                    User-Visible kadmin-remctl Changes

kadmin-remctl 3.6 (2014-01-15)

    Add a new per-instance configuration option to set the password
    expiration time for newly-created principals.  Be aware that this only
    controls the initial expiration period.  After the first password
    change, further expiration periods are normally controlled by the KDC
    configuration or policy.

    In the Heimdal backend, map password quality errors on account
    creation or password reset to a generic error.  The kadmin protocol
    doesn't have a mechanism for passing back the rich error message from
    the password quality check, so all failures use the same error string.
    Remap it here, since the error message from Heimdal is of dubious
    accuracy.  This will only apply to sites that have patched Heimdal to
    do password quality checks on administrative operations.

    Update to rra-c-util 5.1:

    * Don't attempt to use Kerberos if no Kerberos error APIs were found.
    * Improve error handling in xasprintf and xvasprintf.
    * Check the return status of snprintf and vsnprintf properly.
    * Preserve errno if snprintf fails in vasprintf replacement.

kadmin-remctl 3.5 (2013-10-10)

    Increase the timeout for initial authentication during a kpasswd
    password change to ten seconds, and the timeout for a successful
    password change to sixty seconds.  The previous timeouts of two
    seconds and thirty seconds was occasionally too short in production.
    Also fix Perl warnings if the initial authentication or password
    change time out.

    In the Heimdal backend, use get instead of list to check whether a
    given principal already exists.  list requires a complete database
    traversal and is much more resource-intensive.

    In the Heimdal backend, recognize the new form of the Heimdal kpasswd
    prompt to repeat the new password.

    Stop mapping password quality errors in the Heimdal kpasswd backend.
    Instead, remove any prefix about an external password quality program
    and pass the rest of the error message back to the user.

    Check the existence of the principal before enabling or disabling it
    in the Heimdal backend so that nonexistent principals report a clearer
    error message instead of an internal error about getAttributes
    failure.

    Update to rra-c-util 4.10:

    * Remove some unnecessary includes.

kadmin-remctl 3.4 (2013-07-09)

    Set the disallow-svr flag on all newly-created principals.  This
    prohibits obtaining service tickets for the principal, which provides
    some hardening against brute force attacks.  Since the create command
    is designed for creation of user principals, not service principals,
    and use of service tickets for user principals is quite obscure and
    rare in Kerberos, this seems like a better default.

    Change the default allowed principal regex to allow two-character user
    principals.  This is just a default and can be overridden by setting
    the allowed key in the configuration.

kadmin-remctl 3.3 (2013-03-25)

    In the Heimdal version of kadmin-backend, retry the kadmin connection
    once if the first connection fails.  This is a workaround for a
    transient networking error that we're seeing at Stanford and therefore
    may not be fully appropriate for other sites, but should hopefully be
    harmless.  Also suppress the standard error output from the Heimdal
    library during connect since Heimdal::Kadm5 does not.

    Clean up error reporting in the Heimdal version of kadmin-backend.
    Use the correct (rather than the documented) way to tell
    Heimdal::Kadm5 to throw exceptions, and ensure that all kadmin
    functions uniformly use the same standard error formatting and exit
    status for kadmin failures.

    Exit with a non-zero status if the check_passwd command rejects the
    password.  Previously, an error would be reported but the backend
    would always report a successful zero status if the password could be
    checked, even if it was rejected.

    The Heimdal version of kadmin-backend now requires the IPC::Run Perl
    module (available from CPAN).

    Produce a better error message when trying to change the password of a
    disabled account with the Heimdal backend.

    When prompting for a username in passwd_change, strip any surrounding
    whitespace from that username before proceeding.

