1% This document is included for historical purposes only, and does not 2% apply to krb5 today. 3 4\documentstyle[12pt,fullpage]{article} 5 6%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 7%% Make _ actually generate an _, and allow line-breaking after it. 8\let\underscore=\_ 9\catcode`_=13 10\def_{\underscore\penalty75\relax} 11%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 12 13\setlength{\parskip}{.7\baselineskip} 14\setlength{\parindent}{0pt} 15 16\def\v#1{\verb+#1+} 17 18\title{Kerberos Administration System \\ 19 KADM5 API Functional Specifications} 20\author{Barry Jaspan} 21 22\begin{document} 23 24\sloppy 25\maketitle 26 27{\setlength{\parskip}{0pt}\tableofcontents} 28 29\section{Introduction} 30 31This document describes the Admin API that can be used to maintain 32principals and policies. It describes the data structures used for 33each function and the interpretation of each data type field, the 34semantics of each API function, and the possible return codes. 35 36The Admin API is intended to be used by remote clients using an RPC 37interface. It is implemented by the admin server running on the 38Kerberos master server. It is also possible for a program running on 39the Kerberos master server to use the Admin API directly, without 40going through the admin server. 41 42\section{Versions of the API} 43 44The versions of this API and a brief description of the changes for 45each are: 46 47\begin{description} 48\item[KADM5_API_VERSION_1] The initial version of this API, written by 49OpenVision Technologies and donated to MIT for including in the public 50release. Originally called OVSEC_KADM_API_VERSION_1. Most everything 51has been renamed in one way or another, including functions, header 52files, and data structures. Where possible, the old OVSEC_KADM names 53have been left behind for compatibility with version 1, and 54KADM5_API_VERSION_1 is compatible with OVSEC_KADM_API_VERSION_1 at 55compile-, link-, and run-time. 56 57The OVSEC_KADM name compatibility will not be extended to new 58functionality in future versions because no existing OVSEC_KADM 59clients will use that functionality; new clients should be written to 60the KADM5 API. 61 62\item[KADM5_API_VERSION_2] This version contains the initial changes 63necessary to make the OpenVision administration system work with the 64mid-1996 MIT version of Kerberos 5. Changes include 65\begin{enumerate} 66\item The kadm5_init functions now take a structure of parameters 67instead of just a realm name, allowing the calling program to specify 68non-default values for various configuration options. See section 69\ref{sec:configparams} for details. 70 71\item The KADM5 API has been extended to support new features of the 72Kerberos database, including multiple encryption and salt types per 73principal. See section \ref{sec:keys} for details. 74 75\item kadm5_get_principal now allows a principal's keys to be 76retrieved {\it by local clients only}. This is necessary in order for 77the kadm5 API to provide the primary Kerberos database interface. 78 79\item The KADM5 authorization system has been completely changed. 80 81\item The functions kadm5_flush, kadm5_get_principals, and 82kadm5_get_policies have been added. 83 84\item The KADM5 API now obeys a caller-allocates rather than 85callee-allocates system. kadm5_get_principal and kadm5_get_policy are 86affected. 87\end{enumerate} 88\end{description} 89 90\section{Policies and Password Quality} 91 92The Admin API Password Quality mechanism provides the following 93controls. Note that two strings are defined to be ``significantly 94different'' if they differ by at least one character. The compare is not 95case sensitive. 96 97\begin{itemize} 98\item A minimum length can be required; a password with 99fewer than the specified number of characters will not be accepted. 100 101\item A minimum number of character classes can be required; a 102password that does not contain at least one character from at least 103the specified number of character classes will not be accepted. The 104character classes are defined by islower(), isupper(), isdigit(), 105ispunct(), and other. 106 107\item Passwords can be required to be different from 108previous passwords; a password that generates the same encryption key 109as any of the principal's specified previous number of passwords will 110not be accepted. This comparison is performed on the encryption keys 111generated from the passwords, not on the passwords themselves. 112 113\item A single ``forbidden password'' dictionary can be specified for all 114users; a password that is not significantly different from every word 115in the dictionary will not be accepted. 116\end{itemize} 117 118\section{Data Structures} 119 120This section describes the data structures used by the Admin API. 121They are defined in $<$kadm5/admin.h$>$. 122 123\subsection{Principals, kadm5_principal_ent_t} 124\label{sec:principal-structure} 125 126A Kerberos principal entry is represented by a kadm5_principal_ent_t. 127It contains a subset of the information stored in the master Kerberos 128database as well as the additional information maintained by the admin 129system. In the current version, the only additional information is 130the principal's policy and the aux_attributes flags. 131 132The principal may or may not have a policy enforced on it. If the 133POLICY bit (see section \ref{sec:masks}) is set in aux_attributes, the 134policy field names the principal's policy. If the POLICY bit is not 135set in aux_attributes, no policy is enforced on the principal and the 136value of the policy field is undefined. 137 138\begin{figure}[htbp] 139\begin{verbatim} 140typedef struct _kadm5_principal_ent_t { 141 krb5_principal principal; 142 143 krb5_timestamp princ_expire_time; 144 krb5_timestamp last_pwd_change; 145 krb5_timestamp pw_expiration; 146 krb5_deltat max_life; 147 krb5_principal mod_name; 148 krb5_timestamp mod_date; 149 krb5_flags attributes; 150 krb5_kvno kvno; 151 krb5_kvno mkvno; 152 153 char * policy; 154 u_int32 aux_attributes; 155 156 krb5_deltat max_renewable_life; 157 krb5_timestamp last_success; 158 krb5_timestamp last_failed; 159 krb5_kvno fail_auth_count; 160 krb5_int16 n_key_data; 161 krb5_int16 n_tl_data; 162 krb5_tl_data *tl_data; 163 krb5_key_data *key_data; 164} kadm5_principal_ent_rec, *kadm5_principal_ent_t; 165\end{verbatim} 166\caption{Definition of kadm5_principal_ent_t.} 167\label{fig:princ-t} 168\end{figure} 169 170The fields of an kadm5_principal_ent_t are interpreted as 171follows. 172 173\begin{description} 174\item[principal] The name of the principal; must conform to Kerberos 175naming specifications. 176 177\item[princ_expire_time] The expire time of the principal as a Kerberos 178timestamp. No Kerberos tickets will be issued for a principal after 179its expire time. 180 181\item[last_pwd_change] The time this principal's password was last 182changed, as a Kerberos timestamp. 183 184\item[pw_expiration] The expire time of the user's current password, as a 185Kerberos timestamp. No application service tickets will be issued for the 186principal once the password expire time has passed. Note that the user can 187only obtain tickets for services that have the PW_CHANGE_SERVICE bit set in 188the attributes field. 189 190\item[max_life] The maximum lifetime of any Kerberos ticket issued to 191this principal. 192 193\item[attributes] A bitfield of attributes for use by the KDC. The 194symbols and constant values are defined below; their interpretation 195appears in the libkdb functional specification. 196 197\begin{tabular}{clr} 198{\bf Name} & {\bf Value} \\ 199KRB5_KDB_DISALLOW_POSTDATED & 0x00000001 \\ 200KRB5_KDB_DISALLOW_FORWARDABLE & 0x00000002 \\ 201KRB5_KDB_DISALLOW_TGT_BASED & 0x00000004 \\ 202KRB5_KDB_DISALLOW_RENEWABLE & 0x00000008 \\ 203KRB5_KDB_DISALLOW_PROXIABLE & 0x00000010 \\ 204KRB5_KDB_DISALLOW_DUP_SKEY & 0x00000020 \\ 205KRB5_KDB_DISALLOW_ALL_TIX & 0x00000040 \\ 206KRB5_KDB_REQUIRES_PRE_AUTH & 0x00000080 \\ 207KRB5_KDB_REQUIRES_HW_AUTH & 0x00000100 \\ 208KRB5_KDB_REQUIRES_PWCHANGE & 0x00000200 \\ 209KRB5_KDB_DISALLOW_SVR & 0x00001000 \\ 210KRB5_KDB_PWCHANGE_SERVICE & 0x00002000 \\ 211KRB5_KDB_SUPPORT_DESMD5 & 0x00004000 \\ 212KRB5_KDB_NEW_PRINC & 0x00008000 213\end{tabular} 214 215\item[mod_name] The name of the Kerberos principal that most recently 216modified this principal. 217 218\item[mod_date] The time this principal was last modified, as a Kerberos 219timestamp. 220 221\item[kvno] The version of the principal's current key. 222 223\item[mkvno] The version of the Kerberos Master Key in effect when 224this principal's key was last changed. In KADM5_API_VERSION_2, this 225field is always zero. 226 227\item[policy] If the POLICY bit is set in aux_attributes, the name 228of the policy controlling this principal. 229 230\item[aux_attributes] A bitfield of flags for use by the 231administration system. Currently, the only valid flag is POLICY, and 232it indicates whether or not the principal has a policy enforced on it. 233 234\item[max_renewable_life] The maximum renewable lifetime of any 235Kerberos ticket issued to or for this principal. This field only 236exists in KADM5_API_VERSION_2. 237 238\item[last_success] The KDC time of the last successful AS_REQ. This 239is only updated if KRBCONF_KDC_MODIFIES_KDB is defined during 240compilation of the KDC. This field only exists in 241KADM5_API_VERSION_2. 242 243\item[last_failed] The KDC time of the last failed AS_REQ. This is 244only updated if KRBCONF_KDC_MODIFIES_KDB is defined during compilation 245of the KDC. This field only exists in KADM5_API_VERSION_2. 246 247\item[fail_auth_count] The number of consecutive failed AS_REQs. When 248this number reaches KRB5_MAX_FAIL_COUNT, the KRB5_KDC_DISALLOW_ALL_TIX 249is set on the principal. This is only updated if 250KRBCONF_KDC_MODIFIES_KDB is defined during compilation. This field 251only exists in KADM5_API_VERSION_2. 252 253\item[n_tl_data] The number of elements in the \v{tl_data} linked 254list. This field only exists in KADM5_API_VERSION_2. 255 256\item[n_key_data] The number of elements in the \v{key_data} 257array. This field only exists in KADM5_API_VERSION_2. 