@kn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@o\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.40,0.40,0.40}{##1}}} +\expandafter\def\csname PYG@tok@kr\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@s\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@kp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@w\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.73,0.73}{##1}}} +\expandafter\def\csname PYG@tok@kt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.56,0.13,0.00}{##1}}} +\expandafter\def\csname PYG@tok@sc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@k\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@se\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sd\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} + +\def\PYGZbs{\char`\\} +\def\PYGZus{\char`\_} +\def\PYGZob{\char`\{} +\def\PYGZcb{\char`\}} +\def\PYGZca{\char`\^} +\def\PYGZam{\char`\&} +\def\PYGZlt{\char`\<} +\def\PYGZgt{\char`\>} +\def\PYGZsh{\char`\#} +\def\PYGZpc{\char`\%} +\def\PYGZdl{\char`\$} +\def\PYGZhy{\char`\-} +\def\PYGZsq{\char`\'} +\def\PYGZdq{\char`\"} +\def\PYGZti{\char`\~} +% for compatibility with earlier versions +\def\PYGZat{@} +\def\PYGZlb{[} +\def\PYGZrb{]} +\makeatother + +\begin{document} + +\maketitle +\tableofcontents +\phantomsection\label{plugindev/index::doc} + + +Kerberos plugin modules allow increased control over MIT krb5 library +and server behavior. This guide describes how to create dynamic +plugin modules and the currently available pluggable interfaces. + +See \emph{plugin\_config} for information on how to register dynamic +plugin modules and how to enable and disable modules via +\emph{krb5.conf(5)}. + + +\chapter{Contents} +\label{plugindev/index:for-plugin-module-developers}\label{plugindev/index:contents} + +\section{General plugin concepts} +\label{plugindev/general:general-plugin-concepts}\label{plugindev/general::doc} +A krb5 dynamic plugin module is a Unix shared object or Windows DLL. +Typically, the source code for a dynamic plugin module should live in +its own project with a build system using \href{http://www.gnu.org/software/automake/}{automake} and \href{http://www.gnu.org/software/libtool/}{libtool}, or +tools with similar functionality. + +A plugin module must define a specific symbol name, which depends on +the pluggable interface and module name. For most pluggable +interfaces, the exported symbol is a function named +\code{INTERFACE\_MODULE\_initvt}, where \emph{INTERFACE} is the name of the +pluggable interface and \emph{MODULE} is the name of the module. For these +interfaces, it is possible for one shared object or DLL to implement +multiple plugin modules, either for the same pluggable interface or +for different ones. For example, a shared object could implement both +KDC and client preauthentication mechanisms, by exporting functions +named \code{kdcpreauth\_mymech\_initvt} and \code{clpreauth\_mymech\_initvt}. + +A plugin module implementation should include the header file +\code{\textless{}krb5/INTERFACE\_plugin.h\textgreater{}}, where \emph{INTERFACE} is the name of the +pluggable interface. For instance, a ccselect plugin module +implementation should use \code{\#include \textless{}krb5/ccselect\_plugin.h\textgreater{}}. + +initvt functions have the following prototype: + +\begin{Verbatim}[commandchars=\\\{\}] +krb5\PYGZus{}error\PYGZus{}code interface\PYGZus{}modname\PYGZus{}initvt(krb5\PYGZus{}context context, + int maj\PYGZus{}ver, int min\PYGZus{}ver, + krb5\PYGZus{}plugin\PYGZus{}vtable vtable); +\end{Verbatim} + +and should do the following: +\begin{enumerate} +\item {} +Check that the supplied maj\_ver argument is supported by the +module. If it is not supported, the function should return +KRB5\_PLUGIN\_VER\_NOTSUPP. + +\item {} +Cast the supplied vtable pointer to the structure type +corresponding to the major version, as documented in the pluggable +interface header file. + +\item {} +Fill in the structure fields with pointers to method functions and +static data, stopping at the field indicated by the supplied minor +version. Fields for unimplemented optional methods can be left +alone; it is not necessary to initialize them to NULL. + +\end{enumerate} + +In most cases, the context argument will not be used. The initvt +function should not allocate memory; think of it as a glorified +structure initializer. Each pluggable interface defines methods for +allocating and freeing module state if doing so is necessary for the +interface. + +Pluggable interfaces typically include a \textbf{name} field in the vtable +structure, which should be filled in with a pointer to a string +literal containing the module name. + +Here is an example of what an initvt function might look like for a +fictional pluggable interface named fences, for a module named +``wicker'': + +\begin{Verbatim}[commandchars=\\\{\}] +krb5\PYGZus{}error\PYGZus{}code +fences\PYGZus{}wicker\PYGZus{}initvt(krb5\PYGZus{}context context, int maj\PYGZus{}ver, + int min\PYGZus{}ver, krb5\PYGZus{}plugin\PYGZus{}vtable vtable) +\PYGZob{} + krb5\PYGZus{}ccselect\PYGZus{}vtable vt; + + if (maj\PYGZus{}ver == 1) \PYGZob{} + krb5\PYGZus{}fences\PYGZus{}vtable vt = (krb5\PYGZus{}fences\PYGZus{}vtable)vtable; + vt\PYGZhy{}\PYGZgt{}name = \PYGZdq{}wicker\PYGZdq{}; + vt\PYGZhy{}\PYGZgt{}slats = wicker\PYGZus{}slats; + vt\PYGZhy{}\PYGZgt{}braces = wicker\PYGZus{}braces; + \PYGZcb{} else if (maj\PYGZus{}ver == 2) \PYGZob{} + krb5\PYGZus{}fences\PYGZus{}vtable\PYGZus{}v2 vt = (krb5\PYGZus{}fences\PYGZus{}vtable\PYGZus{}v2)vtable; + vt\PYGZhy{}\PYGZgt{}name = \PYGZdq{}wicker\PYGZdq{}; + vt\PYGZhy{}\PYGZgt{}material = wicker\PYGZus{}material; + vt\PYGZhy{}\PYGZgt{}construction = wicker\PYGZus{}construction; + if (min\PYGZus{}ver \PYGZlt{} 2) + return 0; + vt\PYGZhy{}\PYGZgt{}footing = wicker\PYGZus{}footing; + if (min\PYGZus{}ver \PYGZlt{} 3) + return 0; + vt\PYGZhy{}\PYGZgt{}appearance = wicker\PYGZus{}appearance; + \PYGZcb{} else \PYGZob{} + return KRB5\PYGZus{}PLUGIN\PYGZus{}VER\PYGZus{}NOTSUPP; + \PYGZcb{} + return 0; +\PYGZcb{} +\end{Verbatim} + + +\section{Client preauthentication interface (clpreauth)} +\label{plugindev/clpreauth:client-preauthentication-interface-clpreauth}\label{plugindev/clpreauth::doc} +During an initial ticket request, a KDC may ask a client to prove its +knowledge of the password before issuing an encrypted ticket, or to +use credentials other than a password. This process is called +preauthentication, and is described in \index{RFC!RFC 4120}\href{http://tools.ietf.org/html/rfc4120.html}{\textbf{RFC 4120}} and \index{RFC!RFC 6113}\href{http://tools.ietf.org/html/rfc6113.html}{\textbf{RFC 6113}}. +The clpreauth interface allows the addition of client support for +preauthentication mechanisms beyond those included in the core MIT +krb5 code base. For a detailed description of the clpreauth +interface, see the header file \code{\textless{}krb5/clpreauth\_plugin.h\textgreater{}} (or +\code{\textless{}krb5/preauth\_plugin.h\textgreater{}} before release 1.12). + +A clpreauth module is generally responsible for: +\begin{itemize} +\item {} +Supplying a list of preauth type numbers used by the module in the +\textbf{pa\_type\_list} field of the vtable structure. + +\item {} +Indicating what kind of preauthentication mechanism it implements, +with the \textbf{flags} method. In the most common case, this method +just returns \code{PA\_REAL}, indicating that it implements a normal +preauthentication type. + +\item {} +Examining the padata information included in a PREAUTH\_REQUIRED or +MORE\_PREAUTH\_DATA\_REQUIRED error and producing padata values for the +next AS request. This is done with the \textbf{process} method. + +\item {} +Examining the padata information included in a successful ticket +reply, possibly verifying the KDC identity and computing a reply +key. This is also done with the \textbf{process} method. + +\item {} +For preauthentication types which support it, recovering from errors +by examining the error data from the KDC and producing a padata +value for another AS request. This is done with the \textbf{tryagain} +method. + +\item {} +Receiving option information (supplied by \code{kinit -X} or by an +application), with the \textbf{gic\_opts} method. + +\end{itemize} + +A clpreauth module can create and destroy per-library-context and +per-request state objects by implementing the \textbf{init}, \textbf{fini}, +\textbf{request\_init}, and \textbf{request\_fini} methods. Per-context state +objects have the type krb5\_clpreauth\_moddata, and per-request state +objects have the type krb5\_clpreauth\_modreq. These are abstract +pointer types; a module should typically cast these to internal +types for the state objects. + +The \textbf{process} and \textbf{tryagain} methods have access to a callback +function and handle (called a ``rock'') which can be used to get +additional information about the current request, including the +expected enctype of the AS reply, the FAST armor key, and the client +long-term key (prompting for the user password if necessary). A +callback can also be used to replace the AS reply key if the +preauthentication mechanism computes one. + + +\section{KDC preauthentication interface (kdcpreauth)} +\label{plugindev/kdcpreauth:kdc-preauthentication-interface-kdcpreauth}\label{plugindev/kdcpreauth::doc} +The kdcpreauth interface allows the addition of KDC support for +preauthentication mechanisms beyond those included in the core MIT +krb5 code base. For a detailed description of the kdcpreauth +interface, see the header file \code{\textless{}krb5/kdcpreauth\_plugin.h\textgreater{}} (or +\code{\textless{}krb5/preauth\_plugin.h\textgreater{}} before release 1.12). + +A kdcpreauth module is generally responsible for: +\begin{itemize} +\item {} +Supplying a list of preauth type numbers used by the module in the +\textbf{pa\_type\_list} field of the vtable structure. + +\item {} +Indicating what kind of preauthentication mechanism it implements, +with the \textbf{flags} method. If the mechanism computes a new reply +key, it must specify the \code{PA\_REPLACES\_KEY} flag. If the mechanism +is generally only used with hardware tokens, the \code{PA\_HARDWARE} +flag allows the mechanism to work with principals which have the +\textbf{requires\_hwauth} flag set. + +\item {} +Producing a padata value to be sent with a preauth\_required error, +with the \textbf{edata} method. + +\item {} +Examining a padata value sent by a client and verifying that it +proves knowledge of the appropriate client credential information. +This is done with the \textbf{verify} method. + +\item {} +Producing a padata response value for the client, and possibly +computing a reply key. This is done with the \textbf{return\_padata} +method. + +\end{itemize} + +A module can create and destroy per-KDC state objects by implementing +the \textbf{init} and \textbf{fini} methods. Per-KDC state objects have the +type krb5\_kdcpreauth\_moddata, which is an abstract pointer types. A +module should typically cast this to an internal type for the state +object. + +A module can create a per-request state object by returning one in the +\textbf{verify} method, receiving it in the \textbf{return\_padata} method, and +destroying it in the \textbf{free\_modreq} method. Note that these state +objects only apply to the processing of a single AS request packet, +not to an entire authentication exchange (since an authentication +exchange may remain unfinished by the client or may involve multiple +different KDC hosts). Per-request state objects have the type +krb5\_kdcpreauth\_modreq, which is an abstract pointer type. + +The \textbf{edata}, \textbf{verify}, and \textbf{return\_padata} methods have access +to a callback function and handle (called a ``rock'') which can be used +to get additional information about the current request, including the +maximum allowable clock skew, the client's long-term keys, the +DER-encoded request body, the FAST armor key, string attributes on the +client's database entry, and the client's database entry itself. The +\textbf{verify} method can assert one or more authentication indicators to +be included in the issued ticket using the \code{add\_auth\_indicator} +callback (new in release 1.14). + +A module can generate state information to be included with the next +client request using the \code{set\_cookie} callback (new in release +1.14). On the next request, the module can read this state +information using the \code{get\_cookie} callback. Cookie information is +encrypted, timestamped, and transmitted to the client in a +\code{PA-FX-COOKIE} pa-data item. Older clients may not support cookies +and therefore may not transmit the cookie in the next request; in this +case, \code{get\_cookie} will not yield the saved information. + +If a module implements a mechanism which requires multiple round +trips, its \textbf{verify} method can respond with the code +\code{KRB5KDC\_ERR\_MORE\_PREAUTH\_DATA\_REQUIRED} and a list of pa-data in +the \emph{e\_data} parameter to be processed by the client. + +The \textbf{edata} and \textbf{verify} methods can be implemented +asynchronously. Because of this, they do not return values directly +to the caller, but must instead invoke responder functions with their +results. A synchronous implementation can invoke the responder +function immediately. An asynchronous implementation can use the +callback to get an event context for use with the \href{https://fedorahosted.org/libverto/}{libverto} API. + + +\section{Credential cache selection interface (ccselect)} +\label{plugindev/ccselect:credential-cache-selection-interface-ccselect}\label{plugindev/ccselect::doc}\label{plugindev/ccselect:ccselect-plugin} +The ccselect interface allows modules to control how credential caches +are chosen when a GSSAPI client contacts a service. For a detailed +description of the ccselect interface, see the header file +\code{\textless{}krb5/ccselect\_plugin.h\textgreater{}}. + +The primary ccselect method is \textbf{choose}, which accepts a server +principal as input and returns a ccache and/or principal name as +output. A module can use the krb5\_cccol APIs to iterate over the +cache collection in order to find an appropriate ccache to use. + +A module can create and destroy per-library-context state objects by +implementing the \textbf{init} and \textbf{fini} methods. State objects have +the type krb5\_ccselect\_moddata, which is an abstract pointer type. A +module should typically cast this to an internal type for the state +object. + +A module can have one of two priorities, ``authoritative'' or +``heuristic''. Results from authoritative modules, if any are +available, will take priority over results from heuristic modules. A +module communicates its priority as a result of the \textbf{init} method. + + +\section{Password quality interface (pwqual)} +\label{plugindev/pwqual::doc}\label{plugindev/pwqual:password-quality-interface-pwqual}\label{plugindev/pwqual:pwqual-plugin} +The pwqual interface allows modules to control what passwords are +allowed when a user changes passwords. For a detailed description of +the pwqual interface, see the header file \code{\textless{}krb5/pwqual\_plugin.h\textgreater{}}. + +The primary pwqual method is \textbf{check}, which receives a password as +input and returns success (0) or a \code{KADM5\_PASS\_Q\_} failure code +depending on whether the password is allowed. The \textbf{check} method +also receives the principal name and the name of the principal's +password policy as input; although there is no stable interface for +the module to obtain the fields of the password policy, it can define +its own configuration or data store based on the policy name. + +A module can create and destroy per-process state objects by +implementing the \textbf{open} and \textbf{close} methods. State objects have +the type krb5\_pwqual\_moddata, which is an abstract pointer type. A +module should typically cast this to an internal type for the state +object. The \textbf{open} method also receives the name of the realm's +dictionary file (as configured by the \textbf{dict\_file} variable in the +\emph{kdc\_realms} section of \emph{kdc.conf(5)}) if it wishes to use +it. + + +\section{KADM5 hook interface (kadm5\_hook)} +\label{plugindev/kadm5_hook:kadm5-hook-interface-kadm5-hook}\label{plugindev/kadm5_hook::doc}\label{plugindev/kadm5_hook:kadm5-hook-plugin} +The kadm5\_hook interface allows modules to perform actions when +changes are made to the Kerberos database through \emph{kadmin(1)}. +For a detailed description of the kadm5\_hook interface, see the header +file \code{\textless{}krb5/kadm5\_hook\_plugin.h\textgreater{}}. + +The kadm5\_hook interface has five primary methods: \textbf{chpass}, +\textbf{create}, \textbf{modify}, \textbf{remove}, and \textbf{rename}. (The \textbf{rename} +method was introduced in release 1.14.) Each of these methods is +called twice when the corresponding administrative action takes place, +once before the action is committed and once afterwards. A module can +prevent the action from taking place by returning an error code during +the pre-commit stage. + +A module can create and destroy per-process state objects by +implementing the \textbf{init} and \textbf{fini} methods. State objects have +the type kadm5\_hook\_modinfo, which is an abstract pointer type. A +module should typically cast this to an internal type for the state +object. + +Because the kadm5\_hook interface is tied closely to the kadmin +interface (which is explicitly unstable), it may not remain as stable +across versions as other public pluggable interfaces. + + +\section{Host-to-realm interface (hostrealm)} +\label{plugindev/hostrealm:hostrealm-plugin}\label{plugindev/hostrealm::doc}\label{plugindev/hostrealm:host-to-realm-interface-hostrealm} +The host-to-realm interface was first introduced in release 1.12. It +allows modules to control the local mapping of hostnames to realm +names as well as the default realm. For a detailed description of the +hostrealm interface, see the header file +\code{\textless{}krb5/hostrealm\_plugin.h\textgreater{}}. + +Although