| field | value | date |
|---|---|---|
| author | Russ Allbery <rra@stanford.edu> | 2010-02-09 13:37:58 -0800 |
| committer | Russ Allbery <rra@stanford.edu> | 2010-02-09 13:37:58 -0800 |
| commit | 2d33440272200cad20a5a4c58e5d8aa0dfad9a1f (patch) | |
| tree | ee0b7718544e6ae054c52b273f5a51a085b228bb /client/wallet.pod | |
| parent | 03889c8b1b3145e5e79a7f05763a55c788ef8672 (diff) | |
Remove kaserver synchronization support from the wallet client
The wallet client no longer enables kaserver synchronization when a
srvtab is requested with -S.  Instead, it just extracts the DES key
from the keytab and writes it to a srvtab.  It no longer forces the
kvno of the srvtab to 0 (a Stanford-specific action) and instead
preserves the kvno from the key in the keytab.  This should now do the
right thing for sites that use a KDC that serves both Kerberos v4 and
Kerberos v5 from the same database.
Diffstat (limited to 'client/wallet.pod')
| -rw-r--r-- | client/wallet.pod | 44 | 
1 files changed, 13 insertions, 31 deletions
| diff --git a/client/wallet.pod b/client/wallet.pod index 657929b..6451e72 100644 --- a/client/wallet.pod +++ b/client/wallet.pod @@ -114,9 +114,19 @@ C<keytab> object, and must be used in conjunction with the B<-f> flag.  After the keytab is saved to the file specified by B<-f>, the DES key for  that principal will be extracted and written as a Kerberos v4 srvtab to  the file I<srvtab>.  Any existing contents of I<srvtab> will be -destroyed.  For more information on how the principal is converted to -Kerberos v4, see the description of the B<sync> attribute under -L<ATTRIBUTES>. +destroyed. + +The Kerberos v4 principal name will be generated from the Kerberos v5 +principal name using the krb5_524_conv_principal() function of the +Kerberos libraries.  See its documentation for more information, but +briefly (and in the absence of special configuration), the Kerberos v4 +principal name will be the same as the Kerberos v5 principal name except +that the components are separated by C<.> instead of C</>; the second +component is truncated after the first C<.> if the first component is one +of the recognized host-based principals (generally C<host>, C<imap>, +C<pop>, or C<smtp>); and the first component is C<rcmd> if the Kerberos v5 +principal component is C<host>.  The principal name must not contain more +than two components.  =item B<-s> I<server> 
@@ -377,34 +387,6 @@ Keytabs retrieved with C<unchanging> set will contain all keys present in  the KDC for that Kerberos principal and therefore may contain different  enctypes than those requested by this attribute. -=item sync - -Sets the external systems to which the key of a given principal is -synchronized.  The only supported value for this attribute is C<kaserver>, -which says to synchronize the key with an AFS Kerberos v4 kaserver. - -If this attribute is set on a keytab, whenever the C<get> command is run -for that keytab, the DES key will be extracted from that keytab and set in -the configured AFS kaserver.  If the B<-S> option is given to the -B<wallet> client, the srvtab corresponding to the keytab will be written -to the file specified with that option.  The Kerberos v4 principal name -will be the same as the Kerberos v5 principal name except that the -components are separated by C<.> instead of C</>; the second component is -truncated after the first C<.> if the first component is one of C<host>, -C<ident>, C<imap>, C<pop>, or C<smtp>; and the first component is C<rcmd> -if the Kerberos v5 principal component is C<host>.  The principal name -must not contain more than two components. - -If this attribute is set, calling C<destroy> will also destroy the -principal from the AFS kaserver, with a principal mapping determined as -above. - -The realm of the srvtab defaults to the same realm as the keytab.  You can -change this by setting the v4_realm configuration option in the [realms] -section of krb5.conf for the local realm.  The keytab must be for a -principal in the default local realm for the B<-S> option to work -correctly. -  =back  =head1 CONFIGURATION | 
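Review bot: In the first hunk (@@ -114,9 +114,19 @@), the new B<-S> paragraph drops two points that the rest of this patch relies on. The sync text removed further down carried the realm guidance ("The realm of the srvtab defaults to the same realm as the keytab. You can change this by setting the v4_realm configuration option in the [realms] section of krb5.conf") and the requirement that the keytab be for a principal in the default local realm; if the client still behaves that way, move those sentences into the B<-S> description, since the realm of the generated srvtab is otherwise left undocumented. The commit message also states that the kvno is now preserved from the keytab rather than forced to 0, which is a visible behaviour change for sites that depended on kvno 0 and deserves a sentence here. Lastly, the list of recognized host-based principals in the new text omits C<ident>, which the removed sync text listed; confirm that matches what krb5_524_conv_principal() actually recognizes, because the paragraph now defers to that function.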
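Review bot: In the second hunk (@@ -377,34 +387,6 @@), deleting the entire C<sync> entry leaves no statement of what now happens when a keytab object still has C<sync> set to C<kaserver>, and the deleted text also covered the C<destroy> behaviour ("calling C<destroy> will also destroy the principal from the AFS kaserver"). This diff touches only client/wallet.pod, so either add a short note that the client no longer acts on the attribute (and whether C<destroy> still reaches the kaserver), or point at the server-side change that retires it; otherwise existing deployments get no migration hint. Also check that nothing else in the file still sends readers to L<ATTRIBUTES> for the sync behaviour, since the one such cross-reference visible in this patch is removed in the first hunk.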