    Update to rra-c-util 4.8:

    * Fix Heimdal libroken probes for old versions of Heimdal.
    * Fix Kerberos header probing with non-standard include paths.
    * Pass --deps to krb5-config if it is supported.
    * Properly find krb5.h on NetBSD systems.
    * Fix stripping of -I/usr/include from krb5-config output.
    * Avoid using krb5-config if specific Kerberos paths are configured.
    * Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config.
    * Replace concat with xasprintf.
    * xasprintf is now void and always calls the failure handler on error.
    * Improve __attribute__ portability to old GCC or non-GCC compilers.
    * Add -D_FORTIFY_SOURCE=2 to make warnings flags.
    * Probe for ssize_t and replace it in portable/system.h if not found.
    * Include strings.h in portable/system.h if it exists.
    * Add a pointer to rra-c-util in all files.

kadmin-remctl 3.2 (2011-06-09)

    Add support for a separate blacklist of principals whose passwords
    cannot be changed with reset_passwd but who do not themselves have the
    ability to reset passwords.

    Properly handle incorrect password errors from Heimdal's kpasswd.
    Previously, if change_passwd failed because the original password was
    incorrect, kadmin-remctl-heim would output a confusing Expect error.

    When creating principals for Heimdal, set a default set of attributes
    before making the principal.  Heimdal::Kadm5 doesn't seem to be
    working properly with the default attributes from the default
    principal.  This currently hard-codes enabling pre-auth for new
    principals and needs to be revisited.

    Update to rra-c-util 3.6:

    * Check for krb5-config in /usr/kerberos/bin as well as user's PATH.
    * Add replacement for krb5_appdefault_* functions for AIX Kerberos.
    * Fix broken GCC attribute markers.
    * Fix Kerberos library probing without transitive shared libraries.
    * Suppress warnings when probing for AIX-only Kerberos headers.
    * Support Heimdal GSS-API on OpenBSD without a separate libroken.
    * Update GCC warning flags for GCC 4.6.1.

kadmin-remctl 3.1 (2010-07-21)

    In the Heimdal backend, don't set KADM5_POLICY_NORMAL_MASK or
    KADM5_POLICY_CLR as attributes when creating a new principal.  These
    are not valid attribute values and end up setting or clearing large
    numbers of other attributes.

    In the Heimdal backend, don't unconditionally set the preauth required
    attribute on newly created principals.  This should be handled using
    the "default" principal in Heimdal to configure the desired default
    principal lifetime and attributes.

    kadmin-backend for an MIT Kerberos server no longer has the boolean
    checking configuration parameter, which said whether to do password
    checking.  Instead, there is a new policy configuration parameter
    which, if set, sets that password policy for newly created accounts.
    To duplicate the previous behavior when checking was true, set policy
    to "standard".

    Add an expiration command, which sets the expiration date of a
    principal.  Based on a patch from Garrett Wollman.

    Add a pwexpiration command, which sets the expiration date of the
    password of a principal.

    Add a check_expire command, which returns the expiration date of
    either a principal or a password.

    kadmin backend for an MIT Kerberos server now supports the create_opts
    configuration parameter, which adds additional options that are passed
    to kadmin addprinc when a principal is created.  Based on a patch by
    Garrett Wollman.

    Allow underscores in principal names by default in the examine
    function.

    Update to rra-c-util 2.5:

    * Restore default settings after probing for GSS-API libraries.
    * Support the *BSD build of Heimdal in the Kerberos probes.
    * Fix krb5_free_error_message replacement for older Kerberos libraries.

kadmin-remctl 3.0 (2010-02-17)

    Add kadmin-backend-heim, which duplicates the kadmin-backend
    functionality for Heimdal.  The examine function of this backend
    duplicates the output of the MIT getprinc function so that the output
    is compatible with the output of kadmin-backend.  This separate script
    is a temporary measure until both scripts can be refactored as Perl
    modules and use a better method to avoid code duplication.

    Use the Heimdal external program API for password strength checking in
    kadmin-backend-heim and check password strength on create if strength
    checking is enabled for that instance, since the Heimdal kadmin API
    doesn't enforce password strength on passwords changed by
    administrators.

    Allow - in principal names for the examine function.

    Add new config item for each instance, locked.  This optional value
    contains an array of a command and any arguments to it, which is 
    called to determine if the instance is locked for some external 
    policy reason.  If so, the enable command will fail for this instance.