258 259\item[tl_data] A linked list of tagged data. This list is a mechanism 260by which programs can store extended information in a principal entry, 261without having to modify the database API. Each element is of type 262krb5_tl_data: 263\begin{verbatim} 264typedef struct _krb5_tl_data { 265 struct _krb5_tl_data* tl_data_next; 266 krb5_int16 tl_data_type; 267 krb5_int16 tl_data_length; 268 krb5_octet * tl_data_contents; 269} krb5_tl_data; 270\end{verbatim} 271% 272The KADM5 API only allows elements whose tl_data_type is greater than 273or equal to 256. Values less than 256 are reserved for internal use 274by the KADM5 or kdb system. They are filtered out of the list 275returned by kadm5_get_principal, and generate an error if given to 276kadm5_modify_principal. 277 278The libkdb library defines the tagged data types 279KRB5_TL_LAST_PWD_CHANGE, KRB5_TL_MOD_PRINC, and KRB5_TL_KADM_DATA, all 280with values less than 256, which store the last password modification 281time, time and modifier of last principal modification, and 282administration system data. All of these entries are expected by the 283administration system and parsed out into fields of the 284kadm5_principal_ent_rec structure; as described above, they are not 285included in the tl_data list. 286 287Tagged data elements with types greater than 256 are handled without 288interpretation by KADM5. Note that an application that calls 289kadm5_modify_principal with the KADM5_TL_DATA mask bit set is 290responsible for providing the {\it complete} tl_data list, which it 291necessarily must obtain from kadm5_get_principal. It is {\it never} 292possible for an application to construct a complete tl_data list from 293scratch. 294 295\item[key_data] An array of the principal's keys. The keys contained 296in this array are encrypted in the Kerberos master key. See section 297\ref{sec:keys} for a discussion of the krb5_key_data structure. 298\end{description} 299 300\subsection{Policies, kadm5_policy_ent_t} 301\label{sec:policy-fields} 302 303If the POLICY bit is set in aux_attributes, the \v{policy} name field 304in the kadm5_principal_ent_t structure refers to a password policy 305entry defined in a \v{kadm5_policy_ent_t}. 306 307\begin{verbatim} 308typedef struct _kadm5_policy_ent_t { 309 char *policy; 310 311 u_int32 pw_min_life; 312 u_int32 pw_max_life; 313 u_int32 pw_min_length; 314 u_int32 pw_min_classes; 315 u_int32 pw_history_num; 316 u_int32 policy_refcnt; 317} kadm5_policy_ent_rec, *kadm5_policy_ent_t; 318\end{verbatim} 319 320The fields of an kadm5_policy_ent_t are interpreted as follows. 321Note that a policy's values only apply to a principal using that 322policy. 323 324\begin{description} 325\item[policy] The name of this policy, as a NULL-terminated string. 326The ASCII characters between 32 (space) and 126 (tilde), inclusive, 327are legal. 328 329\item[pw_min_life] The minimum password lifetime, in seconds. 330A principal cannot change its password before pw_min_life seconds have 331passed since last_pwd_change. 332 333\item[pw_max_life] The default duration, in seconds, used to compute 334pw_expiration when a principal's password is changed. 335 336\item[pw_min_length] The minimum password length, in characters. A 337principal cannot set its password to anything with fewer than this 338number of characters. This value must be greater than zero. 339 340\item[pw_min_classes] The minimum number of character classes in the 341password. This value can only be 1, 2, 3, 4, or 5. A principal cannot 342set its password to anything with fewer than this number of character 343classes in it. 344 345\item[pw_history_num] The number of past passwords that are 346stored for the principal; the minimum value is 1 and the maximum value 347is 10. A principal cannot set its password to any of its previous 348pw_history_num passwords. The first ``previous'' password is the 349current password; thus, a principal with a policy can never reset its 350password to its current value. 351 352\item[policy_refcnt] The number of principals currently using this policy. 353A policy cannot be deleted unless this number is zero. 354\end{description} 355 356\subsection{Configuration parameters} 357\label{sec:configparams} 358 359The KADM5 API acquires configuration information from the Kerberos 360configuration file (\$KRB5_CONFIG or DEFAULT_PROFILE_PATH) and from 361the KDC configuration file (\$KRB5_KDC_CONFIG or DEFAULT_KDC_PROFILE). 362In KADM5_API_VERSION_2, some of the configuration parameters used by 363the KADM5 API can be controlled by the caller by providing a 364kadm5_config_params structure to kadm5_init: 365% 366\begin{verbatim} 367typedef struct _kadm5_config_params { 368 u_int32 mask; 369 370 /* Client and server fields */ 371 char *realm; 372 char *profile; 373 int kadmind_port; 374 375 /* client fields */ 376 char *admin_server; 377 378 /* server fields */ 379 char *dbname; 380 char *admin_dbname; 381 char *admin_lockfile; 382 char *acl_file; 383 char *dict_file; 384 char *admin_keytab; 385 386 /* server library (database) fields */ 387 int mkey_from_kbd; 388 char *stash_file; 389 char *mkey_name; 390 krb5_enctype enctype; 391 krb5_deltat max_life; 392 krb5_deltat max_rlife; 393 krb5_timestamp expiration; 394 krb5_flags flags; 395 krb5_key_salt_tuple *keysalts; 396 krb5_int32 num_keysalts; 397} kadm5_config_params; 398\end{verbatim} 399% 400The following list describes each of the fields of the structure, 401along with the profile relation it overrides, its mask value, its 402default value, and whether it is valid on the client, server, or both, 403or neither. 404\begin{description} 405\item[mask] No variable. No mask value. A bitfield specifying which 406fields of the structure contain valid information. A caller sets this 407mask before calling kadm5_init_*, indicating which parameters are 408specified. The mask values are defined in $<$kadm5/admin.h$>$ and are 409all prefixed with KADM5_CONFIG_; the prefix is not included in the 410descriptions below. 411 412\item[realm] No variable. REALM. Client and server. The realm to 413which these parameters apply, and the realm for which additional 414parameters are to be acquired, if any. If this field is not specified 415in the mask, the default local realm is used. 416 417\item[profile] Variable: profile (server only). PROFILE. Client and 418server. The Kerberos profile to use. On the client, the default is 419the value of the KRB5_CONFIG environment variable, or 420DEFAULT_PROFILE_PATH if that is not set. On the server, the value of 421the ``profile'' variable of the KDC configuration file will be used as 422the first default if it exists; otherwise, the default is the value of 423the KRB5_KDC_PROFILE environment variable or DEFAULT_KDC_PROFILE. 424 425\item[kadmind_port] Variable: kadmind_port. KADMIND_PORT. Client and 426server. The port number the kadmind server listens on. The client 427uses this field to determine where to connect, and the server to 428determine where to listen. The default is 749, which has been 429assigned by IANA. 430 431\item[admin_server] Variable: admin_server. ADMIN_SERVER. Client. 432The host name of the admin server to which to connect. There is no 433default. If the value of this field contains a colon (:), the text 434following the colon is treated as an integer and assigned to the 435kadmind_port field, overriding any value of the kadmind_port variable. 436 437\item[dbname] Variable: dbname. DBNAME. Server. The Kerberos 438database name to use; the Kerberos database stores principal 439information. The default is DEFAULT_KDB_FILE. 440 441\item[admin_dbname] Variable: admin_database_name. ADBNAME. 442Neither. If the dbname field is set, this field is set to the value 443of dbname followed by ``.kadm5''. 444 445\item[admin_lockfile] Variable: admin_database_lockfile. 446ADB_LOCKFILE. Neither. If the admin_dbname field is set, this field 447is set to the value of admin_dbname followed by ``.lock''. 448 449\item[acl_file] Variable: acl_file. ACL_FILE. Server. The admin 450server's ACL file. The default is DEFAULT_KADM5_ACL_FILE. 451 452\item[dict_file] Variable: admin_dict_file. DICT_FILE. Server. The 453admin server's dictionary file of passwords to disallow. No default. 454 455\item[admin_keytab] Variable: admin_keytab. ADMIN_KEYTAB. Server. 456The keytab file containing the kadmin/admin and kadmin/changepw 457entries for the server to use. The default is the value of the 458KRB5_KTNAME environment variable, if defined, else 459DEFAULT_KADM5_KEYTAB. 460 461\item[mkey_from_keyboard] No variable. MKEY_FROM_KEYBOARD. Server. 462If non-zero, prompt for the master password via the tty instead of 463using the stash file. If this mask bit is not set, or is set and the 464value is zero, the stash file is used. 465 466\item[stash_file] Variable: key_stash_file. STASH_FILE. Server. The 467file name containing the master key stash file. No default; libkdb 468will work with a NULL value. 469 470\item[mkey_name] Variable: master_key_name. MKEY_NAME. Server. The 471name of the master principal for the realm. No default; lbkdb will 472work with a NULL value. 473 474\item[enctype] Variable: master_key_type. ENCTYPE. Server. The 475encryption type of the master principal. The default is 476DEFAULT_KDC_ENCTYPE. 477 478\item[max_life] Variable: max_life. MAX_LIFE. Maximum lifetime for 479all tickets issued to the principal. The default is 28800, which is 8 480hours. 481 482\item[max_rlife, expiration, flags] Variables: max_renewable_life, 483default_principal_expiration, default_principal_flags. MAX_LIFE, 484MAX_RLIFE, EXPIRATION, FLAGS. Server. Default values for new 485principals. All default to 0. 486 487\item[keysalts, num_keysalts] Variable: supported_enctypes. ENCTYPES. 488Server. The list of supported encryption type/salt type tuples; both 489fields must be assigned if ENCTYPES is set. The default is a list 490containing one enctype, DES-CBC-CRC with normal salt. 491\end{description} 492 493\subsection{Principal keys} 494\label{sec:keys} 495 496In KADM5_API_VERSION_1, all principals had a single key. The 497encryption method was always DES, and the salt type was determined 498outside the API (by command-line options to the administration 499server). 500 501In KADM5_API_VERSION_2, principals can have multiple keys, each with 502its own encryption type and salt. Each time a principal's key is 503changed with kadm5_create_principal, kadm5_chpass_principal or 504kadm5_randkey_principal, existing key entries are removed and a key 505entry for each encryption and salt type tuple specified in the 506configuration parameters is added. There is no provision for 507specifying encryption and salt type information on a per-principal 508basis; in a future version, this will probably be part of the admin 509policy. There is also presently no provision for keeping multiple key 510versions for a single principal active in the database. 