\fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP
creates the principal
.IR newprinc ,
-prompting twice for a password. This command requires the
+prompting twice for a password. If no policy is specified with the
+-policy option, and the policy named "default" exists, then that
+policy is assigned to the principal; note that the assignment of the
+policy "default" only occurs automatically when a principal is first
+created, so the policy "default" must already exist for the assignment
+to occur. This assignment of "default" can be suppressed with the
+-clearpolicy option. This command requires the
.I add
privilege. This command has the aliases
.B addprinc
explicity set the key version number.
.TP
\fB\-policy\fP \fIpolicy\fP
-policy used by this principal. If no policy is supplied, the principal
-will default to having no policy, and a warning message will be printed.
+policy used by this principal. If no policy is supplied, then if the
+policy "default" exists and the -clearpolicy is not also specified,
+then the policy "default" is used; otherwise, the principal
+will have no policy, and a warning message will be printed.
+.TP
+\fB\-clearpolicy\fP
+.B -clearpolicy
+prevents the policy "default" from being assigned when
+.B -policy
+is not specified. This option has no effect if the policy "default"
+does not exist.
.TP
{\fB\-\fP|\fB+\fP}\fBallow_postdated\fP
.B -allow_postdated
return;
}
-void kadmin_renprinc(argc, argv)
- int argc;
- char *argv[];
-{
- krb5_principal oldprinc, newprinc;
- char *oldcanon, *newcanon;
- char reply[5];
- kadm5_ret_t retval;
-
- if (! (argc == 3 ||
- (argc == 4 && !strcmp("-force", argv[1])))) {
- fprintf(stderr, "usage: rename_principal [-force] old new\n");
- return;
- }
- retval = kadmin_parse_name(argv[argc - 2], &oldprinc);
- if (retval) {
- com_err("rename_principal", retval, "while parsing old principal");
- return;
- }
- retval = kadmin_parse_name(argv[argc - 1], &newprinc);
- if (retval) {
- krb5_free_principal(context, oldprinc);
- com_err("rename_principal", retval, "while parsing new principal");
- return;
- }
- retval = krb5_unparse_name(context, oldprinc, &oldcanon);
- if (retval) {
- com_err("rename_principal", retval,
- "while canonicalizing old principal");
- krb5_free_principal(context, newprinc);
- krb5_free_principal(context, oldprinc);
- return;
- }
- retval = krb5_unparse_name(context, newprinc, &newcanon);
- if (retval) {
- com_err("rename_principal", retval,
- "while canonicalizing new principal");
- free(oldcanon);
- krb5_free_principal(context, newprinc);
- krb5_free_principal(context, oldprinc);
- return;
- }
- if (argc == 3) {
- printf("Are you sure you want to rename the principal \"%s\" to \"%s\"? (yes/no): ",
- oldcanon, newcanon);
- fgets(reply, sizeof (reply), stdin);
- if (strcmp("yes\n", reply)) {
- fprintf(stderr,
- "rename_principal: \"%s\" NOT renamed to \"%s\".\n",
- oldcanon, newcanon);
- free(newcanon);
- free(oldcanon);
- krb5_free_principal(context, newprinc);
- krb5_free_principal(context, oldprinc);
- return;
- }
- }
- retval = kadm5_rename_principal(handle, oldprinc, newprinc);
- krb5_free_principal(context, oldprinc);
- krb5_free_principal(context, newprinc);
- if (retval) {
- com_err("rename_principal", retval,
- "while renaming \"%s\" to \"%s\".", oldcanon,
- newcanon);
- free(newcanon);
- free(oldcanon);
- return;
- }
- printf("Principal \"%s\" renamed to \"%s\".\nMake sure that you have removed \"%s\" from all ACLs before reusing.\n",
- oldcanon, newcanon, oldcanon);
- return;
-}
-
void kadmin_cpw(argc, argv)
int argc;
char *argv[];
char *argv[];
{
kadm5_principal_ent_rec princ;
+ kadm5_policy_ent_rec defpol;
long mask;
int randkey = 0;
char *pass, *canon;
kadmin_addprinc_usage("add_principal");
return;
}
+
retval = krb5_unparse_name(context, princ.principal, &canon);
if (retval) {
com_err("add_principal",
krb5_free_principal(context, princ.principal);
return;
}
+
+ /*
+ * If -policy was not specified, and -clearpolicy was not
+ * specified, and the policy "default" exists, assign it. If
+ * -clearpolicy was specified, then KADM5_POLICY_CLR should be
+ * unset, since it is never valid for kadm5_create_principal.
+ */
+ if ((! (mask & KADM5_POLICY)) &&
+ (! (mask & KADM5_POLICY_CLR)) &&
+ (! (retval = kadm5_get_policy(handle, "default", &defpol)))) {
+ princ.policy = "default";
+ mask |= KADM5_POLICY;
+ (void) kadm5_free_policy_ent(handle, &defpol);
+ }
+ mask &= ~KADM5_POLICY_CLR;
+
if (randkey) { /* do special stuff if -randkey specified */
princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; /* set notix */
mask |= KADM5_ATTRIBUTES;