the mapping methods in the hostrealm interface return a list +of one or more realms, only the first realm in the list is currently +used by callers. Callers may begin using later responses in the +future. + +Any mapping method may return KRB5\_PLUGIN\_NO\_HANDLE to defer +processing to a later module. + +A module can create and destroy per-library-context state objects +using the \textbf{init} and \textbf{fini} methods. If the module does not need +any state, it does not need to implement these methods. + +The optional \textbf{host\_realm} method allows a module to determine +authoritative realm mappings for a hostname. The first authoritative +mapping is used in preference to KDC referrals when getting service +credentials. + +The optional \textbf{fallback\_realm} method allows a module to determine +fallback mappings for a hostname. The first fallback mapping is tried +if there is no authoritative mapping for a realm, and KDC referrals +failed to produce a successful result. + +The optional \textbf{default\_realm} method allows a module to determine the +local default realm. + +If a module implements any of the above methods, it must also +implement \textbf{free\_list} to ensure that memory is allocated and +deallocated consistently. + + +\section{Local authorization interface (localauth)} +\label{plugindev/localauth:local-authorization-interface-localauth}\label{plugindev/localauth:localauth-plugin}\label{plugindev/localauth::doc} +The localauth interface was first introduced in release 1.12. It +allows modules to control the relationship between Kerberos principals +and local system accounts. When an application calls +\code{krb5\_kuserok()} or \code{krb5\_aname\_to\_localname()}, localauth +modules are consulted to determine the result. For a detailed +description of the localauth interface, see the header file +\code{\textless{}krb5/localauth\_plugin.h\textgreater{}}. + +A module can create and destroy per-library-context state objects +using the \textbf{init} and \textbf{fini} methods. If the module does not need +any state, it does not need to implement these methods. + +The optional \textbf{userok} method allows a module to control the behavior +of \code{krb5\_kuserok()}. The module receives the authenticated name +and the local account name as inputs, and can return either 0 to +authorize access, KRB5\_PLUGIN\_NO\_HANDLE to defer the decision to other +modules, or another error (canonically EPERM) to authoritatively deny +access. Access is granted if at least one module grants access and no +module authoritatively denies access. + +The optional \textbf{an2ln} method can work in two different ways. If the +module sets an array of uppercase type names in \textbf{an2ln\_types}, then +the module's \textbf{an2ln} method will only be invoked by +\code{krb5\_aname\_to\_localname()} if an \textbf{auth\_to\_local} value in +\emph{krb5.conf(5)} refers to one of the module's types. In this +case, the \emph{type} and \emph{residual} arguments will give the type name and +residual string of the \textbf{auth\_to\_local} value. + +If the module does not set \textbf{an2ln\_types} but does implement +\textbf{an2ln}, the module's \textbf{an2ln} method will be invoked for all +\code{krb5\_aname\_to\_localname()} operations unless an earlier module +determines a mapping, with \emph{type} and \emph{residual} set to NULL. The +module can return KRB5\_LNAME\_NO\_TRANS to defer mapping to later +modules. + +If a module implements \textbf{an2ln}, it must also implement +\textbf{free\_string} to ensure that memory is allocated and deallocated +consistently. + + +\section{Server location interface (locate)} +\label{plugindev/locate:server-location-interface-locate}\label{plugindev/locate::doc} +The locate interface allows modules to control how KDCs and similar +services are located by clients. For a detailed description of the +ccselect interface, see the header file \code{\textless{}krb5/locate\_plugin.h\textgreater{}}. + +A locate module exports a structure object of type +krb5plugin\_service\_locate\_ftable, with the name \code{service\_locator}. +The structure contains a minor version and pointers to the module's +methods. + +The primary locate method is \textbf{lookup}, which accepts a service type, +realm name, desired socket type, and desired address family (which +will be AF\_UNSPEC if no specific address family is desired). The +method should invoke the callback function once for each server +address it wants to return, passing a socket type (SOCK\_STREAM for TCP +or SOCK\_DGRAM for UDP) and socket address. The \textbf{lookup} method +should return 0 if it has authoritatively determined the server +addresses for the realm, KRB5\_PLUGIN\_NO\_HANDLE if it wants to let +other location mechanisms determine the server addresses, or another +code if it experienced a failure which should abort the location +process. + +A module can create and destroy per-library-context state objects by +implementing the \textbf{init} and \textbf{fini} methods. State objects have +the type void *, and should be cast to an internal type for the state +object. + + +\section{Configuration interface (profile)} +\label{plugindev/profile:configuration-interface-profile}\label{plugindev/profile::doc}\label{plugindev/profile:profile-plugin} +The profile interface allows a module to control how krb5 +configuration information is obtained by the Kerberos library and +applications. For a detailed description of the profile interface, +see the header file \code{\textless{}profile.h\textgreater{}}. + +\begin{notice}{note}{Note:} +The profile interface does not follow the normal conventions +for MIT krb5 pluggable interfaces, because it is part of a +lower-level component of the krb5 library. +\end{notice} + +As with other types of plugin modules, a profile module is a Unix +shared object or Windows DLL, built separately from the krb5 tree. +The krb5 library will dynamically load and use a profile plugin module +if it reads a \code{module} directive at the beginning of krb5.conf, as +described in \emph{profile\_plugin\_config}. + +A profile module exports a function named \code{profile\_module\_init} +matching the signature of the profile\_module\_init\_fn type. This +function accepts a residual string, which may be used to help locate +the configuration source. The function fills in a vtable and may also +create a per-profile state object. If the module uses state objects, +it should implement the \textbf{copy} and \textbf{cleanup} methods to manage +them. + +A basic read-only profile module need only implement the +\textbf{get\_values} and \textbf{free\_values} methods. The \textbf{get\_values} method +accepts a null-terminated list of C string names (e.g., an array +containing ``libdefaults'', ``clockskew'', and NULL for the \textbf{clockskew} +variable in the \emph{libdefaults} section) and returns a +null-terminated list of values, which will be cleaned up with the +\textbf{free\_values} method when the caller is done with them. + +Iterable profile modules must also define the \textbf{iterator\_create}, +\textbf{iterator}, \textbf{iterator\_free}, and \textbf{free\_string} methods. The +core krb5 code does not require profiles to be iterable, but some +applications may iterate over the krb5 profile object in order to +present configuration interfaces. + +Writable profile modules must also define the \textbf{writable}, +\textbf{modified}, \textbf{update\_relation}, \textbf{rename\_section}, +\textbf{add\_relation}, and \textbf{flush} methods. The core krb5 code does not +require profiles to be writable, but some applications may write to +the krb5 profile in order to present configuration interfaces. + +The following is an example of a very basic read-only profile module +which returns a hardcoded value for the \textbf{default\_realm} variable in +\emph{libdefaults}, and provides no other configuration information. +(For conciseness, the example omits code for checking the return +values of malloc and strdup.) + +\begin{Verbatim}[commandchars=\\\{\}] +\PYGZsh{}include \PYGZlt{}stdlib.h\PYGZgt{} +\PYGZsh{}include \PYGZlt{}string.h\PYGZgt{} +\PYGZsh{}include \PYGZlt{}profile.h\PYGZgt{} + +static long +get\PYGZus{}values(void *cbdata, const char *const *names, char ***values) +\PYGZob{} + if (names[0] != NULL \PYGZam{}\PYGZam{} strcmp(names[0], \PYGZdq{}libdefaults\PYGZdq{}) == 0 \PYGZam{}\PYGZam{} + names[1] != NULL \PYGZam{}\PYGZam{} strcmp(names[1], \PYGZdq{}default\PYGZus{}realm\PYGZdq{}) == 0) \PYGZob{} + *values = malloc(2 * sizeof(char *)); + (*values)[0] = strdup(\PYGZdq{}ATHENA.MIT.EDU\PYGZdq{}); + (*values)[1] = NULL; + return 0; + \PYGZcb{} + return PROF\PYGZus{}NO\PYGZus{}RELATION; +\PYGZcb{} + +static void +free\PYGZus{}values(void *cbdata, char **values) +\PYGZob{} + char **v; + + for (v = values; *v; v++) + free(*v); + free(values); +\PYGZcb{} + +long +profile\PYGZus{}module\PYGZus{}init(const char *residual, struct profile\PYGZus{}vtable *vtable, + void **cb\PYGZus{}ret); + +long +profile\PYGZus{}module\PYGZus{}init(const char *residual, struct profile\PYGZus{}vtable *vtable, + void **cb\PYGZus{}ret) +\PYGZob{} + *cb\PYGZus{}ret = NULL; + vtable\PYGZhy{}\PYGZgt{}get\PYGZus{}values = get\PYGZus{}values; + vtable\PYGZhy{}\PYGZgt{}free\PYGZus{}values = free\PYGZus{}values; + return 0; +\PYGZcb{} +\end{Verbatim} + + +\section{GSSAPI mechanism interface} +\label{plugindev/gssapi::doc}\label{plugindev/gssapi:gssapi-mechanism-interface} +The GSSAPI library in MIT krb5 can load mechanism modules to augment +the set of built-in mechanisms. + +A mechanism module is a Unix shared object or Windows DLL, built +separately from the krb5 tree. Modules are loaded according to the +\code{/etc/gss/mech} or \code{/etc/gss/mech.d/*.conf} config files, as +described in \emph{gssapi\_plugin\_config}. + +For the most part, a GSSAPI mechanism module exports the same +functions as would a GSSAPI implementation itself, with the same +function signatures. The mechanism selection layer within the GSSAPI +library (called the ``mechglue'') will dispatch calls from the +application to the module if the module's mechanism is requested. If +a module does not wish to implement a GSSAPI extension, it can simply +refrain from exporting it, and the mechglue will fail gracefully if +the application calls that function. + +The mechglue does not invoke a module's \textbf{gss\_add\_cred}, +\textbf{gss\_add\_cred\_from}, \textbf{gss\_add\_cred\_impersonate\_name}, or +\textbf{gss\_add\_cred\_with\_password} function. A mechanism only needs to +implement the ``acquire'' variants of those functions. + +A module does not need to coordinate its minor status codes with those +of other mechanisms. If the mechglue detects conflicts, it will map +the mechanism's status codes onto unique values, and then map them +back again when \textbf{gss\_display\_status} is called. + + +\subsection{Interposer modules} +\label{plugindev/gssapi:interposer-modules} +The mechglue also supports a kind of loadable module, called an +interposer module, which intercepts calls to existing mechanisms +rather than implementing a new mechanism. + +An interposer module must export the symbol \textbf{gss\_mech\_interposer} +with the following signature: + +\begin{Verbatim}[commandchars=\\\{\}] +gss\PYGZus{}OID\PYGZus{}set gss\PYGZus{}mech\PYGZus{}interposer(gss\PYGZus{}OID mech\PYGZus{}type); +\end{Verbatim} + +This function is invoked with the OID of the interposer mechanism as +specified in \code{/etc/gss/mech} or in a \code{/etc/gss/mech.d/*.conf} +file, and returns a set of mechanism OIDs to be interposed. The +returned OID set must have been created using the mechglue's +gss\_create\_empty\_oid\_set and gss\_add\_oid\_set\_member functions. + +An interposer module must use the prefix \code{gssi\_} for the GSSAPI +functions it exports, instead of the prefix \code{gss\_}. + +An interposer module can link against the GSSAPI library in order to +make calls to the original mechanism. To do so, it must specify a +special mechanism OID which is the concatention of the interposer's +own OID byte string and the original mechanism's OID byte string. + +Since \textbf{gss\_accept\_sec\_context} does not accept a mechanism argument, +an interposer mechanism must, in order to invoke the original +mechanism's function, acquire a credential for the concatenated OID +and pass that as the \emph{verifier\_cred\_handle} parameter. + +Since \textbf{gss\_import\_name}, \textbf{gss\_import\_cred}, and +\textbf{gss\_import\_sec\_context} do not accept mechanism parameters, the SPI +has been extended to include variants which do. This allows the +interposer module to know which mechanism should be used to interpret +the token. These functions have the following signatures: + +\begin{Verbatim}[commandchars=\\\{\}] +OM\PYGZus{}uint32 gssi\PYGZus{}import\PYGZus{}sec\PYGZus{}context\PYGZus{}by\PYGZus{}mech(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}OID desired\PYGZus{}mech, gss\PYGZus{}buffer\PYGZus{}t interprocess\PYGZus{}token, + gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t *context\PYGZus{}handle); + +OM\PYGZus{}uint32 gssi\PYGZus{}import\PYGZus{}name\PYGZus{}by\PYGZus{}mech(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}OID mech\PYGZus{}type, gss\PYGZus{}buffer\PYGZus{}t input\PYGZus{}name\PYGZus{}buffer, + gss\PYGZus{}OID input\PYGZus{}name\PYGZus{}type, gss\PYGZus{}name\PYGZus{}t output\PYGZus{}name); + +OM\PYGZus{}uint32 gssi\PYGZus{}import\PYGZus{}cred\PYGZus{}by\PYGZus{}mech(OM\PYGZus{}uint32 *minor\PYGZus{}status, + gss\PYGZus{}OID mech\PYGZus{}type, gss\PYGZus{}buffer\PYGZus{}t token, + gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t *cred\PYGZus{}handle); +\end{Verbatim} + +To re-enter the original mechanism when importing tokens for the above +functions, the interposer module must wrap the mechanism token in the +mechglue's format, using the concatenated OID. The mechglue token +formats are: +\begin{itemize} +\item {} +For \textbf{gss\_import\_sec\_context}, a four-byte OID length in big-endian +order, followed by the mechanism OID, followed by the mechanism +token. + +\item {} +For \textbf{gss\_import\_name}, the bytes 04 01, followed by a two-byte OID +length in big-endian order, followed by the mechanism OID, followed +by the bytes 06, followed by the OID length as a single byte, +followed by the mechanism OID, followed by the mechanism token. + +\item {} +For \textbf{gss\_import\_cred}, a four-byte OID length in big-endian order, +followed by the mechanism OID, followed by a four-byte token length +in big-endian order, followed by the mechanism token. This sequence +may be repeated multiple times. + +\end{itemize} + + +\section{Internal pluggable interfaces} +\label{plugindev/internal::doc}\label{plugindev/internal:internal-pluggable-interfaces} +Following are brief discussions of pluggable interfaces which have not +yet been made public. These interfaces are functional, but the +interfaces are likely to change in incompatible ways from release to +release. In some cases, it may be necessary to copy header files from +the krb5 source tree to use an internal interface. Use these with +care, and expect to need to update your modules for each new release +of MIT krb5. + + +\subsection{Kerberos database interface (KDB)} +\label{plugindev/internal:kerberos-database-interface-kdb} +A KDB module implements a database back end for KDC principal and +policy information, and can also control many aspects of KDC behavior. +For a full description of the interface, see the header file +\code{\textless{}kdb.h\textgreater{}}. + +The KDB pluggable interface is often referred to as the DAL (Database +Access Layer). + + +\subsection{Authorization data interface (authdata)} +\label{plugindev/internal:authorization-data-interface-authdata} +The authdata interface allows a module to provide (from the KDC) or +consume (in application servers) authorization data of types beyond +those handled by the core MIT krb5 code base. The interface is +defined in the header file \code{\textless{}krb5/authdata\_plugin.h\textgreater{}}, which is not +installed by the build. + + + +\renewcommand{\indexname}{Index} +\printindex +\end{document} diff --git a/doc/pdf/python.ist b/doc/pdf/python.ist new file mode 100644 index 000000000000..9ffa0f959f9e --- /dev/null +++ b/doc/pdf/python.ist @@ -0,0 +1,11 @@ +line_max 100 +headings_flag 1 +heading_prefix " \\bigletter " + +preamble "\\begin{theindex} +\\def\\bigletter#1{{\\Large\\sffamily#1}\\nopagebreak\\vspace{1mm}} + +" + +symhead_positive "{Symbols}" +numhead_positive "{Numbers}" diff --git a/doc/pdf/sphinx.sty b/doc/pdf/sphinx.sty new file mode 100644 index 000000000000..554845f83532 --- /dev/null +++ b/doc/pdf/sphinx.sty @@ -0,0 +1,522 @@ +% +% sphinx.sty +% +% Adapted from the old python.sty, mostly written by Fred Drake, +% by Georg Brandl. +% + +\NeedsTeXFormat{LaTeX2e}[1995/12/01] +\ProvidesPackage{sphinx}[2010/01/15 LaTeX package (Sphinx markup)] + +\@ifclassloaded{memoir}{}{\RequirePackage{fancyhdr}} + +\RequirePackage{textcomp} +\RequirePackage{fancybox} +\RequirePackage{titlesec} +\RequirePackage{tabulary} +\RequirePackage{amsmath} % for \text +\RequirePackage{makeidx} +\RequirePackage{framed} +\RequirePackage{ifthen} +\RequirePackage{color} +% For highlighted code. +\RequirePackage{fancyvrb} +% For table captions. +\RequirePackage{threeparttable} +% Handle footnotes in tables. +\RequirePackage{footnote} +\makesavenoteenv{tabulary} +% For floating figures in the text. +\RequirePackage{wrapfig} +% Separate paragraphs by space by default. +\RequirePackage{parskip} +% For parsed-literal blocks. +\RequirePackage{alltt} + +% Redefine these colors to your liking in the preamble. +\definecolor{TitleColor}{rgb}{0.126,0.263,0.361} +\definecolor{InnerLinkColor}{rgb}{0.208,0.374,0.486} +\definecolor{OuterLinkColor}{rgb}{0.216,0.439,0.388} +% Redefine these colors to something not white if you want to have colored +% background and border for code examples. +\definecolor{VerbatimColor}{rgb}{1,1,1} +\definecolor{VerbatimBorderColor}{rgb}{1,1,1} + +% Uncomment these two lines to ignore the