511 512A single key is represented by a krb5_key_data: 513% 514\begin{verbatim} 515typedef struct _krb5_key_data { 516 krb5_int16 key_data_ver; /* Version */ 517 krb5_int16 key_data_kvno; /* Key Version */ 518 krb5_int16 key_data_type[2]; /* Array of types */ 519 krb5_int16 key_data_length[2]; /* Array of lengths */ 520 krb5_octet * key_data_contents[2]; /* Array of pointers */ 521} krb5_key_data; 522\end{verbatim} 523% 524\begin{description} 525\item[key_data_ver] The version number of the structure. Versions 1 526and 2 are currently defined. If key_data_ver is 1 then the key is 527either a random key (not requiring a salt) or the salt is the normal 528v5 salt which is the same as the realm and therefore doesn't need to 529be saved in the database. 530 531\item[key_data_kvno] The key version number of this key. 532 533\item[key_data_type] The first element is the enctype of this key. In 534a version 2 structure, the second element is the salttype of this key. 535The legal encryption types are defined in $<$krb5.h$>$. The legal 536salt types are defined in $<$k5-int.h$>$. 537 538\item[key_data_length] The first element is length this key. In a 539version 2 structure, the second element is length of the salt for this 540key. 541 542\item[key_data_contents] The first element is the content of this key. 543In a version 2 structure, the second element is the contents of the 544salt for this key. 545\end{description} 546 547\subsection{Field masks} 548\label{sec:masks} 549 550The API functions for creating, retrieving, and modifying principals 551and policies allow for a relevant subset of the fields of the 552kadm5_principal_ent_t and kadm5_policy_ent_t to be specified or 553changed. The chosen fields are determined by a bitmask that is passed 554to the relevant function. Each API function has different rules for 555which mask values can be specified, and can specify whether a given 556mask value is mandatory, optional, or forbidden. Mandatory fields 557must be present and forbidden fields must not be present or an error 558is generated. When creating a principal or policy, optional fields 559have a default value if they are not specified. When modifying a 560principal or policy, optional fields are unchanged if they are not 561specified. When retrieving a principal, optional fields are simply 562not provided if they are not specified; not specifying undeeded fields 563for retrieval may improve efficiency. The values for forbidden fields 564are defined in the function semantics. 565 566The masks for principals are in table \ref{tab:princ-bits} and the 567masks for policies are in table \ref{tab:policy-bits}. They are 568defined in $<$kadm5/admin.h$>$. The KADM5_ prefix has been removed 569from the Name fields. In the Create and Modify fields, M means 570mandatory, F means forbidden, and O means optional. Create fields 571that are optional specify the default value. The notation ``K/M 572value'' means that the field inherits its value from the corresponding 573field in the Kerberos master principal, for KADM5_API_VERSION_1, and 574from the configuration parameters for KADM5_API_VERSION_2. 575 576All masks for principals are optional for retrevial, {\it except} that 577the KEY_DATA mask is illegal when specified by a remote client; for 578details, see the function semantics for kadm5_get_principal. 579 580Note that the POLICY and POLICY_CLR bits are special. When POLICY is 581set, the policy is assigned to the principal. When POLICY_CLR is 582specified, the policy is unassigned to the principal and as a result 583no policy controls the principal. 584 585For convenience, the mask KADM5_PRINCIPAL_NORMAL_MASK contains all of 586the principal masks {\it except} KADM5_KEY_DATA and KADM5_TL_DATA, and 587the mask KADM5_POLICY_NORMAL_MASK contains all of the policy masks. 588 589\begin{table}[htbp] 590\begin{tabular}{@{}lclll} 591{\bf Name} & {\bf Value} & {\bf Fields Affected} & {\bf Create} & 592 {\bf Modify} \\ 593PRINCIPAL & 0x000001 & principal & M & F \\ 594PRINC_EXPIRE_TIME & 0x000002 & princ_expire_time & O, K/M value & O \\ 595PW_EXPIRATION & 0x000004 & pw_expiration & O, now+pw_max_life & O \\ 596LAST_PWD_CHANGE & 0x000008 & last_pwd_change & F & F \\ 597ATTRIBUTES & 0x000010 & attributes & O, 0 & O \\ 598MAX_LIFE & 0x000020 & max_life & O, K/M value & O \\ 599MOD_TIME & 0x000040 & mod_date & F & F \\ 600MOD_NAME & 0x000080 & mod_name & F & F \\ 601KVNO & 0x000100 & kvno & O, 1 & O \\ 602MKVNO & 0x000200 & mkvno & F & F \\ 603AUX_ATTRIBUTES & 0x000400 & aux_attributes & F & F \\ 604POLICY & 0x000800 & policy & O, none & O \\ 605POLICY_CLR & 0x001000 & policy & F & O \\ 606MAX_RLIFE & 0x002000 & max_renewable_life & O, K/M value & O \\ 607LAST_SUCCESS & 0x004000 & last_success & F & F \\ 608LAST_FAILED & 0x008000 & last_failed & F & F \\ 609FAIL_AUTH_COUNT & 0x010000 & fail_auth_count & F & O \\ 610KEY_DATA & 0x020000 & n_key_data, key_data & F & F \\ 611TL_DATA & 0x040000 & n_tl_data, tl_data & O, 0, NULL & O 612\end{tabular} 613\caption{Mask bits for creating, retrieving, and modifying principals.} 614\label{tab:princ-bits} 615\end{table} 616 617\begin{table}[htbp] 618\begin{tabular}{@{}lclll} 619Name & Value & Field Affected & Create & Modify \\ 620POLICY & same & policy & M & F \\ 621PW_MAX_LIFE & 0x004000 & pw_max_life & O, 0 (infinite) & O \\ 622PW_MIN_LIFE & 0x008000 & pw_min_life & O, 0 & O \\ 623PW_MIN_LENGTH & 0x010000 & pw_min_length & O, 1 & O \\ 624PW_MIN_CLASSES & 0x020000 & pw_min_classes & O, 1 & O \\ 625PW_HISTORY_NUM & 0x040000 & pw_history_num & O, 0 & O \\ 626REF_COUNT & 0x080000 & pw_refcnt & F & F 627\end{tabular} 628\caption{Mask bits for creating/modifying policies.} 629\label{tab:policy-bits} 630\end{table} 631 632\section{Constants, Header Files, Libraries} 633 634$<$kadm5/admin.h$>$ includes a number of required header files, 635including RPC, Kerberos 5, com_err, and admin com_err 636defines. It contains prototypes for all kadm5 routines mentioned 637below, as well as all Admin API data structures, type definitions and 638defines mentioned in this document. 639 640Before \v{\#include}ing $<$kadm5/admin.h$>$, the programmer can 641specify the API version number that the program will use by 642\v{\#define}ing USE_KADM5_API_VERSION; for example, define that symbol 643to be 1 to use KADM5_API_VERSION_1. This will ensure that the correct 644functional prototypes and data structures are defined. If no version 645symbol is defined, the most recent version supported by the header 646files will be used. 647 648Some of the defines and their values contained in $<$kadm5/admin.h$>$ 649include the following, whose KADM5_ prefixes have been removed. 650Symbols that do not exist in KADM5_API_VERSION_2 do not have a KADM5_ 651prefix, but instead retain only with OVSEC_KADM_ prefix for 652compatibility. 653\begin{description} 654\item[admin service principal] ADMIN_SERVICE (``kadmin/admin'') 655\item[admin history key] HIST_PRINCIPAL (``kadmin/history'') 656\item[change password principal] CHANGEPW_SERVICE (``kadmin/changepw'') 657\item[server acl file path] ACLFILE (``/krb5/ovsec_adm.acl''). In 658KADM5_API_VERSION 2, this is controlled by configuration parameters. 659\item[dictionary] WORDFILE (``/krb5/kadmind.dict''). In 660KADM5_API_VERSION 2, this is controlled by configuration parameters. 661\end{description} 662 663KADM5 errors are described in $<$kadm5/kadm_err.h$>$, which 664is included by $<$kadm5/admin.h$>$. 665 666The locations of the admin policy and principal databases, as well as 667defines and type definitions for the databases, are defined in 668$<$kadm5/adb.h$>$. Some of the defines in that file are: 669\begin{description} 670\item[admin policy database] POLICY_DB (``/krb5/kadm5_policy.db''). In 671KADM5_API_VERSION 2, this is controlled by configuration parameters. 672\item[admin principal database] PRINCIPAL_DB 673(``/krb5/ovsec_principal.db''). In KADM5_API_VERSION 2, this is 674controlled by configuration parameters. 675\end{description} 676 677Client applications will link against libkadm5clnt.a and server 678programs against libkadm5srv.a. Client applications must also link 679against: libgssapi_krb5.a, libkrb5.a, libcrypto.a, libgssrpc.a, 680libcom_err.a, and libdyn.a. Server applications must also link 681against: libkdb5.a, libkrb5.a, libcrypto.a, libgssrpc.a, libcom_err.a, 682and libdyn.a. 683 684\section{Error Codes} 685 686The error codes that can be returned by admin functions are listed 687below. Error codes indicated with a ``*'' can be returned by every 688admin function and always have the same meaning; these codes are 689omitted from the list presented with each function. 690 691The admin system guarantees that a function that returns an error code 692has no other side effect. 693 694The Admin system will use \v{com_err} for error codes. Note that this 695means \v{com_err} codes may be returned from functions that the admin 696routines call (e.g. the kerberos library). Callers should not expect 697that only KADM5 errors will be returned. The Admin system error code 698table name will be ``ovk'', and the offsets will be the same as the 699order presented here. As mentioned above, the error table include file 700will be $<$kadm5/kadm_err.h$>$. 701 702Note that these error codes are also used as protocol error code 703constants and therefore must not change between product releases. 704Additional codes should be added at the end of the list, not in the 705middle. The integer value of KADM5_FAILURE is 43787520; the 706remaining values are assigned in sequentially increasing order. 