From: Greg Hudson Date: Sun, 4 Mar 2012 00:38:48 +0000 (+0000) Subject: Remove admin_keytab references in code and docs X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=f938afd6b6f61a96a0aa72c57a280aa721566fe6;p=krb5.git Remove admin_keytab references in code and docs The admin keytab hasn't been needed or used by kadmind since 1.4 (except possibly by legacy admin daemons which we no longer ship). Eliminate remaining references to it in code, test cases, and documentation. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25729 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/admin.texinfo b/doc/admin.texinfo index cf39f187c..33a53e156 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -1635,11 +1635,6 @@ subsection: uses to determine which principals are allowed which permissions on the database. The default is @code{@value{DefaultAclFile}}. -@itemx admin_keytab -(String.) Location of the keytab file that the legacy administration -daemons @code{kadmind4} and @code{v5passwdd} use to authenticate to -the database. The default is @code{@value{DefaultAdminKeytab}}. - @itemx default_principal_expiration (Absolute time string.) Specifies the default expiration date of principals created in this realm. The default value for this tag is diff --git a/doc/rst_source/krb_admins/admin_commands/kadmind.rst b/doc/rst_source/krb_admins/admin_commands/kadmind.rst index 9554a6f53..6228f1601 100644 --- a/doc/rst_source/krb_admins/admin_commands/kadmind.rst +++ b/doc/rst_source/krb_admins/admin_commands/kadmind.rst 
@@ -36,14 +36,6 @@ for it to work: some of which are optional. See the CONFIGURATION VALUES section below. -keytab - kadmind requires a keytab containing correct entries for the - ``kadmin/admin`` and ``kadmin/changepw`` principals for every - realm that kadmind will answer requests for. The keytab can be - created with the :ref:`kadmin(1)` client. The location of the - keytab is determined by the **admin_keytab** configuration - variable (see CONFIGURATION VALUES). - ACL file kadmind's ACL (access control list) tells it which principals are allowed to perform KADM5 administration actions. The path of the @@ -137,12 +129,6 @@ understands the following relations, all of which should appear in the **acl_file** The path of kadmind's ACL file. **Mandatory**. No default. -**admin_keytab** - The name of the keytab containing entries for the principals - ``kadmin/admin`` and ``kadmin/changepw`` in each realm that - kadmind will serve. The default is the value of the KRB5_KTNAME - environment variable, if defined. **Mandatory**. - **dict_file** The path of kadmind's password dictionary. A principal with any password policy will not be allowed to select any password in the diff --git a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst index 40d29b06d..013e8b3ec 100644 --- a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst +++ b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst @@ -97,12 +97,6 @@ subsection: which permissions on the database. The default is ``/usr/local/var/krb5kdc/kadm5.acl``. -**admin_keytab** - (String.) Location of the keytab file that the legacy - administration daemons kadmind4 and v5passwdd use to authenticate - to the database. The default is - ``/usr/local/var/krb5kdc/kadm5.keytab``. - **database_name** This string specifies the location of the Kerberos database for this realm. 
diff --git a/doc/rst_source/krb_admins/install_kdc.rst b/doc/rst_source/krb_admins/install_kdc.rst index 65580da74..634c82aa1 100644 --- a/doc/rst_source/krb_admins/install_kdc.rst +++ b/doc/rst_source/krb_admins/install_kdc.rst @@ -126,7 +126,6 @@ An example kdc.conf file:: # explicitly configure the following four values: # database_name = /var/krb5kdc/principal # key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU - # admin_keytab = FILE:/var/krb5kdc/kadm5.keytab # acl_file = /var/krb5kdc/kadm5.acl } @@ -142,7 +141,7 @@ your Kerberos realm and server respectively. .. note:: You have to have write permission on the target directories (these directories must exist) used by **database_name**, - **key_stash_file**, **admin_keytab**, and **acl_file**. + **key_stash_file**, and **acl_file**. .. _create_db: diff --git a/src/config-files/kdc.conf b/src/config-files/kdc.conf index 3355699ff..b17f3aaf9 100644 --- a/src/config-files/kdc.conf +++ b/src/config-files/kdc.conf @@ -4,7 +4,6 @@ [realms] ATHENA.MIT.EDU = { database_name = /usr/local/var/krb5kdc/principal - admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab acl_file = /usr/local/var/krb5kdc/kadm5.acl key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU kdc_ports = 750,88 diff --git a/src/config-files/kdc.conf.M b/src/config-files/kdc.conf.M index b47c25168..5e2e6506e 100644 --- a/src/config-files/kdc.conf.M +++ b/src/config-files/kdc.conf.M @@ -94,13 +94,6 @@ specifies the location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl. -.IP admin_keytab -This -.B string -Specifies the location of the keytab file that kadmin uses to -authenticate to the database. The default value is -/usr/local/var/krb5kdc/kadm5.keytab. - .IP database_name This .B string diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 21228babb..7ef421d2d 100644 --- a/src/include/k5-int.h 
+++ b/src/include/k5-int.h @@ -185,7 +185,6 @@ typedef INT64_TYPE krb5_int64; /* cofiguration variables */ #define KRB5_CONF_ACL_FILE "acl_file" -#define KRB5_CONF_ADMIN_KEYTAB "admin_keytab" #define KRB5_CONF_ADMIN_SERVER "admin_server" #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto" #define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type" diff --git a/src/kadmin/server/kadmind.M b/src/kadmin/server/kadmind.M index d54b7c215..83c67ec3e 100644 --- a/src/kadmin/server/kadmind.M +++ b/src/kadmin/server/kadmind.M @@ -32,19 +32,6 @@ understands a number of variable settings in this file, some of which are mandatory and some of which are optional. See the CONFIGURATION VALUES section below. .TP -keytab -.B Kadmind -requires a keytab containing correct entries for the -.I kadmin/admin -and -.I kadmin/changepw -principals for every realm that kadmind will answer requests for. The -keytab can be created with the -.IR kadmin (8) -client. The location of the keytab is determined by the -.I admin_keytab -configuration variable (see CONFIGURATION VALUES). -.TP ACL file .BR Kadmind 's ACL (access control list) tells it which principals are allowed to @@ -145,17 +132,6 @@ The path of kadmind's password dictionary. A principal with any password policy will not be allowed to select any password in the dictionary. Optional. No default. .TP -admin_keytab -The name of the keytab containing entries for the principals -.I kadmin/admin -and -.I kadmin/changepw -in each realm that -.B kadmind -will serve. The default is the value of the -.SM KRB5_KTNAME -environment variable, if defined. Mandatory. -.TP kadmind_port The .SM TCP diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto index 6f9edeb5b..943270d98 100644 --- a/src/kadmin/testing/proto/kdc.conf.proto +++ b/src/kadmin/testing/proto/kdc.conf.proto 
@@ -5,7 +5,6 @@ __REALM__ = { profile = __K5ROOT__/krb5.conf database_name = __K5ROOT__/kdb5 - admin_keytab = __K5ROOT__/ovsec_adm.srvtab key_stash_file = __K5ROOT__/.k5.__REALM__ acl_file = __K5ROOT__/ovsec_adm.acl dict_file = __K5ROOT__/ovsec_adm.dict diff --git a/src/kadmin/testing/tcl/util.t b/src/kadmin/testing/tcl/util.t index 772160990..6751f89e6 100644 --- a/src/kadmin/testing/tcl/util.t +++ b/src/kadmin/testing/tcl/util.t @@ -29,8 +29,6 @@ proc config_params {masks values} { "KADM5_CONFIG_ADBNAME" {set params [lreplace $params 5 5 $value]} "KADM5_CONFIG_ADB_LOCKFILE" { set params [lreplace $params 6 6 $value]} - "KADM5_CONFIG_ADMIN_KEYTAB" { - set params [lreplace $params 7 7 $value]} "KADM5_CONFIG_ACL_FILE" {set params [lreplace $params 8 8 $value]} "KADM5_CONFIG_DICT_FILE" { set params [lreplace $params 9 9 $value]} diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c index b33cf0a0f..0d9c7f11d 100644 --- a/src/kadmin/testing/util/tcl_kadm5.c +++ b/src/kadmin/testing/util/tcl_kadm5.c @@ -86,7 +86,6 @@ static struct flagval config_mask_flags[] = { {"KADM5_CONFIG_MAX_RLIFE", KADM5_CONFIG_MAX_RLIFE}, {"KADM5_CONFIG_EXPIRATION", KADM5_CONFIG_EXPIRATION}, {"KADM5_CONFIG_FLAGS", KADM5_CONFIG_FLAGS}, - {"KADM5_CONFIG_ADMIN_KEYTAB", KADM5_CONFIG_ADMIN_KEYTAB}, {"KADM5_CONFIG_STASH_FILE", KADM5_CONFIG_STASH_FILE}, {"KADM5_CONFIG_ENCTYPE", KADM5_CONFIG_ENCTYPE}, {"KADM5_CONFIG_ADBNAME", KADM5_CONFIG_ADBNAME}, 
@@ -1033,11 +1032,7 @@ static int parse_config_params(Tcl_Interp *interp, char *list, } /* Ignore argv[5], which used to set the admin_dbname field. */ /* Ignore argv[6], which used to set the admin_lockfile field. */ - if ((retcode = parse_str(interp, argv[7], ¶ms->admin_keytab)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing admin_keytab name"); - retcode = TCL_ERROR; - goto finished; - } + /* Ignore argv[7], which used to set the admin_keytab field. */ if ((retcode = parse_str(interp, argv[8], ¶ms->acl_file)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing acl_file name"); retcode = TCL_ERROR; diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h index d1a76f737..4ce56c626 100644 --- a/src/lib/kadm5/admin.h +++ b/src/lib/kadm5/admin.h @@ -134,7 +134,7 @@ typedef long kadm5_ret_t; #define KADM5_CONFIG_MAX_RLIFE 0x00000010 #define KADM5_CONFIG_EXPIRATION 0x00000020 #define KADM5_CONFIG_FLAGS 0x00000040 -#define KADM5_CONFIG_ADMIN_KEYTAB 0x00000080 +/*#define KADM5_CONFIG_ADMIN_KEYTAB 0x00000080*/ #define KADM5_CONFIG_STASH_FILE 0x00000100 #define KADM5_CONFIG_ENCTYPE 0x00000200 #define KADM5_CONFIG_ADBNAME 0x00000400 @@ -240,7 +240,6 @@ typedef struct _kadm5_config_params { file. */ char * dbname; - char * admin_keytab; char * acl_file; char * dict_file; diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c index 35f078e1a..f182ce643 100644 --- a/src/lib/kadm5/alt_prof.c +++ b/src/lib/kadm5/alt_prof.c 
@@ -616,17 +616,6 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, GET_STRING_PARAM(dbname, KADM5_CONFIG_DBNAME, KRB5_CONF_DATABASE_NAME, DEFAULT_KDB_FILE); - /* Get the value for the admin (policy) database lock file*/ - if (!GET_STRING_PARAM(admin_keytab, KADM5_CONFIG_ADMIN_KEYTAB, - KRB5_CONF_ADMIN_KEYTAB, NULL)) { - const char *s = getenv("KRB5_KTNAME"); - if (s == NULL) - s = DEFAULT_KADM5_KEYTAB; - params.admin_keytab = strdup(s); - if (params.admin_keytab) - params.mask |= KADM5_CONFIG_ADMIN_KEYTAB; - } - /* Get the name of the acl file */ GET_STRING_PARAM(acl_file, KADM5_CONFIG_ACL_FILE, KRB5_CONF_ACL_FILE, DEFAULT_KADM5_ACL_FILE); @@ -862,7 +851,6 @@ kadm5_free_config_params(context, params) free(params->stash_file); free(params->keysalts); free(params->admin_server); - free(params->admin_keytab); free(params->dict_file); free(params->acl_file); free(params->realm); diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c index a1d20fb7e..a8abebfcf 100644 --- a/src/lib/kadm5/clnt/client_init.c +++ b/src/lib/kadm5/clnt/client_init.c @@ -236,8 +236,7 @@ init_any(krb5_context context, char *client_name, enum init_type init_type, #define ILLEGAL_PARAMS (KADM5_CONFIG_DBNAME | KADM5_CONFIG_ADBNAME | \ KADM5_CONFIG_ADB_LOCKFILE | \ KADM5_CONFIG_ACL_FILE | KADM5_CONFIG_DICT_FILE \ - | KADM5_CONFIG_ADMIN_KEYTAB | \ - KADM5_CONFIG_STASH_FILE | \ + | KADM5_CONFIG_STASH_FILE | \ KADM5_CONFIG_MKEY_NAME | KADM5_CONFIG_ENCTYPE \ | KADM5_CONFIG_MAX_LIFE | \ KADM5_CONFIG_MAX_RLIFE | \ diff --git a/src/man/kadmind.8 b/src/man/kadmind.8 index b4eade4ef..5f622d245 100644 --- a/src/man/kadmind.8 +++ b/src/man/kadmind.8 
@@ -49,12 +49,6 @@ The KDC configuration file contains configuration information for the KDC and th of variable settings in this file, some of which are mandatory and some of which are optional. See the CONFIGURATION VALUES section below. .TP -.B \fIkeytab\fP -.sp -Kadmind requires a keytab containing correct entries for the kadmin/admin and kadmin/changepw principals for every realm that -\fIkadmind\fP will answer requests for. The keytab can be created with the kadmin(8) client. -The location of the keytab is determined by the \fIadmin_keytab\fP configuration variable (see CONFIGURATION VALUES). -.TP .B \fIACL\fP file .sp \fIkadmind\fP\(aqs \fIACL\fP (access control list) tells it which principals are allowed to perform KADM5 administration actions. @@ -146,11 +140,6 @@ all of which should appear in the [realms] section: .sp The path of \fIkadmind\fP\(aqs \fIACL\fP file. \fBMandatory\fP. No default. .TP -.B \fBadmin_keytab\fP -.sp -The name of the keytab containing entries for the principals kadmin/admin and kadmin/changepw in each realm that \fIkadmind\fP will -serve. The default is the value of the KRB5_KTNAME environment variable, if defined. \fBMandatory\fP. -.TP .B \fBdict_file\fP .sp The path of \fIkadmind\fP\(aqs password dictionary. A principal with any password policy will not be allowed to select any password in diff --git a/src/man/kdc.conf.5 b/src/man/kdc.conf.5 index 7f7668431..49f300773 100644 --- a/src/man/kdc.conf.5 +++ b/src/man/kdc.conf.5 
@@ -101,10 +101,6 @@ For each realm, the following tags may be specified in the [realms] subsection: .sp (String.) Location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions on the database. The default is \fI/usr/local/var/krb5kdc/kadm5.acl\fP. .TP -.B \fBadmin_keytab\fP -.sp -(String.) Location of the keytab file that the legacy administration daemons kadmind4 and v5passwdd use to authenticate to the database. The default is \fI/usr/local/var/krb5kdc/kadm5.keytab\fP. -.TP .B \fBdatabase_name\fP .sp This string specifies the location of the Kerberos database for this realm. diff --git a/src/tests/kdc_realm/input_conf/kdc_pri_template.conf b/src/tests/kdc_realm/input_conf/kdc_pri_template.conf index 31b2f9232..286760717 100755 --- a/src/tests/kdc_realm/input_conf/kdc_pri_template.conf +++ b/src/tests/kdc_realm/input_conf/kdc_pri_template.conf @@ -4,7 +4,6 @@ [realms] Y.COM = { database_name = %(tier2)s/principal - admin_keytab = FILE:%(tier2)s/kadm5.keytab acl_file = %(tier2)s/kadm5.acl key_stash_file = %(tier2)s/.k5.ATHENA.MIT.EDU kdc_ports = 7777 diff --git a/src/tests/kdc_realm/input_conf/kdc_ref_template.conf b/src/tests/kdc_realm/input_conf/kdc_ref_template.conf index 819713c18..fc5101059 100755 --- a/src/tests/kdc_realm/input_conf/kdc_ref_template.conf +++ b/src/tests/kdc_realm/input_conf/kdc_ref_template.conf @@ -4,7 +4,6 @@ [realms] Z.COM = { database_name = %(tier1)s/principal - admin_keytab = FILE:%(tier1)s/kadm5.keytab acl_file = %(tier1)s/kadm5.acl key_stash_file = %(tier1)s/.k5.ATHENA.MIT.EDU kdc_ports = 7778 diff --git a/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf b/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf index 94a82a752..559eabff0 100644 --- a/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf +++ b/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf 
@@ -6,7 +6,6 @@ database_name = %(sandir)s/krb5kdc/principal acl_file = %(sandir)s/kadm5.acl key_stash_file = %(sandir)s/krb5kdc/.k5.EXAMPLE.ORG - admin_keytab = FILE:%(sandir)s/krb5kdc/kadm5.keytab kdc_ports = 8888 kpasswd_port = 8887 kadmind_port = 8886
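Review bot: In doc/rst_source/krb_admins/conf_files/kdc_conf.rst (@@ -97,12 +97,6 @@), the admin_keytab entry is deleted outright, so an administrator whose kdc.conf still carries the relation finds no documentation for it. The sample and test configs touched by this same patch all contained an admin_keytab line, which suggests deployed files do too. Consider replacing the entry with a short note that the relation is obsolete and ignored, rather than removing it silently. Since the removed kadmind text describes the keytab as holding kadmin/admin and kadmin/changepw entries, the note could also say that the file is no longer read and can be retired.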
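Review bot: In doc/rst_source/krb_admins/install_kdc.rst, the example kdc.conf hunk (@@ -126,7 +126,6 @@) leaves the context comment "# explicitly configure the following four values:" above a list that now has only three entries (database_name, key_stash_file, acl_file). Change "four" to "three" in the same commit so the example stays consistent with the note in the next hunk, which was updated to list three relations.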
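Review bot: In src/lib/kadm5/admin.h (@@ -134,7 +134,7 @@), KADM5_CONFIG_ADMIN_KEYTAB is left behind as a commented-out #define with no explanation of why it is kept. If the intent is to stop bit 0x00000080 from being reassigned to a new mask flag, say that in a real comment, for example "0x00000080 was KADM5_CONFIG_ADMIN_KEYTAB; reserved", in the style of the "Ignore argv[7]" comment added in tcl_kadm5.c. Otherwise delete the line.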
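Review bot: In src/lib/kadm5/admin.h (@@ -240,7 +240,6 @@), removing "char * admin_keytab;" from the middle of struct _kadm5_config_params shifts the offset of acl_file, dict_file and every later member. A caller built against the previous header would then hand the library a struct whose pointers are read from the wrong slots. Nothing in the visible hunks changes a library version, so either keep a placeholder member at this position (marked unused) or pair the removal with a version bump and mention the layout change in the commit message.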
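Review bot: In src/lib/kadm5/alt_prof.c (@@ -616,17 +616,6 @@), the deleted block was a user of DEFAULT_KADM5_KEYTAB, and the admin.texinfo hunk likewise drops a use of @value{DefaultAdminKeytab}, but no visible hunk removes either definition. If these were the last references, remove the definitions in the same commit so the dead default path does not linger. If other code still uses them, a line in the commit message saying so would save the next reader a grep.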
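Review bot: In src/lib/kadm5/clnt/client_init.c (@@ -236,8 +236,7 @@), dropping KADM5_CONFIG_ADMIN_KEYTAB from ILLEGAL_PARAMS means a client mask with bit 0x00000080 set is no longer covered by this check. Assuming init_any tests the caller's mask against ILLEGAL_PARAMS, an old caller that sets the bit previously got an error and now passes silently. Since admin.h keeps the value reserved in a comment, consider keeping the literal 0x00000080 in ILLEGAL_PARAMS with a short comment, so the client-side behaviour for that bit does not change.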