paper size and make the page +% size more like a typical published manual. +%\renewcommand{\paperheight}{9in} +%\renewcommand{\paperwidth}{8.5in} % typical squarish manual +%\renewcommand{\paperwidth}{7in} % O'Reilly ``Programmming Python'' + +% use pdfoutput for pTeX and dvipdfmx +\ifx\kanjiskip\undefined\else + \ifx\Gin@driver{dvipdfmx.def}\undefined\else + \newcount\pdfoutput\pdfoutput=0 + \fi +\fi + +% For graphicx, check if we are compiling under latex or pdflatex. +\ifx\pdftexversion\undefined + \usepackage{graphicx} +\else + \usepackage[pdftex]{graphicx} +\fi + +% for PDF output, use colors and maximal compression +\newif\ifsphinxpdfoutput\sphinxpdfoutputfalse +\ifx\pdfoutput\undefined\else\ifcase\pdfoutput + \let\py@NormalColor\relax + \let\py@TitleColor\relax +\else + \sphinxpdfoutputtrue + \input{pdfcolor} + \def\py@NormalColor{\color[rgb]{0.0,0.0,0.0}} + \def\py@TitleColor{\color{TitleColor}} + \pdfcompresslevel=9 +\fi\fi + +% XeLaTeX can do colors, too +\ifx\XeTeXrevision\undefined\else + \def\py@NormalColor{\color[rgb]{0.0,0.0,0.0}} + \def\py@TitleColor{\color{TitleColor}} +\fi + +% Increase printable page size (copied from fullpage.sty) +\topmargin 0pt +\advance \topmargin by -\headheight +\advance \topmargin by -\headsep + +% attempt to work a little better for A4 users +\textheight \paperheight +\advance\textheight by -2in + +\oddsidemargin 0pt +\evensidemargin 0pt +%\evensidemargin -.25in % for ``manual size'' documents +\marginparwidth 0.5in + +\textwidth \paperwidth +\advance\textwidth by -2in + + +% Style parameters and macros used by most documents here +\raggedbottom +\sloppy +\hbadness = 5000 % don't print trivial gripes + +\pagestyle{empty} % start this way + +% Use this to set the font family for headers and other decor: +\newcommand{\py@HeaderFamily}{\sffamily\bfseries} + +% Redefine the 'normal' header/footer style when using "fancyhdr" package: +\@ifundefined{fancyhf}{}{ + % Use \pagestyle{normal} as the primary pagestyle for text. + \fancypagestyle{normal}{ + \fancyhf{} + \fancyfoot[LE,RO]{{\py@HeaderFamily\thepage}} + \fancyfoot[LO]{{\py@HeaderFamily\nouppercase{\rightmark}}} + \fancyfoot[RE]{{\py@HeaderFamily\nouppercase{\leftmark}}} + \fancyhead[LE,RO]{{\py@HeaderFamily \@title, \py@release}} + \renewcommand{\headrulewidth}{0.4pt} + \renewcommand{\footrulewidth}{0.4pt} + % define chaptermark with \@chappos when \@chappos is available for Japanese + \ifx\@chappos\undefined\else + \def\chaptermark##1{\markboth{\@chapapp\space\thechapter\space\@chappos\space ##1}{}} + \fi + } + % Update the plain style so we get the page number & footer line, + % but not a chapter or section title. This is to keep the first + % page of a chapter and the blank page between chapters `clean.' + \fancypagestyle{plain}{ + \fancyhf{} + \fancyfoot[LE,RO]{{\py@HeaderFamily\thepage}} + \renewcommand{\headrulewidth}{0pt} + \renewcommand{\footrulewidth}{0.4pt} + } +} + +% Some custom font markup commands. +% +\newcommand{\strong}[1]{{\textbf{#1}}} +\newcommand{\code}[1]{\texttt{#1}} +\newcommand{\bfcode}[1]{\code{\bfseries#1}} +\newcommand{\email}[1]{\textsf{#1}} + +% Redefine the Verbatim environment to allow border and background colors. +% The original environment is still used for verbatims within tables. +\let\OriginalVerbatim=\Verbatim +\let\endOriginalVerbatim=\endVerbatim + +% Play with vspace to be able to keep the indentation. +\newlength\distancetoright +\def\mycolorbox#1{% + \setlength\distancetoright{\linewidth}% + \advance\distancetoright -\@totalleftmargin % + \fcolorbox{VerbatimBorderColor}{VerbatimColor}{% + \begin{minipage}{\distancetoright}% + #1 + \end{minipage}% + }% +} +\def\FrameCommand{\mycolorbox} + +\renewcommand{\Verbatim}[1][1]{% + % list starts new par, but we don't want it to be set apart vertically + \bgroup\parskip=0pt% + \smallskip% + % The list environement is needed to control perfectly the vertical + % space. + \list{}{% + \setlength\parskip{0pt}% + \setlength\itemsep{0ex}% + \setlength\topsep{0ex}% + \setlength\partopsep{0pt}% + \setlength\leftmargin{0pt}% + }% + \item\MakeFramed {\FrameRestore}% + \small% + \OriginalVerbatim[#1]% +} +\renewcommand{\endVerbatim}{% + \endOriginalVerbatim% + \endMakeFramed% + \endlist% + % close group to restore \parskip + \egroup% +} + + +% \moduleauthor{name}{email} +\newcommand{\moduleauthor}[2]{} + +% \sectionauthor{name}{email} +\newcommand{\sectionauthor}[2]{} + +% Augment the sectioning commands used to get our own font family in place, +% and reset some internal data items: +\titleformat{\section}{\Large\py@HeaderFamily}% + {\py@TitleColor\thesection}{0.5em}{\py@TitleColor}{\py@NormalColor} +\titleformat{\subsection}{\large\py@HeaderFamily}% + {\py@TitleColor\thesubsection}{0.5em}{\py@TitleColor}{\py@NormalColor} +\titleformat{\subsubsection}{\py@HeaderFamily}% + {\py@TitleColor\thesubsubsection}{0.5em}{\py@TitleColor}{\py@NormalColor} +\titleformat{\paragraph}{\small\py@HeaderFamily}% + {\py@TitleColor}{0em}{\py@TitleColor}{\py@NormalColor} + +% {fulllineitems} is the main environment for object descriptions. +% +\newcommand{\py@itemnewline}[1]{% + \@tempdima\linewidth% + \advance\@tempdima \leftmargin\makebox[\@tempdima][l]{#1}% +} + +\newenvironment{fulllineitems}{ + \begin{list}{}{\labelwidth \leftmargin \labelsep 0pt + \rightmargin 0pt \topsep -\parskip \partopsep \parskip + \itemsep -\parsep + \let\makelabel=\py@itemnewline} +}{\end{list}} + +% \optional is used for ``[, arg]``, i.e. desc_optional nodes. +\newcommand{\optional}[1]{% + {\textnormal{\Large[}}{#1}\hspace{0.5mm}{\textnormal{\Large]}}} + +\newlength{\py@argswidth} +\newcommand{\py@sigparams}[2]{% + \parbox[t]{\py@argswidth}{#1\code{)}#2}} +\newcommand{\pysigline}[1]{\item[#1]\nopagebreak} +\newcommand{\pysiglinewithargsret}[3]{% + \settowidth{\py@argswidth}{#1\code{(}}% + \addtolength{\py@argswidth}{-2\py@argswidth}% + \addtolength{\py@argswidth}{\linewidth}% + \item[#1\code{(}\py@sigparams{#2}{#3}]} + +% Production lists +% +\newenvironment{productionlist}{ +% \def\optional##1{{\Large[}##1{\Large]}} + \def\production##1##2{\\\code{##1}&::=&\code{##2}} + \def\productioncont##1{\\& &\code{##1}} + \parindent=2em + \indent + \setlength{\LTpre}{0pt} + \setlength{\LTpost}{0pt} + \begin{longtable}[l]{lcl} +}{% + \end{longtable} +} + +% Notices / Admonitions +% +\newlength{\py@noticelength} + +\newcommand{\py@heavybox}{ + \setlength{\fboxrule}{1pt} + \setlength{\fboxsep}{6pt} + \setlength{\py@noticelength}{\linewidth} + \addtolength{\py@noticelength}{-2\fboxsep} + \addtolength{\py@noticelength}{-2\fboxrule} + %\setlength{\shadowsize}{3pt} + \noindent\Sbox + \minipage{\py@noticelength} +} +\newcommand{\py@endheavybox}{ + \endminipage + \endSbox + \fbox{\TheSbox} +} + +\newcommand{\py@lightbox}{{% + \setlength\parskip{0pt}\par + \noindent\rule[0ex]{\linewidth}{0.5pt}% + \par\noindent\vspace{-0.5ex}% + }} +\newcommand{\py@endlightbox}{{% + \setlength{\parskip}{0pt}% + \par\noindent\rule[0.5ex]{\linewidth}{0.5pt}% + \par\vspace{-0.5ex}% + }} + +% Some are quite plain: +\newcommand{\py@noticestart@note}{\py@lightbox} +\newcommand{\py@noticeend@note}{\py@endlightbox} +\newcommand{\py@noticestart@hint}{\py@lightbox} +\newcommand{\py@noticeend@hint}{\py@endlightbox} +\newcommand{\py@noticestart@important}{\py@lightbox} +\newcommand{\py@noticeend@important}{\py@endlightbox} +\newcommand{\py@noticestart@tip}{\py@lightbox} +\newcommand{\py@noticeend@tip}{\py@endlightbox} + +% Others gets more visible distinction: +\newcommand{\py@noticestart@warning}{\py@heavybox} +\newcommand{\py@noticeend@warning}{\py@endheavybox} +\newcommand{\py@noticestart@caution}{\py@heavybox} +\newcommand{\py@noticeend@caution}{\py@endheavybox} +\newcommand{\py@noticestart@attention}{\py@heavybox} +\newcommand{\py@noticeend@attention}{\py@endheavybox} +\newcommand{\py@noticestart@danger}{\py@heavybox} +\newcommand{\py@noticeend@danger}{\py@endheavybox} +\newcommand{\py@noticestart@error}{\py@heavybox} +\newcommand{\py@noticeend@error}{\py@endheavybox} + +\newenvironment{notice}[2]{ + \def\py@noticetype{#1} + \csname py@noticestart@#1\endcsname + \strong{#2} +}{\csname py@noticeend@\py@noticetype\endcsname} + +% Allow the release number to be specified independently of the +% \date{}. This allows the date to reflect the document's date and +% release to specify the release that is documented. +% +\newcommand{\py@release}{} +\newcommand{\version}{} +\newcommand{\shortversion}{} +\newcommand{\releaseinfo}{} +\newcommand{\releasename}{Release} +\newcommand{\release}[1]{% + \renewcommand{\py@release}{\releasename\space\version}% + \renewcommand{\version}{#1}} +\newcommand{\setshortversion}[1]{% + \renewcommand{\shortversion}{#1}} +\newcommand{\setreleaseinfo}[1]{% + \renewcommand{\releaseinfo}{#1}} + +% Allow specification of the author's address separately from the +% author's name. This can be used to format them differently, which +% is a good thing. +% +\newcommand{\py@authoraddress}{} +\newcommand{\authoraddress}[1]{\renewcommand{\py@authoraddress}{#1}} + +% This sets up the fancy chapter headings that make the documents look +% at least a little better than the usual LaTeX output. +% +\@ifundefined{ChTitleVar}{}{ + \ChNameVar{\raggedleft\normalsize\py@HeaderFamily} + \ChNumVar{\raggedleft \bfseries\Large\py@HeaderFamily} + \ChTitleVar{\raggedleft \textrm{\Huge\py@HeaderFamily}} + % This creates chapter heads without the leading \vspace*{}: + \def\@makechapterhead#1{% + {\parindent \z@ \raggedright \normalfont + \ifnum \c@secnumdepth >\m@ne + \DOCH + \fi + \interlinepenalty\@M + \DOTI{#1} + } + } +} + +% Redefine description environment so that it is usable inside fulllineitems. +% +\renewcommand{\description}{% + \list{}{\labelwidth\z@% + \itemindent-\leftmargin% + \labelsep5pt% + \let\makelabel=\descriptionlabel}} + +% Definition lists; requested by AMK for HOWTO documents. Probably useful +% elsewhere as well, so keep in in the general style support. +% +\newenvironment{definitions}{% + \begin{description}% + \def\term##1{\item[##1]\mbox{}\\*[0mm]} +}{% + \end{description}% +} + +% Tell TeX about pathological hyphenation cases: +\hyphenation{Base-HTTP-Re-quest-Hand-ler} + + +% The following is stuff copied from docutils' latex writer. +% +\newcommand{\optionlistlabel}[1]{\bf #1 \hfill} +\newenvironment{optionlist}[1] +{\begin{list}{} + {\setlength{\labelwidth}{#1} + \setlength{\rightmargin}{1cm} + \setlength{\leftmargin}{\rightmargin} + \addtolength{\leftmargin}{\labelwidth} + \addtolength{\leftmargin}{\labelsep} + \renewcommand{\makelabel}{\optionlistlabel}} +}{\end{list}} + +\newlength{\lineblockindentation} +\setlength{\lineblockindentation}{2.5em} +\newenvironment{lineblock}[1] +{\begin{list}{} + {\setlength{\partopsep}{\parskip} + \addtolength{\partopsep}{\baselineskip} + \topsep0pt\itemsep0.15\baselineskip\parsep0pt + \leftmargin#1} + \raggedright} +{\end{list}} + +% Redefine includgraphics for avoiding images larger than the screen size +% If the size is not specified. +\let\py@Oldincludegraphics\includegraphics + +\newbox\image@box% +\newdimen\image@width% +\renewcommand\includegraphics[2][\@empty]{% + \ifx#1\@empty% + \setbox\image@box=\hbox{\py@Oldincludegraphics{#2}}% + \image@width\wd\image@box% + \ifdim \image@width>\linewidth% + \setbox\image@box=\hbox{\py@Oldincludegraphics[width=\linewidth]{#2}}% + \box\image@box% + \else% + \py@Oldincludegraphics{#2}% + \fi% + \else% + \py@Oldincludegraphics[#1]{#2}% + \fi% +} + +% to make pdf with correct encoded bookmarks in Japanese +% this should precede the hyperref package +\ifx\kanjiskip\undefined\else + \usepackage{atbegshi} + \ifx\ucs\undefined + \ifnum 42146=\euc"A4A2 + \AtBeginShipoutFirst{\special{pdf:tounicode EUC-UCS2}} + \else + \AtBeginShipoutFirst{\special{pdf:tounicode 90ms-RKSJ-UCS2}} + \fi + \else + \AtBeginShipoutFirst{\special{pdf:tounicode UTF8-UCS2}} + \fi +\fi + +% Include hyperref last. +\RequirePackage[colorlinks,breaklinks, + linkcolor=InnerLinkColor,filecolor=OuterLinkColor, + menucolor=OuterLinkColor,urlcolor=OuterLinkColor, + citecolor=InnerLinkColor]{hyperref} +% Fix anchor placement for figures with captions. +% (Note: we don't use a package option here; instead, we give an explicit +% \capstart for figures that actually have a caption.) +\RequirePackage{hypcap} + +% From docutils.writers.latex2e +\providecommand{\DUspan}[2]{% + {% group ("span") to limit the scope of styling commands + \@for\node@class@name:=#1\do{% + \ifcsname docutilsrole\node@class@name\endcsname% + \csname docutilsrole\node@class@name\endcsname% + \fi% + }% + {#2}% node content + }% close "span" +} + +\providecommand*{\DUprovidelength}[2]{ + \ifthenelse{\isundefined{#1}}{\newlength{#1}\setlength{#1}{#2}}{} +} + +\DUprovidelength{\DUlineblockindent}{2.5em} +\ifthenelse{\isundefined{\DUlineblock}}{ + \newenvironment{DUlineblock}[1]{% + \list{}{\setlength{\partopsep}{\parskip} + \addtolength{\partopsep}{\baselineskip} + \setlength{\topsep}{0pt} + \setlength{\itemsep}{0.15\baselineskip} + \setlength{\parsep}{0pt} + \setlength{\leftmargin}{#1}} + \raggedright + } + {\endlist} +}{} + + +% From footmisc.sty: allows footnotes in titles +\let\FN@sf@@footnote\footnote +\def\footnote{\ifx\protect\@typeset@protect + \expandafter\FN@sf@@footnote + \else + \expandafter\FN@sf@gobble@opt + \fi +} +\edef\FN@sf@gobble@opt{\noexpand\protect + \expandafter\noexpand\csname FN@sf@gobble@opt \endcsname} +\expandafter\def\csname FN@sf@gobble@opt \endcsname{% + \@ifnextchar[%] + \FN@sf@gobble@twobracket + \@gobble +} +\def\FN@sf@gobble@twobracket[#1]#2{} + +% adjust the margins for footer, +% this works with the jsclasses only (Japanese standard document classes) +\ifx\@jsc@uplatextrue\undefined\else + \hypersetup{setpagesize=false} + \setlength\footskip{2\baselineskip} + \addtolength{\textheight}{-2\baselineskip} +\fi + +% fix the double index and bibliography on the table of contents +% in jsclasses (Japanese standard document classes) +\ifx\@jsc@uplatextrue\undefined\else + \renewcommand{\theindex}{ + \cleardoublepage + \phantomsection + \py@OldTheindex + } + \renewcommand{\thebibliography}[1]{ + \cleardoublepage + \phantomsection + \py@OldThebibliography{1} + } +\fi + +% disable \@chappos in Appendix in pTeX +\ifx\kanjiskip\undefined\else + \let\py@OldAppendix=\appendix + \renewcommand{\appendix}{ + \py@OldAppendix + \gdef\@chappos{} + } +\fi diff --git a/doc/pdf/sphinxhowto.cls b/doc/pdf/sphinxhowto.cls new file mode 100644 index 000000000000..26e63a7ee48f --- /dev/null +++ b/doc/pdf/sphinxhowto.cls @@ -0,0 +1,104 @@ +% +% sphinxhowto.cls for Sphinx (http://sphinx-doc.org/) +% + +\NeedsTeXFormat{LaTeX2e}[1995/12/01] +\ProvidesClass{sphinxhowto}[2009/06/02 Document class (Sphinx HOWTO)] + +% 'oneside' option overriding the 'twoside' default +\newif\if@oneside +\DeclareOption{oneside}{\@onesidetrue} +% Pass remaining document options to the parent class. +\DeclareOption*{\PassOptionsToClass{\CurrentOption}{\sphinxdocclass}} +\ProcessOptions\relax + +% Default to two-side document +\if@oneside +% nothing to do (oneside is the default) +\else +\PassOptionsToClass{twoside}{\sphinxdocclass} +\fi + +\LoadClass{\sphinxdocclass} + +% Set some sane defaults for section numbering depth and TOC depth. You can +% reset these counters in your preamble. +% +\setcounter{secnumdepth}{2} + +% Change the title page to look a bit better, and fit in with the fncychap +% ``Bjarne'' style a bit better. +% +\renewcommand{\maketitle}{ + \rule{\textwidth}{1pt} + \ifsphinxpdfoutput + \begingroup + % These \defs are required to deal with multi-line authors; it + % changes \\ to ', ' (comma-space), making it pass muster for + % generating document info in the PDF file. + \def\\{, } + \def\and{and } + \pdfinfo{ + /Author (\@author) + /Title (\@title) + } + \endgroup + \fi + \begin{flushright} + \sphinxlogo% + {\rm\Huge\py@HeaderFamily \@title} \par + {\em\large\py@HeaderFamily \py@release\releaseinfo} \par + \vspace{25pt} + {\Large\py@HeaderFamily + \begin{tabular}[t]{c} + \@author + \end{tabular}} \par + \vspace{25pt} + \@date \par + \py@authoraddress \par + \end{flushright} + \@thanks + \setcounter{footnote}{0} + \let\thanks\relax\let\maketitle\relax + %\gdef\@thanks{}\gdef\@author{}\gdef\@title{} +} + +\let\py@OldTableofcontents=\tableofcontents +\renewcommand{\tableofcontents}{ + \begingroup + \parskip = 0mm + \py@OldTableofcontents + \endgroup + \rule{\textwidth}{1pt} + \vspace{12pt} +} + +\@ifundefined{fancyhf}{ + \pagestyle{plain}}{ + \pagestyle{normal}} % start this way; change for +\pagenumbering{arabic} % ToC & chapters + +\thispagestyle{empty} + +% Fix the bibliography environment to add an entry to the Table of +% Contents. +% For an article document class this environment is a section, +% so no page break before it. +\let\py@OldThebibliography=\thebibliography +\renewcommand{\thebibliography}[1]{ + \phantomsection + \py@OldThebibliography{1} + \addcontentsline{toc}{section}{\bibname} +} + +% Same for the indices. +% The memoir class already does this, so we don't duplicate it in that case. +% +\@ifclassloaded{memoir}{}{ + \let\py@OldTheindex=\theindex + \renewcommand{\theindex}{ + \phantomsection + \py@OldTheindex + \addcontentsline{toc}{section}{\indexname} + } +} diff --git a/doc/pdf/sphinxmanual.cls b/doc/pdf/sphinxmanual.cls new file mode 100644 index 000000000000..a6b9b392859c --- /dev/null +++ b/doc/pdf/sphinxmanual.cls @@ -0,0 +1,148 @@ +% +% sphinxmanual.cls for Sphinx (http://sphinx-doc.org/) +% + +\NeedsTeXFormat{LaTeX2e}[1995/12/01] +\ProvidesClass{sphinxmanual}[2009/06/02 Document class (Sphinx manual)] + +% chapters starting at odd pages (overridden by 'openany' document option) +\PassOptionsToClass{openright}{\sphinxdocclass} + +% 'oneside' option overriding the 'twoside' default +\newif\if@oneside +\DeclareOption{oneside}{\@onesidetrue} +% Pass remaining document options to the parent class. +\DeclareOption*{\PassOptionsToClass{\CurrentOption}{\sphinxdocclass}} +\ProcessOptions\relax + +% Defaults two-side document +\if@oneside +% nothing to do (oneside is the default) +\else +\PassOptionsToClass{twoside}{\sphinxdocclass} +\fi + +\LoadClass{\sphinxdocclass} + +% Set some sane defaults for section numbering depth and TOC depth. You can +% reset these counters in your preamble. +% +\setcounter{secnumdepth}{2} +\setcounter{tocdepth}{1} + +% Change the title page to look a bit better, and fit in with the fncychap +% ``Bjarne'' style a bit better. +% +\renewcommand{\maketitle}{% + \begin{titlepage}% + \let\footnotesize\small + \let\footnoterule\relax + \rule{\textwidth}{1pt}% + \ifsphinxpdfoutput + \begingroup + % These \defs are required to deal with multi-line authors; it + % changes \\ to ', ' (comma-space), making it pass muster for + % generating document info in the PDF file. + \def\\{, } + \def\and{and } + \pdfinfo{ + /Author (\@author) + /Title (\@title) + } + \endgroup + \fi + \begin{flushright}% + \sphinxlogo% + {\rm\Huge\py@HeaderFamily \@title \par}% + {\em\LARGE\py@HeaderFamily \py@release\releaseinfo \par} + \vfill + {\LARGE\py@HeaderFamily + \begin{tabular}[t]{c} + \@author + \end{tabular} + \par} + \vfill\vfill + {\large + \@date \par + \vfill + \py@authoraddress \par + }% + \end{flushright}%\par + \@thanks + \end{titlepage}% + \cleardoublepage% + \setcounter{footnote}{0}% + \let\thanks\relax\let\maketitle\relax + %\gdef\@thanks{}\gdef\@author{}\gdef\@title{} +} + + +% Catch the end of the {abstract} environment, but here make sure the abstract +% is followed by a blank page if the 'openright' option is used. +% +\let\py@OldEndAbstract=\endabstract +\renewcommand{\endabstract}{ + \if@openright + \ifodd\value{page} + \typeout{Adding blank page after the abstract.