707 708\begin{description} 709\item[* KADM5_FAILURE] Operation failed for unspecified reason 710\item[* KADM5_AUTH_GET] Operation requires ``get'' privilege 711\item[* KADM5_AUTH_ADD] Operation requires ``add'' privilege 712\item[* KADM5_AUTH_MODIFY] Operation requires ``modify'' privilege 713\item[* KADM5_AUTH_DELETE] Operation requires ``delete'' privilege 714\item[* KADM5_AUTH_INSUFFICIENT] Insufficient authorization for 715operation 716\item[* KADM5_BAD_DB] Database inconsistency detected 717\item[KADM5_DUP] Principal or policy already exists 718\item[KADM5_RPC_ERROR] Communication failure with server 719\item[KADM5_NO_SRV] No administration server found for realm 720\item[KADM5_BAD_HIST_KEY] Password history principal key version 721mismatch 722\item[KADM5_NOT_INIT] Connection to server not initialized 723\item[KADM5_UNK_PRINC] Principal does not exist 724\item[KADM5_UNK_POLICY] Policy does not exist 725\item[KADM5_BAD_MASK] Invalid field mask for operation 726\item[KADM5_BAD_CLASS] Invalid number of character classes 727\item[KADM5_BAD_LENGTH] Invalid password length 728\item[KADM5_BAD_POLICY] Illegal policy name 729\item[KADM5_BAD_PRINCIPAL] Illegal principal name. 730\item[KADM5_BAD_AUX_ATTR] Invalid auxiliary attributes 731\item[KADM5_BAD_HISTORY] Invalid password history count 732\item[KADM5_BAD_MIN_PASS_LIFE] Password minimum life is greater 733then password maximum life 734\item[KADM5_PASS_Q_TOOSHORT] Password is too short 735\item[KADM5_PASS_Q_CLASS] Password does not contain enough 736character classes 737\item[KADM5_PASS_Q_DICT] Password is in the password dictionary 738\item[KADM5_PASS_REUSE] Cannot reuse password 739\item[KADM5_PASS_TOOSOON] Current password's minimum life has not 740expired 741\item[KADM5_POLICY_REF] Policy is in use 742\item[KADM5_INIT] Connection to server already initialized 743\item[KADM5_BAD_PASSWORD] Incorrect password 744\item[KADM5_PROTECT_PRINCIPAL] Cannot change protected principal 745\item[* KADM5_BAD_SERVER_HANDLE] Programmer error! Bad Admin server handle 746\item[* KADM5_BAD_STRUCT_VERSION] Programmer error! Bad API structure version 747\item[* KADM5_OLD_STRUCT_VERSION] API structure version specified by application is no longer supported (to fix, recompile application against current Admin API header files and libraries) 748\item[* KADM5_NEW_STRUCT_VERSION] API structure version specified by application is unknown to libraries (to fix, obtain current Admin API header files and libraries and recompile application) 749\item[* KADM5_BAD_API_VERSION] Programmer error! Bad API version 750\item[* KADM5_OLD_LIB_API_VERSION] API version specified by application is no longer supported by libraries (to fix, update application to adhere to current API version and recompile) 751\item[* KADM5_OLD_SERVER_API_VERSION] API version specified by application is no longer supported by server (to fix, update application to adhere to current API version and recompile) 752\item[* KADM5_NEW_LIB_API_VERSION] API version specified by application is unknown to libraries (to fix, obtain current Admin API header files and libraries and recompile application) 753\item[* KADM5_NEW_SERVER_API_VERSION] API version specified by 754application is unknown to server (to fix, obtain and install newest 755Admin Server) 756\item[KADM5_SECURE_PRINC_MISSING] Database error! Required principal missing 757\item[KADM5_NO_RENAME_SALT] The salt type of the specified principal 758does not support renaming 759\item[KADM5_BAD_CLIENT_PARAMS] Illegal configuration parameter for 760remote KADM5 client 761\item[KADM5_BAD_SERVER_PARAMS] Illegal configuration parameter for 762local KADM5 client. 763\item[KADM5_AUTH_LIST] Operation requires ``list'' privilege 764\item[KADM5_AUTH_CHANGEPW] Operation requires ``change-password'' privilege 765\item[KADM5_BAD_TL_TYPE] Programmer error! Illegal tagged data list 766element type 767\item[KADM5_MISSING_CONF_PARAMS] Required parameters in kdc.conf missing 768\item[KADM5_BAD_SERVER_NAME] Bad krb5 admin server hostname 769\item[KADM5_AUTH_SETKEY] Operation requires ``set-key'' privilege 770\item[KADM5_SETKEY_DUP_ENCTYPES] Multiple values for single or folded enctype 771\end{description} 772 773\section{Authentication and Authorization} 774\label{sec:auth} 775 776Two Kerberos principals exist for use in communicating with the Admin 777system: kadmin/admin and kadmin/changepw. Both principals 778have the KRB5_KDB_DISALLOW_TGT_BASED bit set in their attributes so 779that service tickets for them can only be acquired via a 780password-based (AS_REQ) request. Additionally, kadmin/changepw 781has the KRB5_KDB_PWCHANGE_SERVICE bit set so that a principal with an 782expired password can still obtain a service ticket for it. 783 784The Admin system accepts requests that are authenticated to either 785service principal, but the sets of operations that can be performed by 786a request authenticated to each service are different. In particular, 787only the functions chpass_principal, randkey_principal, get_principal, 788and get_policy can be performed by a request authenticated to the 789kadmin/changepw service, and they can only be performed when the 790target principal of the operation is the same as the authenticated 791client principal; the function semantics descriptions below give the 792precise details. This means that administrative operations can only 793be performed when authenticated to the kadmin/admin service. The 794reason for this distinction is that tickets for kadmin/changepw can be 795acquired with an expired password, and the KADM system does not want 796to allow an administrator with an expired password to perform 797administrative operations on arbitrary principals. 798 799Each Admin API operation authenticated to the kadmin/admin service 800requires a specific authorization to run. This version uses a simple 801named privilege system with the following names and meanings: 802 803\begin{description} 804\item[Get] Able to examine the attributes (NOT key data) of principals 805and policies. 806\item[Add] Able to add principals and policies. 807\item[Modify] Able to modify attributes of existing principals and 808policies; this does not include changing passwords. 809\item[Delete] Able to remove principals and policies. 810\item[List] Able to retrieve a list of principals and policies. 811\item[Changepw] Able to change the password of principals. 812\item[Setkey] Able to set principal keys directly. 813\end{description} 814 815Privileges are specified via an external configuration file on the 816Kerberos master server. 817 818Table \ref{tab:func-overview} summarizes the authorization 819requirements of each function. Additionally, each API function 820description identifies the privilege required to perform it. The 821Authorization checks only happen if you are using the RPC mechanism. 822If you are using the server-side API functions locally on the admin 823server, the only authorization check is if you can access the 824approporiate local files. 825 826\section{Functions} 827 828\subsection{Overview} 829 830The functions provided by the Admin API, and the authorization they 831require, are listed in the table \ref{tab:func-overview}. The 832``kadm5_'' prefix has been removed from each function name. 833 834The function semantics in the following sections omit details that are 835the same for every function. 836 837\begin{itemize} 838\item The effects of every function are atomic. 839 840\item Every function performs an authorization check and returns 841the appropriate KADM5_AUTH_* error code if the caller does not 842have the required privilege. No other information or error code is 843ever returned to an unauthorized user. 844 845\item Every function checks its arguments for NULL pointers or other 846obviously invalid values, and returns EINVAL if any are detected. 847 848\item Any function that performs a policy check uses the policy named 849in the principal's policy field. If the POLICY bit is not set in the 850principal's aux_attributes field, however, the principal has no 851policy, so the policy check is not performed. 852 853\item Unless otherwise specified, all functions return KADM5_OK. 854\end{itemize} 855 856\begin{table}[htbp] 857\caption{Summary of functions and required authorization.} 858\label{tab:func-overview} 859\begin{tabular}{@{}llp{3.24in}} 860\\ 861{\bf Function Name} & {\bf Authorization} & {\bf Operation} \\ 862 863init & none & Open a connection with the kadm5 library. OBSOLETE 864but still provided---use init_with_password instead. \\ 865init_with_password & none & Open a connection with the kadm5 866library using a password to obtain initial credentials. \\ 867init_with_skey & none & Open a connection with the kadm5 library 868using the keytab entry to obtain initial credentials. \\ 869destroy & none & Close the connection with the kadm5 library. \\ 870flush & none & Flush all database changes to disk; no-op when called 871remotely. \\ 872create_principal & add & Create a new principal. \\ 873delete_principal & delete & Delete a principal. \\ 874modify_principal & modify & Modify the attributes of an existing 875 principal (not password). \\ 876rename_principal & add and delete & Rename a principal. \\ 877get_principal & get\footnotemark & Retrieve a principal. \\ 878get_principals & list & Retrieve some or all principal names. \\ 879chpass_principal & changepw\footnotemark[\thefootnote] & 880 Change a principal's password. \\ 881chpass_principal_util & changepw\footnotemark[\thefootnote] & Utility wrapper around chpass_principal. \\ 882randkey_principal & changepw\footnotemark[\thefootnote] & 883 Randomize a principal's key. \\ 884setkey_principal & setkey & Explicitly set a principal's keys. \\ 885decrypt_key & none & Decrypt a principal key. \\ 886create_policy & add & Create a new policy. \\ 887delete_policy & delete & Delete a policy. \\ 888modify_policy & modify & Modify the attributes of a policy. \\ 889get_policy & get & Retrieve a policy. \\ 890get_policies & list & Retrieve some or all policy names. \\ 891free_principal_ent & none & Free the memory associated with an 892 kadm5_principal_ent_t. \\ 893free_policy_ent & none & Free the memory associated with an 894 kadm5_policy_ent_t. \\ 895get_privs & none & Return the caller's admin server privileges. 896\end{tabular} 897\end{table} 898\footnotetext[\thefootnote]{These functions also allow a principal to 899perform the operation on itself; see the function's semantics for 900details.} 901 902\subsection{kadm5_init_*} 903 904In KADM5_API_VERSION 1: 905 906\begin{verbatim} 907kadm5_ret_t kadm5_init_with_password(char *client_name, char *pass, 908 char *service_name, char *realm, 909 unsigned long struct_version, 910 unsigned long api_version, 911 void **server_handle) 912 913kadm5_ret_t kadm5_init_with_skey(char *client_name, char *keytab, 914 char *service_name, char *realm, 915 unsigned long struct_version, 916 unsigned long api_version, 917 void **server_handle) 918 919kadm5_ret_t kadm5_init(char *client_name, char *pass, 920 char *service_name, char *realm, 921 unsigned long struct_version, 922 unsigned long api_version, 923 void **server_handle) 924\end{verbatim} 925 926In KADM5_API_VERSION 2: 927 928\begin{verbatim} 929kadm5_ret_t kadm5_init_with_password(char *client_name, char *pass, 930 char *service_name, 931 kadm5_config_params *realm_params, 932 unsigned long struct_version, 933 unsigned long api_version, 934 void **server_handle) 935 936kadm5_ret_t kadm5_init_with_skey(char *client_name, char *keytab, 937 char *service_name, 938 kadm5_config_params *realm_params, 939 unsigned long struct_version, 940 unsigned long api_version, 941 void **server_handle) 942 943kadm5_ret_t kadm5_init(char *client_name, char *pass, 944 char *service_name, 945 kadm5_config_params *realm_params, 946 unsigned long struct_version, 947 unsigned long api_version, 948 void **server_handle) 949 950kadm5_ret_t kadm5_init_with_creds(char *client_name, 951 krb5_ccache ccache, 952 char *service_name, 953 kadm5_config_params *params, 954 krb5_ui_4 struct_version, 955 krb5_ui_4 api_version, 956 void **server_handle) 957\end{verbatim} 958 959AUTHORIZATION REQUIRED: none 960 961NOTE: kadm5_init is an obsolete function provided for backwards 962compatibility. It is identical to kadm5_init_with_password. 