|
1 # |
|
2 # This patch updates a number of man pages to reflect Solaris specific features |
|
3 # in Kerberos. |
|
4 # |
|
5 # Note: It is not intended that these changes are to be contributed to MIT given |
|
6 # that the associated updates are for Solaris only features. |
|
7 # Patch source: in-house |
|
8 # |
|
9 diff -pur old/src/man/kadm5.acl.man new/src/man/kadm5.acl.man |
|
10 --- old/src/man/kadm5.acl.man 2015-06-02 23:50:06.299043998 -0600 |
|
11 +++ new/src/man/kadm5.acl.man 2015-06-03 00:21:02.470157817 -0600 |
|
12 @@ -131,6 +131,12 @@ T} T{ |
|
13 T} |
|
14 _ |
|
15 T{ |
|
16 +u |
|
17 +T} T{ |
|
18 +[Dis]allows the creation of one-component user principals whose password can be validated with PAM |
|
19 +T} |
|
20 +_ |
|
21 +T{ |
|
22 x |
|
23 T} T{ |
|
24 Short for admcilsp. All privileges |
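Review bot: the new `u` row leaves the `x` row ("Short for admcilsp. All privileges") ambiguous, because `u` is not among the letters listed there; state explicitly whether `x` (and `*`) also grant `u`, or change the wording to "All privileges except u" if they do not. The row should also mark the privilege as Solaris-specific, since the patch header says these changes are not going upstream and a reader comparing against the MIT page will otherwise not know why the letter is missing there.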
|
25 diff -pur old/src/man/kadmind.man new/src/man/kadmind.man |
|
26 --- old/src/man/kadmind.man 2015-06-02 23:50:06.300700577 -0600 |
|
27 +++ new/src/man/kadmind.man 2015-06-03 00:14:42.953821215 -0600 |
|
28 @@ -141,4 +141,16 @@ MIT |
|
29 .SH COPYRIGHT |
|
30 1985-2015, MIT |
|
31 .\" Generated by docutils manpage writer. |
|
32 +.SH NOTES |
|
33 +.sp |
|
34 +The \fBkadmind\fR service is managed by the service management facility, \fBsmf\fR(5), under the service identifier: |
|
35 +.sp |
|
36 +.in +2 |
|
37 +.nf |
|
38 +svc:/network/security/kadmin:default |
|
39 +.fi |
|
40 +.in -2 |
|
41 +.sp |
|
42 +Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command. |
|
43 +.sp |
|
44 . |
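Review bot: the NOTES section is appended after the `.\" Generated by docutils manpage writer.` comment, i.e. into a file that is generated from the RST sources; unless the corresponding RST under `src/doc` is patched as well, the next regeneration silently drops this text, so either patch the RST or say in the patch header that the .man files are maintained by hand on Solaris. Also, the added lines switch back to roman with `\fR` while the rest of this page uses `\fP`; use `\fP` for consistency.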
|
45 diff -pur old/src/man/kdc.conf.man new/src/man/kdc.conf.man |
|
46 --- old/src/man/kdc.conf.man 2015-06-02 23:50:06.299728571 -0600 |
|
47 +++ new/src/man/kdc.conf.man 2015-07-10 02:34:59.845899733 -0600 |
|
48 @@ -96,6 +96,8 @@ subsection does not contain a relation f |
|
49 .IP \(bu 2 |
|
50 \fBhost_based_services\fP |
|
51 .IP \(bu 2 |
|
52 +\fBkdc_max_tcp_connections\fP |
|
53 +.IP \(bu 2 |
|
54 \fBkdc_ports\fP |
|
55 .IP \(bu 2 |
|
56 \fBkdc_tcp_ports\fP |
|
57 @@ -300,6 +302,11 @@ is 749, which is used by default. |
|
58 (String.) Specifies the location where the master key has been |
|
59 stored (via kdb5_util stash). The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm. |
|
60 .TP |
|
61 +.B \fBkdc_max_tcp_connections\fP |
|
62 +This relation controls the maximum number of TCP connections the |
|
63 +KDC allows. The minimum value is 10. If this relation is not specified, the |
|
64 +Kerberos server allows a maximum of 30 TCP connections. |
|
65 +.TP |
|
66 .B \fBkdc_ports\fP |
|
67 (Whitespace\- or comma\-separated list.) Lists the ports on which |
|
68 the Kerberos server should listen for UDP requests, as a |
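Review bot: the kdc_max_tcp_connections entry does not say what happens when the configured value is below the stated minimum of 10 (clamped to 10, or rejected with an error at startup) nor what the KDC does with a new TCP connection once the limit is reached (refused, or an idle connection closed to make room); both matter operationally, because this relation is the knob that bounds resource use from TCP clients and an administrator needs to know whether the default of 30 can turn away legitimate clients under load. Also add the type tag the neighbouring entries carry, e.g. `(Integer.)` before the first sentence, matching the `(String.)` and `(Whitespace\- or comma\-separated list.)` forms in the surrounding context.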
|
69 @@ -600,11 +607,64 @@ If no severity is specified, the default |
|
70 facility is specified, the default is \fBAUTH\fP\&. |
|
71 .UNINDENT |
|
72 .sp |
|
73 +The following relation can be defined to specify how to rotate \fBkadmin\fP |
|
74 +and \fBkdc\fP log files if the \fBFILE:\fP value is being used to log: |
|
75 +.sp |
|
76 +.TP |
|
77 +.B \fBadmin_server_rotate\fP |
|
78 +.TP |
|
79 +.B \fBkdc_rotate\fP |
|
80 +A relation subsection that enables \fBkadmin\fP (\fBadmin_server_rotate\fP) |
|
81 +and/or \fBkdc\fP (\fBkdc_rotate\fP) logging to be rotated to multiple files |
|
82 +based on a time interval. This can be used to avoid logging to one |
|
83 +file, which might grow too large and bring the \fBKDC\fP to a halt. |
|
84 +.UNINDENT |
|
85 +.sp |
|
86 +.INDENT 0.0 |
|
87 +The time interval for the rotation is specified by the \fBperiod\fP relation. |
|
88 +The number of log files to be rotated is specified by the \fBversions\fP |
|
89 +relation. Both the \fBperiod\fP and \fBversions\fP (described below) should be |
|
90 +included in this subsection. And, this subsection applies only if the |
|
91 +\fBkdc\fP relation has a \fBFILE:\fP value. |
|
92 +.sp |
|
93 +The following relations can be specified for the \fBkdc_rotate\fP relation |
|
94 +subsection: |
|
95 +.sp |
|
96 +.TP |
|
97 +.B \fBperiod\fP=\fIdelta_time\fP |
|
98 +Specifies the time interval before a new log file is created. See |
|
99 +the \fBTimeFormats\fP section in \fBkinit\fP(1) for the valid time duration |
|
100 +formats you can specify for \fIdelta_time\fP. If \fBperiod\fP is not specified |
|
101 +or set to never, no rotation occurs. |
|
102 +.UNINDENT |
|
103 +.sp |
|
104 +.INDENT 0.0 |
|
105 +Specifying a time interval does not mean that the log files are rotated |
|
106 +at the time interval based on real time. This is because the time |
|
107 +interval is checked at each attempt to write a record to the log, or |
|
108 +when logging is actually occurring. Therefore, rotation occurs only |
|
109 +when logging has actually occurred for the specified time interval. |
|
110 +.sp |
|
111 +.TP |
|
112 +.B \fBversions\fP=\fInumber\fP |
|
113 +Specifies how many previous versions are saved before the rotation |
|
114 +begins. A number is appended to the log file, starting with 0 and |
|
115 +ending with (\fInumber\fP - 1). For example, if \fBversions\fP is set to 2, up |
|
116 +to three logging files are created (\fIfilename\fP, \fIfilename\fP.0, and |
|
117 +\fIfilename\fP.1) before the first one is overwritten to begin the rotation. |
|
118 +.UNINDENT |
|
119 +.sp |
|
120 +.INDENT 0.0 |
|
121 +Notice that if \fBversions\fP is not specified or set to \fB0\fP, only one log |
|
122 +file is created, but it is overwritten whenever the time interval is met. |
|
123 +.sp |
|
124 In the following example, the logging messages from the KDC will go to |
|
125 the console and to the system log under the facility LOG_DAEMON with |
|
126 default severity of LOG_INFO; and the logging messages from the |
|
127 administrative server will be appended to the file |
|
128 \fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP\&. |
|
129 +\fB/var/adm/kadmin.log\fP is rotated between twenty-one log files with a |
|
130 +specified time interval of a day. |
|
131 .INDENT 0.0 |
|
132 .INDENT 3.5 |
|
133 .sp |
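Review bot: the `.INDENT`/`.UNINDENT` macros in this hunk are not paired: the first added `.UNINDENT` (after "bring the KDC to a halt") has no opening `.INDENT 0.0` before the `.TP` for admin_server_rotate/kdc_rotate, and the last added `.INDENT 0.0` (before "Notice that if versions is not specified") is never closed before the existing `.INDENT 0.0`/`.INDENT 3.5` of the example, so the docutils macros pop one indent level too many at the top and leave one open at the bottom; add `.INDENT 0.0` before the first added `.TP` and `.UNINDENT` after the "Notice that ..." paragraph. The scope wording also needs tightening: "this subsection applies only if the kdc relation has a FILE: value" and "The following relations can be specified for the kdc_rotate relation subsection" both describe kdc_rotate only, although the text covers admin_server_rotate as well; say "the corresponding kdc or admin_server relation" and "for either subsection". Finally, "set to never" should be marked up as `\fBnever\fP`, since it is a literal value.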
|
134 @@ -615,6 +675,10 @@ administrative server will be appended t |
|
135 kdc = SYSLOG:INFO:DAEMON |
|
136 admin_server = FILE:/var/adm/kadmin.log |
|
137 admin_server = DEVICE=/dev/tty04 |
|
138 + admin_server_rotate = { |
|
139 + period = 1d |
|
140 + versions = 20 |
|
141 + } |
|
142 .ft P |
|
143 .fi |
|
144 .UNINDENT |
|
145 diff -pur old/src/man/kpropd.man new/src/man/kpropd.man |
|
146 --- old/src/man/kpropd.man 2015-06-02 23:50:06.300408196 -0600 |
|
147 +++ new/src/man/kpropd.man 2015-06-03 00:14:37.624396664 -0600 |
|
148 @@ -151,4 +151,16 @@ MIT |
|
149 .SH COPYRIGHT |
|
150 1985-2015, MIT |
|
151 .\" Generated by docutils manpage writer. |
|
152 +.SH NOTES |
|
153 +.sp |
|
154 +The \fBkprop\fR service is managed by the service management facility, \fBsmf\fR(5), under the service identifier: |
|
155 +.sp |
|
156 +.in +2 |
|
157 +.nf |
|
158 +svc:/network/security/krb5_prop:default |
|
159 +.fi |
|
160 +.in -2 |
|
161 +.sp |
|
162 +Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command. |
|
163 +.sp |
|
164 . |
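Review bot: the first sentence names "The kprop service", but this is the kpropd page and the SMF instance is krb5_prop, so a reader may think it refers to the kprop client; write "The kpropd daemon is managed by the service management facility, smf(5), under the service identifier svc:/network/security/krb5_prop:default" instead. The same `\fR` versus `\fP` inconsistency and the generated-file concern raised on the kadmind hunk apply here too.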
|
165 diff -pur old/src/man/krb5.conf.man new/src/man/krb5.conf.man |
|
166 --- old/src/man/krb5.conf.man 2015-06-02 23:50:06.301088663 -0600 |
|
167 +++ new/src/man/krb5.conf.man 2015-07-10 01:32:03.489438178 -0600 |
|
168 @@ -199,6 +199,10 @@ set if backward compatibility requires a |
|
169 See the \fBkdc_req_checksum_type\fP configuration option for the |
|
170 possible values and their meanings. |
|
171 .TP |
|
172 +.B \fBauth_to_local_realm\fP |
|
173 +For use in the default realm, non-default realms can be equated |
|
174 +with the default realm for authenticated name-to-local name mapping. |
|
175 +.TP |
|
176 .B \fBcanonicalize\fP |
|
177 If this flag is set to true, initial ticket requests to the KDC |
|
178 will request canonicalization of the client principal name, and |
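Review bot: the auth_to_local_realm entry gives neither the value type nor the format (a single realm name, or a whitespace- or comma-separated list as kdc_ports uses on the kdc.conf page?), and it should state that the relation lives in [libdefaults], which is where it is placed here next to canonicalize. It also needs a caveat: equating a realm with the default realm for name-to-local mapping means that `user@OTHER.REALM` maps to the local account `user` exactly as `user@DEFAULT.REALM` does, so every realm listed must be one whose KDC and principal namespace the local administrator fully trusts; a sentence saying so would stop an administrator from listing a realm they merely have a cross-realm trust with.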
|
179 @@ -499,7 +503,7 @@ attempt fails. |
|
180 .B \fBverify_ap_req_nofail\fP |
|
181 If this flag is true, then an attempt to verify initial |
|
182 credentials will fail if the client machine does not have a |
|
183 -keytab. The default value is false. |
|
184 +keytab. The default value is true. |
|
185 .UNINDENT |
|
186 .SS [realms] |
|
187 .sp |
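Review bot: changing the documented default of verify_ap_req_nofail from false to true is a behavioural divergence from upstream MIT, and the text gives no hint that this is a Solaris-specific default; add a sentence such as "On Solaris the default is true" together with the reason (with the flag false, a client that has no keytab skips verification of the initial credentials against the host key, which leaves it exposed to a spoofed KDC, whereas true fails closed). Please also confirm that the library actually ships with this default, since only the man page is changed here.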
|
188 @@ -823,6 +827,52 @@ other realms should have \fBoption2\fP s |
|
189 The list of specifiable options for each application may be found in |
|
190 that application\(aqs man pages. The application defaults specified here |
|
191 are overridden by those specified in the \fI\%realms\fP section. |
|
192 +.sp |
|
193 +The following relations can be found in the \fB[appdefaults]\fP section, |
|
194 +though not all relations are recognized by all kerberized applications. |
|
195 +Some are specific to particular applications. |
|
196 +.TP |
|
197 +.B \fBautologin\fP = [\fBtrue\fP | \fBfalse\fP] |
|
198 +Forces the application to attempt automatic login by presenting |
|
199 +Kerberos credentials. This is valid for the following applications: |
|
200 +\fBrlogin\fP, \fBrsh\fP, \fBrcp\fP, and \fBtelnet\fP. |
|
201 +.TP |
|
202 +.B \fBencrypt\fP = [\fBtrue\fP | \fBfalse\fP] |
|
203 +Forces applications to use encryption by default (after authentication) to |
|
204 +protect the privacy of the sessions. This is valid for the following |
|
205 +applications: \fBrlogin\fP, \fBrsh\fP, \fBrcp\fP, and \fBtelnet\fP. |
|
206 +.TP |
|
207 +.B \fBforward\fP = [\fBtrue\fP | \fBfalse\fP] |
|
208 +Forces applications to forward the user's credentials (after |
|
209 +authentication) to the remote server. This is valid for the following |
|
210 +applications: \fBrlogin\fP, \fBrsh\fP, \fBrcp\fP, and \fBtelnet\fP. |
|
211 +.TP |
|
212 +.B \fBforwardable\fP = [\fBtrue\fP | \fBfalse\fP] |
|
213 +See the description in the \fB[libdefaults]\fP section above. This is |
|
214 +used by any application that creates a ticket granting ticket and |
|
215 +also by applications that can forward tickets to a remote server. |
|
216 +.TP |
|
217 +.B \fBproxiable\fP = [\fBtrue\fP | \fBfalse\fP] |
|
218 +See the description in the \fB[libdefaults]\fP section above. This is |
|
219 +used by any application that creates a ticket granting ticket. |
|
220 +.TP |
|
221 +.B \fBrenewable\fP = [\fBtrue\fP | \fBfalse\fP] |
|
222 +Creates a TGT that can be renewed (prior to the ticket expiration |
|
223 +time). This is used by any application that creates a ticket granting ticket. |
|
224 +.TP |
|
225 +.B \fBnoaddresses\fP = [\fBtrue\fP | \fBfalse\fP] |
|
226 +Creates tickets with no address bindings. This is to allow tickets |
|
227 +to be used across a \fBNAT\fP boundary or when using multi-homed systems. |
|
228 +This option is valid in the \fBkinit [appdefault]\fP section only. |
|
229 +.TP |
|
230 +.B \fBrcmd_protocol\fP = [ \fBrcmdv1\fP | \fBrcmdv2\fP ] |
|
231 +Specifies which Kerberized "\fBrcmd\fP" protocol to use when using the |
|
232 +Kerberized \fBrlogin\fP(1), \fBrsh\fP(1), or \fBrcp\fP(1) programs. The default |
|
233 +is to use \fBrcmdv2\fP by default, as this is the more secure and more recent |
|
234 +update of the protocol. However, when talking to older \fBMIT\fP or \fBSEAM\fP- |
|
235 +based "\fBrcmd\fP" servers, it can be necessary to force the new clients |
|
236 +to use the older \fBrcmdv1\fP protocol. This option is valid only for the |
|
237 +following applications: \fBrlogin\fP, \fBrcp\fP, and \fBrsh\fP. |
|
238 .SS [plugins] |
|
239 .INDENT 0.0 |
|
240 .INDENT 3.5 |
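Review bot: in the rcmd_protocol entry the input line ends with `\fBSEAM\fP-` and the next line starts with `based`; troff fills these as "SEAM- based" with a space after the hyphen, so keep "SEAM-based" on one input line. The same entry says "The default is to use rcmdv2 by default"; drop one "default". In the noaddresses entry, "[appdefault]" should read "[appdefaults]" to match the section name. One defensive addition for the forward entry: since it sends the user's credentials to every remote server these tools connect to, it is worth saying that it should only be enabled for hosts the user trusts with their credentials, ideally per-host via the realm or host-specific [appdefaults] forms rather than globally.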
|
241 diff -pur old/src/man/krb5kdc.man new/src/man/krb5kdc.man |
|
242 --- old/src/man/krb5kdc.man 2015-06-02 23:50:06.300178018 -0600 |
|
243 +++ new/src/man/krb5kdc.man 2015-06-03 00:17:46.568377702 -0600 |
|
244 @@ -152,4 +152,16 @@ MIT |
|
245 .SH COPYRIGHT |
|
246 1985-2015, MIT |
|
247 .\" Generated by docutils manpage writer. |
|
248 +.SH NOTES |
|
249 +.sp |
|
250 +The \fBkrb5kdc\fR service is managed by the service management facility, \fBsmf\fR(5), under the service identifier: |
|
251 +.sp |
|
252 +.in +2 |
|
253 +.nf |
|
254 +svc:/network/security/krb5kdc:default |
|
255 +.fi |
|
256 +.in -2 |
|
257 +.sp |
|
258 +Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command. |
|
259 +.sp |
|
260 . |
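Review bot: this NOTES text is the kadmind and kpropd text with the service name swapped, which is fine, but it carries the same `\fR`/`\fP` inconsistency. For this page in particular it would help to add that krb5kdc reads kdc.conf at startup, so changes to the relations documented elsewhere in this patch (kdc_max_tcp_connections, kdc_rotate) take effect only after `svcadm restart svc:/network/security/krb5kdc:default`, and that `svcs -x` on that FMRI is where to look when the service drops into maintenance after a bad configuration.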