From eb42bf70756786f3edb77fb01b9483f38f5983fd Mon Sep 17 00:00:00 2001
From: Hans Insulander
Date: Mon, 25 Jun 2001 04:43:38 +0000
Subject: /etc/krb5.conf -> /etc/kerberosV/krb5.conf /etc/krb5.keytab -> /etc/kerberosV/krb5.keytab
---
 kerberosV/src/kdc/kdc.8 | 18 ++++----
 kerberosV/src/kuser/kinit.1 | 37 +++++++++++------
 kerberosV/src/lib/krb5/krb5.conf.5 | 66 ++++++++++++++++++++++++++----
 kerberosV/src/lib/krb5/krb5_init_context.3 | 2 +-
 kerberosV/src/lib/krb5/krb5_keytab.3 | 2 +-
 5 files changed, 96 insertions(+), 29 deletions(-)
(limited to 'kerberosV')
diff --git a/kerberosV/src/kdc/kdc.8 b/kerberosV/src/kdc/kdc.8
index 146b77ace6d..a0f025ec59c 100644
--- a/kerberosV/src/kdc/kdc.8
+++ b/kerberosV/src/kdc/kdc.8
@@ -1,29 +1,31 @@
-.\" $KTH: kdc.8,v 1.11 2001/01/26 22:46:28 assar Exp $
+.\" $KTH: kdc.8,v 1.13 2001/06/08 21:35:32 joda Exp $
 .\"
 .Dd July 27, 1997
 .Dt KDC 8
 .Os HEIMDAL
 .Sh NAME
 .Nm kdc
-.Nd
-Kerberos 5 server
+.Nd Kerberos 5 server
 .Sh SYNOPSIS
 .Nm
 .Oo Fl c Ar file \*(Ba Xo
-.Fl -config-file= Ns Ar file Oc
+.Fl -config-file= Ns Ar file
 .Xc
+.Oc
 .Op Fl p | Fl -no-require-preauth
 .Op Fl -max-request= Ns Ar size
 .Op Fl H | Fl -enable-http
 .Oo Fl r Ar string \*(Ba Xo
-.Fl -v4-realm= Ns Ar string Oc
+.Fl -v4-realm= Ns Ar string
 .Xc
+.Oc
 .Op Fl K | Fl -no-kaserver
 .Op Fl r Ar realm
 .Op Fl -v4-realm= Ns Ar realm
 .Oo Fl P Ar string \*(Ba Xo
-.Fl -ports= Ns Ar string Oc
+.Fl -ports= Ns Ar string
 .Xc
+.Oc
 .Op Fl -addresses= Ns Ar list of addresses
 .Sh DESCRIPTION
 .Nm
@@ -97,9 +99,9 @@ The entity used for logging is
 The configuration file has the same syntax as the
 .Pa krb5.conf
 file (you can actually put the configuration in
-.Pa /etc/krb5.conf ,
+.Pa /etc/kerberosV/krb5.conf ,
 and then start the KDC with
-.Fl -config-file= Ns Ar /etc/krb5.conf ) .
+.Fl -config-file= Ns Ar /etc/kerberosV/krb5.conf ) .
 All options should be in a section called
 .Dq kdc .
