author | Russ Allbery <rra@stanford.edu> | 2007-09-25 20:57:06 +0000 |
---|---|---|
committer | Russ Allbery <rra@stanford.edu> | 2007-09-25 20:57:06 +0000 |
commit | 766ba9295705be7c91593b6e7ce5db66bf88d453 (patch) | |
tree | e568ee88b65b3d1b592a74d32e34fd4f2f063847 /perl/t/data/README | |
parent | 3242b66fbf8274991d3fbb0d02ca85e1e2ca60b6 (diff) |
Add support for synchronizing a key with an AFS kaserver in the keytab
object implementation, extracting the DES key with Authen::Krb5 (since
ktutil doesn't work).

Rename the KEYTAB_CACHE variable to KEYTAB_REMCTL_CACHE to match the
rest of the keytab retrieval configuration and reorganize the
Wallet::Config documentation to group related configuration options for
the keytab backend.

Fix a column name in the keytab_enctypes table to be more consistent
with the rest of the schema.
Diffstat (limited to 'perl/t/data/README')
-rw-r--r-- | perl/t/data/README | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/perl/t/data/README b/perl/t/data/README index 33ec32f..968ec6c 100644 --- a/perl/t/data/README +++ b/perl/t/data/README @@ -27,3 +27,20 @@ and <realm> is the Kerberos realm. Again, I do not recommend using a production realm; the test doesn't need a production realm and it's more secure to stick to a test realm. + +In order to test the AFS kaserver synchronization, you will need to grant +the test processes access to a principal with ADMIN rights in a test AFS +kaserver. This should not be pointed at a production cell! Create the +following files: + + test.admin Fully-qualified principal of ADMIN user + test.cell AFS kaserver test cell + +The ADMIN user will be parsed to determine the default realm for +principals created in the kaserver. You cannot use cross-realm +authentication for this test. This AFS kaserver Kerberos v4 realm will +also need to be configured in your local krb.conf (but not krb.realms). + +The test process will create the principals wallet.one and wallet.two and +on success will clean up after itself. If the test fails, they may be +left behind in the AFS kaserver. |
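Review bot: The added file list (test.admin, test.cell) names the ADMIN principal and the cell, but nothing in the added text says how the test process obtains credentials for that principal, so a reader cannot tell what else has to be in place or what needs protecting on disk. Please state where the ADMIN credentials come from and recommend restrictive permissions on whatever holds them. In the last added paragraph, the fixed names wallet.one and wallet.two are created and then cleaned up, so it is worth saying explicitly that the test cell must not already contain principals with those names, and that after a failed run the two principals have to be removed by hand before the next run. The warning "This should not be pointed at a production cell!" is good; consider repeating the reason given earlier for the realm (the test does not need production and a test cell is safer) so the two paragraphs read consistently.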