963 964These three functions open a connection to the kadm5 library and 965initialize any necessary state information. They behave differently 966when called from local and remote clients. 967 968In KADM5_API_VERSION_2, these functions take a kadm5_config_params 969structure instead of a realm name as an argument. The semantics are 970similar: if a NULL pointer is passed for the realm_params argument, 971the default realm and default parameters for that realm, as specified 972in the krb5 configuration file (e.g. /etc/krb5.conf) are used. If a 973realm_params structure is provided, the fields that are set override 974the default values. If a parameter is specified to the local or 975remote libraries that does not apply to that side, an error code 976(KADM5_BAD_CLIENT_PARAMS or KADM5_BAD_SERVER_PARAMS) is returned. See 977section \ref{sec:configparams} for a discussion of configuration 978parameters. 979 980For remote clients, the semantics are: 981 982\begin{enumerate} 983\item Initializes all the com_err error tables used by the Admin 984system. 985 986\item Acquires configuration parameters. In KADM5_API_VERSION_1, all 987the defaults specified in the configuration file are used, according 988to the realm. In KADM5_API_VERSION_2, the values in params_in are 989merged with the default values. If an illegal mask value is 990specified, KADM5_BAD_CLIENT_PARAMS is returned. 991 992\item Acquires a Kerberos ticket for the specified service. 993 994\begin{enumerate} 995\item The ticket's client is client_name, which can be any valid 996Kerberos principal. If client_name does not include a realm, the 997default realm of the local host is used 998\item The ticket's service is service_name@realm. service_name must 999be one of the constants KADM5_ADMIN_SERVICE or 1000KADM5_CHANGEPW_SERVICE. 1001\item If realm is NULL, client_name's realm is used. 1002 1003\item For init_with_password, an initial ticket is acquired and 1004decoded with the password pass, which must be client_name's password. 1005If pass is NULL or an empty string, the user is prompted (via the tty) 1006for a password. 1007 1008\item For init_with_skey, an initial ticket is acquired and decoded 1009with client_name's key obtained from the specified keytab. If keytab 1010is NULL or an empty string the default keytab is used. 1011 1012\item For init_with_creds, ccache must be an open credential cache 1013that already has a ticket for the specified client and server. 1014Alternatively, if a site chooses to disable the DISALLOW_TGT_BASED 1015flag on the admin and changepw principals, the ccache can contain a 1016ticket-granting ticket for client_name. 1017\end{enumerate} 1018 1019\item Creates a GSS-API authenticated connection to the Admin server, 1020using the just-acquired Kerberos ticket. 1021 1022\item Verifies that the struct_version and api_version specified by 1023the caller are valid and known to the library. 1024 1025\item Sends the specified api_version to the server. 1026 1027\item Upon successful completion, fills in server_handle with a handle 1028for this connection, to be used in all subsequent API calls. 1029\end{enumerate} 1030 1031The caller should always specify KADM5_STRUCT_VERSION for the 1032struct_version argument, a valid and supported API version constant 1033for the api_version argument (currently, KADM5_API_VERSION_1 or 1034KADM5_API_VERSION_2), and a valid pointer in which the server handle 1035will be stored. 1036 1037If any kadm5_init_* is invoked locally its semantics are: 1038 1039\begin{enumerate} 1040\item Initializes all the com_err error tables used by the Admin 1041system. 1042 1043\item Acquires configuration parameters. In KADM5_API_VERSION_1, all 1044the defaults specified in the configuration file are used, according 1045to the realm. In KADM5_API_VERSION_2, the values in params_in are 1046merged with the default values. If an illegal mask value is 1047specified, KADM5_BAD_SERVER_PARAMS is returned. 1048 1049\item Initializes direct access to the KDC database. In 1050KADM5_API_VERISON_1, if pass (or keytab) is NULL or an empty string, 1051reads the master password from the stash file; otherwise, the non-NULL 1052password is ignored and the user is prompted for it via the tty. In 1053KADM5_API_VERSION_2, if the MKEY_FROM_KEYBOARD parameter mask is set 1054and the value is non-zero, reads the master password from the user via 1055the tty; otherwise, the master key is read from the stash file. 1056Calling init_with_skey or init_with_creds with the MKEY_FROM_KEYBOARD 1057mask set with a non-zero field is illegal, and calling them without 1058the mask set is exactly like calling init_with_password. 1059 1060\item Initializes the dictionary (if present) for dictionary checks. 1061 1062\item Parses client_name as a Kerberos principal. client_name should 1063usually be specified as the name of the program. 1064 1065\item Verifies that the struct_version and api_version specified by 1066the caller are valid. 1067 1068\item Fills in server_handle with a handle containing all state 1069information (version numbers and client name) for this ``connection.'' 1070\end{enumerate} 1071The service_name argument is not used. 1072 1073RETURN CODES: 1074 1075\begin{description} 1076\item[KADM5_NO_SRV] No Admin server can be found for the 1077specified realm. 1078 1079\item[KADM5_RPC_ERROR] The RPC connection to the server cannot be 1080initiated. 1081 1082\item[KADM5_BAD_PASSWORD] Incorrect password. 1083 1084\item[KADM5_SECURE_PRINC_MISSING] The principal 1085KADM5_ADMIN_SERVICE or KADM5_CHANGEPW_SERVICE does not 1086exist. This is a special-case replacement return code for ``Server 1087not found in database'' for these required principals. 1088 1089\item[KADM5_BAD_CLIENT_PARAMS] A field in the parameters mask was 1090specified to the remote client library that is not legal for remote 1091clients. 1092 1093\item[KADM5_BAD_SERVER_PARAMS] A field in the parameters mask was 1094specified to the local client library that is not legal for local 1095clients. 1096\end{description} 1097 1098\subsection{kadm5_flush} 1099 1100\begin{verbatim} 1101kadm5_ret_t kadm5_flush(void *server_handle) 1102\end{verbatim} 1103 1104AUTHORIZATION REQUIRED: none 1105 1106Flush all changes to the Kerberos databases, leaving the connection to 1107the Admin API open. This function behaves differently when called by 1108local and remote clients. 1109 1110For local clients, the function closes and reopens the Kerberos 1111database with krb5_db_fini() and krb5_db_init(). 1112Although it is unlikely, either of these functions 1113could return errors; in that case, this function calls 1114kadm5_destroy and returns the error code. Therefore, if 1115kadm5_flush does not return KADM5_OK, the connection to the 1116Admin server has been terminated and, in principle, the databases 1117might be corrupt. 1118 1119For remote clients, the function is a no-op. 1120 1121\subsection{kadm5_destroy} 1122 1123\begin{verbatim} 1124kadm5_ret_t kadm5_destroy(void *server_handle) 1125\end{verbatim} 1126 1127AUTHORIZATION REQUIRED: none 1128 1129Close the connection to the Admin server and releases all related 1130resources. This function behaves differently when called by local and 1131remote clients. 1132 1133For remote clients, the semantics are: 1134 1135\begin{enumerate} 1136\item Destroy the temporary credential cache created by 1137kadm5_init. 1138 1139\item Tear down the GSS-API context negotiated with the server. 1140 1141\item Close the RPC connection. 1142 1143\item Free storage space associated with server_handle, after erasing 1144its magic number so it won't be mistaken for a valid handle by the 1145library later. 1146\end{enumerate} 1147 1148For local clients, this function just frees the storage space 1149associated with server_handle after erasing its magic number. 1150 1151RETURN CODES: 1152 1153\subsection{kadm5_create_principal} 1154 1155\begin{verbatim} 1156kadm5_ret_t 1157kadm5_create_principal(void *server_handle, 1158 kadm5_principal_ent_t princ, u_int32 mask, 1159 char *pw); 1160\end{verbatim} 1161 1162AUTHORIZATION REQUIRED: add 1163 1164\begin{enumerate} 1165 1166\item Return KADM5_BAD_MASK if the mask is invalid. 1167\item If the named principal exists, return KADM5_DUP. 1168\item If the POLICY bit is set and the named policy does not exist, 1169return KADM5_UNK_POLICY. 1170\item If KADM5_POLICY bit is set in aux_attributes check to see if 1171the password does not meets quality standards, return the appropriate 1172KADM5_PASS_Q_* error code if it fails. 1173\item Store the principal, set the key; see section \ref{sec:keys}. 1174\item If the POLICY bit is set, increment the named policy's reference 1175count by one. 1176 1177\item Set the pw_expiration field. 1178\begin{enumerate} 1179\item If the POLICY bit is set in mask, then if pw_max_life is non-zero, 1180set pw_expiration to now + pw_maxlife, otherwise set pw_max_life to 1181never. 1182\item If the PW_EXPIRATION bit is set in mask, set pw_expiration to 1183the requested value, overriding the value set above. 1184\end{enumerate} 1185NOTE: This is a change from the original semantics, in which policy 1186expiration was enforced even on administrators. The old semantics are 1187not preserved, even for version 1 callers, because this is a 1188server-specific policy decision; besides, the new semantics are less 1189restrictive, so all previous callers should continue to function 1190properly. 1191 1192\item Set mod_date to now and set mod_name to caller. 1193\item Set last_pwd_change to now. 1194\end{enumerate} 1195 1196RETURN CODES: 1197 1198\begin{description} 1199\item[KADM5_BAD_MASK] The field mask is invalid for a create 1200operation. 1201\item[KADM5_DUP] Principal already exists. 1202\item[KADM5_UNK_POLICY] Policy named in entry does not exist. 1203\item[KADM5_PASS_Q_*] Specified password does not meet policy 1204standards. 