| < kadmin-remctl README | Russ Allbery > Software > Orphaned Software > kadmin-remctl | kadmin-backend Manual Page > |
Add a new per-instance configuration option to set the password expiration time for newly-created principals. Be aware that this only controls the initial expiration period. After the first password change, further expiration periods are normally controlled by the KDC configuration or policy.
In the Heimdal backend, map password quality errors on account creation or password reset to a generic error. The kadmin protocol doesn't have a mechanism for passing back the rich error message from the password quality check, so all failures use the same error string. Remap it here, since the error message from Heimdal is of dubious accuracy. This will only apply to sites that have patched Heimdal to do password quality checks on administrative operations.
Update to rra-c-util 5.1:
Increase the timeout for initial authentication during a kpasswd password change to ten seconds, and the timeout for a successful password change to sixty seconds. The previous timeouts of two seconds and thirty seconds was occasionally too short in production. Also fix Perl warnings if the initial authentication or password change time out.
In the Heimdal backend, use get instead of list to check whether a given principal already exists. list requires a complete database traversal and is much more resource-intensive.
In the Heimdal backend, recognize the new form of the Heimdal kpasswd prompt to repeat the new password.
Stop mapping password quality errors in the Heimdal kpasswd backend. Instead, remove any prefix about an external password quality program and pass the rest of the error message back to the user.
Check the existence of the principal before enabling or disabling it in the Heimdal backend so that nonexistent principals report a clearer error message instead of an internal error about getAttributes failure.
Update to rra-c-util 4.10:
Remove some unnecessary includes.
Set the disallow-svr flag on all newly-created principals. This prohibits obtaining service tickets for the principal, which provides some hardening against brute force attacks. Since the create command is designed for creation of user principals, not service principals, and use of service tickets for user principals is quite obscure and rare in Kerberos, this seems like a better default.
Change the default allowed principal regex to allow two-character user principals. This is just a default and can be overridden by setting the allowed key in the configuration.
In the Heimdal version of kadmin-backend, retry the kadmin connection once if the first connection fails. This is a workaround for a transient networking error that we're seeing at Stanford and therefore may not be fully appropriate for other sites, but should hopefully be harmless. Also suppress the standard error output from the Heimdal library during connect since Heimdal::Kadm5 does not.
Clean up error reporting in the Heimdal version of kadmin-backend. Use the correct (rather than the documented) way to tell Heimdal::Kadm5 to throw exceptions, and ensure that all kadmin functions uniformly use the same standard error formatting and exit status for kadmin failures.
Exit with a non-zero status if the check_passwd command rejects the password. Previously, an error would be reported but the backend would always report a successful zero status if the password could be checked, even if it was rejected.
The Heimdal version of kadmin-backend now requires the IPC::Run Perl module (available from CPAN).
Produce a better error message when trying to change the password of a disabled account with the Heimdal backend.
When prompting for a username in passwd_change, strip any surrounding whitespace from that username before proceeding.
Update to rra-c-util 4.8:
Add support for a separate blacklist of principals whose passwords cannot be changed with reset_passwd but who do not themselves have the ability to reset passwords.
Properly handle incorrect password errors from Heimdal's kpasswd. Previously, if change_passwd failed because the original password was incorrect, kadmin-remctl-heim would output a confusing Expect error.
When creating principals for Heimdal, set a default set of attributes before making the principal. Heimdal::Kadm5 doesn't seem to be working properly with the default attributes from the default principal. This currently hard-codes enabling pre-auth for new principals and needs to be revisited.
Update to rra-c-util 3.6:
In the Heimdal backend, don't set KADM5_POLICY_NORMAL_MASK or KADM5_POLICY_CLR as attributes when creating a new principal. These are not valid attribute values and end up setting or clearing large numbers of other attributes.
In the Heimdal backend, don't unconditionally set the preauth required attribute on newly created principals. This should be handled using the "default" principal in Heimdal to configure the desired default principal lifetime and attributes.
kadmin-backend for an MIT Kerberos server no longer has the boolean checking configuration parameter, which said whether to do password checking. Instead, there is a new policy configuration parameter which, if set, sets that password policy for newly created accounts. To duplicate the previous behavior when checking was true, set policy to "standard".