 All the command-line options can preferably be added in the
diff --git a/kerberosV/src/kuser/kinit.1 b/kerberosV/src/kuser/kinit.1
index 3648d109165..9bd905d8676 100644
--- a/kerberosV/src/kuser/kinit.1
+++ b/kerberosV/src/kuser/kinit.1
@@ -1,4 +1,4 @@
-.\" $KTH: kinit.1,v 1.8 2001/01/28 21:44:56 assar Exp $
+.\" $KTH: kinit.1,v 1.11 2001/06/08 21:35:32 joda Exp $
 .\"
 .Dd May 29, 1998
 .Dt KINIT 1
@@ -6,45 +6,51 @@
 .Sh NAME
 .Nm kinit ,
 .Nm kauth
-.Nd
-acquire initial tickets
+.Nd acquire initial tickets
 .Sh SYNOPSIS
 .Nm kinit
 .Op Fl 4 | Fl -524init
 .Op Fl -afslog
 .Oo Fl c Ar cachename \*(Ba Xo
-.Fl -cache= Ns Ar cachename Oc
+.Fl -cache= Ns Ar cachename
 .Xc
+.Oc
 .Op Fl f | Fl -forwardable
 .Oo Fl t Ar keytabname \*(Ba Xo
-.Fl -keytab= Ns Ar keytabname Oc
+.Fl -keytab= Ns Ar keytabname
 .Xc
+.Oc
 .Oo Fl l Ar time \*(Ba Xo
-.Fl -lifetime= Ns Ar time Oc
+.Fl -lifetime= Ns Ar time
 .Xc
+.Oc
 .Op Fl p | Fl -proxiable
 .Op Fl R | Fl -renew
 .Op Fl -renewable
 .Oo Fl r Ar time \*(Ba Xo
-.Fl -renewable-life= Ns Ar time Oc
+.Fl -renewable-life= Ns Ar time
 .Xc
+.Oc
 .Oo Fl S Ar principal \*(Ba Xo
-.Fl -server= Ns Ar principal Oc
+.Fl -server= Ns Ar principal
 .Xc
+.Oc
 .Oo Fl s Ar time \*(Ba Xo
-.Fl -start-time= Ns Ar time Oc
+.Fl -start-time= Ns Ar time
 .Xc
+.Oc
 .Op Fl k | Fl -use-keytab
 .Op Fl v | Fl -validate
 .Oo Fl e Ar enctype \*(Ba Xo
-.Fl -enctypes= Ns Ar enctype Oc
+.Fl -enctypes= Ns Ar enctype
 .Xc
+.Oc
 .Op Fl -fcache-version= Ns Ar integer
 .Op Fl -no-addresses
 .Op Fl -anonymous
 .Op Fl -version
 .Op Fl -help
-.Op Ar principal
+.Op Ar principal Op Ar command
 .Sh DESCRIPTION
 .Nm
 is used to authenticate to the kerberos server as
@@ -126,7 +132,7 @@ seconds into the future.
 The same as
 .Fl -keytab ,
 but with the default keytab name (normally
-.Ar FILE:/etc/krb5.keytab ) .
+.Ar FILE:/etc/kerberosV/krb5.keytab ) .
 .It Xo
 .Fl v Ns ,
 .Fl -validate
@@ -185,6 +191,13 @@ options can be set to a default value from the
 .Dv appdefaults
 section in krb5.conf, see
 .Xr krb5_appdefault 3 .
+.Pp
+If a
+.Ar command
+is given,
+.Nm kinit
+will setup new credentials caches, and AFS PAG, and then run the given
+command. When it finishes the credentials will be removed.
 .Sh ENVIRONMENT
 .Bl -tag -width Ds
 .It Ev KRB5CCNAME
diff --git a/kerberosV/src/lib/krb5/krb5.conf.5 b/kerberosV/src/lib/krb5/krb5.conf.5
index 7324e219e9d..85213ae5dd9 100644
--- a/kerberosV/src/lib/krb5/krb5.conf.5
+++ b/kerberosV/src/lib/krb5/krb5.conf.5
@@ -1,12 +1,11 @@
-.\" $KTH: krb5.conf.5,v 1.12 2001/01/19 04:53:24 assar Exp $
+.\" $KTH: krb5.conf.5,v 1.17 2001/05/31 13:58:34 assar Exp $
 .\"
 .Dd April 11, 1999
 .Dt KRB5.CONF 5
 .Os HEIMDAL
 .Sh NAME
-.Nm /etc/krb5.conf
-.Nd
-Configuration file for Kerberos 5
+.Nm /etc/kerberosV/krb5.conf
+.Nd configuration file for Kerberos 5
 .Sh DESCRIPTION
 The
 .Nm
@@ -47,6 +46,35 @@ name:
 consists of one or more non-white space characters.
 Currently recognised sections and bindings are:
 .Bl -tag -width "xxx" -offset indent
+.It Li [appdefaults]
+Specifies the default values to be used for Kerberos applications.
+You can specify defaults per application, realm, or a combination of
+these. The preference order is:
+.Bl -enum -compact
+.It
+.Va application Va realm Va option
+.It
+.Va application Va option
+.It
+.Va realm Va option
+.It
+.Va option
+.El
+.Pp
+The supported options are:
+.Bl -tag -width "xxx" -offset indent
+.It Li forwardable = Va boolean
+When obtaining initial credentials, make the credentials forwardable.
+.It Li proxiable = Va boolean
+When obtaining initial credentials, make the credentials proxiable.
+.It Li no-addresses = Va boolean
+When obtaining initial credentials, request them for an empty set of
+addresses, making the tickets valid from any address.
+.It Li ticket_life = Va time
+Default ticket lifetime.
+.It Li renew_lifetime = Va time
+Default renewable ticket lifetime.