} + \vfil\pagebreak + \fi + \fi + \py@OldEndAbstract +} + +% This wraps the \tableofcontents macro with all the magic to get the spacing +% right and have the right number of pages if the 'openright' option has been +% used. This eliminates a fair amount of crud in the individual document files. +% +\let\py@OldTableofcontents=\tableofcontents +\renewcommand{\tableofcontents}{% + \pagenumbering{roman}% + \setcounter{page}{1}% + \pagebreak% + \pagestyle{plain}% + {% + \parskip = 0mm% + \py@OldTableofcontents% + \if@openright% + \ifodd\value{page}% + \typeout{Adding blank page after the table of contents.}% + \pagebreak\hspace{0pt}% + \fi% + \fi% + \cleardoublepage% + }% + \pagenumbering{arabic}% + \@ifundefined{fancyhf}{}{\pagestyle{normal}}% +} +\pagenumbering{alph} + +% This is needed to get the width of the section # area wide enough in the +% library reference. Doing it here keeps it the same for all the manuals. +% +\renewcommand*\l@section{\@dottedtocline{1}{1.5em}{2.6em}} +\renewcommand*\l@subsection{\@dottedtocline{2}{4.1em}{3.5em}} + +% Fix the bibliography environment to add an entry to the Table of +% Contents. +% For a report document class this environment is a chapter. +\let\py@OldThebibliography=\thebibliography +\renewcommand{\thebibliography}[1]{ + \cleardoublepage + \phantomsection + \py@OldThebibliography{1} + \addcontentsline{toc}{chapter}{\bibname} +} + +% Same for the indices. +% The memoir class already does this, so we don't duplicate it in that case. +% +\@ifclassloaded{memoir}{}{ + \let\py@OldTheindex=\theindex + \renewcommand{\theindex}{ + \cleardoublepage + \phantomsection + \py@OldTheindex + \addcontentsline{toc}{chapter}{\indexname} + } +} diff --git a/doc/pdf/tabulary.sty b/doc/pdf/tabulary.sty new file mode 100644 index 000000000000..7ea572c1213b --- /dev/null +++ b/doc/pdf/tabulary.sty @@ -0,0 +1,449 @@ +%% +%% This is file `tabulary.sty', +%% generated with the docstrip utility. +%% +%% The original source files were: +%% +%% tabulary.dtx (with options: `package') +%% DRAFT VERSION +%% +%% File `tabulary.dtx'. +%% Copyright (C) 1995 1996 2003 2008 David Carlisle +%% This file may be distributed under the terms of the LPPL. +%% See 00readme.txt for details. +%% +\NeedsTeXFormat{LaTeX2e} +\ProvidesPackage{tabulary} + [2008/12/01 v0.9 tabulary package (DPC)] +\RequirePackage{array} +\catcode`\Z=14 +\DeclareOption{debugshow}{\catcode`\Z=9\relax} +\ProcessOptions +\def\arraybackslash{\let\\=\@arraycr} +\def\@finalstrut#1{% + \unskip\ifhmode\nobreak\fi\vrule\@width\z@\@height\z@\@depth\dp#1} +\newcount\TY@count +\def\tabulary{% + \let\TY@final\tabular + \let\endTY@final\endtabular + \TY@tabular} +\def\TY@tabular#1{% + \edef\TY@{\@currenvir}% + {\ifnum0=`}\fi + \@ovxx\TY@linewidth + \@ovyy\TY@tablewidth + \count@\z@ + \@tempswatrue + \@whilesw\if@tempswa\fi{% + \advance\count@\@ne + \expandafter\ifx\csname TY@F\the\count@\endcsname\relax + \@tempswafalse + \else + \expandafter\let\csname TY@SF\the\count@\expandafter\endcsname + \csname TY@F\the\count@\endcsname + \global\expandafter\let\csname TY@F\the\count@\endcsname\relax + \expandafter\let\csname TY@S\the\count@\expandafter\endcsname + \csname TY@\the\count@\endcsname + \fi}% + \global\TY@count\@ne + \TY@width\xdef{0pt}% + \global\TY@tablewidth\z@ + \global\TY@linewidth#1\relax +Z\message{^^J^^JTable^^J% +Z Target Width: \the\TY@linewidth^^J% +Z \string\tabcolsep: \the\tabcolsep\space +Z \string\arrayrulewidth: \the\arrayrulewidth\space +Z \string\doublerulesep: \the\doublerulesep^^J% +Z \string\tymin: \the\tymin\space +Z \string\tymax: \the\tymax^^J}% + \let\@classz\TY@classz + \let\verb\TX@verb + \toks@{}\TY@get@body} +\let\TY@@mkpream\@mkpream +\def\TY@mkpream{% + \def\@addamp{% + \if@firstamp \@firstampfalse \else + \global\advance\TY@count\@ne + \edef\@preamble{\@preamble &}\fi + \TY@width\xdef{0pt}}% + \def\@acol{% + \TY@subwidth\col@sep + \@addtopreamble{\hskip\col@sep}}% + \let\@arrayrule\TY@arrayrule + \let\@classvi\TY@classvi + \def\@classv{\save@decl + \expandafter\NC@ecs\@nextchar\extracolsep{}\extracolsep\@@@ + \sbox\z@{\d@llarbegin\@nextchar\d@llarend}% + \TY@subwidth{\wd\z@}% + \@addtopreamble{\d@llarbegin\the@toks\the\count@\relax\d@llarend}% + \prepnext@tok}% + \global\let\@mkpream\TY@@mkpream + \TY@@mkpream} +\def\TY@arrayrule{% + \TY@subwidth\arrayrulewidth + \@addtopreamble \vline} +\def\TY@classvi{\ifcase \@lastchclass + \@acol \or + \TY@subwidth\doublerulesep + \@addtopreamble{\hskip \doublerulesep}\or + \@acol \or + \@classvii + \fi} +\def\TY@tab{% + \setbox\z@\hbox\bgroup + \let\[$\let\]$% + \let\equation$\let\endequation$% + \col@sep\tabcolsep + \let\d@llarbegin\begingroup\let\d@llarend\endgroup + \let\@mkpream\TY@mkpream + \def\multicolumn##1##2##3{\multispan##1\relax}% + \CT@start\TY@tabarray} +\def\TY@tabarray{\@ifnextchar[{\TY@array}{\@array[t]}} +\def\TY@array[#1]{\@array[t]} +\def\TY@width#1{% + \expandafter#1\csname TY@\the\TY@count\endcsname} +\def\TY@subwidth#1{% + \TY@width\dimen@ + \advance\dimen@-#1\relax + \TY@width\xdef{\the\dimen@}% + \global\advance\TY@linewidth-#1\relax} +\def\endtabulary{% + \gdef\@halignto{}% + \expandafter\TY@tab\the\toks@ + \crcr\omit + {\xdef\TY@save@row{}% + \loop + \advance\TY@count\m@ne + \ifnum\TY@count>\z@ + \xdef\TY@save@row{\TY@save@row&\omit}% + \repeat}\TY@save@row + \endarray\global\setbox1=\lastbox\setbox0=\vbox{\unvbox1 + \unskip\global\setbox1=\lastbox}\egroup + \dimen@\TY@linewidth + \divide\dimen@\TY@count + \ifdim\dimen@<\tymin + \TY@warn{tymin too large (\the\tymin), resetting to \the\dimen@}% + \tymin\dimen@ + \fi + \setbox\tw@=\hbox{\unhbox\@ne + \loop +\@tempdima=\lastskip +\ifdim\@tempdima>\z@ +Z \message{ecs=\the\@tempdima^^J}% + \global\advance\TY@linewidth-\@tempdima +\fi + \unskip + \setbox\tw@=\lastbox + \ifhbox\tw@ +Z \message{Col \the\TY@count: Initial=\the\wd\tw@\space}% + \ifdim\wd\tw@>\tymax + \wd\tw@\tymax +Z \message{> max\space}% +Z \else +Z \message{ \@spaces\space}% + \fi + \TY@width\dimen@ +Z \message{\the\dimen@\space}% + \advance\dimen@\wd\tw@ +Z \message{Final=\the\dimen@\space}% + \TY@width\xdef{\the\dimen@}% + \ifdim\dimen@<\tymin +Z \message{< tymin}% + \global\advance\TY@linewidth-\dimen@ + \expandafter\xdef\csname TY@F\the\TY@count\endcsname + {\the\dimen@}% + \else + \expandafter\ifx\csname TY@F\the\TY@count\endcsname\z@ +Z \message{***}% + \global\advance\TY@linewidth-\dimen@ + \expandafter\xdef\csname TY@F\the\TY@count\endcsname + {\the\dimen@}% + \else +Z \message{> tymin}% + \global\advance\TY@tablewidth\dimen@ + \global\expandafter\let\csname TY@F\the\TY@count\endcsname + \maxdimen + \fi\fi + \advance\TY@count\m@ne + \repeat}% + \TY@checkmin + \TY@checkmin + \TY@checkmin + \TY@checkmin + \TY@count\z@ + \let\TY@box\TY@box@v + {\expandafter\TY@final\the\toks@\endTY@final}% + \count@\z@ + \@tempswatrue + \@whilesw\if@tempswa\fi{% + \advance\count@\@ne + \expandafter\ifx\csname TY@SF\the\count@\endcsname\relax + \@tempswafalse + \else + \global\expandafter\let\csname TY@F\the\count@\expandafter\endcsname + \csname TY@SF\the\count@\endcsname + \global\expandafter\let\csname TY@\the\count@\expandafter\endcsname + \csname TY@S\the\count@\endcsname + \fi}% + \TY@linewidth\@ovxx + \TY@tablewidth\@ovyy + \ifnum0=`{\fi}} +\def\TY@checkmin{% + \let\TY@checkmin\relax +\ifdim\TY@tablewidth>\z@ + \Gscale@div\TY@ratio\TY@linewidth\TY@tablewidth + \ifdim\TY@tablewidth <\TY@linewidth + \def\TY@ratio{1}% + \fi +\else + \TY@warn{No suitable columns!}% + \def\TY@ratio{1}% +\fi +\count@\z@ +Z \message{^^JLine Width: \the\TY@linewidth, +Z Natural Width: \the\TY@tablewidth, +Z Ratio: \TY@ratio^^J}% +\@tempdima\z@ +\loop +\ifnum\count@<\TY@count +\advance\count@\@ne + \ifdim\csname TY@F\the\count@\endcsname>\tymin + \dimen@\csname TY@\the\count@\endcsname + \dimen@\TY@ratio\dimen@ + \ifdim\dimen@<\tymin +Z \message{Column \the\count@\space ->}% + \global\expandafter\let\csname TY@F\the\count@\endcsname\tymin + \global\advance\TY@linewidth-\tymin + \global\advance\TY@tablewidth-\csname TY@\the\count@\endcsname + \let\TY@checkmin\TY@@checkmin + \else + \expandafter\xdef\csname TY@F\the\count@\endcsname{\the\dimen@}% + \advance\@tempdima\csname TY@F\the\count@\endcsname + \fi + \fi +Z \dimen@\csname TY@F\the\count@\endcsname\message{\the\dimen@, }% +\repeat +Z \message{^^JTotal:\the\@tempdima^^J}% +} +\let\TY@@checkmin\TY@checkmin +\newdimen\TY@linewidth +\def\tyformat{\everypar{{\nobreak\hskip\z@skip}}} +\newdimen\tymin +\tymin=10pt +\newdimen\tymax +\tymax=2\textwidth +\def\@testpach{\@chclass + \ifnum \@lastchclass=6 \@ne \@chnum \@ne \else + \ifnum \@lastchclass=7 5 \else + \ifnum \@lastchclass=8 \tw@ \else + \ifnum \@lastchclass=9 \thr@@ + \else \z@ + \ifnum \@lastchclass = 10 \else + \edef\@nextchar{\expandafter\string\@nextchar}% + \@chnum + \if \@nextchar c\z@ \else + \if \@nextchar l\@ne \else + \if \@nextchar r\tw@ \else + \if \@nextchar C7 \else + \if \@nextchar L8 \else + \if \@nextchar R9 \else + \if \@nextchar J10 \else + \z@ \@chclass + \if\@nextchar |\@ne \else + \if \@nextchar !6 \else + \if \@nextchar @7 \else + \if \@nextchar <8 \else + \if \@nextchar >9 \else + 10 + \@chnum + \if \@nextchar m\thr@@\else + \if \@nextchar p4 \else + \if \@nextchar b5 \else + \z@ \@chclass \z@ \@preamerr \z@ \fi \fi \fi \fi\fi \fi \fi\fi \fi + \fi \fi \fi \fi \fi \fi \fi \fi \fi \fi \fi} +\def\TY@classz{% + \@classx + \@tempcnta\count@ + \ifx\TY@box\TY@box@v + \global\advance\TY@count\@ne + \fi + \let\centering c% + \let\raggedright\noindent + \let\raggedleft\indent + \let\arraybackslash\relax + \prepnext@tok + \ifnum\@chnum<4 + \global\expandafter\let\csname TY@F\the\TY@count\endcsname\z@ + \fi + \ifnum\@chnum=6 + \global\expandafter\let\csname TY@F\the\TY@count\endcsname\z@ + \fi + \@addtopreamble{% + \ifcase\@chnum + \hfil \d@llarbegin\insert@column\d@llarend \hfil \or + \kern\z@ + \d@llarbegin \insert@column \d@llarend \hfil \or + \hfil\kern\z@ \d@llarbegin \insert@column \d@llarend \or + $\vcenter\@startpbox{\@nextchar}\insert@column \@endpbox $\or + \vtop \@startpbox{\@nextchar}\insert@column \@endpbox \or + \vbox \@startpbox{\@nextchar}\insert@column \@endpbox \or + \d@llarbegin \insert@column \d@llarend \or% dubious "s" case + \TY@box\centering\or + \TY@box\raggedright\or + \TY@box\raggedleft\or + \TY@box\relax + \fi}\prepnext@tok} +\def\TY@box#1{% + \ifx\centering#1% + \hfil \d@llarbegin\insert@column\d@llarend \hfil \else + \ifx\raggedright#1% + \kern\z@%<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< + \d@llarbegin \insert@column \d@llarend \hfil \else + \ifx\raggedleft#1% + \hfil\kern\z@ \d@llarbegin \insert@column \d@llarend \else + \ifx\relax#1% + \d@llarbegin \insert@column \d@llarend + \fi \fi \fi \fi} +\def\TY@box@v#1{% + \vtop \@startpbox{\csname TY@F\the\TY@count\endcsname}% + #1\arraybackslash\tyformat + \insert@column\@endpbox} +\newdimen\TY@tablewidth +\def\Gscale@div#1#2#3{% + \setlength\dimen@{#3}% + \ifdim\dimen@=\z@ + \PackageError{graphics}{Division by 0}\@eha + \dimen@#2% + \fi + \edef\@tempd{\the\dimen@}% + \setlength\dimen@{#2}% + \count@65536\relax + \ifdim\dimen@<\z@ + \dimen@-\dimen@ + \count@-\count@ + \fi + \loop + \ifdim\dimen@<8192\p@ + \dimen@\tw@\dimen@ + \divide\count@\tw@ + \repeat + \dimen@ii=\@tempd\relax + \divide\dimen@ii\count@ + \divide\dimen@\dimen@ii + \edef#1{\strip@pt\dimen@}} +\long\def\TY@get@body#1\end + {\toks@\expandafter{\the\toks@#1}\TY@find@end} +\def\TY@find@end#1{% + \def\@tempa{#1}% + \ifx\@tempa\TY@\def\@tempa{\end{#1}}\expandafter\@tempa + \else\toks@\expandafter + {\the\toks@\end{#1}}\expandafter\TY@get@body\fi} +\def\TY@warn{% + \PackageWarning{tabulary}} +\catcode`\Z=11 +\AtBeginDocument{ +\@ifpackageloaded{colortbl}{% +\expandafter\def\expandafter\@mkpream\expandafter#\expandafter1% + \expandafter{% + \expandafter\let\expandafter\CT@setup\expandafter\relax + \expandafter\let\expandafter\CT@color\expandafter\relax + \expandafter\let\expandafter\CT@do@color\expandafter\relax + \expandafter\let\expandafter\color\expandafter\relax + \expandafter\let\expandafter\CT@column@color\expandafter\relax + \expandafter\let\expandafter\CT@row@color\expandafter\relax + \@mkpream{#1}} +\let\TY@@mkpream\@mkpream +\def\TY@classz{% + \@classx + \@tempcnta\count@ + \ifx\TY@box\TY@box@v + \global\advance\TY@count\@ne + \fi + \let\centering c% + \let\raggedright\noindent + \let\raggedleft\indent + \let\arraybackslash\relax + \prepnext@tok +\expandafter\CT@extract\the\toks\@tempcnta\columncolor!\@nil + \ifnum\@chnum<4 + \global\expandafter\let\csname TY@F\the\TY@count\endcsname\z@ + \fi + \ifnum\@chnum=6 + \global\expandafter\let\csname TY@F\the\TY@count\endcsname\z@ + \fi + \@addtopreamble{% + \setbox\z@\hbox\bgroup\bgroup + \ifcase\@chnum + \hskip\stretch{.5}\kern\z@ + \d@llarbegin\insert@column\d@llarend\hskip\stretch{.5}\or + \kern\z@%<<<<<<<<<<<<<<<<<<<<<<<<<<< + \d@llarbegin \insert@column \d@llarend \hfill \or + \hfill\kern\z@ \d@llarbegin \insert@column \d@llarend \or + $\vcenter\@startpbox{\@nextchar}\insert@column \@endpbox $\or + \vtop \@startpbox{\@nextchar}\insert@column \@endpbox \or + \vbox \@startpbox{\@nextchar}\insert@column \@endpbox \or + \d@llarbegin \insert@column \d@llarend \or% dubious s case + \TY@box\centering\or + \TY@box\raggedright\or + \TY@box\raggedleft\or + \TY@box\relax + \fi + \egroup\egroup +\begingroup + \CT@setup + \CT@column@color + \CT@row@color + \CT@do@color +\endgroup + \@tempdima\ht\z@ + \advance\@tempdima\minrowclearance + \vrule\@height\@tempdima\@width\z@ +\unhbox\z@ +}\prepnext@tok}% + \def\TY@arrayrule{% + \TY@subwidth\arrayrulewidth + \@addtopreamble{{\CT@arc@\vline}}}% + \def\TY@classvi{\ifcase \@lastchclass + \@acol \or + \TY@subwidth\doublerulesep + \ifx\CT@drsc@\relax + \@addtopreamble{\hskip\doublerulesep}% + \else + \@addtopreamble{{\CT@drsc@\vrule\@width\doublerulesep}}% + \fi\or + \@acol \or + \@classvii + \fi}% +}{% +\let\CT@start\relax +} +} +{\uccode`\*=`\ % +\uppercase{\gdef\TX@verb{% + \leavevmode\null\TX@vwarn + {\ifnum0=`}\fi\ttfamily\let\\\ignorespaces + \@ifstar{\let~*\TX@vb}{\TX@vb}}}} +\def\TX@vb#1{\def\@tempa##1#1{\toks@{##1}\edef\@tempa{\the\toks@}% + \expandafter\TX@v\meaning\@tempa\\ \\\ifnum0=`{\fi}}\@tempa!} +\def\TX@v#1!