Add an expiration command, which sets the expiration date of a principal. Based on a patch from Garrett Wollman.
Add a pwexpiration command, which sets the expiration date of the password of a principal.
Add a check_expire command, which returns the expiration date of either a principal or a password.
kadmin backend for an MIT Kerberos server now supports the create_opts configuration parameter, which adds additional options that are passed to kadmin addprinc when a principal is created. Based on a patch by Garrett Wollman.
Allow underscores in principal names by default in the examine function.
Update to rra-c-util 2.5:
Add kadmin-backend-heim, which duplicates the kadmin-backend functionality for Heimdal. The examine function of this backend duplicates the output of the MIT getprinc function so that the output is compatible with the output of kadmin-backend. This separate script is a temporary measure until both scripts can be refactored as Perl modules and use a better method to avoid code duplication.
Use the Heimdal external program API for password strength checking in kadmin-backend-heim and check password strength on create if strength checking is enabled for that instance, since the Heimdal kadmin API doesn't enforce password strength on passwords changed by administrators.
Allow - in principal names for the examine function.
Add new config item for each instance, locked. This optional value contains an array of a command and any arguments to it, which is called to determine if the instance is locked for some external policy reason. If so, the enable command will fail for this instance.
Significantly improve the error reporting in ksetpass and passwd_change by using modern Kerberos error functions where available, and avoid Kerberos API calls that are deprecated on Heimdal.
When enabling or disabling accounts in Active Directory via LDAP, send the required "replace: userAccountControl" portion of the LDIF.
Enable Automake silent rules. For a quieter build, pass the --enable-silent-rules option to configure or build with make V=0.
Update to rra-c-util 2.0:
Properly add support for examining principals with instances we don't manage. Previous versions were supposed to support this but didn't due to a bug in argument passing.
Improve the conversion of Kerberos v5 principal names to Kerberos v4 principal names for examine against an AFS kaserver, although it's still not as good as calling the Kerberos library routine would be.
Attempt to determine if the library directory for remctl (and the directory for Kerberos and GSS-API libraries if krb5-config isn't found) is lib32 or lib64 instead of lib and set LDFLAGS accordingly. Based on an idea from the CMU Autoconf macros.
Add --with-remctl-include, --with-remctl-lib, --with-gssapi-include, --with-gssapi-lib, --with-krb5-include, and --with-krb5-lib configure options to allow more specific setting of paths if necessary.
Check at configure time that we can link with the remctl library we found.
As of this release, AFS kaserver support is frozen and no longer tested. It may be removed in a future release if there is significant code restructuring.
Close the kasetkey output file descriptor before checking its exit status so that we get accurate results.
Produce better error messages if REMOTE_USER isn't set in the environment when checking authorization for instance management and document the use of REMOTE_USER in the man page.
kasetkey now supports examine, enable, and disable, so drop all remaining calls to a Kerberos v4 kadmin client and use kasetkey for all AFS kaserver integration.
Honor allowed regex configuration for valid principal names in examine as well.
Improve the library probing and allow for systems where shared library dependencies don't work properly.
If KRB5_CONFIG was explicitly set in the environment, don't use a different krb5-config based on --with-krb4 or --with-krb5. If krb5-config isn't executable, don't use it. This allows one to force library probing by setting KRB5_CONFIG to point to a nonexistent file.
Sanity-check the results of krb5-config before proceeding and error out in configure if they don't work.
Significantly rework kadmin-backend. The configuration variable for instance management has been renamed to %CONFIG and now must be set. It controls both instances and principals without instances. Many of the global settings have been moved into that hash and can be set per-instance. Particular instances may now be configured to only exist in Active Directory and bypass Kerberos v5 entirely.