    Significantly improve the error reporting in ksetpass and
    passwd_change by using modern Kerberos error functions where
    available, and avoid Kerberos API calls that are deprecated on
    Heimdal.

kadmin-remctl 2.4 (2009-10-05)

    When enabling or disabling accounts in Active Directory via LDAP, send
    the required "replace: userAccountControl" portion of the LDIF.

    Enable Automake silent rules.  For a quieter build, pass the
    --enable-silent-rules option to configure or build with make V=0.

    Update to rra-c-util 2.0:

    * Sanity-check the results of krb5-config before proceeding.
    * Fall back on manual probing if krb5-config results don't work.
    * Don't break if the user clobbers CPPFLAGS or LDFLAGS at build time.
    * Support Solaris 10's native generic GSS-API libraries.
    * Require Autoconf 2.64 and Automake 1.11.

kadmin-remctl 2.3 (2009-01-07)

    Properly add support for examining principals with instances we don't
    manage.  Previous versions were supposed to support this but didn't
    due to a bug in argument passing.

    Improve the conversion of Kerberos v5 principal names to Kerberos v4
    principal names for examine against an AFS kaserver, although it's
    still not as good as calling the Kerberos library routine would be.

    Attempt to determine if the library directory for remctl (and the
    directory for Kerberos and GSS-API libraries if krb5-config isn't
    found) is lib32 or lib64 instead of lib and set LDFLAGS accordingly.
    Based on an idea from the CMU Autoconf macros.

    Add --with-remctl-include, --with-remctl-lib, --with-gssapi-include,
    --with-gssapi-lib, --with-krb5-include, and --with-krb5-lib configure
    options to allow more specific setting of paths if necessary.

    Check at configure time that we can link with the remctl library we
    found.

kadmin-remctl 2.2 (2008-07-31)

    As of this release, AFS kaserver support is frozen and no longer
    tested.  It may be removed in a future release if there is significant
    code restructuring.

    Close the kasetkey output file descriptor before checking its exit
    status so that we get accurate results.

    Produce better error messages if REMOTE_USER isn't set in the
    environment when checking authorization for instance management and
    document the use of REMOTE_USER in the man page.

kadmin-remctl 2.1 (2008-04-25)

    kasetkey now supports examine, enable, and disable, so drop all
    remaining calls to a Kerberos v4 kadmin client and use kasetkey for
    all AFS kaserver integration.

    Honor allowed regex configuration for valid principal names in examine
    as well.

    Improve the library probing and allow for systems where shared library
    dependencies don't work properly.

    If KRB5_CONFIG was explicitly set in the environment, don't use a
    different krb5-config based on --with-krb4 or --with-krb5.  If
    krb5-config isn't executable, don't use it.  This allows one to force
    library probing by setting KRB5_CONFIG to point to a nonexistent file.

    Sanity-check the results of krb5-config before proceeding and error
    out in configure if they don't work.

kadmin-remctl 2.0 (2008-03-25)

    Significantly rework kadmin-backend.  The configuration variable for
    instance management has been renamed to %CONFIG and now must be set.
    It controls both instances and principals without instances.  Many of
    the global settings have been moved into that hash and can be set
    per-instance.  Particular instances may now be configured to only
    exist in Active Directory and bypass Kerberos v5 entirely.

    Add the ksetpass client, which sets a Kerberos password via the
    password change protocol using an existing Kerberos ticket cache.
    Support using it for password resets in Active Directory and to work
    around a Windows Server 2008 bug that prevents setting passwords at
    the time of account creation when using GSS-API authentication.  Based
    on work by Dmitri Priimak.

    Support enable and disable commands for instance management as well.

    Recognize instance list errors from kadmin correctly.  kadmin returns
    errors prefixed by get_principals, not list_principals.

    Allow for kadmin binaries that print error messages in two parts by
    waiting for the end of the line before extracting the error message.

    When checking against ACLs, support include commands with the same
    syntax as remctld.