{\afterassignment\TX@vfirst\let\@tempa= } +\begingroup +\catcode`\*=\catcode`\# +\catcode`\#=12 +\gdef\TX@vfirst{% + \if\@tempa#% + \def\@tempb{\TX@v@#}% + \else + \let\@tempb\TX@v@ + \if\@tempa\space~\else\@tempa\fi + \fi + \@tempb} +\gdef\TX@v@*1 *2{% + \TX@v@hash*1##\relax\if*2\\\else~\expandafter\TX@v@\fi*2} +\gdef\TX@v@hash*1##*2{*1\ifx*2\relax\else#\expandafter\TX@v@hash\fi*2} +\endgroup +\def\TX@vwarn{% + \@warning{\noexpand\verb may be unreliable inside tabularx/y}% + \global\let\TX@vwarn\@empty} +\endinput +%% +%% End of file `tabulary.sty'. diff --git a/doc/pdf/user.pdf b/doc/pdf/user.pdf Binary files differnew file mode 100644 index 000000000000..ee40d417d3e7 --- /dev/null +++ b/doc/pdf/user.pdf diff --git a/doc/pdf/user.tex b/doc/pdf/user.tex new file mode 100644 index 000000000000..ffe97ebf4ca3 --- /dev/null +++ b/doc/pdf/user.tex @@ -0,0 +1,1923 @@ +% Generated by Sphinx. +\def\sphinxdocclass{report} +\documentclass[letterpaper,10pt,english]{sphinxmanual} +\usepackage[utf8]{inputenc} +\DeclareUnicodeCharacter{00A0}{\nobreakspace} +\usepackage{cmap} +\usepackage[T1]{fontenc} +\usepackage{babel} +\usepackage{times} +\usepackage[Bjarne]{fncychap} +\usepackage{longtable} +\usepackage{sphinx} +\usepackage{multirow} + + +\title{Kerberos User Guide} +\date{ } +\release{1.15.1} +\author{MIT} +\newcommand{\sphinxlogo}{} +\renewcommand{\releasename}{Release} +\makeindex + +\makeatletter +\def\PYG@reset{\let\PYG@it=\relax \let\PYG@bf=\relax% + \let\PYG@ul=\relax \let\PYG@tc=\relax% + \let\PYG@bc=\relax \let\PYG@ff=\relax} +\def\PYG@tok#1{\csname PYG@tok@#1\endcsname} +\def\PYG@toks#1+{\ifx\relax#1\empty\else% + \PYG@tok{#1}\expandafter\PYG@toks\fi} +\def\PYG@do#1{\PYG@bc{\PYG@tc{\PYG@ul{% + \PYG@it{\PYG@bf{\PYG@ff{#1}}}}}}} +\def\PYG#1#2{\PYG@reset\PYG@toks#1+\relax+\PYG@do{#2}} + +\expandafter\def\csname PYG@tok@gd\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.63,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gu\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.50,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@gt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.27,0.87}{##1}}} +\expandafter\def\csname PYG@tok@gs\endcsname{\let\PYG@bf=\textbf} +\expandafter\def\csname PYG@tok@gr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{1.00,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@cm\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@vg\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@m\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@cs\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\colorbox[rgb]{1.00,0.94,0.94}{\strut ##1}}} +\expandafter\def\csname PYG@tok@ge\endcsname{\let\PYG@it=\textit} +\expandafter\def\csname PYG@tok@vc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@il\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@go\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.20,0.20,0.20}{##1}}} +\expandafter\def\csname PYG@tok@cp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@gi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.63,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gh\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@ni\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.84,0.33,0.22}{##1}}} +\expandafter\def\csname PYG@tok@nl\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.13,0.44}{##1}}} +\expandafter\def\csname PYG@tok@nn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@no\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.38,0.68,0.84}{##1}}} +\expandafter\def\csname PYG@tok@na\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@nb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@nd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.33,0.33,0.33}{##1}}} +\expandafter\def\csname PYG@tok@ne\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} +\expandafter\def\csname PYG@tok@si\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.44,0.63,0.82}{##1}}} +\expandafter\def\csname PYG@tok@s2\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@vi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@nt\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.45}{##1}}} +\expandafter\def\csname PYG@tok@nv\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@s1\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@gp\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@sh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@ow\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@sx\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@bp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c1\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@kc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@mf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@err\endcsname{\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\fcolorbox[rgb]{1.00,0.00,0.00}{1,1,1}{\strut ##1}}} +\expandafter\def\csname PYG@tok@kd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@ss\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.32,0.47,0.09}{##1}}} +\expandafter\def\csname PYG@tok@sr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.14,0.33,0.53}{##1}}} +\expandafter\def\csname PYG@tok@mo\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@kn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@o\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.40,0.40,0.40}{##1}}} +\expandafter\def\csname PYG@tok@kr\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@s\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@kp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@w\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.73,0.73}{##1}}} +\expandafter\def\csname PYG@tok@kt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.56,0.13,0.00}{##1}}} +\expandafter\def\csname PYG@tok@sc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@k\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@se\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sd\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} + +\def\PYGZbs{\char`\\} +\def\PYGZus{\char`\_} +\def\PYGZob{\char`\{} +\def\PYGZcb{\char`\}} +\def\PYGZca{\char`\^} +\def\PYGZam{\char`\&} +\def\PYGZlt{\char`\<} +\def\PYGZgt{\char`\>} +\def\PYGZsh{\char`\#} +\def\PYGZpc{\char`\%} +\def\PYGZdl{\char`\$} +\def\PYGZhy{\char`\-} +\def\PYGZsq{\char`\'} +\def\PYGZdq{\char`\"} +\def\PYGZti{\char`\~} +% for compatibility with earlier versions +\def\PYGZat{@} +\def\PYGZlb{[} +\def\PYGZrb{]} +\makeatother + +\begin{document} + +\maketitle +\tableofcontents +\phantomsection\label{user/index::doc} + + + +\chapter{Password management} +\label{user/pwd_mgmt:for-users}\label{user/pwd_mgmt::doc}\label{user/pwd_mgmt:password-management} +Your password is the only way Kerberos has of verifying your identity. +If someone finds out your password, that person can masquerade as +you---send email that comes from you, read, edit, or delete your files, +or log into other hosts as you---and no one will be able to tell the +difference. For this reason, it is important that you choose a good +password, and keep it secret. If you need to give access to your +account to someone else, you can do so through Kerberos (see +{\hyperref[user/pwd_mgmt:grant-access]{\emph{Granting access to your account}}}). You should never tell your password to anyone, +including your system administrator, for any reason. You should +change your password frequently, particularly any time you think +someone may have found out what it is. + + +\section{Changing your password} +\label{user/pwd_mgmt:changing-your-password} +To change your Kerberos password, use the {\hyperref[user/user_commands/kpasswd:kpasswd-1]{\emph{kpasswd}}} command. +It will ask you for your old password (to prevent someone else from +walking up to your computer when you're not there and changing your +password), and then prompt you for the new one twice. (The reason you +have to type it twice is to make sure you have typed it correctly.) +For example, user \code{david} would do the following: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kpasswd +Password for david: \PYGZlt{}\PYGZhy{} Type your old password. +Enter new password: \PYGZlt{}\PYGZhy{} Type your new password. +Enter it again: \PYGZlt{}\PYGZhy{} Type the new password again. +Password changed. +shell\PYGZpc{} +\end{Verbatim} + +If \code{david} typed the incorrect old password, he would get the +following message: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kpasswd +Password for david: \PYGZlt{}\PYGZhy{} Type the incorrect old password. +kpasswd: Password incorrect while getting initial ticket +shell\PYGZpc{} +\end{Verbatim} + +If you make a mistake and don't type the new password the same way +twice, kpasswd will ask you to try again: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kpasswd +Password for david: \PYGZlt{}\PYGZhy{} Type the old password. +Enter new password: \PYGZlt{}\PYGZhy{} Type the new password. +Enter it again: \PYGZlt{}\PYGZhy{} Type a different new password. +kpasswd: Password mismatch while reading password +shell\PYGZpc{} +\end{Verbatim} + +Once you change your password, it takes some time for the change to +propagate through the system. Depending on how your system is set up, +this might be anywhere from a few minutes to an hour or more. If you +need to get new Kerberos tickets shortly after changing your password, +try the new password. If the new password doesn't work, try again +using the old one. + + +\section{Granting access to your account} +\label{user/pwd_mgmt:grant-access}\label{user/pwd_mgmt:granting-access-to-your-account} +If you need to give someone access to log into your account, you can +do so through Kerberos, without telling the person your password. +Simply create a file called {\hyperref[user/user_config/k5login:k5login-5]{\emph{.k5login}}} in your home directory. +This file should contain the Kerberos principal of each person to whom +you wish to give access. Each principal must be on a separate line. +Here is a sample .k5login file: + +\begin{Verbatim}[commandchars=\\\{\}] +jennifer@ATHENA.MIT.EDU +david@EXAMPLE.COM +\end{Verbatim} + +This file would allow the users \code{jennifer} and \code{david} to use your +user ID, provided that they had Kerberos tickets in their respective +realms. If you will be logging into other hosts across a network, you +will want to include your own Kerberos principal in your .k5login file +on each of these hosts. + +Using a .k5login file is much safer than giving out your password, +because: +\begin{itemize} +\item {} +You can take access away any time simply by removing the principal +from your .k5login file. + +\item {} +Although the user has full access to your account on one particular +host (or set of hosts if your .k5login file is shared, e.g., over +NFS), that user does not inherit your network privileges. + +\item {} +Kerberos keeps a log of who obtains tickets, so a system +administrator could find out, if necessary, who was capable of using +your user ID at a particular time. + +\end{itemize} + +One common application is to have a .k5login file in root's home +directory, giving root access to that machine to the Kerberos +principals listed. This allows system administrators to allow users +to become root locally, or to log in remotely as root, without their +having to give out the root password, and without anyone having to +type the root password over the network. + + +\section{Password quality verification} +\label{user/pwd_mgmt:password-quality-verification} +TODO + + +\chapter{Ticket management} +\label{user/tkt_mgmt:ticket-management}\label{user/tkt_mgmt::doc} +On many systems, Kerberos is built into the login program, and you get +tickets automatically when you log in. Other programs, such as ssh, +can forward copies of your tickets to a remote host. Most of these +programs also automatically destroy your tickets when they exit. +However, MIT recommends that you explicitly destroy your Kerberos +tickets when you are through with them, just to be sure. One way to +help ensure that this happens is to add the {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}} command +to your .logout file. Additionally, if you are going to be away from +your machine and are concerned about an intruder using your +permissions, it is safest to either destroy all copies of your +tickets, or use a screensaver that locks the screen. + + +\section{Kerberos ticket properties} +\label{user/tkt_mgmt:kerberos-ticket-properties} +There are various properties that Kerberos tickets can have: + +If a ticket is \textbf{forwardable}, then the KDC can issue a new ticket +(with a different network address, if necessary) based on the +forwardable ticket. This allows for authentication forwarding without +requiring a password to be typed in again. For example, if a user +with a forwardable TGT logs into a remote system, the KDC could issue +a new TGT for that user with the network address of the remote system, +allowing authentication on that host to work as though the user were +logged in locally. + +When the KDC creates a new ticket based on a forwardable ticket, it +sets the \textbf{forwarded} flag on that new ticket. Any tickets that are +created based on a ticket with the forwarded flag set will also have +their forwarded flags set. + +A \textbf{proxiable} ticket is similar to a forwardable ticket in that it +allows a service to take on the identity of the client. Unlike a +forwardable ticket, however, a proxiable ticket is only issued for +specific services. In other words, a ticket-granting ticket cannot be +issued based on a ticket that is proxiable but not forwardable. + +A \textbf{proxy} ticket is one that was issued based on a proxiable ticket. + +A \textbf{postdated} ticket is issued with the invalid flag set. After the +starting time listed on the ticket, it can be presented to the KDC to +obtain valid tickets. + +Ticket-granting tickets with the \textbf{postdateable} flag set can be used +to obtain postdated service tickets. + +\textbf{Renewable} tickets can be used to obtain new session keys without +the user entering their password again. A renewable ticket has two +expiration times. The first is the time at which this particular +ticket expires. The second is the latest possible expiration time for +any ticket issued based on this renewable ticket. + +A ticket with the \textbf{initial flag} set was issued based on the +authentication protocol, and not on a ticket-granting ticket. +Application servers that wish to ensure that the user's key has been +recently presented for verification could specify that this flag must +be set to accept the ticket. + +An \textbf{invalid} ticket must be rejected by application servers. +Postdated tickets are usually issued with this flag set, and must be +validated by the KDC before they can be used. + +A \textbf{preauthenticated} ticket is one that was only issued after the +client requesting the ticket had authenticated itself to the KDC. + +The \textbf{hardware authentication} flag is set on a ticket which required +the use of hardware for authentication. The hardware is expected to +be possessed only by the client which requested the tickets. + +If a ticket has the \textbf{transit policy} checked flag set, then the KDC +that issued this ticket implements the transited-realm check policy +and checked the transited-realms list on the ticket. The +transited-realms list contains a list of all intermediate realms +between the realm of the KDC that issued the first ticket and that of +the one that issued the current ticket. If this flag is not set, then +the application server must check the transited realms itself or else +reject the ticket. + +The \textbf{okay as delegate} flag indicates that the server specified in +the ticket is suitable as a delegate as determined by the policy of +that realm. Some client applications may use this flag to decide +whether to forward tickets to a remote host, although many +applications do not honor it. + +An \textbf{anonymous} ticket is one in which the named principal is a +generic principal for that realm; it does not actually specify the +individual that will be using the ticket. This ticket is meant only +to securely distribute a session key. + + +\section{Obtaining tickets with kinit} +\label{user/tkt_mgmt:obtaining-tickets-with-kinit}\label{user/tkt_mgmt:obtain-tkt} +If your site has integrated Kerberos V5 with the login system, you +will get Kerberos tickets automatically when you log in. Otherwise, +you may need to explicitly obtain your Kerberos tickets, using the +{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}} program. Similarly, if your Kerberos tickets expire, +use the kinit program to obtain new ones. + +To use the kinit program, simply type \code{kinit} and then type your +password at the prompt. For example, Jennifer (whose username is +\code{jennifer}) works for Bleep, Inc. (a fictitious company with the +domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would +type: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kinit +Password for jennifer@ATHENA.MIT.EDU: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type jennifer\PYGZsq{}s password here.] +shell\PYGZpc{} +\end{Verbatim} + +If you type your password incorrectly, kinit will give you the +following error message: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kinit +Password for jennifer@ATHENA.MIT.EDU: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type the wrong password here.] +kinit: Password incorrect +shell\PYGZpc{} +\end{Verbatim} + +and you won't get Kerberos tickets. + +By default, kinit assumes you want tickets for your own username in +your default realm. Suppose Jennifer's friend David is visiting, and +he wants to borrow a window to check his mail. David needs to get +tickets for himself in his own realm, EXAMPLE.COM. He would type: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kinit david@EXAMPLE.COM +Password for david@EXAMPLE.COM: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type david\PYGZsq{}s password here.] +shell\PYGZpc{} +\end{Verbatim} + +David would then have tickets which he could use to log onto his own +machine. Note that he typed his password locally on Jennifer's +machine, but it never went over the network. Kerberos on the local +host performed the authentication to the KDC in the other realm. + +If you want to be able to forward your tickets to another host, you +need to request forwardable tickets. You do this by specifying the +\textbf{-f} option: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kinit \PYGZhy{}f +Password for jennifer@ATHENA.MIT.EDU: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type your password here.] +shell\PYGZpc{} +\end{Verbatim} + +Note that kinit does not tell you that it obtained forwardable +tickets; you can verify this using the {\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}} command (see +{\hyperref[user/tkt_mgmt:view-tkt]{\emph{Viewing tickets with klist}}}). + +Normally, your tickets are good for your system's default ticket +lifetime, which is ten hours on many systems. You can specify a +different ticket lifetime with the \textbf{-l} option. Add the letter +\textbf{s} to the value for seconds, \textbf{m} for minutes, \textbf{h} for hours, or +\textbf{d} for days. For example, to obtain forwardable tickets for +\code{david@EXAMPLE.COM} that would be good for three hours, you would +type: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kinit \PYGZhy{}f \PYGZhy{}l 3h david@EXAMPLE.COM +Password for david@EXAMPLE.COM: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type david\PYGZsq{}s password here.] +shell\PYGZpc{} +\end{Verbatim} + +\begin{notice}{note}{Note:} +You cannot mix units; specifying a lifetime of 3h30m would +result in an error. Note also that most systems specify a +maximum ticket lifetime. If you request a longer ticket +lifetime, it will be automatically truncated to the maximum +lifetime. +\end{notice} + + +\section{Viewing tickets with klist} +\label{user/tkt_mgmt:viewing-tickets-with-klist}\label{user/tkt_mgmt:view-tkt} +The {\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}} command shows your tickets. When you first obtain +tickets, you will have only the ticket-granting ticket. The listing +would look like this: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} klist +Ticket cache: /tmp/krb5cc\PYGZus{}ttypa +Default principal: jennifer@ATHENA.MIT.EDU + +Valid starting Expires Service principal +06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU +shell\PYGZpc{} +\end{Verbatim} + +The ticket cache is the location of your ticket file. In the above +example, this file