+.El
 .It Li [libdefaults]
 .Bl -tag -width "xxx" -offset indent
 .It Li default_realm = Va REALM
@@ -88,7 +116,7 @@ A list of default etypes to use.
 A list of default etypes to use when requesting a DES credential.
 .It Li default_keytab_name = Va keytab
 The keytab to use if none other is specified, default is
-.Dq FILE:/etc/krb5.keytab .
+.Dq FILE:/etc/kerberosV/krb5.keytab .
 .It Li kdc_timesync = Va boolean
 Try to keep track of the time differential between the local machine
 and the KDC, and then compensate for that when issuing requests.
@@ -98,6 +126,12 @@ The max number of times to try to contact each KDC.
 Default ticket lifetime.
 .It Li renew_lifetime = Va time
 Default renewable ticket lifetime.
+.It Li forwardable = Va boolean
+When obtaining initial credentials, make the credentials forwardable.
+This option is also valid in the [realms] section.
+.It Li proxiable = Va boolean
+When obtaining initial credentials, make the credentials proxiable.
+This option is also valid in the [realms] section.
 .It Li verify_ap_req_nofail = Va boolean
 Enable to make a failure to verify obtained credentials non-fatal.
 This can be useful if there is no keytab on a host.
@@ -112,8 +146,25 @@ A list of addresses to get tickets for along with all local addresses.
 .It Li time_format = Va string
 How to print time strings in logs, this string is passed to
 .Xr strftime 3 .
+.It Li date_format = Va string
+How to print date strings in logs, this string is passed to
+.Xr strftime 3 .
 .It Li log_utc = Va boolean
 Write log-entries using UTC instead of your local time zone.
+.It Li srv_lookup = Va boolean
+Use DNS SRV records to lookup realm configuration information.
+.It Li srv_try_txt = Va boolean
+If a SRV lookup fails, try looking up the same info in a DNS TXT record.
+.It Li scan_interfaces = Va boolean
+Scan all network interfaces for addresses, as opposed to simply using
+the address associated with the system's host name.
+.It Li fcache_version = Va int
+Use file credential cache format version specified.
+.It Li krb4_get_tickets = Va boolean
+Also get Kerberos 4 tickets in
+.Nm kinit
+and other programs.
+This option is also valid in the [realms] section.
 .El
 .It Li [domain_realm]
 This is a list of mappings from DNS domain to Kerberos realm. Each
@@ -256,8 +307,8 @@ and is only left for backwards compatability.
 points to the configuration file to read.
 .Sh EXAMPLE
 .Bd -literal -offset indent
-[lib_defaults]
- default_domain = FOO.SE
+[libdefaults]
+ default_realm = FOO.SE
 [domain_realm]
 .foo.se = FOO.SE
 .bar.se = FOO.SE
@@ -295,4 +346,5 @@ actually used and thus cannot warn about unknown or misspelt ones.
 .Xr krb5_openlog 3 ,
 .Xr krb5_425_conv_principal 3 ,
 .Xr strftime 3 ,
+.Xr kinit 1 ,
 .Xr Source tm
diff --git a/kerberosV/src/lib/krb5/krb5_init_context.3 b/kerberosV/src/lib/krb5/krb5_init_context.3
index 94d41d343c6..56ef56f87f8 100644
--- a/kerberosV/src/lib/krb5/krb5_init_context.3
+++ b/kerberosV/src/lib/krb5/krb5_init_context.3
@@ -19,7 +19,7 @@ The
 function initializes the
 .Fa context
 structure and reads the configration file
-.Pa /etc/krb5.conf .
+.Pa /etc/kerberosV/krb5.conf .
 .Pp
 The structure should be freed by calling
 .Fn krb5_free_context
diff --git a/kerberosV/src/lib/krb5/krb5_keytab.3 b/kerberosV/src/lib/krb5/krb5_keytab.3
index e9ab0c2f68c..fde3036c2bf 100644
--- a/kerberosV/src/lib/krb5/krb5_keytab.3
+++ b/kerberosV/src/lib/krb5/krb5_keytab.3
@@ -141,7 +141,7 @@ list of keytab types. If there is no matching keytab type, the default keytab is used. The current default type is
 .Nm file .
 The default value can be changed in the configuration file
-.Pa /etc/krb5.conf
+.Pa /etc/kerberosV/krb5.conf
 by setting the variable
 .Li [defaults]default_keytab_name .
 .Pp
-- 
cgit v1.2.3