1205\end{description} 1206 1207\subsection{kadm5_delete_principal} 1208 1209\begin{verbatim} 1210kadm5_ret_t 1211kadm5_delete_principal(void *server_handle, krb5_principal princ); 1212\end{verbatim} 1213 1214AUTHORIZATION REQUIRED: delete 1215 1216\begin{enumerate} 1217\item Return KADM5_UNK_PRINC if the principal does not exist. 1218\item If the POLICY bit is set in aux_attributes, decrement the named 1219policy's reference count by one. 1220\item Delete principal. 1221\end{enumerate} 1222 1223RETURN CODES: 1224 1225\begin{description} 1226\item[KADM5_UNK_PRINC] Principal does not exist. 1227\end{description} 1228 1229\subsection{kadm5_modify_principal} 1230 1231\begin{verbatim} 1232kadm5_ret_t 1233kadm5_modify_principal(void *server_handle, 1234 kadm5_principal_ent_t princ, u_int32 mask); 1235\end{verbatim} 1236 1237Modify the attributes of the principal named in 1238kadm5_principal_ent_t. This does not allow the principal to be 1239renamed or for its password to be changed. 1240 1241AUTHORIZATION REQUIRED: modify 1242 1243Although a principal's pw_expiration is usually computed based on its 1244policy and the time at which it changes its password, this function 1245also allows it to be specified explicitly. This allows an 1246administrator, for example, to create a principal and assign it to a 1247policy with a pw_max_life of one month, but to declare that the new 1248principal must change its password away from its initial value 1249sometime within the first week. 1250 1251\begin{enumerate} 1252\item Return KADM5_UNK_PRINC if the principal does not exist. 1253\item Return KADM5_BAD_MASK if the mask is invalid. 1254\item If POLICY bit is set but the new policy does not exist, return 1255KADM5_UNK_POLICY. 1256\item If either the POLICY or POLICY_CLR bits are set, update the 1257corresponding bits in aux_attributes. 1258 1259\item Update policy reference counts. 1260\begin{enumerate} 1261\item If the POLICY bit is set, then increment policy count on new 1262policy. 1263\item If the POLICY or POLICY_CLR bit is set, and the POLICY bit in 1264aux_attributes is set, decrement policy count on old policy. 1265\end{enumerate} 1266 1267\item Set pw_expiration appropriately. pw_expiration can change if: 1268the POLICY bit is set in mask, so the principal is changing to a 1269policy (either from another policy or no policy); the POLICY_CLR bit 1270is set in mask, so the principal is changing to no policy; or 1271PW_EXPIRATION is set. 1272\begin{enumerate} 1273\item If the POLICY bit is set in mask, set pw_expiration to 1274last_pwd_change + pw_max_life if pw_max_life is non-zero, otherwise 1275set pw_expiration to never. 1276\item If the POLICY_CLR biti s set in mask, set pw_expiration to 1277never. 1278\item If PW_EXPIRATION is set, set pw_expiration to the requested 1279value, overriding the value from the previous two cases. NOTE: This 1280is a change from the original semantics, in which policy expiration 1281was enforced even on administrators. The old semantics are not 1282preserved, even for version 1 callers, because this is a 1283server-specific policy decision; besides, the new semantics are less 1284restrictive, so all previous callers should continue to function 1285properly. 1286\end{enumerate} 1287 1288% Here is the previous, and confusing, text of pw_expiration semantics: 1289%\begin{enumerate} 1290%\item If the POLICY bit is not set in aux_attributes, then 1291%\begin{enumerate} 1292%\item if the PW_EXPIRATION bit is set, set pw_expiration to the given 1293%value, else 1294%\item set pw_expiration to never. 1295%\end{enumerate} 1296%\item Otherwise, if the PW_EXPIRATION bit is set, set pw_expiration to 1297%the sooner of the given value and last_pwd_change + pw_max_life. 1298%\item Otherwise, set pw_expiration to last_pwd_change + pw_max_life. 1299%\end{enumerate} 1300 1301\item Update the remaining fields specified in the mask. 1302\item Update mod_name field to caller and mod_date to now. 1303\end{enumerate} 1304 1305RETURN CODES: 1306 1307\begin{description} 1308\item[KADM5_UNK_PRINC] Entry does not exist. 1309\item[KADM5_BAD_MASK] The mask is not valid for a modify 1310operation. 1311\item[KADM5_UNK_POLICY] The POLICY bit is set but the new 1312policy does not exist. 1313\item[KADM5_BAD_TL_TYPE] The KADM5_TL_DATA bit is set in mask, and the 1314given tl_data list contains an element whose type is less than 256. 1315\end{description} 1316 1317\subsection{kadm5_rename_principal} 1318 1319\begin{verbatim} 1320kadm5_ret_t 1321kadm5_rename_principal(void *server_handle, krb5_principal source, 1322 krb5_principal target); 1323\end{verbatim} 1324 1325AUTHORIZATION REQUIRED: add and delete 1326 1327\begin{enumerate} 1328\item Check to see if source principal exists, if not return 1329KADM5_UNK_PRINC error. 1330\item Check to see if target exists, if so return KADM5_DUP error. 1331\item Create the new principal named target, then delete the old 1332principal named source. All of target's fields will be the same as 1333source's fields, except that mod_name and mod_date will be updated to 1334reflect the current caller and time. 1335\end{enumerate} 1336 1337Note that since the principal name may have been used as the salt for 1338the principal's key, renaming the principal may render the principal's 1339current password useless; with the new salt, the key generated by 1340string-to-key on the password will suddenly be different. Therefore, 1341an application that renames a principal must also require the user to 1342specify a new password for the principal (and administrators should 1343notify the affected party). 1344 1345Note also that, by the same argument, renaming a principal will 1346invalidate that principal's password history information; since the 1347salt will be different, a user will be able to select a previous 1348password without error. 1349 1350RETURN CODES: 1351 1352\begin{description} 1353\item[KADM5_UNK_PRINC] Source principal does not exist. 1354\item[KADM5_DUP] Target principal already exist. 1355\end{description} 1356 1357\subsection{kadm5_chpass_principal} 1358 1359\begin{verbatim} 1360kadm5_ret_t 1361kadm5_chpass_principal(void *server_handle, krb5_principal princ, 1362 char *pw); 1363\end{verbatim} 1364 1365AUTHORIZATION REQUIRED: changepw, or the calling principal being the 1366same as the princ argument. If the request is authenticated to the 1367kadmin/changepw service, the changepw privilege is disregarded. 1368 1369Change a principal's password. See section \ref{sec:keys} for a 1370description of how the keys are determined. 1371 1372This function enforces password policy and dictionary checks. If the new 1373password specified is in the password dictionary, and the policy bit is set 1374KADM5_PASS_DICT is returned. If the principal's POLICY bit is set in 1375aux_attributes, compliance with each of the named policy fields is verified 1376and an appropriate error code is returned if verification fails. 1377 1378Note that the policy checks are only be performed if the POLICY bit is 1379set in the principal's aux_attributes field. 1380 1381\begin{enumerate} 1382\item Make sure principal exists, if not return KADM5_UNK_PRINC error. 1383\item If caller does not have modify privilege, (now - last_pwd_change) $<$ 1384pw_min_life, and the KRB5_KDB_REQUIRES_PWCHANGE bit is not set in the 1385principal's attributes, return KADM5_PASS_TOOSOON. 1386\item If the principal your are trying to change is kadmin/history 1387return KADM5_PROTECT_PRINCIPAL. 1388\item If the password does not meet the quality 1389standards, return the appropriate KADM5_PASS_Q_* error code. 1390\item Convert password to key; see section \ref{sec:keys}. 1391\item If the new key is in the principal's password history, return 1392KADM5_PASS_REUSE. 1393\item Store old key in history. 1394\item Update principal to have new key. 1395\item Increment principal's key version number by one. 1396\item If the POLICY bit is set, set pw_expiration to now + 1397max_pw_life. If the POLICY bit is not set, set pw_expiration to 1398never. 1399\item If the KRB5_KDB_REQUIRES_PWCHANGE bit is set in the principal's 1400attributes, clear it. 1401\item Update last_pwd_change and mod_date to now, update mod_name to 1402caller. 1403\end{enumerate} 1404 1405RETURN CODES: 1406 1407\begin{description} 1408\item[KADM5_UNK_PRINC] Principal does not exist. 1409\item[KADM5_PASS_Q_*] Requested password does not meet quality 1410standards. 1411\item[KADM5_PASS_REUSE] Requested password is in user's 1412password history. 1413\item[KADM5_PASS_TOOSOON] Current password has not reached minimum life 1414\item[KADM5_PROTECT_PRINCIPAL] Cannot change the password of a special principal 1415\end{description} 1416 1417 1418\subsection{kadm5_chpass_principal_util} 1419 1420\begin{verbatim} 1421kadm5_ret_t 1422kadm5_chpass_principal_util(void *server_handle, krb5_principal princ, 1423 char *new_pw, char **pw_ret, 1424 char *msg_ret); 1425\end{verbatim} 1426 1427AUTHORIZATION REQUIRED: changepw, or the calling principal being the 1428same as the princ argument. If the request is authenticated to the 1429kadmin/changepw service, the changepw privilege is disregarded. 1430 1431This function is a wrapper around kadm5_chpass_principal. It can 1432read a new password from a user, change a principal's password, and 1433return detailed error messages. msg_ret should point to a char buffer 1434in the caller's space of sufficient length for the error messages 1435described below. 1024 bytes is recommended. It will also return the 1436new password to the caller if pw_ret is non-NULL. 1437 1438\begin{enumerate} 1439\item If new_pw is NULL, this routine will prompt the user for the new 1440password (using the strings specified by KADM5_PW_FIRST_PROMPT and 1441KADM5_PW_SECOND_PROMPT) and read (without echoing) the password input. 1442Since it is likely that this will simply call krb5_read_password only 1443terminal-based applications will make use of the password reading 1444functionality. If the passwords don't match the string ``New passwords do 1445not match - password not changed.'' will be copied into msg_ret, and the 1446error code KRB5_LIBOS_BADPWDMATCH will be returned. For other errors that 1447occur while reading the new password, copy the string ``<com_err message$>$ 1448occurred while trying to read new password.'' followed by a blank line and 1449the string specified by CHPASS_UTIL_PASSWORD_NOT_CHANGED into msg_ret and 1450return the error code returned by krb5_read_password. 