is named \code{/tmp/krb5cc\_ttypa}. The default +principal is your Kerberos principal. + +The ``valid starting'' and ``expires'' fields describe the period of time +during which the ticket is valid. The ``service principal'' describes +each ticket. The ticket-granting ticket has a first component +\code{krbtgt}, and a second component which is the realm name. + +Now, if \code{jennifer} connected to the machine \code{daffodil.mit.edu}, +and then typed ``klist'' again, she would have gotten the following +result: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} klist +Ticket cache: /tmp/krb5cc\PYGZus{}ttypa +Default principal: jennifer@ATHENA.MIT.EDU + +Valid starting Expires Service principal +06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU +06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU +shell\PYGZpc{} +\end{Verbatim} + +Here's what happened: when \code{jennifer} used ssh to connect to the +host \code{daffodil.mit.edu}, the ssh program presented her +ticket-granting ticket to the KDC and requested a host ticket for the +host \code{daffodil.mit.edu}. The KDC sent the host ticket, which ssh +then presented to the host \code{daffodil.mit.edu}, and she was allowed +to log in without typing her password. + +Suppose your Kerberos tickets allow you to log into a host in another +domain, such as \code{trillium.example.com}, which is also in another +Kerberos realm, \code{EXAMPLE.COM}. If you ssh to this host, you will +receive a ticket-granting ticket for the realm \code{EXAMPLE.COM}, plus +the new host ticket for \code{trillium.example.com}. klist will now +show: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} klist +Ticket cache: /tmp/krb5cc\PYGZus{}ttypa +Default principal: jennifer@ATHENA.MIT.EDU + +Valid starting Expires Service principal +06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU +06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU +06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU +06/07/04 20:24:18 06/08/04 05:49:19 host/trillium.example.com@EXAMPLE.COM +shell\PYGZpc{} +\end{Verbatim} + +Depending on your host's and realm's configuration, you may also see a +ticket with the service principal \code{host/trillium.example.com@}. If +so, this means that your host did not know what realm +trillium.example.com is in, so it asked the \code{ATHENA.MIT.EDU} KDC for +a referral. The next time you connect to \code{trillium.example.com}, +the odd-looking entry will be used to avoid needing to ask for a +referral again. + +You can use the \textbf{-f} option to view the flags that apply to your +tickets. The flags are: + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +F + & +Forwardable +\\ +\hline +f + & +forwarded +\\ +\hline +P + & +Proxiable +\\ +\hline +p + & +proxy +\\ +\hline +D + & +postDateable +\\ +\hline +d + & +postdated +\\ +\hline +R + & +Renewable +\\ +\hline +I + & +Initial +\\ +\hline +i + & +invalid +\\ +\hline +H + & +Hardware authenticated +\\ +\hline +A + & +preAuthenticated +\\ +\hline +T + & +Transit policy checked +\\ +\hline +O + & +Okay as delegate +\\ +\hline +a + & +anonymous +\\ +\hline\end{tabulary} + + +Here is a sample listing. In this example, the user \emph{jennifer} +obtained her initial tickets (\textbf{I}), which are forwardable (\textbf{F}) +and postdated (\textbf{d}) but not yet validated (\textbf{i}): + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} klist \PYGZhy{}f +Ticket cache: /tmp/krb5cc\PYGZus{}320 +Default principal: jennifer@ATHENA.MIT.EDU + +Valid starting Expires Service principal +31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU + Flags: FdiI +shell\PYGZpc{} +\end{Verbatim} + +In the following example, the user \emph{david}`s tickets were forwarded +(\textbf{f}) to this host from another host. The tickets are reforwardable +(\textbf{F}): + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} klist \PYGZhy{}f +Ticket cache: /tmp/krb5cc\PYGZus{}p11795 +Default principal: david@EXAMPLE.COM + +Valid starting Expires Service principal +07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM + Flags: Ff +07/31/05 12:03:48 07/31/05 21:11:23 host/trillium.example.com@EXAMPLE.COM + Flags: Ff +shell\PYGZpc{} +\end{Verbatim} + + +\section{Destroying tickets with kdestroy} +\label{user/tkt_mgmt:destroying-tickets-with-kdestroy} +Your Kerberos tickets are proof that you are indeed yourself, and +tickets could be stolen if someone gains access to a computer where +they are stored. If this happens, the person who has them can +masquerade as you until they expire. For this reason, you should +destroy your Kerberos tickets when you are away from your computer. + +Destroying your tickets is easy. Simply type kdestroy: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdestroy +shell\PYGZpc{} +\end{Verbatim} + +If {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}} fails to destroy your tickets, it will beep and +give an error message. For example, if kdestroy can't find any +tickets to destroy, it will give the following message: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} kdestroy +kdestroy: No credentials cache file found while destroying cache +shell\PYGZpc{} +\end{Verbatim} + + +\chapter{User config files} +\label{user/user_config/index::doc}\label{user/user_config/index:user-config-files} +The following files in your home directory can be used to control the +behavior of Kerberos as it applies to your account (unless they have +been disabled by your host's configuration): + + +\section{.k5login} +\label{user/user_config/k5login:k5login-5}\label{user/user_config/k5login:k5login}\label{user/user_config/k5login::doc} + +\subsection{DESCRIPTION} +\label{user/user_config/k5login:description} +The .k5login file, which resides in a user's home directory, contains +a list of the Kerberos principals. Anyone with valid tickets for a +principal in the file is allowed host access with the UID of the user +in whose home directory the file resides. One common use is to place +a .k5login file in root's home directory, thereby granting system +administrators remote root access to the host via Kerberos. + + +\subsection{EXAMPLES} +\label{user/user_config/k5login:examples} +Suppose the user \code{alice} had a .k5login file in her home directory +containing just the following line: + +\begin{Verbatim}[commandchars=\\\{\}] +bob@FOOBAR.ORG +\end{Verbatim} + +This would allow \code{bob} to use Kerberos network applications, such as +ssh(1), to access \code{alice}`s account, using \code{bob}`s Kerberos +tickets. In a default configuration (with \textbf{k5login\_authoritative} set +to true in \emph{krb5.conf(5)}), this .k5login file would not let +\code{alice} use those network applications to access her account, since +she is not listed! With no .k5login file, or with \textbf{k5login\_authoritative} +set to false, a default rule would permit the principal \code{alice} in the +machine's default realm to access the \code{alice} account. + +Let us further suppose that \code{alice} is a system administrator. +Alice and the other system administrators would have their principals +in root's .k5login file on each host: + +\begin{Verbatim}[commandchars=\\\{\}] +alice@BLEEP.COM + +joeadmin/root@BLEEP.COM +\end{Verbatim} + +This would allow either system administrator to log in to these hosts +using their Kerberos tickets instead of having to type the root +password. Note that because \code{bob} retains the Kerberos tickets for +his own principal, \code{bob@FOOBAR.ORG}, he would not have any of the +privileges that require \code{alice}`s tickets, such as root access to +any of the site's hosts, or the ability to change \code{alice}`s +password. + + +\subsection{SEE ALSO} +\label{user/user_config/k5login:see-also} +kerberos(1) + + +\section{.k5identity} +\label{user/user_config/k5identity:k5identity-5}\label{user/user_config/k5identity:k5identity}\label{user/user_config/k5identity::doc} + +\subsection{DESCRIPTION} +\label{user/user_config/k5identity:description} +The .k5identity file, which resides in a user's home directory, +contains a list of rules for selecting a client principals based on +the server being accessed. These rules are used to choose a +credential cache within the cache collection when possible. + +Blank lines and lines beginning with \code{\#} are ignored. Each line has +the form: +\begin{quote} + +\emph{principal} \emph{field}=\emph{value} ... +\end{quote} + +If the server principal meets all of the field constraints, then +principal is chosen as the client principal. The following fields are +recognized: +\begin{description} +\item[{\textbf{realm}}] \leavevmode +If the realm of the server principal is known, it is matched +against \emph{value}, which may be a pattern using shell wildcards. +For host-based server principals, the realm will generally only be +known if there is a \emph{domain\_realm} section in +\emph{krb5.conf(5)} with a mapping for the hostname. + +\item[{\textbf{service}}] \leavevmode +If the server principal is a host-based principal, its service +component is matched against \emph{value}, which may be a pattern using +shell wildcards. + +\item[{\textbf{host}}] \leavevmode +If the server principal is a host-based principal, its hostname +component is converted to lower case and matched against \emph{value}, +which may be a pattern using shell wildcards. + +If the server principal matches the constraints of multiple lines +in the .k5identity file, the principal from the first matching +line is used. If no line matches, credentials will be selected +some other way, such as the realm heuristic or the current primary +cache. + +\end{description} + + +\subsection{EXAMPLE} +\label{user/user_config/k5identity:example} +The following example .k5identity file selects the client principal +\code{alice@KRBTEST.COM} if the server principal is within that realm, +the principal \code{alice/root@EXAMPLE.COM} if the server host is within +a servers subdomain, and the principal \code{alice/mail@EXAMPLE.COM} when +accessing the IMAP service on \code{mail.example.com}: + +\begin{Verbatim}[commandchars=\\\{\}] +alice@KRBTEST.COM realm=KRBTEST.COM +alice/root@EXAMPLE.COM host=*.servers.example.com +alice/mail@EXAMPLE.COM host=mail.example.com service=imap +\end{Verbatim} + + +\subsection{SEE ALSO} +\label{user/user_config/k5identity:see-also} +kerberos(1), \emph{krb5.conf(5)} + + +\chapter{User commands} +\label{user/user_commands/index::doc}\label{user/user_commands/index:user-commands}\label{user/user_commands/index:id1} + +\section{kdestroy} +\label{user/user_commands/kdestroy:kdestroy}\label{user/user_commands/kdestroy::doc}\label{user/user_commands/kdestroy:kdestroy-1} + +\subsection{SYNOPSIS} +\label{user/user_commands/kdestroy:synopsis} +\textbf{kdestroy} +{[}\textbf{-A}{]} +{[}\textbf{-q}{]} +{[}\textbf{-c} \emph{cache\_name}{]} + + +\subsection{DESCRIPTION} +\label{user/user_commands/kdestroy:description} +The kdestroy utility destroys the user's active Kerberos authorization +tickets by overwriting and deleting the credentials cache that +contains them. If the credentials cache is not specified, the default +credentials cache is destroyed. + + +\subsection{OPTIONS} +\label{user/user_commands/kdestroy:options}\begin{description} +\item[{\textbf{-A}}] \leavevmode +Destroys all caches in the collection, if a cache collection is +available. + +\item[{\textbf{-q}}] \leavevmode +Run quietly. Normally kdestroy beeps if it fails to destroy the +user's tickets. The \textbf{-q} flag suppresses this behavior. + +\item[{\textbf{-c} \emph{cache\_name}}] \leavevmode +Use \emph{cache\_name} as the credentials (ticket) cache name and +location; if this option is not used, the default cache name and +location are used. + +The default credentials cache may vary between systems. If the +\textbf{KRB5CCNAME} environment variable is set, its value is used to +name the default ticket cache. + +\end{description} + + +\subsection{NOTE} +\label{user/user_commands/kdestroy:note} +Most installations recommend that you place the kdestroy command in +your .logout file, so that your tickets are destroyed automatically +when you log out. + + +\subsection{ENVIRONMENT} +\label{user/user_commands/kdestroy:environment} +kdestroy uses the following environment variable: +\begin{description} +\item[{\textbf{KRB5CCNAME}}] \leavevmode +Location of the default Kerberos 5 credentials (ticket) cache, in +the form \emph{type}:\emph{residual}. If no \emph{type} prefix is present, the +\textbf{FILE} type is assumed. The type of the default cache may +determine the availability of a cache collection; for instance, a +default cache of type \textbf{DIR} causes caches within the directory +to be present in the collection. + +\end{description} + + +\subsection{FILES} +\label{user/user_commands/kdestroy:files}\begin{description} +\item[{\emph{DEFCCNAME}}] \leavevmode +Default location of Kerberos 5 credentials cache + +\end{description} + + +\subsection{SEE ALSO} +\label{user/user_commands/kdestroy:see-also} +{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, {\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}} + + +\section{kinit} +\label{user/user_commands/kinit:kinit-1}\label{user/user_commands/kinit:kinit}\label{user/user_commands/kinit::doc} + +\subsection{SYNOPSIS} +\label{user/user_commands/kinit:synopsis} +\textbf{kinit} +{[}\textbf{-V}{]} +{[}\textbf{-l} \emph{lifetime}{]} +{[}\textbf{-s} \emph{start\_time}{]} +{[}\textbf{-r} \emph{renewable\_life}{]} +{[}\textbf{-p} \textbar{} -\textbf{P}{]} +{[}\textbf{-f} \textbar{} -\textbf{F}{]} +{[}\textbf{-a}{]} +{[}\textbf{-A}{]} +{[}\textbf{-C}{]} +{[}\textbf{-E}{]} +{[}\textbf{-v}{]} +{[}\textbf{-R}{]} +{[}\textbf{-k} {[}-\textbf{t} \emph{keytab\_file}{]}{]} +{[}\textbf{-c} \emph{cache\_name}{]} +{[}\textbf{-n}{]} +{[}\textbf{-S} \emph{service\_name}{]} +{[}\textbf{-I} \emph{input\_ccache}{]} +{[}\textbf{-T} \emph{armor\_ccache}{]} +{[}\textbf{-X} \emph{attribute}{[}=\emph{value}{]}{]} +{[}\emph{principal}{]} + + +\subsection{DESCRIPTION} +\label{user/user_commands/kinit:description} +kinit obtains and caches an initial ticket-granting ticket for +\emph{principal}. If \emph{principal} is absent, kinit chooses an appropriate +principal name based on existing credential cache contents or the +local username of the user invoking kinit. Some options modify the +choice of principal name. + + +\subsection{OPTIONS} +\label{user/user_commands/kinit:options}\begin{description} +\item[{\textbf{-V}}] \leavevmode +display verbose output. + +\item[{\textbf{-l} \emph{lifetime}}] \leavevmode +(\emph{duration} string.) Requests a ticket with the lifetime +\emph{lifetime}. + +For example, \code{kinit -l 5:30} or \code{kinit -l 5h30m}. + +If the \textbf{-l} option is not specified, the default ticket lifetime +(configured by each site) is used. Specifying a ticket lifetime +longer than the maximum ticket lifetime (configured by each site) +will not override the configured maximum ticket lifetime. + +\item[{\textbf{-s} \emph{start\_time}}] \leavevmode +(\emph{duration} string.) Requests a postdated ticket. Postdated +tickets are issued with the \textbf{invalid} flag set, and need to be +resubmitted to the KDC for validation before use. + +\emph{start\_time} specifies the duration of the delay before the ticket +can become valid. + +\item[{\textbf{-r} \emph{renewable\_life}}] \leavevmode +(\emph{duration} string.) Requests renewable tickets, with a total +lifetime of \emph{renewable\_life}. + +\item[{\textbf{-f}}] \leavevmode +requests forwardable tickets. + +\item[{\textbf{-F}}] \leavevmode +requests non-forwardable tickets. + +\item[{\textbf{-p}}] \leavevmode +requests proxiable tickets. + +\item[{\textbf{-P}}] \leavevmode +requests non-proxiable tickets. + +\item[{\textbf{-a}}] \leavevmode +requests tickets restricted to the host's local address{[}es{]}. + +\item[{\textbf{-A}}] \leavevmode +requests tickets not restricted by address. + +\item[{\textbf{-C}}] \leavevmode +requests canonicalization of the principal name, and allows the +KDC to reply with a different client principal from the one +requested. + +\item[{\textbf{-E}}] \leavevmode +treats the principal name as an enterprise name (implies the +\textbf{-C} option). + +\item[{\textbf{-v}}] \leavevmode +requests that the ticket-granting ticket in the cache (with the +\textbf{invalid} flag set) be passed to the KDC for validation. If the +ticket is within its requested time range, the cache is replaced +with the validated ticket. + +\item[{\textbf{-R}}] \leavevmode +requests renewal of the ticket-granting ticket. Note that an +expired ticket cannot be renewed, even if the ticket is still +within its renewable life. + +Note that renewable tickets that have expired as reported by +{\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}} may sometimes be renewed using this option, +because the KDC applies a grace period to account for client-KDC +clock skew. See \emph{krb5.conf(5)} \textbf{clockskew} setting. + +\item[{\textbf{-k} {[}\textbf{-i} \textbar{} \textbf{-t} \emph{keytab\_file}{]}}] \leavevmode +requests a ticket, obtained from a key in the local host's keytab. +The location of the keytab may be specified with the \textbf{-t} +\emph{keytab\_file} option, or with the \textbf{-i} option to specify the use +of the default client keytab; otherwise the default keytab will be +used. By default, a host ticket for the local host is requested, +but any principal may be specified. On a KDC, the special keytab +location \code{KDB:} can be used to indicate that kinit should open +the KDC database and look up the key directly. This permits an +administrator to obtain tickets as any principal that supports +authentication based on the key. + +\item[{\textbf{-n}}] \leavevmode +Requests anonymous processing. Two types of anonymous principals +are supported. + +For fully anonymous Kerberos, configure pkinit on the KDC and +configure \textbf{pkinit\_anchors} in the client's \emph{krb5.conf(5)}. +Then use the \textbf{-n} option with a principal of the form \code{@REALM} +(an empty principal name followed by the at-sign and a realm +name). If permitted by the KDC, an anonymous ticket will be +returned. + +A second form of anonymous tickets is supported; these +realm-exposed tickets hide the identity of the client but not the +client's realm. For this mode, use \code{kinit -n} with a normal +principal name. If supported by the KDC, the principal (but not +realm) will be replaced by the anonymous principal. + +As of release 1.8, the MIT Kerberos KDC only supports fully +anonymous operation. + +\end{description} + +\textbf{-I} \emph{input\_ccache} +\begin{quote} + +Specifies the name of a credentials cache that already contains a +ticket. When obtaining that ticket, if information about how that +ticket was obtained was also stored to the cache, that information +will be used to affect how new credentials are obtained, including +preselecting the same methods of authenticating to the KDC. +\end{quote} +\begin{description} +\item[{\textbf{-T} \emph{armor\_ccache}}] \leavevmode +Specifies the name of a credentials cache that already contains a +ticket. If supported by the KDC, this cache will be used to armor +the request, preventing offline dictionary attacks and allowing +the use of additional preauthentication mechanisms. Armoring also +makes sure that the response from the KDC is not modified in +transit. + +\item[{\textbf{-c} \emph{cache\_name}}] \leavevmode +use \emph{cache\_name} as the Kerberos 5 credentials (ticket) cache +location. If this option is not used, the default cache location +is used. + +The default cache location may vary between systems. If the +\textbf{KRB5CCNAME} environment variable is set, its value is used to +locate the default cache. If a principal name is specified and +the type of the default cache supports a collection (such as the +DIR type), an existing cache containing credentials for the +principal is selected or a new one is created and becomes the new +primary cache. Otherwise, any existing contents of the default +cache are destroyed by kinit. + +\item[{\textbf{-S} \emph{service\_name}}] \leavevmode +specify an alternate service name to use when getting initial +tickets. + +\item[{\textbf{-X} \emph{attribute}{[}=\emph{value}{]}}] \leavevmode +specify a pre-authentication \emph{attribute} and \emph{value} to be +interpreted by pre-authentication modules. The acceptable +attribute and value values vary from module to module. This +option may be specified multiple times to specify multiple +attributes. If no value is specified, it is assumed to be ``yes''. + +The following attributes are recognized by the PKINIT +pre-authentication mechanism: +\begin{description} +\item[{\textbf{X509\_user\_identity}=\emph{value}}] \leavevmode +specify where to find user's X509 identity information + +\item[{\textbf{X509\_anchors}=\emph{value}}] \leavevmode +specify where to find trusted X509 anchor information + +\item[{\textbf{flag\_RSA\_PROTOCOL}{[}\textbf{=yes}{]}}] \leavevmode +specify use of RSA, rather than the default Diffie-Hellman +protocol + +\end{description} + +\end{description} + + +\subsection{ENVIRONMENT} +\label{user/user_commands/kinit:environment} +kinit uses the following environment variables: +\begin{description} +\item[{\textbf{KRB5CCNAME}}] \leavevmode +Location of the default Kerberos 5 credentials cache, in the form +\emph{type}:\emph{residual}. If no \emph{type} prefix is present, the \textbf{FILE} +type is assumed. The type of the default cache may determine the +availability of a cache collection; for instance, a default cache +of type \textbf{DIR} causes caches within the directory to be present +in the collection. + +\end{description} + + +\subsection{FILES} +\label{user/user_commands/kinit:files}\begin{description} +\item[{\emph{DEFCCNAME}}] \leavevmode +default location of Kerberos 5 credentials cache + +\item[{\emph{DEFKTNAME}}] \leavevmode +default location for the local host's keytab. + +\end{description} + + +\subsection{SEE ALSO} +\label{user/user_commands/kinit:see-also} +{\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}}, {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}}, kerberos(1) + + +\section{klist} +\label{user/user_commands/klist:klist}\label{user/user_commands/klist::doc}\label{user/user_commands/klist:klist-1} + +\subsection{SYNOPSIS} +\label{user/user_commands/klist:synopsis} +\textbf{klist} +{[}\textbf{-e}{]} +{[}{[}\textbf{-c}{]} {[}\textbf{-l}{]} {[}\textbf{-A}{]} {[}\textbf{-f}{]} {[}\textbf{-s}{]} {[}\textbf{-a} {[}\textbf{-n}{]}{]}{]} +{[}\textbf{-C}{]} +{[}\textbf{-k} {[}\textbf{-t}{]} {[}\textbf{-K}{]}{]} +{[}\textbf{-V}{]} +{[}\emph{cache\_name}\textbar{}\emph{keytab\_name}{]} + + +\subsection{DESCRIPTION} +\label{user/user_commands/klist:description} +klist lists the Kerberos principal and Kerberos tickets held in a +credentials cache, or the keys held in a keytab file. + + +\subsection{OPTIONS} +\label{user/user_commands/klist:options}\begin{description} +\item[{\textbf{-e}}] \leavevmode +Displays the encryption types of the session key and the ticket +for each credential in the credential cache, or each key in the +keytab file. + +\item[{\textbf{-l}}] \leavevmode +If a cache collection is available, displays a table summarizing +the caches present in the collection. + +\item[{\textbf{-A}}] \leavevmode +If a cache collection is available, displays the contents of all +of the caches in the collection. + +\item[{\textbf{-c}}] \leavevmode +List tickets held in a credentials cache. This is the default if +neither \textbf{-c} nor \textbf{-k} is specified. + +\item[{\textbf{-f}}] \leavevmode +Shows the flags present in the credentials, using the following +abbreviations: + +\begin{Verbatim}[commandchars=\\\{\}] +F Forwardable +f forwarded +P Proxiable +p proxy +D postDateable +d postdated +R Renewable +I Initial +i invalid +H Hardware authenticated +A preAuthenticated +T Transit policy checked +O Okay as delegate +a anonymous +\end{Verbatim} + +\item[{\textbf{-s}}] \leavevmode +Causes klist to run silently (produce no output). klist will exit +with status 1 if the credentials cache cannot be read or is +expired, and with status 0 otherwise. + +\item[{\textbf{-a}}] \leavevmode +Display list of addresses in credentials. + +\item[{\textbf{-n}}] \leavevmode +Show numeric addresses instead of reverse-resolving addresses. + +\item[{\textbf{-C}}] \leavevmode +List configuration data that has been stored in the credentials +cache when klist encounters it. By default, configuration data +is not listed. + +\item[{\textbf{-k}}] \leavevmode +List keys held in a keytab file. + +\item[{\textbf{-i}}] \leavevmode +In combination with \textbf{-k}, defaults to using the default client +keytab instead of the default acceptor keytab, if no name is +given. + +\item[{\textbf{-t}}] \leavevmode +Display the time entry timestamps for each keytab entry in the +keytab file. + +\item[{\textbf{-K}}] \leavevmode +Display the value of the encryption key in each keytab entry in +the keytab file. + +\item[{\textbf{-V}}] \leavevmode +Display the Kerberos version number and exit. + +\end{description} + +If \emph{cache\_name} or \emph{keytab\_name} is not specified, klist will display +the credentials in the default credentials cache or keytab file as +appropriate. If the \textbf{KRB5CCNAME} environment variable is set, its +value is used to locate the default ticket cache. + + +\subsection{ENVIRONMENT} +\label{user/user_commands/klist:environment} +klist uses the following environment variable: +\begin{description} +\item[{\textbf{KRB5CCNAME}}] \leavevmode +Location of the default Kerberos 5 credentials (ticket) cache, in +the form \emph{type}:\emph{residual}. If no \emph{type} prefix is present, the +\textbf{FILE} type is assumed. The type of the default cache may +determine the availability of a cache collection; for instance, a +default cache of type \textbf{DIR} causes caches within the directory +to be present in the collection. + +\end{description} + + +\subsection{FILES} +\label{user/user_commands/klist:files}\begin{description} +\item[{\emph{DEFCCNAME}}] \leavevmode +Default location of Kerberos 5 credentials cache + +\item[{\emph{DEFKTNAME}}] \leavevmode +Default location for the local host's keytab file. + +\end{description} + + +\subsection{SEE ALSO} +\label{user/user_commands/klist:see-also} +{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}} + + +\section{kpasswd} +\label{user/user_commands/kpasswd:kpasswd}\label{user/user_commands/kpasswd::doc}\label{user/user_commands/kpasswd:kpasswd-1} + +\subsection{SYNOPSIS} +\label{user/user_commands/kpasswd:synopsis} +\textbf{kpasswd} {[}\emph{principal}{]} + + +\subsection{DESCRIPTION} +\label{user/user_commands/kpasswd:description} +The kpasswd command is used to change a Kerberos principal's password. +kpasswd first prompts for the current Kerberos password, then prompts +the user twice for the new password, and the password is changed. + +If the principal is governed by a policy that specifies the length +and/or number of character classes required in the new password, the +new password must conform to the policy. (The five character classes +are lower case, upper case, numbers, punctuation, and all other +characters.) + + +\subsection{OPTIONS} +\label{user/user_commands/kpasswd:options}\begin{description} +\item[{\emph{principal}}] \leavevmode +Change the password for the Kerberos principal principal. +Otherwise, kpasswd uses the principal name from an existing ccache +if there is one; if not, the principal is derived from the +identity of the user invoking the kpasswd command. + +\end{description} + + +\subsection{SEE ALSO} +\label{user/user_commands/kpasswd:see-also} +\emph{kadmin(1)}, \emph{kadmind(8)} + + +\section{krb5-config} +\label{user/user_commands/krb5-config:krb5-config-1}\label{user/user_commands/krb5-config:krb5-config}\label{user/user_commands/krb5-config::doc} + +\subsection{SYNOPSIS} +\label{user/user_commands/krb5-config:synopsis} +\textbf{krb5-config} +{[}\textbf{-}\textbf{-help} \textbar{} \textbf{-}\textbf{-all} \textbar{} \textbf{-}\textbf{-version} \textbar{} \textbf{-}\textbf{-vendor} \textbar{} \textbf{-}\textbf{-prefix} \textbar{} \textbf{-}\textbf{-exec-prefix} \textbar{} \textbf{-}\textbf{-defccname} \textbar{} \textbf{-}\textbf{-defktname} \textbar{} \textbf{-}\textbf{-defcktname} \textbar{} \textbf{-}\textbf{-cflags} \textbar{} \textbf{-}\textbf{-libs} {[}\emph{libraries}{]}{]} + + +\subsection{DESCRIPTION} +\label{user/user_commands/krb5-config:description} +krb5-config tells the application programmer what flags to use to compile +and link programs against the installed Kerberos libraries. + + +\subsection{OPTIONS} +\label{user/user_commands/krb5-config:options}\begin{description} +\item[{\textbf{-}\textbf{-help}}] \leavevmode +prints a usage message. This is the default behavior when no options +are specified. + +\item[{\textbf{-}\textbf{-all}}] \leavevmode +prints the version, vendor, prefix, and exec-prefix. + +\item[{\textbf{-}\textbf{-version}}] \leavevmode +prints the version number of the Kerberos installation. + +\item[{\textbf{-}\textbf{-vendor}}] \leavevmode +prints the name of the vendor of the Kerberos installation. + +\item[{\textbf{-}\textbf{-prefix}}] \leavevmode +prints the prefix for which the Kerberos installation was built. + +\item[{\textbf{-}\textbf{-exec-prefix}}] \leavevmode +prints the prefix for executables for which the Kerberos installation +was built. + +\item[{\textbf{-}\textbf{-defccname}}] \leavevmode +prints the built-in default credentials cache location. + +\item[{\textbf{-}\textbf{-defktname}}] \leavevmode +prints the built-in default keytab location. + +\item[{\textbf{-}\textbf{-defcktname}}] \leavevmode +prints the built-in default client (initiator) keytab location. + +\item[{\textbf{-}\textbf{-cflags}}] \leavevmode +prints the compilation flags used to build the Kerberos installation. + +\item[{\textbf{-}\textbf{-libs} {[}\emph{library}{]}}] \leavevmode +prints the compiler options needed to link against \emph{library}. +Allowed values for \emph{library} are: + +\begin{tabulary}{\linewidth}{|L|L|} +\hline + +krb5 + & +Kerberos 5 applications (default) +\\ +\hline +gssapi + & +GSSAPI applications with Kerberos 5 bindings +\\ +\hline +kadm-client + & +Kadmin client +\\ +\hline +kadm-server + & +Kadmin server +\\ +\hline +kdb + & +Applications that access the Kerberos database +\\ +\hline\end{tabulary} + + +\end{description} + + +\subsection{EXAMPLES} +\label{user/user_commands/krb5-config:examples} +krb5-config is particularly useful for compiling against a Kerberos +installation that was installed in a non-standard location. For example, +a Kerberos installation that is installed in \code{/opt/krb5/} but uses +libraries in \code{/usr/local/lib/} for text localization would produce +the following output: + +\begin{Verbatim}[commandchars=\\\{\}] +shell\PYGZpc{} krb5\PYGZhy{}config \PYGZhy{}\PYGZhy{}libs krb5 +\PYGZhy{}L/opt/krb5/lib \PYGZhy{}Wl,\PYGZhy{}rpath \PYGZhy{}Wl,/opt/krb5/lib \PYGZhy{}L/usr/local/lib \PYGZhy{}lkrb5 \PYGZhy{}lk5crypto \PYGZhy{}lcom\PYGZus{}err +\end{Verbatim} + + +\subsection{SEE ALSO} +\label{user/user_commands/krb5-config:see-also} +kerberos(1), cc(1) + + +\section{ksu} +\label{user/user_commands/ksu:ksu-1}\label{user/user_commands/ksu:ksu}\label{user/user_commands/ksu::doc} + +\subsection{SYNOPSIS} +\label{user/user_commands/ksu:synopsis} +\textbf{ksu} +{[} \emph{target\_user} {]} +{[} \textbf{-n} \emph{target\_principal\_name} {]} +{[} \textbf{-c} \emph{source\_cache\_name} {]} +{[} \textbf{-k} {]} +{[} \textbf{-r} time {]} +{[} \textbf{-pf} {]} +{[} \textbf{-l} \emph{lifetime} {]} +{[} \textbf{-z \textbar{} Z} {]} +{[} \textbf{-q} {]} +{[} \textbf{-e} \emph{command} {[} args ... {]} {]} {[} \textbf{-a} {[} args ... {]} {]} + + +\subsection{REQUIREMENTS} +\label{user/user_commands/ksu:requirements} +Must have Kerberos version 5 installed to compile ksu. Must have a +Kerberos version 5 server running to use ksu. + + +\subsection{DESCRIPTION} +\label{user/user_commands/ksu:description} +ksu is a Kerberized version of the su program that has two missions: +one is to securely change the real and effective user ID to that of +the target user, and the other is to create a new security context. + +\begin{notice}{note}{Note:} +For the sake of clarity, all references to and attributes of +the user invoking the program will start with ``source'' +(e.g., ``source user'', ``source cache'', etc.). + +Likewise, all references to and attributes of the target +account will start with ``target''. +\end{notice} + + +\subsection{AUTHENTICATION} +\label{user/user_commands/ksu:authentication} +To fulfill the first mission, ksu operates in two phases: +authentication and authorization. Resolving the target principal name +is the first step in authentication. The user can either specify his +principal name with the \textbf{-n} option (e.g., \code{-n jqpublic@USC.EDU}) +or a default principal name will be assigned using a heuristic +described in the OPTIONS section (see \textbf{-n} option). The target user +name must be the first argument to ksu; if not specified root is the +default. If \code{.} is specified then the target user will be the +source user (e.g., \code{ksu .}). If the source user is root or the +target user is the source user, no authentication or authorization +takes place. Otherwise, ksu looks for an appropriate Kerberos ticket +in the source cache. + +The ticket can either be for the end-server or a ticket granting +ticket (TGT) for the target principal's realm. If the ticket for the +end-server is already in the cache, it's decrypted and verified. If +it's not in the cache but the TGT is, the TGT is used to obtain the +ticket for the end-server. The end-server ticket is then verified. +If neither ticket is in the cache, but ksu is compiled with the +\textbf{GET\_TGT\_VIA\_PASSWD} define, the user will be prompted for a +Kerberos password which will then be used to get a TGT. If the user +is logged in remotely and does not have a secure channel, the password +may be exposed. If neither ticket is in the cache and +\textbf{GET\_TGT\_VIA\_PASSWD} is not defined, authentication fails. + + +\subsection{AUTHORIZATION} +\label{user/user_commands/ksu:authorization} +This section describes authorization of the source user when ksu is +invoked without the \textbf{-e} option. For a description of the \textbf{-e} +option, see the OPTIONS section. + +Upon successful authentication, ksu checks whether the target +principal is authorized to access the target account. In the target +user's home directory, ksu attempts to access two authorization files: +{\hyperref[user/user_config/k5login:k5login-5]{\emph{.k5login}}} and .k5users. In the .k5login file each line +contains the name of a principal that is authorized to access the +account. + +For example: + +\begin{Verbatim}[commandchars=\\\{\}] +jqpublic@USC.EDU +jqpublic/secure@USC.EDU +jqpublic/admin@USC.EDU +\end{Verbatim} + +The format of .k5users is the same, except the principal name may be +followed by a list of commands that the principal is authorized to +execute (see the \textbf{-e} option in the OPTIONS section for details). + +Thus if the target principal name is found in the .k5login file the +source user is authorized to access the target account. Otherwise ksu +looks in the .k5users file. If the target principal name is found +without any trailing commands or followed only by \code{*} then the +source user is authorized. If either .k5login or .k5users exist but +an appropriate entry for the target principal does not exist then +access is denied. If neither file exists then the principal will be +granted access to the account according to the aname-\textgreater{}lname mapping +rules. Otherwise, authorization fails. + + +\subsection{EXECUTION OF THE TARGET SHELL} +\label{user/user_commands/ksu:execution-of-the-target-shell} +Upon successful authentication and authorization, ksu proceeds in a +similar fashion to su. The environment is unmodified with the +exception of USER, HOME and SHELL variables. If the target user is +not root, USER gets set to the target user name. Otherwise USER +remains unchanged. Both HOME and SHELL are set to the target login's +default values. In addition, the