User-Visible kadmin-remctl Changes

kadmin-remctl 2.2 (2008-07-31)

As of this release, AFS kaserver support is frozen and no longer tested. It may be removed in a future release if there is significant code restructuring.

Close the kasetkey output file descriptor before checking its exit status so that we get accurate results.

Produce better error messages if REMOTE_USER isn't set in the environment when checking authorization for instance management and document the use of REMOTE_USER in the man page.

kadmin-remctl 2.1 (2008-04-25)

kasetkey now supports examine, enable, and disable, so drop all remaining calls to a Kerberos v4 kadmin client and use kasetkey for all AFS kaserver integration.

Honor allowed regex configuration for valid principal names in examine as well.

Improve the library probing and allow for systems where shared library dependencies don't work properly.

If KRB5_CONFIG was explicitly set in the environment, don't use a different krb5-config based on --with-krb4 or --with-krb5. If krb5-config isn't executable, don't use it. This allows one to force library probing by setting KRB5_CONFIG to point to a nonexistent file.

Sanity-check the results of krb5-config before proceeding and error out in configure if they don't work.

kadmin-remctl 2.0 (2008-03-25)

Significantly rework kadmin-backend. The configuration variable for instance management has been renamed to %CONFIG and now must be set. It controls both instances and principals without instances. Many of the global settings have been moved into that hash and can be set per-instance. Particular instances may now be configured to only exist in Active Directory and bypass Kerberos v5 entirely.

Add the ksetpass client, which sets a Kerberos password via the password change protocol using an existing Kerberos ticket cache. Support using it for password resets in Active Directory and to work around a Windows Server 2008 bug that prevents setting passwords at the time of account creation when using GSS-API authentication. Based on work by Dmitri Priimak.

Support enable and disable commands for instance management as well.

Recognize instance list errors from kadmin correctly. kadmin returns errors prefixed by get_principals, not list_principals.

Allow for kadmin binaries that print error messages in two parts by waiting for the end of the line before extracting the error message.

When checking against ACLs, support include commands with the same syntax as remctld.
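As an added illustration of include handling (example code written here, not kadmin-backend's own Perl), the following loads an ACL file in the remctld style: one principal per line, blank lines and # comments ignored, and include lines naming another ACL file. It assumes that a relative include path is resolved against the including file's directory and that each file is read at most once per load, so a diamond include is merged and an include loop terminates; the ACLError class, the is_authorized helper that fails closed when REMOTE_USER is unset, and the ACL contents written by demo are all constructed for the example.

```python
import os
import tempfile


class ACLError(Exception):
    """Raised for an unreadable ACL file, a bad include line, or no REMOTE_USER."""


def load_acl(path, _seen=None):
    """Return the set of principals granted by the ACL file at path.

    One principal per line; blank lines and '#' comments are ignored; an
    'include <file>' line pulls in another ACL file (a relative name is
    resolved against the including file's directory; that resolution rule
    is an assumption of this example). Every file is read at most once per
    load, so diamond includes are merged and an include loop terminates.
    """
    path = os.path.abspath(path)
    seen = set() if _seen is None else _seen
    if path in seen:
        return set()
    seen.add(path)
    try:
        with open(path) as fh:
            lines = fh.read().splitlines()
    except OSError as err:
        raise ACLError("cannot read ACL %s: %s" % (path, err))
    principals = set()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] == "include":
            if len(parts) != 2:
                raise ACLError("%s:%d: include without a file name" % (path, lineno))
            target = parts[1].strip()
            if not os.path.isabs(target):
                target = os.path.join(os.path.dirname(path), target)
            principals |= load_acl(target, seen)
        else:
            principals.add(line)
    return principals


def is_authorized(acl_path, remote_user):
    """Check the REMOTE_USER principal against the ACL; fail closed if unset."""
    if not remote_user:
        raise ACLError("REMOTE_USER is not set; refusing to authorize")
    return remote_user in load_acl(acl_path)


def demo():
    """Write a constructed ACL tree to a temp dir and report the decisions."""
    with tempfile.TemporaryDirectory() as tmp:
        def write(name, text):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(text)
        # Constructed sample ACL files, including a deliberate include loop.
        write("admins", "# constructed sample ACL\nalice/admin@EXAMPLE.COM\n")
        write("instance-acl", "bob@EXAMPLE.COM\ninclude admins\n")
        write("loop-a", "carol@EXAMPLE.COM\ninclude loop-b\n")
        write("loop-b", "dave@EXAMPLE.COM\ninclude loop-a\n")
        acl = os.path.join(tmp, "instance-acl")
        return {
            "alice": is_authorized(acl, "alice/admin@EXAMPLE.COM"),
            "bob": is_authorized(acl, "bob@EXAMPLE.COM"),
            "mallory": is_authorized(acl, "mallory@EXAMPLE.COM"),
            "loop": sorted(load_acl(os.path.join(tmp, "loop-a"))),
        }


if __name__ == "__main__":
    print(demo())
```

The loader raises rather than silently granting nothing when a file is unreadable, so a typo in an include path shows up as an error instead of as a quietly empty ACL.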

Change some kadmin-backend defaults to be less Stanford-specific.

kadmin-remctl 1.9 (2007-09-11)

Add support for optionally adding principals with instances created in Active Directory to an Active Directory authorization group at the time of creation.

kadmin-remctl 1.8 (2007-08-08)

Increase the timeouts in the Expect calls while performing the actual operation, since the propagation to Active Directory can take some time.

When stripping error messages for reporting to the user, don't stop stripping at newlines.

Add a newline after a remctl library error when reporting such errors to the user in passwd_change.

kadmin-remctl 1.7 (2007-08-06)

Add the $K5_HOST configuration variable to kadmin-backend which, if set, tells kadmin-backend to contact the given kadmin server instead of the default for the local realm.

Tweak kadmin-backend slightly so that it runs properly with Perl 5.6.1 without warnings.

kadmin-remctl 1.6 (2007-07-13)

Use the correct configuration key when reading the LDIF file to find the DN for deleting instances and extract just the DN rather than keeping the "dn: " prefix.

Active Directory expects passwords to be encoded in UCS-2LE. Change the password provided to the LDIF template to match that expectation, and load the modules needed for talking to Active Directory with require statements instead of use statements so that those Perl modules aren't needed unless Active Directory integration is desired.
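As an added example covering both this entry and the one above about the "dn: " prefix (code written here, not kadmin-backend's LDIF template code), the following builds the unicodePwd value for an LDIF modify record and extracts a bare DN from an LDIF record. It relies on Active Directory's requirement that unicodePwd be the password wrapped in double quotes and encoded as UTF-16LE (identical to UCS-2LE for characters in the Basic Multilingual Plane, and the closest codec Python offers), and on the LDIF rule that a binary value is written base64-encoded after a double colon. The DN and password are constructed sample values.

```python
import base64


def unicode_pwd(password):
    """Bytes for AD's unicodePwd: the password in double quotes, UTF-16LE, no BOM.

    UTF-16LE matches UCS-2LE for every character in the Basic Multilingual
    Plane, which is all Python's codec set offers.
    """
    return ('"%s"' % password).encode("utf-16-le")


def ldif_set_password(dn, password):
    """LDIF 'changetype: modify' record replacing unicodePwd.

    The value is binary, so LDIF requires the double-colon base64 form.
    """
    value = base64.b64encode(unicode_pwd(password)).decode("ascii")
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: %s" % value,
        "-",
        "",
    ])


def ldif_dn(record):
    """Return just the DN of an LDIF record, without the 'dn: ' prefix.

    Handles the base64 'dn::' form too, since a DN containing non-ASCII
    characters is written that way.
    """
    for line in record.splitlines():
        if line.startswith("dn:: "):
            return base64.b64decode(line[5:]).decode("utf-8")
        if line.startswith("dn: "):
            return line[4:].strip()
    raise ValueError("no dn line in LDIF record")


if __name__ == "__main__":
    # Constructed sample DN and password.
    record = ldif_set_password("CN=svc,OU=Service,DC=example,DC=com", "pw")
    print(record)
    print(ldif_dn(record))
```

Active Directory only accepts a unicodePwd write over an encrypted connection (LDAPS or an equivalently protected session), so the record above is useless, and the password exposed, if fed to a plain LDAP port.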

When listing instances, add a wildcard after the instance pattern rather than letting kadmin append the local realm so that we can use the same code on development servers that may be serving different realms than the local realm.

Correctly handle errors on account creation in kadmin-backend. It was treating all Kerberos errors as success.

Kerberos v4 examine output faking was prepending "retstr: " even to error messages. Drop "retstr: " when there is an error.

Standardize the ordering of error and retstr messages across the non-instance functions of kadmin-backend, and, when creating an account that already exists, return a retstr message rather than only an error.

kadmin-remctl 1.5 (2007-07-11)

Add support for propagation of instance creation and deletion into Active Directory.

When faking Kerberos v4 examine output in kadmin-backend, strip the time zone information from the Kerberos v5 timestamps. Kerberos v4 kadmin examine didn't include time zone information.

Fix the passwd_change configuration documentation to use the correct krb5.conf parameters.

kadmin-remctl 1.4 (2007-06-28)

Add support in passwd_change for reading configuration from the system krb5.conf and only use the compiled-in values as defaults.

Properly handle K4 output faking when the principal doesn't exist.

kadmin-remctl 1.3 (2007-06-11)

MIT Kerberos kadmin doesn't return a useful exit status in conjunction with -q. It always exits 0, even if the operation failed. Adjust for this by inspecting its output instead.

Add support for faking K4 kadmin examine output based on the K5 getprinc output, for backwards compatibility for Stanford Registry integration.

kadmin-remctl 1.2 (2007-06-05)

Support disabling all Kerberos v4 actions in kadmin-backend by setting one of the Kerberos v4 configuration variables to undef.

Handle CRs in the output of commands run via Expect in kadmin-backend.
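The four points made in the 2.0, 1.3 and 1.2 entries (kadmin -q always exits 0, listing errors are prefixed by get_principals, some kadmin builds print an error line in two parts, and CRs appear in Expect output) come together in one added example, written here and not taken from kadmin-backend: output chunks are buffered until a full line is available, CRs are dropped, and the verdict comes from scanning complete lines for an error prefix while the exit status is deliberately ignored. The prefixes other than get_principals, and the sample outputs, are constructed for the example.

```python
import re

# kadmin prefixes a failure with the name of the operation that failed. The
# 2.0 entry above records that listing failures use get_principals; the
# remaining prefixes are assumptions for this example.
ERROR_PREFIXES = ("get_principals", "get_principal", "add_principal",
                  "delete_principal", "modify_principal", "change_password",
                  "kadmin")
ERROR_RE = re.compile(r"^(%s): (.+)$" % "|".join(ERROR_PREFIXES))


class LineBuffer:
    """Collect output chunks and release only complete lines.

    Some kadmin builds write an error line in two parts; matching on a
    partial line would misread the message, so nothing is returned until
    the newline arrives. CRs from a pty are dropped.
    """

    def __init__(self):
        self.partial = ""

    def feed(self, chunk):
        self.partial += chunk.replace("\r", "")
        lines = self.partial.split("\n")
        self.partial = lines.pop()   # trailing piece without its newline yet
        return lines

    def flush(self):
        rest, self.partial = self.partial, ""
        return [rest] if rest else []


def kadmin_outcome(chunks, exit_status=0):
    """Return (ok, message) for a kadmin -q run.

    exit_status is accepted only to make the point explicit: it is ignored,
    because MIT kadmin exits 0 whether or not the operation succeeded. The
    verdict comes from scanning complete output lines for an error prefix.
    """
    buf = LineBuffer()
    lines = []
    for chunk in chunks:
        lines.extend(buf.feed(chunk))
    lines.extend(buf.flush())
    for line in lines:
        m = ERROR_RE.match(line)
        if m:
            return False, m.group(2).strip()
    return True, " ".join(l.strip() for l in lines if l.strip())


# Constructed sample outputs (not captured from a real kadmin).
SAMPLE_OK = ['Principal "svc/test@EXAMPLE.COM" created.\n']
SAMPLE_SPLIT_ERROR = ["get_principals: Operation requires ``list'' privilege ",
                      "while retrieving list.\r\n"]
SAMPLE_EXISTS = ['add_principal: Principal or policy already exists while '
                 'creating "svc/test@EXAMPLE.COM".\n']

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_SPLIT_ERROR, SAMPLE_EXISTS):
        print(kadmin_outcome(sample, exit_status=0))
```

Because the buffer only yields lines that end in a newline, the split error in SAMPLE_SPLIT_ERROR is seen whole; a matcher run on each raw chunk would have looked for the prefix in the second chunk and missed it.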

kadmin-remctl 1.1 (2007-05-31)

Add support for creating and manipulating account instances to kadmin-backend using a separate set of commands.

Add support in kadmin-backend for loading configuration from an external configuration file, which can override the defaults set at the top of the script.

Add support for reserved principals in kadmin-backend (principals that the script will refuse to act on).

For password change and reset, always return both an error: and a retstr: line to match the behavior of the old Kerberos v4 interface. Strip out the kpasswd advice to see its man page, since that text will mostly not be useful to our users.

On password reset, have kadmin-backend exit with a different exit status if the user does not have permission to change passwords for that account and use that exit status as a trigger in passwd_change to break out of the loop and not keep prompting for a new password.

Truncate error messages from kpasswd after the first sentence and replace newlines with spaces to put them on a single line. kpasswd is more verbose about its errors than kadmin.
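The three entries above on reply formatting (always both an error: and a retstr: line, a distinct exit status when the user may not change that password, and kpasswd errors cut to their first sentence on one line) are shown together in this added example, which is written here and is not kadmin-backend's code. It assumes the two-line reply layout the entries name but not their exact wording, picks constructed exit status values, detects a permission failure by a constructed list of phrases, and uses constructed kpasswd-style messages rather than captured ones.

```python
import re

EXIT_OK = 0
EXIT_ERROR = 1
EXIT_NOPERM = 2   # constructed value: caller may not change this password

# Phrases taken to mean the caller lacks rights; constructed for the example.
PERMISSION_RE = re.compile(r"permission|not authorized|insufficient access", re.I)


def one_line(message):
    """Collapse a multi-line error to its first sentence on one line.

    kpasswd is more talkative than kadmin and pads its errors with advice
    such as pointing at its man page; cutting after the first sentence
    drops that while keeping the part that says what went wrong.
    """
    text = " ".join(message.split())   # newlines and runs of blanks -> one space
    m = re.match(r"(.*?[.!?])(?:\s|$)", text)
    return m.group(1) if m else text


def reply(error="", retstr=""):
    """The two-line reply of the old Kerberos v4 interface: always both keys."""
    return "error: %s\nretstr: %s\n" % (error, retstr)


def password_result(ok, output=""):
    """Map a password change outcome to (exit status, reply text).

    A permission failure gets EXIT_NOPERM so that a client looping on
    "try another password" can tell that continuing is pointless.
    """
    if ok:
        return EXIT_OK, reply(retstr="Password changed.")   # constructed text
    msg = one_line(output)
    status = EXIT_NOPERM if PERMISSION_RE.search(msg) else EXIT_ERROR
    return status, reply(error=msg, retstr=msg)


# Constructed sample kpasswd output, not a capture.
SAMPLE_WEAK = ("Password is too short: it must be at least 8 characters long.\n"
               "Please see the kpasswd(1) man page for the password rules.\n")
SAMPLE_NOPERM = ("Insufficient access to change the password for this principal.\n"
                 "Contact your administrator.\n")

if __name__ == "__main__":
    print(password_result(False, SAMPLE_WEAK))
    print(password_result(False, SAMPLE_NOPERM))
    print(password_result(True))
```

The client side of this is a loop that reads the exit status: EXIT_ERROR means "prompt for another password", EXIT_NOPERM means "stop, no password will be accepted from this caller".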

kadmin-remctl 1.0 (2007-03-21)

First public release. Many defaults are hard-coded into source code and synchronization with an AFS kaserver realm is done using Stanford-specific external programs.