1451 1452\item If pw_ret is non-NULL, and the password was prompted, set *pw_ret to 1453point to a static buffer containing the password. If pw_ret is non-NULL 1454and the password was supplied, set *pw_ret to the supplied password. 1455 1456\item Call kadm5_chpass_principal with princ, and new_pw. 1457 1458\item If successful copy the string specified by CHPASS_UTIL_PASSWORD_CHANGED 1459into msg_ret and return zero. 1460 1461\item For a policy related failure copy the appropriate message (from below) 1462followed by a newline and ``Password not changed.'' into msg_ret 1463filling in the parameters from the principal's policy information. If 1464the policy information cannot be obtained copy the generic message if 1465one is specified below. Return the error code from 1466kadm5_chpass_principal. 1467 1468Detailed messages: 1469\begin{description} 1470 1471\item[PASS_Q_TOO_SHORT] 1472New password is too short. Please choose a 1473password which is more than $<$pw-min-len$>$ characters. 1474 1475\item[PASS_Q_TOO_SHORT - generic] 1476New password is too short. Please choose a longer password. 1477 1478\item[PASS_REUSE] 1479New password was used previously. Please choose a 1480different password. 1481 1482\item[PASS_Q_CLASS] 1483New password does not have enough character classes. Classes include 1484lower class letters, upper case letters, digits, punctuation and all 1485other characters. Please choose a password with at least 1486$<$min-classes$>$ character classes. 1487 1488\item[PASS_Q_CLASS - generic] 1489New password does not have enough character classes. Classes include 1490lower class letters, upper case letters, digits, punctuation and all 1491other characters. 1492 1493\item[PASS_Q_DICT] 1494New password was found in a dictionary of possible passwords and 1495therefore may be easily guessed. Please choose another password. See 1496the kpasswd man page for help in choosing a good password. 1497 1498\item[PASS_TOOSOON] 1499Password cannot be changed because it was changed too recently. Please 1500wait until $<$last-pw-change+pw-min-life$>$ before you change it. If you 1501need to change your password before then, contact your system 1502security administrator. 1503 1504\item[PASS_TOOSOON - generic] 1505Password cannot be changed because it was changed too recently. If you 1506need to change your now please contact your system security 1507administrator. 1508\end{description} 1509 1510\item For other errors copy the string ``$<$com_err message$>$ 1511occurred while trying to change password.'' following by a blank line 1512and ``Password not changed.'' into msg_ret. Return the error code 1513returned by kadm5_chpass_principal. 1514\end{enumerate} 1515 1516 1517RETURN CODES: 1518 1519\begin{description} 1520\item[KRB5_LIBOS_BADPWDMATCH] Typed new passwords did not match. 1521\item[KADM5_UNK_PRINC] Principal does not exist. 1522\item[KADM5_PASS_Q_*] Requested password does not meet quality 1523standards. 1524\item[KADM5_PASS_REUSE] Requested password is in user's 1525password history. 1526\item[KADM5_PASS_TOOSOON] Current password has not reached minimum 1527life. 1528\end{description} 1529 1530\subsection{kadm5_randkey_principal} 1531 1532In KADM5_API_VERSION_1: 1533 1534\begin{verbatim} 1535kadm5_ret_t 1536kadm5_randkey_principal(void *server_handle, krb5_principal princ, 1537 krb5_keyblock **new_key) 1538\end{verbatim} 1539 1540In KADM5_API_VERSION_2: 1541 1542\begin{verbatim} 1543kadm5_ret_t 1544kadm5_randkey_principal(void *server_handle, krb5_principal princ, 1545 krb5_keyblock **new_keys, int *n_keys) 1546\end{verbatim} 1547 1548AUTHORIZATION REQUIRED: changepw, or the calling principal being the 1549same as the princ argument. If the request is authenticated to the 1550kadmin/changepw service, the changepw privilege is disregarded. 1551 1552Generate and assign a new random key to the named principal, and 1553return the generated key in allocated storage. In 1554KADM5_API_VERSION_2, multiple keys may be generated and returned as an 1555array, and n_new_keys is filled in with the number of keys generated. 1556See section \ref{sec:keys} for a description of how the keys are 1557chosen. In KADM5_API_VERSION_1, the caller must free the returned 1558krb5_keyblock * with krb5_free_keyblock. In KADM5_API_VERSION_2, the 1559caller must free each returned keyblock with krb5_free_keyblock. 1560 1561If the principal's POLICY bit is set in aux_attributes and the caller does 1562not have modify privilege , compliance with the password minimum life 1563specified by the policy is verified and an appropriate error code is returned 1564if verification fails. 1565 1566\begin{enumerate} 1567\item If the principal does not exist, return KADM5_UNK_PRINC. 1568\item If caller does not have modify privilege, (now - last_pwd_change) $<$ 1569pw_min_life, and the KRB5_KDB_REQUIRES_PWCHANGE bit is not set in the 1570principal's attributes, return KADM5_PASS_TOOSOON. 1571\item If the principal you are trying to change is kadmin/history return 1572KADM5_PROTECT_PRINCIPAL. 1573\item Store old key in history. 1574\item Update principal to have new key. 1575\item Increment principal's key version number by one. 1576\item If the POLICY bit in aux_attributes is set, set pw_expiration to 1577now + max_pw_life. 1578\item If the KRB5_KDC_REQUIRES_PWCHANGE bit is set in the principal's 1579attributes, clear it. 1580\item Update last_pwd_change and mod_date to now, update mod_name to 1581caller. 1582\end{enumerate} 1583 1584RETURN CODES: 1585 1586\begin{description} 1587\item[KADM5_UNK_PRINC] Principal does not exist. 1588\item[KADM5_PASS_TOOSOON] The minimum lifetime for the current 1589key has not expired. 1590\item[KADM5_PROTECT_PRINCIPAL] Cannot change the password of a special 1591principal 1592\end{description} 1593 1594This function can also be used as part of a sequence to create a new 1595principal with a random key. The steps to perform the operation 1596securely are 1597 1598\begin{enumerate} 1599\item Create the principal with kadm5_create_principal with a 1600random password string and with the KRB5_KDB_DISALLOW_ALL_TIX bit set 1601in the attributes field. 1602 1603\item Randomize the principal's key with kadm5_randkey_principal. 1604 1605\item Call kadm5_modify_principal to reset the 1606KRB5_KDB_DISALLOW_ALL_TIX bit in the attributes field. 1607\end{enumerate} 1608 1609The three steps are necessary to ensure secure creation. Since an 1610attacker might be able to guess the initial password assigned by the 1611client program, the principal must be disabled until the key can be 1612truly randomized. 1613 1614\subsection{kadm5_setkey_principal} 1615 1616\begin{verbatim} 1617kadm5_ret_t 1618kadm5_setkey_principal(void *server_handle, krb5_principal princ, 1619 krb5_keyblock *new_keys, int n_keys) 1620\end{verbatim} 1621 1622AUTHORIZATION REQUIRED: setkey. This function does not allow the use 1623of regular changepw authorization because it bypasses the password 1624policy mechanism. 1625 1626This function only exists in KADM5_API_VERSION_2. 1627 1628Explicitly sets the specified principal's keys to the n_keys keys in 1629the new_keys array. The keys in new_keys should not be encrypted in 1630the Kerberos master key; this function will perform that operation 1631itself (the keys will be protected during transmission from the 1632calling client to the kadmind server by the AUTH_GSSAPI RPC layer). 1633This function completely bypasses the principal's password policy, if 1634set. 1635 1636\begin{enumerate} 1637\item If the principal does not exist, return KADM5_UNK_PRINC. 1638\item If the principal you are trying to change is kadmin/history return 1639KADM5_PROTECT_PRINCIPAL. 1640\item If new_keys contains more than one key of any ENCTYPE_DES_CBC_* 1641type that is folded, return KADM5_SETKEY_DUP_ENCTYPES. 1642\item Store old key in history. 1643\item Update principal to have new key. 1644\item Increment principal's key version number by one. 1645\item If the POLICY bit in aux_attributes is set, set pw_expiration to 1646now + max_pw_life. 1647\item If the KRB5_KDC_REQUIRES_PWCHANGE bit is set in the principal's 1648attributes, clear it. 1649\item Update last_pwd_change and mod_date to now, update mod_name to 1650caller. 1651\end{enumerate} 1652 1653RETURN CODES: 1654 1655\begin{description} 1656\item[KADM5_UNK_PRINC] Principal does not exist. 1657\item[KADM5_PROTECT_PRINCIPAL] Cannot change the password of a special 1658principal 1659\end{description} 1660 1661This function can also be used as part of a sequence to create a new 1662principal with an explicitly key. The steps to perform the operation 1663securely are 1664 1665\begin{enumerate} 1666\item Create the principal with kadm5_create_principal with a 1667random password string and with the KRB5_KDB_DISALLOW_ALL_TIX bit set 1668in the attributes field. 1669 1670\item Set the principal's key with kadm5_setkey_principal. 1671 1672\item Call kadm5_modify_principal to reset the 1673KRB5_KDB_DISALLOW_ALL_TIX bit in the attributes field. 1674\end{enumerate} 1675 1676The three steps are necessary to ensure secure creation. Since an 1677attacker might be able to guess the initial password assigned by the 1678client program, the principal must be disabled until the key can be 1679truly randomized. 1680 1681\subsection{kadm5_get_principal} 1682 1683In KADM5_API_VERSION_1: 1684 1685\begin{verbatim} 1686kadm5_ret_t 1687kadm5_get_principal(void *server_handle, krb5_principal princ, 1688 kadm5_principal_ent_t *ent); 1689\end{verbatim} 1690 1691In KADM5_API_VERSION_2: 1692 1693\begin{verbatim} 1694kadm5_ret_t 1695kadm5_get_principal(void *server_handle, krb5_principal princ, 1696 kadm5_principal_ent_t ent, u_int32 mask); 1697\end{verbatim} 1698 1699AUTHORIZATION REQUIRED: get, or the calling principal being the same 1700as the princ argument. If the request is authenticated to the 1701kadmin/changepw service, the get privilege is disregarded. 1702 1703In KADM5_API_VERSION_1, return all of the principal's attributes in 1704allocated memory; if an error is returned entry is set to NULL. In 1705KADM5_API_VERSION_2, fill in the fields of the principal structure 1706specified in the mask; memory for the structure is not allocated. 1707Typically, a caller will specify the mask KADM5_PRINCIPAL_NORMAL_MASK, 1708which includes all the fields {\it except} key_data and tl_data to 1709improve time and memory efficiency. A caller that wants key_data and 1710tl_data can bitwise-OR those masks onto NORMAL_MASK. Note that even 1711if KADM5_TL_DATA is specified, this function will not return internal 1712tl_data elements whose type is less than 256. 