environment variable \textbf{KRB5CCNAME} +gets set to the name of the target cache. The real and effective user +ID are changed to that of the target user. The target user's shell is +then invoked (the shell name is specified in the password file). Upon +termination of the shell, ksu deletes the target cache (unless ksu is +invoked with the \textbf{-k} option). This is implemented by first doing a +fork and then an exec, instead of just exec, as done by su. + + +\subsection{CREATING A NEW SECURITY CONTEXT} +\label{user/user_commands/ksu:creating-a-new-security-context} +ksu can be used to create a new security context for the target +program (either the target shell, or command specified via the \textbf{-e} +option). The target program inherits a set of credentials from the +source user. By default, this set includes all of the credentials in +the source cache plus any additional credentials obtained during +authentication. The source user is able to limit the credentials in +this set by using \textbf{-z} or \textbf{-Z} option. \textbf{-z} restricts the copy +of tickets from the source cache to the target cache to only the +tickets where client == the target principal name. The \textbf{-Z} option +provides the target user with a fresh target cache (no creds in the +cache). Note that for security reasons, when the source user is root +and target user is non-root, \textbf{-z} option is the default mode of +operation. + +While no authentication takes place if the source user is root or is +the same as the target user, additional tickets can still be obtained +for the target cache. If \textbf{-n} is specified and no credentials can +be copied to the target cache, the source user is prompted for a +Kerberos password (unless \textbf{-Z} specified or \textbf{GET\_TGT\_VIA\_PASSWD} +is undefined). If successful, a TGT is obtained from the Kerberos +server and stored in the target cache. Otherwise, if a password is +not provided (user hit return) ksu continues in a normal mode of +operation (the target cache will not contain the desired TGT). If the +wrong password is typed in, ksu fails. + +\begin{notice}{note}{Note:} +During authentication, only the tickets that could be +obtained without providing a password are cached in in the +source cache. +\end{notice} + + +\subsection{OPTIONS} +\label{user/user_commands/ksu:options}\begin{description} +\item[{\textbf{-n} \emph{target\_principal\_name}}] \leavevmode +Specify a Kerberos target principal name. Used in authentication +and authorization phases of ksu. + +If ksu is invoked without \textbf{-n}, a default principal name is +assigned via the following heuristic: +\begin{itemize} +\item {} +Case 1: source user is non-root. + +If the target user is the source user the default principal name +is set to the default principal of the source cache. If the +cache does not exist then the default principal name is set to +\code{target\_user@local\_realm}. If the source and target users are +different and neither \code{\textasciitilde{}target\_user/.k5users} nor +\code{\textasciitilde{}target\_user/.k5login} exist then the default principal name +is \code{target\_user\_login\_name@local\_realm}. Otherwise, starting +with the first principal listed below, ksu checks if the +principal is authorized to access the target account and whether +there is a legitimate ticket for that principal in the source +cache. If both conditions are met that principal becomes the +default target principal, otherwise go to the next principal. +\begin{enumerate} +\item {} +default principal of the source cache + +\item {} +target\_user@local\_realm + +\item {} +source\_user@local\_realm + +\end{enumerate} + +If a-c fails try any principal for which there is a ticket in +the source cache and that is authorized to access the target +account. If that fails select the first principal that is +authorized to access the target account from the above list. If +none are authorized and ksu is configured with +\textbf{PRINC\_LOOK\_AHEAD} turned on, select the default principal as +follows: + +For each candidate in the above list, select an authorized +principal that has the same realm name and first part of the +principal name equal to the prefix of the candidate. For +example if candidate a) is \code{jqpublic@ISI.EDU} and +\code{jqpublic/secure@ISI.EDU} is authorized to access the target +account then the default principal is set to +\code{jqpublic/secure@ISI.EDU}. + +\item {} +Case 2: source user is root. + +If the target user is non-root then the default principal name +is \code{target\_user@local\_realm}. Else, if the source cache +exists the default principal name is set to the default +principal of the source cache. If the source cache does not +exist, default principal name is set to \code{root\textbackslash{}@local\_realm}. + +\end{itemize} + +\end{description} + +\textbf{-c} \emph{source\_cache\_name} +\begin{quote} + +Specify source cache name (e.g., \code{-c FILE:/tmp/my\_cache}). If +\textbf{-c} option is not used then the name is obtained from +\textbf{KRB5CCNAME} environment variable. If \textbf{KRB5CCNAME} is not +defined the source cache name is set to \code{krb5cc\_\textless{}source uid\textgreater{}}. +The target cache name is automatically set to \code{krb5cc\_\textless{}target +uid\textgreater{}.(gen\_sym())}, where gen\_sym generates a new number such that +the resulting cache does not already exist. For example: + +\begin{Verbatim}[commandchars=\\\{\}] +krb5cc\PYGZus{}1984.2 +\end{Verbatim} +\end{quote} +\begin{description} +\item[{\textbf{-k}}] \leavevmode +Do not delete the target cache upon termination of the target +shell or a command (\textbf{-e} command). Without \textbf{-k}, ksu deletes +the target cache. + +\item[{\textbf{-z}}] \leavevmode +Restrict the copy of tickets from the source cache to the target +cache to only the tickets where client == the target principal +name. Use the \textbf{-n} option if you want the tickets for other then +the default principal. Note that the \textbf{-z} option is mutually +exclusive with the \textbf{-Z} option. + +\item[{\textbf{-Z}}] \leavevmode +Don't copy any tickets from the source cache to the target cache. +Just create a fresh target cache, where the default principal name +of the cache is initialized to the target principal name. Note +that the \textbf{-Z} option is mutually exclusive with the \textbf{-z} +option. + +\item[{\textbf{-q}}] \leavevmode +Suppress the printing of status messages. + +\end{description} + +Ticket granting ticket options: +\begin{description} +\item[{\textbf{-l} \emph{lifetime} \textbf{-r} \emph{time} \textbf{-pf}}] \leavevmode +The ticket granting ticket options only apply to the case where +there are no appropriate tickets in the cache to authenticate the +source user. In this case if ksu is configured to prompt users +for a Kerberos password (\textbf{GET\_TGT\_VIA\_PASSWD} is defined), the +ticket granting ticket options that are specified will be used +when getting a ticket granting ticket from the Kerberos server. + +\item[{\textbf{-l} \emph{lifetime}}] \leavevmode +(\emph{duration} string.) Specifies the lifetime to be requested +for the ticket; if this option is not specified, the default ticket +lifetime (12 hours) is used instead. + +\item[{\textbf{-r} \emph{time}}] \leavevmode +(\emph{duration} string.) Specifies that the \textbf{renewable} option +should be requested for the ticket, and specifies the desired +total lifetime of the ticket. + +\item[{\textbf{-p}}] \leavevmode +specifies that the \textbf{proxiable} option should be requested for +the ticket. + +\item[{\textbf{-f}}] \leavevmode +option specifies that the \textbf{forwardable} option should be +requested for the ticket. + +\item[{\textbf{-e} \emph{command} {[}\emph{args} ...{]}}] \leavevmode +ksu proceeds exactly the same as if it was invoked without the +\textbf{-e} option, except instead of executing the target shell, ksu +executes the specified command. Example of usage: + +\begin{Verbatim}[commandchars=\\\{\}] +ksu bob \PYGZhy{}e ls \PYGZhy{}lag +\end{Verbatim} + +The authorization algorithm for \textbf{-e} is as follows: + +If the source user is root or source user == target user, no +authorization takes place and the command is executed. If source +user id != 0, and \code{\textasciitilde{}target\_user/.k5users} file does not exist, +authorization fails. Otherwise, \code{\textasciitilde{}target\_user/.k5users} file +must have an appropriate entry for target principal to get +authorized. + +The .k5users file format: + +A single principal entry on each line that may be followed by a +list of commands that the principal is authorized to execute. A +principal name followed by a \code{*} means that the user is +authorized to execute any command. Thus, in the following +example: + +\begin{Verbatim}[commandchars=\\\{\}] +jqpublic@USC.EDU ls mail /local/kerberos/klist +jqpublic/secure@USC.EDU * +jqpublic/admin@USC.EDU +\end{Verbatim} + +\code{jqpublic@USC.EDU} is only authorized to execute \code{ls}, +\code{mail} and \code{klist} commands. \code{jqpublic/secure@USC.EDU} is +authorized to execute any command. \code{jqpublic/admin@USC.EDU} is +not authorized to execute any command. Note, that +\code{jqpublic/admin@USC.EDU} is authorized to execute the target +shell (regular ksu, without the \textbf{-e} option) but +\code{jqpublic@USC.EDU} is not. + +The commands listed after the principal name must be either a full +path names or just the program name. In the second case, +\textbf{CMD\_PATH} specifying the location of authorized programs must +be defined at the compilation time of ksu. Which command gets +executed? + +If the source user is root or the target user is the source user +or the user is authorized to execute any command (\code{*} entry) +then command can be either a full or a relative path leading to +the target program. Otherwise, the user must specify either a +full path or just the program name. + +\item[{\textbf{-a} \emph{args}}] \leavevmode +Specify arguments to be passed to the target shell. Note that all +flags and parameters following -a will be passed to the shell, +thus all options intended for ksu must precede \textbf{-a}. + +The \textbf{-a} option can be used to simulate the \textbf{-e} option if +used as follows: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYGZhy{}a \PYGZhy{}c [command [arguments]]. +\end{Verbatim} + +\textbf{-c} is interpreted by the c-shell to execute the command. + +\end{description} + + +\subsection{INSTALLATION INSTRUCTIONS} +\label{user/user_commands/ksu:installation-instructions} +ksu can be compiled with the following four flags: +\begin{description} +\item[{\textbf{GET\_TGT\_VIA\_PASSWD}}] \leavevmode +In case no appropriate tickets are found in the source cache, the +user will be prompted for a Kerberos password. The password is +then used to get a ticket granting ticket from the Kerberos +server. The danger of configuring ksu with this macro is if the +source user is logged in remotely and does not have a secure +channel, the password may get exposed. + +\item[{\textbf{PRINC\_LOOK\_AHEAD}}] \leavevmode +During the resolution of the default principal name, +\textbf{PRINC\_LOOK\_AHEAD} enables ksu to find principal names in +the .k5users file as described in the OPTIONS section +(see \textbf{-n} option). + +\item[{\textbf{CMD\_PATH}}] \leavevmode +Specifies a list of directories containing programs that users are +authorized to execute (via .k5users file). + +\item[{\textbf{HAVE\_GETUSERSHELL}}] \leavevmode +If the source user is non-root, ksu insists that the target user's +shell to be invoked is a ``legal shell''. \emph{getusershell(3)} is +called to obtain the names of ``legal shells''. Note that the +target user's shell is obtained from the passwd file. + +\end{description} + +Sample configuration: + +\begin{Verbatim}[commandchars=\\\{\}] +KSU\PYGZus{}OPTS = \PYGZhy{}DGET\PYGZus{}TGT\PYGZus{}VIA\PYGZus{}PASSWD \PYGZhy{}DPRINC\PYGZus{}LOOK\PYGZus{}AHEAD \PYGZhy{}DCMD\PYGZus{}PATH=\PYGZsq{}\PYGZdq{}/bin /usr/ucb /local/bin\PYGZdq{} +\end{Verbatim} + +ksu should be owned by root and have the set user id bit turned on. + +ksu attempts to get a ticket for the end server just as Kerberized +telnet and rlogin. Thus, there must be an entry for the server in the +Kerberos database (e.g., \code{host/nii.isi.edu@ISI.EDU}). The keytab +file must be in an appropriate location. + + +\subsection{SIDE EFFECTS} +\label{user/user_commands/ksu:side-effects} +ksu deletes all expired tickets from the source cache. + + +\subsection{AUTHOR OF KSU} +\label{user/user_commands/ksu:author-of-ksu} +GENNADY (ARI) MEDVINSKY + + +\section{kswitch} +\label{user/user_commands/kswitch:kswitch-1}\label{user/user_commands/kswitch:kswitch}\label{user/user_commands/kswitch::doc} + +\subsection{SYNOPSIS} +\label{user/user_commands/kswitch:synopsis} +\textbf{kswitch} +\{\textbf{-c} \emph{cachename}\textbar{}\textbf{-p} \emph{principal}\} + + +\subsection{DESCRIPTION} +\label{user/user_commands/kswitch:description} +kswitch makes the specified credential cache the primary cache for the +collection, if a cache collection is available. + + +\subsection{OPTIONS} +\label{user/user_commands/kswitch:options}\begin{description} +\item[{\textbf{-c} \emph{cachename}}] \leavevmode +Directly specifies the credential cache to be made primary. + +\item[{\textbf{-p} \emph{principal}}] \leavevmode +Causes the cache collection to be searched for a cache containing +credentials for \emph{principal}. If one is found, that collection is +made primary. + +\end{description} + + +\subsection{ENVIRONMENT} +\label{user/user_commands/kswitch:environment} +kswitch uses the following environment variables: +\begin{description} +\item[{\textbf{KRB5CCNAME}}] \leavevmode +Location of the default Kerberos 5 credentials (ticket) cache, in +the form \emph{type}:\emph{residual}. If no \emph{type} prefix is present, the +\textbf{FILE} type is assumed. The type of the default cache may +determine the availability of a cache collection; for instance, a +default cache of type \textbf{DIR} causes caches within the directory +to be present in the collection. + +\end{description} + + +\subsection{FILES} +\label{user/user_commands/kswitch:files}\begin{description} +\item[{\emph{DEFCCNAME}}] \leavevmode +Default location of Kerberos 5 credentials cache + +\end{description} + + +\subsection{SEE ALSO} +\label{user/user_commands/kswitch:see-also} +{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}}, {\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}}), kerberos(1) + + +\section{kvno} +\label{user/user_commands/kvno:kvno-1}\label{user/user_commands/kvno::doc}\label{user/user_commands/kvno:kvno} + +\subsection{SYNOPSIS} +\label{user/user_commands/kvno:synopsis} +\textbf{kvno} +{[}\textbf{-c} \emph{ccache}{]} +{[}\textbf{-e} \emph{etype}{]} +{[}\textbf{-q}{]} +{[}\textbf{-h}{]} +{[}\textbf{-P}{]} +{[}\textbf{-S} \emph{sname}{]} +{[}\textbf{-U} \emph{for\_user}{]} +\emph{service1 service2} ... + + +\subsection{DESCRIPTION} +\label{user/user_commands/kvno:description} +kvno acquires a service ticket for the specified Kerberos principals +and prints out the key version numbers of each. + + +\subsection{OPTIONS} +\label{user/user_commands/kvno:options}\begin{description} +\item[{\textbf{-c} \emph{ccache}}] \leavevmode +Specifies the name of a credentials cache to use (if not the +default) + +\item[{\textbf{-e} \emph{etype}}] \leavevmode +Specifies the enctype which will be requested for the session key +of all the services named on the command line. This is useful in +certain backward compatibility situations. + +\item[{\textbf{-q}}] \leavevmode +Suppress printing output when successful. If a service ticket +cannot be obtained, an error message will still be printed and +kvno will exit with nonzero status. + +\item[{\textbf{-h}}] \leavevmode +Prints a usage statement and exits. + +\item[{\textbf{-P}}] \leavevmode +Specifies that the \emph{service1 service2} ... arguments are to be +treated as services for which credentials should be acquired using +constrained delegation. This option is only valid when used in +conjunction with protocol transition. + +\item[{\textbf{-S} \emph{sname}}] \leavevmode +Specifies that the \emph{service1 service2} ... arguments are +interpreted as hostnames, and the service principals are to be +constructed from those hostnames and the service name \emph{sname}. +The service hostnames will be canonicalized according to the usual +rules for constructing service principals. + +\item[{\textbf{-U} \emph{for\_user}}] \leavevmode +Specifies that protocol transition (S4U2Self) is to be used to +acquire a ticket on behalf of \emph{for\_user}. If constrained +delegation is not requested, the service name must match the +credentials cache client principal. + +\end{description} + + +\subsection{ENVIRONMENT} +\label{user/user_commands/kvno:environment} +kvno uses the following environment variable: +\begin{description} +\item[{\textbf{KRB5CCNAME}}] \leavevmode +Location of the credentials (ticket) cache. + +\end{description} + + +\subsection{FILES} +\label{user/user_commands/kvno:files}\begin{description} +\item[{\emph{DEFCCNAME}}] \leavevmode +Default location of the credentials cache + +\end{description} + + +\subsection{SEE ALSO} +\label{user/user_commands/kvno:see-also} +{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}} + + +\section{sclient} +\label{user/user_commands/sclient:sclient}\label{user/user_commands/sclient::doc}\label{user/user_commands/sclient:sclient-1} + +\subsection{SYNOPSIS} +\label{user/user_commands/sclient:synopsis} +\textbf{sclient} \emph{remotehost} + + +\subsection{DESCRIPTION} +\label{user/user_commands/sclient:description} +sclient is a sample application, primarily useful for testing +purposes. It contacts a sample server \emph{sserver(8)} and +authenticates to it using Kerberos version 5 tickets, then displays +the server's response. + + +\subsection{SEE ALSO} +\label{user/user_commands/sclient:see-also} +{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, \emph{sserver(8)} + + + +\renewcommand{\indexname}{Index} +\printindex +\end{document} |