Add the ksetpass client, which sets a Kerberos password via the password change protocol using an existing Kerberos ticket cache. Support using it for password resets in Active Directory and to work around a Windows Server 2008 bug that prevents setting passwords at the time of account creation when using GSS-API authentication. Based on work by Dmitri Priimak.
Support enable and disable commands for instance management as well.
Recognize instance list errors from kadmin correctly. kadmin returns errors prefixed by get_principals, not list_principals.
Allow for kadmin binaries that print error messages in two parts by waiting for the end of the line before extracting the error message.
When checking against ACLs, support include commands with the same syntax as remctld.
Change some kadmin-backend defaults to be less Stanford-specific.
Add support for optionally adding principals with instances created in Active Directory to an Active Directory authorization group at the time of creation.
Increase the timeouts in the Expect calls while performing the actual operation, since the propagation to Active Directory can take some time.
When stripping error messages for reporting to the user, don't stop stripping at newlines.
Add a newline after a remctl library error when reporting such errors to the user in passwd_change.
Add the $K5_HOST configuration variable to kadmin-backend which, if set, tells kadmin-backend to contact the given kadmin server instead of the default for the local realm.
Tweak kadmin-backend slightly so that it runs properly with Perl 5.6.1 without warnings.
Use the correct configuration key when reading the LDIF file to find the DN for deleting instances and extract just the DN rather than keeping the "dn: " prefix.
Active Directory expects passwords to be encoded in UCS-2LE. Change the password provided to the LDIF template to match those expectations and move the modules needed for talking to Active Directory to require statements from use statements so that those Perl modules aren't required unless Active Directory integration is desired.
When listing instances, add a wildcard after the instance pattern rather than letting kadmin append the local realm so that we can use the same code on development servers that may be serving different realms than the local realm.
Correctly handle errors on account creation in kadmin-backend. It was treating all Kerberos errors as success.
Kerberos v4 examine output faking was prepending "retstr: " even to error messages. Drop "retstr: " when there is an error.
Standardize across the non-instance functions of kadmin-backend the ordering of error and retstr messages and return retstr for the case of creating an account that already exists instead of just error.
Add support for propagation of instance creation and deletion into Active Directory.
When faking Kerberos v4 examine output in kadmin-backend, strip the time zone information from the Kerberos v5 timestamps. Kerberos v4 kadmin examine didn't include time zone information.
Fix the passwd_change configuration documentation to use the correct krb5.conf parameters.
Add support in passwd_change for reading configuration from the system krb5.conf and only use the compiled-in values as defaults.
Properly handle K4 output faking when the principal doesn't exist.
MIT Kerberos kadmin doesn't return a useful exit status in conjunction with -q. It always exits 0, even if the operation failed. Adjust for this by inspecting its output instead.
Add support for faking K4 kadmin examine output based on the K5 getprinc output, for backwards compatibility for Stanford Registry integration.
Support disabling all Kerberos v4 actions in kadmin-backend by setting one of the Kerberos v4 configuration variables to undef.
Handle CRs in the output of commands run via Expect in kadmin-backend.
Add support for creating and manipulating account instances to kadmin-backend using a separate set of commands.
Add support in kadmin-backend for loading configuration from an external configuration file, which can override the defaults set at the top of the script.
Add support for reserved principals in kadmin-backend (principals that the script will refuse to act on).
For password change and reset, always return both an error: and a retstr: line to match the behavior of the old Kerberos v4 interface. Strip out the kpasswd advice to see its man page, since that text will mostly not be useful to our users.
On password reset, have kadmin-backend exit with a different exit status if the user does not have permission to change passwords for that account and use that exit status as a trigger in passwd_change to break out of the loop and not keep prompting for a new password.
Truncate error messages from kpasswd after the first sentence and replace newlines with spaces to put them on a single line. kpasswd is more verbose about its errors than kadmin.
First public release. Many defaults are hard-coded into source code and synchronization with an AFS kaserver realm is done using Stanford-specific external programs.
| < kadmin-remctl README | Russ Allbery > Software > Orphaned Software > kadmin-remctl | kadmin-backend Manual Page > |