1713 1714The caller must free the returned entry with kadm5_free_principal_ent. 1715 1716The function behaves differently for local and remote clients. For 1717remote clients, the KEY_DATA mask is illegal and results in a 1718KADM5_BAD_MASK error. 1719 1720RETURN CODES: 1721 1722\begin{description} 1723\item[KADM5_UNK_PRINC] Principal does not exist. 1724\item[KADM5_BAD_MASK] The mask is not valid for a get operation. 1725 1726\end{description} 1727 1728\subsection{kadm5_decyrpt_key} 1729 1730\begin{verbatim} 1731kadm5_ret_t kadm5_decrypt_key(void *server_handle, 1732 kadm5_principal_ent_t entry, krb5_int32 1733 ktype, krb5_int32 stype, krb5_int32 1734 kvno, krb5_keyblock *keyblock, 1735 krb5_keysalt *keysalt, int *kvnop) 1736\end{verbatim} 1737 1738AUTHORIZATION REQUIRED: none, local function 1739 1740Searches a principal's key_data array to find a key with the specified 1741enctype, salt type, and kvno, and decrypts the key into keyblock and 1742keysalt if found. entry must have been returned by 1743kadm5_get_principal with at least the KADM5_KEY_DATA mask set. 1744Returns ENOENT if the key cannot be found, EINVAL if the key_data 1745array is empty (as it always is in an RPC client). 1746 1747If ktype or stype is -1, it is ignored for the search. If kvno is -1, 1748ktype and stype are ignored and the key with the max kvno is returned. 1749If kvno is 0, only the key with the max kvno is returned and only if 1750it matches the ktype and stype; otherwise, ENOENT is returned. 1751 1752\subsection{kadm5_get_principals} 1753 1754\begin{verbatim} 1755kadm5_ret_t 1756kadm5_get_principals(void *server_handle, char *exp, 1757 char ***princs, int *count) 1758\end{verbatim} 1759 1760Retrieves the list of principal names. 1761 1762AUTHORIZATION REQUIRED: list 1763 1764If \v{exp} is NULL, all principal names are retrieved; otherwise, 1765principal names that match the expression exp are retrieved. 1766\v{princs} is filled in with a pointer to a NULL-terminated array of 1767strings, and \v{count} is filled in with the number of principal names 1768in the array. \v{princs} must be freed with a call to 1769\v{kadm5_free_name_list}. 1770 1771All characters in the expression match themselves except ``?'' which 1772matches any single character, ``*'' which matches any number of 1773consecutive characters, and ``[chars]'' which matches any single 1774character of ``chars''. Any character which follows a ``$\backslash$'' 1775matches itself exactly, and a ``$\backslash$'' cannot be the last 1776character in the string. 1777 1778\subsection{kadm5_create_policy} 1779 1780\begin{verbatim} 1781kadm5_ret_t 1782kadm5_create_policy(void *server_handle, 1783 kadm5_policy_ent_t policy, u_int32 mask); 1784\end{verbatim} 1785 1786Create a new policy. 1787 1788AUTHORIZATION REQUIRED: add 1789 1790\begin{enumerate} 1791\item Check to see if mask is valid, if not return KADM5_BAD_MASK error. 1792\item Return KADM5_BAD_POLICY if the policy name contains illegal 1793characters. 1794 1795\item Check to see if the policy already exists, if so return 1796KADM5_DUP error. 1797\item If the PW_MIN_CLASSES bit is set and pw_min_classes is not 1, 2, 17983, 4, or 5, return KADM5_BAD_CLASS. 1799\item Create a new policy setting the appropriate fields determined 1800by the mask. 1801\end{enumerate} 1802 1803RETURN CODES: 1804 1805\begin{description} 1806\item[KADM5_DUP] Policy already exists 1807\item[KADM5_BAD_MASK] The mask is not valid for a create 1808operation. 1809\item[KADM5_BAD_CLASS] The specified number of character classes 1810is invalid. 1811\item[KADM5_BAD_POLICY] The policy name contains illegal characters. 1812\end{description} 1813 1814\subsection{kadm5_delete_policy} 1815 1816\begin{verbatim} 1817kadm5_ret_t 1818kadm5_delete_policy(void *server_handle, char *policy); 1819\end{verbatim} 1820 1821Deletes a policy. 1822 1823AUTHORIZATION REQUIRED: delete 1824 1825\begin{enumerate} 1826\item Return KADM5_BAD_POLICY if the policy name contains illegal 1827characters. 1828\item Return KADM5_UNK_POLICY if the named policy does not exist. 1829\item Return KADM5_POLICY_REF if the named policy's refcnt is not 0. 1830\item Delete policy. 1831\end{enumerate} 1832 1833RETURN CODES: 1834 1835\begin{description} 1836\item[KADM5_BAD_POLICY] The policy name contains illegal characters. 1837\item[KADM5_UNK_POLICY] Policy does not exist. 1838\item[KADM5_POLICY_REF] Policy is being referenced. 1839\end{description} 1840 1841\subsection{kadm5_modify_policy} 1842 1843\begin{verbatim} 1844kadm5_ret_t 1845kadm5_modify_policy(void *server_handle, 1846 kadm5_policy_ent_t policy, u_int32 mask); 1847\end{verbatim} 1848 1849Modify an existing policy. Note that modifying a policy has no affect 1850on a principal using the policy until the next time the principal's 1851password is changed. 1852 1853AUTHORIZATION REQUIRED: modify 1854 1855\begin{enumerate} 1856\item Return KADM5_BAD_POLICY if the policy name contains illegal 1857characters. 1858\item Check to see if mask is legal, if not return KADM5_BAD_MASK error. 1859\item Check to see if policy exists, if not return 1860KADM5_UNK_POLICY error. 1861\item If the PW_MIN_CLASSES bit is set and pw_min_classes is not 1, 2, 18623, 4, or 5, return KADM5_BAD_CLASS. 1863\item Update the fields specified in the mask. 1864\end{enumerate} 1865 1866RETURN CODES: 1867 1868\begin{description} 1869\item[KADM5_BAD_POLICY] The policy name contains illegal characters. 1870\item[KADM5_UNK_POLICY] Policy not found. 1871\item[KADM5_BAD_MASK] The mask is not valid for a modify 1872operation. 1873\item[KADM5_BAD_CLASS] The specified number of character classes 1874is invalid. 1875\end{description} 1876 1877\subsection{kadm5_get_policy} 1878 1879In KADM5_API_VERSION_1: 1880 1881\begin{verbatim} 1882kadm5_ret_t 1883kadm5_get_policy(void *server_handle, char *policy, kadm5_policy_ent_t *ent); 1884\end{verbatim} 1885 1886In KADM5_API_VERSION_2: 1887 1888\begin{verbatim} 1889kadm5_ret_t 1890kadm5_get_policy(void *server_handle, char *policy, kadm5_policy_ent_t ent); 1891\end{verbatim} 1892 1893AUTHORIZATION REQUIRED: get, or the calling principal's policy being 1894the same as the policy argument. If the request is authenticated to 1895the kadmin/changepw service, the get privilege is disregarded. 1896 1897In KADM5_API_VERSION_1, return the policy's attributes in allocated 1898memory; if an error is returned entry is set to NULL. In 1899KADM5_API_VERSION_2, fill in fields of the policy structure allocated 1900by the caller. The caller must free the returned entry with 1901kadm5_free_policy_ent 1902 1903RETURN CODES: 1904 1905\begin{description} 1906\item[KADM5_BAD_POLICY] The policy name contains illegal characters. 1907\item[KADM5_UNK_POLICY] Policy not found. 1908\end{description} 1909 1910\subsection{kadm5_get_policies} 1911 1912\begin{verbatim} 1913kadm5_ret_t 1914kadm5_get_policies(void *server_handle, char *exp, 1915 char ***pols, int *count) 1916\end{verbatim} 1917 1918Retrieves the list of principal names. 1919 1920AUTHORIZATION REQUIRED: list 1921 1922If \v{exp} is NULL, all principal names are retrieved; otherwise, 1923principal names that match the expression exp are retrieved. \v{pols} 1924is filled in with a pointer to a NULL-terminated array of strings, and 1925\v{count} is filled in with the number of principal names in the 1926array. \v{pols} must be freed with a call to 1927\v{kadm5_free_name_list}. 1928 1929All characters in the expression match themselves except ``?'' which 1930matches any single character, ``*'' which matches any number of 1931consecutive characters, and ``[chars]'' which matches any single 1932character of ``chars''. Any character which follows a ``$\backslash$'' 1933matches itself exactly, and a ``$\backslash$'' cannot be the last 1934character in the string. 1935 1936\subsection{kadm5_free_principal_ent, _policy_ent} 1937 1938\begin{verbatim} 1939void kadm5_free_principal_ent(void *server_handle, 1940 kadm5_principal_ent_t princ); 1941\end{verbatim} 1942 1943In KADM5_API_VERSION_1, free the structure and contents allocated by a 1944call to kadm5_get_principal. In KADM5_API_VERSION_2, free the 1945contents allocated by a call to kadm5_get_principal. 1946 1947AUTHORIZATION REQUIRED: none (local operation) 1948 1949\begin{verbatim} 1950void kadm5_free_policy_ent(kadm5_policy_ent_t policy); 1951\end{verbatim} 1952 1953Free memory that was allocated by a call to kadm5_get_policy. If 1954the argument is NULL, the function returns successfully. 1955 1956AUTHORIZATION REQUIRED: none (local operation) 1957 1958\subsection{kadm5_free_name_list} 1959 1960\begin{verbatim} 1961void kadm5_free_name_list(void *server_handle, 1962 char **names, int *count); 1963\end{verbatim} 1964 1965Free the memory that was allocated by kadm5_get_principals or 1966kadm5_get_policies. names and count must be a matched pair of 1967values returned from one of those two functions. 1968 1969\subsection{kadm5_free_key_data} 1970 1971\begin{verbatim} 1972void kadm5_free_key_data(void *server_handle, 1973 krb5_int16 *n_key_data, krb5_key_data *key_data) 1974\end{verbatim} 1975 1976Free the memory that was allocated by kadm5_randkey_principal. 1977n_key_data and key_data must be a matched pair of values returned from 1978that function. 1979 1980\subsection{kadm5_get_privs} 1981 1982\begin{verbatim} 1983kadm5_ret_t 1984kadm5_get_privs(void *server_handle, u_int32 *privs); 1985\end{verbatim} 1986 1987Return the caller's admin server privileges in the integer pointed to 1988by the argument. The Admin API does not define any way for a 1989principal's privileges to be set. Note that this function will 1990probably be removed or drastically changed in future versions of this 1991system. 1992 1993The returned value is a bitmask indicating the caller's privileges: 1994 1995\begin{tabular}{llr} 1996{\bf Privilege} & {\bf Symbol} & {\bf Value} \\ 1997Get & KADM5_PRIV_GET & 0x01 \\ 1998Add & KADM5_PRIV_ADD & 0x02 \\ 1999Modify & KADM5_PRIV_MODIFY & 0x04 \\ 2000Delete & KADM5_PRIV_DELETE & 0x08 \\ 2001List & KADM5_PRIV_LIST & 0x10 \\ 2002Changepw & KADM5_PRIV_CPW & 0x20 2003\end{tabular} 2004 2005There is no guarantee that a caller will have a privilege indicated by 2006this function for any length of time or for any particular target; 2007applications using this function must still be prepared to handle all 2008possible KADM5_AUTH_* error codes. 2009 2010In the initial MIT Kerberos version of the admin server, permissions 2011depend both on the caller and the target; this function returns a 2012bitmask representing all privileges the caller can possibly have for 2013any possible target. 2014 2015\end{document} 2016