    Change some kadmin-backend defaults to be less Stanford-specific.

kadmin-remctl 1.9 (2007-09-11)

    Add support for optionally adding principals with instances created in
    Active Directory to an Active Directory authorization group at the
    time of creation.

kadmin-remctl 1.8 (2007-08-08)

    Increase the timeouts in the Expect calls while performing the actual
    operation, since the propagation to Active Directory can take some
    time.

    When stripping error messages for reporting to the user, don't stop
    stripping at newlines.

    Add a newline after a remctl library error when reporting such errors
    to the user in passwd_change.

kadmin-remctl 1.7 (2007-08-06)

    Add the $K5_HOST configuration variable to kadmin-backend which, if
    set, tells kadmin-backend to contact the given kadmin server instead
    of the default for the local realm.

    Tweak kadmin-backend slightly so that it runs properly with Perl
    5.6.1 without warnings.

kadmin-remctl 1.6 (2007-07-13)

    Use the correct configuration key when reading the LDIF file to find
    the DN for deleting instances and extract just the DN rather than
    keeping the "dn: " prefix.

    Active Directory expects passwords to be encoded in UCS-2LE.  Change
    the password provided to the LDIF template to match those expectations
    and move the modules needed for talking to Active Directory to
    require statements from use statements so that those Perl modules
    aren't required unless Active Directory integration is desired.

    When listing instances, add a wildcard after the instance pattern
    rather than letting kadmin append the local realm so that we can use
    the same code on development servers that may be serving different
    realms than the local realm.

    Correctly handle errors on account creation in kadmin-backend.  It was
    treating all Kerberos errors as success.

    Kerberos v4 examine output faking was prepending "retstr: " even to
    error messages.  Drop "retstr: " when there is an error.

    Standardize across the non-instance functions of kadmin-backend the
    ordering of error and retstr messages and return retstr for the case
    of creating an account that already exists instead of just error.

kadmin-remctl 1.5 (2007-07-11)

    Add support for propagation of instance creation and deletion into
    Active Directory.

    When faking Kerberos v4 examine output in kadmin-backend, strip the
    time zone information from the Kerberos v5 timestamps.  Kerberos v4
    kadmin examine didn't include time zone information.

    Fix the passwd_change configuration documentation to use the correct
    krb5.conf parameters.

kadmin-remctl 1.4 (2007-06-28)

    Add support in passwd_change for reading configuration from the system
    krb5.conf and only use the compiled-in values as defaults.

    Properly handle K4 output faking when the principal doesn't exist.

kadmin-remctl 1.3 (2007-06-11)

    MIT Kerberos kadmin doesn't return a useful exit status in conjunction
    with -q.  It always exits 0, even if the operation failed.  Adjust for
    this by inspecting its output instead.

    Add support for faking K4 kadmin examine output based on the K5
    getprinc output, for backwards compatibility for Stanford Registry
    integration.

kadmin-remctl 1.2 (2007-06-05)

    Support disabling all Kerberos v4 actions in kadmin-backend by setting
    one of the Kerberos v4 configuration variables to undef.

    Handle CRs in the output of commands run via Expect in kadmin-backend.

kadmin-remctl 1.1 (2007-05-31)

    Add support for creating and manipulating account instances to
    kadmin-backend using a separate set of commands.

    Add support in kadmin-backend for loading configuration from an
    external configuration file, which can override the defaults set at
    the top of the script.

    Add support for reserved principals in kadmin-backend (principals that
    the script will refuse to act on).

    For password change and reset, always return both an error: and a
    retstr: line to match the behavior of the old Kerberos v4 interface.
    Strip out the kpasswd advice to see its man page, since that text will
    mostly not be useful to our users.

    On password reset, have kadmin-backend exit with a different exit
    status if the user does not have permission to change passwords for
    that account and use that exit status as a trigger in passwd_change to
    break out of the loop and not keep prompting for a new password.

    Truncate error messages from kpasswd after the first sentence and
    replace newlines with spaces to put them on a single line.  kpasswd is
    more verbose about its errors than kadmin.

kadmin-remctl 1.0 (2007-03-21)

    First public release.  Many defaults are hard-coded into source code
    and synchronization with an AFS kaserver realm is done using
    Stanford-specific external programs.
