diff -Nru krb5-1.13.2+dfsg/debian/changelog krb5-1.14.2+dfsg/debian/changelog
--- krb5-1.13.2+dfsg/debian/changelog 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/changelog 2016-06-16 05:59:09.000000000 +0000
@@ -1,6 +1,42 @@ -krb5 (1.13.2+dfsg-5) unstable; urgency=high +krb5 (1.14.2+dfsg-1ubuntu1) yakkety; urgency=medium - * Security Update + * Fix uninitialized variable warning on ppc64el (LP: #1592841). + Thanks to Sam Hartman for the preliminary patch. + + -- Steve Langasek Wed, 16 Jun 2016 08:58:08 +0300 + +krb5 (1.14.2+dfsg-1) unstable; urgency=low + + * New upstream version + - Includes fix for CVE-2016-3119: remote DOS with ldap for + authenticated attackers, Closes: #819468 + * Fix short descriptions capitalization, Thanks Laura Arjona Reina, + Closes: #821021 + * New German translation, Thanks Chris Leick, Closes: #816548 + + + -- Sam Hartman Mon, 30 May 2016 13:12:02 -0400 + +krb5 (1.14+dfsg-1) experimental; urgency=medium + + * New upstream version, Closes: #812131 + * Apply upstream patches: + - upstream/0010-Fix-mechglue-gss_acquire_cred_impersonate_name.patch + - 0011-Correctly-use-k5_wrapmsg-in-ldap_principal2.c.patch + - upstream/0012-Set-TL_DATA-mask-flag-for-master-key-operations.patch + - upstream/0013-Check-context-handle-in-gss_export_sec_context.patch + - upstream/0014-Check-internal-context-on-init-context-errors.patch + - upstream/0015-Fix-interposed-gss_accept_sec_context.patch + - upstream/0016-Work-around-uninitialized-warning-in-cc_kcm.c.patch + - upstream/0017-Increase-hostname-length-in-ipropd_svc.c.patch + - upstream/0018-Make-ksu-work-with-prompting-clpreauth-modules.patch + - upstream/0019-Fix-memory-leak-in-SPNEGO-gss_init_sec_context.patch + - upstream/0020-Fix-EOF-check-in-kadm5.acl-line-processing.patch + - upstream/0021-Fix-iprop-server-stub-error-management.patch + - upstream/0022-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch + - upstream/0023-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch + -upstream/0024-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch + - Use blocking lock for db promote, Closes: #815677 * Verify decoded kadmin C strings [CVE-2015-8629] CVE-2015-8629: An authenticated attacker can cause kadmind 
to read beyond the end of allocated memory by sending a string without a @@ -17,8 +53,15 @@ Repeating these requests will eventually cause kadmind to exhaust all available memory. (Closes: #813126) + * Remove all references to libkrb53, Closes: #708175 + * Merge patch for kpropd service, introducing a new stub package for now + that will contain the binaries in stretch+1. We don't want to move + the binaries now because we'd either break existing installations or + we'd need krb5-kdc to depend on the new package, which would cause + kpropd to start in cases where we don't want it, thanks Mark Proehl + and Michael Weiser, Closes: #775277 - -- Sam Hartman Tue, 23 Feb 2016 08:54:09 -0500 + -- Sam Hartman Mon, 15 Feb 2016 15:49:06 -0500 krb5 (1.13.2+dfsg-4) unstable; urgency=high diff -Nru krb5-1.13.2+dfsg/debian/control krb5-1.14.2+dfsg/debian/control --- krb5-1.13.2+dfsg/debian/control 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/control 2016-06-16 04:42:40.000000000 +0000 @@ -8,7 +8,8 @@ libverto-dev (>= 0.2.4), pkg-config, dh-systemd build-depends-indep: python, python-cheetah, python-lxml, python-sphinx, doxygen-latex Standards-Version: 3.9.6 -Maintainer: Sam Hartman +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Sam Hartman Uploaders: Russ Allbery , Benjamin Kaduk Homepage: http://web.mit.edu/kerberos/ VCS-Git: git://git.debian.org/git/pkg-k5-afs/debian-krb5-2013.git @@ -20,7 +21,7 @@ Depends: ${misc:Depends}, ${shlibs:Depends}, libkrb5-3 (= ${binary:Version}), krb5-config Conflicts: heimdal-clients -Description: Basic programs to authenticate using MIT Kerberos +Description: basic programs to authenticate using MIT Kerberos Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on 
@@ -36,10 +37,10 @@ Architecture: any Priority: optional Depends: ${misc:Depends}, ${shlibs:Depends}, libkrb5-3 (= ${binary:Version}), - libkadm5srv-mit9, + libkadm5srv-mit10, krb5-config, krb5-user, lsb-base (>= 3.0-6), libverto-libev1 | libverto-libevent1, libkdb5-8 (>= 1.13.1+dfsg-1) -Suggests: openbsd-inetd | inet-superserver, krb5-admin-server, +Suggests: krb5-kpropd, krb5-admin-server, krb5-kdc-ldap (= ${binary:Version}) Description: MIT Kerberos key server (KDC) Kerberos is a system for authenticating users and services on a network. 
@@ -92,18 +93,37 @@ slave KDCs. This package is generally only used on the master KDC for a Kerberos realm. +Package: krb5-kpropd +Architecture: any +Priority: optional +Depends: ${misc:Depends}, ${shlibs:Depends}, + krb5-kdc (= ${binary:Version}) +Suggests: openbsd-inetd | inet-superserver +Description: MIT Kerberos key server (KDC) + Kerberos is a system for authenticating users and services on a network. + Kerberos is a trusted third-party service. That means that there is a + third party (the Kerberos server) that is trusted by all the entities on + the network (users and services, usually called "principals"). + . + This is the MIT reference implementation of Kerberos V5. + . + This package contains the Kerberos slave KDC update server (kpropd). The + kpropd command runs on the slave KDC server. It listens for update requests + made by the kprop program, and periodically requests incremental updates from + the master KDC. This package should be installed on slave KDCs. + Package: krb5-multidev Section: libdevel Architecture: any Depends: ${misc:Depends}, libkrb5-3 (= ${binary:Version}), libk5crypto3 (= ${binary:Version}), libgssapi-krb5-2 (= ${binary:Version}), libgssrpc4 (= ${binary:Version}), - libkadm5srv-mit9 (= ${binary:Version}), - libkadm5clnt-mit9 (= ${binary:Version}), + libkadm5srv-mit10 (= ${binary:Version}), + libkadm5clnt-mit10 (= ${binary:Version}), comerr-dev, Priority: optional Suggests: krb5-doc -Description: Development files for MIT Kerberos without Heimdal conflict +Description: development files for MIT Kerberos without Heimdal conflict Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on 
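Review bot: The new `krb5-kpropd` stanza reuses the krb5-kdc synopsis, `Description: MIT Kerberos key server (KDC)`, so package listings show two packages with the same one-line description even though the long description says this one is for the slave KDC update server. A synopsis that matches the long description, for example `Description: MIT Kerberos slave KDC update server (kpropd)`, makes it clear which package puts a propagation listener on a host.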
@@ -125,7 +145,7 @@ Conflicts: heimdal-dev Priority: extra Suggests: krb5-doc -Description: Headers and development libraries for MIT Kerberos +Description: headers and development libraries for MIT Kerberos Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on @@ -144,7 +164,7 @@ Priority: extra Section: debug Multi-Arch: same -Description: Debugging files for MIT Kerberos +Description: debugging files for MIT Kerberos Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on @@ -159,6 +179,7 @@ Package: krb5-pkinit Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, libkrb5-3 (= ${binary:Version}) +Breaks: krb5-kdc (<< 1.14+dfsg) Suggests: opensc Priority: extra Multi-Arch: same @@ -218,7 +239,7 @@ Conflicts: heimdal-docs Section: doc Depends: ${misc:Depends} -Description: Documentation for MIT Kerberos +Description: documentation for MIT Kerberos Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on @@ -237,7 +258,6 @@ Depends: ${misc:Depends}, ${shlibs:Depends}, libkrb5support0 (= ${binary:Version}) Suggests: krb5-doc, krb5-user -Conflicts: libkrb53 Recommends: krb5-locales Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} @@ -290,7 +310,7 @@ This package contains an RPC library used by the Kerberos administrative programs and potentially other applications. -Package: libkadm5srv-mit9 +Package: libkadm5srv-mit10 Section: libs Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} 
@@ -308,7 +328,7 @@ This package contains the runtime library used by Kerberos administrative servers. -Package: libkadm5clnt-mit9 +Package: libkadm5clnt-mit10 Section: libs Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} @@ -334,7 +354,6 @@ Suggests: krb5-doc, krb5-user Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} -Conflicts: libkrb53 Description: MIT Kerberos runtime libraries - Crypto Library Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a @@ -369,7 +388,6 @@ Breaks: libgssapi-krb5-2 (<< 1.13~alpha1-1), libkadm5srv-mit9 (<< 1.13~alpha1-1), libkadm5clnt-mit9 (<< 1.13~alpha1-1), libk5crypto3 (<< 1.13~alpha1-1), libkdb5-7 (<< 1.13~alpha1-1) -Conflicts: libkrb53 Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Multi-Arch: same @@ -425,7 +443,7 @@ Depends: ${misc:Depends}, ${shlibs:Depends}, Pre-Depends: ${misc:Pre-Depends} Multi-Arch: foreign -Description: Internationalization support for MIT Kerberos +Description: internationalization support for MIT Kerberos Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on diff -Nru krb5-1.13.2+dfsg/debian/.git-dpm krb5-1.14.2+dfsg/debian/.git-dpm --- krb5-1.13.2+dfsg/debian/.git-dpm 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/.git-dpm 2016-06-16 04:42:24.000000000 +0000 
@@ -1,8 +1,8 @@ # see git-dpm(1) from git-dpm package -842bffc28f9907cc509deb2c943a56c5eba49844 -842bffc28f9907cc509deb2c943a56c5eba49844 -ae9655b1dd98998036ebc11f766357bb4ac490f1 -ae9655b1dd98998036ebc11f766357bb4ac490f1 -krb5_1.13.2+dfsg.orig.tar.gz -2de0f519bb7c51612e2816a9dc64d966ac6e97b2 -11884064 +0696cc5a5dfb59f15dc0212d58aa509066212b65 +0696cc5a5dfb59f15dc0212d58aa509066212b65 +f9a9321e95564255c4045596b057d2c879f07915 +f9a9321e95564255c4045596b057d2c879f07915 +krb5_1.14.2+dfsg.orig.tar.gz +0b6dab166cb036b4054cf6cfca6a16cba1ecd98e +11900279 diff -Nru krb5-1.13.2+dfsg/debian/krb5-kdc.news krb5-1.14.2+dfsg/debian/krb5-kdc.news --- krb5-1.13.2+dfsg/debian/krb5-kdc.news 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/krb5-kdc.news 2016-05-30 17:11:38.000000000 +0000 
@@ -0,0 +1,15 @@
+krb5-kdc (1.14+dfsg-1) unstable; urgency=high
+
+ In this version of the kdc, a new package is introduced, krb5-kpropd. This package should be installed on all slave KDCs that need the kpropd daemon. Future versions of krb5-kdc will drop the kpropd binary. Today the only effect of installing krb5-kpropd is that init scripts and systemd service files will be installed for kpropd. If the krb5-kpropd package is not installed on slave KDCs by the time that the kpropd binaries are removed, then slave functionality will fail until the package is installed.
+
+
+
+ -- Sam Hartman Thu, 25 Feb 2016 08:03:11 -0500
+
+krb5 (1.12.1+dfsg-11) unstable; urgency=medium
+
+ This version includes systemd unit files. In previous versions of krb5-admin-server, debconf was used to determine whether to use kadmind. With this version, update-rc.d krb5-admin-server disable should be used to disable the Kerberos administration daemon.
+
+
+ -- Sam Hartman Mon, 20 Oct 2014 16:39:32 -0400
+
diff -Nru krb5-1.13.2+dfsg/debian/krb5-kdc.postinst krb5-1.14.2+dfsg/debian/krb5-kdc.postinst
--- krb5-1.13.2+dfsg/debian/krb5-kdc.postinst 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/krb5-kdc.postinst 2016-05-30 17:11:38.000000000 +0000
@@ -46,18 +46,6 @@ db_stop fi -# Only try to add the inetd line on an initial installation. Add it -# commented out in a way that will not be automatically enabled, since the -# Kerberos administrator should do that manually when ready. -# -# If update-inetd isn't available, don't bother, since it's just an example. -if [ "configure" = "$1" ] && which update-inetd >/dev/null 2>&1 ; then - if [ -z "$2" ] || [ x"$2" = x"" ] ; then - update-inetd --add --group Kerberos \ - '#krb5_prop\tstream\ttcp\tnowait\troot\t/usr/sbin/kpropd kpropd' - fi -fi - #DEBHELPER# exit 0 diff -Nru krb5-1.13.2+dfsg/debian/krb5-kpropd.init krb5-1.14.2+dfsg/debian/krb5-kpropd.init --- krb5-1.13.2+dfsg/debian/krb5-kpropd.init 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/krb5-kpropd.init 2016-05-30 17:11:38.000000000 +0000 
@@ -0,0 +1,127 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: krb5-kpropd
+# Required-Start: $local_fs $remote_fs $network $syslog
+# Required-Stop: $local_fs $remote_fs $network $syslog
+# X-Start-Before: $x-display-manager
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: MIT Kerberos slave KDC update server
+# Description: Starts, stops, or restarts the MIT Kerberos slave KDC
+# update server
+### END INIT INFO
+
+# Author: Sam Hartman
+# Author: Russ Allbery
+#
+# Based on the /etc/init.d/skeleton template as found in initscripts version
+# 2.86.ds1-15.
+
+PATH=/usr/sbin:/usr/bin:/sbin:/bin
+DESC="Kerberos slave KDC update server"
+NAME=kpropd
+DAEMON=/usr/sbin/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/kpropd
+
+# Exit if the package is not installed.
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration if it is present.
+[ -r /etc/default/kpropd ] && . /etc/default/kpropd
+
+# Get the setting of VERBOSE and other rcS variables.
+[ -f /etc/default/rcS ] && . /etc/default/rcS
+
+# Define LSB log functions (requires lsb-base >= 3.0-6).
+. /lib/lsb/init-functions
+
+
+# Return
+# 0 if daemon has been started
+# 1 if daemon was already running
+# 2 if daemon could not be started
+do_start_kpropd()
+{
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $DAEMON --name $NAME --test \
+ > /dev/null || return 1
+ start-stop-daemon --start --quiet --make-pidfile --background --pidfile $PIDFILE --startas $DAEMON --name $NAME \
+ -- -D $DAEMON_ARGS || return 2
+}
+
+
+# Return
+# 0 if daemon has been stopped
+# 1 if daemon was already stopped
+# 2 if daemon could not be stopped
+# other if a failure occurred
+do_stop_kpropd()
+{
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start_kpropd
+ case "$?" in
+ 0|1)
+ [ "$VERBOSE" != no ] && log_end_msg 0
+ ;;
+ 2)
+ [ "$VERBOSE" != no ] && log_end_msg 1
+ ;;
+ esac
+ ;;
+
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop_kpropd
+ case "$?" in
+ 0|1)
+ [ "$VERBOSE" != no ] && log_progress_msg "krb524d"
+ ;;
+ 2)
+ [ "$VERBOSE" != no ] && log_end_msg 1
+ ;;
+ esac
+ ;;
+
+ restart|force-reload)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop_kpropd
+ case "$?" in
+ 0|1)
+ do_start_kpropd
+ case "$?" in
+ 0)
+ log_end_msg 0
+ ;;
+ 1|2)
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+
+ status)
+ status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
+ exit 3
+ ;;
+esac
+
+:
diff -Nru krb5-1.13.2+dfsg/debian/krb5-kpropd.postinst krb5-1.14.2+dfsg/debian/krb5-kpropd.postinst
--- krb5-1.13.2+dfsg/debian/krb5-kpropd.postinst 1970-01-01 00:00:00.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/krb5-kpropd.postinst 2016-05-30 17:11:38.000000000 +0000
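Review bot: The success arm of `stop)` calls `log_progress_msg "krb524d"`, which looks like a leftover from another init script: it names a different daemon and never closes the status line, so it should be `[ "$VERBOSE" != no ] && log_end_msg 0`. The script also sources `/etc/default/kpropd` and sets `SCRIPTNAME=/etc/init.d/kpropd`, while the systemd unit added in this same diff reads `/etc/default/krb5-kpropd` and the LSB header provides `krb5-kpropd`. As a result `DAEMON_ARGS` set for one init system is silently ignored under the other; reading `/etc/default/krb5-kpropd` in both places would keep them consistent. A failed start (return code 2) is only logged, and the trailing `:` makes the script exit 0, so callers and monitoring cannot tell that the propagation daemon is not running; an `exit 1` in the `2)` arm of `start)` would surface it.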
@@ -0,0 +1,19 @@
+#! /bin/sh
+
+set -e
+
+# Only try to add the inetd line on an initial installation. Add it
+# commented out in a way that will not be automatically enabled, since the
+# Kerberos administrator should do that manually when ready.
+#
+# If update-inetd isn't available, don't bother, since it's just an example.
+if [ "configure" = "$1" ] && which update-inetd >/dev/null 2>&1 ; then
+ if [ -z "$2" ] || [ x"$2" = x"" ] ; then
+ update-inetd --add --group Kerberos \
+ '#krb5_prop\tstream\ttcp\tnowait\troot\t/usr/sbin/kpropd kpropd'
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
diff -Nru krb5-1.13.2+dfsg/debian/krb5-kpropd.prerm krb5-1.14.2+dfsg/debian/krb5-kpropd.prerm
--- krb5-1.13.2+dfsg/debian/krb5-kpropd.prerm 1970-01-01 00:00:00.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/krb5-kpropd.prerm 2016-05-30 17:11:38.000000000 +0000
@@ -0,0 +1,13 @@
+#! /bin/sh
+
+set -e
+
+if test "remove" = "$1"; then
+ if which update-inetd >/dev/null 2>&1 ; then
+ update-inetd --remove '#?krb5_prop.*/usr/sbin/kpropd'
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
diff -Nru krb5-1.13.2+dfsg/debian/krb5-kpropd.service krb5-1.14.2+dfsg/debian/krb5-kpropd.service
--- krb5-1.13.2+dfsg/debian/krb5-kpropd.service 1970-01-01 00:00:00.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/krb5-kpropd.service 2016-05-30 17:11:38.000000000 +0000
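Review bot: In krb5-kpropd.postinst the inner test `[ -z "$2" ] || [ x"$2" = x"" ]` checks the same condition twice and can be reduced to `[ -z "$2" ]`. Both this script and krb5-kpropd.prerm in the next hunk probe for update-inetd with the external `which`; the shell builtin form `command -v update-inetd >/dev/null 2>&1` does the same without depending on another program. The prerm pattern `'#?krb5_prop.*/usr/sbin/kpropd'` also matches an entry the administrator has uncommented. Removing this stub package would therefore drop an enabled inetd listener while, per the changelog, the kpropd binary still ships in krb5-kdc, so a comment saying that this is intended would help the next maintainer.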
@@ -0,0 +1,15 @@ +[Unit] +Description=Kerberos 5 slave KDC update server +Conflicts=krb5-admin-server.service + +[Service] +ExecReload=/bin/kill -HUP $MAINPID +EnvironmentFile=-/etc/default/krb5-kpropd +ExecStart=/usr/sbin/kpropd -D $DAEMON_ARGS +InaccessibleDirectories=-/etc/ssh -/etc/ssl/private /root +ReadOnlyDirectories=/ +ReadWriteDirectories=/var/tmp /tmp /var/lib/krb5kdc /var/run /run +CapabilityBoundingSet=CAP_NET_BIND_SERVICE + +[Install] +WantedBy=multi-user.target diff -Nru krb5-1.13.2+dfsg/debian/libgssapi-krb5-2.symbols krb5-1.14.2+dfsg/debian/libgssapi-krb5-2.symbols --- krb5-1.13.2+dfsg/debian/libgssapi-krb5-2.symbols 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/libgssapi-krb5-2.symbols 2016-05-30 17:11:38.000000000 +0000 @@ -36,18 +36,19 @@ GSS_C_NT_MACHINE_UID_NAME@gssapi_krb5_2_MIT 1.6.dfsg.2 GSS_C_NT_STRING_UID_NAME@gssapi_krb5_2_MIT 1.6.dfsg.2 GSS_C_NT_USER_NAME@gssapi_krb5_2_MIT 1.6.dfsg.2 + GSS_KRB5_CRED_NO_CI_FLAGS_X@gssapi_krb5_2_MIT 1.14+dfsg GSS_KRB5_NT_PRINCIPAL_NAME@gssapi_krb5_2_MIT 1.6.dfsg.2 HIDDEN@HIDDEN 1.6.dfsg.2 - gss_accept_sec_context@gssapi_krb5_2_MIT 1.8+dfsg - gss_acquire_cred@gssapi_krb5_2_MIT 1.10+dfsg~ + gss_accept_sec_context@gssapi_krb5_2_MIT 1.14+dfsg + gss_acquire_cred@gssapi_krb5_2_MIT 1.14+dfsg gss_acquire_cred_from@gssapi_krb5_2_MIT 1.11+dfsg gss_acquire_cred_impersonate_name@gssapi_krb5_2_MIT 1.8+dfsg - gss_acquire_cred_with_password@gssapi_krb5_2_MIT 1.10+dfsg~ + gss_acquire_cred_with_password@gssapi_krb5_2_MIT 1.14+dfsg gss_add_buffer_set_member@gssapi_krb5_2_MIT 1.7+dfsg gss_add_cred@gssapi_krb5_2_MIT 1.10+dfsg~ gss_add_cred_from@gssapi_krb5_2_MIT 1.11+dfsg gss_add_cred_impersonate_name@gssapi_krb5_2_MIT 1.8+dfsg - gss_add_cred_with_password@gssapi_krb5_2_MIT 1.13.1+dfsg + gss_add_cred_with_password@gssapi_krb5_2_MIT 1.14+dfsg gss_add_oid_set_member@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_authorize_localname@gssapi_krb5_2_MIT 1.9.1+dfsg gss_canonicalize_name@gssapi_krb5_2_MIT 1.6.dfsg.2 
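Review bot: The `[Unit]` section declares no ordering against the network, whereas the SysV script in this diff lists `$network` under Required-Start; adding `After=network.target` would keep the two start paths equivalent for a daemon that has to bind a listening socket. The sandboxing lines are a reasonable baseline, but `ReadWriteDirectories=` leaves the shared `/tmp` and `/var/tmp` writable. If kpropd and the tools it runs do not need to exchange files with other services there, `PrivateTmp=yes` would be tighter; that needs confirming against how they use temporary files. A one-line comment above `Conflicts=krb5-admin-server.service` stating why the two are mutually exclusive would also help, since starting this unit stops kadmind.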
@@ -68,17 +69,17 @@ gss_export_cred@gssapi_krb5_2_MIT 1.11+dfsg gss_export_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_export_name_composite@gssapi_krb5_2_MIT 1.8+dfsg - gss_export_sec_context@gssapi_krb5_2_MIT 1.6.dfsg.2 + gss_export_sec_context@gssapi_krb5_2_MIT 1.14+dfsg gss_get_mic@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_get_mic_iov@gssapi_krb5_2_MIT 1.12~alpha1+dfsg gss_get_mic_iov_length@gssapi_krb5_2_MIT 1.12~alpha1+dfsg gss_get_name_attribute@gssapi_krb5_2_MIT 1.8+dfsg gss_import_cred@gssapi_krb5_2_MIT 1.11+dfsg gss_import_name@gssapi_krb5_2_MIT 1.6.dfsg.2 - gss_import_sec_context@gssapi_krb5_2_MIT 1.6.dfsg.2 + gss_import_sec_context@gssapi_krb5_2_MIT 1.14+dfsg gss_indicate_mechs@gssapi_krb5_2_MIT 1.12.1+dfsg-2 gss_indicate_mechs_by_attrs@gssapi_krb5_2_MIT 1.12.1+dfsg-2 - gss_init_sec_context@gssapi_krb5_2_MIT 1.10+dfsg~ + gss_init_sec_context@gssapi_krb5_2_MIT 1.14+dfsg gss_inquire_attrs_for_mech@gssapi_krb5_2_MIT 1.9+dfsg~beta1 gss_inquire_context@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_inquire_cred@gssapi_krb5_2_MIT 1.10+dfsg~ @@ -102,7 +103,7 @@ gss_krb5int_unseal_token_v3@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_localname@gssapi_krb5_2_MIT 1.9.1+dfsg gss_map_name_to_any@gssapi_krb5_2_MIT 1.8+dfsg - gss_mech_iakerb@gssapi_krb5_2_MIT 1.9+dfsg~beta1 + gss_mech_iakerb@gssapi_krb5_2_MIT 1.14+dfsg gss_mech_krb5@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_mech_krb5_old@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_mech_krb5_wrong@gssapi_krb5_2_MIT 1.10.2+dfsg diff -Nru krb5-1.13.2+dfsg/debian/libk5crypto3.symbols krb5-1.14.2+dfsg/debian/libk5crypto3.symbols --- krb5-1.13.2+dfsg/debian/libk5crypto3.symbols 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/libk5crypto3.symbols 2016-05-30 17:11:38.000000000 +0000 
@@ -13,6 +13,7 @@ krb5_c_crypto_length_iov@k5crypto_3_MIT 1.7+dfsg krb5_c_decrypt@k5crypto_3_MIT 1.6.dfsg.2 krb5_c_decrypt_iov@k5crypto_3_MIT 1.7+dfsg + krb5_c_derive_prfplus@k5crypto_3_MIT 1.14+dfsg krb5_c_encrypt@k5crypto_3_MIT 1.6.dfsg.2 krb5_c_encrypt_iov@k5crypto_3_MIT 1.7+dfsg krb5_c_encrypt_length@k5crypto_3_MIT 1.6.dfsg.2 @@ -30,6 +31,7 @@ krb5_c_padding_length@k5crypto_3_MIT 1.7+dfsg krb5_c_prf@k5crypto_3_MIT 1.6.dfsg.2 krb5_c_prf_length@k5crypto_3_MIT 1.6.dfsg.2 + krb5_c_prfplus@k5crypto_3_MIT 1.14+dfsg krb5_c_random_add_entropy@k5crypto_3_MIT 1.6.dfsg.2 krb5_c_random_make_octets@k5crypto_3_MIT 1.6.dfsg.2 krb5_c_random_os_entropy@k5crypto_3_MIT 1.6.dfsg.2 diff -Nru krb5-1.13.2+dfsg/debian/libkadm5clnt-mit10.install krb5-1.14.2+dfsg/debian/libkadm5clnt-mit10.install --- krb5-1.13.2+dfsg/debian/libkadm5clnt-mit10.install 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/libkadm5clnt-mit10.install 2016-05-30 17:11:38.000000000 +0000 @@ -0,0 +1 @@ +usr/lib/*/libkadm5clnt_mit.so.10* diff -Nru krb5-1.13.2+dfsg/debian/libkadm5clnt-mit10.symbols krb5-1.14.2+dfsg/debian/libkadm5clnt-mit10.symbols --- krb5-1.13.2+dfsg/debian/libkadm5clnt-mit10.symbols 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/libkadm5clnt-mit10.symbols 2016-05-30 17:11:38.000000000 +0000 
@@ -0,0 +1,114 @@ +libkadm5clnt_mit.so.10 libkadm5clnt-mit10 #MINVER# + HIDDEN@HIDDEN 1.14+dfsg + _kadm5_check_handle@kadm5clnt_mit_10_MIT 1.14+dfsg + _kadm5_chpass_principal_util@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_chpass_principal@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_chpass_principal_3@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_chpass_principal_util@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_create_policy@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_create_principal@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_create_principal_3@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_decrypt_key@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_delete_policy@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_delete_principal@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_destroy@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_flush@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_free_config_params@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_free_key_data@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_free_name_list@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_free_policy_ent@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_free_principal_ent@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_free_strings@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_get_admin_service_name@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_get_config_params@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_get_policies@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_get_policy@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_get_principal@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_get_principals@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_get_privs@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_get_strings@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_init@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_init_anonymous@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_init_iprop@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_init_krb5_context@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_init_with_creds@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_init_with_password@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_init_with_skey@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_lock@kadm5clnt_mit_10_MIT 1.14+dfsg + 
kadm5_modify_policy@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_modify_principal@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_purgekeys@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_randkey_principal@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_randkey_principal_3@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_rename_principal@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_set_string@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_setkey_principal@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_setkey_principal_3@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_setv4key_principal@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5_unlock@kadm5clnt_mit_10_MIT 1.14+dfsg + kadm5clnt_mit_10_MIT@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_aprof_finish@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_aprof_get_boolean@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_aprof_get_deltat@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_aprof_get_int32@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_aprof_get_string@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_aprof_getvals@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_aprof_init@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_flagnum_to_string@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_flags_to_strings@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_flagspec_to_mask@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_free_key_data_contents@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_keysalt_is_present@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_keysalt_iterate@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_klog_close@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_klog_init@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_klog_reopen@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_klog_syslog@kadm5clnt_mit_10_MIT 1.14+dfsg + krb5_string_to_keysalts@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_chpass3_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_chpass_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_chrand3_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_chrand_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_chrand_ret@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_cpol_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_cprinc3_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_cprinc_arg@kadm5clnt_mit_10_MIT 1.14+dfsg 
+ xdr_dpol_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_dprinc_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_generic_ret@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_getprivs_ret@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_gpol_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_gpol_ret@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_gpols_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_gpols_ret@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_gprinc_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_gprinc_ret@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_gprincs_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_gprincs_ret@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_kadm5_policy_ent_rec@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_kadm5_principal_ent_rec@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_kadm5_ret_t@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_deltat@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_enctype@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_flags@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_int16@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_key_data_nocontents@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_key_salt_tuple@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_keyblock@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_kvno@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_octet@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_principal@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_salttype@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_timestamp@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_tl_data@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_ui_2@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_krb5_ui_4@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_mpol_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_mprinc_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_nullstring@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_nulltype@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_rprinc_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_setkey3_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_setkey_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_setv4key_arg@kadm5clnt_mit_10_MIT 1.14+dfsg + xdr_ui_4@kadm5clnt_mit_10_MIT 1.14+dfsg diff -Nru krb5-1.13.2+dfsg/debian/libkadm5clnt-mit9.install 
krb5-1.14.2+dfsg/debian/libkadm5clnt-mit9.install --- krb5-1.13.2+dfsg/debian/libkadm5clnt-mit9.install 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/libkadm5clnt-mit9.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/*/libkadm5clnt_mit.so.9* diff -Nru krb5-1.13.2+dfsg/debian/libkadm5clnt-mit9.symbols krb5-1.14.2+dfsg/debian/libkadm5clnt-mit9.symbols --- krb5-1.13.2+dfsg/debian/libkadm5clnt-mit9.symbols 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/libkadm5clnt-mit9.symbols 1970-01-01 00:00:00.000000000 +0000 
@@ -1,114 +0,0 @@ -libkadm5clnt_mit.so.9 libkadm5clnt-mit9 #MINVER# - HIDDEN@HIDDEN 1.12~alpha1+dfsg - _kadm5_check_handle@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - _kadm5_chpass_principal_util@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_chpass_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_chpass_principal_3@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_chpass_principal_util@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_create_policy@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_create_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_create_principal_3@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_decrypt_key@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_delete_policy@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_delete_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_destroy@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_flush@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_free_config_params@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_free_key_data@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_free_name_list@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_free_policy_ent@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_free_principal_ent@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_free_strings@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_admin_service_name@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_config_params@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_policies@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_policy@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_principals@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_privs@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_strings@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_init@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_init_anonymous@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_init_iprop@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_init_krb5_context@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - 
kadm5_init_with_creds@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_init_with_password@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_init_with_skey@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_lock@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_modify_policy@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_modify_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_purgekeys@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_randkey_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_randkey_principal_3@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_rename_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_set_string@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_setkey_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_setkey_principal_3@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_setv4key_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5_unlock@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - kadm5clnt_mit_9_MIT@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_finish@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_get_boolean@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_get_deltat@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_get_int32@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_get_string@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_getvals@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_init@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_flags_to_string@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_free_key_data_contents@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_input_flag_to_string@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_keysalt_is_present@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_keysalt_iterate@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_klog_close@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_klog_init@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_klog_reopen@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_klog_syslog@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - krb5_string_to_flags@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - 
krb5_string_to_keysalts@kadm5clnt_mit_9_MIT 1.13~alpha1+dfsg - xdr_chpass3_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_chpass_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_chrand3_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_chrand_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_chrand_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_cpol_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_cprinc3_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_cprinc_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_dpol_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_dprinc_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_generic_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_getprivs_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_gpol_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_gpol_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_gpols_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_gpols_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_gprinc_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_gprinc_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_gprincs_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_gprincs_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_kadm5_policy_ent_rec@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_kadm5_principal_ent_rec@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_kadm5_ret_t@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_deltat@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_enctype@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_flags@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_int16@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_key_data_nocontents@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_key_salt_tuple@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_keyblock@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_kvno@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_octet@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_salttype@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_timestamp@kadm5clnt_mit_9_MIT 
1.12~alpha1+dfsg - xdr_krb5_tl_data@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_ui_2@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_ui_4@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_mpol_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_mprinc_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_nullstring@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_nulltype@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_rprinc_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_setkey3_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_setkey_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_setv4key_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg - xdr_ui_4@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg diff -Nru krb5-1.13.2+dfsg/debian/libkadm5srv-mit10.install krb5-1.14.2+dfsg/debian/libkadm5srv-mit10.install --- krb5-1.13.2+dfsg/debian/libkadm5srv-mit10.install 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/libkadm5srv-mit10.install 2016-05-30 17:11:38.000000000 +0000 @@ -0,0 +1 @@ +usr/lib/*/libkadm5srv_mit.so.10* diff -Nru krb5-1.13.2+dfsg/debian/libkadm5srv-mit10.symbols krb5-1.14.2+dfsg/debian/libkadm5srv-mit10.symbols --- krb5-1.13.2+dfsg/debian/libkadm5srv-mit10.symbols 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/libkadm5srv-mit10.symbols 2016-05-30 17:11:38.000000000 +0000 
@@ -0,0 +1,141 @@ +libkadm5srv_mit.so.10 libkadm5srv-mit10 #MINVER# + HIDDEN@HIDDEN 1.14+dfsg + _kadm5_check_handle@kadm5srv_mit_10_MIT 1.14+dfsg + _kadm5_chpass_principal_util@kadm5srv_mit_10_MIT 1.14+dfsg + hist_princ@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_chpass_principal@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_chpass_principal_3@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_chpass_principal_util@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_create_policy@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_create_principal@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_create_principal_3@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_decrypt_key@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_delete_policy@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_delete_principal@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_destroy@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_flush@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_free_config_params@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_free_key_data@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_free_name_list@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_free_policy_ent@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_free_principal_ent@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_free_strings@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_get_config_params@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_get_policies@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_get_policy@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_get_principal@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_get_principal_keys@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_get_principals@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_get_privs@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_get_strings@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_init@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_init_anonymous@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_init_iprop@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_init_krb5_context@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_init_with_creds@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_init_with_password@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_init_with_skey@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_lock@kadm5srv_mit_10_MIT 1.14+dfsg + 
kadm5_modify_policy@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_modify_principal@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_purgekeys@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_randkey_principal@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_randkey_principal_3@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_rename_principal@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_set_string@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_set_use_password_server@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_setkey_principal@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_setkey_principal_3@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_setv4key_principal@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5_unlock@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5int_acl_check@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5int_acl_check_krb@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5int_acl_finish@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5int_acl_impose_restrictions@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5int_acl_init@kadm5srv_mit_10_MIT 1.14+dfsg + kadm5srv_mit_10_MIT@kadm5srv_mit_10_MIT 1.14+dfsg + kdb_delete_entry@kadm5srv_mit_10_MIT 1.14+dfsg + kdb_free_entry@kadm5srv_mit_10_MIT 1.14+dfsg + kdb_init_hist@kadm5srv_mit_10_MIT 1.14+dfsg + kdb_init_master@kadm5srv_mit_10_MIT 1.14+dfsg + kdb_iter_entry@kadm5srv_mit_10_MIT 1.14+dfsg + kdb_put_entry@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_aprof_finish@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_aprof_get_boolean@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_aprof_get_deltat@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_aprof_get_int32@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_aprof_get_string@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_aprof_get_string_all@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_aprof_getvals@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_aprof_init@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_copy_key_data_contents@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_flagnum_to_string@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_flags_to_strings@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_flagspec_to_mask@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_free_key_data_contents@kadm5srv_mit_10_MIT 1.14+dfsg + 
krb5_keysalt_is_present@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_keysalt_iterate@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_klog_close@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_klog_init@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_klog_reopen@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_klog_syslog@kadm5srv_mit_10_MIT 1.14+dfsg + krb5_string_to_keysalts@kadm5srv_mit_10_MIT 1.14+dfsg + master_db@kadm5srv_mit_10_MIT 1.14+dfsg + master_princ@kadm5srv_mit_10_MIT 1.14+dfsg + osa_free_princ_ent@kadm5srv_mit_10_MIT 1.14+dfsg + passwd_check@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_chpass3_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_chpass_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_chrand3_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_chrand_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_chrand_ret@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_cpol_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_cprinc3_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_cprinc_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_dpol_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_dprinc_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_generic_ret@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_getprivs_ret@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_gpol_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_gpol_ret@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_gpols_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_gpols_ret@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_gprinc_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_gprinc_ret@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_gprincs_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_gprincs_ret@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_gstrings_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_gstrings_ret@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_kadm5_policy_ent_rec@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_kadm5_principal_ent_rec@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_kadm5_ret_t@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_deltat@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_enctype@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_flags@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_int16@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_key_data@kadm5srv_mit_10_MIT 1.14+dfsg + 
xdr_krb5_key_data_nocontents@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_key_salt_tuple@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_keyblock@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_kvno@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_octet@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_principal@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_salttype@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_string_attr@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_timestamp@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_tl_data@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_ui_2@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_krb5_ui_4@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_mpol_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_mprinc_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_nullstring@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_nulltype@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_osa_princ_ent_rec@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_osa_pw_hist_ent@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_purgekeys_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_rprinc_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_setkey3_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_setkey_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_setv4key_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_sstring_arg@kadm5srv_mit_10_MIT 1.14+dfsg + xdr_ui_4@kadm5srv_mit_10_MIT 1.14+dfsg diff -Nru krb5-1.13.2+dfsg/debian/libkadm5srv-mit9.install krb5-1.14.2+dfsg/debian/libkadm5srv-mit9.install --- krb5-1.13.2+dfsg/debian/libkadm5srv-mit9.install 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/libkadm5srv-mit9.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/*/libkadm5srv_mit.so.9* diff -Nru krb5-1.13.2+dfsg/debian/libkadm5srv-mit9.symbols krb5-1.14.2+dfsg/debian/libkadm5srv-mit9.symbols --- krb5-1.13.2+dfsg/debian/libkadm5srv-mit9.symbols 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/libkadm5srv-mit9.symbols 1970-01-01 00:00:00.000000000 +0000 
@@ -1,141 +0,0 @@ -libkadm5srv_mit.so.9 libkadm5srv-mit9 #MINVER# - HIDDEN@HIDDEN 1.12~alpha1+dfsg - _kadm5_check_handle@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - _kadm5_chpass_principal_util@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - hist_princ@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_chpass_principal@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_chpass_principal_3@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_chpass_principal_util@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_create_policy@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_create_principal@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_create_principal_3@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_decrypt_key@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_delete_policy@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_delete_principal@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_destroy@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_flush@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_free_config_params@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_free_key_data@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_free_name_list@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_free_policy_ent@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_free_principal_ent@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_free_strings@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_config_params@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_policies@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_policy@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_principal@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_principal_keys@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_principals@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_privs@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_get_strings@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_init@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_init_anonymous@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_init_iprop@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_init_krb5_context@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - 
kadm5_init_with_creds@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_init_with_password@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_init_with_skey@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_lock@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_modify_policy@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_modify_principal@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_purgekeys@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_randkey_principal@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_randkey_principal_3@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_rename_principal@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_set_string@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_set_use_password_server@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_setkey_principal@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_setkey_principal_3@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_setv4key_principal@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5_unlock@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5int_acl_check@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5int_acl_check_krb@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5int_acl_finish@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5int_acl_impose_restrictions@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5int_acl_init@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kadm5srv_mit_9_MIT@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kdb_delete_entry@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kdb_free_entry@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kdb_init_hist@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kdb_init_master@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kdb_iter_entry@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - kdb_put_entry@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_finish@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_get_boolean@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_get_deltat@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_get_int32@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_get_string@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_get_string_all@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - 
krb5_aprof_getvals@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_aprof_init@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_copy_key_data_contents@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_flags_to_string@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_free_key_data_contents@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_input_flag_to_string@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_keysalt_is_present@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_keysalt_iterate@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_klog_close@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_klog_init@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_klog_reopen@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_klog_syslog@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_string_to_flags@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - krb5_string_to_keysalts@kadm5srv_mit_9_MIT 1.13~alpha1+dfsg - master_db@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - master_princ@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - osa_free_princ_ent@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - passwd_check@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_chpass3_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_chpass_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_chrand3_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_chrand_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_chrand_ret@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_cpol_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_cprinc3_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_cprinc_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_dpol_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_dprinc_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_generic_ret@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_getprivs_ret@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_gpol_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_gpol_ret@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_gpols_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_gpols_ret@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_gprinc_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_gprinc_ret@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - 
xdr_gprincs_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_gprincs_ret@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_gstrings_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_gstrings_ret@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_kadm5_policy_ent_rec@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_kadm5_principal_ent_rec@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_kadm5_ret_t@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_deltat@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_enctype@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_flags@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_int16@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_key_data@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_key_data_nocontents@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_key_salt_tuple@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_keyblock@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_kvno@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_octet@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_principal@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_salttype@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_string_attr@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_timestamp@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_tl_data@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_ui_2@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_krb5_ui_4@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_mpol_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_mprinc_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_nullstring@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_nulltype@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_osa_princ_ent_rec@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_osa_pw_hist_ent@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_purgekeys_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_rprinc_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_setkey3_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_setkey_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_setv4key_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg - xdr_sstring_arg@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg 
- xdr_ui_4@kadm5srv_mit_9_MIT 1.12~alpha1+dfsg diff -Nru krb5-1.13.2+dfsg/debian/libkrb5-3.symbols krb5-1.14.2+dfsg/debian/libkrb5-3.symbols --- krb5-1.13.2+dfsg/debian/libkrb5-3.symbols 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/libkrb5-3.symbols 2016-05-30 17:11:38.000000000 +0000 @@ -10,6 +10,7 @@ decode_krb5_as_req@krb5_3_MIT 1.6.dfsg.2 decode_krb5_authdata@krb5_3_MIT 1.6.dfsg.2 decode_krb5_authenticator@krb5_3_MIT 1.6.dfsg.2 + decode_krb5_cammac@krb5_3_MIT 1.14+dfsg decode_krb5_cred@krb5_3_MIT 1.6.dfsg.2 decode_krb5_enc_cred_part@krb5_3_MIT 1.6.dfsg.2 decode_krb5_enc_data@krb5_3_MIT 1.6.dfsg.2 @@ -43,11 +44,13 @@ decode_krb5_sam_challenge_2@krb5_3_MIT 1.11+dfsg decode_krb5_sam_challenge_2_body@krb5_3_MIT 1.11+dfsg decode_krb5_sam_response_2@krb5_3_MIT 1.7dfsg + decode_krb5_secure_cookie@krb5_3_MIT 1.14+dfsg decode_krb5_setpw_req@krb5_3_MIT 1.7dfsg decode_krb5_tgs_rep@krb5_3_MIT 1.6.dfsg.2 decode_krb5_tgs_req@krb5_3_MIT 1.6.dfsg.2 decode_krb5_ticket@krb5_3_MIT 1.6.dfsg.2 decode_krb5_typed_data@krb5_3_MIT 1.7dfsg + decode_utf8_strings@krb5_3_MIT 1.14+dfsg encode_krb5_ad_kdcissued@krb5_3_MIT 1.8+dfsg encode_krb5_ad_signedpath@krb5_3_MIT 1.8+dfsg encode_krb5_ad_signedpath_data@krb5_3_MIT 1.8+dfsg @@ -58,6 +61,7 @@ encode_krb5_as_req@krb5_3_MIT 1.6.dfsg.2 encode_krb5_authdata@krb5_3_MIT 1.6.dfsg.2 encode_krb5_authenticator@krb5_3_MIT 1.6.dfsg.2 + encode_krb5_cammac@krb5_3_MIT 1.14+dfsg encode_krb5_checksum@krb5_3_MIT 1.8+dfsg encode_krb5_cred@krb5_3_MIT 1.6.dfsg.2 encode_krb5_enc_cred_part@krb5_3_MIT 1.6.dfsg.2 
@@ -91,11 +95,13 @@ encode_krb5_sam_challenge_2@krb5_3_MIT 1.9+dfsg~beta1 encode_krb5_sam_challenge_2_body@krb5_3_MIT 1.9+dfsg~beta1 encode_krb5_sam_response_2@krb5_3_MIT 1.7dfsg + encode_krb5_secure_cookie@krb5_3_MIT 1.14+dfsg encode_krb5_sp80056a_other_info@krb5_3_MIT 1.10+dfsg~alpha1 encode_krb5_tgs_rep@krb5_3_MIT 1.6.dfsg.2 encode_krb5_tgs_req@krb5_3_MIT 1.6.dfsg.2 encode_krb5_ticket@krb5_3_MIT 1.6.dfsg.2 encode_krb5_typed_data@krb5_3_MIT 1.10+dfsg~alpha1 + encode_utf8_strings@krb5_3_MIT 1.14+dfsg et_asn1_error_table@krb5_3_MIT 1.6.dfsg.2 et_k524_error_table@krb5_3_MIT 1.6.dfsg.2 et_kdb5_error_table@krb5_3_MIT 1.6.dfsg.2 @@ -116,10 +122,13 @@ k5_expand_path_tokens@krb5_3_MIT 1.11+dfsg k5_expand_path_tokens_extra@krb5_3_MIT 1.11+dfsg k5_free_algorithm_identifier@krb5_3_MIT 1.11+dfsg + k5_free_cammac@krb5_3_MIT 1.14+dfsg + k5_free_data_ptr_list@krb5_3_MIT 1.14+dfsg k5_free_kkdcp_message@krb5_3_MIT 1.13~alpha1+dfsg k5_free_otp_tokeninfo@krb5_3_MIT 1.11+dfsg k5_free_pa_otp_challenge@krb5_3_MIT 1.11+dfsg k5_free_pa_otp_req@krb5_3_MIT 1.11+dfsg + k5_free_secure_cookie@krb5_3_MIT 1.14+dfsg k5_free_serverlist@krb5_3_MIT 1.10+dfsg~alpha1 k5_hostrealm_free_context@krb5_3_MIT 1.12~alpha1+dfsg k5_init_trace@krb5_3_MIT 1.12~alpha1+dfsg @@ -137,6 +146,7 @@ k5_plugin_register_dyn@krb5_3_MIT 1.10+dfsg~alpha1 k5_unmarshal_cred@krb5_3_MIT 1.13~alpha1+dfsg k5_unmarshal_princ@krb5_3_MIT 1.13~alpha1+dfsg + k5_zapfree_pa_data@krb5_3_MIT 1.14+dfsg krb524_convert_creds_kdc@krb5_3_MIT 1.6.dfsg.2 krb524_init_ets@krb5_3_MIT 1.6.dfsg.2 krb5_3_MIT@krb5_3_MIT 1.6.dfsg.2 @@ -470,6 +480,7 @@ krb5_pac_verify@krb5_3_MIT 1.7dfsg krb5_parse_name@krb5_3_MIT 1.6.dfsg.2 krb5_parse_name_flags@krb5_3_MIT 1.7dfsg + krb5_prepend_error_message@krb5_3_MIT 1.14+dfsg krb5_principal2salt@krb5_3_MIT 1.6.dfsg.2 krb5_principal2salt_norealm@krb5_3_MIT 1.6.dfsg.2 krb5_principal_compare@krb5_3_MIT 1.6.dfsg.2 
@@ -603,8 +614,11 @@ krb5_verify_init_creds@krb5_3_MIT 1.6.dfsg.2 krb5_verify_init_creds_opt_init@krb5_3_MIT 1.6.dfsg.2 krb5_verify_init_creds_opt_set_ap_req_nofail@krb5_3_MIT 1.6.dfsg.2 + krb5_vprepend_error_message@krb5_3_MIT 1.14+dfsg krb5_vset_error_message@krb5_3_MIT 1.6.dfsg.2 + krb5_vwrap_error_message@krb5_3_MIT 1.14+dfsg krb5_walk_realm_tree@krb5_3_MIT 1.6.dfsg.2 + krb5_wrap_error_message@krb5_3_MIT 1.14+dfsg krb5_write_message@krb5_3_MIT 1.6.dfsg.2 krb5int_accessor@krb5_3_MIT 1.6.dfsg.2 krb5int_cc_default@krb5_3_MIT 1.6.dfsg.2 diff -Nru krb5-1.13.2+dfsg/debian/patches/0010-Initial-German-translations.patch krb5-1.14.2+dfsg/debian/patches/0010-Initial-German-translations.patch --- krb5-1.13.2+dfsg/debian/patches/0010-Initial-German-translations.patch 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/patches/0010-Initial-German-translations.patch 2016-05-30 17:11:40.000000000 +0000 
@@ -0,0 +1,9318 @@ +From 3c245b25ed946e393838bfe0b90a491cdfa948d0 Mon Sep 17 00:00:00 2001 +From: Sam Hartman +Date: Mon, 30 May 2016 12:51:16 -0400 +Subject: Initial German translations + +Thanks, Chris Leick +--- + src/po/de.po | 9301 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 9301 insertions(+) + create mode 100644 src/po/de.po + +diff --git a/src/po/de.po b/src/po/de.po +new file mode 100644 +index 0000000..fd199b3 +--- /dev/null ++++ b/src/po/de.po +@@ -0,0 +1,9301 @@ ++# German translation of mit-krb5. ++# This file is distributed under the same license as the mit-krb5 package. ++# Copyright (C) 1985-2013 by the Massachusetts Institute of Technology. ++# Copyright (C) of this file 2014-2016 Chris Leick . ++# ++msgid "" ++msgstr "" ++"Project-Id-Version: mit-krb5 13.2\n" ++"Report-Msgid-Bugs-To: krbdev@mit.edu\n" ++"POT-Creation-Date: 2015-05-06 14:59-0400\n" ++"PO-Revision-Date: 2016-04-05 23:20+0200\n" ++"Last-Translator: Chris Leick \n" ++"Language-Team: German \n" ++"Language: de\n" ++"MIME-Version: 1.0\n" ++"Content-Type: text/plain; charset=UTF-8\n" ++"Content-Transfer-Encoding: 8bit\n" ++"Plural-Forms: nplurals=2; plural=n != 1;\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:62 ++#, c-format ++msgid "Usage: %s [-A] [-q] [-c cache_name]\n" ++msgstr "Aufruf: %s [-A] [-q] [-c Zwischenspeichername]\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:63 ++#, c-format ++msgid "\t-A destroy all credential caches in collection\n" ++msgstr "\t-A vernichtet alle Anmeldedatenzwischenspeicher in der Sammlung.\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:64 ++#, c-format ++msgid "\t-q quiet mode\n" ++msgstr "\t-q stiller Modus\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:65 ++#: ../../src/clients/kswitch/kswitch.c:45 ++#, c-format ++msgid "\t-c specify name of credentials cache\n" ++msgstr "\t-c gibt den Namen des Zwischenspeichers für Anmeldedaten an.\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:98 ++#: 
../../src/clients/kinit/kinit.c:383 ../../src/clients/ksu/main.c:284 ++#, c-format ++msgid "Only one -c option allowed\n" ++msgstr "Nur eine »-c«-Option ist erlaubt.\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:105 ++#: ../../src/clients/kinit/kinit.c:412 ../../src/clients/klist/klist.c:182 ++#, c-format ++msgid "Kerberos 4 is no longer supported\n" ++msgstr "Kerberos 4 wird nicht mehr unterstützt.\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:126 ++#: ../../src/clients/klist/klist.c:253 ../../src/clients/ksu/main.c:131 ++#: ../../src/clients/ksu/main.c:137 ../../src/clients/kswitch/kswitch.c:97 ++#: ../../src/kadmin/ktutil/ktutil.c:52 ../../src/kdc/main.c:926 ++#: ../../src/slave/kprop.c:102 ../../src/slave/kpropd.c:1052 ++msgid "while initializing krb5" ++msgstr "beim Initialisieren von Krb5" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:133 ++msgid "while listing credential caches" ++msgstr "beim Auflisten der Anmeldedatenzwischenspeicher" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:140 ++msgid "composing ccache name" ++msgstr "Ccache-Name wird zusammengesetzt." 
++ ++#: ../../src/clients/kdestroy/kdestroy.c:145 ++#, c-format ++msgid "while destroying cache %s" ++msgstr "beim Zerstören des Zwischenspeichers %s" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:157 ++#: ../../src/clients/kswitch/kswitch.c:104 ++#, c-format ++msgid "while resolving %s" ++msgstr "beim Auflösen von %s" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:163 ++#: ../../src/clients/kinit/kinit.c:501 ../../src/clients/klist/klist.c:460 ++msgid "while getting default ccache" ++msgstr "beim Holen des Standard-Ccaches" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:170 ../../src/clients/ksu/main.c:986 ++msgid "while destroying cache" ++msgstr "beim Zerstören des Zwischenspeichers" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:173 ++#, c-format ++msgid "Ticket cache NOT destroyed!\n" ++msgstr "Ticketzwischenspeicher NICHT vernichtet!\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:175 ++#, c-format ++msgid "Ticket cache %cNOT%c destroyed!\n" ++msgstr "Ticketzwischenspeicher %cNICHT%c vernichtet!\n" ++ ++#: ../../src/clients/kinit/kinit.c:213 ++#, c-format ++msgid "\t-V verbose\n" ++msgstr "\t-V detaillierte Ausgabe\n" ++ ++#: ../../src/clients/kinit/kinit.c:214 ++#, c-format ++msgid "\t-l lifetime\n" ++msgstr "\t-l Lebensdauer\n" ++ ++#: ../../src/clients/kinit/kinit.c:215 ++#, c-format ++msgid "\t-s start time\n" ++msgstr "\t-s Startzeit\n" ++ ++#: ../../src/clients/kinit/kinit.c:216 ++#, c-format ++msgid "\t-r renewable lifetime\n" ++msgstr "\t-r verlängerbare Lebensdauer\n" ++ ++#: ../../src/clients/kinit/kinit.c:217 ++#, c-format ++msgid "\t-f forwardable\n" ++msgstr "\t-f weiterleitbar\n" ++ ++#: ../../src/clients/kinit/kinit.c:218 ++#, c-format ++msgid "\t-F not forwardable\n" ++msgstr "\t-F nicht weiterleitbar\n" ++ ++#: ../../src/clients/kinit/kinit.c:219 ++#, c-format ++msgid "\t-p proxiable\n" ++msgstr "\t-p Proxy nutzbar\n" ++ ++#: ../../src/clients/kinit/kinit.c:220 ++#, c-format ++msgid "\t-P not proxiable\n" ++msgstr "\t-P Proxy nicht nutzbar\n" 
++ ++#: ../../src/clients/kinit/kinit.c:221 ++#, c-format ++msgid "\t-n anonymous\n" ++msgstr "\t-n anonym\n" ++ ++#: ../../src/clients/kinit/kinit.c:222 ++#, c-format ++msgid "\t-a include addresses\n" ++msgstr "\t-a bezieht Adressen ein.\n" ++ ++#: ../../src/clients/kinit/kinit.c:223 ++#, c-format ++msgid "\t-A do not include addresses\n" ++msgstr "\t-a bezieht Adressen nicht ein.\n" ++ ++#: ../../src/clients/kinit/kinit.c:224 ++#, c-format ++msgid "\t-v validate\n" ++msgstr "\t-v überprüft\n" ++ ++#: ../../src/clients/kinit/kinit.c:225 ++#, c-format ++msgid "\t-R renew\n" ++msgstr "\t-R erneuert\n" ++ ++#: ../../src/clients/kinit/kinit.c:226 ++#, c-format ++msgid "\t-C canonicalize\n" ++msgstr "\t-C bringt in Normalform\n" ++ ++#: ../../src/clients/kinit/kinit.c:227 ++#, c-format ++msgid "\t-E client is enterprise principal name\n" ++msgstr "\t-E Client ist der Principal-Name des Unternehmens\n" ++ ++#: ../../src/clients/kinit/kinit.c:228 ++#, c-format ++msgid "\t-k use keytab\n" ++msgstr "\t-k verwendet Schlüsseltabelle\n" ++ ++#: ../../src/clients/kinit/kinit.c:229 ++#, c-format ++msgid "\t-i use default client keytab (with -k)\n" ++msgstr "\t-i verwendet die Standardschlüsseltabelle des Clients (mit -k).\n" ++ ++#: ../../src/clients/kinit/kinit.c:230 ++#, c-format ++msgid "\t-t filename of keytab to use\n" ++msgstr "\t-t Dateiname der zu verwendenden Schlüsseltabelle\n" ++ ++#: ../../src/clients/kinit/kinit.c:231 ++#, c-format ++msgid "\t-c Kerberos 5 cache name\n" ++msgstr "\t-c Kerberos-5-Zwischenspeichername\n" ++ ++#: ../../src/clients/kinit/kinit.c:232 ++#, c-format ++msgid "\t-S service\n" ++msgstr "\t-S Dienst\n" ++ ++#: ../../src/clients/kinit/kinit.c:233 ++#, c-format ++msgid "\t-T armor credential cache\n" ++msgstr "\t-T gehärteter Anmeldedatenzwischenspeicher\n" ++ ++#: ../../src/clients/kinit/kinit.c:234 ++#, c-format ++msgid "\t-X [=]\n" ++msgstr "\t-X [=]\n" ++ ++#: ../../src/clients/kinit/kinit.c:301 ../../src/clients/kinit/kinit.c:309 ++#, 
c-format ++msgid "Bad lifetime value %s\n" ++msgstr "falscher Wert für die Lebensdauer %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:343 ++#, c-format ++msgid "Bad start time value %s\n" ++msgstr "falscher Wert für die Startzeit %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:362 ++#, c-format ++msgid "Only one -t option allowed.\n" ++msgstr "Nur die Option -t ist erlaubt.\n" ++ ++#: ../../src/clients/kinit/kinit.c:370 ++#, c-format ++msgid "Only one armor_ccache\n" ++msgstr "nur ein gehärteter Ccache\n" ++ ++#: ../../src/clients/kinit/kinit.c:391 ++#, c-format ++msgid "Only one -I option allowed\n" ++msgstr "Nur die Option -I ist erlaubt.\n" ++ ++#: ../../src/clients/kinit/kinit.c:401 ++msgid "while adding preauth option" ++msgstr "beim Hinzufügen der Option »preauth«" ++ ++#: ../../src/clients/kinit/kinit.c:425 ++#, c-format ++msgid "Only one of -f and -F allowed\n" ++msgstr "Nur eine der Optionen -f und -F ist erlaubt.\n" ++ ++#: ../../src/clients/kinit/kinit.c:430 ++#, c-format ++msgid "Only one of -p and -P allowed\n" ++msgstr "Nur eine der Optionen -p und -P ist erlaubt.\n" ++ ++#: ../../src/clients/kinit/kinit.c:435 ++#, c-format ++msgid "Only one of -a and -A allowed\n" ++msgstr "Nur -a und -A ist erlaubt.\n" ++ ++#: ../../src/clients/kinit/kinit.c:440 ++#, c-format ++msgid "Only one of -t and -i allowed\n" ++msgstr "Nur -t und-i ist erlaubt.\n" ++ ++#: ../../src/clients/kinit/kinit.c:447 ++#, c-format ++msgid "keytab specified, forcing -k\n" ++msgstr "Schlüsseltabelle angegeben, -k wird erzwungen\n" ++ ++#: ../../src/clients/kinit/kinit.c:451 ../../src/clients/klist/klist.c:221 ++#, c-format ++msgid "Extra arguments (starting with \"%s\").\n" ++msgstr "zusätzliche Argumente (beginnend mit »%s«)\n" ++ ++#: ../../src/clients/kinit/kinit.c:480 ++msgid "while initializing Kerberos 5 library" ++msgstr "beim Initialisieren der Kerberos-5-Bibliothek" ++ ++#: ../../src/clients/kinit/kinit.c:488 ../../src/clients/kinit/kinit.c:644 ++#, c-format ++msgid "resolving 
ccache %s" ++msgstr "Ccache %s wird ermittelt" ++ ++#: ../../src/clients/kinit/kinit.c:493 ++#, c-format ++msgid "Using specified cache: %s\n" ++msgstr "Angegebener Zwischenspeicher wird verwendet: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:515 ../../src/clients/kinit/kinit.c:595 ++#: ../../src/clients/kpasswd/kpasswd.c:28 ../../src/clients/ksu/main.c:238 ++#, c-format ++msgid "when parsing name %s" ++msgstr "wenn der Name %s ausgewertet wird" ++ ++#: ../../src/clients/kinit/kinit.c:523 ../../src/kadmin/dbutil/kdb5_util.c:307 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:391 ++#: ../../src/slave/kprop.c:203 ++msgid "while getting default realm" ++msgstr "beim Holen des Standard-Realms" ++ ++#: ../../src/clients/kinit/kinit.c:535 ++msgid "while building principal" ++msgstr "beim Erstellen des Principals" ++ ++#: ../../src/clients/kinit/kinit.c:543 ++msgid "When resolving the default client keytab" ++msgstr "beim Auflösen der Standardschlüsseltabelle des Clients" ++ ++#: ../../src/clients/kinit/kinit.c:550 ++msgid "When determining client principal name from keytab" ++msgstr "beim Bestimmen des Dienst-Principal-Namens anhand der Schlüsseltabelle" ++ ++#: ../../src/clients/kinit/kinit.c:559 ++msgid "when creating default server principal name" ++msgstr "wenn der Standard-Principal-Name des Servers erstellt wird" ++ ++#: ../../src/clients/kinit/kinit.c:566 ++#, c-format ++msgid "(principal %s)" ++msgstr "(Principal %s)" ++ ++#: ../../src/clients/kinit/kinit.c:569 ++msgid "for local services" ++msgstr "für lokale Dienste" ++ ++#: ../../src/clients/kinit/kinit.c:590 ../../src/clients/kpasswd/kpasswd.c:42 ++#, c-format ++msgid "Unable to identify user\n" ++msgstr "Benutzer kann nicht identifiziert werden\n" ++ ++#: ../../src/clients/kinit/kinit.c:605 ../../src/clients/kswitch/kswitch.c:116 ++#, c-format ++msgid "while searching for ccache for %s" ++msgstr "beim Suchen nach Ccache für %s" ++ ++#: ../../src/clients/kinit/kinit.c:611 ++#, c-format ++msgid 
"Using existing cache: %s\n" ++msgstr "Existierender Zwischenspeicher wird verwendet: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:620 ++msgid "while generating new ccache" ++msgstr "beim Erstellen von neuem Ccache" ++ ++#: ../../src/clients/kinit/kinit.c:624 ++#, c-format ++msgid "Using new cache: %s\n" ++msgstr "Neuer Zwischenspeicher wird verwendet: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:636 ++#, c-format ++msgid "Using default cache: %s\n" ++msgstr "Standardzwischenspeicher wird verwendet: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:649 ++#, c-format ++msgid "Using specified input cache: %s\n" ++msgstr "Angegebener Eingabezwischenspeicher wird verwendet: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:657 ../../src/clients/ksu/krb_auth_su.c:160 ++msgid "when unparsing name" ++msgstr "beim Rückgängigmachen der Auswertung des Namens" ++ ++#: ../../src/clients/kinit/kinit.c:661 ++#, c-format ++msgid "Using principal: %s\n" ++msgstr "verwendeter Principal: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:752 ++msgid "getting local addresses" ++msgstr "Lokale Adressen werden geholt." ++ ++#: ../../src/clients/kinit/kinit.c:771 ++#, c-format ++msgid "while setting up KDB keytab for realm %s" ++msgstr "beim Einrichten der KDB-Schlüsseltabelle für Realm %s" ++ ++#: ../../src/clients/kinit/kinit.c:780 ../../src/clients/kvno/kvno.c:201 ++#, c-format ++msgid "resolving keytab %s" ++msgstr "Schlüsseltabelle wird ermittelt: %s" ++ ++#: ../../src/clients/kinit/kinit.c:785 ++#, c-format ++msgid "Using keytab: %s\n" ++msgstr "Schlüsseltabelle wird verwendet: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:789 ++msgid "resolving default client keytab" ++msgstr "Standardschlüsseltabelle des Clients wird ermittelt." 
++ ++#: ../../src/clients/kinit/kinit.c:799 ++#, c-format ++msgid "while setting '%s'='%s'" ++msgstr "beim Setzen von »%s«=»%s«" ++ ++#: ../../src/clients/kinit/kinit.c:804 ++#, c-format ++msgid "PA Option %s = %s\n" ++msgstr "PA-Option %s = %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:849 ++msgid "getting initial credentials" ++msgstr "Anfängliche Anmeldedaten werden geholt." ++ ++#: ../../src/clients/kinit/kinit.c:852 ++msgid "validating credentials" ++msgstr "Anmeldedaten werden geprüft." ++ ++#: ../../src/clients/kinit/kinit.c:855 ++msgid "renewing credentials" ++msgstr "Anmeldedaten werden erneuert." ++ ++#: ../../src/clients/kinit/kinit.c:860 ++#, c-format ++msgid "%s: Password incorrect while %s\n" ++msgstr "%s: Passwort bei %s falsch\n" ++ ++#: ../../src/clients/kinit/kinit.c:863 ++#, c-format ++msgid "while %s" ++msgstr "bei %s" ++ ++#: ../../src/clients/kinit/kinit.c:871 ../../src/slave/kprop.c:224 ++#, c-format ++msgid "when initializing cache %s" ++msgstr "beim Initialisieren des Zwischenspeichers %s" ++ ++#: ../../src/clients/kinit/kinit.c:876 ++#, c-format ++msgid "Initialized cache\n" ++msgstr "initialisierter Zwischenspeicher\n" ++ ++#: ../../src/clients/kinit/kinit.c:880 ++msgid "while storing credentials" ++msgstr "beim Speichern der Anmeldedaten" ++ ++#: ../../src/clients/kinit/kinit.c:884 ++#, c-format ++msgid "Stored credentials\n" ++msgstr "gespeicherte Anmeldedaten\n" ++ ++#: ../../src/clients/kinit/kinit.c:891 ++msgid "while switching to new ccache" ++msgstr "beim Wechsel zum neuen Ccache" ++ ++#: ../../src/clients/kinit/kinit.c:946 ++#, c-format ++msgid "Authenticated to Kerberos v5\n" ++msgstr "Authentifiziert für Kerberos v5\n" ++ ++#: ../../src/clients/klist/klist.c:91 ++#, c-format ++msgid "" ++"Usage: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] " ++"[name]\n" ++msgstr "" ++"Aufruf: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-" ++"K]] [Name]\n" ++ ++#: ../../src/clients/klist/klist.c:93 
++#, c-format ++msgid "\t-c specifies credentials cache\n" ++msgstr "\t-c gibt den Anmeldedatenzwischenspeicher an\n" ++ ++#: ../../src/clients/klist/klist.c:94 ++#, c-format ++msgid "\t-k specifies keytab\n" ++msgstr "\t-k gibt die Schlüsseltabelle an.\n" ++ ++#: ../../src/clients/klist/klist.c:95 ++#, c-format ++msgid "\t (Default is credentials cache)\n" ++msgstr "\t (Voreinstellung ist Anmeldedatenzwischenspeicher)\n" ++ ++#: ../../src/clients/klist/klist.c:96 ++#, c-format ++msgid "\t-i uses default client keytab if no name given\n" ++msgstr "" ++"\t-i verwendet die Standardschlüsseltabelle des Clients, falls kein Name " ++"angegeben wurde.\n" ++ ++#: ../../src/clients/klist/klist.c:97 ++#, c-format ++msgid "\t-l lists credential caches in collection\n" ++msgstr "\t-l listet gesammelte Anmeldedatenzwischenspeicher auf.\n" ++ ++#: ../../src/clients/klist/klist.c:98 ++#, c-format ++msgid "\t-A shows content of all credential caches\n" ++msgstr "\t-A zeigt den Inhalt aller Anmeldedatenzwischenspeicher an.\n" ++ ++#: ../../src/clients/klist/klist.c:99 ++#, c-format ++msgid "\t-e shows the encryption type\n" ++msgstr "\t-e zeigt den Verschlüsselungstyp.\n" ++ ++#: ../../src/clients/klist/klist.c:100 ++#, c-format ++msgid "\t-V shows the Kerberos version and exits\n" ++msgstr "\t-V zeigt die Kerberos-Version und wird beendet.\n" ++ ++#: ../../src/clients/klist/klist.c:101 ++#, c-format ++msgid "\toptions for credential caches:\n" ++msgstr "\tOptionen für Anmeldedatenzwischenspeicher:\n" ++ ++#: ../../src/clients/klist/klist.c:102 ++#, c-format ++msgid "\t\t-d shows the submitted authorization data types\n" ++msgstr "\t\t-d zeigt die übertragenen Authorisierungsdatentypen.\n" ++ ++#: ../../src/clients/klist/klist.c:104 ++#, c-format ++msgid "\t\t-f shows credentials flags\n" ++msgstr "t\t-f zeigt die Anmeldedatenschalter.\n" ++ ++#: ../../src/clients/klist/klist.c:105 ++#, c-format ++msgid "\t\t-s sets exit status based on valid tgt existence\n" ++msgstr "" ++"\t\t-s 
setzt den Exit-Status auf Basis der Existenz eines gültigen TGTs.\n" ++ ++#: ../../src/clients/klist/klist.c:107 ++#, c-format ++msgid "\t\t-a displays the address list\n" ++msgstr "\t\t-a zeigt die Adressliste.\n" ++ ++#: ../../src/clients/klist/klist.c:108 ++#, c-format ++msgid "\t\t\t-n do not reverse-resolve\n" ++msgstr "\t\t\t-n löst nicht rückwärts auf.\n" ++ ++#: ../../src/clients/klist/klist.c:109 ++#, c-format ++msgid "\toptions for keytabs:\n" ++msgstr "\tOptionen für Schlüsseltabellen:\n" ++ ++#: ../../src/clients/klist/klist.c:110 ++#, c-format ++msgid "\t\t-t shows keytab entry timestamps\n" ++msgstr "\t\t-t zeigt die Zeitstempel der Schlüsseltabelleneinträge.\n" ++ ++#: ../../src/clients/klist/klist.c:111 ++#, c-format ++msgid "\t\t-K shows keytab entry keys\n" ++msgstr "\t\t-K zeigt die Schlüssel der Schlüsseltabelleneinträge.\n" ++ ++#: ../../src/clients/klist/klist.c:230 ++#, c-format ++msgid "%s version %s\n" ++msgstr "%s Version %s\n" ++ ++#: ../../src/clients/klist/klist.c:282 ++msgid "while getting default client keytab" ++msgstr "beim Holen der Standardschlüsseltabelle des Clients" ++ ++#: ../../src/clients/klist/klist.c:287 ++msgid "while getting default keytab" ++msgstr "beim Holen der Standardschlüsseltabelle" ++ ++#: ../../src/clients/klist/klist.c:292 ../../src/kadmin/cli/keytab.c:108 ++#, c-format ++msgid "while resolving keytab %s" ++msgstr "beim Ermitteln der Schlüsseltabelle %s" ++ ++#: ../../src/clients/klist/klist.c:298 ../../src/kadmin/cli/keytab.c:92 ++msgid "while getting keytab name" ++msgstr "beim Holen des Schlüsseltabellennamens" ++ ++#: ../../src/clients/klist/klist.c:305 ../../src/kadmin/cli/keytab.c:399 ++msgid "while starting keytab scan" ++msgstr "beim Start des Schlüsseltabellen-Scans" ++ ++#: ../../src/clients/klist/klist.c:326 ../../src/clients/klist/klist.c:500 ++#: ../../src/clients/ksu/ccache.c:465 ../../src/kadmin/dbutil/dump.c:550 ++msgid "while unparsing principal name" ++msgstr "beim Rückgängigmachen des 
Auswertens des Principal-Namens" ++ ++#: ../../src/clients/klist/klist.c:350 ../../src/kadmin/cli/keytab.c:443 ++msgid "while scanning keytab" ++msgstr "beim Scannen der Schlüsseltabelle" ++ ++#: ../../src/clients/klist/klist.c:354 ../../src/kadmin/cli/keytab.c:448 ++msgid "while ending keytab scan" ++msgstr "beim Beenden des Schlüsseltabellen-Scans" ++ ++#: ../../src/clients/klist/klist.c:371 ../../src/clients/klist/klist.c:434 ++msgid "while listing ccache collection" ++msgstr "beim Aufführen der Ccache-Sammlung" ++ ++#: ../../src/clients/klist/klist.c:411 ++msgid "(Expired)" ++msgstr "(abgelaufen)" ++ ++#: ../../src/clients/klist/klist.c:466 ++#, c-format ++msgid "while resolving ccache %s" ++msgstr "beim Ermitteln des Ccaches %s" ++ ++#: ../../src/clients/klist/klist.c:504 ++#, c-format ++msgid "" ++"Ticket cache: %s:%s\n" ++"Default principal: %s\n" ++"\n" ++msgstr "" ++"Ticketzwischenspeicher: %s:%s\n" ++"Standard-Principal: %s\n" ++"\n" ++ ++#: ../../src/clients/klist/klist.c:518 ++msgid "while starting to retrieve tickets" ++msgstr "während das Abfragen der Tickets beginnt" ++ ++#: ../../src/clients/klist/klist.c:539 ++msgid "while finishing ticket retrieval" ++msgstr "während das Abfragem der Tickets endet" ++ ++#: ../../src/clients/klist/klist.c:545 ++msgid "while closing ccache" ++msgstr "beim Schließen des Ccaches" ++ ++#: ../../src/clients/klist/klist.c:555 ++msgid "while retrieving a ticket" ++msgstr "beim Abfragen eines Tickets" ++ ++#: ../../src/clients/klist/klist.c:667 ../../src/clients/ksu/ccache.c:450 ++#: ../../src/slave/kpropd.c:1225 ../../src/slave/kpropd.c:1285 ++msgid "while unparsing client name" ++msgstr "beim Rückgängigmachen des Auswertens des Client-Namens" ++ ++#: ../../src/clients/klist/klist.c:672 ../../src/clients/ksu/ccache.c:455 ++#: ../../src/slave/kprop.c:240 ++msgid "while unparsing server name" ++msgstr "beim Rückgängigmachen des Auswertens des Server-Namens" ++ ++#: ../../src/clients/klist/klist.c:701 
../../src/clients/ksu/ccache.c:480 ++#, c-format ++msgid "\tfor client %s" ++msgstr "\tfür Client %s" ++ ++#: ../../src/clients/klist/klist.c:713 ../../src/clients/ksu/ccache.c:489 ++msgid "renew until " ++msgstr "erneuern bis " ++ ++#: ../../src/clients/klist/klist.c:730 ../../src/clients/ksu/ccache.c:499 ++#, c-format ++msgid "Flags: %s" ++msgstr "Schalter: %s" ++ ++#: ../../src/clients/klist/klist.c:749 ++#, c-format ++msgid "Etype (skey, tkt): %s, " ++msgstr "Etype (Skey, TKT): %s, " ++ ++#: ../../src/clients/klist/klist.c:766 ++#, c-format ++msgid "AD types: " ++msgstr "AD-Typen" ++ ++#: ../../src/clients/klist/klist.c:783 ++#, c-format ++msgid "\tAddresses: (none)\n" ++msgstr "\tAdressen: (keine)\n" ++ ++#: ../../src/clients/klist/klist.c:785 ++#, c-format ++msgid "\tAddresses: " ++msgstr "\tAdressen: " ++ ++#: ../../src/clients/klist/klist.c:818 ++#, c-format ++msgid "broken address (type %d length %d)" ++msgstr "kaputte Adresse (Typ %d Länge %d)" ++ ++#: ../../src/clients/klist/klist.c:838 ++#, c-format ++msgid "unknown addrtype %d" ++msgstr "unbekannter »addrtype« %d" ++ ++#: ../../src/clients/klist/klist.c:847 ++#, c-format ++msgid "unprintable address (type %d, error %d %s)" ++msgstr "nicht druckbare Adresse (Typ %d Fehler %d %s)" ++ ++#: ../../src/clients/kpasswd/kpasswd.c:12 ../../src/lib/krb5/krb/gic_pwd.c:396 ++msgid "Enter new password" ++msgstr "Geben Sie ein neues Passwort ein." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:13 ../../src/lib/krb5/krb/gic_pwd.c:404 ++msgid "Enter it again" ++msgstr "Geben Sie es erneut ein." 
++ ++#: ../../src/clients/kpasswd/kpasswd.c:33 ++#, c-format ++msgid "Unable to identify user from password file\n" ++msgstr "" ++"Der Benutzer kann nicht anhand der Passwortdatei identifiziert werden.\n" ++ ++#: ../../src/clients/kpasswd/kpasswd.c:65 ++#, c-format ++msgid "usage: %s [principal]\n" ++msgstr "Aufruf: %s [Principal]\n" ++ ++#: ../../src/clients/kpasswd/kpasswd.c:73 ++msgid "initializing kerberos library" ++msgstr "Kerberos-Bibliothek wird initialisiert." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:77 ++msgid "allocating krb5_get_init_creds_opt" ++msgstr "krb5_get_init_creds_opt wird reserviert." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:92 ++msgid "opening default ccache" ++msgstr "Standard-Ccache wird geöffnet." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:97 ++msgid "getting principal from ccache" ++msgstr "Principal wird vom Ccache geholt." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:104 ++msgid "while setting FAST ccache" ++msgstr "beim Setzen des FAST-Ccaches" ++ ++#: ../../src/clients/kpasswd/kpasswd.c:111 ++msgid "closing ccache" ++msgstr "Ccache wird geschlossen." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:118 ++msgid "parsing client name" ++msgstr "Client-Name wird ausgewertet." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:135 ++msgid "Password incorrect while getting initial ticket" ++msgstr "Passwort beim Holen des anfänglichen Tickets falsch" ++ ++#: ../../src/clients/kpasswd/kpasswd.c:137 ++msgid "getting initial ticket" ++msgstr "Anfängliches Ticket wird geholt." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:144 ++msgid "while reading password" ++msgstr "beim Lesen des Passworts" ++ ++#: ../../src/clients/kpasswd/kpasswd.c:152 ++msgid "changing password" ++msgstr "Passwort wird geändert." 
++ ++#: ../../src/clients/kpasswd/kpasswd.c:174 ++#: ../lib/kadm5/chpass_util_strings.c:30 ++#, c-format ++msgid "Password changed.\n" ++msgstr "Passwort geändert\n" ++ ++#: ../../src/clients/ksu/authorization.c:369 ++#, c-format ++msgid "" ++"Error: bad entry - %s in %s file, must be either full path or just the cmd " ++"name\n" ++msgstr "" ++"Fehler: falscher Eintrag – %s in Datei %s muss entweder ein vollständiger " ++"Pfad oder nur ein Befehlsname sein.\n" ++ ++#: ../../src/clients/ksu/authorization.c:377 ++#, c-format ++msgid "" ++"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH " ++"must be defined \n" ++msgstr "" ++"Fehler: falscher Eintrag – %s in Datei %s. Da %s nur ein Befehlsname ist, " ++"muss CMD_PATH definiert sein.\n" ++ ++#: ../../src/clients/ksu/authorization.c:392 ++#, c-format ++msgid "Error: bad entry - %s in %s file, CMD_PATH contains no paths \n" ++msgstr "" ++"Fehler: falscher Eintrag – %s in Datei %s. CMD_PATH enthält keine Pfade.\n" ++ ++#: ../../src/clients/ksu/authorization.c:401 ++#, c-format ++msgid "Error: bad path %s in CMD_PATH for %s must start with '/' \n" ++msgstr "Fehler: falscher Pfad %s in CMD_PATH für %s muss mit »/« beginnen\n" ++ ++#: ../../src/clients/ksu/authorization.c:517 ++msgid "Error: not found -> " ++msgstr "Fehler: nicht gefunden -> " ++ ++#: ../../src/clients/ksu/authorization.c:723 ++#, c-format ++msgid "home directory name `%s' too long, can't search for .k5login\n" ++msgstr "" ++"Name des Home-Verzeichnisses »%s« ist zu lang, Suche nach .k5login nicht " ++"möglich\n" ++ ++#: ../../src/clients/ksu/ccache.c:368 ++#, c-format ++msgid "home directory path for %s too long\n" ++msgstr "Home-Verzeichnispfad für %s zu lang\n" ++ ++#: ../../src/clients/ksu/ccache.c:461 ++msgid "while retrieving principal name" ++msgstr "beim Abfragen des Principal-Namens" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:57 ++#: ../../src/clients/ksu/krb_auth_su.c:62 ../../src/slave/kprop.c:247 ++msgid "while copying 
client principal" ++msgstr "beim Kopieren des Client-Principals" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:69 ++msgid "while creating tgt for local realm" ++msgstr "beim Erstellen des TGTs für lokalen Realm" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:84 ++msgid "while retrieving creds from cache" ++msgstr "beim Abfragen der Anmeldedaten aus dem Zwischenspeicher" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:95 ++msgid "while switching to target uid" ++msgstr "beim Umschalten auf die Ziel-UID" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:100 ++#, c-format ++msgid "" ++"WARNING: Your password may be exposed if you enter it here and are logged \n" ++msgstr "" ++"WARNUNG: Ihr Passwort könnte offengelegt werden, falls Sie es hier eingeben " ++"und\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:102 ++#, c-format ++msgid " in remotely using an unsecure (non-encrypted) channel. \n" ++msgstr "" ++" in der Ferne mittels eines unsicheren (unverschlüsselten) Kanals\n" ++" angemeldet sind.\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:114 ../../src/clients/ksu/main.c:464 ++msgid "while reclaiming root uid" ++msgstr "beim erneuten Beanspruchen der Root-UID" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:121 ++#, c-format ++msgid "does not have any appropriate tickets in the cache.\n" ++msgstr "hat keine geeigneten Tickets im Zwischenspeicher.\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:133 ++msgid "while verifying ticket for server" ++msgstr "beim Prüfen des Tickets für Server" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:167 ++msgid "while getting time of day" ++msgstr "beim Holen der Tageszeit" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:171 ++#, c-format ++msgid "Kerberos password for %s: " ++msgstr "Kerberos-Passwort für %s: " ++ ++#: ../../src/clients/ksu/krb_auth_su.c:175 ++#, c-format ++msgid "principal name %s too long for internal buffer space\n" ++msgstr "Principal-Name %s für den internen Pufferbereich zu groß\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:184 ++#, 
c-format ++msgid "while reading password for '%s'\n" ++msgstr "beim Lesen des Passworts für »%s«\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:191 ++#, c-format ++msgid "No password given\n" ++msgstr "kein Passwort angegeben\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:204 ++#, c-format ++msgid "%s: Password incorrect\n" ++msgstr "%s: Passwort falsch\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:206 ++msgid "while getting initial credentials" ++msgstr "beim Holen der Anfangsanmeldedaten" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:226 ++#: ../../src/clients/ksu/krb_auth_su.c:240 ++#, c-format ++msgid " %s while unparsing name\n" ++msgstr "%s beim Rückgängigmachen der Namensauswertung\n" ++ ++#: ../../src/clients/ksu/main.c:68 ++#, c-format ++msgid "" ++"Usage: %s [target user] [-n principal] [-c source cachename] [-k] [-D] [-r " ++"time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a " ++"[args... ] ]\n" ++msgstr "" ++"Aufruf: %s [Zielbenutzer] [-n Principal] [-c Quellenzwischenspeichername] [-" ++"k] [-D] [-r Zeit] [-pf] [-l Lebensdauer] [-zZ] [-q] [-e Befehl [Argumente " ++"…] ] [-a [Argumente …] ]\n" ++ ++#: ../../src/clients/ksu/main.c:147 ++msgid "" ++"program name too long - quitting to avoid triggering system logging bugs" ++msgstr "" ++"Programmname zu lang – wird beendet, um das Auslösen von " ++"Systemprotokollierungsfehlern zu vermeiden" ++ ++#: ../../src/clients/ksu/main.c:173 ++msgid "while allocating memory" ++msgstr "bei Reservieren von Speicher" ++ ++#: ../../src/clients/ksu/main.c:186 ++msgid "while setting euid to source user" ++msgstr "beim Setzen der EUID auf dem Quellbenutzer" ++ ++#: ../../src/clients/ksu/main.c:196 ../../src/clients/ksu/main.c:231 ++#, c-format ++msgid "Bad lifetime value (%s hours?)\n" ++msgstr "falscher Wert für Lebensdauer (%s Stunden?)\n" ++ ++#: ../../src/clients/ksu/main.c:208 ../../src/clients/ksu/main.c:292 ++msgid "when gathering parameters" ++msgstr "beim Zusammenstellen der Parameter" ++ ++#: 
../../src/clients/ksu/main.c:251 ++#, c-format ++msgid "-z option is mutually exclusive with -Z.\n" ++msgstr "Die Optionen -z und -Z schließen sich gegenseitig aus.\n" ++ ++#: ../../src/clients/ksu/main.c:259 ++#, c-format ++msgid "-Z option is mutually exclusive with -z.\n" ++msgstr "Die Optionen -Z und -z schließen sich gegenseitig aus.\n" ++ ++#: ../../src/clients/ksu/main.c:272 ++#, c-format ++msgid "while looking for credentials cache %s" ++msgstr "beim Suchen nach dem Anmeldedatenzwischenspeicher %s" ++ ++#: ../../src/clients/ksu/main.c:278 ++#, c-format ++msgid "malformed credential cache name %s\n" ++msgstr "falsch gebildeter Anmeldedatenzwischenspeichername %s\n" ++ ++# ksu ist eine Kerberos-Variante von su ++#: ../../src/clients/ksu/main.c:336 ++#, c-format ++msgid "ksu: who are you?\n" ++msgstr "ksu: Wer sind Sie?\n" ++ ++#: ../../src/clients/ksu/main.c:340 ++#, c-format ++msgid "Your uid doesn't match your passwd entry?!\n" ++msgstr "Ihre UID passt nicht zu Ihrem Passworteintrag.\n" ++ ++#: ../../src/clients/ksu/main.c:355 ++#, c-format ++msgid "ksu: unknown login %s\n" ++msgstr "ksu: unbekannter Anmeldename %s\n" ++ ++#: ../../src/clients/ksu/main.c:375 ++msgid "while getting source cache" ++msgstr "beim Holen des Quellenzwischenspeichers" ++ ++#: ../../src/clients/ksu/main.c:381 ../../src/clients/kvno/kvno.c:194 ++msgid "while opening ccache" ++msgstr "beim Öffnen des Ccaches" ++ ++#: ../../src/clients/ksu/main.c:389 ++msgid "while selecting the best principal" ++msgstr "beim Auswählen des besten Principals" ++ ++#: ../../src/clients/ksu/main.c:397 ++msgid "while returning to source uid after finding best principal" ++msgstr "" ++"bei der Rückkehr zur Quell-UID, nachdem der beste Principal gefunden wurde" ++ ++#: ../../src/clients/ksu/main.c:417 ++#, c-format ++msgid "account %s: authorization failed\n" ++msgstr "Konto %s: Authentifizierung fehlgeschlagen\n" ++ ++#: ../../src/clients/ksu/main.c:442 ++msgid "while parsing temporary name" ++msgstr "beim 
Auswertens des temporären Namens"
++
++#: ../../src/clients/ksu/main.c:447
++msgid "while creating temporary cache"
++msgstr "bei Erstellen des temporären Zwischenspeichers"
++
++#: ../../src/clients/ksu/main.c:453 ../../src/clients/ksu/main.c:693
++#, c-format
++msgid "while copying cache %s to %s"
++msgstr "beim Kopieren des Zwischenspeichers %s nach %s"
++
++#: ../../src/clients/ksu/main.c:471
++#, c-format
++msgid ""
++"WARNING: Your password may be exposed if you enter it here and are logged\n"
++msgstr ""
++"WARNUNG: Ihr Passwort könnte offengelegt werden, falls Sie es hier eingeben "
++"und\n"
++
++#: ../../src/clients/ksu/main.c:473
++#, c-format
++msgid " in remotely using an unsecure (non-encrypted) channel.\n"
++msgstr ""
++" in der Ferne über einen unsicheren (unverschlüsselten) Kanal "
++"angemeldet\n"
++"sind.\n"
++
++#: ../../src/clients/ksu/main.c:479
++#, c-format
++msgid "Goodbye\n"
++msgstr "Auf Wiedersehen\n"
++
++#: ../../src/clients/ksu/main.c:483
++#, c-format
++msgid "Could not get a tgt for "
++msgstr "Es konnte kein TGT geholt werden für "
++
++#: ../../src/clients/ksu/main.c:505
++#, c-format
++msgid "Authentication failed.\n"
++msgstr "Authentifizierung fehlgeschlagen.\n"
++
++#: ../../src/clients/ksu/main.c:513
++msgid "When unparsing name"
++msgstr "beim Rückgängigmachen der Namensauswertung"
++
++#: ../../src/clients/ksu/main.c:517
++#, c-format
++msgid "Authenticated %s\n"
++msgstr "Authentifiziert %s\n"
++
++#: ../../src/clients/ksu/main.c:524
++msgid "while switching to target for authorization check"
++msgstr "beim Wechsel des Ziels der Autorisierungsprüfung"
++
++#: ../../src/clients/ksu/main.c:531
++msgid "while checking authorization"
++msgstr "beim Prüfen der Autorisierung"
++
++#: ../../src/clients/ksu/main.c:537
++msgid "while switching back from target after authorization check"
++msgstr "beim Zurückwechsel vom Ziel nach der Autorisierungsprüfung"
++
++#: ../../src/clients/ksu/main.c:544
++#, c-format
++msgid "Account %s: 
authorization for %s for execution of\n"
++msgstr "Konto %s: Autorisierung für %s zum Ausführen von\n"
++
++#: ../../src/clients/ksu/main.c:546
++#, c-format
++msgid " %s successful\n"
++msgstr " %s erfolgreich\n"
++
++#: ../../src/clients/ksu/main.c:552
++#, c-format
++msgid "Account %s: authorization for %s successful\n"
++msgstr "Konto %s: Autorisierung für %s erfolgreich\n"
++
++#: ../../src/clients/ksu/main.c:564
++#, c-format
++msgid "Account %s: authorization for %s for execution of %s failed\n"
++msgstr "Konto %s: Autorisierung für %s zum Ausführen von %s fehlgeschlagen\n"
++
++#: ../../src/clients/ksu/main.c:572
++#, c-format
++msgid "Account %s: authorization of %s failed\n"
++msgstr "Konto %s: Autorisierung von %s fehlgeschlagen\n"
++
++#: ../../src/clients/ksu/main.c:587
++msgid "while calling cc_filter"
++msgstr "beim Aufruf von »cc_filter«"
++
++#: ../../src/clients/ksu/main.c:595
++msgid "while erasing target cache"
++msgstr "bei Löschen des Zielzwischenspeichers"
++
++#: ../../src/clients/ksu/main.c:615
++#, c-format
++msgid "ksu: permission denied (shell).\n"
++msgstr "ksu: Zugriff verweigert (Shell)\n"
++
++#: ../../src/clients/ksu/main.c:624
++#, c-format
++msgid "ksu: couldn't set environment variable USER\n"
++msgstr "ksu: Umgebungsvariable USER kann nicht gesetzt werden\n"
++
++#: ../../src/clients/ksu/main.c:630
++#, c-format
++msgid "ksu: couldn't set environment variable HOME\n"
++msgstr "ksu: Umgebungsvariable HOME kann nicht gesetzt werden\n"
++
++#: ../../src/clients/ksu/main.c:635
++#, c-format
++msgid "ksu: couldn't set environment variable SHELL\n"
++msgstr "ksu: Umgebungsvariable SHELL kann nicht gesetzt werden\n"
++
++#: ../../src/clients/ksu/main.c:646
++#, c-format
++msgid "ksu: initgroups failed.\n"
++msgstr "ksu: »initgroups« fehlgeschlagen\n"
++
++#: ../../src/clients/ksu/main.c:651
++#, c-format
++msgid "Leaving uid as %s (%ld)\n"
++msgstr "UID bleibt %s (%ld)\n"
++
++#: ../../src/clients/ksu/main.c:654
++#, c-format
++msgid 
"Changing uid to %s (%ld)\n"
++msgstr "UID wird zu %s (%ld) geändert\n"
++
++#: ../../src/clients/ksu/main.c:680
++msgid "while getting name of target ccache"
++msgstr "beim Holen des Ziel-Ccache-Namens"
++
++#: ../../src/clients/ksu/main.c:700
++#, c-format
++msgid "%s does not have correct permissions for %s, %s aborted"
++msgstr "%s hat nicht die korrekten Rechte für %s, %s wird abgebrochen."
++
++#: ../../src/clients/ksu/main.c:721
++#, c-format
++msgid "Internal error: command %s did not get resolved\n"
++msgstr "Interner Fehler: Befehl %s wurde nicht aufgelöst\n"
++
++#: ../../src/clients/ksu/main.c:738 ../../src/clients/ksu/main.c:774
++#, c-format
++msgid "while trying to execv %s"
++msgstr "beim Versuch von »execv %s«"
++
++#: ../../src/clients/ksu/main.c:764
++msgid "while calling waitpid"
++msgstr "beim Aufruf von »waitpid«"
++
++#: ../../src/clients/ksu/main.c:769
++msgid "while trying to fork."
++msgstr "beim Versuch zu verzweigen."
++
++#: ../../src/clients/ksu/main.c:791
++msgid "while reading cache name from ccache"
++msgstr "beim Lesen des Zwischenspeichernamens aus dem Ccache"
++
++#: ../../src/clients/ksu/main.c:797
++#, c-format
++msgid "ksu: couldn't set environment variable %s\n"
++msgstr "ksu: Umgebungsvariable %s kann nicht gesetzt werden\n"
++
++#: ../../src/clients/ksu/main.c:820
++#, c-format
++msgid "while clearing the value of %s"
++msgstr "beim Leeren des Werts von %s"
++
++#: ../../src/clients/ksu/main.c:828
++msgid "while resetting target ccache name"
++msgstr "beim Zurücksetzen des Ziel-Ccache-Namens"
++
++#: ../../src/clients/ksu/main.c:842
++msgid "while determining target ccache name"
++msgstr "beim Bestimmen des Ziel-Ccache-Namens"
++
++#: ../../src/clients/ksu/main.c:881
++msgid "while generating part of the target ccache name"
++msgstr "beim Erzeugen eines Teils des Ziel-Ccache-Namens"
++
++#: ../../src/clients/ksu/main.c:887
++msgid "while allocating memory for the target ccache name"
++msgstr "beim Reservieren von Speicher 
für den Ziel-Ccache-Namen"
++
++#: ../../src/clients/ksu/main.c:906
++msgid "while creating new target ccache"
++msgstr "bei Erstellen von neuem Ziel-Ccache"
++
++#: ../../src/clients/ksu/main.c:912
++msgid "while initializing target cache"
++msgstr "beim Initialisieren des Zielzwischenspeichers"
++
++#: ../../src/clients/ksu/main.c:952
++#, c-format
++msgid "terminal name %s too long\n"
++msgstr "Terminal-Name %s ist zu lang.\n"
++
++#: ../../src/clients/ksu/main.c:980
++msgid "while changing to target uid for destroying ccache"
++msgstr "beim Ändern der Ziel-UID für das Zerstören von Ccache"
++
++#: ../../src/clients/kswitch/kswitch.c:44
++#, c-format
++msgid "Usage: %s {-c cache_name | -p principal}\n"
++msgstr "Aufruf: %s {-c Zwischenspeichername | -p Principal}\n"
++
++#: ../../src/clients/kswitch/kswitch.c:46
++#, c-format
++msgid "\t-p specify name of principal\n"
++msgstr "\t-p gibt den Namen des Principals an.\n"
++
++#: ../../src/clients/kswitch/kswitch.c:69
++#, c-format
++msgid "Only one -c or -p option allowed\n"
++msgstr "Nur eine der Optionen -c oder -p ist erlaubt.\n"
++
++#: ../../src/clients/kswitch/kswitch.c:88
++#, c-format
++msgid "One of -c or -p must be specified\n"
++msgstr "Entweder -c oder -p muss angegeben werden.\n"
++
++#: ../../src/clients/kswitch/kswitch.c:110 ../../src/clients/kvno/kvno.c:211
++#: ../../src/clients/kvno/kvno.c:245 ../../src/kadmin/cli/keytab.c:350
++#: ../../src/kadmin/dbutil/kdb5_util.c:576
++#, c-format
++msgid "while parsing principal name %s"
++msgstr "beim Auswerten des Principal-Namens %s"
++
++#: ../../src/clients/kswitch/kswitch.c:124
++msgid "while switching to credential cache"
++msgstr "beim Wechsel auf den Anmeldedatenzwischenspeicher"
++
++#: ../../src/clients/kvno/kvno.c:46
++#, c-format
++msgid "usage: %s [-C] [-u] [-c ccache] [-e etype]\n"
++msgstr "Aufruf: %s [-C] [-u] [-c Ccache] [-e Etype]\n"
++
++#: ../../src/clients/kvno/kvno.c:47
++#, c-format
++msgid "\t[-k keytab] [-S sname] [-U for_user 
[-P]]\n"
++msgstr "\t[-k Schlüsseltabelle] [-S Sname] [-U für_Benutzer [-P]]\n"
++
++#: ../../src/clients/kvno/kvno.c:48
++#, c-format
++msgid "\tservice1 service2 ...\n"
++msgstr "\tDienst1 Dienst2 …\n"
++
++#: ../../src/clients/kvno/kvno.c:103 ../../src/clients/kvno/kvno.c:111
++#, c-format
++msgid "Options -u and -S are mutually exclusive\n"
++msgstr "Die Optionen -u und -S schließen sich gegenseitig aus.\n"
++
++#: ../../src/clients/kvno/kvno.c:126
++#, c-format
++msgid "Option -P (constrained delegation) requires keytab to be specified\n"
++msgstr ""
++"Die Option -P (eingeschränkte Abtretung) erfordert zur Angabe eine "
++"Schlüsseltabelle.\n"
++
++#: ../../src/clients/kvno/kvno.c:130
++#, c-format
++msgid ""
++"Option -P (constrained delegation) requires option -U (protocol transition)\n"
++msgstr ""
++"Die Option -P (eingeschränkte Abtretung) erfordert die Option -U "
++"(Protokollübergang)\n"
++
++#: ../../src/clients/kvno/kvno.c:175 ../../src/kadmin/cli/kadmin.c:280
++msgid "while initializing krb5 library"
++msgstr "beim Initialisieren der Krb5-Bibliothek"
++
++#: ../../src/clients/kvno/kvno.c:182
++msgid "while converting etype"
++msgstr "bei der Etype-Umwandlung"
++
++#: ../../src/clients/kvno/kvno.c:218
++msgid "while getting client principal name"
++msgstr "beim Holen des Client-Principal-Namens"
++
++#: ../../src/clients/kvno/kvno.c:256
++#, c-format
++msgid "while formatting parsed principal name for '%s'"
++msgstr "beim Formatieren des ausgewerteten Principal-Namens für »%s«"
++
++#: ../../src/clients/kvno/kvno.c:267
++msgid "client and server principal names must match"
++msgstr "Die Principal-Namen von Client und Server müssen übereinstimmen."
++
++#: ../../src/clients/kvno/kvno.c:284
++#, c-format
++msgid "while getting credentials for %s"
++msgstr "beim Holen der Anmeldedaten für %s"
++
++#: ../../src/clients/kvno/kvno.c:291
++#, c-format
++msgid "while decoding ticket for %s"
++msgstr "beim Dekodieren des Tickets für %s"
++
++#: ../../src/clients/kvno/kvno.c:302
++#, c-format
++msgid "while decrypting ticket for %s"
++msgstr "beim Entschlüsseln des Tickets für %s"
++
++#: ../../src/clients/kvno/kvno.c:306
++#, c-format
++msgid "%s: kvno = %d, keytab entry valid\n"
++msgstr "%s: KVNO = %d, Schlüsseltabelleneintrag gültig\n"
++
++#: ../../src/clients/kvno/kvno.c:324
++#, c-format
++msgid "%s: constrained delegation failed"
++msgstr "%s: eingeschränkte Abtretung fehlgeschlagen"
++
++#: ../../src/clients/kvno/kvno.c:330
++#, c-format
++msgid "%s: kvno = %d\n"
++msgstr "%s: KVNO = %d\n"
++
++#: ../../src/kadmin/cli/kadmin.c:118
++#, c-format
++msgid ""
++"Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n"
++"\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]|[-n]\n"
++"\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n"
++"where,\n"
++"\t[-x db_args]* - any number of database specific arguments.\n"
++"\t\t\tLook at each database documentation for supported arguments\n"
++msgstr ""
++"Aufruf: %s [-r Realm] [-p Principal] [-q Abfrage] [clnt|lokale Argumente]\n"
++"\tclnt Argumente: [-s Admin-Server[:Port]] [[-c Ccache]|\n"
++"\t[-k [-t Schlüsseltabelle]]]|[-n] lokale Argumente: [-x DB-Argumente]*\n"
++"\t[-d Datenbankname] [-e \"enc:Salt …\"] [-m]\n"
++"wobei\n"
++"\t[-x DB-Argumente]* - eine beliebige Anzahl datenbankspezifischer "
++"Argumente\n"
++"\tist. Die unterstützten Argumente finden Sie in den jeweiligen "
++"\tDatenbankdokumentationen\n"
++
++#: ../../src/kadmin/cli/kadmin.c:292 ../../src/kadmin/cli/kadmin.c:333
++#, c-format
++msgid "%s: Cannot initialize. 
Not enough memory\n"
++msgstr "%s: Zu wenig Speicher zum Initialisieren\n"
++
++#: ../../src/kadmin/cli/kadmin.c:353 ../../src/kadmin/cli/kadmin.c:804
++#: ../../src/kadmin/cli/kadmin.c:1084 ../../src/kadmin/cli/kadmin.c:1634
++#: ../../src/kadmin/cli/keytab.c:159 ../../src/kadmin/dbutil/kdb5_util.c:591
++#, c-format
++msgid "while parsing keysalts %s"
++msgstr "beim Auswerten der Schlüssel-Salts %s"
++
++#: ../../src/kadmin/cli/kadmin.c:376
++#, c-format
++msgid "%s: unable to get default realm\n"
++msgstr "%s: Standard-Realm kann nicht geholt werden\n"
++
++#: ../../src/kadmin/cli/kadmin.c:396
++msgid "while opening default credentials cache"
++msgstr "beim Öffnen des Standardanmeldedatenzwischenspeichers"
++
++#: ../../src/kadmin/cli/kadmin.c:402
++#, c-format
++msgid "while opening credentials cache %s"
++msgstr "beim Öffnen des Anmeldedatenzwischenspeichers %s"
++
++#: ../../src/kadmin/cli/kadmin.c:424 ../../src/kadmin/cli/kadmin.c:479
++#: ../../src/kadmin/cli/kadmin.c:487 ../../src/kadmin/cli/kadmin.c:494
++#, c-format
++msgid "%s: out of memory\n"
++msgstr "%s: Speicherplatz reicht nicht aus\n"
++
++#: ../../src/kadmin/cli/kadmin.c:433 ../../src/kadmin/cli/kadmin.c:448
++#: ../../src/slave/kpropd.c:681
++msgid "while canonicalizing principal name"
++msgstr "während der Principal-Name in die normale Form gebracht wird"
++
++#: ../../src/kadmin/cli/kadmin.c:442
++msgid "creating host service principal"
++msgstr "Principal des Rechnerdienstes wird erstellt"
++
++#: ../../src/kadmin/cli/kadmin.c:455
++#, c-format
++msgid "%s: unable to canonicalize principal\n"
++msgstr "%s: Principal kann nicht in die normale Form gebracht werden\n"
++
++#: ../../src/kadmin/cli/kadmin.c:499
++#, c-format
++msgid "%s: unable to figure out a principal name\n"
++msgstr "%s: Es kann kein Principal-Name herausgefunden werden.\n"
++
++#: ../../src/kadmin/cli/kadmin.c:507
++msgid "while setting up logging"
++msgstr "beim Einrichten der Protokollierung"
++
++#: 
../../src/kadmin/cli/kadmin.c:516
++#, c-format
++msgid "Authenticating as principal %s with existing credentials.\n"
++msgstr "Authentifizierung als Principal %s mit existierenden Anmeldedaten\n"
++
++#: ../../src/kadmin/cli/kadmin.c:522
++#, c-format
++msgid "Authenticating as principal %s with password; anonymous requested.\n"
++msgstr ""
++"Authentifizierung als Principal %s mit Passwort; Anonymität erwünscht\n"
++
++#: ../../src/kadmin/cli/kadmin.c:529
++#, c-format
++msgid "Authenticating as principal %s with keytab %s.\n"
++msgstr "Authentifizierung als Principal %s mit Schlüsseltabelle %s\n"
++
++#: ../../src/kadmin/cli/kadmin.c:532
++#, c-format
++msgid "Authenticating as principal %s with default keytab.\n"
++msgstr "Authentifizierung als Principal %s mit Standardschlüsseltabelle\n"
++
++#: ../../src/kadmin/cli/kadmin.c:538
++#, c-format
++msgid "Authenticating as principal %s with password.\n"
++msgstr "Authentifizierung als Principal %s mit Passwort\n"
++
++#: ../../src/kadmin/cli/kadmin.c:546 ../../src/slave/kpropd.c:728
++#, c-format
++msgid "while initializing %s interface"
++msgstr "beim Initialisieren der Schnittstelle %s"
++
++#: ../../src/kadmin/cli/kadmin.c:560
++#, c-format
++msgid "while closing ccache %s"
++msgstr "beim Schließen von Ccache %s"
++
++#: ../../src/kadmin/cli/kadmin.c:566
++msgid "while mapping update log"
++msgstr "beim Abbilden des Aktualisierungsprotokolls"
++
++#: ../../src/kadmin/cli/kadmin.c:581
++msgid "while unlocking locked database"
++msgstr "beim Entsperren der Datenbank"
++
++#: ../../src/kadmin/cli/kadmin.c:590
++msgid "Administration credentials NOT DESTROYED.\n"
++msgstr "Verwaltungsanmeldedaten NICHT VERNICHTET\n"
++
++#: ../../src/kadmin/cli/kadmin.c:639
++#, c-format
++msgid "usage: delete_principal [-force] principal\n"
++msgstr "Aufruf: delete_principal [-force] Principal\n"
++
++#: ../../src/kadmin/cli/kadmin.c:644 ../../src/kadmin/cli/kadmin.c:819
++msgid "while parsing principal name"
++msgstr "beim 
Auswerten des Principal-Namens"
++
++#: ../../src/kadmin/cli/kadmin.c:650 ../../src/kadmin/cli/kadmin.c:825
++#: ../../src/kadmin/cli/kadmin.c:1217 ../../src/kadmin/cli/kadmin.c:1339
++#: ../../src/kadmin/cli/kadmin.c:1409 ../../src/kadmin/cli/kadmin.c:1858
++#: ../../src/kadmin/cli/kadmin.c:1902 ../../src/kadmin/cli/kadmin.c:1948
++#: ../../src/kadmin/cli/kadmin.c:1988
++msgid "while canonicalizing principal"
++msgstr "während der Principal in die normale Form gebracht wird"
++
++#: ../../src/kadmin/cli/kadmin.c:654
++#, c-format
++msgid "Are you sure you want to delete the principal \"%s\"? (yes/no): "
++msgstr ""
++"Sind Sie sicher, dass Sie den Principal »%s« löschen möchten? (yes/no): "
++
++#: ../../src/kadmin/cli/kadmin.c:658
++#, c-format
++msgid "Principal \"%s\" not deleted\n"
++msgstr "Principal »%s« nicht gelöscht\n"
++
++#: ../../src/kadmin/cli/kadmin.c:665
++#, c-format
++msgid "while deleting principal \"%s\""
++msgstr "beim Löschen von Principal »%s«"
++
++#: ../../src/kadmin/cli/kadmin.c:668
++#, c-format
++msgid "Principal \"%s\" deleted.\n"
++msgstr "Principal »%s« gelöscht\n"
++
++#: ../../src/kadmin/cli/kadmin.c:669
++#, c-format
++msgid ""
++"Make sure that you have removed this principal from all ACLs before "
++"reusing.\n"
++msgstr ""
++"Stellen Sie sicher, dass Sie diesen Principal aus allen ACLs entfernt haben, "
++"bevor Sie ihn erneut benutzen.\n"
++
++#: ../../src/kadmin/cli/kadmin.c:686
++#, c-format
++msgid "usage: rename_principal [-force] old_principal new_principal\n"
++msgstr "Aufruf: rename_principal [-force] alter_Principal neuer_Principal\n"
++
++#: ../../src/kadmin/cli/kadmin.c:693
++msgid "while parsing old principal name"
++msgstr "beim Auswerten des alten Principal-Namens"
++
++#: ../../src/kadmin/cli/kadmin.c:699
++msgid "while parsing new principal name"
++msgstr "beim Auswerten des neuen Principal-Namens"
++
++#: ../../src/kadmin/cli/kadmin.c:705
++msgid "while canonicalizing old principal"
++msgstr "während der alte 
Principal in die normale Form gebracht wird"
++
++#: ../../src/kadmin/cli/kadmin.c:711
++msgid "while canonicalizing new principal"
++msgstr "während der neue Principal in die normale Form gebracht wird"
++
++#: ../../src/kadmin/cli/kadmin.c:715
++#, c-format
++msgid ""
++"Are you sure you want to rename the principal \"%s\" to \"%s\"? (yes/no): "
++msgstr ""
++"Sind Sie sicher, dass Sie den Principal »%s« in »%s« umbenennen möchten? "
++"(yes/no): "
++
++#: ../../src/kadmin/cli/kadmin.c:719
++#, c-format
++msgid "Principal \"%s\" not renamed\n"
++msgstr "Principal »%s« wurde nicht umbenannt.\n"
++
++#: ../../src/kadmin/cli/kadmin.c:726
++#, c-format
++msgid "while renaming principal \"%s\" to \"%s\""
++msgstr "beim Umbenennen von Principal »%s« in »%s«"
++
++#: ../../src/kadmin/cli/kadmin.c:730
++#, c-format
++msgid "Principal \"%s\" renamed to \"%s\".\n"
++msgstr "Principal »%s« wurde in »%s« umbenannt.\n"
++
++#: ../../src/kadmin/cli/kadmin.c:731
++#, c-format
++msgid ""
++"Make sure that you have removed the old principal from all ACLs before "
++"reusing.\n"
++msgstr ""
++"Stellen Sie sicher, dass Sie den alten Principal aus allen ACLs entfernt "
++"haben, bevor Sie ihn erneut benutzen.\n"
++
++#: ../../src/kadmin/cli/kadmin.c:746
++#, c-format
++msgid ""
++"usage: change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] "
++"principal\n"
++msgstr ""
++"Aufruf: change_password [-randkey] [-keepold] [-e Schlüssel-Salt-Liste] [-pw "
++"Passwort] Principal\n"
++
++#: ../../src/kadmin/cli/kadmin.c:772
++msgid "change_password: missing db argument"
++msgstr "change_password: fehlendes Datenbankargument"
++
++#: ../../src/kadmin/cli/kadmin.c:778
++#, c-format
++msgid "change_password: Not enough memory\n"
++msgstr "change_password: zu wenig Speicher\n"
++
++#: ../../src/kadmin/cli/kadmin.c:786
++msgid "change_password: missing password arg"
++msgstr "change_password: fehlendes Passwortargument"
++
++#: ../../src/kadmin/cli/kadmin.c:797
++msgid 
"change_password: missing keysaltlist arg"
++msgstr "change_password: fehlendes Schlüssel-Salt-Listenargument"
++
++#: ../../src/kadmin/cli/kadmin.c:813
++msgid "missing principal name"
++msgstr "fehlender Principal-Name"
++
++#: ../../src/kadmin/cli/kadmin.c:837 ../../src/kadmin/cli/kadmin.c:874
++#, c-format
++msgid "while changing password for \"%s\"."
++msgstr "beim Ändern des Passworts von »%s«."
++
++#: ../../src/kadmin/cli/kadmin.c:840 ../../src/kadmin/cli/kadmin.c:877
++#, c-format
++msgid "Password for \"%s\" changed.\n"
++msgstr "Passwort von »%s« geändert\n"
++
++#: ../../src/kadmin/cli/kadmin.c:846 ../../src/kadmin/cli/kadmin.c:1290
++#, c-format
++msgid "while randomizing key for \"%s\"."
++msgstr "beim Erzeugen eines zufälligen Schlüssels für »%s«."
++
++#: ../../src/kadmin/cli/kadmin.c:849
++#, c-format
++msgid "Key for \"%s\" randomized.\n"
++msgstr "Es wurde ein zufälliger Schlüssel für %s erzeugt\n"
++
++#: ../../src/kadmin/cli/kadmin.c:854 ../../src/kadmin/cli/kadmin.c:1250
++#, c-format
++msgid "Enter password for principal \"%s\""
++msgstr "Geben Sie das Passwort für Principal »%s« ein."
++
++#: ../../src/kadmin/cli/kadmin.c:856 ../../src/kadmin/cli/kadmin.c:1252
++#, c-format
++msgid "Re-enter password for principal \"%s\""
++msgstr "Geben Sie das Passwort für Principal »%s« erneut ein."
++
++#: ../../src/kadmin/cli/kadmin.c:861 ../../src/kadmin/cli/kadmin.c:1256
++#, c-format
++msgid "while reading password for \"%s\"."
++msgstr "beim Lesen des Passworts von »%s«."
++
++#: ../../src/kadmin/cli/kadmin.c:915
++#, c-format
++msgid "Not enough memory\n"
++msgstr "Speicher reicht nicht aus\n"
++
++#: ../../src/kadmin/cli/kadmin.c:945 ../../src/kadmin/dbutil/kdb5_util.c:623
++msgid "while getting time"
++msgstr "beim Holen der Zeit"
++
++#: ../../src/kadmin/cli/kadmin.c:994 ../../src/kadmin/cli/kadmin.c:1007
++#: ../../src/kadmin/cli/kadmin.c:1020 ../../src/kadmin/cli/kadmin.c:1033
++#: ../../src/kadmin/cli/kadmin.c:1546 ../../src/kadmin/cli/kadmin.c:1558
++#: ../../src/kadmin/cli/kadmin.c:1601 ../../src/kadmin/cli/kadmin.c:1618
++#, c-format
++msgid "Invalid date specification \"%s\".\n"
++msgstr "ungültige Datumsangabe »%s«\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1118 ../../src/kadmin/cli/kadmin.c:1333
++#: ../../src/kadmin/cli/kadmin.c:1404 ../../src/kadmin/cli/kadmin.c:1852
++#: ../../src/kadmin/cli/kadmin.c:1896 ../../src/kadmin/cli/kadmin.c:1942
++#: ../../src/kadmin/cli/kadmin.c:1982
++msgid "while parsing principal"
++msgstr "beim Auswerten des Principals"
++
++#: ../../src/kadmin/cli/kadmin.c:1127
++#, c-format
++msgid "usage: add_principal [options] principal\n"
++msgstr "Aufruf: add_principal [Optionen] Principal\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1128 ../../src/kadmin/cli/kadmin.c:1155
++#: ../../src/kadmin/cli/kadmin.c:1657
++#, c-format
++msgid "\toptions are:\n"
++msgstr "\tEs gibt folgende Optionen:\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1130
++#, c-format
++msgid ""
++"\t\t[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire "
++"pwexpdate] [-maxlife maxtixlife]\n"
++"\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n"
++"\t\t[-pw password] [-maxrenewlife maxrenewlife]\n"
++"\t\t[-e keysaltlist]\n"
++"\t\t[{+|-}attribute]\n"
++msgstr ""
++"\t\t[-randkey|-nokey] [-x DB-Principal-Argumente]* [-expire Ablaufdatum] [-"
++"pwexpire Passwortablaufdatum] [-maxlife maximale_Ticketlebensdauer]\n"
++"\t\t[-kvno KVNO] [-policy Richtlinie] [-clearpolicy]\n"
++"\t\t[-pw Passwort] [-maxrenewlife 
maximale_Dauer_bis_zum_Erneuern]\n"
++"\t\t[-e Schlüssel-Salt-Liste]\n"
++"\t\t[{+|-}Attribut]\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1136
++#, c-format
++msgid "\tattributes are:\n"
++msgstr "\tEs gibt folgende Attribute:\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1138 ../../src/kadmin/cli/kadmin.c:1164
++#, c-format
++msgid ""
++"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n"
++"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n"
++"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
++"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
++"\n"
++"where,\n"
++"\t[-x db_princ_args]* - any number of database specific arguments.\n"
++"\t\t\tLook at each database documentation for supported arguments\n"
++msgstr ""
++"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n"
++"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n"
++"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
++"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
++"\n"
++"wobei\n"
++"\t[-x DB-Principal-Argumente]* - eine beliebige Zahl\n"
++"\tdatenbankspezifischer Argumente ist.\n"
++"\t\t\tDie unterstützten Argumente finden Sie in der jeweiligen\n"
++"Datenbankdokumentation.\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1154
++#, c-format
++msgid "usage: modify_principal [options] principal\n"
++msgstr "Aufruf: modify_principal [Optionen] Principal\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1157
++#, c-format
++msgid ""
++"\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife "
++"maxtixlife]\n"
++"\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n"
++"\t\t[-maxrenewlife maxrenewlife] [-unlock] [{+|-}attribute]\n"
++msgstr ""
++"\t\t[-x DB-Principal-Argumente]* [-expire Ablaufdatum] [-pwexpire "
++"Passwortablaufdatum] [-maxlife maximale_Ticketlebensdauer]\n"
++"\t\t[-kvno KVNO] [-policy Richtlinie] [-clearpolicy]\n"
++"\t\t[-maxrenewlife 
maximale_Dauer_bis_zum_Erneuern] [-unlock] [{+|-}"
++"Attribut]\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1224 ../../src/kadmin/cli/kadmin.c:1362
++#, c-format
++msgid "WARNING: policy \"%s\" does not exist\n"
++msgstr "WARNUNG: Richtlinie »%s« existiert nicht.\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1230
++#, c-format
++msgid "NOTICE: no policy specified for %s; assigning \"default\"\n"
++msgstr ""
++"HINWEIS: Für %s wurde keine Richtlinie angegeben, es wird »default« "
++"zugewiesen\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1235
++#, c-format
++msgid "WARNING: no policy specified for %s; defaulting to no policy\n"
++msgstr ""
++"WARNUNG: Für %s wurde keine Richtlinie angegeben, es wird die Vorgabe "
++"»keine\n"
++"Richtlinie« verwandt.\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1276
++#, c-format
++msgid "Admin server does not support -nokey while creating \"%s\"\n"
++msgstr ""
++"Der Administrationsrechner unterstützt beim Erstellen von »%s« kein -nokey\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1298
++#, c-format
++msgid "while clearing DISALLOW_ALL_TIX for \"%s\"."
++msgstr "beim Löschen von DISALLOW_ALL_TIX für »%s«."
++
++#: ../../src/kadmin/cli/kadmin.c:1345
++#, c-format
++msgid "while getting \"%s\"."
++msgstr "beim Holen von »%s«."
++
++#: ../../src/kadmin/cli/kadmin.c:1371
++#, c-format
++msgid "while modifying \"%s\"."
++msgstr "beim Ändern von »%s«."
++
++#: ../../src/kadmin/cli/kadmin.c:1375
++#, c-format
++msgid "Principal \"%s\" modified.\n"
++msgstr "Principal »%s« wurde geändert.\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1396
++#, c-format
++msgid "usage: get_principal [-terse] principal\n"
++msgstr "Aufruf: get_principal [-terse] Principal\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1415
++#, c-format
++msgid "while retrieving \"%s\"."
++msgstr "beim Abfragen von »%s«."
++
++#: ../../src/kadmin/cli/kadmin.c:1420 ../../src/kadmin/cli/kadmin.c:1425
++msgid "while unparsing principal"
++msgstr "beim Rückgängigmachen der Auswertung des Principals"
++
++#: ../../src/kadmin/cli/kadmin.c:1429
++#, c-format
++msgid "Principal: %s\n"
++msgstr "Principal: %s\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1430
++#, c-format
++msgid "Expiration date: %s\n"
++msgstr "Ablaufdatum: %s\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1431 ../../src/kadmin/cli/kadmin.c:1433
++#: ../../src/kadmin/cli/kadmin.c:1444
++msgid "[never]"
++msgstr "[niemals]"
++
++#: ../../src/kadmin/cli/kadmin.c:1432
++#, c-format
++msgid "Last password change: %s\n"
++msgstr "Letzte Passwortänderung: %s\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1434
++#, c-format
++msgid "Password expiration date: %s\n"
++msgstr "Passwortablaufdatum: %s\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1436 ../../src/kadmin/cli/kadmin.c:1478
++msgid "[none]"
++msgstr "[keins]"
++
++#: ../../src/kadmin/cli/kadmin.c:1437
++#, c-format
++msgid "Maximum ticket life: %s\n"
++msgstr "maximale Ticketlebensdauer: %s\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1438
++#, c-format
++msgid "Maximum renewable life: %s\n"
++msgstr "maximale verlängerbare Lebensdauer: %s\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1440
++#, c-format
++msgid "Last modified: %s (%s)\n"
++msgstr "zuletzt geändert: %s (%s)\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1442
++#, c-format
++msgid "Last successful authentication: %s\n"
++msgstr "letzte erfolgreiche Authentifizierung: %s\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1448
++#, c-format
++msgid "Failed password attempts: %d\n"
++msgstr "Fehlgeschlagene Anmeldeversuche: %d\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1450
++#, c-format
++msgid "Number of keys: %d\n"
++msgstr "Anzahl der Schlüssel: %d\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1457
++#, c-format
++msgid ""
++msgstr ""
++
++#: ../../src/kadmin/cli/kadmin.c:1464
++#, c-format
++msgid ""
++msgstr ""
++
++#: ../../src/kadmin/cli/kadmin.c:1470
++#, c-format
++msgid "MKey: vno %d\n"
++msgstr "MKey: vno %d\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1472
++#, c-format
++msgid "Attributes:"
++msgstr "Attribute:"
++
++#: ../../src/kadmin/cli/kadmin.c:1480
++msgid " [does not exist]"
++msgstr " [existiert nicht]"
++
++#: ../../src/kadmin/cli/kadmin.c:1481
++#, c-format
++msgid "Policy: %s%s\n"
++msgstr "Richtlinie: %s%s\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1517
++#, c-format
++msgid "usage: get_principals [expression]\n"
++msgstr "Aufruf: get_principals [Ausdruck]\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1522 ../../src/kadmin/cli/kadmin.c:1794
++msgid "while retrieving list."
++msgstr "beim Abfragen der Liste."
++
++#: ../../src/kadmin/cli/kadmin.c:1647
++#, c-format
++msgid "%s: parser lost count!\n"
++msgstr "%s: Auswertungsprogramm verlor Anzahl!\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1656
++#, c-format
++msgid "usage; %s [options] policy\n"
++msgstr "Aufruf: %s [Optionen] Richtlinie\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1659
++#, c-format
++msgid ""
++"\t\t[-maxlife time] [-minlife time] [-minlength length]\n"
++"\t\t[-minclasses number] [-history number]\n"
++"\t\t[-maxfailure number] [-failurecountinterval time]\n"
++"\t\t[-allowedkeysalts keysalts]\n"
++msgstr ""
++"\t\t[-maxlife Zeit] [-minlife Zeit] [-minlength Länge]\n"
++"\t\t[-minclasses Anzahl] [-history Nummer]\n"
++"\t\t[-maxfailure Anzahl] [-failurecountinterval Zeit]\n"
++"\t\t[-allowedkeysalts Schlüssel-Salts]\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1663
++#, c-format
++msgid "\t\t[-lockoutduration time]\n"
++msgstr "\t\t[-lockoutduration Dauer]\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1682
++#, c-format
++msgid "while creating policy \"%s\"."
++msgstr "beim Erstellen der Richtlinie »%s«"
++
++#: ../../src/kadmin/cli/kadmin.c:1703
++#, c-format
++msgid "while modifying policy \"%s\"."
++msgstr "beim Ändern der Richtlinie »%s«"
++
++#: ../../src/kadmin/cli/kadmin.c:1715
++#, c-format
++msgid "usage: delete_policy [-force] policy\n"
++msgstr "Aufruf: delete_policy [-force] Richtlinie\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1719
++#, c-format
++msgid "Are you sure you want to delete the policy \"%s\"? (yes/no): "
++msgstr ""
++"Sind Sie sicher, dass Sie die Richtlinie »%s« löschen möchten? (yes/no): "
++
++#: ../../src/kadmin/cli/kadmin.c:1723
++#, c-format
++msgid "Policy \"%s\" not deleted.\n"
++msgstr "Richtlinie »%s« nicht gelöscht\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1729
++#, c-format
++msgid "while deleting policy \"%s\""
++msgstr "bei Löschen der Richtlinie »%s«"
++
++#: ../../src/kadmin/cli/kadmin.c:1741
++#, c-format
++msgid "usage: get_policy [-terse] policy\n"
++msgstr "Aufruf: get_policy [-terse] Richtlinie\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1746
++#, c-format
++msgid "while retrieving policy \"%s\"."
++msgstr "beim Abfragen der Richtlinie »%s«."
++
++#: ../../src/kadmin/cli/kadmin.c:1751
++#, c-format
++msgid "Policy: %s\n"
++msgstr "Richtlinie: »%s«\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1752
++#, c-format
++msgid "Maximum password life: %ld\n"
++msgstr "maximale Passwortlebensdauer: %ld\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1753
++#, c-format
++msgid "Minimum password life: %ld\n"
++msgstr "minimale Passwortlebensdauer: %ld\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1754
++#, c-format
++msgid "Minimum password length: %ld\n"
++msgstr "minimale Passwortlänge: %ld\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1755
++#, c-format
++msgid "Minimum number of password character classes: %ld\n"
++msgstr "minimale Anzahl von Passwortzeichenklassen: %ld\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1757
++#, c-format
++msgid "Number of old keys kept: %ld\n"
++msgstr "Anzahl aufbewahrter alter Schlüssel: %ld\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1758
++#, c-format
++msgid "Maximum password failures before lockout: %lu\n"
++msgstr 
"maximale Anzahl falscher Passworteingaben vor dem Sperren: %lu\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1760
++#, c-format
++msgid "Password failure count reset interval: %s\n"
++msgstr "Rücksetzintervall für zu viele falsch eingebene Passwörter: %s\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1762
++#, c-format
++msgid "Password lockout duration: %s\n"
++msgstr "Passwortsperrdauer: %s\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1765
++#, c-format
++msgid "Allowed key/salt types: %s\n"
++msgstr "erlaubte Schlüssel-/Salt-Typen: %s\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1789
++#, c-format
++msgid "usage: get_policies [expression]\n"
++msgstr "Aufruf: get_policies [Ausdruck]\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1811
++#, c-format
++msgid "usage: get_privs\n"
++msgstr "Aufruf: get_privs\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1816
++msgid "while retrieving privileges"
++msgstr "beim Abfragen von Rechten"
++
++#: ../../src/kadmin/cli/kadmin.c:1819
++#, c-format
++msgid "current privileges:"
++msgstr "aktuelle Rechte:"
++
++#: ../../src/kadmin/cli/kadmin.c:1845
++#, c-format
++msgid "usage: purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal\n"
++msgstr ""
++"Aufruf: purgekeys [-all|-keepkvno älteste_KVNO_die_behalten_wird] Principal\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1865
++#, c-format
++msgid "while purging keys for principal \"%s\""
++msgstr "beim vollständigen Löschen der Schlüssel für Principal »%s«"
++
++#: ../../src/kadmin/cli/kadmin.c:1870
++#, c-format
++msgid "All keys for principal \"%s\" removed.\n"
++msgstr "Alle Schlüssel für Principal »%s« wurden entfernt.\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1872
++#, c-format
++msgid "Old keys for principal \"%s\" purged.\n"
++msgstr "Alte Schlüssel für Principal »%s« wurden entfernt.\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1889
++#, c-format
++msgid "usage: get_strings principal\n"
++msgstr "Aufruf: get_strings Principal\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1909
++#, c-format
++msgid "while getting
attributes for principal \"%s\""
++msgstr "beim Holen von Attributen für Principal »%s«"
++
++#: ../../src/kadmin/cli/kadmin.c:1914
++#, c-format
++msgid "(No string attributes.)\n"
++msgstr "(keine Zeichenkettenattribute)\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1933
++#, c-format
++msgid "usage: set_string principal key value\n"
++msgstr "Aufruf: set_string Principal Schlüssel Wert\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1955
++#, c-format
++msgid "while setting attribute on principal \"%s\""
++msgstr "beim Setzen eines Attributes für Principal »%s«"
++
++#: ../../src/kadmin/cli/kadmin.c:1959
++#, c-format
++msgid "Attribute set for principal \"%s\".\n"
++msgstr "Attribute für Principal »%s« wurden gesetzt.\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1974
++#, c-format
++msgid "usage: del_string principal key\n"
++msgstr "Aufruf: del_string Principal Schlüssel\n"
++
++#: ../../src/kadmin/cli/kadmin.c:1995
++#, c-format
++msgid "while deleting attribute from principal \"%s\""
++msgstr "beim Löschen eines Attributs von Principal »%s«"
++
++#: ../../src/kadmin/cli/kadmin.c:1999
++#, c-format
++msgid "Attribute removed from principal \"%s\".\n"
++msgstr "Attribut von Principal »%s« wurde gelöscht.\n"
++
++#: ../../src/kadmin/cli/keytab.c:56
++#, c-format
++msgid ""
++"Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] "
++"[principal | -glob princ-exp] [...]\n"
++msgstr ""
++"Aufruf: ktadd [-k[eytab] Schlüsseltabelle] [-q] [-e Schlüssel-Salt-Liste] [-"
++"norandkey] [Principal | -glob Principal-Ausdruck] […]\n"
++
++#: ../../src/kadmin/cli/keytab.c:59
++#, c-format
++msgid ""
++"Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob "
++"princ-exp] [...]\n"
++msgstr ""
++"Aufruf: ktadd [-k[eytab] Schlüsseltabelle] [-q] [-e Schlüssel-Salt-Liste] "
++"[Principal | -glob Principal-Ausdruck] […]\n"
++
++#: ../../src/kadmin/cli/keytab.c:67
++#, c-format
++msgid ""
++"Usage: ktremove [-k[eytab] keytab] [-q] principal
[kvno|\"all\"|\"old\"]\n"
++msgstr ""
++"Aufruf: ktremove [-k[eytab] Schlüsseltabelle] [-q] Principal "
++"[kvno|»all«|»old«]\n"
++
++#: ../../src/kadmin/cli/keytab.c:81 ../../src/kadmin/cli/keytab.c:102
++msgid "while creating keytab name"
++msgstr "beim Erstellen des Schlüsseltabellennamens"
++
++#: ../../src/kadmin/cli/keytab.c:86
++msgid "while opening default keytab"
++msgstr "beim Öffnen der Standardschlüsseltabelle"
++
++#: ../../src/kadmin/cli/keytab.c:147
++#, c-format
++msgid "-norandkey option only valid for kadmin.local\n"
++msgstr "Die Option »-norandkey« ist nur für »kadmin.local« gültig.\n"
++
++#: ../../src/kadmin/cli/keytab.c:176
++#, c-format
++msgid "cannot specify keysaltlist when not changing key\n"
++msgstr ""
++"Schlüssel-Salt-Liste kann nicht angegeben werden, wenn der Schlüssel nicht "
++"geändert wird\n"
++
++#: ../../src/kadmin/cli/keytab.c:192
++#, c-format
++msgid "while expanding expression \"%s\"."
++msgstr "beim Expandieren des Ausdrucks »%s«."
++
++#: ../../src/kadmin/cli/keytab.c:211 ../../src/kadmin/cli/keytab.c:251
++msgid "while closing keytab"
++msgstr "beim Schließen der Schlüsseltabelle"
++
++#: ../../src/kadmin/cli/keytab.c:275
++#, c-format
++msgid "while parsing -add principal name %s"
++msgstr "beim Auswerten von »-add Principal-Name %s«"
++
++#: ../../src/kadmin/cli/keytab.c:289
++#, c-format
++msgid "%s: Principal %s does not exist.\n"
++msgstr "%s: Principal %s existiert nicht.\n"
++
++#: ../../src/kadmin/cli/keytab.c:292
++#, c-format
++msgid "while changing %s's key"
++msgstr "beim Ändern des Schlüssels von %s"
++
++#: ../../src/kadmin/cli/keytab.c:299
++msgid "while retrieving principal"
++msgstr "beim Abfragen des Principals"
++
++#: ../../src/kadmin/cli/keytab.c:311
++msgid "while adding key to keytab"
++msgstr "beim Hinzufügen des Schlüssels zur Schlüsseltabelle"
++
++#: ../../src/kadmin/cli/keytab.c:317
++#, c-format
++msgid ""
++"Entry for principal %s with kvno %d, encryption type %s added to keytab %s.\n"
++msgstr ""
++"Der Eintrag für Principal %s mit KVNO %d und Verschlüsselungstyp %s wurde "
++"der Schlüsseltabelle %s hinzugefügt.\n"
++
++#: ../../src/kadmin/cli/keytab.c:326
++msgid "while freeing principal entry"
++msgstr "beim Freigeben des Principal-Eintrags"
++
++#: ../../src/kadmin/cli/keytab.c:373
++#, c-format
++msgid "%s: Keytab %s does not exist.\n"
++msgstr "%s: Schlüsseltabelle %s existiert nicht.\n"
++
++#: ../../src/kadmin/cli/keytab.c:377
++#, c-format
++msgid "%s: No entry for principal %s exists in keytab %s\n"
++msgstr ""
++"%s: Für Principal %s existiert kein Eintrag in der Schlüsseltabelle %s.\n"
++
++#: ../../src/kadmin/cli/keytab.c:381
++#, c-format
++msgid "%s: No entry for principal %s with kvno %d exists in keytab %s\n"
++msgstr ""
++"%s: Für den Principal %s mit der KVNO %d existiert kein Eintrag in der "
++"Schlüsseltabelle %s.\n"
++
++#: ../../src/kadmin/cli/keytab.c:387
++msgid "while retrieving highest kvno from keytab"
++msgstr "beim Abfragen der höchsten KVNO der Schlüsseltabelle"
++
++#: ../../src/kadmin/cli/keytab.c:420
++msgid "while temporarily ending keytab scan"
++msgstr "beim Unterbrechen des Schlüsseltabellen-Scans"
++
++#: ../../src/kadmin/cli/keytab.c:425
++msgid "while deleting entry from keytab"
++msgstr "beim Löschen eines Eintrags aus der Schlüsseltabelle"
++
++#: ../../src/kadmin/cli/keytab.c:430
++msgid "while restarting keytab scan"
++msgstr "bei der Wiederaufnahme des Schlüsseltabellen-Scans"
++
++#: ../../src/kadmin/cli/keytab.c:436
++#, c-format
++msgid "Entry for principal %s with kvno %d removed from keytab %s.\n"
++msgstr ""
++"Der Eintrag für Principal %s mit KVNO %d wurde aus der Schlüsseltabelle %s "
++"entfernt.\n"
++
++#: ../../src/kadmin/cli/keytab.c:458
++#, c-format
++msgid "%s: There is only one entry for principal %s in keytab %s\n"
++msgstr ""
++"%s: Es gibt nur einen Eintrag für Principal %s in der Schlüsseltabelle %s.\n"
++
++#: ../../src/kadmin/cli/ss_wrapper.c:49
../../src/kadmin/ktutil/ktutil.c:58
++msgid "creating invocation"
++msgstr "Aufruf wird erstellt"
++
++#: ../../src/kadmin/dbutil/dump.c:165
++msgid "while allocating temporary filename dump"
++msgstr "beim Reservieren des temporären Dateinamenspeicherauszugs"
++
++#: ../../src/kadmin/dbutil/dump.c:176
++msgid "while renaming dump file into place"
++msgstr "während das Umbenennen der Auszugsdateien Gestalt annimmt"
++
++#: ../../src/kadmin/dbutil/dump.c:192
++msgid "while allocating dump_ok filename"
++msgstr "beim Reservieren des »dump_ok«-Dateinamens"
++
++#: ../../src/kadmin/dbutil/dump.c:199
++#, c-format
++msgid "while creating 'ok' file, '%s'"
++msgstr "beim Erstellen der Datei »ok«, »%s«"
++
++#: ../../src/kadmin/dbutil/dump.c:206
++#, c-format
++msgid "while locking 'ok' file, '%s'"
++msgstr "beim Sperren der Datei »ok«, »%s«"
++
++#: ../../src/kadmin/dbutil/dump.c:248 ../../src/kadmin/dbutil/dump.c:277
++#, c-format
++msgid "%s: regular expression error: %s\n"
++msgstr "%s: Fehler im regulären Ausdruck: %s\n"
++
++#: ../../src/kadmin/dbutil/dump.c:260
++#, c-format
++msgid "%s: regular expression match error: %s\n"
++msgstr "%s: Fehler beim Abgleich mit regulärem Ausdruck: %s\n"
++
++#: ../../src/kadmin/dbutil/dump.c:361
++#, c-format
++msgid "%s: tagged data list inconsistency for %s (counted %d, stored %d)\n"
++msgstr ""
++"%s: Unstimmigkeit in der markierten Datenliste für %s (%d gezählt, %d "
++"gespeichert)\n"
++
++#: ../../src/kadmin/dbutil/dump.c:519
++#, c-format
++msgid ""
++"Warning! Multiple DES-CBC-CRC keys for principal %s; skipping duplicates.\n"
++msgstr ""
++"Warnung! Mehrere DES-CBC-CRC-Schlüssel für Principal %s, Duplikate werden "
++"übersprungen.\n"
++
++#: ../../src/kadmin/dbutil/dump.c:530
++#, c-format
++msgid ""
++"Warning! No DES-CBC-CRC key for principal %s, cannot generate OV-compatible "
++"record; skipping\n"
++msgstr ""
++"Warnung!
Kein DES-CBC-CRC-Schlüssel für Principal %s, es kann kein OV-"
++"kompatibler Datensatz erzeugt werden, wird übersprungen\n"
++
++#: ../../src/kadmin/dbutil/dump.c:558
++#, c-format
++msgid "while converting %s to new master key"
++msgstr "beim Umwandeln von %s in den neuen Hauptschlüssel"
++
++#: ../../src/kadmin/dbutil/dump.c:579
++#, c-format
++msgid "%s(%d): %s\n"
++msgstr "%s(%d): %s\n"
++
++#: ../../src/kadmin/dbutil/dump.c:622
++#, c-format
++msgid "%s(%d): ignoring trash at end of line: "
++msgstr "%s(%d): Müll am Zeilenende wird ignoriert: "
++
++#: ../../src/kadmin/dbutil/dump.c:685
++msgid "cannot read tagged data type and length"
++msgstr "Markierter Datentyp und Länge können nicht gelesen werden."
++
++#: ../../src/kadmin/dbutil/dump.c:692
++msgid "cannot read tagged data contents"
++msgstr "Inhalt der markierten Daten kann nicht gelesen werden."
++
++#: ../../src/kadmin/dbutil/dump.c:726
++msgid "cannot match size tokens"
++msgstr "Größenmerkmale können nicht zugeordnet werden."
++
++#: ../../src/kadmin/dbutil/dump.c:755
++msgid "cannot read name string"
++msgstr "Namenszeichenkette kann nicht gelesen werden."
++
++#: ../../src/kadmin/dbutil/dump.c:760
++#, c-format
++msgid "while parsing name %s"
++msgstr "beim Auswerten des Namens %s"
++
++#: ../../src/kadmin/dbutil/dump.c:768
++msgid "cannot read principal attributes"
++msgstr "Principal-Attribute können nicht gelesen werden."
++
++#: ../../src/kadmin/dbutil/dump.c:821
++msgid "cannot read key size and version"
++msgstr "Schlüssellänge und -version können nicht gelesen werden."
++
++#: ../../src/kadmin/dbutil/dump.c:832
++msgid "cannot read key type and length"
++msgstr "Schlüsseltyp und -länge können nicht gelesen werden."
++
++#: ../../src/kadmin/dbutil/dump.c:838
++msgid "cannot read key data"
++msgstr "Schlüsseldaten können nicht gelesen werden."
++
++#: ../../src/kadmin/dbutil/dump.c:848
++msgid "cannot read extra data"
++msgstr "Zusätzliche Daten können nicht gelesen werden."
++
++#: ../../src/kadmin/dbutil/dump.c:857
++#, c-format
++msgid "while storing %s"
++msgstr "beim Speichern von %s"
++
++#: ../../src/kadmin/dbutil/dump.c:896 ../../src/kadmin/dbutil/dump.c:935
++#: ../../src/kadmin/dbutil/dump.c:981
++#, c-format
++msgid "cannot parse policy (%d read)\n"
++msgstr "Richtlinie kann nicht ausgewertet werden (%d gelesen)\n"
++
++#: ../../src/kadmin/dbutil/dump.c:904 ../../src/kadmin/dbutil/dump.c:943
++#: ../../src/kadmin/dbutil/dump.c:1001
++msgid "while creating policy"
++msgstr "beim Erstellen der Richtlinie"
++
++#: ../../src/kadmin/dbutil/dump.c:908
++#, c-format
++msgid "created policy %s\n"
++msgstr "erstellte Richtlinie %s\n"
++
++#: ../../src/kadmin/dbutil/dump.c:1038
++#, c-format
++msgid "unknown record type \"%s\"\n"
++msgstr "unbekannter Datensatztyp »%s«\n"
++
++#: ../../src/kadmin/dbutil/dump.c:1167
++#, c-format
++msgid "%s: Unknown iprop dump version %d\n"
++msgstr "%s: unbekannte Iprop-Auszugsversion %d\n"
++
++#: ../../src/kadmin/dbutil/dump.c:1270 ../../src/kadmin/dbutil/dump.c:1498
++#, c-format
++msgid "Iprop not enabled\n"
++msgstr "Iprop nicht aktiviert\n"
++
++#: ../../src/kadmin/dbutil/dump.c:1308
++msgid "Conditional dump is an undocumented option for use only for iprop dumps"
++msgstr ""
++"Bedingter Auszug ist eine nicht dokumentierte Option, die nur für Iprop-"
++"Auszüge benutzt wird."
++
++#: ../../src/kadmin/dbutil/dump.c:1321
++msgid "Database not currently opened!"
++msgstr "Die Datenbank ist zur Zeit nicht geöffnet!"
++
++#: ../../src/kadmin/dbutil/dump.c:1335
++#: ../../src/kadmin/dbutil/kdb5_stash.c:116
++#: ../../src/kadmin/dbutil/kdb5_util.c:479
++msgid "while reading master key"
++msgstr "beim Lesen des Hauptschlüssels"
++
++#: ../../src/kadmin/dbutil/dump.c:1341
++msgid "while verifying master key"
++msgstr "beim Prüfen des Hauptschlüssels"
++
++#: ../../src/kadmin/dbutil/dump.c:1360 ../../src/kadmin/dbutil/dump.c:1370
++msgid "while reading new master key"
++msgstr "beim Lesen des neuen Hauptschlüssels"
++
++#: ../../src/kadmin/dbutil/dump.c:1364
++#, c-format
++msgid "Please enter new master key....\n"
++msgstr "Bitte geben Sie den neuen Hauptschlüssel ein …\n"
++
++#: ../../src/kadmin/dbutil/dump.c:1388
++#, c-format
++msgid "while opening %s for writing"
++msgstr "beim Öffnen von %s zum Schreiben"
++
++#: ../../src/kadmin/dbutil/dump.c:1403
++msgid "while reading update log header"
++msgstr "beim Lesen der Aktualisierungsprotokollkopfzeilen"
++
++#: ../../src/kadmin/dbutil/dump.c:1418 ../../src/kadmin/dbutil/dump.c:1425
++#, c-format
++msgid "performing %s dump"
++msgstr "Auszug von %s wird durchgeführt"
++
++#: ../../src/kadmin/dbutil/dump.c:1455
++#, c-format
++msgid "%s: error processing line %d of %s\n"
++msgstr "%s: Fehler beim Verarbeiten von Zeile %d von %s\n"
++
++#: ../../src/kadmin/dbutil/dump.c:1507
++msgid "while parsing options"
++msgstr "beim Auswerten der Optionen"
++
++#: ../../src/kadmin/dbutil/dump.c:1522
++#, c-format
++msgid "while opening %s"
++msgstr "beim Öffnen von %s"
++
++#: ../../src/kadmin/dbutil/dump.c:1527 ../../src/kadmin/dbutil/dump.c:1626
++msgid "standard input"
++msgstr "Standardeingabe"
++
++#: ../../src/kadmin/dbutil/dump.c:1532
++#, c-format
++msgid "%s: can't read dump header in %s\n"
++msgstr "%s: Kopfzeilen des Auszugs in %s können nicht gelesen werden.\n"
++
++#: ../../src/kadmin/dbutil/dump.c:1540 ../../src/kadmin/dbutil/dump.c:1557
++#, c-format
++msgid "%s: dump header bad in %s\n"
++msgstr "%s: falsche Kopfzeilen des
Auszugs in %s\n"
++
++#: ../../src/kadmin/dbutil/dump.c:1566
++#, c-format
++msgid "Could not open iprop ulog\n"
++msgstr "Iprop-Ulog kann nicht geöffnet werden.\n"
++
++#: ../../src/kadmin/dbutil/dump.c:1571
++#, c-format
++msgid "%s: dump version %s can only be loaded with the -update flag\n"
++msgstr ""
++"%s: Die Auszugsversion %s kann nur mit dem Schalter -update geladen werden.\n"
++
++#: ../../src/kadmin/dbutil/dump.c:1580 ../../src/kadmin/dbutil/dump.c:1585
++msgid "computing parameters for database"
++msgstr "Parameter für die Datenbank werden berechnet."
++
++#: ../../src/kadmin/dbutil/dump.c:1591
++msgid "while creating database"
++msgstr "beim Erstellen der Datenbank"
++
++#: ../../src/kadmin/dbutil/dump.c:1600
++msgid "while opening database"
++msgstr "beim Öffnen der Datenbank"
++
++#: ../../src/kadmin/dbutil/dump.c:1610
++msgid "while permanently locking database"
++msgstr "beim dauerhaften Sperren der Datenbank"
++
++#: ../../src/kadmin/dbutil/dump.c:1628
++#, c-format
++msgid "%s: %s restore failed\n"
++msgstr "%s: Wiederherstellen von %s fehlgeschlagen\n"
++
++#: ../../src/kadmin/dbutil/dump.c:1633
++msgid "while unlocking database"
++msgstr "beim Aufheben der Datenbanksperre"
++
++#: ../../src/kadmin/dbutil/dump.c:1643 ../../src/kadmin/dbutil/dump.c:1662
++msgid "while reinitializing update log"
++msgstr "beim erneuten Initialisieren des Aktualisierungsprotokolls"
++
++#: ../../src/kadmin/dbutil/dump.c:1653
++msgid "while making newly loaded database live"
++msgstr "beim Aktivieren der neu geladenen Datenbank"
++
++#: ../../src/kadmin/dbutil/dump.c:1669
++msgid "while writing update log header"
++msgstr "beim Schreiben der Aktualisierungsprotokollkopfzeilen"
++
++#: ../../src/kadmin/dbutil/dump.c:1683
++#, c-format
++msgid "while deleting bad database %s"
++msgstr "beim Löschen der falschen Datenbank %s"
++
++#: ../../src/kadmin/dbutil/kadm5_create.c:84
++msgid "while looking up the Kerberos configuration"
++msgstr "beim Nachschlagen der
Kerberos-Konfiguration"
++
++#: ../../src/kadmin/dbutil/kadm5_create.c:111
++msgid "while initializing the Kerberos admin interface"
++msgstr "beim Initialisieren der Kerberos-Administrationsoberfläche"
++
++#: ../../src/kadmin/dbutil/kadm5_create.c:169
++#, c-format
++msgid "getaddrinfo(%s): Cannot determine canonical hostname.\n"
++msgstr ""
++"getaddrinfo(%s): Die Normalform des Rechnernamens kann nicht bestimmt "
++"werden.\n"
++
++#: ../../src/kadmin/dbutil/kadm5_create.c:190
++#: ../../src/kadmin/dbutil/kadm5_create.c:196
++#, c-format
++msgid "Out of memory\n"
++msgstr "Speicherplatz reicht nicht aus.\n"
++
++#: ../../src/kadmin/dbutil/kadm5_create.c:270
++msgid "while appending realm to principal"
++msgstr "beim Anhängen des Realms an den Principal"
++
++#: ../../src/kadmin/dbutil/kadm5_create.c:275
++msgid "while parsing admin principal name"
++msgstr "beim Auswerten des Principal-Namens des Administrators"
++
++#: ../../src/kadmin/dbutil/kadm5_create.c:286
++#, c-format
++msgid "while creating principal %s"
++msgstr "beim Erstellen des Principals %s"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:175
++#: ../../src/kadmin/dbutil/kdb5_util.c:241
++#: ../../src/kadmin/dbutil/kdb5_util.c:248
++msgid "while parsing command arguments\n"
++msgstr "beim Auswerten der Befehlsargumente\n"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:198
++#, c-format
++msgid "Loading random data\n"
++msgstr "Zufällige Daten werden geladen.\n"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:201
++msgid "Loading random data"
++msgstr "Zufällige Daten werden geladen."
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:211
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:242
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:435
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:591
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1149
++#: ../../src/kadmin/dbutil/kdb5_util.c:423
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:606
++msgid "while setting up master key name"
++msgstr "beim Einrichten des Hauptschlüsselnamens"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:222
++#, c-format
++msgid ""
++"Initializing database '%s' for realm '%s',\n"
++"master key name '%s'\n"
++msgstr ""
++"Datenbank »%s« für Realm »%s« wird initialisiert,\n"
++"Hauptschlüsselname »%s«\n"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:227
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:516
++#, c-format
++msgid "You will be prompted for the database Master Password.\n"
++msgstr "Sie werden nach dem Master-Passwort der Datenbank gefragt.\n"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:228
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:260
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:517
++#, c-format
++msgid "It is important that you NOT FORGET this password.\n"
++msgstr "Es ist wichtig, dass Sie dieses Passwort NICHT VERGESSEN.\n"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:234
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:266
++msgid "while creating new master key"
++msgstr "beim Erstellen des neuen Hauptschlüssels"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:242
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:527
++msgid "while reading master key from keyboard"
++msgstr "beim Lesen des Hauptschlüssels von der Tastatur"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:252
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:285
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:618
++msgid "while calculating master key salt"
++msgstr "beim Berechnen des Hauptschlüssel-Salts"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:260
++#:
../../src/kadmin/dbutil/kdb5_mkey.c:294
++#: ../../src/kadmin/dbutil/kdb5_util.c:465
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:630
++msgid "while transforming master key from password"
++msgstr "beim Umwandeln des Hauptschlüssels vom Passwort"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:270
++msgid "while initializing random key generator"
++msgstr "beim Initialisieren des Zufallsschlüsselgenerators"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:275
++#, c-format
++msgid "while creating database '%s'"
++msgstr "beim Erstellen der Datenbank »%s«"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:293
++msgid "while creating update log"
++msgstr "beim Erstellen des Aktualisierungsprotokolls"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:304
++msgid "while initializing update log"
++msgstr "beim Initialisieren des Aktualisierungsprotokolls"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:320
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:642
++msgid "while adding entries to the database"
++msgstr "beim Hinzufügen von Einträgen in die Datenbank"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:348
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:339
++#: ../../src/kadmin/dbutil/kdb5_stash.c:133
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:667
++msgid "while storing key"
++msgstr "beim Speichern des Schlüssels"
++
++#: ../../src/kadmin/dbutil/kdb5_create.c:349
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:340
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:668
++#, c-format
++msgid "Warning: couldn't stash master key.\n"
++msgstr "Warnung: Hauptschlüssel kann nicht gelagert werden.\n"
++
++#: ../../src/kadmin/dbutil/kdb5_destroy.c:57
++msgid "while initializing krb5_context"
++msgstr "beim Initialisieren von »krb5_context«"
++
++#: ../../src/kadmin/dbutil/kdb5_destroy.c:63
++#: ../../src/kadmin/dbutil/kdb5_util.c:259
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:291
++msgid "while setting default realm name"
++msgstr
"beim Einstellen des Standard-Realm-Namens"
++
++#: ../../src/kadmin/dbutil/kdb5_destroy.c:83
++#, c-format
++msgid "Deleting KDC database stored in '%s', are you sure?\n"
++msgstr ""
++"Die in »%s« gespeicherte KDC-Datenbank wird gelöscht. Sind Sie sicher?\n"
++
++#: ../../src/kadmin/dbutil/kdb5_destroy.c:85
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1166
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:360
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1482
++#, c-format
++msgid "(type 'yes' to confirm)? "
++msgstr "(Geben Sie als Bestätigung »yes« ein)? "
++
++#: ../../src/kadmin/dbutil/kdb5_destroy.c:92
++#, c-format
++msgid "OK, deleting database '%s'...\n"
++msgstr "OK, Datenbank »%s« wird gelöscht …\n"
++
++#: ../../src/kadmin/dbutil/kdb5_destroy.c:97
++#, c-format
++msgid "deleting database '%s'"
++msgstr "Datenbank »%s« wird gelöscht."
++
++#: ../../src/kadmin/dbutil/kdb5_destroy.c:106
++#, c-format
++msgid "** Database '%s' destroyed.\n"
++msgstr "** Datenbank »%s« vernichtet\n"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:218
++#, c-format
++msgid "%s is an invalid enctype"
++msgstr "%s ist ein ungültiger Verschlüsselungstyp"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:250
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:443
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:599
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:986
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1157
++#, c-format
++msgid "while getting master key principal %s"
++msgstr "beim Holen des Hauptschlüssels von Principal %s"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:256
++#, c-format
++msgid "Creating new master key for master key principal '%s'\n"
++msgstr ""
++"Es wird ein neuer Hauptschlüssel für den Hauptschlüssel-Principal »%s« "
++"erstellt.\n"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:259
++#, c-format
++msgid "You will be prompted for a new database Master Password.\n"
++msgstr "Sie werden nach einem neuen Datenbank-Master-Passwort gefragt.\n"
++
++#:
../../src/kadmin/dbutil/kdb5_mkey.c:275
++msgid "while reading new master key from keyboard"
++msgstr "beim Lesen des neuen Hauptschlüssels von der Tastatur"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:304
++msgid "adding new master key to master principal"
++msgstr "dem Haupt-Principal wird ein neuer Hauptschlüssel hinzugefügt"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:310
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:402
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:843
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1356
++msgid "while getting current time"
++msgstr "beim Holen der aktuellen Zeit"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:317
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:544
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1363
++msgid "while updating the master key principal modification time"
++msgstr "beim Aktulisieren der Änderungszeit des Hauptschlüssel-Principals"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:325
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:553
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1374
++msgid "while adding master key entry to the database"
++msgstr "beim Hinzufügen des Hauptschlüsseleintrags zur Datenbank"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:383
++msgid "0 is an invalid KVNO value"
++msgstr "0 ist kein gültiger KVNO-Wert"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:394
++#, c-format
++msgid "%d is an invalid KVNO value"
++msgstr "%d ist kein gültiger KVNO-Wert"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:410
++#, c-format
++msgid "could not parse date-time string '%s'"
++msgstr "»date-time«-Zeichenkette »%s« konnte nicht ausgewertet werden"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:452
++msgid "while looking up active version of master key"
++msgstr "beim Nachschlagen der aktiven Version des Hauptschlüssels"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:491
++msgid "while adding new master key"
++msgstr "beim Hinzufügen eines neuen Hauptschlüssels"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:529
++msgid "there must be one master key
currently active"
++msgstr "ein Hauptschlüssel muss derzeit aktiv sein"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:537
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1342
++msgid "while updating actkvno data for master principal entry"
++msgstr "beim Aktualisieren der Actkvno-Daten für den Haupt-Principal-Eintrag"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:581
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:948
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1116
++msgid "master keylist not initialized"
++msgstr "Hauptschlüsselliste ist nicht initialisiert"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:607
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:994
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1254
++msgid "while looking up active kvno list"
++msgstr "beim Nachschlagen der Liste aktiver KVNOs"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:615
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1002
++msgid "while looking up active master key"
++msgstr "beim Nachschlagen des aktiven Hauptschlüssels"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:627
++msgid "while getting enctype description"
++msgstr "beim Holen des Verschlüsselungsbeschreibung"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:644
++#, c-format
++msgid "KVNO: %d, Enctype: %s, Active on: %s *\n"
++msgstr "KVNO: %d, Verschlüsselungstyp: %s, aktiviert auf: %s *\n"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:649
++#, c-format
++msgid "KVNO: %d, Enctype: %s, Active on: %s\n"
++msgstr "KVNO: %d, Verschlüsselungstyp: %s, aktiviert auf: %s\n"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:653
++#, c-format
++msgid "KVNO: %d, Enctype: %s, No activate time set\n"
++msgstr "KVNO: %d, Verschlüsselungstyp: %s, keine Aktivierungszeit gesetzt\n"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:658
++msgid "asprintf could not allocate enough memory to hold output"
++msgstr ""
++"Asprintf konnte nicht genug Speicher reservieren, um die Ausgabe "
++"bereitzuhalten"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:793
++msgid "getting string representation of principal
name"
++msgstr "Principal-Name wird im Klartext geholt"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:817
++#, c-format
++msgid "determining master key used for principal '%s'"
++msgstr "Hauptschlüssel, der für Principal »%s« benutzt wird, wird bestimmt"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:823
++#, c-format
++msgid "would skip: %s\n"
++msgstr "würde übersprungen: %s\n"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:825
++#, c-format
++msgid "skipping: %s\n"
++msgstr "wird übersprungen: %s\n"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:831
++#, c-format
++msgid "would update: %s\n"
++msgstr "würde aktualisiert: %s\n"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:835
++#, c-format
++msgid "updating: %s\n"
++msgstr "wird aktualisiert: %s\n"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:839
++#, c-format
++msgid "error re-encrypting key for principal '%s'"
++msgstr "Fehler beim erneuten Verschlüsseln des Schlüssels für Principal »%s«"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:850
++#, c-format
++msgid "while updating principal '%s' modification time"
++msgstr "beim Aktualisieren der Änderungszeit von Principal »%s«"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:857
++#, c-format
++msgid "while updating principal '%s' key data in the database"
++msgstr ""
++"beim Aktualisieren der Schlüsseldaten von Principal »%s« in der Datenbank"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:889
++#, c-format
++msgid ""
++"\n"
++"(type 'yes' to confirm)?
"
++msgstr ""
++"\n"
++"(Geben Sie als Bestätigung »yes« ein) "
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:942
++msgid "while formatting master principal name"
++msgstr "beim Formatieren des Haupt-Principal-Namens"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:959
++#, c-format
++msgid "converting glob pattern '%s' to regular expression"
++msgstr "Platzhalter »%s« wird in einen regulären Ausdruck umgewandelt"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:977
++#, c-format
++msgid "error compiling converted regexp '%s'"
++msgstr "Fehler beim Kompilieren des umgewandelten regulären Ausdrucks »%s«"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1010
++#, c-format
++msgid "Re-encrypt all keys not using master key vno %u?"
++msgstr ""
++"Sollen alle Schlüssel neu verschlüsselt werden, die nicht die Hauptschlüssel-"
++"VNO %u verwenden?"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1012
++#, c-format
++msgid "OK, doing nothing.\n"
++msgstr "Ok, es wird nichts getan.\n"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1018
++#, c-format
++msgid "Principals whose keys WOULD BE re-encrypted to master key vno %u:\n"
++msgstr ""
++"Principals, deren Schlüssel mit dem Hauptschlüssel VNO %u neu verschlüsselt "
++"WÜRDEN:\n"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1021
++#, c-format
++msgid ""
++"Principals whose keys are being re-encrypted to master key vno %u if "
++"necessary:\n"
++msgstr ""
++"Principals, deren Schlüssel mit dem Hauptschlüssel VNO %u neu verschlüsselt "
++"werden, falls nötig:\n"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1037
++msgid "trying to process principal database"
++msgstr "es wird versucht, die Principal-Datenbank zu verarbeiten"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1042
++#, c-format
++msgid "%u principals processed: %u would be updated, %u already current\n"
++msgstr ""
++"%u Principals verarbeitet: %u würden aktualisiert, %u bereits aktuell\n"
++
++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1046
++#, c-format
++msgid "%u principals processed: %u
updated, %u already current\n" ++msgstr "%u Principals verarbeitet: %u aktualisiert, %u bereits aktuell\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1164 ++#, c-format ++msgid "" ++"Will purge all unused master keys stored in the '%s' principal, are you " ++"sure?\n" ++msgstr "" ++"Sind Sie sicher, dass alle nicht verwendeten Hauptschlüssel, die für " ++"Principal »%s« gespeichert sind, vollständig entfernt werden sollen?\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1175 ++#, c-format ++msgid "OK, purging unused master keys from '%s'...\n" ++msgstr "" ++"Ok, die nicht verwendeten Hauptschlüssel von »%s« werden vollständig " ++"entfernt …\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1183 ++#, c-format ++msgid "There is only one master key which can not be purged.\n" ++msgstr "" ++"Es gibt nur einen einzigen Hauptschlüssel, der nicht vollständig entfernt " ++"werden kann.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1192 ++msgid "while allocating args.kvnos" ++msgstr "beim Reservieren von »args.kvnos«" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1208 ++msgid "while finding master keys in use" ++msgstr "bei der Suche nach den gerade verwendeten Hauptschlüsseln" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1217 ++#, c-format ++msgid "Would purge the following master key(s) from %s:\n" ++msgstr "" ++"Der/Die folgende(n) Hauptschlüssel würden/würde von %s vollständig " ++"entfernt:\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1220 ++#, c-format ++msgid "Purging the following master key(s) from %s:\n" ++msgstr "" ++"Der/Die folgende(n) Hauptschlüssel werden/wird von %s vollständig entfernt:\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1232 ++msgid "master key stash file needs updating, command aborting" ++msgstr "" ++"Ablagedatei des Hauptschlüssels erfordert Aktualisierung, Befehl abgebrochen" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1238 ++#, c-format ++msgid "KVNO: %d\n" ++msgstr "KVNO: %d\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1243 ++#, c-format 
++msgid "All keys in use, nothing purged.\n" ++msgstr "Alle Schlüssel sind in Gebrauch, keiner wurde vollständig entfernt.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1248 ++#, c-format ++msgid "%d key(s) would be purged.\n" ++msgstr "%d Schlüssel würde(n) vollständig entfernt.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1261 ++msgid "while looking up mkey aux data list" ++msgstr "beim Nachschlagen der Mkey-Aux-Datenliste" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1269 ++msgid "while allocating key_data" ++msgstr "beim Reservieren von »key_data«" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1350 ++msgid "while updating mkey_aux data for master principal entry" ++msgstr "beim Aktualisieren der Mkey-Aux-Daten für den Haupt-Principal-Eintrag" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1378 ++#, c-format ++msgid "%d key(s) purged.\n" ++msgstr "%d Schlüssel vollständig entfernt\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_stash.c:97 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:538 ++#, c-format ++msgid "while setting up enctype %d" ++msgstr "beim Einrichten des Verschlüsselungstyps %d" ++ ++#: ../../src/kadmin/dbutil/kdb5_stash.c:123 ++msgid "while getting master key list" ++msgstr "beim Holen der Hauptschlüsselliste" ++ ++#: ../../src/kadmin/dbutil/kdb5_stash.c:127 ++#, c-format ++msgid "Using existing stashed keys to update stash file.\n" ++msgstr "" ++"Zur Aktualisierung der Ablagedatei werden existierende gelagert Schlüssel " ++"verwendet.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:80 ++#, c-format ++msgid "" ++"Usage: kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M " ++"mkeyname]\n" ++"\t [-kv mkeyVNO] [-sf stashfilename] [-m] cmd [cmd_options]\n" ++"\tcreate [-s]\n" ++"\tdestroy [-f]\n" ++"\tstash [-f keyfile]\n" ++"\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n" ++"\t [-mkey_convert] [-new_mkey_file mkey_file]\n" ++"\t [-rev] [-recurse] [filename [princs...]]\n" ++"\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] 
filename\n" ++"\tark [-e etype_list] principal\n" ++"\tadd_mkey [-e etype] [-s]\n" ++"\tuse_mkey kvno [time]\n" ++"\tlist_mkeys\n" ++msgstr "" ++"Aufruf: kdb5_util [-x Datenbankargumente]* [-r Realm] [-d Datenbankname] [-k " ++"Mkeytype] [-M Mkeyname]\n" ++"\t [-kv MkeyVNO] [-sf Ablagedateiname] [-m] Befehl [Befehlsoptionen]\n" ++"\tcreate [-s]\n" ++"\tdestroy [-f]\n" ++"\tstash [-f Schlüsseldatei]\n" ++"\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n" ++"\t [-mkey_convert] [-new_mkey_file mkey-Datei]\n" ++"\t [-rev] [-recurse] [Dateiname [Principals …]]\n" ++"\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] Dateiname\n" ++"\tark [-e Etype-Liste] Principal\n" ++"\tadd_mkey [-e Etype] [-s]\n" ++"\tuse_mkey kvno [Zeit]\n" ++"\tlist_mkeys\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:98 ++#, c-format ++msgid "" ++"\tupdate_princ_encryption [-f] [-n] [-v] [princ-pattern]\n" ++"\tpurge_mkeys [-f] [-n] [-v]\n" ++"\n" ++"where,\n" ++"\t[-x db_args]* - any number of database specific arguments.\n" ++"\t\t\tLook at each database documentation for supported arguments\n" ++msgstr "" ++"\tupdate_princ_encryption [-f] [-n] [-v] [Principal-Muster]\n" ++"\tpurge_mkeys [-f] [-n] [-v]\n" ++"\n" ++"dabei sind\n" ++"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer " ++"Argumente.\n" ++"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation " ++"der jeweiligen Datenbank.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:211 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:260 ++msgid "while initializing Kerberos code" ++msgstr "beim Initialisieren von Kerberos-Code" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:217 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:267 ++msgid "while creating sub-command arguments" ++msgstr "beim Erstellen von Unterbefehlsargumenten" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:235 ++msgid "while parsing command arguments" ++msgstr "beim Auswerten von Befehlsargumenten" ++ ++#: 
../../src/kadmin/dbutil/kdb5_util.c:264 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:298 ++#, c-format ++msgid ": %s is an invalid enctype" ++msgstr ": %s ist kein gültiger Verschlüsselungstyp" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:272 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:307 ++#, c-format ++msgid ": %s is an invalid mkeyVNO" ++msgstr ": %s ist kein gültiger MkeyVNO" ++ ++# FIXME s/retreiving/retrieving/ ++#: ../../src/kadmin/dbutil/kdb5_util.c:317 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:431 ++msgid "while retreiving configuration parameters" ++msgstr "beim Abfragen der Konfigurationsparameter" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:368 ++msgid "Too few arguments" ++msgstr "zu wenige Argumente" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:369 ++#, c-format ++msgid "Usage: %s dbpathname realmname" ++msgstr "Aufruf: %s Datenbankpfadname Realm-Name" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:375 ++msgid "while closing previous database" ++msgstr "beim Schließen der vorherigen Datenbank" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:412 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:877 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1497 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:564 ++msgid "while initializing database" ++msgstr "beim Initialisieren der Datenbank" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:429 ++msgid "while retrieving master entry" ++msgstr "beim Abfragen des Haupteintrags" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:448 ++msgid "while calculated master key salt" ++msgstr "beim Berechnen des Hauptschlüssel-Salts" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:480 ++msgid "Warning: proceeding without master key" ++msgstr "Warnung: Es wird ohne Hauptschlüssel fortgefahren" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:498 ++msgid "while seeding random number generator" ++msgstr "beim Erzeugen des Startwerts des Zufallszahlengenerators" ++ ++#: 
../../src/kadmin/dbutil/kdb5_util.c:508 ++#, c-format ++msgid "%s: Could not map log\n" ++msgstr "%s: Protokolldatei konnte nicht abgebildet werden\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:535 ++msgid "while closing database" ++msgstr "beim Schließen der Datenbank" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:582 ++#, c-format ++msgid "while fetching principal %s" ++msgstr "beim Abrufen von Principal %s" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:605 ++msgid "while finding mkey" ++msgstr "beim Suchen nach Mkey" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:630 ++msgid "while setting changetime" ++msgstr "beim Setzen der Änderungszeit der Datei" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:638 ++#, c-format ++msgid "while saving principal %s" ++msgstr "beim Speichern von Principal %s" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:642 ++#, c-format ++msgid "%s changed\n" ++msgstr "%s geändert\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:73 ++#, c-format ++msgid "%s: invalid arguments\n" ++msgstr "%s: ungültige Argumente\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:78 ++msgid "while freeing ktlist" ++msgstr "beim Freigeben von »ktlist«" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:89 ++#, c-format ++msgid "%s: must specify keytab to read\n" ++msgstr "" ++"%s: Die Schlüsseltabelle, die gelesen werden soll, muss angegeben werden.\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:94 ++#, c-format ++msgid "while reading keytab \"%s\"" ++msgstr "beim Lesen der Schlüsseltabelle »%s«" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:104 ++#, c-format ++msgid "%s: must specify the srvtab to read\n" ++msgstr "%s: Die zu lesende Dienstschlüsseltabelle muss angegeben werden.\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:109 ++#, c-format ++msgid "while reading srvtab \"%s\"" ++msgstr "beim Lesen der Dienstschlüsseltabelle »%s«" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:119 ++#, c-format ++msgid "%s: must specify keytab to write\n" ++msgstr "%s: Die zu schreibende Schlüsseltabelle muss angegeben 
werden.\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:124 ++#, c-format ++msgid "while writing keytab \"%s\"" ++msgstr "beim Schreiben der Schlüsseltabelle »%s«" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:131 ++#, c-format ++msgid "%s: writing srvtabs is no longer supported\n" ++msgstr "" ++"%s: Schreiben der Dienstschlüsseltabelle wird nicht länger unterstützt\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:169 ++#, c-format ++msgid "usage: %s (-key | -password) -p principal -k kvno -e enctype\n" ++msgstr "" ++"Aufruf: %s (-key | -password) -p Principal -k KVNO -e Verschlüsselungstyp\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:176 ++msgid "while adding new entry" ++msgstr "beim Hinzufügen eines neuen Eintrags" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:186 ++#, c-format ++msgid "%s: must specify entry to delete\n" ++msgstr "%s: zu löschender Eintrag muss angegeben werden\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:191 ++#, c-format ++msgid "while deleting entry %d" ++msgstr "beim Löschen von Eintrag %d" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:219 ++#, c-format ++msgid "%s: usage: %s [-t] [-k] [-e]\n" ++msgstr "%s: Aufruf: %s [-t] [-k] [-e]\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:259 ++msgid "While converting enctype to string" ++msgstr "beim Umwandeln des Verschlüsselungstyps in eine Zeichenkette" ++ ++#: ../../src/kadmin/ktutil/ktutil_funcs.c:162 ++#, c-format ++msgid "Password for %.1000s" ++msgstr "Passwort für %.1000s" ++ ++#: ../../src/kadmin/ktutil/ktutil_funcs.c:179 ++#, c-format ++msgid "Key for %s (hex): " ++msgstr "Schlüssel für %s (hexadezimal): " ++ ++#: ../../src/kadmin/ktutil/ktutil_funcs.c:191 ++#, c-format ++msgid "addent: Error reading key.\n" ++msgstr "addent: Fehler beim Lesen des Schlüssels\n" ++ ++#: ../../src/kadmin/ktutil/ktutil_funcs.c:206 ++#, c-format ++msgid "addent: Illegal character in key.\n" ++msgstr "addent: unerlaubtes Zeichen im Schlüssel\n" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:48 ++#, c-format ++msgid "Unauthorized request: 
%s, client=%s, service=%s, addr=%s" ++msgstr "unberechtigte Anfrage: %s, Client=%s, Dienst=%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:49 ++#: ../../src/kadmin/server/ipropd_svc.c:212 ++#, c-format ++msgid "Request: %s, %s, %s, client=%s, service=%s, addr=%s" ++msgstr "Anfrage: %s, %s, %s, Client=%s, Dienst=%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:146 ++#: ../../src/kadmin/server/ipropd_svc.c:271 ++#, c-format ++msgid "%s: server handle is NULL" ++msgstr "%s: Server-Identifikator ist NULL" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:156 ++#: ../../src/kadmin/server/ipropd_svc.c:284 ++#, c-format ++msgid "%s: setup_gss_names failed" ++msgstr "%s: setup_gss_names fehlgeschlagen" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:166 ++#: ../../src/kadmin/server/ipropd_svc.c:295 ++#, c-format ++msgid "%s: out of memory recording principal names" ++msgstr "%s: Speicher reicht nicht zur Aufzeichnung der Principal-Namen aus" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:195 ++#, c-format ++msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=%lu" ++msgstr "%s; eingehende Seriennummer=%lu; ausgehende Seriennummer=%lu" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:201 ++#, c-format ++msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=N/A" ++msgstr "%s; eingehende Seriennummer=%lu; ausgehende Seriennummer=N/A" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:320 ++#, c-format ++msgid "%s: getclhoststr failed" ++msgstr "%s: getclhoststr fehlgeschlagen" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:342 ++#, c-format ++msgid "%s: cannot construct kdb5 util dump string too long; out of memory" ++msgstr "" ++"Ausgabenzeichenkette des KDB5-Hilfswerkzeugs nicht konstruierbar, da zu " ++"lang; Speicher reicht nicht aus.%s: Die Ausgabezeichenkette des KDB5-" ++"Hilfswerkzeugs kann nicht erstellt werden, weil sie zu lang ist. Der " ++"Speicherplatz reicht nicht aus." 
++ ++#: ../../src/kadmin/server/ipropd_svc.c:362 ++#, c-format ++msgid "%s: fork failed: %s" ++msgstr "%s: Verzweigen fehlgeschlagen: %s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:374 ++#, c-format ++msgid "%s: popen failed: %s" ++msgstr "%s: popen fehlgeschlagen: %s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:388 ++#, c-format ++msgid "%s: pclose(popen) failed: %s" ++msgstr "%s: pclose(popen) fehlgeschlagen: %s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:405 ++#, c-format ++msgid "%s: exec failed: %s" ++msgstr "%s: exec fehlgeschlagen: %s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:421 ++#, c-format ++msgid "Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s" ++msgstr "" ++"Anfrage: %s, hervorgebrachter Neusynchronisationsprozess %d, Client=%s, " ++"Dienst=%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:485 ++#: ../../src/kadmin/server/kadm_rpc_svc.c:275 ++#, c-format ++msgid "check_rpcsec_auth: failed inquire_context, stat=%u" ++msgstr "check_rpcsec_auth: inquire_context fehlgeschlagen, Stat=%u" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:515 ++#: ../../src/kadmin/server/kadm_rpc_svc.c:304 ++#, c-format ++msgid "bad service principal %.*s%s" ++msgstr "falscher Dienst-Principal %.*s%s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:538 ++#, c-format ++msgid "authentication attempt failed: %s, RPC authentication flavor %d" ++msgstr "" ++"Authentifizierungsversuche gescheitert: %s, PRC-Authentifizierungsvariante %d" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:572 ++#, c-format ++msgid "RPC unknown request: %d (%s)" ++msgstr "unbekannte PRC-Anfrage: %d (%s)" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:580 ++#, c-format ++msgid "RPC svc_getargs failed (%s)" ++msgstr "RPC-»svc_getargs« fehlgeschlagen (%s)" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:590 ++#, c-format ++msgid "RPC svc_sendreply failed (%s)" ++msgstr "RPC-»svc_sendreply« fehlgeschlagen (%s)" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:596 ++#, c-format ++msgid 
"RPC svc_freeargs failed (%s)" ++msgstr "RPC-»svc_freeargs« fehlgeschlagen (%s)" ++ ++#: ../../src/kadmin/server/kadm_rpc_svc.c:325 ++#, c-format ++msgid "gss_to_krb5_name: failed display_name status %d" ++msgstr "gss_to_krb5_name: display_name fehlgeschlagen, Status %d" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:86 ++#, c-format ++msgid "" ++"Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] [-port port-number]\n" ++"\t\t[-proponly] [-p path-to-kdb5_util] [-F dump-file]\n" ++"\t\t[-K path-to-kprop] [-P pid_file]\n" ++"\n" ++"where,\n" ++"\t[-x db_args]* - any number of database specific arguments.\n" ++"\t\t\tLook at each database documentation for supported arguments\n" ++msgstr "" ++"Aufruf: kadmind [-x Datenbankargumente]* [-r Realm] [-m] [-nofork]\n" ++"\t\t[-port Portummer] [-p Pfad_zum_KDB5-Hilfswerkzeug] [-F Auszugsdatei]\n" ++"\t\t[-K Pfad_zu_Kprop] [-P PID-Datei]\n" ++"\n" ++"dabei sind\n" ++"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer " ++"Argumente.\n" ++"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation " ++"der jeweiligen Datenbank.\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:111 ++#, c-format ++msgid "%s: %s while %s, aborting\n" ++msgstr "%s: %s bei %s, wird abgebrochen\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:113 ++#, c-format ++msgid "%s while %s, aborting\n" ++msgstr "%s bei %s, wird abgebrochen\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:115 ++#, c-format ++msgid "%s: %s, aborting\n" ++msgstr "%s: %s, wird abgebrochen\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:116 ++#, c-format ++msgid "%s, aborting" ++msgstr "%s, wird abgebrochen" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:282 ++#, c-format ++msgid "" ++"WARNING! Forged/garbled request: %s, claimed client = %.*s%s, server = %.*s" ++"%s, addr = %s" ++msgstr "" ++"WARNUNG! 
Gefälschte/verstümmelte Anfrage: %s, geforderter Client = %.*s%s, " ++"Server = %.*s%s, Adresse = %s" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:288 ++#, c-format ++msgid "" ++"WARNING! Forged/garbled request: %d, claimed client = %.*s%s, server = %.*s" ++"%s, addr = %s" ++msgstr "" ++"WARNUNG! Gefälschte/verstümmelte Anfrage: %d, Client = %.*s%s, Server = " ++"%.*s%s, Adresse = %s" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:302 ++#, c-format ++msgid "Miscellaneous RPC error: %s, %s" ++msgstr "sonstiger PRC-Fehler: %s, %s" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:318 ++#, c-format ++msgid "%s Cannot decode status %d" ++msgstr "%s: Status %d kann nicht dekodiert werden" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:336 ++#, c-format ++msgid "Authentication attempt failed: %s, GSS-API error strings are:" ++msgstr "Authentifizierungsversuch fehlgeschlagen: %s, GSS-API-Fehlermeldungen:" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:341 ++msgid " GSS-API error strings complete." ++msgstr " GSS-API-Fehlermeldungen vollständig" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:378 ++#, c-format ++msgid "%s: cannot initialize. 
Not enough memory\n" ++msgstr "%s: kann nicht initialisiert werden: Speicher reicht nicht aus.\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:445 ++#, c-format ++msgid "%s: %s while initializing context, aborting\n" ++msgstr "%s: %s beim Initialisieren des Kontextes, wird abgebrochen\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:456 ++msgid "initializing" ++msgstr "wird initialisiert" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:460 ++msgid "getting config parameters" ++msgstr "beim Holen der Konfigurationsparameter" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:462 ++msgid "Missing required realm configuration" ++msgstr "erforderliche Realm-Konfiguration fehlt" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:464 ++msgid "Missing required ACL file configuration" ++msgstr "erforderliche ACL-Dateikonfiguration fehlt" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:468 ++msgid "initializing network" ++msgstr "Netzwerk wird initialisiert" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:473 ++msgid "Cannot build GSSAPI auth names" ++msgstr "GSS-API-Authentifizierungsnamen können nicht gebildet werden." ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:477 ++msgid "Cannot set up KDB keytab" ++msgstr "Die KDB-Schlüsseltabelle kann nicht eingerichtet werden." ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:480 ++msgid "Cannot set GSSAPI authentication names" ++msgstr "GSS-API-Authentifizierungsnamen können nicht gesetzt werden." 
++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:497 ++msgid "Cannot initialize GSSAPI service name" ++msgstr "GSSAPI-Dienstname kann nicht initialisiert werden" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:501 ++msgid "initializing ACL file" ++msgstr "ACL-Datei wird initialisiert" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:504 ++msgid "spawning daemon process" ++msgstr "Daemon-Prozess wird erzeugt" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:508 ++msgid "creating PID file" ++msgstr "PID-Datei wird erstellt" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:511 ++msgid "Seeding random number generator" ++msgstr "Startwert des Zufallszahlengenerators wird erzeugt" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:514 ++msgid "getting random seed" ++msgstr "Zufallsstartwert wird geholt" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:521 ++msgid "mapping update log" ++msgstr "Aktualisierungsprotokoll wird abgebildet" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:525 ++#, c-format ++msgid "%s: create IPROP svc (PROG=%d, VERS=%d)\n" ++msgstr "%s: IPROP-Dienst wird erstellt (PROG=%d, VERS=%d)\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:530 ++msgid "starting" ++msgstr "startet" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:532 ../../src/kdc/main.c:1061 ++#, c-format ++msgid "%s: starting...\n" ++msgstr "%s: startet …\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:535 ++msgid "finished, exiting" ++msgstr "fertig, wird beendet" ++ ++#: ../../src/kadmin/server/schpw.c:282 ++#, c-format ++msgid "setpw request from %s by %.*s%s for %.*s%s: %s" ++msgstr "»setpw«-Anfrage von %s durch %.*s%s für %.*s%s: %s" ++ ++#: ../../src/kadmin/server/schpw.c:287 ++#, c-format ++msgid "chpw request from %s for %.*s%s: %s" ++msgstr "»chpw«-Anfrage von %s für %.*s%s: %s" ++ ++#: ../../src/kadmin/server/schpw.c:464 ++#, c-format ++msgid "chpw: Couldn't open admin keytab %s" ++msgstr "chpw«: Administratorschlüsseltabelle %s konnte nicht geöffnet werden" ++ ++#: 
../../src/kadmin/server/server_stubs.c:293 ++#, c-format ++msgid "" ++"Unauthorized request: %s, %.*s%s, client=%.*s%s, service=%.*s%s, addr=%s" ++msgstr "" ++"Unauthorisierte Anfrage: %s, %.*s%s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/server_stubs.c:314 ++#: ../../src/kadmin/server/server_stubs.c:649 ++#: ../../src/kadmin/server/server_stubs.c:1792 ++msgid "success" ++msgstr "erfolgreich" ++ ++#: ../../src/kadmin/server/server_stubs.c:324 ++#, c-format ++msgid "Request: %s, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s" ++msgstr "Anfrage: %s, %.*s%s, %s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/server_stubs.c:628 ++#, c-format ++msgid "" ++"Unauthorized request: kadm5_rename_principal, %.*s%s to %.*s%s, client=%.*s" ++"%s, service=%.*s%s, addr=%s" ++msgstr "" ++"Unauthorisierte Anfrage: kadm5_rename_principal, %.*s%s bis %.*s%s, Client=" ++"%.*s%s, Dienst=%.*s%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/server_stubs.c:644 ++#, c-format ++msgid "" ++"Request: kadm5_rename_principal, %.*s%s to %.*s%s, %s, client=%.*s%s, " ++"service=%.*s%s, addr=%s" ++msgstr "" ++"Anfrage: kadm5_rename_principal, %.*s%s bis %.*s%s, %s, Client=%.*s%s, " ++"Dienst=%.*s%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/server_stubs.c:1788 ++#, c-format ++msgid "" ++"Request: kadm5_init, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s, " ++"vers=%d, flavor=%d" ++msgstr "" ++"Anfrage: kadm5_init, %.*s%s, %s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s, " ++"Version=%d, Variante=%d" ++ ++#: ../../src/kdc/do_as_req.c:273 ++#, c-format ++msgid "AS_REQ : handle_authdata (%d)" ++msgstr "AS_REQ: handle_authdata (%d)" ++ ++#: ../../src/kdc/do_tgs_req.c:593 ++#, c-format ++msgid "TGS_REQ : handle_authdata (%d)" ++msgstr "TGS_REQ: handle_authdata (%d)" ++ ++#: ../../src/kdc/do_tgs_req.c:655 ++msgid "not checking transit path" ++msgstr "Übergangspfad wird nicht geprüft" ++ ++#: ../../src/kdc/fast_util.c:62 ++#, c-format 
++msgid "%s while handling ap-request armor" ++msgstr "%s bei der Handhabung des »ap-request«-Schutzes" ++ ++#: ../../src/kdc/fast_util.c:71 ++msgid "ap-request armor for something other than the local TGS" ++msgstr "»ap-request«-Schutz für etwas anderes als den lokalen TGS" ++ ++#: ../../src/kdc/fast_util.c:80 ++msgid "ap-request armor without subkey" ++msgstr "»ap-request«-Schutz ohne Unterschlüssel" ++ ++#: ../../src/kdc/fast_util.c:162 ++msgid "Ap-request armor not permitted with TGS" ++msgstr "»ap-request«-Schutz nicht mit TGS gestattet" ++ ++#: ../../src/kdc/fast_util.c:169 ++#, c-format ++msgid "Unknown FAST armor type %d" ++msgstr "unbekanntet FAST-Schutztyp %d" ++ ++#: ../../src/kdc/fast_util.c:183 ++msgid "No armor key but FAST armored request present" ++msgstr "Es gibt keinen Schutzschlüssel aber eine FAST-geschützte Anfrage" ++ ++#: ../../src/kdc/fast_util.c:219 ++msgid "FAST req_checksum invalid; request modified" ++msgstr "FAST-»req_checksum« ungültig; Anfrage geändert" ++ ++#: ../../src/kdc/fast_util.c:225 ++msgid "Unkeyed checksum used in fast_req" ++msgstr "in fast_req wurde eine Prüfsumme ohne Schlüssel benutzt" ++ ++#: ../../src/kdc/kdc_audit.c:110 ++#, c-format ++msgid "audit plugin %s failed to open. error=%i" ++msgstr "Öffnen der Audit-Erweiterung %s fehlgeschlagen. 
Fehler=%i" ++ ++#: ../../src/kdc/kdc_authdata.c:292 ../../src/kdc/kdc_authdata.c:328 ++#, c-format ++msgid "authdata %s failed to initialize: %s" ++msgstr "Initialisieren von »authdata« %s fehlgeschlagen: %s" ++ ++#: ../../src/kdc/kdc_authdata.c:779 ++#, c-format ++msgid "authdata (%s) handling failure: %s" ++msgstr "Handhabung von »authdata« %s fehlgeschlagen: %s" ++ ++#: ../../src/kdc/kdc_log.c:82 ++#, c-format ++msgid "AS_REQ (%s) %s: ISSUE: authtime %d, %s, %s for %s" ++msgstr "AS_REQ (%s) %s: PROBLEM: Authentifizierungszeit %d, %s, %s für %s" ++ ++#: ../../src/kdc/kdc_log.c:88 ++#, c-format ++msgid "AS_REQ (%s) %s: %s: %s for %s%s%s" ++msgstr "AS_REQ (%s) %s: %s: %s für %s%s%s" ++ ++#: ../../src/kdc/kdc_log.c:159 ++#, c-format ++msgid "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s" ++msgstr "TGS_REQ (%s) %s: %s: Authentifizierungszeit %d, %s%s %s für %s%s%s" ++ ++#: ../../src/kdc/kdc_log.c:166 ++#, c-format ++msgid "... PROTOCOL-TRANSITION s4u-client=%s" ++msgstr "… PROTOKOLLÜBERGANG s4u-client=%s" ++ ++#: ../../src/kdc/kdc_log.c:170 ++#, c-format ++msgid "... CONSTRAINED-DELEGATION s4u-client=%s" ++msgstr "… EINHESCHRÄNKTE DELEGIERUNG s4u-client=%s" ++ ++#: ../../src/kdc/kdc_log.c:174 ++#, c-format ++msgid "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s" ++msgstr "TGS_REQ %s: %s: Authentifizierungszeit %d, %s für %s, 2. 
TKT-Client %s" ++ ++#: ../../src/kdc/kdc_log.c:208 ++#, c-format ++msgid "bad realm transit path from '%s' to '%s' via '%.*s%s'" ++msgstr "falscher Realm-Übergangspfad von »%s« zu »%s« über »%.*s%s«" ++ ++#: ../../src/kdc/kdc_log.c:214 ++#, c-format ++msgid "unexpected error checking transit from '%s' to '%s' via '%.*s%s': %s" ++msgstr "" ++"unerwarteter Fehler bei der Prüfung des Übergangs von »%s« zu »%s« über »%.*s" ++"%s«: %s" ++ ++#: ../../src/kdc/kdc_log.c:232 ++msgid "TGS_REQ: issuing alternate TGT" ++msgstr "TGS_REQ: alternativer TGT wird erstellt" ++ ++#: ../../src/kdc/kdc_log.c:235 ++#, c-format ++msgid "TGS_REQ: issuing TGT %s" ++msgstr "TGS_REQ: TGT %s wird erstellt" ++ ++#: ../../src/kdc/kdc_preauth.c:328 ++#, c-format ++msgid "preauth %s failed to initialize: %s" ++msgstr "Initialisieren von »preauth« %s fehlgeschlagen: %s" ++ ++#: ../../src/kdc/kdc_preauth.c:339 ++#, c-format ++msgid "preauth %s failed to setup loop: %s" ++msgstr "Einrichten der Schleife von »preauth« %s fehlgeschlagen: %s" ++ ++#: ../../src/kdc/kdc_preauth.c:760 ++#, c-format ++msgid "%spreauth required but hint list is empty" ++msgstr "%spreauth benötigt, aber Hinweisliste ist leer" ++ ++#: ../../src/kdc/kdc_preauth_ec.c:75 ++msgid "Encrypted Challenge used outside of FAST tunnel" ++msgstr "verschlüsselte Aufforderung wurde außerhalb des FAST-Tunnels verwendet" ++ ++#: ../../src/kdc/kdc_preauth_ec.c:110 ++msgid "Incorrect password in encrypted challenge" ++msgstr "falsches Passwort in verschlüsselter Aufforderung" ++ ++#: ../../src/kdc/kdc_util.c:236 ++msgid "TGS_REQ: SESSION KEY or MUTUAL" ++msgstr "TGS_REQ: SITZUNGSSCHLÜSSEL oder BEIDERSEITIG" ++ ++#: ../../src/kdc/kdc_util.c:314 ++msgid "PROCESS_TGS: failed lineage check" ++msgstr "PROCESS_TGS: Abstammungsprüfung fehlgeschlagen" ++ ++#: ../../src/kdc/kdc_util.c:468 ++#, c-format ++msgid "TGS_REQ: UNKNOWN SERVER: server='%s'" ++msgstr "TGS_REQ: UNBEKANNTER SERVER: Server=»%s«" ++ ++#: ../../src/kdc/main.c:231 ++#, c-format 
++msgid "while getting context for realm %s" ++msgstr "beim Holen des Kontextes für Realm %s" ++ ++#: ../../src/kdc/main.c:329 ++#, c-format ++msgid "while setting default realm to %s" ++msgstr "beim Setzen des Standard-Realms auf %s" ++ ++#: ../../src/kdc/main.c:337 ++#, c-format ++msgid "while initializing database for realm %s" ++msgstr "beim Initialisieren der Datenbank für Realm %s" ++ ++#: ../../src/kdc/main.c:346 ++#, c-format ++msgid "while setting up master key name %s for realm %s" ++msgstr "beim Einrichten des Hauptschlüsselnamens %s für Realm %s" ++ ++#: ../../src/kdc/main.c:359 ++#, c-format ++msgid "while fetching master key %s for realm %s" ++msgstr "beim Abholen des Hauptschlüssels %s für Realm %s" ++ ++#: ../../src/kdc/main.c:367 ++#, c-format ++msgid "while fetching master keys list for realm %s" ++msgstr "beim Abholen der Hauptschlüsselliste für Realm %s" ++ ++#: ../../src/kdc/main.c:376 ++#, c-format ++msgid "while resolving kdb keytab for realm %s" ++msgstr "beim Ermitteln der KDB-Schlüsseltabelle für Realm %s" ++ ++#: ../../src/kdc/main.c:385 ++#, c-format ++msgid "while building TGS name for realm %s" ++msgstr "beim Bilden des TGS-Namens für Realm %s" ++ ++#: ../../src/kdc/main.c:503 ++#, c-format ++msgid "creating %d worker processes" ++msgstr "%d Arbeitsprozesse werden erzeugt" ++ ++#: ../../src/kdc/main.c:513 ++msgid "Unable to reinitialize main loop" ++msgstr "Hauptschleife konnte nicht neu initialisiert werden" ++ ++#: ../../src/kdc/main.c:518 ++#, c-format ++msgid "Unable to initialize signal handlers in pid %d" ++msgstr "" ++"Signalbehandlungsprogramme in PID %d konnten nicht initialisiert werden" ++ ++#: ../../src/kdc/main.c:548 ++#, c-format ++msgid "worker %ld exited with status %d" ++msgstr "Arbeitsprozess %ld endete mit Status %d" ++ ++#: ../../src/kdc/main.c:572 ++#, c-format ++msgid "signal %d received in supervisor" ++msgstr "Überwachungsprogramm empfing Signal %d" ++ ++#: ../../src/kdc/main.c:591 ++#, c-format ++msgid "" 
++"usage: %s [-x db_args]* [-d dbpathname] [-r dbrealmname]\n" ++"\t\t[-R replaycachename] [-m] [-k masterenctype]\n" ++"\t\t[-M masterkeyname] [-p port] [-P pid_file]\n" ++"\t\t[-n] [-w numworkers] [/]\n" ++"\n" ++"where,\n" ++"\t[-x db_args]* - Any number of database specific arguments.\n" ++"\t\t\tLook at each database module documentation for \t\t\tsupported " ++"arguments\n" ++msgstr "" ++"Aufruf: %s [-x Datenbankargumente]* [-d Datenbankpfadname]\n" ++"\t\t[-r Datenbank-Realm-Name] [-m] [-k Hauptverschlüsselungstyp]\n" ++"\t\t[-M Hauptschlüsselname] [-p Port] [-P PID-Datei]\n" ++"\t\t[-n] [-w Arbeitsprozessanzahl] [/]\n" ++"\n" ++"dabei sind\n" ++"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer " ++"Argumente.\n" ++"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation " ++"der jeweiligen Datenbank.\n" ++ ++#: ../../src/kdc/main.c:653 ../../src/kdc/main.c:660 ../../src/kdc/main.c:774 ++#, c-format ++msgid " KDC cannot initialize. Not enough memory\n" ++msgstr "KDC kann nicht initialisiert werden. Speicher reicht nicht aus\n" ++ ++#: ../../src/kdc/main.c:679 ../../src/kdc/main.c:722 ../../src/kdc/main.c:733 ++#, c-format ++msgid "%s: KDC cannot initialize. Not enough memory\n" ++msgstr "%s: KDC kann nicht initialisiert werden. Speicher reicht nicht aus\n" ++ ++#: ../../src/kdc/main.c:699 ../../src/kdc/main.c:816 ++#, c-format ++msgid "%s: cannot initialize realm %s - see log file for details\n" ++msgstr "" ++"%s: Realm %s kann nicht initialisiert werden - Einzelheiten finden Sie in " ++"der Protokolldatei\n" ++ ++#: ../../src/kdc/main.c:710 ++#, c-format ++msgid "%s: cannot initialize realm %s. Not enough memory\n" ++msgstr "" ++"%s: Realm %s kann nicht initialisiert werden. 
Speicher reicht nicht aus\n" ++ ++#: ../../src/kdc/main.c:761 ++#, c-format ++msgid "invalid enctype %s" ++msgstr "ungültiger Verschlüsselungstyp %s" ++ ++#: ../../src/kdc/main.c:804 ++msgid "while attempting to retrieve default realm" ++msgstr "beim Versuch, den Standard-Realm abzufragen" ++ ++#: ../../src/kdc/main.c:806 ++#, c-format ++msgid "%s: %s, attempting to retrieve default realm\n" ++msgstr "%s: %s, es wird versucht, den Standard-Realm abzufragen\n" ++ ++#: ../../src/kdc/main.c:912 ++#, c-format ++msgid "%s: cannot get memory for realm list\n" ++msgstr "%s: Speicher für die Realm-Liste kann nicht erlangt werden\n" ++ ++# http://www.oreilly.de/german/freebooks/linuxdrive2ger/getcache.html ++#: ../../src/kdc/main.c:947 ++msgid "while initializing lookaside cache" ++msgstr "beim Initialisieren des Lookaside-Zwischenspeichers" ++ ++#: ../../src/kdc/main.c:955 ++msgid "while creating main loop" ++msgstr "beim Erzeugen der Hauptschleife" ++ ++# SAM=Security Accounts Manager ++#: ../../src/kdc/main.c:965 ++msgid "while initializing SAM" ++msgstr "beim Initialisieren des SAMs" ++ ++#: ../../src/kdc/main.c:1011 ++msgid "while initializing routing socket" ++msgstr "beim Initialisieren des Routing-Sockets" ++ ++#: ../../src/kdc/main.c:1017 ++msgid "while initializing signal handlers" ++msgstr "beim Initialisieren des Signalbehandlungsprogramms" ++ ++#: ../../src/kdc/main.c:1024 ++msgid "while initializing network" ++msgstr "beim Initialisieren des Netzwerks" ++ ++#: ../../src/kdc/main.c:1029 ++msgid "while detaching from tty" ++msgstr "beim Lösen vom Terminal" ++ ++#: ../../src/kdc/main.c:1036 ++msgid "while creating PID file" ++msgstr "beim Erstellen der PID-Datei" ++ ++#: ../../src/kdc/main.c:1045 ++msgid "creating worker processes" ++msgstr "Arbeitsprozesse werden erzeugt" ++ ++#: ../../src/kdc/main.c:1055 ++msgid "while loading audit plugin module(s)" ++msgstr "beim Laden des/der Auditerweiterungsmoduls/Auditerweiterungsmodule" ++ ++#: ../../src/kdc/main.c:1059 
++msgid "commencing operation" ++msgstr "Aktion wird begonnen" ++ ++#: ../../src/kdc/main.c:1067 ++msgid "shutting down" ++msgstr "wird heruntergefahren" ++ ++#: ../../src/lib/apputils/net-server.c:258 ++msgid "Got signal to request exit" ++msgstr "Signal zur Anfrage des Beendens empfangen" ++ ++#: ../../src/lib/apputils/net-server.c:272 ++msgid "Got signal to reset" ++msgstr "Signal zum Zurücksetzen empfangen" ++ ++#: ../../src/lib/apputils/net-server.c:429 ++#, c-format ++msgid "closing down fd %d" ++msgstr "Dateideskriptor %d wird geschlossen" ++ ++#: ../../src/lib/apputils/net-server.c:443 ++#, c-format ++msgid "descriptor %d closed but still in svc_fdset" ++msgstr "Deskriptor %d geschlossen, aber immer noch in »svc_fdset«" ++ ++#: ../../src/lib/apputils/net-server.c:469 ++msgid "cannot create io event" ++msgstr "E/A-Ereignis kann nicht erzeugt werden" ++ ++#: ../../src/lib/apputils/net-server.c:475 ++msgid "cannot save event" ++msgstr "Ereignis kann nicht gesichert werden" ++ ++#: ../../src/lib/apputils/net-server.c:495 ++#, c-format ++msgid "file descriptor number %d too high" ++msgstr "Dateideskriptornummer %d zu hoch" ++ ++#: ../../src/lib/apputils/net-server.c:503 ++msgid "cannot allocate storage for connection info" ++msgstr "Speicher für Verbindungsinformation kann nicht reserviert werden" ++ ++#: ../../src/lib/apputils/net-server.c:562 ++#, c-format ++msgid "Cannot create TCP server socket on %s" ++msgstr "Auf %s kann kein TCP-Server-Socket erstellt werden." 
++ ++#: ../../src/lib/apputils/net-server.c:571 ++#, c-format ++msgid "TCP socket fd number %d (for %s) too high" ++msgstr "TCP-Socket-Deskriptornummer %d (für %s) zu hoch" ++ ++#: ../../src/lib/apputils/net-server.c:579 ++#, c-format ++msgid "Cannot enable SO_REUSEADDR on fd %d" ++msgstr "SO_REUSEADDR kann nicht für Dateideskriptor %d aktiviert werden" ++ ++#: ../../src/lib/apputils/net-server.c:586 ++#, c-format ++msgid "setsockopt(%d,IPV6_V6ONLY,1) failed" ++msgstr "setsockopt(%d,IPV6_V6ONLY,1) fehlgeschlagen" ++ ++#: ../../src/lib/apputils/net-server.c:588 ++#, c-format ++msgid "setsockopt(%d,IPV6_V6ONLY,1) worked" ++msgstr "setsockopt(%d,IPV6_V6ONLY,1) funktioniert" ++ ++#: ../../src/lib/apputils/net-server.c:591 ++msgid "no IPV6_V6ONLY socket option support" ++msgstr "keine Socket-Option für IPV6_V6ONLY unterstützt" ++ ++#: ../../src/lib/apputils/net-server.c:597 ++#, c-format ++msgid "Cannot bind server socket on %s" ++msgstr "Server-Socket kann nicht an %s gebunden werden" ++ ++#: ../../src/lib/apputils/net-server.c:624 ++#, c-format ++msgid "Cannot create RPC service: %s; continuing" ++msgstr "RPC-Dienst kann nicht erstellt werden: %s; es wird fortgefahren" ++ ++#: ../../src/lib/apputils/net-server.c:633 ++#, c-format ++msgid "Cannot register RPC service: %s; continuing" ++msgstr "RPC-Dienst kann nicht registriert werden: %s; es wird fortgefahren" ++ ++#: ../../src/lib/apputils/net-server.c:682 ++#, c-format ++msgid "Cannot listen on TCP server socket on %s" ++msgstr "" ++"Auf dem TCP-Server-Socket kann nicht auf eine Verbindung gewartet werden auf " ++"%s." ++ ++#: ../../src/lib/apputils/net-server.c:688 ++#, c-format ++msgid "cannot set listening tcp socket on %s non-blocking" ++msgstr "" ++"Das auf eine Verbindung wartende TCP-Socket kann nicht auf nicht-" ++"blockierendes %s gesetzt werden." 
++ ++#: ../../src/lib/apputils/net-server.c:695 ++#, c-format ++msgid "disabling SO_LINGER on TCP socket on %s" ++msgstr "SO_LINGER auf dem TCP-Socket auf %s wird deaktiviert" ++ ++#: ../../src/lib/apputils/net-server.c:743 ++#: ../../src/lib/apputils/net-server.c:752 ++#, c-format ++msgid "listening on fd %d: tcp %s" ++msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: TCP %s" ++ ++#: ../../src/lib/apputils/net-server.c:757 ++msgid "assuming IPv6 socket accepts IPv4" ++msgstr "es wird davon ausgegangen, dass das IPv6-Socket IPv4 akzeptiert" ++ ++#: ../../src/lib/apputils/net-server.c:791 ++#: ../../src/lib/apputils/net-server.c:804 ++#, c-format ++msgid "listening on fd %d: rpc %s" ++msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: RPC %s" ++ ++#: ../../src/lib/apputils/net-server.c:883 ++#, c-format ++msgid "Cannot request packet info for udp socket address %s port %d" ++msgstr "" ++"Paketinformation für UDP-Socket-Adresse %s, Port %d, kann nicht abgefragt " ++"werden" ++ ++#: ../../src/lib/apputils/net-server.c:889 ++#, c-format ++msgid "listening on fd %d: udp %s%s" ++msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: UDP %s%s" ++ ++#: ../../src/lib/apputils/net-server.c:918 ++msgid "Failed to reconfigure network, exiting" ++msgstr "Neukonfiguration des Netzwerks fehlgeschlagen, wird beendet" ++ ++#: ../../src/lib/apputils/net-server.c:979 ++#, c-format ++msgid "" ++"unhandled routing message type %d, will reconfigure just for the fun of it" ++msgstr "" ++"nicht behandelter Routing-Meldungstyp %d, es wird es nur zum Spaß neu " ++"konfiguriert" ++ ++#: ../../src/lib/apputils/net-server.c:1013 ++#, c-format ++msgid "short read (%d/%d) from routing socket" ++msgstr "ungenügende Daten (%d/%d) vom Routing-Socket gelesen" ++ ++#: ../../src/lib/apputils/net-server.c:1023 ++#, c-format ++msgid "read %d from routing socket but msglen is %d" ++msgstr "%d vom Routing-Socket gelesen, Nachrichtenlänge ist jedoch %d" ++ ++#: 
../../src/lib/apputils/net-server.c:1055 ++#, c-format ++msgid "couldn't set up routing socket: %s" ++msgstr "Routing-Socket konnte nicht eingerichtet werden: %s" ++ ++#: ../../src/lib/apputils/net-server.c:1058 ++#, c-format ++msgid "routing socket is fd %d" ++msgstr "Das Routing-Socket hat den Dateideskriptor %d." ++ ++#: ../../src/lib/apputils/net-server.c:1084 ++msgid "setting up network..." ++msgstr "Netzwerk wird eingerichtet …" ++ ++#: ../../src/lib/apputils/net-server.c:1101 ++#, c-format ++msgid "set up %d sockets" ++msgstr "%d Sockets werden eingerichtet" ++ ++#: ../../src/lib/apputils/net-server.c:1103 ++msgid "no sockets set up?" ++msgstr "keine Sockets eingerichtet?" ++ ++#: ../../src/lib/apputils/net-server.c:1351 ++#: ../../src/lib/apputils/net-server.c:1405 ++msgid "while dispatching (udp)" ++msgstr "beim Versenden (UDP)" ++ ++#: ../../src/lib/apputils/net-server.c:1380 ++#, c-format ++msgid "while sending reply to %s/%s from %s" ++msgstr "beim Senden der Antwort zu %s/%s von %s" ++ ++#: ../../src/lib/apputils/net-server.c:1385 ++#, c-format ++msgid "short reply write %d vs %d\n" ++msgstr "ungenügende Ausgabe der Antwort %d gegenüber %d\n" ++ ++#: ../../src/lib/apputils/net-server.c:1430 ++msgid "while receiving from network" ++msgstr "beim Empfangen vom Netzwerk" ++ ++#: ../../src/lib/apputils/net-server.c:1446 ++#, c-format ++msgid "pktinfo says local addr is %s" ++msgstr "Pktinfo sagt, die lokale Adresse sei %s" ++ ++#: ../../src/lib/apputils/net-server.c:1479 ++msgid "too many connections" ++msgstr "zu viele Verbindungen" ++ ++#: ../../src/lib/apputils/net-server.c:1502 ++#, c-format ++msgid "dropping %s fd %d from %s" ++msgstr "%s Dateideskriptor %d von %s wird verworfen" ++ ++#: ../../src/lib/apputils/net-server.c:1580 ++#, c-format ++msgid "allocating buffer for new TCP session from %s" ++msgstr "Puffer für neue TCP-Sitzung von %s wird reserviert" ++ ++#: ../../src/lib/apputils/net-server.c:1610 ++msgid "while dispatching (tcp)" ++msgstr 
"beim Versenden (TCP)" ++ ++#: ../../src/lib/apputils/net-server.c:1642 ++msgid "error allocating tcp dispatch private!" ++msgstr "Fehler beim Reservieren zum nicht öffentlichen TCP-Versand!" ++ ++#: ../../src/lib/apputils/net-server.c:1689 ++#, c-format ++msgid "TCP client %s wants %lu bytes, cap is %lu" ++msgstr "TCP-Client %s will %lu Byte, Cap ist %lu" ++ ++#: ../../src/lib/apputils/net-server.c:1697 ++#, c-format ++msgid "error constructing KRB_ERR_FIELD_TOOLONG error! %s" ++msgstr "Fehler beim Erzeugen des KRB_ERR_FIELD_TOOLONG-Fehlers! %s" ++ ++#: ../../src/lib/apputils/net-server.c:1876 ++#, c-format ++msgid "accepted RPC connection on socket %d from %s" ++msgstr "akzeptierte PRC-Verbindung auf Socket %d von %s" ++ ++# pseudo random function ++#: ../../src/lib/crypto/krb/cf2.c:114 ++#, c-format ++msgid "Enctype %d has no PRF" ++msgstr "Verschlüsselungstyp %d hat keine PRF" ++ ++#: ../../src/lib/crypto/krb/prng_fortuna.c:428 ++msgid "Random number generator could not be seeded" ++msgstr "Zufallszahlengenerator konnte kein Startwert zugewiesen werden" ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:43 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:165 ++msgid "A required input parameter could not be read" ++msgstr "Ein benötigter Eingabeparameter konnte nicht gelesen werden." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:44 ++msgid "A required input parameter could not be written" ++msgstr "Ein benötigter Eingabeparameter konnte nicht geschrieben werden." 
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:45
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:175
++msgid "A parameter was malformed"
++msgstr "Ein Parameter hatte eine falsche Form"
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:48
++msgid "calling error"
++msgstr "Aufruffehler"
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:59
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:195
++msgid "An unsupported mechanism was requested"
++msgstr "Ein nicht unterstützter Mechanismus wurde angefordert."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:60
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:199
++msgid "An invalid name was supplied"
++msgstr "Ein ungültiger Name wurde übergeben."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:61
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:203
++msgid "A supplied name was of an unsupported type"
++msgstr "Ein übergebener Name hatte einen nicht unterstützten Typ."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:62
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:208
++msgid "Incorrect channel bindings were supplied"
++msgstr "Falsche Kanalbindungen wurden übergeben."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:63
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:179
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:274
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:334
++msgid "An invalid status code was supplied"
++msgstr "Ein ungültiger Statuscode wurde übergeben."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:64
++msgid "A token had an invalid signature"
++msgstr "Ein Merkmal hatte eine ungültige Signatur."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:65
++msgid "No credentials were supplied"
++msgstr "Es wurden keine Anmeldedaten übergeben."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:66
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:223
++msgid "No context has been established"
++msgstr "Es wurde keine Kontext etabliert."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:67
++msgid "A token was invalid"
++msgstr "Ein Merkmal war ungültig."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:68
++msgid "A credential was invalid"
++msgstr "Eine der Anmeldedaten war ungültig."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:69
++msgid "The referenced credentials have expired"
++msgstr "Die referenzierten Anmeldedaten sind abgelaufen."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:70
++msgid "The context has expired"
++msgstr "Der Kontext ist abgelaufen."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:71
++msgid "Miscellaneous failure"
++msgstr "sonstiger Fehlschlag"
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:72
++msgid "The quality-of-protection requested could not be provided"
++msgstr ""
++"Die angeforderte Qualität des Schutzes konnte nicht bereitgestellt werden."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:73
++msgid "The operation is forbidden by the local security policy"
++msgstr "Die Aktion wird durch die lokale Sicherheitsrichtinie verboten."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:74
++msgid "The operation or option is not available"
++msgstr "Die Aktion oder Option ist nicht verfügbar."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:77
++msgid "routine error"
++msgstr "Fehler in einer Routine"
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:89
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:311
++msgid "The routine must be called again to complete its function"
++msgstr ""
++"Die Routine muss erneut aufgerufen werden, um ihre Funktion zu "
++"vervollständigen."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:90
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:316
++msgid "The token was a duplicate of an earlier token"
++msgstr "Das Merkmal war ein Zweitexemplar eines früheren Merkmals."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:91
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:321
++msgid "The token's validity period has expired"
++msgstr "Die Gültigkeitsperiode des Merkmals ist abgelaufen."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:92
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:325
++msgid "A later token has already been processed"
++msgstr "Es wurde bereits ein neueres Merkmal verarbeitet."
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:95
++msgid "supplementary info code"
++msgstr "zusätzlicher Informationscode"
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:106
++#: ../lib/krb5/error_tables/krb5_err.c:23
++msgid "No error"
++msgstr "kein Fehler"
++
++#: ../../src/lib/gssapi/generic/disp_major_status.c:107
++#, c-format
++msgid "Unknown %s (field = %d)"
++msgstr "%s unbekannt (Feld = %d)"
++
++#: ../../src/lib/gssapi/krb5/acquire_cred.c:165
++#, c-format
++msgid "No key table entry found matching %s"
++msgstr "Es wurde kein zu %s passender Schlüsseltabelleneintrag gefunden."
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:161
++msgid "The routine completed successfully"
++msgstr "Die Routine wurde erfolgreich abgeschlossen"
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:170
++msgid "A required output parameter could not be written"
++msgstr "Ein erforderlicher Ausgabeparameter konnte nicht geschrieben werden."
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:212
++msgid "A token had an invalid Message Integrity Check (MIC)"
++msgstr ""
++"Ein Merkmal hatte eine ungültige Meldungsintegritätsprüfung (Message "
++"Integrity Check/MIC)."
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:217
++msgid ""
++"No credentials were supplied, or the credentials were unavailable or "
++"inaccessible"
++msgstr ""
++"Es wurden keine Anmeldedaten übergeben oder die Anmeldedaten waren nicht "
++"verfügbar bzw. ein Zugriff darauf nicht möglich."
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:227
++msgid "Invalid token was supplied"
++msgstr "Es wurde ein ungültiges Token übergeben."
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:231
++msgid "Invalid credential was supplied"
++msgstr "ungültige Anmeldedaten wurden übergeben"
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:235
++msgid "The referenced credential has expired"
++msgstr "Die referenzierten Anmeldedaten sind abgelaufen."
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:239
++msgid "The referenced context has expired"
++msgstr "Der referenzierte Kontext ist abgelaufen."
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:243
++msgid "Unspecified GSS failure. Minor code may provide more information"
++msgstr ""
++"nicht spezifizierter GSS-Fehlschlag. Möglicherweise stellt der "
++"untergeordnete Code weitere Informationen bereit."
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:248
++msgid "The quality-of-protection (QOP) requested could not be provided"
++msgstr ""
++"Die Qualität des Schutzes (quality-of-protection/QOP) konnte nicht "
++"bereitgestellt werden."
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:253
++msgid "The operation is forbidden by local security policy"
++msgstr "Die Aktion wird durch die lokale Sicherheitsrichtinie verboten."
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:258
++msgid "The operation or option is not available or unsupported"
++msgstr ""
++"Die Aktion oder Option ist nicht verfügbar oder wird nicht unterstützt."
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:263
++msgid "The requested credential element already exists"
++msgstr "Das angeforderte Anmeldedatenelement existiert bereits."
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:268
++msgid "The provided name was not mechanism specific (MN)"
++msgstr "Der bereitgestellte Name war nicht mechanismusspezifisch (MN)."
++
++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:329
++msgid "An expected per-message token was not received"
++msgstr "Ein erwartetes nachrichtenspezifisches Token wurde nicht empfangen."
++
++#: ../../src/lib/gssapi/spnego/spnego_mech.c:1860
++msgid "SPNEGO cannot find mechanisms to negotiate"
++msgstr "SPNEGO kann keine Mechanismen zum Aushandeln finden."
++
++#: ../../src/lib/gssapi/spnego/spnego_mech.c:1865
++msgid "SPNEGO failed to acquire creds"
++msgstr "SPNEGO ist beim Beschaffen von Anmeldedaten gescheitert"
++
++#: ../../src/lib/gssapi/spnego/spnego_mech.c:1870
++msgid "SPNEGO acceptor did not select a mechanism"
++msgstr "SPNEGO-Abnehmer hat keinen Mechanismus ausgewählt"
++
++#: ../../src/lib/gssapi/spnego/spnego_mech.c:1875
++msgid "SPNEGO failed to negotiate a mechanism"
++msgstr "SPNEGO ist beim Aushandeln eines Mechanismus gescheitert."
++ ++#: ../../src/lib/gssapi/spnego/spnego_mech.c:1880 ++msgid "SPNEGO acceptor did not return a valid token" ++msgstr "SPNEGO-Abnehmer hat kein gültiges Token zurückgeliefert" ++ ++#: ../../src/lib/kadm5/alt_prof.c:854 ++#, c-format ++msgid "Cannot resolve address of admin server \"%s\" for realm \"%s\"" ++msgstr "" ++"Adresse des Admin-Servers »%s« für Realm »%s« kann nicht ermittelt werden" ++ ++#: ../../src/lib/kadm5/logger.c:56 ++#, c-format ++msgid "%s: cannot parse <%s>\n" ++msgstr "%s: <%s> kann nicht ausgewertet werden\n" ++ ++#: ../../src/lib/kadm5/logger.c:57 ++#, c-format ++msgid "%s: warning - logging entry syntax error\n" ++msgstr "%s: Warnung – Syntaxfehler bei Protokolleintrag\n" ++ ++#: ../../src/lib/kadm5/logger.c:58 ++#, c-format ++msgid "%s: error writing to %s\n" ++msgstr "%s: Fehler beim Schreiben auf %s\n" ++ ++#: ../../src/lib/kadm5/logger.c:59 ++#, c-format ++msgid "%s: error writing to %s device\n" ++msgstr "%s: Fehler beim Schreiben auf Gerät %s\n" ++ ++#: ../../src/lib/kadm5/logger.c:61 ++msgid "EMERGENCY" ++msgstr "NOTFALL" ++ ++#: ../../src/lib/kadm5/logger.c:62 ++msgid "ALERT" ++msgstr "ALARM" ++ ++#: ../../src/lib/kadm5/logger.c:63 ++msgid "CRITICAL" ++msgstr "KRITISCH" ++ ++#: ../../src/lib/kadm5/logger.c:64 ++msgid "Error" ++msgstr "Fehler" ++ ++#: ../../src/lib/kadm5/logger.c:65 ++msgid "Warning" ++msgstr "Warnung" ++ ++#: ../../src/lib/kadm5/logger.c:66 ++msgid "Notice" ++msgstr "Hinweis" ++ ++#: ../../src/lib/kadm5/logger.c:67 ++msgid "info" ++msgstr "Information" ++ ++#: ../../src/lib/kadm5/logger.c:68 ++msgid "debug" ++msgstr "Fehlersuchmeldung" ++ ++#: ../../src/lib/kadm5/logger.c:967 ++#, c-format ++msgid "Couldn't open log file %s: %s\n" ++msgstr "Protokolldatei %s konnte nicht geöffnet werden: %s\n" ++ ++#: ../../src/lib/kadm5/srv/kadm5_hook.c:119 ++#, c-format ++msgid "kadm5_hook %s failed postcommit %s: %s" ++msgstr "»kadm5_hook« %s ist beim Nach-Commit %s gescheitert: %s" ++ ++#: 
../../src/lib/kadm5/srv/pwqual_dict.c:106 ++msgid "No dictionary file specified, continuing without one." ++msgstr "keine Wörterbuchdatei angegeben, es wird ohne fortgefahren" ++ ++#: ../../src/lib/kadm5/srv/pwqual_dict.c:113 ++#, c-format ++msgid "WARNING! Cannot find dictionary file %s, continuing without one." ++msgstr "" ++"WARNUNG! Wörterbuchdatei %s kann nicht gefunden werden, es wird ohne " ++"fortgefahren" ++ ++#: ../../src/lib/kadm5/srv/pwqual_empty.c:42 ++msgid "Empty passwords are not allowed" ++msgstr "Leere Passwörter sind nicht erlaubt." ++ ++#: ../../src/lib/kadm5/srv/pwqual_hesiod.c:114 ++msgid "Password may not match user information." ++msgstr "Das Passwort darf keinen Anwenderdaten entsprechen." ++ ++#: ../../src/lib/kadm5/srv/pwqual_princ.c:54 ++msgid "Password may not match principal name" ++msgstr "Das Passwort darf nicht mit dem Principal-Namen übereinstimmen." ++ ++#: ../../src/lib/kadm5/srv/server_acl.c:89 ++#, c-format ++msgid "%s: line %d too long, truncated" ++msgstr "%s: Zeile %d zu lang, wurde gekürzt" ++ ++#: ../../src/lib/kadm5/srv/server_acl.c:90 ++#, c-format ++msgid "Unrecognized ACL operation '%c' in %s" ++msgstr "unbekannte ACL-Aktion »%c« in %s" ++ ++#: ../../src/lib/kadm5/srv/server_acl.c:92 ++#, c-format ++msgid "%s: syntax error at line %d <%10s...>" ++msgstr "%s: Syntaxfehler in Zeile %d <%10s …>" ++ ++#: ../../src/lib/kadm5/srv/server_acl.c:94 ++#, c-format ++msgid "%s while opening ACL file %s" ++msgstr "%s beim Öffnen der ACL-Datei %s" ++ ++#: ../../src/lib/kadm5/srv/server_acl.c:353 ++#, c-format ++msgid "%s: invalid restrictions: %s" ++msgstr "%s: ungültige Beschränkung: %s" ++ ++#: ../../src/lib/kadm5/srv/server_kdb.c:192 ++msgid "History entry contains no key data" ++msgstr "Chronikeintrag enthält keine Schlüsseldaten" ++ ++#: ../../src/lib/kadm5/srv/server_misc.c:128 ++#, c-format ++msgid "password quality module %s rejected password for %s: %s" ++msgstr "" ++"Das Modul %s für Passwortqualität hat das Passwort für 
%s abgelehnt: %s" ++ ++#: ../../src/lib/kadm5/str_conv.c:80 ++msgid "Not Postdateable" ++msgstr "nicht vordatierbar" ++ ++#: ../../src/lib/kadm5/str_conv.c:81 ++msgid "Not Forwardable" ++msgstr "nicht weiterleitbar" ++ ++#: ../../src/lib/kadm5/str_conv.c:82 ++msgid "No TGT-based requests" ++msgstr "keine TGT-basierten Anfragen" ++ ++#: ../../src/lib/kadm5/str_conv.c:83 ++msgid "Not renewable" ++msgstr "nicht erneuerbar" ++ ++#: ../../src/lib/kadm5/str_conv.c:84 ++msgid "Not proxiable" ++msgstr "Proxy nicht nutzbar" ++ ++#: ../../src/lib/kadm5/str_conv.c:85 ++msgid "No DUP_SKEY requests" ++msgstr "keine DUP_SKEY-Anfragen" ++ ++#: ../../src/lib/kadm5/str_conv.c:86 ++msgid "All Tickets Disallowed" ++msgstr "keine Tickets erlaubt" ++ ++#: ../../src/lib/kadm5/str_conv.c:87 ++msgid "Preauthentication required" ++msgstr "Vorauthentifizierung erforderlich" ++ ++#: ../../src/lib/kadm5/str_conv.c:88 ++msgid "HW authentication required" ++msgstr "HW-Authentifizierung erforderlich" ++ ++#: ../../src/lib/kadm5/str_conv.c:89 ++msgid "OK as Delegate" ++msgstr "OK als Vertreter" ++ ++#: ../../src/lib/kadm5/str_conv.c:90 ++msgid "Password Change required" ++msgstr "Passwortänderung erforderlich" ++ ++#: ../../src/lib/kadm5/str_conv.c:91 ++msgid "Service Disabled" ++msgstr "Dienst deaktiviert" ++ ++#: ../../src/lib/kadm5/str_conv.c:92 ++msgid "Password Changing Service" ++msgstr "Passwortänderungsdienst" ++ ++#: ../../src/lib/kadm5/str_conv.c:93 ++msgid "RSA-MD5 supported" ++msgstr "RSA-MD5 unterstützt" ++ ++#: ../../src/lib/kadm5/str_conv.c:94 ++msgid "Protocol transition with delegation allowed" ++msgstr "Protokollübergang mit Vertretung erlaubt" ++ ++#: ../../src/lib/kadm5/str_conv.c:95 ++msgid "No authorization data required" ++msgstr "keine Authentifizierungsdaten erforderlich" ++ ++#: ../../src/lib/kdb/kdb5.c:219 ++msgid "No default realm set; cannot initialize KDB" ++msgstr "kein Standard-Realm gesetzt; KDB kann nicht initialisiert werden" ++ ++#: ../../src/lib/kdb/kdb5.c:324 
../../src/lib/kdb/kdb5.c:406 ++#, c-format ++msgid "Unable to find requested database type: %s" ++msgstr "angeforderter Datenbanktyp kann nicht gefunden werden. %s" ++ ++#: ../../src/lib/kdb/kdb5.c:416 ++#, c-format ++msgid "plugin symbol 'kdb_function_table' lookup failed: %s" ++msgstr "" ++"Nachschlagen des Erweiterungssymbols »kdb_function_table« fehlgeschlagen: %s" ++ ++#: ../../src/lib/kdb/kdb5.c:426 ++#, c-format ++msgid "" ++"Unable to load requested database module '%s': plugin symbol " ++"'kdb_function_table' not found" ++msgstr "" ++"angefordertes Datenbankmodul »%s« kann nicht geladen werden: " ++"Erweiterungssymbol »kdb_function_table« nicht gefunden" ++ ++#: ../../src/lib/kdb/kdb5.c:1650 ++#, c-format ++msgid "Illegal version number for KRB5_TL_MKEY_AUX %d\n" ++msgstr "Ungültige Versionsnummer für KRB5_TL_MKEY_AUX %d\n" ++ ++#: ../../src/lib/kdb/kdb5.c:1819 ++#, c-format ++msgid "Illegal version number for KRB5_TL_ACTKVNO %d\n" ++msgstr "Ungültige Versionsnummer für KRB5_TL_ACTKVNO %d\n" ++ ++#: ../../src/lib/kdb/kdb_default.c:164 ++#, c-format ++msgid "keyfile (%s) is not a regular file: %s" ++msgstr "Schlüsseldatei (%s) ist keine normale Datei: %s" ++ ++#: ../../src/lib/kdb/kdb_default.c:177 ++msgid "Could not create temp keytab file name." ++msgstr "Temporärer Schlüsseltabellendateiname konnte nicht erstellt werden." ++ ++#: ../../src/lib/kdb/kdb_default.c:202 ++#, c-format ++msgid "Temporary stash file already exists: %s." ++msgstr "Temporäre Ablagedatei existiert bereits: %s." ++ ++#: ../../src/lib/kdb/kdb_default.c:230 ++#, c-format ++msgid "rename of temporary keyfile (%s) to (%s) failed: %s" ++msgstr "" ++"Umbenennen von temporärer Schlüsseldatei (%s) in (%s) fehlgeschlagen: %s" ++ ++#: ../../src/lib/kdb/kdb_default.c:419 ++#, c-format ++msgid "Can not fetch master key (error: %s)." 
++msgstr "Hauptschlüssel kann nicht abgeholt werden (Fehler: %s)"
++
++#: ../../src/lib/kdb/kdb_default.c:482
++msgid "Unable to decrypt latest master key with the provided master key\n"
++msgstr ""
++"Letzter Hauptschlüssel kann nicht mit dem bereitgestellten Hauptschlüssel "
++"entschlüsselt werden.\n"
++
++#: ../../src/lib/kdb/kdb_log.c:83
++msgid "could not sync ulog header to disk"
++msgstr "Ulog-Kopfzeilen konnten nicht auf die Platte synchronisiert werden"
++
++#: ../../src/lib/krb5/ccache/cc_dir.c:122
++#, c-format
++msgid "Subsidiary cache path %s has no parent directory"
++msgstr ""
++"Ergänzender Zwischenspeicherpfad %s hat kein übergeordnetes Verzeichnis."
++
++#: ../../src/lib/krb5/ccache/cc_dir.c:128
++#, c-format
++msgid "Subsidiary cache path %s filename does not begin with \"tkt\""
++msgstr ""
++"Dateiname des ergänzenden Zwischenspeicherpfads %s beginnt nicht mit »tkt«"
++
++#: ../../src/lib/krb5/ccache/cc_dir.c:169
++#, c-format
++msgid "%s contains invalid filename"
++msgstr "%s enthält einen ungültigen Dateinamen."
++
++#: ../../src/lib/krb5/ccache/cc_dir.c:229
++#, c-format
++msgid "Credential cache directory %s does not exist"
++msgstr "Anmeldedatenzwischenspeicherverzeichnis %s existiert nicht."
++
++#: ../../src/lib/krb5/ccache/cc_dir.c:235
++#, c-format
++msgid "Credential cache directory %s exists but is not a directory"
++msgstr ""
++"Anmeldedatenzwischenspeicherverzeichnis %s existiert, ist jedoch kein "
++"Verzeichnis"
++
++#: ../../src/lib/krb5/ccache/cc_dir.c:400
++msgid ""
++"Can't create new subsidiary cache because default cache is not a directory "
++"collection"
++msgstr ""
++"Der neue ergänzende Zwischenspeicher kann nicht erstellt werden, da der "
++"Standardzwischenspeicher keine Ansammlung von Verzeichnissen ist."
++
++#: ../../src/lib/krb5/ccache/cc_file.c:569
++#, c-format
++msgid "Credentials cache file '%s' not found"
++msgstr "Anmeldedatenzwischenspeicherdatei »%s« nicht gefunden"
++
++#: ../../src/lib/krb5/ccache/cc_file.c:1575
++#, c-format
++msgid "Credentials cache I/O operation failed (%s)"
++msgstr "Anmeldedatenzwischenspeicher-E/A-Aktion fehlgeschlagen (%s)"
++
++#: ../../src/lib/krb5/ccache/cc_keyring.c:1151
++msgid ""
++"Can't create new subsidiary cache because default cache is already a "
++"subsidiary"
++msgstr ""
++"Der neue ergänzende Zwischenspeicher kann nicht erstellt werden, da der "
++"Standardzwischenspeicher bereits eine Ergänzung ist."
++
++#: ../../src/lib/krb5/ccache/cc_keyring.c:1219
++#, c-format
++msgid "Credentials cache keyring '%s' not found"
++msgstr "Schlüsselbund %s des Anmeldedatenzwischenspeichers nicht gefunden"
++
++#: ../../src/lib/krb5/ccache/cccursor.c:212
++#, c-format
++msgid "Can't find client principal %s in cache collection"
++msgstr ""
++"Client-Principal %s kann nicht in der Zwischenspeicheransammlung gefunden "
++"werden"
++
++#: ../../src/lib/krb5/ccache/cccursor.c:253
++msgid "No Kerberos credentials available"
++msgstr "keine Kerberos-Anmeldedaten verfügbar"
++
++#: ../../src/lib/krb5/keytab/kt_file.c:398
++#, c-format
++msgid "No key table entry found for %s"
++msgstr "Für %s wurde kein Schlüsseltabelleneintrag gefunden."
++
++#: ../../src/lib/krb5/keytab/kt_file.c:815
++#: ../../src/lib/krb5/keytab/kt_file.c:848
++msgid "Cannot change keytab with keytab iterators active"
++msgstr ""
++"Schlüsseltabelle mit aktiven Schlüsseltabelleniteratoren kann nicht geändert "
++"werden"
++
++#: ../../src/lib/krb5/keytab/kt_file.c:1047
++#, c-format
++msgid "Key table file '%s' not found"
++msgstr "Schlüsseltabellendatei »%s« nicht gefunden"
++
++#: ../../src/lib/krb5/keytab/ktfns.c:127
++#, c-format
++msgid "Keytab %s is nonexistent or empty"
++msgstr "Schlüsseltabelle %s existiert nicht oder ist leer"
++
++#: ../../src/lib/krb5/krb/chpw.c:251
++msgid "Malformed request error"
++msgstr "Fehler wegen Anfrage in falscher Form"
++
++#: ../../src/lib/krb5/krb/chpw.c:254 ../lib/krb5/error_tables/kdb5_err.c:58
++msgid "Server error"
++msgstr "Serverfehler"
++
++#: ../../src/lib/krb5/krb/chpw.c:257
++msgid "Authentication error"
++msgstr "Authentifizierungsfehler"
++
++#: ../../src/lib/krb5/krb/chpw.c:260
++msgid "Password change rejected"
++msgstr "Passwortänderung abgelehnt"
++
++#: ../../src/lib/krb5/krb/chpw.c:263
++msgid "Access denied"
++msgstr "Zugriff verweigert"
++
++#: ../../src/lib/krb5/krb/chpw.c:266
++msgid "Wrong protocol version"
++msgstr "falsche Protokollversion"
++
++#: ../../src/lib/krb5/krb/chpw.c:269
++msgid "Initial password required"
++msgstr "Erstpasswort erforderlich"
++
++#: ../../src/lib/krb5/krb/chpw.c:272
++msgid "Success"
++msgstr "Erfolg"
++
++#: ../../src/lib/krb5/krb/chpw.c:275 ../lib/krb5/error_tables/krb5_err.c:257
++msgid "Password change failed"
++msgstr "Ändern des Passworts fehlgeschlagen"
++
++#: ../../src/lib/krb5/krb/chpw.c:433
++msgid ""
++"The password must include numbers or symbols. Don't include any part of "
++"your name in the password."
++msgstr ""
++"Das Passwort muss Zahlen oder Symbole enthalten. Fügen Sie keinen Teil Ihres "
++"Namens in das Passwort ein."
++
++#: ../../src/lib/krb5/krb/chpw.c:439
++#, c-format
++msgid "The password must contain at least %d character."
++msgid_plural "The password must contain at least %d characters."
++msgstr[0] "Das Passwort muss mindestens %d Zeichen enthalten."
++msgstr[1] "Das Passwort muss mindestens %d Zeichen enthalten."
++
++#: ../../src/lib/krb5/krb/chpw.c:448
++#, c-format
++msgid "The password must be different from the previous password."
++msgid_plural "The password must be different from the previous %d passwords."
++msgstr[0] "Das Passwort muss sich vom vorhergehenden Passwort unterscheiden."
++msgstr[1] ""
++"Das Passwort muss sich von den vorhergehenden %d Passwörtern unterscheiden."
++
++#: ../../src/lib/krb5/krb/chpw.c:460
++#, c-format
++msgid "The password can only be changed once a day."
++msgid_plural "The password can only be changed every %d days."
++msgstr[0] "Das Passwort kann nur einmal täglich geändert werden."
++msgstr[1] "Das Passwort kann nur alle %d Tage geändert werden."
++
++#: ../../src/lib/krb5/krb/chpw.c:506
++msgid "Try a more complex password, or contact your administrator."
++msgstr ""
++"Versuchen Sie es mit einem etwas komplexeren Passwort oder wenden Sie sich "
++"an Ihren Administrator."
++
++#: ../../src/lib/krb5/krb/fast.c:217
++#, c-format
++msgid "%s constructing AP-REQ armor"
++msgstr "%s-Konstruktion von AP-REQ-Schutz"
++
++#: ../../src/lib/krb5/krb/fast.c:399
++#, c-format
++msgid "%s while decrypting FAST reply"
++msgstr "%s beim Entschlüsseln der FAST-Antwort"
++
++#: ../../src/lib/krb5/krb/fast.c:408
++msgid "nonce modified in FAST response: KDC response modified"
++msgstr ""
++"Nummer für einmaligen Gebrauch in der FAST-Anwort geändert: KDC-Anwort "
++"geändert"
++
++#: ../../src/lib/krb5/krb/fast.c:474
++msgid "Expecting FX_ERROR pa-data inside FAST container"
++msgstr "Innerhalb des FAST-Containers wird »FX_ERROR pa-data« erwartet."
++
++#: ../../src/lib/krb5/krb/fast.c:545
++msgid "FAST response missing finish message in KDC reply"
++msgstr "Der FAST-Anwort fehlt die Beendigungsnachricht in der KDC-Anwort"
++
++#: ../../src/lib/krb5/krb/fast.c:558
++msgid "Ticket modified in KDC reply"
++msgstr "Ticket in der KDC-Antwort verändert"
++
++#: ../../src/lib/krb5/krb/gc_via_tkt.c:208
++#, c-format
++msgid "KDC returned error string: %.*s"
++msgstr "KDC gab eine Fehlermeldung zurück: %.*s"
++
++#: ../../src/lib/krb5/krb/gc_via_tkt.c:217
++#, c-format
++msgid "Server %s not found in Kerberos database"
++msgstr "Server %s wurde nicht in der Kerberos-Datenbank gefunden"
++
++#: ../../src/lib/krb5/krb/get_in_tkt.c:133
++msgid "Reply has wrong form of session key for anonymous request"
++msgstr ""
++"Antwort hat die falsche Form des Sitzungschlüssels für eine anonyme Anfrage"
++
++#: ../../src/lib/krb5/krb/get_in_tkt.c:1628
++#, c-format
++msgid "%s while storing credentials"
++msgstr "%s beim Speichern der Anmeldedaten"
++
++#: ../../src/lib/krb5/krb/get_in_tkt.c:1715
++#, c-format
++msgid "Client '%s' not found in Kerberos database"
++msgstr "Client »%s« wurde nicht in der Kerberos-Datenbank gefunden"
++
++#: ../../src/lib/krb5/krb/gic_keytab.c:207
++#, c-format
++msgid "Keytab contains no suitable keys for %s"
++msgstr "Schlüsseltabelle enthält keine passenden Schlüssel für %s"
++
++#: ../../src/lib/krb5/krb/gic_pwd.c:75
++#, c-format
++msgid "Password for %s"
++msgstr "Passwort for %s"
++
++#: ../../src/lib/krb5/krb/gic_pwd.c:227
++#, c-format
++msgid "Warning: Your password will expire in less than one hour on %s"
++msgstr ""
++"Warnung: Ihr Passwort auf %s wird in weniger als einer Stunde ablaufen."
++
++# FIXME in German impossible; plural without »s«
++#: ../../src/lib/krb5/krb/gic_pwd.c:231
++#, c-format
++msgid "Warning: Your password will expire in %d hour%s on %s"
++msgstr "Warnung: Ihr Passwort wird in %d Stunden%s auf %s ablaufen."
++
++#: ../../src/lib/krb5/krb/gic_pwd.c:235
++#, c-format
++msgid "Warning: Your password will expire in %d days on %s"
++msgstr "Warnung: Ihr Passwort wird in %d Tagen auf %s ablaufen."
++
++#: ../../src/lib/krb5/krb/gic_pwd.c:409
++msgid "Password expired. You must change it now."
++msgstr "Passwort abgelaufen. Sie müssen es nun ändern."
++
++#: ../../src/lib/krb5/krb/gic_pwd.c:428 ../../src/lib/krb5/krb/gic_pwd.c:432
++#, c-format
++msgid "%s. Please try again."
++msgstr "%s. Bitte versuchen Sie es erneut."
++
++#: ../../src/lib/krb5/krb/gic_pwd.c:471
++#, c-format
++msgid "%.*s%s%s. Please try again.\n"
++msgstr "%.*s%s%s. Bitte versuchen Sie es erneut.\n"
++
++#: ../../src/lib/krb5/krb/parse.c:203
++#, c-format
++msgid "Principal %s is missing required realm"
++msgstr "Principal %s fehlt erforderlicher Realm"
++
++#: ../../src/lib/krb5/krb/parse.c:215
++#, c-format
++msgid "Principal %s has realm present"
++msgstr "Für Principal %s ist Realm vorhanden"
++
++#: ../../src/lib/krb5/krb/plugin.c:165
++#, c-format
++msgid "Invalid module specifier %s"
++msgstr "ungültiger Modulbezeichner %s"
++
++#: ../../src/lib/krb5/krb/plugin.c:402
++#, c-format
++msgid "Could not find %s plugin module named '%s'"
++msgstr "Das Erweiterungsmodul %s namens »%s« konnte nicht gefunden werden."
++
++#: ../../src/lib/krb5/krb/preauth2.c:1018
++msgid "Unable to initialize preauth context"
++msgstr "Vorauthentifizierungskontext konnte nicht initialisiert werden."
++ ++#: ../../src/lib/krb5/krb/preauth2.c:1032 ++#, c-format ++msgid "Preauth module %s: %s" ++msgstr "Vorauthentifizierungsmodul %s: %s" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:510 ++msgid "Please choose from the following:\n" ++msgstr "Bitte wählen Sie aus dem Folgenden aus:\n" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:511 ++msgid "Vendor:" ++msgstr "Anbieter:" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:523 ++msgid "Enter #" ++msgstr "Geben Sie # ein" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:559 ++msgid "OTP Challenge:" ++msgstr "Anforderung des Einwegpassworts:" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:588 ++msgid "OTP Token PIN" ++msgstr "Einwegpasswort-Token-PIN" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:702 ++msgid "OTP value doesn't match any token formats" ++msgstr "Wert des Einwegpassworts entspricht keinem Token-Format" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:769 ++msgid "Enter OTP Token Value" ++msgstr "Geben Sie den Wert des Einwegpasswort-Tokens an" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:914 ++msgid "No supported tokens" ++msgstr "keine unterstützten Token" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:49 ++msgid "Challenge for Enigma Logic mechanism" ++msgstr "Anforderung für Enigma-Logic-Mechanismus" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:53 ++msgid "Challenge for Digital Pathways mechanism" ++msgstr "Anforderung für Digital-Pathway-Mechanismus" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:57 ++msgid "Challenge for Activcard mechanism" ++msgstr "Anforderung für Activcard-Mechanismus" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:60 ++msgid "Challenge for Enhanced S/Key mechanism" ++msgstr "Anforderung für erweiterten S/Key-Mechanismus" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:63 ++msgid "Challenge for Traditional S/Key mechanism" ++msgstr "Anforderung für traditionellen S/Key-Mechanismus" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:66 ++#: ../../src/lib/krb5/krb/preauth_sam2.c:69 ++msgid "Challenge for 
Security Dynamics mechanism" ++msgstr "Anforderung für Security-Dynamics-Mechanismus" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:72 ++msgid "Challenge from authentication server" ++msgstr "Anforderung vom Authentifizierungsserver" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:166 ++msgid "SAM Authentication" ++msgstr "SAM-Authentifizierung" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:145 ++#, c-format ++msgid "Cannot find key for %s kvno %d in keytab" ++msgstr "" ++"Schlüssel für %s-KNVO %d kann nicht in der Schlüsseltabelle gefunden werden" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:150 ++#, c-format ++msgid "Cannot find key for %s kvno %d in keytab (request ticket server %s)" ++msgstr "" ++"Schlüssel für %s-KNVO %d kann nicht in der Schlüsseltabelle gefunden werden " ++"(angefragter Ticketserver %s)" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:175 ++#, c-format ++msgid "Cannot decrypt ticket for %s using keytab key for %s" ++msgstr "" ++"Ticket für %s kann nicht mittels des Schlüsseltabellenschlüssels für %s " ++"entschlüsselt werden" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:197 ++#, c-format ++msgid "Server principal %s does not match request ticket server %s" ++msgstr "Server-Principal %s passt nicht zum abgefragten Ticketserver %s" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:226 ++msgid "No keys in keytab" ++msgstr "keine Schlüssel in der Schlüsseltabelle" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:229 ++#, c-format ++msgid "Server principal %s does not match any keys in keytab" ++msgstr "" ++"Server-Principal %s hat keinen passenden Schlüssel in der Schlüsseltabelle" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:236 ++#, c-format ++msgid "" ++"Request ticket server %s found in keytab but does not match server principal " ++"%s" ++msgstr "" ++"abgefragter Ticketserver %s wurde in der Schlüsseltabelle gefunden, er passte " ++"jedoch nicht zu Server-Principal %s" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:241 ++#, c-format ++msgid "Request ticket server 
%s not found in keytab (ticket kvno %d)" ++msgstr "" ++"Abgefragter Ticketserver %s wurde nicht in der Schlüsseltabelle gefunden " ++"(Ticket KVNO %d)." ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:247 ++#, c-format ++msgid "" ++"Request ticket server %s kvno %d not found in keytab; ticket is likely out " ++"of date" ++msgstr "" ++"Abgefragter Ticketserver %s KVNO %d wurde nicht in der Schlüsseltabelle " ++"gefunden; Ticket ist wahrscheinlich abgelaufen." ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:252 ++#, c-format ++msgid "" ++"Request ticket server %s kvno %d not found in keytab; keytab is likely out " ++"of date" ++msgstr "" ++"Abgefragter Ticketserver %s KVNO %d wurde nicht in der Schlüsseltabelle " ++"gefunden; Schlüsseltabelle ist wahrscheinlich nicht mehr aktuell." ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:261 ++#, c-format ++msgid "" ++"Request ticket server %s kvno %d found in keytab but not with enctype %s" ++msgstr "" ++"Abgefragter Ticketserver %s KVNO %d wurde in der Schlüsseltabelle gefunden, " ++"jedoch nicht mit Verschlüsselungstyp %s." ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:266 ++#, c-format ++msgid "" ++"Request ticket server %s kvno %d enctype %s found in keytab but cannot " ++"decrypt ticket" ++msgstr "" ++"Abgefragter Ticketserver %s KVNO %d mit Verschlüsselungstyp %s in der " ++"Schlüsseltabelle gefunden, Ticket kann jedoch nicht entschlüsselt werden." ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:897 ++#, c-format ++msgid "Encryption type %s not permitted" ++msgstr "Verschlüsselungstyp %s nicht erlaubt" ++ ++#: ../../src/lib/krb5/os/expand_path.c:316 ++#, c-format ++msgid "Can't find username for uid %lu" ++msgstr "Zu UID %lu kann kein Benutzername gefunden werden." 
++ ++#: ../../src/lib/krb5/os/expand_path.c:405 ++#: ../../src/lib/krb5/os/expand_path.c:421 ++msgid "Invalid token" ++msgstr "ungültiges Token" ++ ++#: ../../src/lib/krb5/os/expand_path.c:506 ++msgid "variable missing }" ++msgstr "Variable fehlt }" ++ ++#: ../../src/lib/krb5/os/locate_kdc.c:660 ++#, c-format ++msgid "Cannot find KDC for realm \"%.*s\"" ++msgstr "KDC für Realm »%.*s« kann nicht gefunden werden" ++ ++#: ../../src/lib/krb5/os/sendto_kdc.c:475 ++#, c-format ++msgid "Cannot contact any KDC for realm '%.*s'" ++msgstr "für Realm »%.*s« kann nicht KDC kontaktiert werden" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:106 ++#, c-format ++msgid "Cannot fstat replay cache file %s: %s" ++msgstr "»fstat« für Antwortzwischenspeicherdatei %s nicht möglich: %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:112 ++#, c-format ++msgid "" ++"Insecure mkstemp() file mode for replay cache file %s; try running this " ++"program with umask 077" ++msgstr "" ++"unsicherer mkstemp()-Dateimodus für Antwortzwischenspeicherdatei %s; " ++"versuchen Sie, dieses Programm mit der Umask 077 auszuführen" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:144 ++#, c-format ++msgid "Cannot %s replay cache file %s: %s" ++msgstr "%s der Wiederholungszwischenspeicherdatei %s nicht möglich: %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:149 ++#, c-format ++msgid "Cannot %s replay cache: %s" ++msgstr "%s des Wiederholungszwischenspeichers nicht möglich: %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:272 ++#, c-format ++msgid "Insecure file mode for replay cache file %s" ++msgstr "unsicherer Dateimodus für Wiederholungszwischenspeicherdatei %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:278 ++#, c-format ++msgid "rcache not owned by %d" ++msgstr "Rcache gehört nicht %d" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:402 ../../src/lib/krb5/rcache/rc_io.c:406 ++#: ../../src/lib/krb5/rcache/rc_io.c:411 ++#, c-format ++msgid "Can't write to replay cache: %s" ++msgstr "" ++"in Wiederholungszwischenspeicherdatei kann 
nicht geschrieben werden: %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:432 ++#, c-format ++msgid "Cannot sync replay cache file: %s" ++msgstr "" ++"Wiederholungszwischenspeicherdatei kann nicht synchronisiert werden: %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:451 ++#, c-format ++msgid "Can't read from replay cache: %s" ++msgstr "aus dem Wiederholungszwischenspeicher kann nicht gelesen werden: %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:482 ../../src/lib/krb5/rcache/rc_io.c:488 ++#: ../../src/lib/krb5/rcache/rc_io.c:493 ++#, c-format ++msgid "Can't destroy replay cache: %s" ++msgstr "Wiederholungszwischenspeicher kann nicht vernichtet werden: %s" ++ ++#: ../../src/plugins/kdb/db2/kdb_db2.c:245 ++#: ../../src/plugins/kdb/db2/kdb_db2.c:830 ++#, c-format ++msgid "Unsupported argument \"%s\" for db2" ++msgstr "nicht unterstütztes Argument »%s« für DB2" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:69 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:887 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1088 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1507 ++msgid "while reading kerberos container information" ++msgstr "beim Lesen der Kerberos-Container-Information" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:129 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:143 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:504 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:518 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:151 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:166 ++msgid "while providing time specification" ++msgstr "beim Bereitstellen der Zeitspezifikation" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:268 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:304 ++msgid "while creating policy object" ++msgstr "beim Erstellen des Richtlinienobjekts" ++ ++#: 
../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:279 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1515 ++msgid "while reading realm information" ++msgstr "beim Lesen der Realm-Information" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:348 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:407 ++msgid "while destroying policy object" ++msgstr "beim Zerstören des Richtlinienobjekts" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:358 ++#, c-format ++msgid "This will delete the policy object '%s', are you sure?\n" ++msgstr "Dies wird das Richtlinienobjekt »%s« löschen, sind Sie sicher?\n" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:473 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:663 ++msgid "while modifying policy object" ++msgstr "beim Ändern des Richtlinienobjekts" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:487 ++#, c-format ++msgid "while reading information of policy '%s'" ++msgstr "beim Lesen der Information der Richtlinie »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:692 ++msgid "while viewing policy" ++msgstr "beim Betrachten der Richtlinie" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:701 ++#, c-format ++msgid "while viewing policy '%s'" ++msgstr "beim Betrachten der Richtlinie »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:835 ++msgid "while listing policy objects" ++msgstr "beim Auflisten der Richtlinienobjekte" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:453 ++#, c-format ++msgid "for subtree while creating realm '%s'" ++msgstr "für einen Teilbaum beim Erstellen von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:465 ++#, c-format ++msgid "for container reference while creating realm '%s'" ++msgstr "für Container-Bezug beim Erstellen von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:489 ++#, 
c-format ++msgid "invalid search scope while creating realm '%s'" ++msgstr "ungültiger Suchbereich beim Erstellen von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:504 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:823 ++#, c-format ++msgid "'%s' is an invalid option\n" ++msgstr "»%s« ist keine gültige Option\n" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:512 ++#, c-format ++msgid "Initializing database for realm '%s'\n" ++msgstr "Datenbank für Realm »%s« wird initialisiert\n" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:536 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:696 ++#, c-format ++msgid "while creating realm '%s'" ++msgstr "beim Erstellen von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:556 ++#, c-format ++msgid "Enter DN of Kerberos container: " ++msgstr "Geben Sie die den DN des Kerberos-Containers ein: " ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:591 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:894 ++#, c-format ++msgid "while reading information of realm '%s'" ++msgstr "beim Lesen der Information von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:733 ++msgid "while reading Kerberos container information" ++msgstr "beim Lesen der Kerberos-Container-Information" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:774 ++#, c-format ++msgid "for subtree while modifying realm '%s'" ++msgstr "für einen Teilbaum beim Ändern von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:785 ++#, c-format ++msgid "for container reference while modifying realm '%s'" ++msgstr "für Container-Bezug beim Ändern von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:812 ++#, c-format ++msgid "specified for search scope while modifying information of realm '%s'" ++msgstr "" ++"angegeben für Suchbereich, während die Information für 
Realm »%s« geändert " ++"wird" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:851 ++#, c-format ++msgid "while modifying information of realm '%s'" ++msgstr "beim Ändern der Information von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:940 ++msgid "Realm Name" ++msgstr "Realm-Name" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:943 ++msgid "Subtree" ++msgstr "Teilbaum" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:946 ++msgid "Principal Container Reference" ++msgstr "Principal-Container-Bezug" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:953 ++msgid "SearchScope" ++msgstr "Suchbereich" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951 ++msgid "Invalid !" ++msgstr "ungültig!" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:958 ++msgid "KDC Services" ++msgstr "KDC-Dienste" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:973 ++msgid "Admin Services" ++msgstr "Administratordienste" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:988 ++msgid "Passwd Services" ++msgstr "Passwortdienste" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1004 ++msgid "Maximum Ticket Life" ++msgstr "maximale Ticketlebensdauer" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1009 ++msgid "Maximum Renewable Life" ++msgstr "maximale verlängerbare Lebensdauer" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1016 ++msgid "Ticket flags" ++msgstr "Ticket-Flags" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1095 ++msgid "while listing realms" ++msgstr "beim Auflisten der Realms" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1439 ++msgid "while adding entries to database" ++msgstr "beim Hinzufügen von Einträgen zur Datenbank" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1480 ++#, c-format 
++msgid "Deleting KDC database of '%s', are you sure?\n"
++msgstr ""
++"Sind Sie sicher, dass die KDC-Datenbank von »%s« gelöscht werden soll?\n"
++
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1491
++#, c-format
++msgid "OK, deleting database of '%s'...\n"
++msgstr "OK, die Datenbank von »%s« wird gelöscht …\n"
++
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1524
++#, c-format
++msgid "deleting database of '%s'"
++msgstr "Die Datenbank von »%s« wird gelöscht."
++
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1529
++#, c-format
++msgid "** Database of '%s' destroyed.\n"
++msgstr "** Datenbank von »%s« vernichtet\n"
++
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:81
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:88
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:96
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:104
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:120
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:148
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:227
++msgid "while setting service object password"
++msgstr "beim Setzen des Passworts für das Dienstobjekt"
++
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:140
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:477
++#, c-format
++msgid "Password for \"%s\""
++msgstr "Passwort für »%s«"
++
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:143
++#, c-format
++msgid "Re-enter password for \"%s\""
++msgstr "Geben Sie das Passwort für »%s« erneut ein."
++
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:154
++#, c-format
++msgid "%s: Invalid password\n"
++msgstr "%s: ungültiges Passwort\n"
++
++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:170
++msgid "Failed to convert the password to hexadecimal"
++msgstr "Das Umwandeln des Passworts in Dezimalschreibweise ist fehlgeschlagen."
++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:183 ++#, c-format ++msgid "Failed to open file %s: %s" ++msgstr "Datei %s konnte nicht geöffnet werden: %s" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:205 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:247 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:256 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:283 ++msgid "Failed to write service object password to file" ++msgstr "" ++"Schreiben des Passworts für das Dienstobjekt in eine Datei fehlgeschlagen" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:211 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:268 ++msgid "Error reading service object password file" ++msgstr "Fehler beim Lesen der Passwortdatei für das Dienstobjekt" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:236 ++#, c-format ++msgid "Error creating file %s" ++msgstr "Fehler beim Erstellen der Datei %s" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:105 ++#, c-format ++msgid "" ++"Usage: kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n" ++"\tcmd [cmd_options]\n" ++"create [-subtrees subtree_dn_list] [-sscope search_scope] [-" ++"containerref container_reference_dn]\n" ++"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n" ++"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" ++"\t\t[ticket_flags] [-r realm]\n" ++"modify [-subtrees subtree_dn_list] [-sscope search_scope] [-" ++"containerref container_reference_dn]\n" ++"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" ++"\t\t[ticket_flags] [-r realm]\n" ++"view [-r realm]\n" ++"destroy [-f] [-r realm]\n" ++"list\n" ++"stashsrvpw [-f filename] service_dn\n" ++"create_policy [-r realm] [-maxtktlife max_ticket_life]\n" ++"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" ++"modify_policy [-r realm] 
[-maxtktlife max_ticket_life]\n" ++"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" ++"view_policy [-r realm] policy\n" ++"destroy_policy [-r realm] [-force] policy\n" ++"list_policy [-r realm]\n" ++msgstr "" ++"Aufruf: kdb5_ldap_util [-D Benutzer-DN [-w Passwort]] [-H LDAP-URI]\n" ++"\tcmd [Befehlsoptionen]\n" ++"create [-subtrees DN-Liste_Teilbäume] [-sscope Suchbereich] [-" ++"containerref Container-Bezug-DN]\n" ++"\t\t[-m|-P Passwort|-sf Ablagedateiname] [-k mkeytype] [-kv mkeyVNO] [-s]\n" ++"\t\t[-maxtktlife maximale_Ticketlebensdauer]\n" ++"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" ++"\t\t[Ticket_Flags] [-r Realm]\n" ++"modify [-subtrees DN-Liste_Teilbäume] [-sscope Suchbereich] [-" ++"containerref Container-Bezug-DN]\n" ++"\t\t[-maxtktlife maximale_Ticketlebensdauer]\n" ++"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" ++"\t\t[Ticket_Flags] [-r Realm]\n" ++"view [-r Realm]\n" ++"destroy [-f] [-r Realm]\n" ++"list\n" ++"stashsrvpw [-f Dateiname] Dienst-DN\n" ++"create_policy [-r Realm] [-maxtktlife maximale_Ticketlebensdauer]\n" ++"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" ++"\t\t[Ticket_Flags] Richtlinie\n" ++"modify_policy [-r Realm] [-maxtktlife maximale_Ticketlebensdauer]\n" ++"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" ++"\t\t[Ticket_Flags] Richtlinie\n" ++"view_policy [-r Realm] Richtlinie\n" ++"destroy_policy [-r Realm] [-force] Richtlinie\n" ++"list_policy [-r Realm]\n" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:325 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:333 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:341 ++msgid "while reading ldap parameters" ++msgstr "beim Lesen der LDAP-Parameter" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:439 ++msgid "while initializing error handling" ++msgstr "beim Initialisieren der Fehlerbehandlung" ++ ++#: 
../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:447 ++msgid "while initializing ldap handle" ++msgstr "beim Initialisieren des LDAP-Identifikators" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:461 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:470 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:483 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:525 ++msgid "while retrieving ldap configuration" ++msgstr "beim Abfragen der LDAP-Konfiguration" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:500 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:507 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:516 ++msgid "while initializing server list" ++msgstr "beim Initialisieren der Serverliste" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:547 ++msgid "while setting up lib handle" ++msgstr "ein Einrichten der BibliotheksIdentifikators" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:556 ++msgid "while reading ldap configuration" ++msgstr "beim Lesen der LDAP-Konfiguration" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:68 ++msgid "Unable to read Kerberos container" ++msgstr "Kerberos-Container kann nicht gelesen werden" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:74 ++msgid "Unable to read Realm" ++msgstr "Realm kann nicht gelesen werden" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:215 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:73 ++msgid "Error processing LDAP DB params:" ++msgstr "Fehler beim Verarbeiten der LDAP-Datenbankparameter:" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:222 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:80 ++msgid "Error reading LDAP server params:" ++msgstr "Fehler beim Lesen der LDAP-Server-Parameters:" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:64 ++msgid "LDAP bind dn value missing" ++msgstr "LDAP-Bindungs-DN-Wert fehlt" ++ ++#: 
../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:69 ++msgid "LDAP bind password value missing" ++msgstr "LDAP-Bindungs-Passwortwert fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:77 ++msgid "Error reading password from stash: " ++msgstr "Fehler beim Lesen des Passworts aus der Ablage: " ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:85 ++msgid "Service password length is zero" ++msgstr "Länge des Dienstpassworts ist Null" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:145 ++#, c-format ++msgid "Cannot bind to LDAP server '%s' with SASL mechanism '%s': %s" ++msgstr "" ++"mit LDAP-Server »%s« kann keine Verbindung mit SASL-Mechanismus »%s« " ++"hergestellt werden: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:158 ++#, c-format ++msgid "Cannot bind to LDAP server '%s' as '%s': %s" ++msgstr "" ++"mit LDAP-Server »%s« kann keine Verbindung als »%s« hergestellt werden: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:183 ++#, c-format ++msgid "Cannot create LDAP handle for '%s': %s" ++msgstr "LDAP-Identifikator für »%s« kann nicht erstellt werden: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:131 ++msgid "could not complete roll-back, error deleting Kerberos Container" ++msgstr "" ++"Zurücksetzen kann nicht abgeschlossen werden, Fehler beim Löschen des " ++"Kerberos-Containers" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:56 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:67 ++msgid "Error reading kerberos container location from krb5.conf" ++msgstr "" ++"Fehler beim Lesen des Kerberos-Container-Speicherorts aus der »krb5.conf«." 
++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:75 ++msgid "Kerberos container location not specified" ++msgstr "Kerberos-Container-Speicherort nicht angegeben" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:55 ++#, c-format ++msgid "Error reading '%s' attribute: %s" ++msgstr "Fehler beim Lesen des Attributs »%s«: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:218 ++msgid "KDB module requires -update argument" ++msgstr "KDB-Modul benötigt Argument »-update«" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:224 ++#, c-format ++msgid "'%s' value missing" ++msgstr "Wert »%s« fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:282 ++#, c-format ++msgid "unknown option '%s'" ++msgstr "unbekannte Option »%s«" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:342 ++msgid "Minimum connections required per server is 2" ++msgstr "Die benötigte Mindestanzahl von Verbindungen pro Server ist zwei" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:159 ++msgid "Default realm not set" ++msgstr "Standard-Realm nicht gesetzt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:262 ++msgid "DN information missing" ++msgstr "DN-Information fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:108 ++msgid "Principal does not belong to realm" ++msgstr "Principal gehört nicht zum Realm" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:278 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:287 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:295 ++#, c-format ++msgid "%s option not supported" ++msgstr "Option %s wird nicht unterstützt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:302 ++#, c-format ++msgid "unknown option: %s" ++msgstr "unbekannte Option: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:309 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:316 ++#, c-format 
++msgid "%s option value missing"
++msgstr "Wert der Option %s fehlt"
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:542
++msgid "Principal does not belong to the default realm"
++msgstr "Principal gehört nicht zum Standard-Realm"
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:610
++#, c-format
++msgid ""
++"operation can not continue, more than one entry with principal name \"%s\" "
++"found"
++msgstr ""
++"Die Aktion kann nicht fortfahren, da mehr als ein Principal namens »%s« "
++"gefunden wurde."
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:673
++#, c-format
++msgid "'%s' not found: "
++msgstr "»%s« nicht gefunden: "
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:751
++msgid "DN is out of the realm subtree"
++msgstr "DN liegt außerhalb ders Teilbaums des Realms"
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:807
++#, c-format
++msgid "ldap object is already kerberized"
++msgstr "LDAP-Objekt ist bereits an Kerberos angepasst"
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:827
++#, c-format
++msgid ""
++"link information can not be set/updated as the kerberos principal belongs to "
++"an ldap object"
++msgstr ""
++"Verweisinformation kann nicht eingerichtet/aktualisiert werden, da der "
++"Kerberos-Principal zu einem LDAP-Objekt gehört."
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:842
++#, c-format
++msgid "Failed getting object references"
++msgstr "Holen von Objektbezügen fehlgeschlagen"
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:849
++#, c-format
++msgid "kerberos principal is already linked to a ldap object"
++msgstr "Kerberos-Principal ist bereits mit einem LDAP-Objekt verknüpft"
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1167
++msgid "ticket policy object value: "
++msgstr "Wert des Ticket-Richtlinienobjekts: "
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1215
++#, c-format
++msgid "Principal delete failed (trying to replace entry): %s"
++msgstr ""
++"Löschen des Principals fehlgeschlagen (es wird versucht, den Eintrag zu "
++"ersetzen): %s"
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1225
++#, c-format
++msgid "Principal add failed: %s"
++msgstr "Hinzufügen des Principals fehlgeschlagen: %s"
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1263
++#, c-format
++msgid "User modification failed: %s"
++msgstr "Änderung des Benutzers fehlgeschlagen: %s"
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1336
++msgid "Error reading ticket policy. "
++msgstr "Fehler beim Lesen der Ticket-Richtlinie"
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1402
++#, c-format
++msgid "unable to decode stored principal key data (%s)"
++msgstr ""
++"Die gespeicherten Schlüsseldaten des Principals (%s) konnten nicht "
++"dekodiert werden."
++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:223 ++msgid "Realm information not available" ++msgstr "Realm-Information nicht verfügbar" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:294 ++msgid "Error reading ticket policy: " ++msgstr "Fehler beim Lesen der Ticket-Richtlinie:" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:307 ++#, c-format ++msgid "Realm Delete FAILED: %s" ++msgstr "Löschen des Realms FEHLGESCHLAGEN: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:387 ++msgid "subtree value: " ++msgstr "Wert des Teilbaums: " ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:404 ++msgid "container reference value: " ++msgstr "Wert des Container-Bezugs: " ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:487 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:550 ++msgid "Kerberos Container information is missing" ++msgstr "Kerberos-Container-Information fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:499 ++msgid "Invalid Kerberos container DN" ++msgstr "ungültiger Kerberos-Container-DN" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:515 ++#, c-format ++msgid "Kerberos Container create FAILED: %s" ++msgstr "Erstellen des Kerberos-Containers FEHLGESCHLAGEN: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:558 ++#, c-format ++msgid "Kerberos Container delete FAILED: %s" ++msgstr "Löschen des Kerberos-Containers FEHLGESCHLAGEN: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:634 ++msgid "realm object value: " ++msgstr "Wert des Realm-Objekts: " ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:48 ++msgid "Not a hexadecimal password" ++msgstr "kein hexadezimales Passwort" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:55 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:66 ++msgid "Password corrupt" ++msgstr "Passwort beschädigt" ++ ++#: 
../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:93 ++#, c-format ++msgid "Cannot open LDAP password file '%s': %s" ++msgstr "LDAP-Passwortdatei »%s« kann nicht geöffnet werden: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:123 ++#, c-format ++msgid "Bind DN entry '%s' missing in LDAP password file '%s'" ++msgstr "Bind-DN-Eintrag »%s« fehlt in der LDAP-Passwortdatei »%s«" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:56 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:132 ++msgid "Ticket Policy Name missing" ++msgstr "Ticket-Richtlinienname fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:144 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:221 ++msgid "ticket policy object: " ++msgstr "Ticket-Richtlinienobjekt: " ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:209 ++msgid "Ticket Policy Object information missing" ++msgstr "Ticket-Richtlinienobjekt-Information fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:300 ++msgid "Ticket Policy Object DN missing" ++msgstr "DN des Ticket-Richtlinienobjekts fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:327 ++msgid "Delete Failed: One or more Principals associated with the Ticket Policy" ++msgstr "" ++"Löschen fehlgeschlagen: Ein oder mehrere Principals gehören zur Ticket-" ++"Richtlinie." 
++
++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:435
++msgid "Error reading container object: "
++msgstr "Fehler beim Lesen des Container-Objekts: "
++
++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_nss.c:667
++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:652
++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4153
++msgid "Pass phrase for"
++msgstr "Passphrase für"
++
++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1081
++#, c-format
++msgid "Cannot create cert chain: %s"
++msgstr "Zertifikatskette kann nicht erstellt werden: %s"
++
++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1408
++msgid "Invalid pkinit packet: octet string expected"
++msgstr "ungültiges Pkinit-Paket: Achtbit-Zeichenkette erwartet"
++
++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1427
++msgid "wrong oid\n"
++msgstr "falsche OID\n"
++
++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5994
++#, c-format
++msgid "unknown code 0x%x"
++msgstr "unbekannter Code 0x%x"
++
++#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:424
++#, c-format
++msgid "Unsupported type while processing '%s'\n"
++msgstr "nicht unterstützter Typ bei der Verarbeitung von »%s«\n"
++
++#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:465
++msgid "Internal error parsing X509_user_identity\n"
++msgstr "interner Fehler beim Auswerten von »X509_user_identity«\n"
++
++#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:560
++msgid "No user identity options specified"
++msgstr "keine Optionen der Nutzeridentität angegeben"
++
++#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:414
++msgid "Pkinit request not signed, but client not anonymous."
++msgstr "Pkinit-Anfrage nicht signiert, Client ist jedoch nicht anonym"
++
++# DH = Diffie-Hellman
++#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:447
++msgid "Anonymous pkinit without DH public value not supported."
++msgstr "Anonymes Pkinit wird nicht ohne öffentlichen DH-Wert unterstützt."
++
++#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1147
++#, c-format
++msgid "No pkinit_identity supplied for realm %s"
++msgstr "Für Realm %s wird keine »pkinit_identity« bereitgestellt."
++
++#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1158
++#, c-format
++msgid "No pkinit_anchors supplied for realm %s"
++msgstr "Für Realm %s werden keine »pkinit_anchors« bereitgestellt."
++
++#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1346
++msgid "No realms configured correctly for pkinit support"
++msgstr "Für Pkinit-Unterstützung wurden keine Realms korrekt konfiguriert."
++
++#: ../../src/slave/kprop.c:85
++#, c-format
++msgid ""
++"\n"
++"Usage: %s [-r realm] [-f file] [-d] [-P port] [-s srvtab] slave_host\n"
++"\n"
++msgstr ""
++"\n"
++"Aufruf: %s [-r Realm] [-f Datei] [-d] [-P Port] [-s Dienstschlüsseltabelle] "
++"untergeordneter_Rechner\n"
++"\n"
++
++#: ../../src/slave/kprop.c:114
++#, c-format
++msgid "Database propagation to %s: SUCCEEDED\n"
++msgstr "Datenbankverbreitung auf %s: ERFOLGREICH\n"
++
++#: ../../src/slave/kprop.c:187
++msgid "while setting client principal name"
++msgstr "beim Setzen des Client-Principal-Namens"
++
++#: ../../src/slave/kprop.c:194 ../../src/slave/kprop.c:209
++msgid "while setting client principal realm"
++msgstr "beim Setzen des Client-Principal-Realms"
++
++#: ../../src/slave/kprop.c:217
++#, c-format
++msgid "while opening credential cache %s"
++msgstr "beim Öffnen des Anmeldedatenzwischenspeichers %s"
++
++#: ../../src/slave/kprop.c:233
++msgid "while setting server principal name"
++msgstr "beim Setzen des Server-Principal-Namens"
++
++#: ../../src/slave/kprop.c:255
++msgid "while resolving keytab"
++msgstr "beim Ermitteln der Schlüsseltabelle"
++
++#: ../../src/slave/kprop.c:264
++msgid "while getting initial credentials\n"
++msgstr "beim Holen der Anfangsanmeldedaten\n"
++
++#: ../../src/slave/kprop.c:301
++msgid "while creating socket"
++msgstr "beim Erstellen eines Sockets"
++
++#: ../../src/slave/kprop.c:317
++msgid "while converting server address"
++msgstr "beim Umwandeln der Server-Adresse"
++
++#: ../../src/slave/kprop.c:327
++msgid "while connecting to server"
++msgstr "beim Verbinden mit dem Server"
++
++#: ../../src/slave/kprop.c:334 ../../src/slave/kpropd.c:1215
++msgid "while getting local socket address"
++msgstr "beim Holen der lokalen Socket-Adresse"
++
++#: ../../src/slave/kprop.c:339
++msgid "while converting local address"
++msgstr "beim Umwandeln der lokalen Socket-Adresse"
++
++#: ../../src/slave/kprop.c:362
++msgid "in krb5_auth_con_setaddrs"
++msgstr "in »krb5_auth_con_setaddrs«"
++
++#: ../../src/slave/kprop.c:370
++msgid "while authenticating to server"
++msgstr "beim Authentifizieren am Server"
++
++#: ../../src/slave/kprop.c:374 ../../src/slave/kprop.c:573
++#: ../../src/slave/kpropd.c:1521
++#, c-format
++msgid "Generic remote error: %s\n"
++msgstr "allgemeiner ferner Fehler: %s\n"
++
++#: ../../src/slave/kprop.c:380 ../../src/slave/kprop.c:579
++msgid "signalled from server"
++msgstr "signalisiert vom Server"
++
++#: ../../src/slave/kprop.c:382 ../../src/slave/kprop.c:581
++#, c-format
++msgid "Error text from server: %s\n"
++msgstr "Fehlermeldung vom Server: %s\n"
++
++#: ../../src/slave/kprop.c:410
++#, c-format
++msgid "allocating database file name '%s'"
++msgstr "Datenbankdateiname »%s« wird reserviert"
++
++#: ../../src/slave/kprop.c:416
++#, c-format
++msgid "while trying to open %s"
++msgstr "beim Versuch, %s zu öffnen"
++
++#: ../../src/slave/kprop.c:423
++msgid "database locked"
++msgstr "Datenbank gesperrt"
++
++#: ../../src/slave/kprop.c:426 ../../src/slave/kpropd.c:525
++#, c-format
++msgid "while trying to lock '%s'"
++msgstr "beim Versuch, »%s« zu sperren"
++
++#: ../../src/slave/kprop.c:430 ../../src/slave/kprop.c:438
++#, c-format
++msgid "while trying to stat %s"
++msgstr "beim Versuch, »stat« für %s auszuführen"
++
++#: ../../src/slave/kprop.c:434
++msgid "while trying to malloc data_ok_fn"
++msgstr "beim Versuch, Speicher für »data_ok_fn« zu reservieren"
++
++#: ../../src/slave/kprop.c:443
++#, c-format
++msgid "'%s' more recent than '%s'."
++msgstr "»%s« ist aktueller als »%s«."
++
++#: ../../src/slave/kprop.c:459
++#, c-format
++msgid "while unlocking database '%s'"
++msgstr "beim Entsperren von Datenbank »%s«"
++
++#: ../../src/slave/kprop.c:492 ../../src/slave/kprop.c:493
++msgid "while encoding database size"
++msgstr "beim Aufbereiten der Datenbankgröße"
++
++#: ../../src/slave/kprop.c:501
++msgid "while sending database size"
++msgstr "beim Senden der Datenbankgröße"
++
++#: ../../src/slave/kprop.c:511
++msgid "while allocating i_vector"
++msgstr "beim Reservieren von »i_vector«"
++
++#: ../../src/slave/kprop.c:534
++#, c-format
++msgid "while sending database block starting at %d"
++msgstr "beim Senden des Datenbankblocks, der bei %d beginnt"
++
++#: ../../src/slave/kprop.c:544
++msgid "Premature EOF found for database file!"
++msgstr "vorzeitiges EOF für Datenbankdatei gefunden!"
++ ++#: ../../src/slave/kprop.c:557 ++msgid "while reading response from server" ++msgstr "beim Lesen der Antwort vom Servers" ++ ++#: ../../src/slave/kprop.c:568 ++msgid "while decoding error response from server" ++msgstr "beim Aufschlüsseln der Fehlerantwort vom Server" ++ ++#: ../../src/slave/kprop.c:599 ++#, c-format ++msgid "Kpropd sent database size %d, expecting %d" ++msgstr "Kpropd sendet Datenbankgröße %d, erwartet wurde %d" ++ ++#: ../../src/slave/kprop.c:643 ++msgid "while allocating filename for update_last_prop_file" ++msgstr "beim Reservieren des Dateinamens für »update_last_prop_file«" ++ ++#: ../../src/slave/kprop.c:648 ++#, c-format ++msgid "while creating 'last_prop' file, '%s'" ++msgstr "beim Erstellen der Datei »last_prop«, »%s«" ++ ++#: ../../src/slave/kpropd.c:170 ++#, c-format ++msgid "" ++"\n" ++"Usage: %s [-r realm] [-s srvtab] [-dS] [-f slave_file]\n" ++msgstr "" ++"\n" ++"Aufruf: %s [-r Realm] [-s Dienstschlüsseltabelle] [-dS] [-f " ++"untergeordnete_Datei]\n" ++ ++#: ../../src/slave/kpropd.c:172 ++#, c-format ++msgid "\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n" ++msgstr "\t[-F Kerberos-Datenbankdatei ] [-p KDB5-Hilfswerkzeugpfadname]\n" ++ ++#: ../../src/slave/kpropd.c:173 ++#, c-format ++msgid "\t[-x db_args]* [-P port] [-a acl_file]\n" ++msgstr "\t[-x Datenbankargumente]* [-P Port] [-a ACL-Datei]\n" ++ ++#: ../../src/slave/kpropd.c:174 ++#, c-format ++msgid "\t[-A admin_server]\n" ++msgstr "\t[-A Serveradministrator]\n" ++ ++#: ../../src/slave/kpropd.c:215 ++#, c-format ++msgid "Killing fullprop child (%d)\n" ++msgstr "Beenden des Fullprop-Kindprozesses (%d) wird erzwungen\n" ++ ++#: ../../src/slave/kpropd.c:244 ++msgid "while checking if stdin is a socket" ++msgstr "beim Prüfen, ob die Standardeingabe ein Socket ist" ++ ++#: ../../src/slave/kpropd.c:262 ++#, c-format ++msgid "ready\n" ++msgstr "bereit\n" ++ ++#: ../../src/slave/kpropd.c:272 ++#, c-format ++msgid "Could not open /dev/null: %s" ++msgstr "/dev/null konnte nicht 
geöffnet werden: %s" ++ ++#: ../../src/slave/kpropd.c:279 ++#, c-format ++msgid "Could not dup the inetd socket: %s" ++msgstr "Das Inetd-Socket konnte nicht dupliziert werden: %s" ++ ++#: ../../src/slave/kpropd.c:314 ../../src/slave/kpropd.c:327 ++msgid "do_iprop failed.\n" ++msgstr "»do_iprop« fehlgeschlagen\n" ++ ++#: ../../src/slave/kpropd.c:366 ++#, c-format ++msgid "getaddrinfo: %s\n" ++msgstr "getaddrinfo: %s\n" ++ ++#: ../../src/slave/kpropd.c:372 ++msgid "while obtaining socket" ++msgstr "beim Erlangen des Sockets" ++ ++#: ../../src/slave/kpropd.c:378 ++msgid "while setting SO_REUSEADDR option" ++msgstr "beim Setzen der Option SO_REUSEADDR" ++ ++#: ../../src/slave/kpropd.c:386 ++msgid "while unsetting IPV6_V6ONLY option" ++msgstr "beim Entfernen der Option IPV6_V6ONLY" ++ ++#: ../../src/slave/kpropd.c:391 ++msgid "while binding listener socket" ++msgstr "beim Anbinden an das auf Verbindung wartende Socket" ++ ++#: ../../src/slave/kpropd.c:402 ++#, c-format ++msgid "waiting for a kprop connection\n" ++msgstr "warten auf Kprop-Verbindung\n" ++ ++#: ../../src/slave/kpropd.c:408 ++msgid "while accepting connection" ++msgstr "beim Akzeptieren der Verbindung" ++ ++#: ../../src/slave/kpropd.c:414 ++msgid "while forking" ++msgstr "beim Erzeugen eines Kindprozesses" ++ ++#: ../../src/slave/kpropd.c:429 ++#, c-format ++msgid "waitpid() failed to wait for doit() (%d %s)\n" ++msgstr "waitpid() schlug beim Warten auf doit() fehl (%d %s)\n" ++ ++#: ../../src/slave/kpropd.c:433 ++msgid "while waiting to receive database" ++msgstr "beim Warten auf den Erhalt der Datenbank" ++ ++#: ../../src/slave/kpropd.c:437 ++#, c-format ++msgid "Database load process for full propagation completed.\n" ++msgstr "" ++"Der Datenbankladeprozess für eine vollständige Verbreitung ist " ++"abgeschlossen.\n" ++ ++#: ../../src/slave/kpropd.c:471 ++#, c-format ++msgid "" ++"%s: Standard input does not appear to be a network socket.\n" ++"\t(Not run from inetd, and missing the -S option?)\n" 
++msgstr "" ++"%s: Bei der Standardeingabe scheint es sich nicht um ein Netzwerk-Socket zu\n" ++"\thandeln (läuft nicht aus Inetd und die Option -S fehlt?).\n" ++ ++#: ../../src/slave/kpropd.c:485 ++msgid "while attempting setsockopt (SO_KEEPALIVE)" ++msgstr "beim Versuch, »setsockopt« auszuführen (SO_KEEPALIVE)" ++ ++#: ../../src/slave/kpropd.c:490 ++#, c-format ++msgid "Connection from %s" ++msgstr "Verbindung von %s" ++ ++#: ../../src/slave/kpropd.c:510 ++#, c-format ++msgid "Rejected connection from unauthorized principal %s\n" ++msgstr "Zurückgewiesene Verbindung von nicht autorisiertem Principal %s\n" ++ ++#: ../../src/slave/kpropd.c:514 ++#, c-format ++msgid "Rejected connection from unauthorized principal %s" ++msgstr "Zurückgewiesene Verbindung von nicht authorisiertem Principal %s" ++ ++#: ../../src/slave/kpropd.c:531 ++#, c-format ++msgid "while opening database file, '%s'" ++msgstr "beim Öffnen der Datenbankdatei, »%s«" ++ ++#: ../../src/slave/kpropd.c:537 ++#, c-format ++msgid "while renaming %s to %s" ++msgstr "beim Umbenennen von %s in %s" ++ ++#: ../../src/slave/kpropd.c:543 ++#, c-format ++msgid "while downgrading lock on '%s'" ++msgstr "beim Downgrade der Sperre auf »%s«" ++ ++#: ../../src/slave/kpropd.c:550 ++#, c-format ++msgid "while unlocking '%s'" ++msgstr "beim Aufheben der Sperre »%s«" ++ ++#: ../../src/slave/kpropd.c:562 ++msgid "while sending # of received bytes" ++msgstr "beim Senden n empfangener Byte" ++ ++#: ../../src/slave/kpropd.c:568 ++msgid "while trying to close database file" ++msgstr "beim Versuch, die Datenbankdatei zu schließen" ++ ++#: ../../src/slave/kpropd.c:624 ++#, c-format ++msgid "Incremental propagation enabled\n" ++msgstr "inkrementelle Verbreitung aktiviert\n" ++ ++#: ../../src/slave/kpropd.c:634 ++msgid "Unable to get default realm" ++msgstr "Standard-Realm kann nicht geholt werden" ++ ++#: ../../src/slave/kpropd.c:647 ++#, c-format ++msgid "%s: unable to get kiprop host based service name for realm %s\n" ++msgstr 
"" ++"%s: Kiprop-rechnerbasierter Dienstname für Realm %s kann nicht geholt " ++"werden\n" ++ ++#: ../../src/slave/kpropd.c:658 ++msgid "while trying to construct host service principal" ++msgstr "beim Versuch, den Rechnerdienst-Principal zu erstellen" ++ ++#: ../../src/slave/kpropd.c:672 ++msgid "while determining local service principal name" ++msgstr "beim Bestimmen des lokalen Dienst-Principal-Namens" ++ ++#: ../../src/slave/kpropd.c:692 ++#, c-format ++msgid "Initializing kadm5 as client %s\n" ++msgstr "Kadm5 wird als Client %s initialisiert\n" ++ ++#: ../../src/slave/kpropd.c:706 ++#, c-format ++msgid "kadm5 initialization failed!\n" ++msgstr "Initialisierung von Kadm5 fehlgeschlagen!\n" ++ ++#: ../../src/slave/kpropd.c:715 ++msgid "while attempting to connect to master KDC ... retrying" ++msgstr "" ++"beim Versuch, eine Verbindung zum Master-KDC aufzubauen … wird erneut " ++"versucht" ++ ++#: ../../src/slave/kpropd.c:719 ++#, c-format ++msgid "Sleeping %d seconds to re-initialize kadm5 (RPC ERROR)\n" ++msgstr "" ++"Um Kadm5 neu zu initialisieren, wird %d Sekunden gewartet (RPC-FEHLER).\n" ++ ++#: ../../src/slave/kpropd.c:735 ++#, c-format ++msgid "while initializing %s interface, retrying" ++msgstr "beim Initialisieren der Schnittstelle %s, wird erneut versucht" ++ ++#: ../../src/slave/kpropd.c:739 ++#, c-format ++msgid "Sleeping %d seconds to re-initialize kadm5 (krb5kdc not running?)\n" ++msgstr "" ++"Um Kadm5 neu zu initialisieren, wird %d Sekunden gewartet (läuft Krb5kdc " ++"nicht?).\n" ++ ++#: ../../src/slave/kpropd.c:749 ++#, c-format ++msgid "kadm5 initialization succeeded\n" ++msgstr "Initialisieren von Kadm5 erfolgreich\n" ++ ++#: ../../src/slave/kpropd.c:771 ++msgid "reading update log header" ++msgstr "Aktualisierungsprotokollkopfzeilen werden gelesen" ++ ++#: ../../src/slave/kpropd.c:782 ++#, c-format ++msgid "Calling iprop_get_updates_1 (sno=%u sec=%u usec=%u)\n" ++msgstr "»iprop_get_updates_1()« wird aufgerufen (sno=%u sec=%u usec=%u)\n" ++ 
++#: ../../src/slave/kpropd.c:792
++msgid "iprop_get_updates call failed"
++msgstr "Aufruf von »iprop_get_updates« fehlgeschlagen"
++
++#: ../../src/slave/kpropd.c:798
++#, c-format
++msgid "Reinitializing iprop because get updates failed\n"
++msgstr ""
++"Iprop wird neu initialisiert, da Aktualisierungen fehlgeschlagen sind\n"
++
++#: ../../src/slave/kpropd.c:819
++#, c-format
++msgid "Still waiting for full resync\n"
++msgstr ""
++"Es wird immer noch auf das vollständige erneute Synchronisieren gewartet.\n"
++
++#: ../../src/slave/kpropd.c:824
++#, c-format
++msgid "Full resync needed\n"
++msgstr "erneutes vollständiges Synchronisieren erforderlich\n"
++
++#: ../../src/slave/kpropd.c:825
++msgid "kpropd: Full resync needed."
++msgstr "Kpropd: erneutes vollständiges Synchronisieren erforderlich"
++
++#: ../../src/slave/kpropd.c:830
++msgid "iprop_full_resync call failed"
++msgstr "Aufruf von »iprop_full_resync« fehlgeschlagen"
++
++#: ../../src/slave/kpropd.c:841
++#, c-format
++msgid "Full resync request granted\n"
++msgstr "Anfrage nach vollständigem erneuten Synchronisieren genehmigt\n"
++
++#: ../../src/slave/kpropd.c:842
++msgid "Full resync request granted."
++msgstr "Anfrage nach vollständigem erneuten Synchronisieren genehmigt"
++
++# FIXME s/backoff/back-off/
++#: ../../src/slave/kpropd.c:851
++#, c-format
++msgid "Exponential backoff\n"
++msgstr "exponentieller Wartezyklus\n"
++
++#: ../../src/slave/kpropd.c:857
++#, c-format
++msgid "Full resync permission denied\n"
++msgstr "vollständiges erneutes Synchronisieren nicht gestattet\n"
++
++#: ../../src/slave/kpropd.c:858
++msgid "Full resync, permission denied."
++msgstr "vollständiges erneutes Synchronisieren, nicht gestattet"
++
++#: ../../src/slave/kpropd.c:863
++#, c-format
++msgid "Full resync error from master\n"
++msgstr "Fehler beim vollständigen erneuten Synchronisieren vom Master\n"
++
++#: ../../src/slave/kpropd.c:864
++msgid " Full resync, error returned from master KDC."
++msgstr ""
++"vollständiges erneutes Synchronisieren, das Master-KDC gab einen Fehler "
++"zurück"
++
++#: ../../src/slave/kpropd.c:872
++#, c-format
++msgid "Full resync invalid result from master\n"
++msgstr ""
++"Beim vollständigen erneuten Synchronisieren gab der Master ein ungültiges "
++"Ergebnis zurück.\n"
++
++#: ../../src/slave/kpropd.c:874
++msgid "Full resync, invalid return from master KDC."
++msgstr ""
++"vollständiges erneutes Synchronisieren, ungültiger Rückgabewert vom Master-"
++"KDC"
++
++#: ../../src/slave/kpropd.c:890
++#, c-format
++msgid "Got incremental updates (sno=%u sec=%u usec=%u)\n"
++msgstr ""
++"inkrementelle Aktualisierungen erhalten (sno=%u sec=%u usec=%u)\n"
++
++#: ../../src/slave/kpropd.c:902
++#, c-format
++msgid "ulog_replay failed (%s), updates not registered\n"
++msgstr ""
++"»ulog_replay« fehlgeschlagen (%s), Aktualisierungen nicht registriert\n"
++
++#: ../../src/slave/kpropd.c:905
++#, c-format
++msgid "ulog_replay failed (%s), updates not registered."
++msgstr "»ulog_replay« fehlgeschlagen (%s), Aktualisierungen nicht registriert"
++
++#: ../../src/slave/kpropd.c:914
++#, c-format
++msgid "Incremental updates: %d updates / %lu us"
++msgstr "inkrementelle Aktualisierungen: %d Aktualisierungen / %lu us"
++
++#: ../../src/slave/kpropd.c:917
++#, c-format
++msgid "Incremental updates: %d updates / %lu us\n"
++msgstr "inkrementelle Aktualisierungen: %d Aktualisierungen / %lu us\n"
++
++#: ../../src/slave/kpropd.c:925
++#, c-format
++msgid "get_updates permission denied\n"
++msgstr "Zugriff bei »get_updates« verweigert\n"
++
++#: ../../src/slave/kpropd.c:926
++msgid "get_updates, permission denied."
++msgstr "»get_updates«, Zugriff verweigert"
++
++#: ../../src/slave/kpropd.c:931
++#, c-format
++msgid "get_updates error from master\n"
++msgstr "»get_updates«-Fehler vom Master\n"
++
++#: ../../src/slave/kpropd.c:932
++msgid "get_updates, error returned from master KDC."
++msgstr "Vom Master-KDC wurde ein »get_updates«-Fehler zurückgegeben." ++ ++# FIXME s/backoff/back-off/ ++#: ../../src/slave/kpropd.c:940 ++#, c-format ++msgid "get_updates master busy; backoff\n" ++msgstr "»get_updates«-Master ausgelastet; hält sich zurück\n" ++ ++#: ../../src/slave/kpropd.c:949 ++#, c-format ++msgid "KDC is synchronized with master.\n" ++msgstr "KDC wurde mit dem Master synchronisiert.\n" ++ ++#: ../../src/slave/kpropd.c:957 ++#, c-format ++msgid "get_updates invalid result from master\n" ++msgstr "ungültiges »get_updates«-Ergebnis vom Master\n" ++ ++#: ../../src/slave/kpropd.c:958 ++msgid "get_updates, invalid return from master KDC." ++msgstr "»get_updates«, ungültiger Rückgabewert vom Master-KDC" ++ ++# FIXME s/backoff/back-off/ ++#: ../../src/slave/kpropd.c:973 ++#, c-format ++msgid "Busy signal received from master, backoff for %d secs\n" ++msgstr "" ++"Vom Master wurde ein Signal empfangen, dass er ausgelastet ist, " ++"Zurückhaltung für %d Sekunden\n" ++ ++#: ../../src/slave/kpropd.c:980 ++#, c-format ++msgid "Waiting for %d seconds before checking for updates again\n" ++msgstr "" ++"vor der erneuten Prufung auf Aktualisierungen wird %d Sekunden gewartet\n" ++ ++#: ../../src/slave/kpropd.c:991 ++#, c-format ++msgid "ERROR returned by master, bailing\n" ++msgstr "FEHLER vom Master zurückgegeben, Ausstieg\n" ++ ++#: ../../src/slave/kpropd.c:992 ++msgid "ERROR returned by master KDC, bailing.\n" ++msgstr "FEHLER vom Master-KDC zurückgegeben, Ausstieg\n" ++ ++#: ../../src/slave/kpropd.c:1134 ++msgid "copying db args" ++msgstr "Datenbankargumente werden kopiert" ++ ++#: ../../src/slave/kpropd.c:1161 ++msgid "while trying to construct my service name" ++msgstr "beim Versuch, meinen Dienstnamen zu erstellen" ++ ++#: ../../src/slave/kpropd.c:1167 ++msgid "while constructing my service realm" ++msgstr "beim Erstellen meines Dienst-Realms" ++ ++#: ../../src/slave/kpropd.c:1175 ++msgid "while allocating filename for temp file" ++msgstr "beim 
Reservieren des Dateinamens für die temporäre Datei" ++ ++#: ../../src/slave/kpropd.c:1181 ++msgid "while initializing" ++msgstr "bei der Initialisierung" ++ ++#: ../../src/slave/kpropd.c:1189 ++msgid "Unable to map log!\n" ++msgstr "Protokoll kann nicht abgebildet werden!\n" ++ ++#: ../../src/slave/kpropd.c:1235 ++#, c-format ++msgid "Error in krb5_auth_con_ini: %s" ++msgstr "Fehler in »krb5_auth_con_ini«: %s" ++ ++#: ../../src/slave/kpropd.c:1243 ++#, c-format ++msgid "Error in krb5_auth_con_setflags: %s" ++msgstr "Fehler in »krb5_auth_con_setflags«: %s" ++ ++#: ../../src/slave/kpropd.c:1251 ++#, c-format ++msgid "Error in krb5_auth_con_setaddrs: %s" ++msgstr "Fehler in »krb5_auth_con_setaddrs«: %s" ++ ++#: ../../src/slave/kpropd.c:1259 ++#, c-format ++msgid "Error in krb5_kt_resolve: %s" ++msgstr "Fehler in »krb5_kt_resolve«: %s" ++ ++#: ../../src/slave/kpropd.c:1268 ++#, c-format ++msgid "Error in krb5_recvauth: %s" ++msgstr "Fehler in »krb5_recvauth«: %s" ++ ++#: ../../src/slave/kpropd.c:1275 ++#, c-format ++msgid "Error in krb5_copy_prinicpal: %s" ++msgstr "Fehler in »krb5_copy_prinicpal«: %s" ++ ++#: ../../src/slave/kpropd.c:1291 ++msgid "while unparsing ticket etype" ++msgstr "beim Rückgängigmachen der Auswertung des »etype«s des Tickets" ++ ++#: ../../src/slave/kpropd.c:1295 ++#, c-format ++msgid "authenticated client: %s (etype == %s)\n" ++msgstr "Authentifizierter Client: %s (etype == %s)\n" ++ ++#: ../../src/slave/kpropd.c:1374 ++msgid "while reading size of database from client" ++msgstr "beim Lesen der Datenbankgröße vom Client" ++ ++#: ../../src/slave/kpropd.c:1384 ++msgid "while decoding database size from client" ++msgstr "beim Dekodieren der Datenbankgröße vom Client" ++ ++#: ../../src/slave/kpropd.c:1397 ++msgid "while initializing i_vector" ++msgstr "beim Initialisieren von »i_vector«" ++ ++#: ../../src/slave/kpropd.c:1402 ++#, c-format ++msgid "Full propagation transfer started.\n" ++msgstr "vollständige Verbreitungsübertragung gestartet\n" ++ 
++#: ../../src/slave/kpropd.c:1455
++#, c-format
++msgid "Full propagation transfer finished.\n"
++msgstr "vollständige Verbreitungsübertragung beendet\n"
++
++#: ../../src/slave/kpropd.c:1516
++msgid "while decoding error packet from client"
++msgstr "beim Dekodieren des Fehlerpakets vom Client"
++
++#: ../../src/slave/kpropd.c:1525
++msgid "signaled from server"
++msgstr "signalisiert vom Server"
++
++#: ../../src/slave/kpropd.c:1527
++#, c-format
++msgid "Error text from client: %s\n"
++msgstr "Fehlermeldung vom Client: %s\n"
++
++#: ../../src/slave/kpropd.c:1576
++#, c-format
++msgid "while trying to fork %s"
++msgstr "beim Versuch, einen Kindprozess von %s zu erzeugen"
++
++#: ../../src/slave/kpropd.c:1580
++#, c-format
++msgid "while trying to exec %s"
++msgstr "beim Versuch, %s auszuführen"
++
++#: ../../src/slave/kpropd.c:1587
++#, c-format
++msgid "while waiting for %s"
++msgstr "beim Warten auf %s"
++
++#: ../../src/slave/kpropd.c:1593
++#, c-format
++msgid "%s load terminated"
++msgstr "Laden von %s beendet"
++
++#: ../../src/slave/kpropd.c:1599
++#, c-format
++msgid "%s returned a bad exit status (%d)"
++msgstr "%s gab einen falschen Exit-Status (%d) zurück"
++
++#: ../../src/slave/kproplog.c:27
++#, c-format
++msgid ""
++"\n"
++"Usage: %s [-h] [-v] [-v] [-e num]\n"
++"\t%s -R\n"
++"\n"
++msgstr ""
++"\n"
++"Aufruf: %s [-h] [-v] [-v] [-e Zahl]\n"
++"\t%s -R\n"
++"\n"
++
++#: ../../src/slave/kproplog.c:129
++#, c-format
++msgid ""
++"\n"
++"Couldn't allocate memory"
++msgstr ""
++"\n"
++"Speicher konnte nicht reserviert werden"
++
++#: ../../src/slave/kproplog.c:223
++#, c-format
++msgid "\t\tAttribute flags\n"
++msgstr "\t\tAttributschalter\n"
++
++#: ../../src/slave/kproplog.c:228
++#, c-format
++msgid "\t\tMaximum ticket life\n"
++msgstr "\t\tmaximale Ticketlebensdauer\n"
++
++#: ../../src/slave/kproplog.c:233
++#, c-format
++msgid "\t\tMaximum renewable life\n"
++msgstr "\t\tmaximale verlängerbare Lebensdauer\n"
++
++#: ../../src/slave/kproplog.c:238
++#, c-format ++msgid "\t\tPrincipal expiration\n" ++msgstr "\t\tAblauf des Principals\n" ++ ++#: ../../src/slave/kproplog.c:243 ++#, c-format ++msgid "\t\tPassword expiration\n" ++msgstr "\t\tAblauf des Passworts\n" ++ ++#: ../../src/slave/kproplog.c:248 ++#, c-format ++msgid "\t\tLast successful auth\n" ++msgstr "\t\tletzte erfolgreiche Authentifizierung\n" ++ ++#: ../../src/slave/kproplog.c:253 ++#, c-format ++msgid "\t\tLast failed auth\n" ++msgstr "\t\tletzte fehlgeschlagene Authentifizierung\n" ++ ++#: ../../src/slave/kproplog.c:258 ++#, c-format ++msgid "\t\tFailed passwd attempt\n" ++msgstr "\t\tfehlgeschlagener Passwortversuch\n" ++ ++#: ../../src/slave/kproplog.c:263 ++#, c-format ++msgid "\t\tPrincipal\n" ++msgstr "\t\tPrincipal\n" ++ ++#: ../../src/slave/kproplog.c:268 ++#, c-format ++msgid "\t\tKey data\n" ++msgstr "\t\tSchlüsseldaten\n" ++ ++#: ../../src/slave/kproplog.c:275 ++#, c-format ++msgid "\t\tTL data\n" ++msgstr "\t\tTL-Daten\n" ++ ++#: ../../src/slave/kproplog.c:282 ++#, c-format ++msgid "\t\tLength\n" ++msgstr "\t\tLänge\n" ++ ++#: ../../src/slave/kproplog.c:287 ++#, c-format ++msgid "\t\tPassword last changed\n" ++msgstr "\t\tletzte Passwortänderung\n" ++ ++#: ../../src/slave/kproplog.c:292 ++#, c-format ++msgid "\t\tModifying principal\n" ++msgstr "\t\ttPrincipal wird geändert\n" ++ ++#: ../../src/slave/kproplog.c:297 ++#, c-format ++msgid "\t\tModification time\n" ++msgstr "\t\tÄnderungszeit\n" ++ ++#: ../../src/slave/kproplog.c:302 ++#, c-format ++msgid "\t\tModified where\n" ++msgstr "\t\tGeändert wobei\n" ++ ++#: ../../src/slave/kproplog.c:307 ++#, c-format ++msgid "\t\tPassword policy\n" ++msgstr "\t\tPasswortrichtlinie\n" ++ ++#: ../../src/slave/kproplog.c:312 ++#, c-format ++msgid "\t\tPassword policy switch\n" ++msgstr "\t\tPasswortrichtlinienumschalter\n" ++ ++#: ../../src/slave/kproplog.c:317 ++#, c-format ++msgid "\t\tPassword history KVNO\n" ++msgstr "\t\tPasswortchronik KVNO\n" ++ ++#: ../../src/slave/kproplog.c:322 ++#, 
c-format ++msgid "\t\tPassword history\n" ++msgstr "\t\tPasswortchronik\n" ++ ++#: ../../src/slave/kproplog.c:356 ++#, c-format ++msgid "" ++"Corrupt update entry\n" ++"\n" ++msgstr "" ++"beschädigter Aktualisierungseintrag\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:364 ++#, c-format ++msgid "" ++"Entry data decode failure\n" ++"\n" ++msgstr "" ++"Dekodieren der eingetragenen Daten fehlgeschlagen\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:369 ++#, c-format ++msgid "Update Entry\n" ++msgstr "Aktualisierungseintrag\n" ++ ++#: ../../src/slave/kproplog.c:371 ++#, c-format ++msgid "\tUpdate serial # : %u\n" ++msgstr "\tAktualisierung der Seriennummer: %u\n" ++ ++#: ../../src/slave/kproplog.c:373 ++#, c-format ++msgid "\tUpdate operation : " ++msgstr "\tAktualisierungsaktion: " ++ ++#: ../../src/slave/kproplog.c:375 ++#, c-format ++msgid "Delete\n" ++msgstr "Löschen\n" ++ ++#: ../../src/slave/kproplog.c:377 ++#, c-format ++msgid "Add\n" ++msgstr "Hinzufügen\n" ++ ++#: ../../src/slave/kproplog.c:381 ++#, c-format ++msgid "" ++"Could not allocate principal name\n" ++"\n" ++msgstr "" ++"Der Principal-Name konnte nicht reserviert werden.\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:387 ++#, c-format ++msgid "\tUpdate principal : %s\n" ++msgstr "\tAktualisierung des Principals: %s\n" ++ ++#: ../../src/slave/kproplog.c:389 ++#, c-format ++msgid "\tUpdate size : %u\n" ++msgstr "\tGröße der Aktualisierung: %u\n" ++ ++#: ../../src/slave/kproplog.c:390 ++#, c-format ++msgid "\tUpdate committed : %s\n" ++msgstr "\tAktualisierung übergeben: %s\n" ++ ++#: ../../src/slave/kproplog.c:394 ++#, c-format ++msgid "\tUpdate time stamp : None\n" ++msgstr "\tZeitstempel der Aktualisierung: keiner\n" ++ ++#: ../../src/slave/kproplog.c:396 ++#, c-format ++msgid "\tUpdate time stamp : %s" ++msgstr "\tZeitstempel der Aktualisierung: %s" ++ ++#: ../../src/slave/kproplog.c:400 ++#, c-format ++msgid "\tAttributes changed : %d\n" ++msgstr "\tgeänderte Attribute: %d\n" ++ ++#: 
../../src/slave/kproplog.c:465 ++#, c-format ++msgid "" ++"Unable to initialize Kerberos\n" ++"\n" ++msgstr "" ++"Kerberos kann nicht initialisiert werden\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:472 ++#, c-format ++msgid "" ++"Couldn't read database_name\n" ++"\n" ++msgstr "" ++"»database_name« kann nicht gelesen werden\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:476 ++#, c-format ++msgid "" ++"\n" ++"Kerberos update log (%s)\n" ++msgstr "" ++"\n" ++"Kerberos-Aktualisierungsprotokoll (%s)\n" ++ ++#: ../../src/slave/kproplog.c:480 ../../src/slave/kproplog.c:495 ++#, c-format ++msgid "" ++"Unable to map log file %s\n" ++"\n" ++msgstr "" ++"Protokolldatei %s kann nicht abgebildet werden\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:485 ++#, c-format ++msgid "" ++"Couldn't reinitialize ulog file %s\n" ++"\n" ++msgstr "" ++"Ulog-Datei %s konnte nicht neu initialisiert werden\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:489 ++#, c-format ++msgid "Reinitialized the ulog.\n" ++msgstr "Das Ulog wurde neu initialisiert.\n" ++ ++#: ../../src/slave/kproplog.c:501 ++#, c-format ++msgid "" ++"Corrupt header log, exiting\n" ++"\n" ++msgstr "" ++"beschädigtes Kopfzeilenprotokoll, wird beendet\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:505 ++#, c-format ++msgid "Update log dump :\n" ++msgstr "Aktualisierungsprotokollauszug :\n" ++ ++#: ../../src/slave/kproplog.c:506 ++#, c-format ++msgid "\tLog version # : %u\n" ++msgstr "\tProtokollversion #: %u\n" ++ ++#: ../../src/slave/kproplog.c:507 ++#, c-format ++msgid "\tLog state : " ++msgstr "\tProtokollstatus: " ++ ++#: ../../src/slave/kproplog.c:510 ++#, c-format ++msgid "Stable\n" ++msgstr "stabil\n" ++ ++#: ../../src/slave/kproplog.c:513 ++#, c-format ++msgid "Unstable\n" ++msgstr "instabil\n" ++ ++#: ../../src/slave/kproplog.c:516 ++#, c-format ++msgid "Corrupt\n" ++msgstr "beschädigt\n" ++ ++#: ../../src/slave/kproplog.c:519 ++#, c-format ++msgid "Unknown state: %d\n" ++msgstr "unbekannter Status: %d\n" ++ ++#: 
../../src/slave/kproplog.c:522 ++#, c-format ++msgid "\tEntry block size : %u\n" ++msgstr "\tBlockgrößeneintrag: %u\n" ++ ++#: ../../src/slave/kproplog.c:523 ++#, c-format ++msgid "\tNumber of entries : %u\n" ++msgstr "\tAnzahl der Einträge: %u\n" ++ ++#: ../../src/slave/kproplog.c:526 ++#, c-format ++msgid "\tLast serial # : None\n" ++msgstr "\tletzte Seriennummer: keine\n" ++ ++#: ../../src/slave/kproplog.c:529 ++#, c-format ++msgid "\tFirst serial # : None\n" ++msgstr "\terste Seriennummer: keine\n" ++ ++#: ../../src/slave/kproplog.c:531 ++#, c-format ++msgid "\tFirst serial # : " ++msgstr "\terste Seriennummer: " ++ ++#: ../../src/slave/kproplog.c:535 ++#, c-format ++msgid "\tLast serial # : " ++msgstr "\tletzte Seriennummer: " ++ ++#: ../../src/slave/kproplog.c:540 ++#, c-format ++msgid "\tLast time stamp : None\n" ++msgstr "\tletzter Zeitstempel: keiner\n" ++ ++#: ../../src/slave/kproplog.c:543 ++#, c-format ++msgid "\tFirst time stamp : None\n" ++msgstr "\terster Zeitstempel: keiner\n" ++ ++#: ../../src/slave/kproplog.c:545 ++#, c-format ++msgid "\tFirst time stamp : %s" ++msgstr "\terster Zeitstempel: %s" ++ ++#: ../../src/slave/kproplog.c:549 ++#, c-format ++msgid "\tLast time stamp : %s\n" ++msgstr "\tletzter Zeitstempel: %s\n" ++ ++#: ../../src/util/support/errors.c:77 ++msgid "Kerberos library initialization failure" ++msgstr "Initialisieren der Kerberos-Bibliothek fehlgeschlagen" ++ ++#: ../../src/util/support/errors.c:93 ++#, c-format ++msgid "error %ld" ++msgstr "Fehler %ld" ++ ++#: ../../src/util/support/plugins.c:186 ++#, c-format ++msgid "unable to find plugin [%s]: %s" ++msgstr "Erweiterung [%s] konnte nicht gefunden werden: %s" ++ ++#: ../../src/util/support/plugins.c:274 ++msgid "unknown failure" ++msgstr "unbekannter Fehlschlag" ++ ++#: ../../src/util/support/plugins.c:277 ++#, c-format ++msgid "unable to load plugin [%s]: %s" ++msgstr "Erweiterung [%s] konnte nicht geladen werden: %s" ++ ++#: ../../src/util/support/plugins.c:300 ++#, c-format 
++msgid "unable to load DLL [%s]"
++msgstr "DLL [%s] konnte nicht geladen werden"
++
++#: ../../src/util/support/plugins.c:316
++#, c-format
++msgid "plugin unavailable: %s"
++msgstr "Erweiterung nicht verfügbar: %s"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:23
++msgid "No @ in SERVICE-NAME name string"
++msgstr "keine @ in der Namenszeichenkette SERVICE-NAME"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:24
++msgid "STRING-UID-NAME contains nondigits"
++msgstr "STRING-UID-NAME enthält etwas anderes als Ziffern"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:25
++msgid "UID does not resolve to username"
++msgstr "UID lässt sich nicht zu Benutzernamen ermitteln"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:26
++msgid "Validation error"
++msgstr "Überprüfungsfehler"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:27
++msgid "Couldn't allocate gss_buffer_t data"
++msgstr "»gss_buffer_t«-Daten konnten reserviert werden"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:28
++msgid "Message context invalid"
++msgstr "Nachrichtenkontext ungültig"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:29
++msgid "Buffer is the wrong size"
++msgstr "Puffer hat die falsche Größe"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:30
++msgid "Credential usage type is unknown"
++msgstr "Typ des Anmeldedatenaufrufs ist unbekannt"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:31
++msgid "Unknown quality of protection specified"
++msgstr "unbekannte Schutzqualität angegeben"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:32
++msgid "Local host name could not be determined"
++msgstr "lokaler Rechnername konnte nicht bestimmt werden"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:33
++msgid "Hostname in SERVICE-NAME string could not be canonicalized"
++msgstr ""
++"Rechnername in der Zeichenkette »SERVICE-NAME« konnte nicht in Normalform "
++"gebracht werden"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:34
++msgid "Mechanism is incorrect"
++msgstr "Mechanismus ist nicht korrekt"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:35
++msgid "Token header is malformed or corrupt"
++msgstr "Token-Kopfzeilen haben die falsche Form oder sind beschädigt"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:36
++msgid "Packet was replayed in wrong direction"
++msgstr "Paket wurde in falscher Richtung erneut abgespielt"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:37
++msgid "Token is missing data"
++msgstr "dem Token fehlen Daten"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:38
++msgid "Token was reflected"
++msgstr "Token wurde zurückgeworfen"
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:39
++msgid "Received token ID does not match expected token ID"
++msgstr "Die empfangene Token-Kennung passt nicht zur erwarteten Token-Kennung."
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:40
++msgid "The given credential's usage does not match the requested usage"
++msgstr ""
++"Die Verwendung der angegebenen Anmeldedaten passt nicht zur angeforderten "
++"Verwendung."
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:41
++msgid "Storing of acceptor credentials is not supported by the mechanism"
++msgstr ""
++"Das Speichern von Abnehmeranmeldedaten wird nicht durch den Mechanismus "
++"unterstützt."
++
++#: ../lib/gssapi/generic/gssapi_err_generic.c:42
++msgid "Storing of non-default credentials is not supported by the mechanism"
++msgstr ""
++"Das Speichern von Nichtstandardanmeldedaten wird nicht durch den Mechanismus "
++"unterstützt."
++
++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:23
++msgid "Principal in credential cache does not match desired name"
++msgstr ""
++"Principal im Anmeldedatenzwischenspeicher entspricht nicht dem gewünschten "
++"Namen"
++
++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:24
++msgid "No principal in keytab matches desired name"
++msgstr "Kein Principal in der Schlüsseltabelle passt zum gewünschten Namen."
++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:25 ++msgid "Credential cache has no TGT" ++msgstr "Anmeldedatenzwischenspeicher hat kein TGT" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:26 ++msgid "Authenticator has no subkey" ++msgstr "Schlüsselziffer hat keinen Unterschlüssel" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:27 ++msgid "Context is already fully established" ++msgstr "Kontext wurde bereits vollständig eingerichtet" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:28 ++msgid "Unknown signature type in token" ++msgstr "unbekannter Signaturtyp im Token" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:29 ++msgid "Invalid field length in token" ++msgstr "falsche Feldlänge im Token" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:30 ++msgid "Attempt to use incomplete security context" ++msgstr "" ++"Es wurde versucht, einen unvollständigen Sicherheitskontext zu verwenden." ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:31 ++msgid "Bad magic number for krb5_gss_ctx_id_t" ++msgstr "falsche Magische Zahl für »krb5_gss_ctx_id_t«" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:32 ++msgid "Bad magic number for krb5_gss_cred_id_t" ++msgstr "falsche Magische Zahl für »krb5_gss_cred_id_t«" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:33 ++msgid "Bad magic number for krb5_gss_enc_desc" ++msgstr "falsche Magische Zahl für »krb5_gss_enc_desc«" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:34 ++msgid "Sequence number in token is corrupt" ++msgstr "Sequnznummer im Token ist beschädigt" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:35 ++msgid "Credential cache is empty" ++msgstr "Anmeldedatenzwischenspeicher ist leer" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:36 ++msgid "Acceptor and Initiator share no checksum types" ++msgstr "Abnehmer und Initiator haben keinen gemeinsamen Prüfsummentyp" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:37 ++msgid "Requested lucid context version not supported" ++msgstr "angeforderte »lucid«-Kontextversion nicht unterstützt" ++ ++# PRF = Pseudo Random 
Function ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:38 ++msgid "PRF input too long" ++msgstr "PRF-Eingabe zu lang" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:39 ++msgid "Bad magic number for iakerb_ctx_id_t" ++msgstr "falsche Magische Zahl für »iakerb_ctx_id_t«" ++ ++#: ../lib/kadm5/chpass_util_strings.c:23 ++msgid "while getting policy info." ++msgstr "beim Holen der Richtlinieninformation." ++ ++#: ../lib/kadm5/chpass_util_strings.c:24 ++msgid "while getting principal info." ++msgstr "beim Holen der Principal-Information." ++ ++#: ../lib/kadm5/chpass_util_strings.c:25 ++msgid "New passwords do not match - password not changed.\n" ++msgstr "neue Passwörter stimmen nicht überein – Passwort nicht geändert\n" ++ ++#: ../lib/kadm5/chpass_util_strings.c:26 ++msgid "New password" ++msgstr "neues Passwort" ++ ++#: ../lib/kadm5/chpass_util_strings.c:27 ++msgid "New password (again)" ++msgstr "neues Passwort (erneut)" ++ ++#: ../lib/kadm5/chpass_util_strings.c:28 ++msgid "" ++"You must type a password. Passwords must be at least one character long.\n" ++msgstr "" ++"Sie müssen ein Passwort eingeben. Passwörter müssen mindestens ein Zeichen " ++"lang sein.\n" ++ ++#: ../lib/kadm5/chpass_util_strings.c:29 ++msgid "yet no policy set! Contact your system security administrator." ++msgstr "" ++"noch keine Richtlinie gesetzt! Kontaktieren Sie Ihren " ++"Systemsicherheitsadministrator" ++ ++#: ../lib/kadm5/chpass_util_strings.c:31 ++msgid "" ++"New password was found in a dictionary of possible passwords and\n" ++"therefore may be easily guessed. Please choose another password.\n" ++"See the kpasswd man page for help in choosing a good password." ++msgstr "" ++"Das neue Passwort wurde in einem Wörterbuch mit möglichen Passwörtern " ++"gefunden\n" ++"und kann daher leicht erraten werden. Bitte wählen Sie ein anderes " ++"Passwort.\n" ++"Hilfe bei der Wahl guter Passwörter finden Sie in der Handbuchseite von\n" ++"»kpasswd«." 
++
++#: ../lib/kadm5/chpass_util_strings.c:32
++msgid "Password not changed."
++msgstr "Passwort nicht geändert"
++
++#: ../lib/kadm5/chpass_util_strings.c:33
++#, c-format
++msgid ""
++"New password is too short.\n"
++"Please choose a password which is at least %d characters long."
++msgstr ""
++"Das neue Passwort ist zu kurz.\n"
++"Bitte wählen Sie ein Passwort, das mindestens %d Zeichen lang ist."
++
++#: ../lib/kadm5/chpass_util_strings.c:34
++#, c-format
++msgid ""
++"New password does not have enough character classes.\n"
++"The character classes are:\n"
++"\t- lower-case letters,\n"
++"\t- upper-case letters,\n"
++"\t- digits,\n"
++"\t- punctuation, and\n"
++"\t- all other characters (e.g., control characters).\n"
++"Please choose a password with at least %d character classes."
++msgstr ""
++"Das neue Passwort besteht aus zu wenigen Zeichenklassen.\n"
++"Die Zeichenklassen sind:\n"
++"\t- Kleinbuchstaben,\n"
++"\t- Großbuchstaben,\n"
++"\t- Ziffern,\n"
++"\t- Satzzeichen und\n"
++"\t- alle anderen Zeichen (z.B. Steuerzeichen).\n"
++"Bitte wählen Sie ein Passwort mit mindestens %d Zeichenklassen."
++
++#: ../lib/kadm5/chpass_util_strings.c:35
++#, c-format
++msgid ""
++"Password cannot be changed because it was changed too recently.\n"
++"Please wait until %s before you change it.\n"
++"If you need to change your password before then, contact your system\n"
++"security administrator."
++msgstr ""
++"Das Passwort kann nicht geändert werden, da es erst vor kurzem geändert "
++"wurde.\n"
++"Bitte warten Sie bis %s, ehe Sie es ändern.\n"
++"Falls Sie es vorher ändern müssen, kontaktieren Sie Ihren\n"
++"Systemsicherheitsadministrator."
++
++#: ../lib/kadm5/chpass_util_strings.c:36
++msgid "New password was used previously. Please choose a different password."
++msgstr ""
++"Das neue Passwort wurde zuvor schon benutzt. Bitte wählen Sie ein anderes "
++"Passwort."
++
++#: ../lib/kadm5/chpass_util_strings.c:37
++msgid "while trying to change password."
++msgstr "beim Versuch, das Passwort zu ändern."
++
++#: ../lib/kadm5/chpass_util_strings.c:38
++msgid "while reading new password."
++msgstr "beim Lesen des neuen Passworts."
++
++#: ../lib/kadm5/kadm_err.c:23
++msgid "Operation failed for unspecified reason"
++msgstr "Aktion aus nicht näher beschriebenem Grund fehlgeschlagen"
++
++#: ../lib/kadm5/kadm_err.c:24
++msgid "Operation requires ``get'' privilege"
++msgstr "Aktion erfordert »get«-Recht"
++
++#: ../lib/kadm5/kadm_err.c:25
++msgid "Operation requires ``add'' privilege"
++msgstr "Aktion erfordert »add«-Recht"
++
++#: ../lib/kadm5/kadm_err.c:26
++msgid "Operation requires ``modify'' privilege"
++msgstr "Aktion erfordert »modify«-Recht"
++
++#: ../lib/kadm5/kadm_err.c:27
++msgid "Operation requires ``delete'' privilege"
++msgstr "Aktion erfordert »delete«-Recht"
++
++#: ../lib/kadm5/kadm_err.c:28
++msgid "Insufficient authorization for operation"
++msgstr "unzureichende Berechtigung für diese Aktion"
++
++#: ../lib/kadm5/kadm_err.c:29 ../lib/kdb/adb_err.c:29
++msgid "Database inconsistency detected"
++msgstr "Datenbankinkonsistenz entdeckt"
++
++#: ../lib/kadm5/kadm_err.c:30 ../lib/kdb/adb_err.c:24
++msgid "Principal or policy already exists"
++msgstr "Principal oder Richtlinie existiert bereits"
++
++#: ../lib/kadm5/kadm_err.c:31
++msgid "Communication failure with server"
++msgstr "Kommunikation mit dem Server fehlgeschlagen"
++
++#: ../lib/kadm5/kadm_err.c:32
++msgid "No administration server found for realm"
++msgstr "kein Administrationsserver für den Realm gefunden"
++
++#: ../lib/kadm5/kadm_err.c:33
++msgid "Password history principal key version mismatch"
++msgstr "Die Passwortchronikschlüssel des Principals passen nicht zusammen."
++
++#: ../lib/kadm5/kadm_err.c:34
++msgid "Connection to server not initialized"
++msgstr "Verbindung zum Server nicht initialisiert"
++
++#: ../lib/kadm5/kadm_err.c:35
++msgid "Principal does not exist"
++msgstr "Principal existiert nicht"
++
++#: ../lib/kadm5/kadm_err.c:36
++msgid "Policy does not exist"
++msgstr "Richtlinie existiert nicht"
++
++#: ../lib/kadm5/kadm_err.c:37
++msgid "Invalid field mask for operation"
++msgstr "ungültige Feldmaske für Aktion"
++
++#: ../lib/kadm5/kadm_err.c:38
++msgid "Invalid number of character classes"
++msgstr "ungültige Anzahl von Zeichenklassen"
++
++#: ../lib/kadm5/kadm_err.c:39
++msgid "Invalid password length"
++msgstr "ungültige Passwortlänge"
++
++#: ../lib/kadm5/kadm_err.c:40
++msgid "Illegal policy name"
++msgstr "unzulässiger Richtlinienname"
++
++#: ../lib/kadm5/kadm_err.c:41
++msgid "Illegal principal name"
++msgstr "unzulässiger Principal-Name"
++
++# FIXME s/auxillary/auxilary/
++#: ../lib/kadm5/kadm_err.c:42
++msgid "Invalid auxillary attributes"
++msgstr "ungültige Zusatzattribute"
++
++#: ../lib/kadm5/kadm_err.c:43
++msgid "Invalid password history count"
++msgstr "ungültige Passwortchronikanzahl"
++
++#: ../lib/kadm5/kadm_err.c:44
++msgid "Password minimum life is greater than password maximum life"
++msgstr "Die minimale Lebensdauer des Passworts ist größer als die maximale."
++
++#: ../lib/kadm5/kadm_err.c:45
++msgid "Password is too short"
++msgstr "Das Passwort ist zu kurz."
++
++#: ../lib/kadm5/kadm_err.c:46
++msgid "Password does not contain enough character classes"
++msgstr "Das Passwort enthält nicht genug Zeichenklassen."
++
++#: ../lib/kadm5/kadm_err.c:47
++msgid "Password is in the password dictionary"
++msgstr "Das Passwort steht im Passwortwörterbuch."
++
++#: ../lib/kadm5/kadm_err.c:48
++msgid "Cannot reuse password"
++msgstr "Das Passwort kann nicht erneut verwendet werden."
++ ++#: ../lib/kadm5/kadm_err.c:49 ++msgid "Current password's minimum life has not expired" ++msgstr "Die aktuell minimale Lebensdauer des Passworts ist nicht abgelaufen." ++ ++#: ../lib/kadm5/kadm_err.c:50 ../lib/krb5/error_tables/kdb5_err.c:67 ++msgid "Policy is in use" ++msgstr "Richtlinie ist in Benutzung" ++ ++#: ../lib/kadm5/kadm_err.c:51 ++msgid "Connection to server already initialized" ++msgstr "Verbindung zum Server ist bereits initialisiert" ++ ++#: ../lib/kadm5/kadm_err.c:52 ++msgid "Incorrect password" ++msgstr "falsches Passwort" ++ ++#: ../lib/kadm5/kadm_err.c:53 ++msgid "Cannot change protected principal" ++msgstr "geschützter Principal kann nicht geändert werden" ++ ++#: ../lib/kadm5/kadm_err.c:54 ++msgid "Programmer error! Bad Admin server handle" ++msgstr "Fehler des Programmierers! Falscher Admin-Server-Identifikator" ++ ++#: ../lib/kadm5/kadm_err.c:55 ++msgid "Programmer error! Bad API structure version" ++msgstr "Fehler des Programmierers! Falsche API-Strukturversion" ++ ++#: ../lib/kadm5/kadm_err.c:56 ++msgid "" ++"API structure version specified by application is no longer supported (to " ++"fix, recompile application against current KADM5 API header files and " ++"libraries)" ++msgstr "" ++"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger " ++"unterstützt. (Kompilieren Sie die Anwendung mit den aktuellen KADM5-API-" ++"Header-Dateien und -Bibliotheken, um dies zu beheben.)" ++ ++#: ../lib/kadm5/kadm_err.c:57 ++msgid "" ++"API structure version specified by application is unknown to libraries (to " ++"fix, obtain current KADM5 API header files and libraries and recompile " ++"application)" ++msgstr "" ++"Die von der Anwendung angegebene Version der API-Struktur ist den " ++"Bibliotheken unbekannt. (Besorgen Sie sich die aktuellen KADM5-API-Header-" ++"Dateien und -Bibliotheken und kompilieren Sie die Anwendung neu, um dies zu " ++"beheben.)" ++ ++#: ../lib/kadm5/kadm_err.c:58 ++msgid "Programmer error! 
Bad API version" ++msgstr "Fehler des Programmierers! Falsche API-Version" ++ ++#: ../lib/kadm5/kadm_err.c:59 ++msgid "" ++"API version specified by application is no longer supported by libraries (to " ++"fix, update application to adhere to current API version and recompile)" ++msgstr "" ++"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger " ++"von den Bibliotheken unterstützt. (Aktualisieren Sie die Anwendung, dass sie " ++"zu der aktuellen API-Version passt, und kompilieren Sie sie, um dies zu " ++"beheben.)" ++ ++#: ../lib/kadm5/kadm_err.c:60 ++msgid "" ++"API version specified by application is no longer supported by server (to " ++"fix, update application to adhere to current API version and recompile)" ++msgstr "" ++"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger " ++"vom Server unterstützt. (Aktualisieren Sie die Anwendung, dass sie zu der " ++"aktuellen API-Version passt, und kompilieren Sie sie, um dies zu beheben.)" ++ ++#: ../lib/kadm5/kadm_err.c:61 ++msgid "" ++"API version specified by application is unknown to libraries (to fix, obtain " ++"current KADM5 API header files and libraries and recompile application)" ++msgstr "" ++"Die von der Anwendung angegebenene API-Version ist den Bibliotheken " ++"unbekannt. (Besorgen Sie sich die aktuellen KADM5-API-Header-Dateien und -" ++"Bibliotheken und kompilieren Sie die Anwendung neu, um dies zu beheben.)" ++ ++#: ../lib/kadm5/kadm_err.c:62 ++msgid "" ++"API version specified by application is unknown to server (to fix, obtain " ++"and install newest KADM5 Admin Server)" ++msgstr "" ++"Die von der Anwendung angegebene API-Version ist dem Server unbekannt. " ++"(Besorgen und installieren Sie sich den neuesten KADM5-Admin-Server, um dies " ++"zu beheben.)" ++ ++#: ../lib/kadm5/kadm_err.c:63 ++msgid "Database error! Required KADM5 principal missing" ++msgstr "Datenbankfehler! 
Erforderlicher KADM5-Principal fehlt" ++ ++#: ../lib/kadm5/kadm_err.c:64 ++msgid "The salt type of the specified principal does not support renaming" ++msgstr "Der Salt-Typ des angegebenen Principals unterstützt kein Umbenennen." ++ ++#: ../lib/kadm5/kadm_err.c:65 ++msgid "Illegal configuration parameter for remote KADM5 client" ++msgstr "widerrechtlicher Konfigurationsparameter für fernen KADM5-Client" ++ ++#: ../lib/kadm5/kadm_err.c:66 ++msgid "Illegal configuration parameter for local KADM5 client" ++msgstr "widerrechtlicher Konfigurationsparameter für lokalen KADM5-Client" ++ ++#: ../lib/kadm5/kadm_err.c:67 ++msgid "Operation requires ``list'' privilege" ++msgstr "Aktion erfordert das »list«-Recht" ++ ++#: ../lib/kadm5/kadm_err.c:68 ++msgid "Operation requires ``change-password'' privilege" ++msgstr "Aktion erfordert das »change-password«-Recht" ++ ++#: ../lib/kadm5/kadm_err.c:69 ++msgid "GSS-API (or Kerberos) error" ++msgstr "GSS-API- (oder Kerberos-) Fehler" ++ ++#: ../lib/kadm5/kadm_err.c:70 ++msgid "Programmer error! Illegal tagged data list type" ++msgstr "" ++"Fehler des Programmierers! 
Widerrechlicher Listentyp für gekennzeichnete " ++"Daten" ++ ++#: ../lib/kadm5/kadm_err.c:71 ++msgid "Required parameters in kdc.conf missing" ++msgstr "erforderliche Parameter in »kdc.conf« fehlen" ++ ++#: ../lib/kadm5/kadm_err.c:72 ++msgid "Bad krb5 admin server hostname" ++msgstr "falscher Rechnername des KRB5-Admin-Servers" ++ ++#: ../lib/kadm5/kadm_err.c:73 ++msgid "Operation requires ``set-key'' privilege" ++msgstr "Aktion erfordert das »set-key«-Recht" ++ ++#: ../lib/kadm5/kadm_err.c:74 ++msgid "Multiple values for single or folded enctype" ++msgstr "" ++"mehrere Werte für einzelnen Verschlüsselungstyp oder Verschlüsselungstyp mit " ++"Salt" ++ ++#: ../lib/kadm5/kadm_err.c:75 ++msgid "Invalid enctype for setv4key" ++msgstr "widerrechtlicher Verschlüsselungstyp für Setv4key" ++ ++#: ../lib/kadm5/kadm_err.c:76 ++msgid "Mismatched enctypes for setkey3" ++msgstr "nicht zusammenpassende Verschlüsselungstypen für Setkey3" ++ ++#: ../lib/kadm5/kadm_err.c:77 ++msgid "Missing parameters in krb5.conf required for kadmin client" ++msgstr "für Kadmin-Client benötigte Parameter fehlen in »krb5.conf«" ++ ++#: ../lib/kadm5/kadm_err.c:78 ../lib/kdb/adb_err.c:30 ++msgid "XDR encoding error" ++msgstr "XDR-Verschlüsselungsfehler" ++ ++#: ../lib/kadm5/kadm_err.c:79 ++msgid "Cannot resolve network address for admin server in requested realm" ++msgstr "" ++"Die Netzwerkadresse für den Admin-Server im angeforderten Realm kann nicht " ++"aufgelöst werden." 
++ ++#: ../lib/kadm5/kadm_err.c:80 ++msgid "Unspecified password quality failure" ++msgstr "nicht näher angegebener Passwortqualitätsfehlschlag" ++ ++#: ../lib/kadm5/kadm_err.c:81 ++msgid "Invalid key/salt tuples" ++msgstr "ungültige Schlüssel-/Salt-Tupel" ++ ++#: ../lib/kdb/adb_err.c:23 ++msgid "No Error" ++msgstr "kein Fehler" ++ ++#: ../lib/kdb/adb_err.c:25 ++msgid "Principal or policy does not exist" ++msgstr "Principal oder Richtlinie existiert nicht" ++ ++#: ../lib/kdb/adb_err.c:26 ++msgid "Database not initialized" ++msgstr "Datenbank nicht initialisiert" ++ ++#: ../lib/kdb/adb_err.c:27 ++msgid "Invalid policy name" ++msgstr "ungültiger Richtlinienname" ++ ++#: ../lib/kdb/adb_err.c:28 ++msgid "Invalid principal name" ++msgstr "ungültiger Principal-Name" ++ ++#: ../lib/kdb/adb_err.c:31 ++msgid "Failure!" ++msgstr "Fehlschlag!" ++ ++#: ../lib/kdb/adb_err.c:32 ++msgid "Bad lock mode" ++msgstr "falscher Sperrmodus" ++ ++#: ../lib/kdb/adb_err.c:33 ++msgid "Cannot lock database" ++msgstr "Datenbank kann nicht gesperrt werden" ++ ++#: ../lib/kdb/adb_err.c:34 ++msgid "Database not locked" ++msgstr "Datenbank nicht gesperrt" ++ ++#: ../lib/kdb/adb_err.c:35 ++msgid "KADM5 administration database lock file missing" ++msgstr "Sperrdatei der KADM5-Verwaltungsdatenbank fehlt" ++ ++#: ../lib/kdb/adb_err.c:36 ++msgid "Insufficient permission to lock file" ++msgstr "keine ausreichenden Rechte zum Sperren der Datei" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:23 ++msgid "Plugin does not support interface version" ++msgstr "Erweiterung unterstützt nicht die Schnittstellenversion" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:24 ++msgid "Invalid module specifier" ++msgstr "ungültige Modulangabe" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:25 ++msgid "Plugin module name not found" ++msgstr "Erweiterungsmodulname nicht gefunden" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:26 ++msgid "The KDC should discard this request" ++msgstr "Das KDC sollte diese Anfrage verwerfen" ++ ++#: 
../lib/krb5/error_tables/k5e1_err.c:27 ++msgid "Can't create new subsidiary cache" ++msgstr "Der neue ergänzende Zwischenspeicher kann nicht erzeugt werden" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:28 ++msgid "Invalid keyring anchor name" ++msgstr "ungültiger Schlüsselbundverankerungsname" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:29 ++msgid "Unknown keyring collection version" ++msgstr "unbekannte Schlüsselbundsammlungsversion" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:30 ++msgid "Invalid UID in persistent keyring name" ++msgstr "ungültige UID im beständigen Schlüsselbundnamen" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:31 ++msgid "Malformed reply from KCM daemon" ++msgstr "Antwort des KCM-Daemons hat die falsche Form" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:32 ++msgid "Mach RPC error communicating with KCM daemon" ++msgstr "Mach-RPC-Fehler beim der Kommunikation mit dem KCM-Daemon" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:33 ++msgid "KCM daemon reply too big" ++msgstr "Antwort des KCM-Daemons zu groß" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:34 ++msgid "No KCM server found" ++msgstr "Kein KCM-Server gefunden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:24 ++msgid "Client's entry in database has expired" ++msgstr "Eintrag des Clients in der Datenbank ist abgelaufen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:25 ++msgid "Server's entry in database has expired" ++msgstr "Eintrag des Servers in der Datenbank ist abgelaufen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:26 ++msgid "Requested protocol version not supported" ++msgstr "angeforderte Protokollversion nicht unterstützt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:27 ++msgid "Client's key is encrypted in an old master key" ++msgstr "" ++"Der Schlüssel des Clients wurde mit einem alten Hauptschlüssel verschlüsselt." 
++
++#: ../lib/krb5/error_tables/krb5_err.c:28
++msgid "Server's key is encrypted in an old master key"
++msgstr ""
++"Der Schlüssel des Servers wurde mit einem alten Hauptschlüssel verschlüsselt."
++
++#: ../lib/krb5/error_tables/krb5_err.c:29
++msgid "Client not found in Kerberos database"
++msgstr "Client nicht in der Kerberos-Datenbank gefunden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:30
++msgid "Server not found in Kerberos database"
++msgstr "Server nicht in der Kerberos-Datenbank gefunden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:31
++msgid "Principal has multiple entries in Kerberos database"
++msgstr "Principal hat in der Kerberos-Datenbank mehrere Einträge"
++
++#: ../lib/krb5/error_tables/krb5_err.c:32
++msgid "Client or server has a null key"
++msgstr "Client oder Server hat einen Nullschlüssel"
++
++#: ../lib/krb5/error_tables/krb5_err.c:33
++msgid "Ticket is ineligible for postdating"
++msgstr "Ticket ist zum Vordatieren ungeeignet"
++
++#: ../lib/krb5/error_tables/krb5_err.c:34
++msgid "Requested effective lifetime is negative or too short"
++msgstr "Die angeforderte effektive Lebensdauer ist negativ oder zu kurz."
++
++#: ../lib/krb5/error_tables/krb5_err.c:35
++msgid "KDC policy rejects request"
++msgstr "KDC-Richtlinie weist die Anfrage zurück"
++
++#: ../lib/krb5/error_tables/krb5_err.c:36
++msgid "KDC can't fulfill requested option"
++msgstr "KDC kann erforderliche Option nicht erfüllen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:37
++msgid "KDC has no support for encryption type"
++msgstr "KDC unterstützt diesen Verschlüsselungstyp nicht"
++
++#: ../lib/krb5/error_tables/krb5_err.c:38
++msgid "KDC has no support for checksum type"
++msgstr "KDC unterstützt diesen Prüfsummentyp nicht"
++
++#: ../lib/krb5/error_tables/krb5_err.c:39
++msgid "KDC has no support for padata type"
++msgstr "KDC unterstützt diesen Padata-Typ nicht"
++
++#: ../lib/krb5/error_tables/krb5_err.c:40
++msgid "KDC has no support for transited type"
++msgstr "KDC unterstützt diesen Übergangstyp nicht"
++
++#: ../lib/krb5/error_tables/krb5_err.c:41
++msgid "Clients credentials have been revoked"
++msgstr "Anmeldedaten des Clients wurden widerrufen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:42
++msgid "Credentials for server have been revoked"
++msgstr "Anmeldedaten für den Server wurden widerrufen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:43
++msgid "TGT has been revoked"
++msgstr "TGT wurde widerrufen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:44
++msgid "Client not yet valid - try again later"
++msgstr "Client noch nicht gültig – versuchen Sie es später noch einmal"
++
++#: ../lib/krb5/error_tables/krb5_err.c:45
++msgid "Server not yet valid - try again later"
++msgstr "Server noch nicht gültig – versuchen Sie es später noch einmal"
++
++#: ../lib/krb5/error_tables/krb5_err.c:46
++msgid "Password has expired"
++msgstr "Passwort ist abgelaufen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:47
++msgid "Preauthentication failed"
++msgstr "Vorauthentifizierung fehlgeschlagen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:48
++msgid "Additional pre-authentication required"
++msgstr "zusätzlich Vorauthentifizierung erforderlich"
++
++#: ../lib/krb5/error_tables/krb5_err.c:49
++msgid "Requested server and ticket don't match"
++msgstr "abgefragter Server und Ticket passen nicht zusammen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:50
++msgid "Server principal valid for user2user only"
++msgstr "Der Server-Principal ist nur für »user2user« gültig"
++
++#: ../lib/krb5/error_tables/krb5_err.c:51
++msgid "KDC policy rejects transited path"
++msgstr "KDC-Richtlinie verwirft durchgereichten Pfad"
++
++#: ../lib/krb5/error_tables/krb5_err.c:52
++msgid "A service is not available that is required to process the request"
++msgstr ""
++"Ein Dienst, der zum Verarbeiten der Abfrage erforderlich ist, ist nicht "
++"verfügbar."
++
++#: ../lib/krb5/error_tables/krb5_err.c:53
++msgid "KRB5 error code 30"
++msgstr "KRB5-Fehlercode 30"
++
++#: ../lib/krb5/error_tables/krb5_err.c:54
++msgid "Decrypt integrity check failed"
++msgstr "Entschlüsselungsintegritätsprüfung fehlgeschlagen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:55
++msgid "Ticket expired"
++msgstr "Ticket abgelaufen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:56
++msgid "Ticket not yet valid"
++msgstr "Ticket noch nicht gültig"
++
++#: ../lib/krb5/error_tables/krb5_err.c:57
++msgid "Request is a replay"
++msgstr "Anfrage ist eine Wiederholung"
++
++#: ../lib/krb5/error_tables/krb5_err.c:58
++msgid "The ticket isn't for us"
++msgstr "Das Ticket ist nicht für uns."
++
++#: ../lib/krb5/error_tables/krb5_err.c:59
++msgid "Ticket/authenticator don't match"
++msgstr "Ticket/Schlüsselziffer passen nicht zueinander"
++
++#: ../lib/krb5/error_tables/krb5_err.c:60
++msgid "Clock skew too great"
++msgstr "Uhrzeitabweichung zu groß"
++
++#: ../lib/krb5/error_tables/krb5_err.c:61
++msgid "Incorrect net address"
++msgstr "falsche Netzwerkadresse"
++
++#: ../lib/krb5/error_tables/krb5_err.c:62
++msgid "Protocol version mismatch"
++msgstr "Protokollversion passt nicht"
++
++#: ../lib/krb5/error_tables/krb5_err.c:63
++msgid "Invalid message type"
++msgstr "ungültiger Nachrichtentyp"
++
++#: ../lib/krb5/error_tables/krb5_err.c:64
++msgid "Message stream modified"
++msgstr "Nachrichtendatenstrom geändert"
++
++#: ../lib/krb5/error_tables/krb5_err.c:65
++msgid "Message out of order"
++msgstr "Nachricht nicht in Ordnung"
++
++#: ../lib/krb5/error_tables/krb5_err.c:66
++msgid "Illegal cross-realm ticket"
++msgstr "Widerrechliches Realm-übergreifendes Ticket"
++
++#: ../lib/krb5/error_tables/krb5_err.c:67
++msgid "Key version is not available"
++msgstr "Schlüsselversion ist nicht verfügbar"
++
++#: ../lib/krb5/error_tables/krb5_err.c:68
++msgid "Service key not available"
++msgstr "Dienstschlüssel nicht verfügbar"
++
++#: ../lib/krb5/error_tables/krb5_err.c:69
++#: ../lib/krb5/error_tables/krb5_err.c:181
++msgid "Mutual authentication failed"
++msgstr "gegenseitige Authentifizierung fehlgeschlagen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:70
++msgid "Incorrect message direction"
++msgstr "falsche Nachrichtenrichtung"
++
++#: ../lib/krb5/error_tables/krb5_err.c:71
++msgid "Alternative authentication method required"
++msgstr "alternative Authentifizierungsmethode erforderlich"
++
++#: ../lib/krb5/error_tables/krb5_err.c:72
++msgid "Incorrect sequence number in message"
++msgstr "falsche Sequenznummer in der Nachricht"
++
++#: ../lib/krb5/error_tables/krb5_err.c:73
++msgid "Inappropriate type of checksum in message"
++msgstr "ungeeigneter Prüfsummentyp in der Nachricht"
++
++#: ../lib/krb5/error_tables/krb5_err.c:74
++msgid "Policy rejects transited path"
++msgstr "Richtlinie verwirft durchgereichten Pfad"
++
++#: ../lib/krb5/error_tables/krb5_err.c:75
++msgid "Response too big for UDP, retry with TCP"
++msgstr "Antwort für UDP zu groß, erneuter Versuch mit TCP"
++
++#: ../lib/krb5/error_tables/krb5_err.c:76
++msgid "KRB5 error code 53"
++msgstr "KRB5-Fehlercode 53"
++
++#: ../lib/krb5/error_tables/krb5_err.c:77
++msgid "KRB5 error code 54"
++msgstr "KRB5-Fehlercode 54"
++
++#: ../lib/krb5/error_tables/krb5_err.c:78
++msgid "KRB5 error code 55"
++msgstr "KRB5-Fehlercode 55"
++
++#: ../lib/krb5/error_tables/krb5_err.c:79
++msgid "KRB5 error code 56"
++msgstr "KRB5-Fehlercode 56"
++
++#: ../lib/krb5/error_tables/krb5_err.c:80
++msgid "KRB5 error code 57"
++msgstr "KRB5-Fehlercode 57"
++
++#: ../lib/krb5/error_tables/krb5_err.c:81
++msgid "KRB5 error code 58"
++msgstr "KRB5-Fehlercode 58"
++
++#: ../lib/krb5/error_tables/krb5_err.c:82
++msgid "KRB5 error code 59"
++msgstr "KRB5-Fehlercode 59"
++
++#: ../lib/krb5/error_tables/krb5_err.c:83
++msgid "Generic error (see e-text)"
++msgstr "allgemeiner Fehler (siehe E-Text)"
++
++#: ../lib/krb5/error_tables/krb5_err.c:84
++msgid "Field is too long for this implementation"
++msgstr "Feld ist für diese Implementierung zu lang"
++
++#: ../lib/krb5/error_tables/krb5_err.c:85
++msgid "Client not trusted"
++msgstr "Client nicht vertrauenswürdig"
++
++#: ../lib/krb5/error_tables/krb5_err.c:86
++msgid "KDC not trusted"
++msgstr "KDC nicht vertrauenswürdig"
++
++#: ../lib/krb5/error_tables/krb5_err.c:87
++msgid "Invalid signature"
++msgstr "ungültige Signatur"
++
++#: ../lib/krb5/error_tables/krb5_err.c:88
++msgid "Key parameters not accepted"
++msgstr "Schlüsselparameter nicht akzeptiert"
++
++#: ../lib/krb5/error_tables/krb5_err.c:89
++msgid "Certificate mismatch"
++msgstr "Zertifikat passt nicht"
++
++#: ../lib/krb5/error_tables/krb5_err.c:90
++msgid "No ticket granting ticket"
++msgstr "kein ticketgewährendes Ticket"
++
++#: ../lib/krb5/error_tables/krb5_err.c:91
++msgid "Realm not local to KDC"
++msgstr "Realm für KDC nicht lokal"
++
++#: ../lib/krb5/error_tables/krb5_err.c:92
++msgid "User to user required"
++msgstr "Benutzer-zu-Benutzer erforderlich"
++
++#: ../lib/krb5/error_tables/krb5_err.c:93
++msgid "Can't verify certificate"
++msgstr "Zertifikat kann nicht überprüft werden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:94
++msgid "Invalid certificate"
++msgstr "ungültiges Zertifikat"
++
++#: ../lib/krb5/error_tables/krb5_err.c:95
++msgid "Revoked certificate"
++msgstr "widerrufenes Zertifikat"
++
++#: ../lib/krb5/error_tables/krb5_err.c:96
++msgid "Revocation status unknown"
++msgstr "Widerrufsstatus unbekannt"
++
++#: ../lib/krb5/error_tables/krb5_err.c:97
++msgid "Revocation status unavailable"
++msgstr "Widerrufsstatus nicht verfügbar"
++
++#: ../lib/krb5/error_tables/krb5_err.c:98
++msgid "Client name mismatch"
++msgstr "Client-Name passt nicht"
++
++#: ../lib/krb5/error_tables/krb5_err.c:99
++msgid "KDC name mismatch"
++msgstr "KDC-Name passt nicht"
++
++#: ../lib/krb5/error_tables/krb5_err.c:100
++msgid "Inconsistent key purpose"
++msgstr "inkonstistenter Schlüsselzweck"
++
++#: ../lib/krb5/error_tables/krb5_err.c:101
++msgid "Digest in certificate not accepted"
++msgstr "Kurzfassung im Zertifikat nicht akzeptiert"
++
++#: ../lib/krb5/error_tables/krb5_err.c:102
++msgid "Checksum must be included"
++msgstr "Prüfsumme muss enthalten sein"
++
++#: ../lib/krb5/error_tables/krb5_err.c:103
++msgid "Digest in signed-data not accepted"
++msgstr "Kurzfassung in signierten Daten nicht akzeptiert"
++
++#: ../lib/krb5/error_tables/krb5_err.c:104
++msgid "Public key encryption not supported"
++msgstr "Asymetrische Verschlüsselung nicht unterstützt"
++
++#: ../lib/krb5/error_tables/krb5_err.c:105
++msgid "KRB5 error code 82"
++msgstr "KRB5-Fehlercode 82"
++
++#: ../lib/krb5/error_tables/krb5_err.c:106
++msgid "KRB5 error code 83"
++msgstr "KRB5-Fehlercode 83"
++
++#: ../lib/krb5/error_tables/krb5_err.c:107
++msgid "KRB5 error code 84"
++msgstr "KRB5-Fehlercode 84"
++
++#: ../lib/krb5/error_tables/krb5_err.c:108
++msgid "The IAKERB proxy could not find a KDC"
++msgstr "Der IAKERB-Proxy konnte kein KDC finden."
++
++#: ../lib/krb5/error_tables/krb5_err.c:109
++msgid "The KDC did not respond to the IAKERB proxy"
++msgstr "Das KDC anwortete dem IAKERB-Proxy nicht."
++
++#: ../lib/krb5/error_tables/krb5_err.c:110
++msgid "KRB5 error code 87"
++msgstr "KRB5-Fehlercode 87"
++
++#: ../lib/krb5/error_tables/krb5_err.c:111
++msgid "KRB5 error code 88"
++msgstr "KRB5-Fehlercode 88"
++
++#: ../lib/krb5/error_tables/krb5_err.c:112
++msgid "KRB5 error code 89"
++msgstr "KRB5-Fehlercode 89"
++
++#: ../lib/krb5/error_tables/krb5_err.c:113
++msgid "KRB5 error code 90"
++msgstr "KRB5-Fehlercode 90"
++
++#: ../lib/krb5/error_tables/krb5_err.c:114
++msgid "KRB5 error code 91"
++msgstr "KRB5-Fehlercode 91"
++
++#: ../lib/krb5/error_tables/krb5_err.c:115
++msgid "KRB5 error code 92"
++msgstr "KRB5-Fehlercode 92"
++
++#: ../lib/krb5/error_tables/krb5_err.c:116
++msgid "An unsupported critical FAST option was requested"
++msgstr "Es wurde eine nicht unterstützte kritische FAST-Aktion angefordert."
++
++#: ../lib/krb5/error_tables/krb5_err.c:117
++msgid "KRB5 error code 94"
++msgstr "KRB5-Fehlercode 94"
++
++#: ../lib/krb5/error_tables/krb5_err.c:118
++msgid "KRB5 error code 95"
++msgstr "KRB5-Fehlercode 95"
++
++#: ../lib/krb5/error_tables/krb5_err.c:119
++msgid "KRB5 error code 96"
++msgstr "KRB5-Fehlercode 96"
++
++#: ../lib/krb5/error_tables/krb5_err.c:120
++msgid "KRB5 error code 97"
++msgstr "KRB5-Fehlercode 97"
++
++#: ../lib/krb5/error_tables/krb5_err.c:121
++msgid "KRB5 error code 98"
++msgstr "KRB5-Fehlercode 98"
++
++#: ../lib/krb5/error_tables/krb5_err.c:122
++msgid "KRB5 error code 99"
++msgstr "KRB5-Fehlercode 99"
++
++#: ../lib/krb5/error_tables/krb5_err.c:123
++msgid "No acceptable KDF offered"
++msgstr "kein akzeptables KDF angeboten"
++
++#: ../lib/krb5/error_tables/krb5_err.c:124
++msgid "KRB5 error code 101"
++msgstr "KRB5-Fehlercode 101"
++
++#: ../lib/krb5/error_tables/krb5_err.c:125
++msgid "KRB5 error code 102"
++msgstr "KRB5-Fehlercode 102"
++
++#: ../lib/krb5/error_tables/krb5_err.c:126
++msgid "KRB5 error code 103"
++msgstr "KRB5-Fehlercode 103"
++
++#: ../lib/krb5/error_tables/krb5_err.c:127
++msgid "KRB5 error code 104"
++msgstr "KRB5-Fehlercode 104"
++
++#: ../lib/krb5/error_tables/krb5_err.c:128
++msgid "KRB5 error code 105"
++msgstr "KRB5-Fehlercode 105"
++
++#: ../lib/krb5/error_tables/krb5_err.c:129
++msgid "KRB5 error code 106"
++msgstr "KRB5-Fehlercode 106"
++
++#: ../lib/krb5/error_tables/krb5_err.c:130
++msgid "KRB5 error code 107"
++msgstr "KRB5-Fehlercode 107"
++
++#: ../lib/krb5/error_tables/krb5_err.c:131
++msgid "KRB5 error code 108"
++msgstr "KRB5-Fehlercode 108"
++
++#: ../lib/krb5/error_tables/krb5_err.c:132
++msgid "KRB5 error code 109"
++msgstr "KRB5-Fehlercode 109"
++
++#: ../lib/krb5/error_tables/krb5_err.c:133
++msgid "KRB5 error code 110"
++msgstr "KRB5-Fehlercode 110"
++
++#: ../lib/krb5/error_tables/krb5_err.c:134
++msgid "KRB5 error code 111"
++msgstr "KRB5-Fehlercode 111"
++
++#: ../lib/krb5/error_tables/krb5_err.c:135
++msgid "KRB5 error code 112"
++msgstr "KRB5-Fehlercode 112"
++
++#: ../lib/krb5/error_tables/krb5_err.c:136
++msgid "KRB5 error code 113"
++msgstr "KRB5-Fehlercode 113"
++
++#: ../lib/krb5/error_tables/krb5_err.c:137
++msgid "KRB5 error code 114"
++msgstr "KRB5-Fehlercode 114"
++
++#: ../lib/krb5/error_tables/krb5_err.c:138
++msgid "KRB5 error code 115"
++msgstr "KRB5-Fehlercode 115"
++
++#: ../lib/krb5/error_tables/krb5_err.c:139
++msgid "KRB5 error code 116"
++msgstr "KRB5-Fehlercode 116"
++
++#: ../lib/krb5/error_tables/krb5_err.c:140
++msgid "KRB5 error code 117"
++msgstr "KRB5-Fehlercode 117"
++
++#: ../lib/krb5/error_tables/krb5_err.c:141
++msgid "KRB5 error code 118"
++msgstr "KRB5-Fehlercode 118"
++
++#: ../lib/krb5/error_tables/krb5_err.c:142
++msgid "KRB5 error code 119"
++msgstr "KRB5-Fehlercode 119"
++
++#: ../lib/krb5/error_tables/krb5_err.c:143
++msgid "KRB5 error code 120"
++msgstr "KRB5-Fehlercode 120"
++
++#: ../lib/krb5/error_tables/krb5_err.c:144
++msgid "KRB5 error code 121"
++msgstr "KRB5-Fehlercode 121"
++
++#: ../lib/krb5/error_tables/krb5_err.c:145
++msgid "KRB5 error code 122"
++msgstr "KRB5-Fehlercode 122"
++
++#: ../lib/krb5/error_tables/krb5_err.c:146
++msgid "KRB5 error code 123"
++msgstr "KRB5-Fehlercode 123"
++
++#: ../lib/krb5/error_tables/krb5_err.c:147
++msgid "KRB5 error code 124"
++msgstr "KRB5-Fehlercode 124"
++
++#: ../lib/krb5/error_tables/krb5_err.c:148
++msgid "KRB5 error code 125"
++msgstr "KRB5-Fehlercode 125"
++
++#: ../lib/krb5/error_tables/krb5_err.c:149
++msgid "KRB5 error code 126"
++msgstr "KRB5-Fehlercode 126"
++
++#: ../lib/krb5/error_tables/krb5_err.c:150
++msgid "KRB5 error code 127"
++msgstr "KRB5-Fehlercode 127"
++
++#: ../lib/krb5/error_tables/krb5_err.c:151
++#: ../lib/krb5/error_tables/kdb5_err.c:23
++msgid "$Id$"
++msgstr "$Id$"
++
++#: ../lib/krb5/error_tables/krb5_err.c:152
++msgid "Invalid flag for file lock mode"
++msgstr "ungültiger Schalter für den Datei-Sperrmodus"
++
++#: ../lib/krb5/error_tables/krb5_err.c:153
++msgid "Cannot read password"
++msgstr "Passwort kann nicht gelesen werden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:154
++msgid "Password mismatch"
++msgstr "Passwort stimmt nicht überein"
++
++#: ../lib/krb5/error_tables/krb5_err.c:155
++msgid "Password read interrupted"
++msgstr "Lesen des Passworts unterbrochen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:156
++msgid "Illegal character in component name"
++msgstr "ungültiges Zeichen in Komponentenname"
++
++#: ../lib/krb5/error_tables/krb5_err.c:157
++msgid "Malformed representation of principal"
++msgstr "Darstellung des Principals in falscher Form"
++
++#: ../lib/krb5/error_tables/krb5_err.c:158
++msgid "Can't open/find Kerberos configuration file"
++msgstr "Kerberos-Konfigurationsdatei kann nicht geöffnet/gefunden werden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:159
++msgid "Improper format of Kerberos configuration file"
++msgstr "Format der Kerberos-Konfigurationsdatei ist ungeeignet"
++
++#: ../lib/krb5/error_tables/krb5_err.c:160
++msgid "Insufficient space to return complete information"
++msgstr "Platz reicht nicht zur Rückgabe aller Informationen aus"
++
++#: ../lib/krb5/error_tables/krb5_err.c:161
++msgid "Invalid message type specified for encoding"
++msgstr "der zum Kodieren angegebene Nachrichtentyp ist ungültig"
++
++#: ../lib/krb5/error_tables/krb5_err.c:162
++msgid "Credential cache name malformed"
++msgstr "falsche Form des Anmeldedatenzwischenspeichernamens"
++
++#: ../lib/krb5/error_tables/krb5_err.c:163
++msgid "Unknown credential cache type"
++msgstr "unbekannter Anmeldedatenzwischenspeichertyp"
++
++#: ../lib/krb5/error_tables/krb5_err.c:164
++msgid "Matching credential not found"
++msgstr "keine passenden Anmeldedaten gefunden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:165
++msgid "End of credential cache reached"
++msgstr "Ende des Anmeldedatenzwischenspeichers erreicht"
++
++#: ../lib/krb5/error_tables/krb5_err.c:166
++msgid "Request did not supply a ticket"
++msgstr "Anfrage lieferte kein Ticket"
++
++#: ../lib/krb5/error_tables/krb5_err.c:167
++msgid "Wrong principal in request"
++msgstr "falscher Principal in der Anfrage"
++
++#: ../lib/krb5/error_tables/krb5_err.c:168
++msgid "Ticket has invalid flag set"
++msgstr "Das Ticket hat einen falsch gesetzten Schalter."
++
++#: ../lib/krb5/error_tables/krb5_err.c:169
++msgid "Requested principal and ticket don't match"
++msgstr "angeforderter Principal und Ticket passen nicht zusammen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:170
++msgid "KDC reply did not match expectations"
++msgstr "KDC-Antwort entsprach nicht den Erwartungen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:171
++msgid "Clock skew too great in KDC reply"
++msgstr "Zeitversatz in der KDC-Antwort zu groß"
++
++#: ../lib/krb5/error_tables/krb5_err.c:172
++msgid "Client/server realm mismatch in initial ticket request"
++msgstr ""
++"Client-/Server-Realm passen in der anfänglichen Ticketanfrage nicht zusammen."
++
++#: ../lib/krb5/error_tables/krb5_err.c:173
++msgid "Program lacks support for encryption type"
++msgstr ""
++"Dem Programm fehlt es an der Unterstützung für den Verschlüsselungstyp."
++
++#: ../lib/krb5/error_tables/krb5_err.c:174
++msgid "Program lacks support for key type"
++msgstr "Dem Programm fehlt es an der Unterstützung für den Schlüsseltyp."
++
++#: ../lib/krb5/error_tables/krb5_err.c:175
++msgid "Requested encryption type not used in message"
++msgstr ""
++"Der angeforderte Verschlüsselungstyp wird in der Nachricht nicht verwendet."
++
++#: ../lib/krb5/error_tables/krb5_err.c:176
++msgid "Program lacks support for checksum type"
++msgstr "Dem Programm fehlt es an der Unterstützung für den Prüfsummentyp."
++
++#: ../lib/krb5/error_tables/krb5_err.c:177
++msgid "Cannot find KDC for requested realm"
++msgstr "KDC für angeforderten Realm kann nicht gefunden werden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:178
++msgid "Kerberos service unknown"
++msgstr "Kerberos-Dienst unbekannt"
++
++#: ../lib/krb5/error_tables/krb5_err.c:179
++msgid "Cannot contact any KDC for requested realm"
++msgstr "Für den angeforderten Realm kann kein KDC kontaktiert werden."
++
++#: ../lib/krb5/error_tables/krb5_err.c:180
++msgid "No local name found for principal name"
++msgstr "Für den Principal-Namen wurde kein lokaler Name gefunden."
++
++#: ../lib/krb5/error_tables/krb5_err.c:182
++msgid "Replay cache type is already registered"
++msgstr "Wiederholungszwischenspeichertyp ist bereits registriert"
++
++#: ../lib/krb5/error_tables/krb5_err.c:183
++msgid "No more memory to allocate (in replay cache code)"
++msgstr ""
++"kein Speicher mehr zu reservieren (im Wiederholungszwischenspeichercode)"
++
++#: ../lib/krb5/error_tables/krb5_err.c:184
++msgid "Replay cache type is unknown"
++msgstr "Wiederholungszwischenspeichertyp ist unbekannt"
++
++#: ../lib/krb5/error_tables/krb5_err.c:185
++msgid "Generic unknown RC error"
++msgstr "allgemeiner unbekannter Wiederholungszwischenspeicherfehler"
++
++#: ../lib/krb5/error_tables/krb5_err.c:186
++msgid "Message is a replay"
++msgstr "Nachricht ist eine Wiederholung"
++
++#: ../lib/krb5/error_tables/krb5_err.c:187
++msgid "Replay cache I/O operation failed"
++msgstr "Wiederholungszwischenspeicher-E/A-Aktion fehlgeschlagen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:188
++msgid "Replay cache type does not support non-volatile storage"
++msgstr ""
++"Wiederholungszwischenspeichertyp unterstützt keinen beständigen Speicher"
++
++#: ../lib/krb5/error_tables/krb5_err.c:189
++msgid "Replay cache name parse/format error"
++msgstr "Auswerte-/Formatfehler im Wiederholungszwischenspeichernamens"
++
++#: ../lib/krb5/error_tables/krb5_err.c:190
++msgid "End-of-file on replay cache I/O"
++msgstr "Dateiende bei der E/A des Wiederholungszwischenspeichers"
++
++#: ../lib/krb5/error_tables/krb5_err.c:191
++msgid "No more memory to allocate (in replay cache I/O code)"
++msgstr ""
++"kein weiterer Speicher reservierbar (im Wiederholungszwischenspeicher-E/A-"
++"Code)"
++
++#: ../lib/krb5/error_tables/krb5_err.c:192
++msgid "Permission denied in replay cache code"
++msgstr "Zugriff im Wiederholungszwischenspeichercode verweigert"
++
++#: ../lib/krb5/error_tables/krb5_err.c:193
++msgid "I/O error in replay cache i/o code"
++msgstr "E/A-Fehler im Wiederholungszwischenspeicher-E/A-Code"
++
++#: ../lib/krb5/error_tables/krb5_err.c:194
++msgid "Generic unknown RC/IO error"
++msgstr "allgemeiner unbekannter Wiederholungszwischenspeicher-/E/A-Fehler"
++
++#: ../lib/krb5/error_tables/krb5_err.c:195
++msgid "Insufficient system space to store replay information"
++msgstr ""
++"Platz im System reicht nicht zum Speichern der Wiederholungsinformationen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:196
++msgid "Can't open/find realm translation file"
++msgstr "Realm-Übersetzungsdatei kann nicht geöffnet/gefunden werden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:197
++msgid "Improper format of realm translation file"
++msgstr "Format der Realm-Übersetzungsdatei ist ungeeignet"
++
++#: ../lib/krb5/error_tables/krb5_err.c:198
++msgid "Can't open/find lname translation database"
++msgstr "die Lname-Übersetzungsdatenbank kann nicht geöffnet/gefunden werden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:199
++msgid "No translation available for requested principal"
++msgstr "Für den angeforderten Principal ist keine Übersetzung verfügbar."
++
++#: ../lib/krb5/error_tables/krb5_err.c:200
++msgid "Improper format of translation database entry"
++msgstr "Format des Eintrags der Übersetzungsdatenbank ist ungeeignet"
++
++#: ../lib/krb5/error_tables/krb5_err.c:201
++msgid "Cryptosystem internal error"
++msgstr "interner Fehler des Verschlüsselungssystems"
++
++#: ../lib/krb5/error_tables/krb5_err.c:202
++msgid "Key table name malformed"
++msgstr "falsche Form des Schlüsseltabellennamens"
++
++#: ../lib/krb5/error_tables/krb5_err.c:203
++msgid "Unknown Key table type"
++msgstr "unbekannter Schlüsseltabellentyp"
++
++#: ../lib/krb5/error_tables/krb5_err.c:204
++msgid "Key table entry not found"
++msgstr "Schlüsseltabelleneintrag nicht gefunden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:205
++msgid "End of key table reached"
++msgstr "Ende der Schlüsseltabelle erreicht"
++
++#: ../lib/krb5/error_tables/krb5_err.c:206
++msgid "Cannot write to specified key table"
++msgstr "in angegebene Schlüsseltabelle kann nicht geschrieben werden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:207
++msgid "Error writing to key table"
++msgstr "Fehler beim Schreiben in Schlüsseltabelle"
++
++#: ../lib/krb5/error_tables/krb5_err.c:208
++msgid "Cannot find ticket for requested realm"
++msgstr "Ticket für angeforderten Realm kann nicht gefunden werden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:209
++msgid "DES key has bad parity"
++msgstr "DES-Schlüssel hat falsche Parität"
++
++#: ../lib/krb5/error_tables/krb5_err.c:210
++msgid "DES key is a weak key"
++msgstr "DES-Schlüssel ist schwach"
++
++#: ../lib/krb5/error_tables/krb5_err.c:211
++msgid "Bad encryption type"
++msgstr "falscher Verschlüsselungstyp"
++
++#: ../lib/krb5/error_tables/krb5_err.c:212
++msgid "Key size is incompatible with encryption type"
++msgstr "Schlüssellänge ist nicht mit dem Verschlüsselungstyp kompatibel"
++
++#: ../lib/krb5/error_tables/krb5_err.c:213
++msgid "Message size is incompatible with encryption type"
++msgstr "Nachrichtengröße ist nicht mit Verschlüsselungstyp kompatibel"
++
++#: ../lib/krb5/error_tables/krb5_err.c:214
++msgid "Credentials cache type is already registered."
++msgstr "Anmeldedatenzwischenspeichertyp ist bereits registriert"
++
++#: ../lib/krb5/error_tables/krb5_err.c:215
++msgid "Key table type is already registered."
++msgstr "Schlüsseltabellentyp ist bereits registriert"
++
++#: ../lib/krb5/error_tables/krb5_err.c:216
++msgid "Credentials cache I/O operation failed XXX"
++msgstr "E/A-Aktion für Anmeldedatenzwischenspeicher fehlgeschlagen XXX"
++
++#: ../lib/krb5/error_tables/krb5_err.c:217
++msgid "Credentials cache permissions incorrect"
++msgstr "Anmeldedatenzwischenspeicherrechte nicht korrekt"
++
++#: ../lib/krb5/error_tables/krb5_err.c:218
++msgid "No credentials cache found"
++msgstr "kein Anmeldedatenzwischenspeicher gefunden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:219
++msgid "Internal credentials cache error"
++msgstr "interner Anmeldedatenzwischenspeicherfehler"
++
++#: ../lib/krb5/error_tables/krb5_err.c:220
++msgid "Error writing to credentials cache"
++msgstr "Fehler beim Schreiben in den Anmeldedatenzwischenspeicher"
++
++#: ../lib/krb5/error_tables/krb5_err.c:221
++msgid "No more memory to allocate (in credentials cache code)"
++msgstr ""
++"kein weiterer Speicher zu reservieren (im Anmeldedatenzwischenspeichercode)"
++
++#: ../lib/krb5/error_tables/krb5_err.c:222
++msgid "Bad format in credentials cache"
++msgstr "falsches Format im Anmeldedatenzwischenspeicher"
++
++#: ../lib/krb5/error_tables/krb5_err.c:223
++msgid "No credentials found with supported encryption types"
++msgstr "keine Anmeldedaten mit unterstützten Verschlüsselungstypen gefunden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:224
++msgid "Invalid KDC option combination (library internal error)"
++msgstr "ungültige Kombination von KDC-Optionen (interner Bibliotheksfehler)"
++
++#: ../lib/krb5/error_tables/krb5_err.c:225
++msgid "Request missing second ticket"
++msgstr "Der Anfrage fehlt das zweite Ticket."
++
++#: ../lib/krb5/error_tables/krb5_err.c:226
++msgid "No credentials supplied to library routine"
++msgstr "der Bibliotheks-Routine wurden keine Anmeldedaten geliefert"
++
++#: ../lib/krb5/error_tables/krb5_err.c:227
++msgid "Bad sendauth version was sent"
++msgstr "Es wurde eine falsche Sendauth-Version verschickt"
++
++#: ../lib/krb5/error_tables/krb5_err.c:228
++msgid "Bad application version was sent (via sendauth)"
++msgstr "Es wurde eine falsche Anwendungsversion (über Sendauth) verschickt"
++
++#: ../lib/krb5/error_tables/krb5_err.c:229
++msgid "Bad response (during sendauth exchange)"
++msgstr "falsche Antwort (beim Sendauth-Austausch)"
++
++#: ../lib/krb5/error_tables/krb5_err.c:230
++msgid "Server rejected authentication (during sendauth exchange)"
++msgstr "Server wies Authentifizierung (beim Sendauth-Austausch) zurück"
++
++#: ../lib/krb5/error_tables/krb5_err.c:231
++msgid "Unsupported preauthentication type"
++msgstr "nicht unterstützter Vorauthentifizierungstyp"
++
++#: ../lib/krb5/error_tables/krb5_err.c:232
++msgid "Required preauthentication key not supplied"
++msgstr "erforderlicher Vorauthentifizierungsschlüssel nicht bereitgestellt"
++
++#: ../lib/krb5/error_tables/krb5_err.c:233
++msgid "Generic preauthentication failure"
++msgstr "allgemeiner Fehlschlag der Vorauthentifizierung"
++
++#: ../lib/krb5/error_tables/krb5_err.c:234
++msgid "Unsupported replay cache format version number"
++msgstr ""
++"nicht unterstütztes Versionsnummernformat des Wiederholungszwischenspeichers"
++
++#: ../lib/krb5/error_tables/krb5_err.c:235
++msgid "Unsupported credentials cache format version number"
++msgstr ""
++"nicht unterstütztes Versionsnummernformat des Anmeldedatenzwischenspeichers"
++
++#: ../lib/krb5/error_tables/krb5_err.c:236
++msgid "Unsupported key table format version number"
++msgstr "nicht unterstütztes Versionsnummernformat der Schlüsseltabelle"
++
++#: ../lib/krb5/error_tables/krb5_err.c:237
++msgid "Program lacks support for address type"
++msgstr "Dem Programm fehlt es an der Unterstützung des Adresstyps."
++
++#: ../lib/krb5/error_tables/krb5_err.c:238
++msgid "Message replay detection requires rcache parameter"
++msgstr "Erkennung der Antwortnachricht erfordert den Parameter »rcache«"
++
++#: ../lib/krb5/error_tables/krb5_err.c:239
++msgid "Hostname cannot be canonicalized"
++msgstr "Rechnername kann nicht in Normalform gebracht werden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:240
++msgid "Cannot determine realm for host"
++msgstr "Realm für Rechner kann nicht bestimmt werden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:241
++msgid "Conversion to service principal undefined for name type"
++msgstr "Umwandlung in Dienst-Principal für Namenstyp nicht definiert"
++
++#: ../lib/krb5/error_tables/krb5_err.c:242
++msgid "Initial Ticket response appears to be Version 4 error"
++msgstr "anfängliche Ticket-Antwort scheint ein Fehler der Version 4 zu sein"
++
++#: ../lib/krb5/error_tables/krb5_err.c:243
++msgid "Cannot resolve network address for KDC in requested realm"
++msgstr ""
++"Netzwerkadresse für KDC im angeforderten Realm kann nicht aufgelöst werden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:244
++msgid "Requesting ticket can't get forwardable tickets"
++msgstr "anforderndes Ticket kann keine weiterleitbaren Tickets holen"
++
++#: ../lib/krb5/error_tables/krb5_err.c:245
++msgid "Bad principal name while trying to forward credentials"
++msgstr "falscher Principal beim Versuch, Anmeldedaten weiterzuleiten"
++
++#: ../lib/krb5/error_tables/krb5_err.c:246
++msgid "Looping detected inside krb5_get_in_tkt"
++msgstr "Schleife innerhalb von »krb5_get_in_tkt« entdeckt"
++
++#: ../lib/krb5/error_tables/krb5_err.c:247
++msgid "Configuration file does not specify default realm"
++msgstr "Konfigurationsdatei gibt keinen Standard-Realm an"
++
++#: ../lib/krb5/error_tables/krb5_err.c:248
++msgid "Bad SAM flags in obtain_sam_padata"
++msgstr "falsche SAM-Schalter in »obtain_sam_padata«"
++
++#: ../lib/krb5/error_tables/krb5_err.c:249
++msgid "Invalid encryption type in SAM challenge"
++msgstr "ungültiger Verschlüsselungstyp in der SAM-Aufforderung"
++
++#: ../lib/krb5/error_tables/krb5_err.c:250
++msgid "Missing checksum in SAM challenge"
++msgstr "fehlende Prüfsumme in der SAM-Aufforderung"
++
++#: ../lib/krb5/error_tables/krb5_err.c:251
++msgid "Bad checksum in SAM challenge"
++msgstr "falsche Prüfsumme in der SAM-Aufforderung"
++
++#: ../lib/krb5/error_tables/krb5_err.c:252
++msgid "Keytab name too long"
++msgstr "Schlüsseltabellennamen zu lang"
++
++#: ../lib/krb5/error_tables/krb5_err.c:253
++msgid "Key version number for principal in key table is incorrect"
++msgstr ""
++"Schlüsselversionsnummer des Principals in der Schlüsseltabelle ist nicht "
++"korrekt"
++
++#: ../lib/krb5/error_tables/krb5_err.c:254
++msgid "This application has expired"
++msgstr "Diese Anwendung ist abgelaufen."
++
++#: ../lib/krb5/error_tables/krb5_err.c:255
++msgid "This Krb5 library has expired"
++msgstr "Diese Krb5-Bibliothek ist abgelaufen."
++
++#: ../lib/krb5/error_tables/krb5_err.c:256
++msgid "New password cannot be zero length"
++msgstr "Das neue Passwort kann nicht die Länge Null haben."
++
++#: ../lib/krb5/error_tables/krb5_err.c:258
++msgid "Bad format in keytab"
++msgstr "falsches Format in der Schlüsseltabelle"
++
++#: ../lib/krb5/error_tables/krb5_err.c:259
++msgid "Encryption type not permitted"
++msgstr "Verschlüsselungstyp nicht erlaubt"
++
++#: ../lib/krb5/error_tables/krb5_err.c:260
++msgid "No supported encryption types (config file error?)"
++msgstr ""
++"keine unterstützten Verschlüsselungstypen (Fehler in der "
++"Konfigurationsdatei?)"
++
++#: ../lib/krb5/error_tables/krb5_err.c:261
++msgid "Program called an obsolete, deleted function"
++msgstr "Das Programm rief eine veraltete, gelöschte Funktion auf."
++
++#: ../lib/krb5/error_tables/krb5_err.c:262
++msgid "unknown getaddrinfo failure"
++msgstr "unbekannter Getaddrinfo-Fehlschlag"
++
++#: ../lib/krb5/error_tables/krb5_err.c:263
++msgid "no data available for host/domain name"
++msgstr "keine Daten für Rechner/Domain-Namen verfügbar"
++
++#: ../lib/krb5/error_tables/krb5_err.c:264
++msgid "host/domain name not found"
++msgstr "Rechner/Domain-Name nicht gefunden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:265
++msgid "service name unknown"
++msgstr "Dienstname unbekannt"
++
++#: ../lib/krb5/error_tables/krb5_err.c:266
++msgid "Cannot determine realm for numeric host address"
++msgstr "Realm für numerische Rechneradresse kann nicht bestimmt werden"
++
++#: ../lib/krb5/error_tables/krb5_err.c:267
++msgid "Invalid key generation parameters from KDC"
++msgstr "ungültige Parameter zum Erzeugen von Schlüsseln vom KDC"
++
++#: ../lib/krb5/error_tables/krb5_err.c:268
++msgid "service not available"
++msgstr "Dienst nicht verfügbar"
++
++#: ../lib/krb5/error_tables/krb5_err.c:269
++msgid "Ccache function not supported: read-only ccache type"
++msgstr "Ccache-Funktion nicht unterstützt: Ccache-Typ nur lesbar"
++
++#: ../lib/krb5/error_tables/krb5_err.c:270
++msgid "Ccache function not supported: not implemented"
++msgstr "Ccache-Funktion nicht unterstützt: nicht implementiert"
++
++#: ../lib/krb5/error_tables/krb5_err.c:271
++msgid "Invalid format of Kerberos lifetime or clock skew string"
++msgstr ""
++"ungültiges Format der Kerberos-Lebensdauer oder der Zeitversatzzeichenkette"
++
++#: ../lib/krb5/error_tables/krb5_err.c:272
++msgid "Supplied data not handled by this plugin"
++msgstr ""
++"Die bereitgestellten Daten werden nicht von dieser Erweiterung behandelt."
++
++#: ../lib/krb5/error_tables/krb5_err.c:273
++msgid "Plugin does not support the operation"
++msgstr "Erweiterung unterstützt diese Aktion nicht"
++
++#: ../lib/krb5/error_tables/krb5_err.c:274
++msgid "Invalid UTF-8 string"
++msgstr "ungültige UTF-8-Zeichenkette"
++
++#: ../lib/krb5/error_tables/krb5_err.c:275
++msgid "FAST protected pre-authentication required but not supported by KDC"
++msgstr ""
++"FAST-geschützte Vorauthentifizierung erforderlich, aber nicht vom KDC "
++"unterstützt"
++
++#: ../lib/krb5/error_tables/krb5_err.c:276
++msgid "Auth context must contain local address"
++msgstr "Authentifizierungskontext muss lokale Adresse enthalten"
++
++#: ../lib/krb5/error_tables/krb5_err.c:277
++msgid "Auth context must contain remote address"
++msgstr "Authentifizierungskontext muss ferne Adresse enthalten"
++
++#: ../lib/krb5/error_tables/krb5_err.c:278
++msgid "Tracing unsupported"
++msgstr "Verfolgung nicht unterstützt"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:24
++msgid "Entry already exists in database"
++msgstr "Eintrag existiert bereits in der Datenbank"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:25
++msgid "Database store error"
++msgstr "Datenbank-Speicherfehler"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:26
++msgid "Database read error"
++msgstr "Datenbank-Lesefehler"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:27
++msgid "Insufficient access to perform requested operation"
++msgstr "Zugriffsrechte reichen nicht zur Durchführung der angeforderten Aktion"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:28
++msgid "No such entry in the database"
++msgstr "kein derartiger Eintrag in der Datenbank"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:29
++msgid "Illegal use of wildcard"
++msgstr "ungültige Verwendung eines Platzhalters"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:30
++msgid "Database is locked or in use--try again later"
++msgstr ""
++"Datenbank ist gesperrt oder wird gerade benutzt – versuchen Sie es später "
++"wieder"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:31
++msgid "Database was modified during read"
++msgstr "Datenbank wurde während des Lesens geändert"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:32
++msgid "Database record is incomplete or corrupted"
++msgstr "Datensatz ist unvollständig oder beschädigt"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:33
++msgid "Attempt to lock database twice"
++msgstr "Es wurde zweimal versucht, die Datenbank zu sperren."
++
++#: ../lib/krb5/error_tables/kdb5_err.c:34
++msgid "Attempt to unlock database when not locked"
++msgstr ""
++"Es wurde versucht, die Datenbank zu entsperren, obwohl sie nicht gesperrt "
++"ist."
++
++#: ../lib/krb5/error_tables/kdb5_err.c:35
++msgid "Invalid kdb lock mode"
++msgstr "ungültiger KDB-Sperrmodus"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:36
++msgid "Database has not been initialized"
++msgstr "Datenbank wurde nicht initialisiert"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:37
++msgid "Database has already been initialized"
++msgstr "Datenbank wurde bereits initialisiert"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:38
++msgid "Bad direction for converting keys"
++msgstr "falsche Richtung zum Umwandeln von Schlüsseln"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:39
++msgid "Cannot find master key record in database"
++msgstr "Hauptschlüsseldatensatz kann nicht in der Datenbank gefunden werden"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:40
++msgid "Master key does not match database"
++msgstr "Hauptschlüssel passt nicht zur Datenbank"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:41
++msgid "Key size in database is invalid"
++msgstr "Die Schlüssellänge in der Datenbank ist ungültig,"
++
++#: ../lib/krb5/error_tables/kdb5_err.c:42
++msgid "Cannot find/read stored master key"
++msgstr "Der gespeicherte Hauptschlüssel kann nicht gefunden/gelesen werden."
++
++#: ../lib/krb5/error_tables/kdb5_err.c:43
++msgid "Stored master key is corrupted"
++msgstr "Der gespeicherte Hauptschlüssel ist beschädigt."
++ ++#: ../lib/krb5/error_tables/kdb5_err.c:44 ++msgid "Cannot find active master key" ++msgstr "Der aktive Hauptschlüssel kann nicht gefunden werden." ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:45 ++msgid "KVNO of new master key does not match expected value" ++msgstr "KVNO des neuen Hauptschlüssels passt nicht zum erwarteten Wert" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:46 ++msgid "Stored master key is not current" ++msgstr "gespeicherter Hauptschlüssel ist nicht aktuell" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:47 ++msgid "Insufficient access to lock database" ++msgstr "keine ausreichenden Zugriffsrechte zum Sperren der Datenbank" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:48 ++msgid "Database format error" ++msgstr "fehlerhaftes Datenbankformat" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:49 ++msgid "Unsupported version in database entry" ++msgstr "nicht unterstützte Version im Datenbankeintrag" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:50 ++msgid "Unsupported salt type" ++msgstr "nicht unterstützter Salt-Typ" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:51 ++msgid "Unsupported encryption type" ++msgstr "nicht unterstützter Verschlüsselungstyp" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:52 ++msgid "Bad database creation flags" ++msgstr "falsche Schalter zum Erstellen der Datenbank" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:53 ++msgid "No matching key in entry having a permitted enctype" ++msgstr "" ++"kein passender Schlüssel in einem Eintrag mit erlaubtem Verschlüsselungstyp" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:54 ++msgid "No matching key in entry" ++msgstr "kein passender Schlüssel im Eintrag" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:55 ++msgid "Unable to find requested database type" ++msgstr "angeforderter Datenbanktyp kann nicht gefunden werden" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:56 ++msgid "Database type not supported" ++msgstr "Datenbanktyp nicht unterstützt" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:57 ++msgid 
"Database library failed to initialize" ++msgstr "Initialisieren der Datenbankbibliothek fehlgeschlagen" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:59 ++msgid "Unable to access Kerberos database" ++msgstr "auf die Kerberos-Datenbank kann nicht zugegriffen werden" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:60 ++msgid "Kerberos database internal error" ++msgstr "interner Kerberos-Datenbankfehler" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:61 ++msgid "Kerberos database constraints violated" ++msgstr "Kerberos-Datenbankbeschränkungen verletzt" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:62 ++msgid "Update log conversion error" ++msgstr "Fehler beim Umwandeln des Aktualisierungsprotokolls" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:63 ++msgid "Update log is unstable" ++msgstr "Aktualisierungsprotokoll ist instabil" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:64 ++msgid "Update log is corrupt" ++msgstr "Aktualisierungsprotokoll ist beschädigt" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:65 ++msgid "Generic update log error" ++msgstr "allgemeiner Aktualisierungsprotokollfehler" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:66 ++msgid "Database module does not match KDC version" ++msgstr "Datenbankmodul passt nicht zur KDC-Version" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:68 ++msgid "Too much string mapping data" ++msgstr "zu viele zeichenkettenabbildenden Daten" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:23 ++msgid "ASN.1 failed call to system time library" ++msgstr "ASN.1 beim Aufruf der Systemzeitbibliothek gescheitert" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:24 ++msgid "ASN.1 structure is missing a required field" ++msgstr "ASN.1-Struktur fehlt in einem erforderlichen Feld" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:25 ++msgid "ASN.1 unexpected field number" ++msgstr "ASN.1 unerwartete Feldnummer" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:26 ++msgid "ASN.1 type numbers are inconsistent" ++msgstr "ASN.1-Typnummern sind inkonsistent" ++ ++#: 
../lib/krb5/error_tables/asn1_err.c:27 ++msgid "ASN.1 value too large" ++msgstr "ASN.1-Wert zu groß" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:28 ++msgid "ASN.1 encoding ended unexpectedly" ++msgstr "ASN.1-Kodierung endete unerwartet" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:29 ++msgid "ASN.1 identifier doesn't match expected value" ++msgstr "ASN.1-Bezeichner passt nicht zum erwarteten Wert" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:30 ++msgid "ASN.1 length doesn't match expected value" ++msgstr "Länge von ASN.1 passt nicht zum erwarteten Wert" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:31 ++msgid "ASN.1 badly-formatted encoding" ++msgstr "fehlerhaft formatierte ASN.1-Kodierung" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:32 ++msgid "ASN.1 parse error" ++msgstr "ASN.1-Auswertungsfehler" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:33 ++msgid "ASN.1 bad return from gmtime" ++msgstr "ASN.1 falscher Rückgabewert von Gmtime" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:34 ++msgid "ASN.1 non-constructed indefinite encoding" ++msgstr "nicht konstruierte unbestimmte ASN.1-Kodierung" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:35 ++msgid "ASN.1 missing expected EOC" ++msgstr "ASN.1 fehlt erwartetes EOC" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:36 ++msgid "ASN.1 object omitted in sequence" ++msgstr "ASN.1-Objekt in Sequenz ausgelassen" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:23 ++msgid "Kerberos V5 magic number table" ++msgstr "Tabelle magischer Zahlen von Kerberos V5" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:24 ++msgid "Bad magic number for krb5_principal structure" ++msgstr "falsche Magische Zahl für Krb5_principal-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:25 ++msgid "Bad magic number for krb5_data structure" ++msgstr "falsche Magische Zahl für Krb5_data-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:26 ++msgid "Bad magic number for krb5_keyblock structure" ++msgstr "falsche Magische Zahl für Krb5_krb5_keyblock-Struktur" ++ ++#: 
../lib/krb5/error_tables/kv5m_err.c:27 ++msgid "Bad magic number for krb5_checksum structure" ++msgstr "falsche Magische Zahl für Krb5_krb5_checksum-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:28 ++msgid "Bad magic number for krb5_encrypt_block structure" ++msgstr "falsche Magische Zahl für Krb5_encrypt_bloc-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:29 ++msgid "Bad magic number for krb5_enc_data structure" ++msgstr "falsche Magische Zahl für Krb5_enc_data-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:30 ++msgid "Bad magic number for krb5_cryptosystem_entry structure" ++msgstr "falsche Magische Zahl für Krb5_cryptosystem_entry-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:31 ++msgid "Bad magic number for krb5_cs_table_entry structure" ++msgstr "falsche Magische Zahl für Krb5_cs_table_entry-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:32 ++msgid "Bad magic number for krb5_checksum_entry structure" ++msgstr "falsche Magische Zahl für Krb5_checksum_entry-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:33 ++msgid "Bad magic number for krb5_authdata structure" ++msgstr "falsche Magische Zahl für Krb5_authdata-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:34 ++msgid "Bad magic number for krb5_transited structure" ++msgstr "falsche Magische Zahl für Krb5_transited-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:35 ++msgid "Bad magic number for krb5_enc_tkt_part structure" ++msgstr "falsche Magische Zahl für Krb5_enc_tkt_part-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:36 ++msgid "Bad magic number for krb5_ticket structure" ++msgstr "falsche Magische Zahl für Krb5_ticket-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:37 ++msgid "Bad magic number for krb5_authenticator structure" ++msgstr "falsche Magische Zahl für Krb5_authenticator-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:38 ++msgid "Bad magic number for krb5_tkt_authent structure" ++msgstr "falsche Magische Zahl für 
Krb5_tkt_authent-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:39 ++msgid "Bad magic number for krb5_creds structure" ++msgstr "falsche Magische Zahl für Krb5_creds-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:40 ++msgid "Bad magic number for krb5_last_req_entry structure" ++msgstr "falsche Magische Zahl für Krb5_last_req_entry-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:41 ++msgid "Bad magic number for krb5_pa_data structure" ++msgstr "falsche Magische Zahl für Krb5_pa_data-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:42 ++msgid "Bad magic number for krb5_kdc_req structure" ++msgstr "falsche Magische Zahl für Krb5_kdc_req-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:43 ++msgid "Bad magic number for krb5_enc_kdc_rep_part structure" ++msgstr "falsche Magische Zahl für Krb5_enc_kdc_rep_part-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:44 ++msgid "Bad magic number for krb5_kdc_rep structure" ++msgstr "falsche Magische Zahl für Krb5_kdc_rep-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:45 ++msgid "Bad magic number for krb5_error structure" ++msgstr "falsche Magische Zahl für Krb5_error-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:46 ++msgid "Bad magic number for krb5_ap_req structure" ++msgstr "falsche Magische Zahl für Krb5_ap_req-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:47 ++msgid "Bad magic number for krb5_ap_rep structure" ++msgstr "falsche Magische Zahl für Krb5_ap_rep-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:48 ++msgid "Bad magic number for krb5_ap_rep_enc_part structure" ++msgstr "falsche Magische Zahl für Krb5_ap_rep_enc_part-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:49 ++msgid "Bad magic number for krb5_response structure" ++msgstr "falsche Magische Zahl für Krb5_response-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:50 ++msgid "Bad magic number for krb5_safe structure" ++msgstr "falsche Magische Zahl für Krb5_safe-Struktur" ++ ++#: 
../lib/krb5/error_tables/kv5m_err.c:51 ++msgid "Bad magic number for krb5_priv structure" ++msgstr "falsche Magische Zahl für Krb5_priv-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:52 ++msgid "Bad magic number for krb5_priv_enc_part structure" ++msgstr "falsche Magische Zahl für Krb5_priv_enc_part-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:53 ++msgid "Bad magic number for krb5_cred structure" ++msgstr "falsche Magische Zahl für Krb5_cred-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:54 ++msgid "Bad magic number for krb5_cred_info structure" ++msgstr "falsche Magische Zahl für Krb5_cred_info-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:55 ++msgid "Bad magic number for krb5_cred_enc_part structure" ++msgstr "falsche Magische Zahl für Krb5_cred_enc_part-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:56 ++msgid "Bad magic number for krb5_pwd_data structure" ++msgstr "falsche Magische Zahl für Krb5_pwd_data-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:57 ++msgid "Bad magic number for krb5_address structure" ++msgstr "falsche Magische Zahl für Krb5_address-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:58 ++msgid "Bad magic number for krb5_keytab_entry structure" ++msgstr "falsche Magische Zahl für Krb5_keytab_entry-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:59 ++msgid "Bad magic number for krb5_context structure" ++msgstr "falsche Magische Zahl für Krb5_context-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:60 ++msgid "Bad magic number for krb5_os_context structure" ++msgstr "falsche Magische Zahl für Krb5_os_context-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:61 ++msgid "Bad magic number for krb5_alt_method structure" ++msgstr "falsche Magische Zahl für Krb5_alt_method-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:62 ++msgid "Bad magic number for krb5_etype_info_entry structure" ++msgstr "falsche Magische Zahl für Krb5_etype_info_entry-Struktur" ++ ++#: 
../lib/krb5/error_tables/kv5m_err.c:63 ++msgid "Bad magic number for krb5_db_context structure" ++msgstr "falsche Magische Zahl für Krb5_db_context-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:64 ++msgid "Bad magic number for krb5_auth_context structure" ++msgstr "falsche Magische Zahl für Krb5_auth_context-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:65 ++msgid "Bad magic number for krb5_keytab structure" ++msgstr "falsche Magische Zahl für Krb5_keytab-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:66 ++msgid "Bad magic number for krb5_rcache structure" ++msgstr "falsche Magische Zahl für Krb5_rcache-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:67 ++msgid "Bad magic number for krb5_ccache structure" ++msgstr "falsche Magische Zahl für Krb5_ccache-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:68 ++msgid "Bad magic number for krb5_preauth_ops" ++msgstr "falsche Magische Zahl für Krb5_preauth_ops" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:69 ++msgid "Bad magic number for krb5_sam_challenge" ++msgstr "falsche Magische Zahl für Krb5_sam_challenge" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:70 ++msgid "Bad magic number for krb5_sam_challenge_2" ++msgstr "falsche Magische Zahl für Krb5_sam_challenge_2" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:71 ++msgid "Bad magic number for krb5_sam_key" ++msgstr "falsche Magische Zahl für Krb5_sam_key" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:72 ++#: ../lib/krb5/error_tables/kv5m_err.c:73 ++msgid "Bad magic number for krb5_enc_sam_response_enc" ++msgstr "falsche Magische Zahl für Krb5_enc_sam_response_enc" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:74 ++msgid "Bad magic number for krb5_sam_response" ++msgstr "falsche Magische Zahl für Krb5_sam_response" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:75 ++msgid "Bad magic number for krb5_sam_response 2" ++msgstr "falsche Magische Zahl für Krb5_sam_response 2" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:76 ++msgid "Bad magic number for 
krb5_predicted_sam_response" ++msgstr "falsche Magische Zahl für Krb5_predicted_sam_response" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:77 ++msgid "Bad magic number for passwd_phrase_element" ++msgstr "falsche Magische Zahl für Passwd_phrase_element" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:78 ++msgid "Bad magic number for GSSAPI OID" ++msgstr "falsche Magische Zahl für GSSAPI OID" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:79 ++msgid "Bad magic number for GSSAPI QUEUE" ++msgstr "falsche Magische Zahl für GSSAPI QUEUE" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:80 ++msgid "Bad magic number for fast armored request" ++msgstr "falsche Magische Zahl für per FAST geschützte Anfrage" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:81 ++msgid "Bad magic number for FAST request" ++msgstr "falsche Magische Zahl für FAST-Anfrage" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:82 ++msgid "Bad magic number for FAST response" ++msgstr "falsche Magische Zahl für FAST-Antwort" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:83 ++msgid "Bad magic number for krb5_authdata_context" ++msgstr "falsche Magische Zahl für Krb5_authdata_context" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:23 ++msgid "Cannot convert V5 keyblock" ++msgstr "V5-Schlüsselblock kann nicht umgewandelt werden" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:24 ++msgid "Cannot convert V5 address information" ++msgstr "V5-Adressinformationen können nicht umgewandelt werden" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:25 ++msgid "Cannot convert V5 principal" ++msgstr "V5-Principal kann nicht umgewandelt werden" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:26 ++msgid "V5 realm name longer than V4 maximum" ++msgstr "V5-Realm-Name ist länger als die V4-Maximallänge" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:27 ++msgid "Kerberos V4 error" ++msgstr "Kerberos-V4-Fehler" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:28 ++msgid "Encoding too large" ++msgstr "Kodierung zu lang" ++ ++#: 
../lib/krb5/error_tables/krb524_err.c:29 ++msgid "Decoding out of data" ++msgstr "Dekodieren außerhalb der Daten" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:30 ++msgid "Service not responding" ++msgstr "Dienst antwortet nicht" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:31 ++msgid "Kerberos version 4 support is disabled" ++msgstr "Kerberos 4 Unterstützung ist deaktiviert" ++ ++#~ msgid "while creating server %s principal name" ++#~ msgstr "beim Erstellen des Principal-Namens für Server %s" ++ ++# KDC = Key Distribution Center ++#~ msgid "while getting credentials from kdc" ++#~ msgstr "beim Holen der Anmeldedaten vom KDC" ++ ++# FIXME s/Retrieving/retrieving/ ++#~ msgid "while Retrieving credentials" ++#~ msgstr "beim Abfragen der Anmeldedaten" ++ ++#~ msgid "while copying principal" ++#~ msgstr "beim Kopieren des Principals" ++ ++#~ msgid "%s does not have correct permissions for %s\n" ++#~ msgstr "%s hat nicht die erforderlichen Zugriffsrechte für %s\n" ++ ++#~ msgid "no salt\n" ++#~ msgstr "kein Salt\n" ++ ++#~ msgid "%s: Couldn't grab lock\n" ++#~ msgstr "%s: Es konnte keine Sperre erlangt werden.\n" ++ ++#~ msgid "%s: Loads disallowed when iprop is enabled and a ulog is present\n" ++#~ msgstr "" ++#~ "%s: Wenn Iprop aktiviert und Ulog vorhanden ist, ist Laden nicht " ++#~ "möglich.\n" ++ ++#~ msgid "trying to lock database" ++#~ msgstr "es wird versucht, die Datenbank zu sperren" ++ ++#~ msgid "GSS-API error %s: %s\n" ++#~ msgstr "GSS-API-Fehler %s: %s\n" ++ ++#~ msgid "Couldn't create KRB5 Name NameType OID\n" ++#~ msgstr "KRB5 Name NameType OID konnte nicht erstellt werden.\n" ++ ++#~ msgid "%s: %s while initializing, aborting" ++#~ msgstr "%s: %s beim Initialisieren, wird abgebrochen" ++ ++#~ msgid "" ++#~ "%s: Missing required configuration values (%lx) while initializing, " ++#~ "aborting" ++#~ msgstr "" ++#~ "%s: Beim Initialisieren fehlen die erforderlichen Konfigurationswerte " ++#~ "(%lx), wird abgebrochen" ++ ++#~ msgid "" ++#~ "%s: Missing 
required configuration values (%lx) while initializing, " ++#~ "aborting\n" ++#~ msgstr "" ++#~ "%s: Beim Initialisieren fehlen die erforderlichen Konfigurationswerte " ++#~ "(%lx), wird abgebrochen\n" ++ ++#~ msgid "%s: could not initialize loop, aborting" ++#~ msgstr "%s: Schleife konnte nicht initialisiert werden, wird abgebrochen" ++ ++#~ msgid "%s: could not initialize loop, aborting\n" ++#~ msgstr "%s: Schleife konnte nicht initialisiert werden, wird abgebrochen\n" ++ ++#~ msgid "%s: %s while initializing signal handlers, aborting" ++#~ msgstr "" ++#~ "%s: %s beim Initialisieren des Signalbehandlungsprogramms, wird " ++#~ "abgebrochen" ++ ++#~ msgid "%s: %s while initializing signal handlers, aborting\n" ++#~ msgstr "" ++#~ "%s: %s beim Initialisieren des Signalbehandlungsprogramms, wird " ++#~ "abgebrochen\n" ++ ++#~ msgid "%s: %s while initializing network, aborting" ++#~ msgstr "%s: %s beim Initialisieren des Netzwerks, wird abgebrochen" ++ ++#~ msgid "%s: %s while initializing network, aborting\n" ++#~ msgstr "%s: %s beim Initialisieren des Netzwerks, wird abgebrochen\n" ++ ++#~ msgid "Cannot build GSS-API authentication names, failing." ++#~ msgstr "" ++#~ "GSS-API-Authentifizierungsnamen können nicht gebildet werden, " ++#~ "fehlgeschlagen" ++ ++#~ msgid "Can't set kdb keytab's internal context." ++#~ msgstr "" ++#~ "Der interne Kontext von KDBs Schlüsseltabelle kann nicht gesetzt werden." ++ ++#~ msgid "Can't register kdb keytab." ++#~ msgstr "Die KDB-Schlüsseltabelle kann nicht registriert werden." ++ ++#~ msgid "Can't register acceptor keytab." ++#~ msgstr "Die Empfängerschlüsseltabelle kann nicht registriert werden." ++ ++#~ msgid "" ++#~ "Cannot set GSS-API authentication names (keytab not present?), failing." 
++#~ msgstr "" ++#~ "GSS-API-Authentifizierungsnamen können nicht gesetzt werden " ++#~ "(Schlüsseltabelle nicht vorhanden?), fehlgeschlagen" ++ ++#~ msgid "Cannot initialize acl file: %s" ++#~ msgstr "ACL-Datei kann nicht initialisiert werden: %s" ++ ++#~ msgid "%s: Cannot initialize acl file: %s\n" ++#~ msgstr "%s: ACL-Datei kann nicht initialisiert werden: %s\n" ++ ++#~ msgid "Cannot detach from tty: %s" ++#~ msgstr "kann nicht vom Terminal gelöst werden: %s" ++ ++#~ msgid "Cannot create PID file %s: %s" ++#~ msgstr "PID-Datei %s kann nicht erstellt werden: %s" ++ ++#~ msgid "%s: %s while mapping update log (`%s.ulog')\n" ++#~ msgstr "%s: %s beim Abbilden des Aktualisierungsprotokolls (»%s.ulog«)\n" ++ ++#~ msgid "%s while mapping update log (`%s.ulog')" ++#~ msgstr "%s beim Abbilden des Aktualisierungsprotokolls (»%s.ulog«)" ++ ++#~ msgid "%s: Cannot create IProp RPC service (PROG=%d, VERS=%d)\n" ++#~ msgstr "" ++#~ "%s: IProp-RPC-Dienst kann nicht erstellt werden (PROG=%d, VERS=%d)\n" ++ ++#~ msgid "Cannot create IProp RPC service (PROG=%d, VERS=%d), failing." ++#~ msgstr "" ++#~ "IProp-RPC-Dienst kann nicht erstellt werden (PROG=%d, VERS=%d), " ++#~ "fehlgeschlagen" ++ ++#~ msgid "%s while getting IProp svc name, failing" ++#~ msgstr "%s beim Holen des IProp-Dienstnamens, fehlgeschlagen" ++ ++#~ msgid "%s: %s while getting IProp svc name, failing\n" ++#~ msgstr "%s: %s beim Holen des IProp-Dienstnamens, fehlgeschlagen\n" ++ ++#~ msgid "Unable to set RPCSEC_GSS service name (`%s'), failing." ++#~ msgstr "" ++#~ "der RPCSEC_GSS-Dienstname (»%s«) kann nicht gesetzt werden, fehlgeschlagen" ++ ++#~ msgid "%s: Unable to set RPCSEC_GSS service name (`%s'), failing.\n" ++#~ msgstr "" ++#~ "%s: der RPCSEC_GSS-Dienstname (»%s«) kann nicht gesetzt werden, " ++#~ "fehlgeschlagen\n" ++ ++#~ msgid "GSS-API authentication error %.*s: recursive failure!" ++#~ msgstr "GSS-API-Authentifizierungsfehler %.*s: rekursiver Fehlschlag!" 
++ ++#~ msgid "skipping unrecognized local address family %d" ++#~ msgstr "nicht erkannte lokale Adressfamilie %d wird übersprungen" ++ ++#~ msgid "got routing msg type %d(%s) v%d" ++#~ msgstr "Routing-Meldungstyp %d(%s) v%d erhalten" ++ ++#~ msgid "Could not create temp stash file: %s" ++#~ msgstr "Temporäre Ablagedatei konnte nicht erstellt werden: %s" ++ ++#~ msgid "ulog_sync_header: could not sync to disk" ++#~ msgstr "ulog_sync_header: kann nicht auf Platte sychronisiert werden" ++ ++#~ msgid "%s: attempt to convert non-extended krb5_get_init_creds_opt" ++#~ msgstr "" ++#~ "%s: Es wird versucht, nicht erweiterte »krb5_get_init_creds_opt« " ++#~ "umzuwandeln" ++ ++#~ msgid "krb5_sname_to_principal, while adding entries to the database" ++#~ msgstr "" ++#~ "»krb5_sname_to_principal« beim Hinzufügen von Einträgen zur Datenbank" ++ ++#~ msgid "krb5_copy_principal, while adding entries to the database" ++#~ msgstr "»krb5_copy_principal« beim Hinzufügen von Einträgen zur Datenbank" ++ ++#~ msgid "" ++#~ "Unable to check if SASL EXTERNAL mechanism is supported by LDAP server. " ++#~ "Proceeding anyway ..." ++#~ msgstr "" ++#~ "Es konnte nicht geprüft werden, ob der Mechanismus SASL EXTERNAL vom LDAP-" ++#~ "Server unterstützt wird. Es wird trotzdem fortgesetzt …" ++ ++#~ msgid "" ++#~ "SASL EXTERNAL mechanism not supported by LDAP server. Can't perform " ++#~ "certificate-based bind." ++#~ msgstr "" ++#~ "Der Mechanismus SASL EXTERNAL wird nicht vom LDAP-Server unterstützt. Es " ++#~ "kann keine zertifikatbasierte Verbindung hergestellt werden." 
++ ++#~ msgid "Error reading 'ldap_servers' attribute" ++#~ msgstr "Fehler beim Lesen des Attributs »ldap_servers«" ++ ++#~ msgid "Stash file entry corrupt" ++#~ msgstr "Eintrag in der Ablagedatei beschädigt" ++ ++#~ msgid "while setting server principal realm" ++#~ msgstr "beim Setzen des Server-Principal-Realms" ++ ++#~ msgid "while getting initial ticket\n" ++#~ msgstr "beim Holen eines Anfangs-Tickets\n" ++ ++#~ msgid "while destroying ticket cache" ++#~ msgstr "beim Zerstören des Ticket-Zwischenspeichers" ++ ++#~ msgid "while closing default ccache" ++#~ msgstr "beim Schließen des Standard-Ccaches" diff -Nru krb5-1.13.2+dfsg/debian/patches/0011-sendto_kdc-uninitialized-variable.patch krb5-1.14.2+dfsg/debian/patches/0011-sendto_kdc-uninitialized-variable.patch --- krb5-1.13.2+dfsg/debian/patches/0011-sendto_kdc-uninitialized-variable.patch 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/patches/0011-sendto_kdc-uninitialized-variable.patch 2016-06-16 05:57:49.000000000 +0000 
@@ -0,0 +1,45 @@
+From 0696cc5a5dfb59f15dc0212d58aa509066212b65 Mon Sep 17 00:00:00 2001
+From: Steve Langasek
+Date: Thu, 16 Jun 2016 08:57:00 +0300
+Subject: sendto_kdc uninitialized variable
+
+---
+ src/lib/krb5/os/sendto_kdc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: krb5-1.14.2+dfsg/src/lib/krb5/os/sendto_kdc.c
+===================================================================
+--- krb5-1.14.2+dfsg.orig/src/lib/krb5/os/sendto_kdc.c
++++ krb5-1.14.2+dfsg/src/lib/krb5/os/sendto_kdc.c
+@@ -339,7 +339,8 @@ cm_select_or_poll(const struct select_st
+ struct timeval tv;
+ #endif
+ krb5_error_code retval;
+- time_ms curtime, interval;
++ time_ms curtime = 0;
++ time_ms interval;
+
+ retval = get_curtime_ms(&curtime);
+ if (retval != 0)
+@@ -1315,7 +1316,7 @@ service_fds(krb5_context context, struct
+ void *msg_handler_data, struct conn_state **winner_out)
+ {
+ int e, selret = 0;
+- time_ms endtime;
++ time_ms endtime = 0;
+ struct conn_state *state;
+
+ *winner_out = NULL;
+Index: krb5-1.14.2+dfsg/src/tests/asn.1/trval.c
+===================================================================
+--- krb5-1.14.2+dfsg.orig/src/tests/asn.1/trval.c
++++ krb5-1.14.2+dfsg/src/tests/asn.1/trval.c
+@@ -404,7 +404,7 @@ int do_cons(fp, enc, len, lev, rlen)
+ {
+ int n;
+ int r = 0;
+- int rlen2;
++ int rlen2 = 0;
+ int rlent;
+ int save_appl;
+
diff -Nru krb5-1.13.2+dfsg/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch krb5-1.14.2+dfsg/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch
--- krb5-1.13.2+dfsg/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch 2016-05-30 17:11:40.000000000 +0000
@@ -1,4 +1,4 @@
-From 8068523e7d7260cff1416c1cda17b464978aa031 Mon Sep 17 00:00:00 2001
+From 276792ffc3aed45f3da6a94b8eae2da759f17cee Mon Sep 17 00:00:00 2001
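Review bot: The header of the new 0011-sendto_kdc-uninitialized-variable.patch no longer matches its content: the Subject and diffstat name only `src/lib/krb5/os/sendto_kdc.c` (`1 file changed, 3 insertions(+), 2 deletions(-)`), yet the body also sets `int rlen2 = 0;` in `src/tests/asn.1/trval.c`. The header has no description either, so nothing records whether `curtime = 0`, `endtime = 0` and `rlen2 = 0` only quiet a compiler diagnostic or paper over a path that really reads an unset value; I would add a short body stating which, a `Forwarded:` line, and a refreshed diffstat. In `cm_select_or_poll` the visible `get_curtime_ms(&curtime)` call is followed by a `retval` check, so the initialiser looks harmless there. `service_fds` and `do_cons` continue outside their hunks, so whether 0 is a safe deadline or length on every path cannot be judged from here and is worth confirming before relying on the silenced warning.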
From: Sam Hartman Date: Mon, 26 Dec 2011 18:05:13 -0500 Subject: Debian: HURD compatibility @@ -32,10 +32,10 @@ extern int optind; extern char * optarg; diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index d57dd6b..4989a71 100644 +index 41c3d1b..4810f04 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h -@@ -564,6 +564,9 @@ extern char *strdup (const char *); +@@ -573,6 +573,9 @@ extern char *strdup (const char *); #ifdef HAVE_SYS_PARAM_H #include /* MAXPATHLEN */ #endif @@ -61,7 +61,7 @@ * Free a kt_list */ diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index f9248ab..6e39c37 100644 +index 5f1ca33..5f8c51b 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -65,6 +65,9 @@ diff -Nru krb5-1.13.2+dfsg/debian/patches/debian-local/0002-debian-suppress-multi-arch-paths-in-krb5-config.patch krb5-1.14.2+dfsg/debian/patches/debian-local/0002-debian-suppress-multi-arch-paths-in-krb5-config.patch --- krb5-1.13.2+dfsg/debian/patches/debian-local/0002-debian-suppress-multi-arch-paths-in-krb5-config.patch 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/patches/debian-local/0002-debian-suppress-multi-arch-paths-in-krb5-config.patch 2016-05-30 17:11:40.000000000 +0000 @@ -1,4 +1,4 @@ -From 849b68fabddfadbc19620030256e2d604cb2c3f1 Mon Sep 17 00:00:00 2001 +From 6fd8af67cff694954d3209363159790f2e3838a0 Mon Sep 17 00:00:00 2001 
From: Sam Hartman Date: Mon, 26 Dec 2011 18:19:53 -0500 Subject: debian: suppress multi-arch paths in krb5-config diff -Nru krb5-1.13.2+dfsg/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch krb5-1.14.2+dfsg/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch --- krb5-1.13.2+dfsg/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch 2016-05-30 17:11:40.000000000 +0000 @@ -1,4 +1,4 @@ -From 60309d28f2d167ff67c6e4add6e95bade03890a9 Mon Sep 17 00:00:00 2001 +From 059e62cbca5b92205c1e2b123f445e6e9251bd81 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Mon, 26 Dec 2011 18:20:11 -0500 Subject: debian: osconf.hin path changes @@ -9,7 +9,7 @@ 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/include/osconf.hin b/src/include/osconf.hin -index 6f28bc3..f290430 100644 +index 922d796..4af260b 100644 --- a/src/include/osconf.hin +++ b/src/include/osconf.hin @@ -59,7 +59,7 @@ @@ -21,7 +21,7 @@ #define DEFAULT_KDB_FILE KDC_DIR "/principal" #define DEFAULT_KEYFILE_STUB KDC_DIR "/.k5." #define KRB5_DEFAULT_ADMIN_ACL KDC_DIR "/krb5_adm.acl" -@@ -118,8 +118,8 @@ +@@ -117,8 +117,8 @@ * krb5 slave support follows */ diff -Nru krb5-1.13.2+dfsg/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch krb5-1.14.2+dfsg/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch --- krb5-1.13.2+dfsg/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch 2016-05-30 17:11:40.000000000 +0000 @@ -1,4 +1,4 @@ -From 927c5c2687c94bfdaf101825f3e8f7e126d22e45 Mon Sep 17 00:00:00 2001 +From 35cdc9aa64d78032f0b3f1c86ef6c05fdb2af6d2 Mon Sep 17 00:00:00 2001 
From: Sam Hartman Date: Mon, 26 Dec 2011 18:12:39 -0500 Subject: debian: install ldap library in subdirectory diff -Nru krb5-1.13.2+dfsg/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch krb5-1.14.2+dfsg/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch --- krb5-1.13.2+dfsg/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch 2016-05-30 17:11:40.000000000 +0000 @@ -1,4 +1,4 @@ -From 8e573ffa7e5c2951f92902653a2fea60cfd0e157 Mon Sep 17 00:00:00 2001 +From 5283126a4f048d831aaa7e0b61081de4af98892f Mon Sep 17 00:00:00 2001 From: Benjamin Kaduk Date: Fri, 29 Mar 2013 17:18:40 -0400 Subject: gssapi: never unload mechanisms @@ -20,7 +20,7 @@ 1 file changed, 2 deletions(-) diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c -index 2987164..3a49ae8 100644 +index b7e8a8d..8fa2085 100644 --- a/src/lib/gssapi/mechglue/g_initialize.c +++ b/src/lib/gssapi/mechglue/g_initialize.c @@ -517,8 +517,6 @@ releaseMechInfo(gss_mech_info *pCf) diff -Nru krb5-1.13.2+dfsg/debian/patches/debian-local/0006-Add-substpdf-target.patch krb5-1.14.2+dfsg/debian/patches/debian-local/0006-Add-substpdf-target.patch --- krb5-1.13.2+dfsg/debian/patches/debian-local/0006-Add-substpdf-target.patch 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/patches/debian-local/0006-Add-substpdf-target.patch 2016-05-30 17:11:40.000000000 +0000 @@ -1,4 +1,4 @@ -From 46d0224e7bd32b012e4e09faa335b22a105b4da4 Mon Sep 17 00:00:00 2001 +From 72c5a38c527b61ea0266664c5237101da5db7ccc Mon Sep 17 00:00:00 2001 
From: Ben Kaduk Date: Fri, 29 Mar 2013 20:53:37 -0400 Subject: Add substpdf target diff -Nru krb5-1.13.2+dfsg/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch krb5-1.14.2+dfsg/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch --- krb5-1.13.2+dfsg/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch 2016-05-30 17:11:40.000000000 +0000 
@@ -0,0 +1,102 @@
+From d750031adb2ebc0a902f9aaceffe63a7161482db Mon Sep 17 00:00:00 2001
+From: Jelmer Vernooij
+Date: Wed, 27 Aug 2014 16:40:29 -0400
+Subject: Fix pkg-config library/include paths
+
+Include library and include flags in pkg-config files, so they work when the
+symlinks provided by libkrb5-dev are not installed.
+
+Patch-Category: debian-local
+---
+ src/build-tools/gssrpc.pc.in | 4 ++--
+ src/build-tools/kadm-client.pc.in | 4 ++--
+ src/build-tools/kadm-server.pc.in | 4 ++--
+ src/build-tools/kdb.pc.in | 4 ++--
+ src/build-tools/mit-krb5-gssapi.pc.in | 4 ++--
+ src/build-tools/mit-krb5.pc.in | 4 ++--
+ 6 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/src/build-tools/gssrpc.pc.in b/src/build-tools/gssrpc.pc.in
+index ca90921..e08c2e8 100644
+--- a/src/build-tools/gssrpc.pc.in
++++ b/src/build-tools/gssrpc.pc.in
+@@ -1,7 +1,7 @@
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-libdir=@libdir@
+-includedir=@includedir@
++libdir=@libdir@/mit-krb5
++includedir=@includedir@/mit-krb5
+ vendor=MIT
+
+ Name: gssrpc
+diff --git a/src/build-tools/kadm-client.pc.in b/src/build-tools/kadm-client.pc.in
+index c8d1cd1..de56a75 100644
+--- a/src/build-tools/kadm-client.pc.in
++++ b/src/build-tools/kadm-client.pc.in
+@@ -1,7 +1,7 @@
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-libdir=@libdir@
+-includedir=@includedir@
++libdir=@libdir@/mit-krb5
++includedir=@includedir@/mit-krb5
+
+ Name: kadm-client
+ Description: Kerberos administration client library
+diff --git a/src/build-tools/kadm-server.pc.in b/src/build-tools/kadm-server.pc.in
+index cd2f86c..a73ff86 100644
+--- a/src/build-tools/kadm-server.pc.in
++++ b/src/build-tools/kadm-server.pc.in
+@@ -1,7 +1,7 @@
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-libdir=@libdir@
+-includedir=@includedir@
++libdir=@libdir@/mit-krb5
++includedir=@includedir@/mit-krb5
+
+ Name: kadm-server
+ Description: Kerberos administration server library
+diff --git a/src/build-tools/kdb.pc.in b/src/build-tools/kdb.pc.in
+index 461a8d01d0..356501d 100644
+--- a/src/build-tools/kdb.pc.in
++++ b/src/build-tools/kdb.pc.in
+@@ -1,7 +1,7 @@
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-libdir=@libdir@
+-includedir=@includedir@
++libdir=@libdir@/mit-krb5
++includedir=@includedir@/mit-krb5
+
+ KDB5_DB_LIB=@KDB5_DB_LIB@
+
+diff --git a/src/build-tools/mit-krb5-gssapi.pc.in b/src/build-tools/mit-krb5-gssapi.pc.in
+index 7b91b19..b2b2436 100644
+--- a/src/build-tools/mit-krb5-gssapi.pc.in
++++ b/src/build-tools/mit-krb5-gssapi.pc.in
+@@ -1,7 +1,7 @@
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-libdir=@libdir@
+-includedir=@includedir@
++libdir=@libdir@/mit-krb5
++includedir=@includedir@/mit-krb5
+
+ Name: mit-krb5-gssapi
+ Description: Kerberos implementation of the GSSAPI
+diff --git a/src/build-tools/mit-krb5.pc.in b/src/build-tools/mit-krb5.pc.in
+index 0308815..058e75f 100644
+--- a/src/build-tools/mit-krb5.pc.in
++++ b/src/build-tools/mit-krb5.pc.in
+@@ -1,7 +1,7 @@
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-libdir=@libdir@
+-includedir=@includedir@
++libdir=@libdir@/mit-krb5
++includedir=@includedir@/mit-krb5
+
+ defccname=@DEFCCNAME@
+ defktname=@DEFKTNAME@
diff -Nru krb5-1.13.2+dfsg/debian/patches/debian-local/0007-Quick-and-dirty-fix-to-building-O3.patch krb5-1.14.2+dfsg/debian/patches/debian-local/0007-Quick-and-dirty-fix-to-building-O3.patch
--- krb5-1.13.2+dfsg/debian/patches/debian-local/0007-Quick-and-dirty-fix-to-building-O3.patch 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/patches/debian-local/0007-Quick-and-dirty-fix-to-building-O3.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-From 2c48ebcd8b4dcce06ec782737225222175fef386 Mon Sep 17 00:00:00 2001
-From: Sam Hartman
-Date: Fri, 1 Aug 2014 17:47:59 -0400
-Subject: Quick and dirty fix to building -O3
-
-This is a quick and dirty fix to pacify gcc which is over-concerned
-about uninitialized variables at -O3.
-
-This should allow Ubuntu to sync krb5 without need for any ubuntu changes.
-
-Patch-Category: debian-local
----
- src/kadmin/dbutil/dump.c | 2 ++
- src/lib/krb5/os/sendto_kdc.c | 4 ++--
- src/tests/asn.1/trval.c | 2 +-
- 3 files changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
-index bfb8577..f165cc9 100644
---- a/src/kadmin/dbutil/dump.c
-+++ b/src/kadmin/dbutil/dump.c
-@@ -1476,6 +1476,8 @@ load_db(int argc, char **argv)
- krb5_boolean db_locked = FALSE, temp_db_created = FALSE;
- krb5_boolean verbose = FALSE, update = FALSE, iprop_load = FALSE;
-
-+ memset(&last, 0, sizeof(last));
-+
- /* Parse the arguments. */
- dbname = global_params.dbname;
- exit_status = 0;
-diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
-index 3b3b438..462e157 100644
---- a/src/lib/krb5/os/sendto_kdc.c
-+++ b/src/lib/krb5/os/sendto_kdc.c
-@@ -339,7 +339,7 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime,
- struct timeval tv;
- #endif
- krb5_error_code retval;
-- time_ms curtime, interval;
-+ time_ms curtime = 0, interval;
-
- retval = get_curtime_ms(&curtime);
- if (retval != 0)
-@@ -1315,7 +1315,7 @@ service_fds(krb5_context context, struct select_state *selstate,
- void *msg_handler_data, struct conn_state **winner_out)
- {
- int e, selret = 0;
-- time_ms endtime;
-+ time_ms endtime = 0;
- struct conn_state *state;
-
- *winner_out = NULL;
-diff --git a/src/tests/asn.1/trval.c b/src/tests/asn.1/trval.c
-index e924fd8..3ea1edc 100644
---- a/src/tests/asn.1/trval.c
-+++ b/src/tests/asn.1/trval.c
-@@ -404,7 +404,7 @@ int do_cons(fp, enc, len, lev, rlen)
- {
- int n;
- int r = 0;
-- int rlen2;
-+ int rlen2 = 0;
- int rlent;
- int save_appl;
-
diff -Nru krb5-1.13.2+dfsg/debian/patches/debian-local/0008-Fix-pkg-config-library-include-paths.patch krb5-1.14.2+dfsg/debian/patches/debian-local/0008-Fix-pkg-config-library-include-paths.patch
--- krb5-1.13.2+dfsg/debian/patches/debian-local/0008-Fix-pkg-config-library-include-paths.patch 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/patches/debian-local/0008-Fix-pkg-config-library-include-paths.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,102 +0,0 @@ -From d9f132e4f2ac73ffa7178862b23ff9a4b6b57b1b Mon Sep 17 00:00:00 2001 -From: Jelmer Vernooij -Date: Wed, 27 Aug 2014 16:40:29 -0400 -Subject: Fix pkg-config library/include paths - -Include library and include flags in pkg-config files, so they work when the -symlinks provided by libkrb5-dev are not installed. - -Patch-Category: debian-local ---- - src/build-tools/gssrpc.pc.in | 4 ++-- - src/build-tools/kadm-client.pc.in | 4 ++-- - src/build-tools/kadm-server.pc.in | 4 ++-- - src/build-tools/kdb.pc.in | 4 ++-- - src/build-tools/mit-krb5-gssapi.pc.in | 4 ++-- - src/build-tools/mit-krb5.pc.in | 4 ++-- - 6 files changed, 12 insertions(+), 12 deletions(-) - -diff --git a/src/build-tools/gssrpc.pc.in b/src/build-tools/gssrpc.pc.in -index ca90921..e08c2e8 100644 ---- a/src/build-tools/gssrpc.pc.in -+++ b/src/build-tools/gssrpc.pc.in -@@ -1,7 +1,7 @@ - prefix=@prefix@ - exec_prefix=@exec_prefix@ --libdir=@libdir@ --includedir=@includedir@ -+libdir=@libdir@/mit-krb5 -+includedir=@includedir@/mit-krb5 - vendor=MIT - - Name: gssrpc -diff --git a/src/build-tools/kadm-client.pc.in b/src/build-tools/kadm-client.pc.in -index c8d1cd1..de56a75 100644 ---- a/src/build-tools/kadm-client.pc.in -+++ b/src/build-tools/kadm-client.pc.in -@@ -1,7 +1,7 @@ - prefix=@prefix@ - exec_prefix=@exec_prefix@ --libdir=@libdir@ --includedir=@includedir@ -+libdir=@libdir@/mit-krb5 -+includedir=@includedir@/mit-krb5 - - Name: kadm-client - Description: Kerberos administration client library -diff --git a/src/build-tools/kadm-server.pc.in b/src/build-tools/kadm-server.pc.in -index cd2f86c..a73ff86 100644 ---- a/src/build-tools/kadm-server.pc.in -+++ b/src/build-tools/kadm-server.pc.in -@@ -1,7 +1,7 @@ - prefix=@prefix@ - exec_prefix=@exec_prefix@ --libdir=@libdir@ --includedir=@includedir@ -+libdir=@libdir@/mit-krb5 -+includedir=@includedir@/mit-krb5 - - Name: kadm-server - Description: Kerberos administration server library -diff --git a/src/build-tools/kdb.pc.in 
b/src/build-tools/kdb.pc.in -index 461a8d01d0..356501d 100644 ---- a/src/build-tools/kdb.pc.in -+++ b/src/build-tools/kdb.pc.in -@@ -1,7 +1,7 @@ - prefix=@prefix@ - exec_prefix=@exec_prefix@ --libdir=@libdir@ --includedir=@includedir@ -+libdir=@libdir@/mit-krb5 -+includedir=@includedir@/mit-krb5 - - KDB5_DB_LIB=@KDB5_DB_LIB@ - -diff --git a/src/build-tools/mit-krb5-gssapi.pc.in b/src/build-tools/mit-krb5-gssapi.pc.in -index 7b91b19..b2b2436 100644 ---- a/src/build-tools/mit-krb5-gssapi.pc.in -+++ b/src/build-tools/mit-krb5-gssapi.pc.in -@@ -1,7 +1,7 @@ - prefix=@prefix@ - exec_prefix=@exec_prefix@ --libdir=@libdir@ --includedir=@includedir@ -+libdir=@libdir@/mit-krb5 -+includedir=@includedir@/mit-krb5 - - Name: mit-krb5-gssapi - Description: Kerberos implementation of the GSSAPI -diff --git a/src/build-tools/mit-krb5.pc.in b/src/build-tools/mit-krb5.pc.in -index 0308815..058e75f 100644 ---- a/src/build-tools/mit-krb5.pc.in -+++ b/src/build-tools/mit-krb5.pc.in -@@ -1,7 +1,7 @@ - prefix=@prefix@ - exec_prefix=@exec_prefix@ --libdir=@libdir@ --includedir=@includedir@ -+libdir=@libdir@/mit-krb5 -+includedir=@includedir@/mit-krb5 - - defccname=@DEFCCNAME@ - defktname=@DEFKTNAME@ diff -Nru krb5-1.13.2+dfsg/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch krb5-1.14.2+dfsg/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch --- krb5-1.13.2+dfsg/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch 2016-05-30 17:11:40.000000000 +0000 
@@ -0,0 +1,109 @@
+From f2280655e97d2efe0fc7c4f3efeb8a560b911c55 Mon Sep 17 00:00:00 2001
+From: Jelmer Vernooij
+Date: Wed, 3 Sep 2014 22:41:55 -0400
+Subject: Use -isystem for include paths
+
+ This is necessary so Kerberos headers files are classified as "system headers"
+ by the compiler, and thus not subject to the same strict warnings as
+ other headers (which breaks compilation if -Werror is specified).
+ .
+ This fixes the build of folks using -Werror and including Kerberos headers
+ when the latter are installed in a non-standard location (e.g.
+ /usr/include/tuple/mit-krb5, as Debian is doing).
+(cherry picked from commit d8520c1d1c218e3c766009abc728b207c0421232)
+
+Author: Jelmer Vernooij
+Bug-Debian: http://bugs.debian.org/751760
+Patch-Category: debian-local
+---
+ src/build-tools/gssrpc.pc.in | 2 +-
+ src/build-tools/kadm-client.pc.in | 2 +-
+ src/build-tools/kadm-server.pc.in | 2 +-
+ src/build-tools/kdb.pc.in | 2 +-
+ src/build-tools/krb5-config.in | 2 +-
+ src/build-tools/mit-krb5-gssapi.pc.in | 2 +-
+ src/build-tools/mit-krb5.pc.in | 2 +-
+ 7 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/build-tools/gssrpc.pc.in b/src/build-tools/gssrpc.pc.in
+index e08c2e8..fb4f489 100644
+--- a/src/build-tools/gssrpc.pc.in
++++ b/src/build-tools/gssrpc.pc.in
+@@ -7,6 +7,6 @@ vendor=MIT
+ Name: gssrpc
+ Description: GSSAPI RPC implementation
+ Version: @KRB5_VERSION@
+-Cflags: -I${includedir}
++Cflags: -isystem ${includedir}
+ Libs: -L${libdir} -lgssrpc
+ Requires.private: mit-krb5-gssapi
+diff --git a/src/build-tools/kadm-client.pc.in b/src/build-tools/kadm-client.pc.in
+index de56a75..47541ac 100644
+--- a/src/build-tools/kadm-client.pc.in
++++ b/src/build-tools/kadm-client.pc.in
+@@ -7,5 +7,5 @@ Name: kadm-client
+ Description: Kerberos administration client library
+ Version: @KRB5_VERSION@
+ Requires.private: mit-krb5-gssapi gssrpc
+-Cflags: -I${includedir}
++Cflags: -isystem ${includedir}
+ Libs: -L${libdir} -lkadm5clnt_mit
+diff --git a/src/build-tools/kadm-server.pc.in b/src/build-tools/kadm-server.pc.in
+index a73ff86..5ce4b73 100644
+--- a/src/build-tools/kadm-server.pc.in
++++ b/src/build-tools/kadm-server.pc.in
+@@ -7,5 +7,5 @@ Name: kadm-server
+ Description: Kerberos administration server library
+ Version: @KRB5_VERSION@
+ Requires.private: kdb mit-krb5-gssapi
+-Cflags: -I${includedir}
++Cflags: -isystem ${includedir}
+ Libs: -L${libdir} -lkadm5srv_mit
+diff --git a/src/build-tools/kdb.pc.in b/src/build-tools/kdb.pc.in
+index 356501d..d39eeef 100644
+--- a/src/build-tools/kdb.pc.in
++++ b/src/build-tools/kdb.pc.in
+@@ -9,6 +9,6 @@ Name: kdb
+ Description: Kerberos database access libraries
+ Version: @KRB5_VERSION@
+ Requires.private: mit-krb5-gssapi mit-krb5 gssrpc
+-Cflags: -I${includedir}
++Cflags: -isystem ${includedir}
+ Libs: -L${libdir} -lkdb5
+ Libs.private: ${KDB5_DB_LIB}
+diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
+index 637bad7..5a109b0 100755
+--- a/src/build-tools/krb5-config.in
++++ b/src/build-tools/krb5-config.in
+@@ -201,7 +201,7 @@ fi
+
+ if test -n "$do_cflags"; then
+ if test x"$includedir" != x"/usr/include" ; then
+- echo "-I${includedir}"
++ echo "-isystem ${includedir}"
+ else
+ echo ''
+ fi
+diff --git a/src/build-tools/mit-krb5-gssapi.pc.in b/src/build-tools/mit-krb5-gssapi.pc.in
+index b2b2436..f919222 100644
+--- a/src/build-tools/mit-krb5-gssapi.pc.in
++++ b/src/build-tools/mit-krb5-gssapi.pc.in
+@@ -7,5 +7,5 @@ Name: mit-krb5-gssapi
+ Description: Kerberos implementation of the GSSAPI
+ Version: @KRB5_VERSION@
+ Requires.private: mit-krb5
+-Cflags: -I${includedir}
++Cflags: -isystem ${includedir}
+ Libs: -L${libdir} -lgssapi_krb5
+diff --git a/src/build-tools/mit-krb5.pc.in b/src/build-tools/mit-krb5.pc.in
+index 058e75f..455427a 100644
+--- a/src/build-tools/mit-krb5.pc.in
++++ b/src/build-tools/mit-krb5.pc.in
+@@ -10,6 +10,6 @@ defcktname=@DEFCKTNAME@
+ Name: mit-krb5
+ Description: An implementation of Kerberos network authentication
+ Version: @KRB5_VERSION@
+-Cflags: -I${includedir}
++Cflags: -isystem ${includedir}
+ Libs: -L${libdir} -lkrb5 -lk5crypto -lcom_err
+ Libs.private: -lkrb5support
diff -Nru krb5-1.13.2+dfsg/debian/patches/debian-local/0009-Fix-krb5-config-paths.patch krb5-1.14.2+dfsg/debian/patches/debian-local/0009-Fix-krb5-config-paths.patch
--- krb5-1.13.2+dfsg/debian/patches/debian-local/0009-Fix-krb5-config-paths.patch 1970-01-01 00:00:00.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/patches/debian-local/0009-Fix-krb5-config-paths.patch 2016-05-30 17:11:40.000000000 +0000
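Review bot: Replacing `Cflags: -I${includedir}` with `Cflags: -isystem ${includedir}` in the six .pc templates, and `echo "-I${includedir}"` with `echo "-isystem ${includedir}"` in krb5-config.in, changes header search order as well as warning handling, and the patch description only covers the latter. GCC and Clang search -isystem directories after every -I directory, so a consumer whose own -I paths contain headers from another Kerberos or GSS-API implementation would compile against those headers while still linking the `-L${libdir}` libraries from this package. Diagnostics that originate inside these headers are also hidden from downstream builds, including ones a consumer may have enabled deliberately. I would record both effects in the patch header, for example `Note: -isystem dirs are searched after all -I dirs; warnings raised inside these headers are suppressed in consumers.`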
@@ -0,0 +1,47 @@
+From 6803daea2611ce98313c94282d315fdd71c5c36a Mon Sep 17 00:00:00 2001
+From: Jelmer Vernooij
+Date: Sun, 20 Apr 2014 15:59:08 +0200
+Subject: Fix krb5-config paths
+
+Include library and include flags in krb5-config, so they
+work when the symlinks provided by libkrb5-dev are not
+installed.
+
+(cherry picked from commit 33c4b2ebf6688af9cdb71d3795187ddc1601b849)
+Patch-Category: debian-local
+---
+ src/build-tools/krb5-config.in | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
+index 5a109b0..723d1eb 100755
+--- a/src/build-tools/krb5-config.in
++++ b/src/build-tools/krb5-config.in
+@@ -29,8 +29,8 @@ version_string="Kerberos 5 release @KRB5_VERSION@"
+
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-includedir=@includedir@
+-libdir=@libdir@
++includedir=@includedir@/mit-krb5
++libdir=@libdir@/mit-krb5
+ CC_LINK='@CC_LINK@'
+ KDB5_DB_LIB=@KDB5_DB_LIB@
+ LDFLAGS='@LDFLAGS@'
+@@ -209,15 +209,7 @@ fi
+
+
+ if test -n "$do_libs"; then
+- # Assumes /usr/lib is the standard library directory everywhere...
+- case $libdir in
+- /usr/lib*)
+- libdirarg=
+- ;;
+- *)
+- libdirarg="-L$libdir"
+- ;;
+- esac
++ libdirarg="-L$libdir"
+ # Ugly gross hack for our build tree
+ lib_flags=`echo $CC_LINK | sed -e 's/\$(CC)//' \
+ -e 's/\$(PURE)//' \
diff -Nru krb5-1.13.2+dfsg/debian/patches/debian-local/0009-Use-isystem-for-include-paths.patch krb5-1.14.2+dfsg/debian/patches/debian-local/0009-Use-isystem-for-include-paths.patch
--- krb5-1.13.2+dfsg/debian/patches/debian-local/0009-Use-isystem-for-include-paths.patch 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/patches/debian-local/0009-Use-isystem-for-include-paths.patch 1970-01-01 00:00:00.000000000 +0000
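Review bot: With `includedir=@includedir@/mit-krb5` now set unconditionally, the `test x"$includedir" != x"/usr/include"` guard that krb5-config applies before printing the include flag (shown as context in the -isystem patch of this debdiff) looks like it can never be false, which would leave its `else` branch dead. The second hunk removes the matching special case for `libdir` and always sets `libdirarg="-L$libdir"`, so the library and include sides of the script are now handled inconsistently. I would drop the include-side guard in this patch as well, or at least add a comment above the assignments such as `# Debian: headers and libraries live in a mit-krb5 subdirectory, so the -L and include flags are always required`. Both hunks show only part of krb5-config.in, so other uses of `$includedir` and `$libdir` are not visible here.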
@@ -1,109 +0,0 @@ -From 8f739f2f906ca2acb73b0573c133af2fd91c2172 Mon Sep 17 00:00:00 2001 -From: Jelmer Vernooij -Date: Wed, 3 Sep 2014 22:41:55 -0400 -Subject: Use -isystem for include paths - - This is necessary so Kerberos headers files are classified as "system headers" - by the compiler, and thus not subject to the same strict warnings as - other headers (which breaks compilation if -Werror is specified). - . - This fixes the build of folks using -Werror and including Kerberos headers - when the latter are installed in a non-standard location (e.g. - /usr/include/tuple/mit-krb5, as Debian is doing). -(cherry picked from commit d8520c1d1c218e3c766009abc728b207c0421232) - -Author: Jelmer Vernooij -Bug-Debian: http://bugs.debian.org/751760 -Patch-Category: debian-local ---- - src/build-tools/gssrpc.pc.in | 2 +- - src/build-tools/kadm-client.pc.in | 2 +- - src/build-tools/kadm-server.pc.in | 2 +- - src/build-tools/kdb.pc.in | 2 +- - src/build-tools/krb5-config.in | 2 +- - src/build-tools/mit-krb5-gssapi.pc.in | 2 +- - src/build-tools/mit-krb5.pc.in | 2 +- - 7 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/src/build-tools/gssrpc.pc.in b/src/build-tools/gssrpc.pc.in -index e08c2e8..fb4f489 100644 ---- a/src/build-tools/gssrpc.pc.in -+++ b/src/build-tools/gssrpc.pc.in -@@ -7,6 +7,6 @@ vendor=MIT - Name: gssrpc - Description: GSSAPI RPC implementation - Version: @KRB5_VERSION@ --Cflags: -I${includedir} -+Cflags: -isystem ${includedir} - Libs: -L${libdir} -lgssrpc - Requires.private: mit-krb5-gssapi -diff --git a/src/build-tools/kadm-client.pc.in b/src/build-tools/kadm-client.pc.in -index de56a75..47541ac 100644 ---- a/src/build-tools/kadm-client.pc.in -+++ b/src/build-tools/kadm-client.pc.in -@@ -7,5 +7,5 @@ Name: kadm-client - Description: Kerberos administration client library - Version: @KRB5_VERSION@ - Requires.private: mit-krb5-gssapi gssrpc --Cflags: -I${includedir} -+Cflags: -isystem ${includedir} - Libs: -L${libdir} -lkadm5clnt_mit -diff --git 
a/src/build-tools/kadm-server.pc.in b/src/build-tools/kadm-server.pc.in -index a73ff86..5ce4b73 100644 ---- a/src/build-tools/kadm-server.pc.in -+++ b/src/build-tools/kadm-server.pc.in -@@ -7,5 +7,5 @@ Name: kadm-server - Description: Kerberos administration server library - Version: @KRB5_VERSION@ - Requires.private: kdb mit-krb5-gssapi --Cflags: -I${includedir} -+Cflags: -isystem ${includedir} - Libs: -L${libdir} -lkadm5srv_mit -diff --git a/src/build-tools/kdb.pc.in b/src/build-tools/kdb.pc.in -index 356501d..d39eeef 100644 ---- a/src/build-tools/kdb.pc.in -+++ b/src/build-tools/kdb.pc.in -@@ -9,6 +9,6 @@ Name: kdb - Description: Kerberos database access libraries - Version: @KRB5_VERSION@ - Requires.private: mit-krb5-gssapi mit-krb5 gssrpc --Cflags: -I${includedir} -+Cflags: -isystem ${includedir} - Libs: -L${libdir} -lkdb5 - Libs.private: ${KDB5_DB_LIB} -diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index 637bad7..5a109b0 100755 ---- a/src/build-tools/krb5-config.in -+++ b/src/build-tools/krb5-config.in -@@ -201,7 +201,7 @@ fi - - if test -n "$do_cflags"; then - if test x"$includedir" != x"/usr/include" ; then -- echo "-I${includedir}" -+ echo "-isystem ${includedir}" - else - echo '' - fi -diff --git a/src/build-tools/mit-krb5-gssapi.pc.in b/src/build-tools/mit-krb5-gssapi.pc.in -index b2b2436..f919222 100644 ---- a/src/build-tools/mit-krb5-gssapi.pc.in -+++ b/src/build-tools/mit-krb5-gssapi.pc.in -@@ -7,5 +7,5 @@ Name: mit-krb5-gssapi - Description: Kerberos implementation of the GSSAPI - Version: @KRB5_VERSION@ - Requires.private: mit-krb5 --Cflags: -I${includedir} -+Cflags: -isystem ${includedir} - Libs: -L${libdir} -lgssapi_krb5 -diff --git a/src/build-tools/mit-krb5.pc.in b/src/build-tools/mit-krb5.pc.in -index 058e75f..455427a 100644 ---- a/src/build-tools/mit-krb5.pc.in -+++ b/src/build-tools/mit-krb5.pc.in -@@ -10,6 +10,6 @@ defcktname=@DEFCKTNAME@ - Name: mit-krb5 - Description: An implementation of Kerberos network 
authentication - Version: @KRB5_VERSION@ --Cflags: -I${includedir} -+Cflags: -isystem ${includedir} - Libs: -L${libdir} -lkrb5 -lk5crypto -lcom_err - Libs.private: -lkrb5support diff -Nru krb5-1.13.2+dfsg/debian/patches/debian-local/0010-Fix-krb5-config-paths.patch krb5-1.14.2+dfsg/debian/patches/debian-local/0010-Fix-krb5-config-paths.patch --- krb5-1.13.2+dfsg/debian/patches/debian-local/0010-Fix-krb5-config-paths.patch 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/patches/debian-local/0010-Fix-krb5-config-paths.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,47 +0,0 @@ -From 245183404b9365b325bb1b7bed5920834a4a7c61 Mon Sep 17 00:00:00 2001 -From: Jelmer Vernooij -Date: Sun, 20 Apr 2014 15:59:08 +0200 -Subject: Fix krb5-config paths - -Include library and include flags in krb5-config, so they -work when the symlinks provided by libkrb5-dev are not -installed. - -(cherry picked from commit 33c4b2ebf6688af9cdb71d3795187ddc1601b849) -Patch-Category: debian-local ---- - src/build-tools/krb5-config.in | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) - -diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index 5a109b0..723d1eb 100755 ---- a/src/build-tools/krb5-config.in -+++ b/src/build-tools/krb5-config.in -@@ -29,8 +29,8 @@ version_string="Kerberos 5 release @KRB5_VERSION@" - - prefix=@prefix@ - exec_prefix=@exec_prefix@ --includedir=@includedir@ --libdir=@libdir@ -+includedir=@includedir@/mit-krb5 -+libdir=@libdir@/mit-krb5 - CC_LINK='@CC_LINK@' - KDB5_DB_LIB=@KDB5_DB_LIB@ - LDFLAGS='@LDFLAGS@' -@@ -209,15 +209,7 @@ fi - - - if test -n "$do_libs"; then -- # Assumes /usr/lib is the standard library directory everywhere... -- case $libdir in -- /usr/lib*) -- libdirarg= -- ;; -- *) -- libdirarg="-L$libdir" -- ;; -- esac -+ libdirarg="-L$libdir" - # Ugly gross hack for our build tree - lib_flags=`echo $CC_LINK | sed -e 's/\$(CC)//' \ - -e 's/\$(PURE)//' \ diff -Nru krb5-1.13.2+dfsg/debian/patches/series krb5-1.14.2+dfsg/debian/patches/series --- krb5-1.13.2+dfsg/debian/patches/series 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/patches/series 2016-06-16 04:42:24.000000000 +0000 
@@ -4,16 +4,8 @@
 debian-local/0004-debian-install-ldap-library-in-subdirectory.patch
 debian-local/0005-gssapi-never-unload-mechanisms.patch
 debian-local/0006-Add-substpdf-target.patch
-debian-local/0007-Quick-and-dirty-fix-to-building-O3.patch
-debian-local/0008-Fix-pkg-config-library-include-paths.patch
-debian-local/0009-Use-isystem-for-include-paths.patch
-debian-local/0010-Fix-krb5-config-paths.patch
-upstream/0011-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
-upstream/0012-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
-upstream/0013-Fix-build_principal-memory-bug-CVE-2015-2697.patch
-upstream/0014-Fix-two-IAKERB-comments.patch
-upstream/0015-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
-upstream/0016-Fix-SPNEGO-context-import.patch
-upstream/0017-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
-upstream/0018-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
-upstream/0019-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+debian-local/0007-Fix-pkg-config-library-include-paths.patch
+debian-local/0008-Use-isystem-for-include-paths.patch
+debian-local/0009-Fix-krb5-config-paths.patch
+0010-Initial-German-translations.patch
+0011-sendto_kdc-uninitialized-variable.patch
diff -Nru krb5-1.13.2+dfsg/debian/patches/upstream/0011-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch krb5-1.14.2+dfsg/debian/patches/upstream/0011-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
--- krb5-1.13.2+dfsg/debian/patches/upstream/0011-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/patches/upstream/0011-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch 1970-01-01 00:00:00.000000000 +0000
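Review bot: The series drops every `upstream/` security patch (CVE-2015-2695 through CVE-2015-2698 and CVE-2015-8629 through CVE-2015-8631) without anything in this hunk recording that the new upstream tarball already contains them; presumably it does, but a changelog line naming each CVE as included upstream would make that auditable. The dropped `debian-local/0007-Quick-and-dirty-fix-to-building-O3.patch` initialized variables in dump.c, sendto_kdc.c and trval.c, while the only replacement added is `0011-sendto_kdc-uninitialized-variable.patch`, so it is worth confirming with an -O3 build that the other two files no longer need it. The two new entries also sit at the top level of debian/patches while every other entry is under `debian-local/` or `upstream/`; a path such as `debian-local/0011-sendto_kdc-uninitialized-variable.patch` would keep the layout consistent.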
@@ -1,567 +0,0 @@ -From b813d5811432faed844a2dfd3daecde914978f2c Mon Sep 17 00:00:00 2001 -From: Nicolas Williams -Date: Mon, 14 Sep 2015 12:27:52 -0400 -Subject: Fix SPNEGO context aliasing bugs [CVE-2015-2695] - -The SPNEGO mechanism currently replaces its context handle with the -mechanism context handle upon establishment, under the assumption that -most GSS functions are only called after context establishment. This -assumption is incorrect, and can lead to aliasing violations for some -programs. Maintain the SPNEGO context structure after context -establishment and refer to it in all GSS methods. Add initiate and -opened flags to the SPNEGO context structure for use in -gss_inquire_context() prior to context establishment. - -CVE-2015-2695: - -In MIT krb5 1.5 and later, applications which call -gss_inquire_context() on a partially-established SPNEGO context can -cause the GSS-API library to read from a pointer using the wrong type, -generally causing a process crash. This bug may go unnoticed, because -the most common SPNEGO authentication scenario establishes the context -after just one call to gss_accept_sec_context(). Java server -applications using the native JGSS provider are vulnerable to this -bug. A carefully crafted SPNEGO packet might allow the -gss_inquire_context() call to succeed with attacker-determined -results, but applications should not make access control decisions -based on gss_inquire_context() results prior to context establishment. 
- - CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C - -[ghudson@mit.edu: several bugfixes, style changes, and edge-case -behavior changes; commit message and CVE description] - -ticket: 8244 -target_version: 1.14 -tags: pullup - -(cherry picked from commit b51b33f2bc5d1497ddf5bd107f791c101695000d) -Patch-Category: upstream ---- - src/lib/gssapi/spnego/gssapiP_spnego.h | 2 + - src/lib/gssapi/spnego/spnego_mech.c | 254 ++++++++++++++++++++++++--------- - 2 files changed, 192 insertions(+), 64 deletions(-) - -diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h -index bc23f56..8e05736 100644 ---- a/src/lib/gssapi/spnego/gssapiP_spnego.h -+++ b/src/lib/gssapi/spnego/gssapiP_spnego.h -@@ -102,6 +102,8 @@ typedef struct { - int firstpass; - int mech_complete; - int nego_done; -+ int initiate; -+ int opened; - OM_uint32 ctx_flags; - gss_name_t internal_name; - gss_OID actual_mech; -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 6e39c37..a1072b0 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -104,7 +104,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t, - gss_cred_usage_t, gss_OID_set *); - static void release_spnego_ctx(spnego_gss_ctx_id_t *); - static void check_spnego_options(spnego_gss_ctx_id_t); --static spnego_gss_ctx_id_t create_spnego_ctx(void); -+static spnego_gss_ctx_id_t create_spnego_ctx(int); - static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf); - static int put_input_token(unsigned char **, gss_buffer_t, unsigned int); - static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int); -@@ -442,7 +442,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx) - } - - static spnego_gss_ctx_id_t --create_spnego_ctx(void) -+create_spnego_ctx(int initiate) - { - spnego_gss_ctx_id_t spnego_ctx = NULL; - spnego_ctx = (spnego_gss_ctx_id_t) -@@ -465,6 +465,8 @@ 
create_spnego_ctx(void) - spnego_ctx->mic_rcvd = 0; - spnego_ctx->mech_complete = 0; - spnego_ctx->nego_done = 0; -+ spnego_ctx->opened = 0; -+ spnego_ctx->initiate = initiate; - spnego_ctx->internal_name = GSS_C_NO_NAME; - spnego_ctx->actual_mech = GSS_C_NO_OID; - -@@ -630,7 +632,7 @@ init_ctx_new(OM_uint32 *minor_status, - OM_uint32 ret; - spnego_gss_ctx_id_t sc = NULL; - -- sc = create_spnego_ctx(); -+ sc = create_spnego_ctx(1); - if (sc == NULL) - return GSS_S_FAILURE; - -@@ -647,10 +649,7 @@ init_ctx_new(OM_uint32 *minor_status, - ret = GSS_S_FAILURE; - goto cleanup; - } -- /* -- * The actual context is not yet determined, set the output -- * context handle to refer to the spnego context itself. -- */ -+ - sc->ctx_handle = GSS_C_NO_CONTEXT; - *ctx = (gss_ctx_id_t)sc; - sc = NULL; -@@ -1091,16 +1090,11 @@ cleanup: - } - gss_release_buffer(&tmpmin, &mechtok_out); - if (ret == GSS_S_COMPLETE) { -- /* -- * Now, switch the output context to refer to the -- * negotiated mechanism's context. 
-- */ -- *context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle; -+ spnego_ctx->opened = 1; - if (actual_mech != NULL) - *actual_mech = spnego_ctx->actual_mech; - if (ret_flags != NULL) - *ret_flags = spnego_ctx->ctx_flags; -- release_spnego_ctx(&spnego_ctx); - } else if (ret != GSS_S_CONTINUE_NEEDED) { - if (spnego_ctx != NULL) { - gss_delete_sec_context(&tmpmin, -@@ -1344,7 +1338,7 @@ acc_ctx_hints(OM_uint32 *minor_status, - if (ret != GSS_S_COMPLETE) - goto cleanup; - -- sc = create_spnego_ctx(); -+ sc = create_spnego_ctx(0); - if (sc == NULL) { - ret = GSS_S_FAILURE; - goto cleanup; -@@ -1426,7 +1420,7 @@ acc_ctx_new(OM_uint32 *minor_status, - gss_release_buffer(&tmpmin, &sc->DER_mechTypes); - assert(mech_wanted != GSS_C_NO_OID); - } else -- sc = create_spnego_ctx(); -+ sc = create_spnego_ctx(0); - if (sc == NULL) { - ret = GSS_S_FAILURE; - *return_token = NO_TOKEN_SEND; -@@ -1809,13 +1803,12 @@ cleanup: - ret = GSS_S_FAILURE; - } - if (ret == GSS_S_COMPLETE) { -- *context_handle = (gss_ctx_id_t)sc->ctx_handle; -+ sc->opened = 1; - if (sc->internal_name != GSS_C_NO_NAME && - src_name != NULL) { - *src_name = sc->internal_name; - sc->internal_name = GSS_C_NO_NAME; - } -- release_spnego_ctx(&sc); - } else if (ret != GSS_S_CONTINUE_NEEDED) { - if (sc != NULL) { - gss_delete_sec_context(&tmpmin, &sc->ctx_handle, -@@ -2128,8 +2121,13 @@ spnego_gss_unwrap( - gss_qop_t *qop_state) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_unwrap(minor_status, -- context_handle, -+ sc->ctx_handle, - input_message_buffer, - output_message_buffer, - conf_state, -@@ -2149,8 +2147,13 @@ spnego_gss_wrap( - gss_buffer_t output_message_buffer) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_wrap(minor_status, -- context_handle, -+ 
sc->ctx_handle, - conf_req_flag, - qop_req, - input_message_buffer, -@@ -2167,8 +2170,14 @@ spnego_gss_process_context_token( - const gss_buffer_t token_buffer) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ /* SPNEGO doesn't have its own context tokens. */ -+ if (!sc->opened) -+ return (GSS_S_DEFECTIVE_TOKEN); -+ - ret = gss_process_context_token(minor_status, -- context_handle, -+ sc->ctx_handle, - token_buffer); - - return (ret); -@@ -2192,19 +2201,9 @@ spnego_gss_delete_sec_context( - if (*ctx == NULL) - return (GSS_S_COMPLETE); - -- /* -- * If this is still an SPNEGO mech, release it locally. -- */ -- if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) { -- (void) gss_delete_sec_context(minor_status, -- &(*ctx)->ctx_handle, -- output_token); -- (void) release_spnego_ctx(ctx); -- } else { -- ret = gss_delete_sec_context(minor_status, -- context_handle, -- output_token); -- } -+ (void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle, -+ output_token); -+ (void) release_spnego_ctx(ctx); - - return (ret); - } -@@ -2216,8 +2215,13 @@ spnego_gss_context_time( - OM_uint32 *time_rec) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_context_time(minor_status, -- context_handle, -+ sc->ctx_handle, - time_rec); - return (ret); - } -@@ -2229,9 +2233,20 @@ spnego_gss_export_sec_context( - gss_buffer_t interprocess_token) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle; -+ -+ /* We don't currently support exporting partially established -+ * contexts. 
*/ -+ if (!sc->opened) -+ return GSS_S_UNAVAILABLE; -+ - ret = gss_export_sec_context(minor_status, -- context_handle, -+ &sc->ctx_handle, - interprocess_token); -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) { -+ release_spnego_ctx(&sc); -+ *context_handle = GSS_C_NO_CONTEXT; -+ } - return (ret); - } - -@@ -2241,11 +2256,12 @@ spnego_gss_import_sec_context( - const gss_buffer_t interprocess_token, - gss_ctx_id_t *context_handle) - { -- OM_uint32 ret; -- ret = gss_import_sec_context(minor_status, -- interprocess_token, -- context_handle); -- return (ret); -+ /* -+ * Until we implement partial context exports, there are no SPNEGO -+ * exported context tokens, only tokens for underlying mechs. So just -+ * return an error for now. -+ */ -+ return GSS_S_UNAVAILABLE; - } - #endif /* LEAN_CLIENT */ - -@@ -2262,16 +2278,48 @@ spnego_gss_inquire_context( - int *opened) - { - OM_uint32 ret = GSS_S_COMPLETE; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (src_name != NULL) -+ *src_name = GSS_C_NO_NAME; -+ if (targ_name != NULL) -+ *targ_name = GSS_C_NO_NAME; -+ if (lifetime_rec != NULL) -+ *lifetime_rec = 0; -+ if (mech_type != NULL) -+ *mech_type = (gss_OID)gss_mech_spnego; -+ if (ctx_flags != NULL) -+ *ctx_flags = 0; -+ if (locally_initiated != NULL) -+ *locally_initiated = sc->initiate; -+ if (opened != NULL) -+ *opened = sc->opened; -+ -+ if (sc->ctx_handle != GSS_C_NO_CONTEXT) { -+ ret = gss_inquire_context(minor_status, sc->ctx_handle, -+ src_name, targ_name, lifetime_rec, -+ mech_type, ctx_flags, NULL, NULL); -+ } - -- ret = gss_inquire_context(minor_status, -- context_handle, -- src_name, -- targ_name, -- lifetime_rec, -- mech_type, -- ctx_flags, -- locally_initiated, -- opened); -+ if (!sc->opened) { -+ /* -+ * We are still doing SPNEGO negotiation, so report SPNEGO as -+ * the OID. After negotiation is complete we will report the -+ * underlying mechanism OID. 
-+ */ -+ if (mech_type != NULL) -+ *mech_type = (gss_OID)gss_mech_spnego; -+ -+ /* -+ * Remove flags we don't support with partially-established -+ * contexts. (Change this to keep GSS_C_TRANS_FLAG if we add -+ * support for exporting partial SPNEGO contexts.) -+ */ -+ if (ctx_flags != NULL) { -+ *ctx_flags &= ~GSS_C_PROT_READY_FLAG; -+ *ctx_flags &= ~GSS_C_TRANS_FLAG; -+ } -+ } - - return (ret); - } -@@ -2286,8 +2334,13 @@ spnego_gss_wrap_size_limit( - OM_uint32 *max_input_size) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_wrap_size_limit(minor_status, -- context_handle, -+ sc->ctx_handle, - conf_req_flag, - qop_req, - req_output_size, -@@ -2304,8 +2357,13 @@ spnego_gss_get_mic( - gss_buffer_t message_token) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_get_mic(minor_status, -- context_handle, -+ sc->ctx_handle, - qop_req, - message_buffer, - message_token); -@@ -2321,8 +2379,13 @@ spnego_gss_verify_mic( - gss_qop_t *qop_state) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_verify_mic(minor_status, -- context_handle, -+ sc->ctx_handle, - msg_buffer, - token_buffer, - qop_state); -@@ -2337,8 +2400,14 @@ spnego_gss_inquire_sec_context_by_oid( - gss_buffer_set_t *data_set) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ /* There are no SPNEGO-specific OIDs for this function. 
*/ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_UNAVAILABLE); -+ - ret = gss_inquire_sec_context_by_oid(minor_status, -- context_handle, -+ sc->ctx_handle, - desired_object, - data_set); - return (ret); -@@ -2407,8 +2476,15 @@ spnego_gss_set_sec_context_option( - const gss_buffer_t value) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle; -+ -+ /* There are no SPNEGO-specific OIDs for this function, and we cannot -+ * construct an empty SPNEGO context with it. */ -+ if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_UNAVAILABLE); -+ - ret = gss_set_sec_context_option(minor_status, -- context_handle, -+ &sc->ctx_handle, - desired_object, - value); - return (ret); -@@ -2425,8 +2501,13 @@ spnego_gss_wrap_aead(OM_uint32 *minor_status, - gss_buffer_t output_message_buffer) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_wrap_aead(minor_status, -- context_handle, -+ sc->ctx_handle, - conf_req_flag, - qop_req, - input_assoc_buffer, -@@ -2447,8 +2528,13 @@ spnego_gss_unwrap_aead(OM_uint32 *minor_status, - gss_qop_t *qop_state) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_unwrap_aead(minor_status, -- context_handle, -+ sc->ctx_handle, - input_message_buffer, - input_assoc_buffer, - output_payload_buffer, -@@ -2467,8 +2553,13 @@ spnego_gss_wrap_iov(OM_uint32 *minor_status, - int iov_count) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_wrap_iov(minor_status, -- context_handle, -+ sc->ctx_handle, - conf_req_flag, - qop_req, - conf_state, -@@ -2486,8 +2577,13 @@ spnego_gss_unwrap_iov(OM_uint32 *minor_status, - int 
iov_count) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_unwrap_iov(minor_status, -- context_handle, -+ sc->ctx_handle, - conf_state, - qop_state, - iov, -@@ -2505,8 +2601,13 @@ spnego_gss_wrap_iov_length(OM_uint32 *minor_status, - int iov_count) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_wrap_iov_length(minor_status, -- context_handle, -+ sc->ctx_handle, - conf_req_flag, - qop_req, - conf_state, -@@ -2523,8 +2624,13 @@ spnego_gss_complete_auth_token( - gss_buffer_t input_message_buffer) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_UNAVAILABLE); -+ - ret = gss_complete_auth_token(minor_status, -- context_handle, -+ sc->ctx_handle, - input_message_buffer); - return (ret); - } -@@ -2776,8 +2882,13 @@ spnego_gss_pseudo_random(OM_uint32 *minor_status, - gss_buffer_t prf_out) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_pseudo_random(minor_status, -- context, -+ sc->ctx_handle, - prf_key, - prf_in, - desired_output_len, -@@ -2918,7 +3029,12 @@ spnego_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, - gss_qop_t qop_req, gss_iov_buffer_desc *iov, - int iov_count) - { -- return gss_get_mic_iov(minor_status, context_handle, qop_req, iov, -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ -+ return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov, - iov_count); - } - -@@ -2927,7 +3043,12 @@ spnego_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, 
- gss_qop_t *qop_state, gss_iov_buffer_desc *iov, - int iov_count) - { -- return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov, -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ -+ return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov, - iov_count); - } - -@@ -2936,7 +3057,12 @@ spnego_gss_get_mic_iov_length(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, gss_qop_t qop_req, - gss_iov_buffer_desc *iov, int iov_count) - { -- return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov, -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ -+ return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov, - iov_count); - } - diff -Nru krb5-1.13.2+dfsg/debian/patches/upstream/0012-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch krb5-1.14.2+dfsg/debian/patches/upstream/0012-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch --- krb5-1.13.2+dfsg/debian/patches/upstream/0012-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/patches/upstream/0012-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,734 +0,0 @@ -From ebea85358bc72ec20c53130d83acb93f95853b76 Mon Sep 17 00:00:00 2001 -From: Nicolas Williams -Date: Mon, 14 Sep 2015 12:28:36 -0400 -Subject: Fix IAKERB context aliasing bugs [CVE-2015-2696] - -The IAKERB mechanism currently replaces its context handle with the -krb5 mechanism handle upon establishment, under the assumption that -most GSS functions are only called after context establishment. This -assumption is incorrect, and can lead to aliasing violations for some -programs. Maintain the IAKERB context structure after context -establishment and add new IAKERB entry points to refer to it with that -type. Add initiate and established flags to the IAKERB context -structure for use in gss_inquire_context() prior to context -establishment. - -CVE-2015-2696: - -In MIT krb5 1.9 and later, applications which call -gss_inquire_context() on a partially-established IAKERB context can -cause the GSS-API library to read from a pointer using the wrong type, -generally causing a process crash. Java server applications using the -native JGSS provider are vulnerable to this bug. A carefully crafted -IAKERB packet might allow the gss_inquire_context() call to succeed -with attacker-determined results, but applications should not make -access control decisions based on gss_inquire_context() results prior -to context establishment. 
- - CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C - -[ghudson@mit.edu: several bugfixes, style changes, and edge-case -behavior changes; commit message and CVE description] - -ticket: 8244 -target_version: 1.14 -tags: pullup - -(cherry picked from commit e04f0283516e80d2f93366e0d479d13c9b5c8c2a) -Patch-Category: upstream ---- - src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++ - src/lib/gssapi/krb5/gssapi_krb5.c | 105 +++++++++-- - src/lib/gssapi/krb5/iakerb.c | 351 +++++++++++++++++++++++++++++++++---- - 3 files changed, 529 insertions(+), 41 deletions(-) - -diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h -index a0e8625..05dc321 100644 ---- a/src/lib/gssapi/krb5/gssapiP_krb5.h -+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h -@@ -620,6 +620,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext - ); - #endif /* LEAN_CLIENT */ - -+OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid -+(OM_uint32*, /* minor_status */ -+ const gss_ctx_id_t, -+ /* context_handle */ -+ const gss_OID, /* desired_object */ -+ gss_buffer_set_t* /* data_set */ -+); -+ -+OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option -+(OM_uint32*, /* minor_status */ -+ gss_ctx_id_t*, /* context_handle */ -+ const gss_OID, /* desired_object */ -+ const gss_buffer_t/* value */ -+); -+ - OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token - (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ -@@ -1301,6 +1316,105 @@ OM_uint32 KRB5_CALLCONV - krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token, - gss_cred_id_t *cred_handle); - -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_process_context_token(OM_uint32 *minor_status, -+ const gss_ctx_id_t context_handle, -+ const gss_buffer_t token_buffer); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ OM_uint32 *time_rec); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_inquire_context(OM_uint32 *minor_status, -+ 
gss_ctx_id_t context_handle, gss_name_t *src_name, -+ gss_name_t *targ_name, OM_uint32 *lifetime_rec, -+ gss_OID *mech_type, OM_uint32 *ctx_flags, -+ int *locally_initiated, int *opened); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_qop_t qop_req, gss_buffer_t message_buffer, -+ gss_buffer_t message_token); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_qop_t qop_req, gss_iov_buffer_desc *iov, -+ int iov_count); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, gss_qop_t qop_req, -+ gss_iov_buffer_desc *iov, int iov_count); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_buffer_t msg_buffer, gss_buffer_t token_buffer, -+ gss_qop_t *qop_state); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_qop_t *qop_state, gss_iov_buffer_desc *iov, -+ int iov_count); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ int conf_req_flag, gss_qop_t qop_req, -+ gss_buffer_t input_message_buffer, int *conf_state, -+ gss_buffer_t output_message_buffer); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ int conf_req_flag, gss_qop_t qop_req, int *conf_state, -+ gss_iov_buffer_desc *iov, int iov_count); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, int conf_req_flag, -+ gss_qop_t qop_req, int *conf_state, -+ gss_iov_buffer_desc *iov, int iov_count); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_buffer_t input_message_buffer, -+ gss_buffer_t output_message_buffer, int *conf_state, -+ gss_qop_t *qop_state); -+ 
-+OM_uint32 KRB5_CALLCONV -+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ int *conf_state, gss_qop_t *qop_state, -+ gss_iov_buffer_desc *iov, int iov_count); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, int conf_req_flag, -+ gss_qop_t qop_req, OM_uint32 req_output_size, -+ OM_uint32 *max_input_size); -+ -+#ifndef LEAN_CLIENT -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_export_sec_context(OM_uint32 *minor_status, -+ gss_ctx_id_t *context_handle, -+ gss_buffer_t interprocess_token); -+#endif /* LEAN_CLIENT */ -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status, -+ const gss_ctx_id_t context_handle, -+ const gss_OID desired_object, -+ gss_buffer_set_t *data_set); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status, -+ gss_ctx_id_t *context_handle, -+ const gss_OID desired_object, -+ const gss_buffer_t value); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ int prf_key, const gss_buffer_t prf_in, -+ ssize_t desired_output_len, gss_buffer_t prf_out); -+ - /* Magic string to identify exported krb5 GSS credentials. Increment this if - * the format changes. 
*/ - #define CRED_EXPORT_MAGIC "K5C1" -diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c -index 77b7fff..9a23656 100644 ---- a/src/lib/gssapi/krb5/gssapi_krb5.c -+++ b/src/lib/gssapi/krb5/gssapi_krb5.c -@@ -345,7 +345,7 @@ static struct { - } - }; - --static OM_uint32 KRB5_CALLCONV -+OM_uint32 KRB5_CALLCONV - krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_OID desired_object, -@@ -459,7 +459,7 @@ static struct { - }; - #endif - --static OM_uint32 KRB5_CALLCONV -+OM_uint32 KRB5_CALLCONV - krb5_gss_set_sec_context_option (OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - const gss_OID desired_object, -@@ -904,20 +904,103 @@ static struct gss_config krb5_mechanism = { - krb5_gss_get_mic_iov_length, - }; - -+/* Functions which use security contexts or acquire creds are IAKERB-specific; -+ * other functions can borrow from the krb5 mech. */ -+static struct gss_config iakerb_mechanism = { -+ { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID }, -+ NULL, -+ iakerb_gss_acquire_cred, -+ krb5_gss_release_cred, -+ iakerb_gss_init_sec_context, -+#ifdef LEAN_CLIENT -+ NULL, -+#else -+ iakerb_gss_accept_sec_context, -+#endif -+ iakerb_gss_process_context_token, -+ iakerb_gss_delete_sec_context, -+ iakerb_gss_context_time, -+ iakerb_gss_get_mic, -+ iakerb_gss_verify_mic, -+#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE) -+ NULL, -+#else -+ iakerb_gss_wrap, -+#endif -+#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE) -+ NULL, -+#else -+ iakerb_gss_unwrap, -+#endif -+ krb5_gss_display_status, -+ krb5_gss_indicate_mechs, -+ krb5_gss_compare_name, -+ krb5_gss_display_name, -+ krb5_gss_import_name, -+ krb5_gss_release_name, -+ krb5_gss_inquire_cred, -+ NULL, /* add_cred */ -+#ifdef LEAN_CLIENT -+ NULL, -+ NULL, -+#else -+ iakerb_gss_export_sec_context, -+ NULL, -+#endif -+ krb5_gss_inquire_cred_by_mech, -+ krb5_gss_inquire_names_for_mech, -+ 
iakerb_gss_inquire_context, -+ krb5_gss_internal_release_oid, -+ iakerb_gss_wrap_size_limit, -+ krb5_gss_localname, -+ krb5_gss_authorize_localname, -+ krb5_gss_export_name, -+ krb5_gss_duplicate_name, -+ krb5_gss_store_cred, -+ iakerb_gss_inquire_sec_context_by_oid, -+ krb5_gss_inquire_cred_by_oid, -+ iakerb_gss_set_sec_context_option, -+ krb5_gssspi_set_cred_option, -+ krb5_gssspi_mech_invoke, -+ NULL, /* wrap_aead */ -+ NULL, /* unwrap_aead */ -+ iakerb_gss_wrap_iov, -+ iakerb_gss_unwrap_iov, -+ iakerb_gss_wrap_iov_length, -+ NULL, /* complete_auth_token */ -+ NULL, /* acquire_cred_impersonate_name */ -+ NULL, /* add_cred_impersonate_name */ -+ NULL, /* display_name_ext */ -+ krb5_gss_inquire_name, -+ krb5_gss_get_name_attribute, -+ krb5_gss_set_name_attribute, -+ krb5_gss_delete_name_attribute, -+ krb5_gss_export_name_composite, -+ krb5_gss_map_name_to_any, -+ krb5_gss_release_any_name_mapping, -+ iakerb_gss_pseudo_random, -+ NULL, /* set_neg_mechs */ -+ krb5_gss_inquire_saslname_for_mech, -+ krb5_gss_inquire_mech_for_saslname, -+ krb5_gss_inquire_attrs_for_mech, -+ krb5_gss_acquire_cred_from, -+ krb5_gss_store_cred_into, -+ iakerb_gss_acquire_cred_with_password, -+ krb5_gss_export_cred, -+ krb5_gss_import_cred, -+ NULL, /* import_sec_context_by_mech */ -+ NULL, /* import_name_by_mech */ -+ NULL, /* import_cred_by_mech */ -+ iakerb_gss_get_mic_iov, -+ iakerb_gss_verify_mic_iov, -+ iakerb_gss_get_mic_iov_length, -+}; -+ - #ifdef _GSS_STATIC_LINK - #include "mglueP.h" - static int gss_iakerbmechglue_init(void) - { - struct gss_mech_config mech_iakerb; -- struct gss_config iakerb_mechanism = krb5_mechanism; -- -- /* IAKERB mechanism mirrors krb5, but with different context SPIs */ -- iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context; -- iakerb_mechanism.gss_init_sec_context = iakerb_gss_init_sec_context; -- iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context; -- iakerb_mechanism.gss_acquire_cred = iakerb_gss_acquire_cred; 
-- iakerb_mechanism.gssspi_acquire_cred_with_password -- = iakerb_gss_acquire_cred_with_password; - - memset(&mech_iakerb, 0, sizeof(mech_iakerb)); - mech_iakerb.mech = &iakerb_mechanism; -diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c -index f30de32..4662bd9 100644 ---- a/src/lib/gssapi/krb5/iakerb.c -+++ b/src/lib/gssapi/krb5/iakerb.c -@@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec { - gss_ctx_id_t gssc; - krb5_data conv; /* conversation for checksumming */ - unsigned int count; /* number of round trips */ -+ int initiate; -+ int established; - krb5_get_init_creds_opt *gic_opts; - }; - -@@ -695,7 +697,7 @@ cleanup: - * Allocate and initialise an IAKERB context - */ - static krb5_error_code --iakerb_alloc_context(iakerb_ctx_id_t *pctx) -+iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate) - { - iakerb_ctx_id_t ctx; - krb5_error_code code; -@@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx) - ctx->magic = KG_IAKERB_CONTEXT; - ctx->state = IAKERB_AS_REQ; - ctx->count = 0; -+ ctx->initiate = initiate; -+ ctx->established = 0; - - code = krb5_gss_init_context(&ctx->k5c); - if (code != 0) -@@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - gss_buffer_t output_token) - { -- OM_uint32 major_status = GSS_S_COMPLETE; -+ iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle; - - if (output_token != GSS_C_NO_BUFFER) { - output_token->length = 0; -@@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status, - } - - *minor_status = 0; -+ *context_handle = GSS_C_NO_CONTEXT; -+ iakerb_release_context(iakerb_ctx); - -- if (*context_handle != GSS_C_NO_CONTEXT) { -- iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle; -- -- if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) { -- iakerb_release_context(iakerb_ctx); -- *context_handle = GSS_C_NO_CONTEXT; -- } else { -- assert(iakerb_ctx->magic == KG_CONTEXT); -- -- major_status = 
krb5_gss_delete_sec_context(minor_status,
-- context_handle,
-- output_token);
-- }
-- }
--
-- return major_status;
-+ return GSS_S_COMPLETE;
- }
-
- static krb5_boolean
-@@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
- int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
-
- if (initialContextToken) {
-- code = iakerb_alloc_context(&ctx);
-+ code = iakerb_alloc_context(&ctx, 0);
- if (code != 0)
- goto cleanup;
-
-@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
- time_rec,
- delegated_cred_handle,
- &exts);
-- if (major_status == GSS_S_COMPLETE) {
-- *context_handle = ctx->gssc;
-- ctx->gssc = NULL;
-- iakerb_release_context(ctx);
-- }
-+ if (major_status == GSS_S_COMPLETE)
-+ ctx->established = 1;
- if (mech_type != NULL)
- *mech_type = (gss_OID)gss_mech_krb5;
- }
-@@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
- int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
-
- if (initialContextToken) {
-- code = iakerb_alloc_context(&ctx);
-+ code = iakerb_alloc_context(&ctx, 1);
- if (code != 0) {
- *minor_status = code;
- goto cleanup;
-@@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
- ret_flags,
- time_rec,
- &exts);
-- if (major_status == GSS_S_COMPLETE) {
-- *context_handle = ctx->gssc;
-- ctx->gssc = GSS_C_NO_CONTEXT;
-- iakerb_release_context(ctx);
-- }
-+ if (major_status == GSS_S_COMPLETE)
-+ ctx->established = 1;
- if (actual_mech_type != NULL)
- *actual_mech_type = (gss_OID)gss_mech_krb5;
- } else {
-@@ -1010,3 +995,309 @@ cleanup:
-
- return major_status;
- }
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_buffer_t input_message_buffer,
-+ gss_buffer_t output_message_buffer, int *conf_state,
-+ gss_qop_t *qop_state)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer,
-+ output_message_buffer, conf_state, qop_state);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ int conf_req_flag, gss_qop_t qop_req,
-+ gss_buffer_t input_message_buffer, int *conf_state,
-+ gss_buffer_t output_message_buffer)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req,
-+ input_message_buffer, conf_state,
-+ output_message_buffer);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_process_context_token(OM_uint32 *minor_status,
-+ const gss_ctx_id_t context_handle,
-+ const gss_buffer_t token_buffer)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_DEFECTIVE_TOKEN;
-+
-+ return krb5_gss_process_context_token(minor_status, ctx->gssc,
-+ token_buffer);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ OM_uint32 *time_rec)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_context_time(minor_status, ctx->gssc, time_rec);
-+}
-+
-+#ifndef LEAN_CLIENT
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_export_sec_context(OM_uint32 *minor_status,
-+ gss_ctx_id_t *context_handle,
-+ gss_buffer_t interprocess_token)
-+{
-+ OM_uint32 maj;
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ /* We don't currently support exporting partially established contexts. */
-+ if (!ctx->established)
-+ return GSS_S_UNAVAILABLE;
-+
-+ maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc,
-+ interprocess_token);
-+ if (ctx->gssc == GSS_C_NO_CONTEXT) {
-+ iakerb_release_context(ctx);
-+ *context_handle = GSS_C_NO_CONTEXT;
-+ }
-+ return maj;
-+}
-+
-+/*
-+ * Until we implement partial context exports, there are no SPNEGO exported
-+ * context tokens, only tokens for the underlying krb5 context. So we do not
-+ * need to implement an iakerb_gss_import_sec_context() yet; it would be
-+ * unreachable except via a manually constructed token.
-+ */
-+
-+#endif /* LEAN_CLIENT */
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_inquire_context(OM_uint32 *minor_status,
-+ gss_ctx_id_t context_handle, gss_name_t *src_name,
-+ gss_name_t *targ_name, OM_uint32 *lifetime_rec,
-+ gss_OID *mech_type, OM_uint32 *ctx_flags,
-+ int *initiate, int *opened)
-+{
-+ OM_uint32 ret;
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (src_name != NULL)
-+ *src_name = GSS_C_NO_NAME;
-+ if (targ_name != NULL)
-+ *targ_name = GSS_C_NO_NAME;
-+ if (lifetime_rec != NULL)
-+ *lifetime_rec = 0;
-+ if (mech_type != NULL)
-+ *mech_type = (gss_OID)gss_mech_iakerb;
-+ if (ctx_flags != NULL)
-+ *ctx_flags = 0;
-+ if (initiate != NULL)
-+ *initiate = ctx->initiate;
-+ if (opened != NULL)
-+ *opened = ctx->established;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_COMPLETE;
-+
-+ ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name,
-+ targ_name, lifetime_rec, mech_type,
-+ ctx_flags, initiate, opened);
-+
-+ if (!ctx->established) {
-+ /* Report IAKERB as the mech OID until the context is established. */
-+ if (mech_type != NULL)
-+ *mech_type = (gss_OID)gss_mech_iakerb;
-+
-+ /* We don't support exporting partially-established contexts. */
-+ if (ctx_flags != NULL)
-+ *ctx_flags &= ~GSS_C_TRANS_FLAG;
-+ }
-+
-+ return ret;
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
-+ gss_ctx_id_t context_handle, int conf_req_flag,
-+ gss_qop_t qop_req, OM_uint32 req_output_size,
-+ OM_uint32 *max_input_size)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag,
-+ qop_req, req_output_size, max_input_size);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_qop_t qop_req, gss_buffer_t message_buffer,
-+ gss_buffer_t message_token)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer,
-+ message_token);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
-+ gss_qop_t *qop_state)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer,
-+ token_buffer, qop_state);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
-+ const gss_ctx_id_t context_handle,
-+ const gss_OID desired_object,
-+ gss_buffer_set_t *data_set)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_UNAVAILABLE;
-+
-+ return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc,
-+ desired_object, data_set);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
-+ gss_ctx_id_t *context_handle,
-+ const gss_OID desired_object,
-+ const gss_buffer_t value)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
-+
-+ if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_UNAVAILABLE;
-+
-+ return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc,
-+ desired_object, value);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ int conf_req_flag, gss_qop_t qop_req, int *conf_state,
-+ gss_iov_buffer_desc *iov, int iov_count)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req,
-+ conf_state, iov, iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ int *conf_state, gss_qop_t *qop_state,
-+ gss_iov_buffer_desc *iov, int iov_count)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state,
-+ iov, iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
-+ gss_ctx_id_t context_handle, int conf_req_flag,
-+ gss_qop_t qop_req, int *conf_state,
-+ gss_iov_buffer_desc *iov, int iov_count)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag,
-+ qop_req, conf_state, iov, iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ int prf_key, const gss_buffer_t prf_in,
-+ ssize_t desired_output_len, gss_buffer_t prf_out)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in,
-+ desired_output_len, prf_out);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_qop_t qop_req, gss_iov_buffer_desc *iov,
-+ int iov_count)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov,
-+ iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
-+ int iov_count)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov,
-+ iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
-+ gss_ctx_id_t context_handle, gss_qop_t qop_req,
-+ gss_iov_buffer_desc *iov, int iov_count)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov,
-+ iov_count);
-+}
diff -Nru krb5-1.13.2+dfsg/debian/patches/upstream/0013-Fix-build_principal-memory-bug-CVE-2015-2697.patch krb5-1.14.2+dfsg/debian/patches/upstream/0013-Fix-build_principal-memory-bug-CVE-2015-2697.patch
--- krb5-1.13.2+dfsg/debian/patches/upstream/0013-Fix-build_principal-memory-bug-CVE-2015-2697.patch 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/patches/upstream/0013-Fix-build_principal-memory-bug-CVE-2015-2697.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,53 +0,0 @@
-From fcafb522a0509bfd6f4f6b57e4a1e93c0092eeb0 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Fri, 25 Sep 2015 12:51:47 -0400
-Subject: Fix build_principal memory bug [CVE-2015-2697]
-
-In build_principal_va(), use k5memdup0() instead of strdup() to make a
-copy of the realm, to ensure that we allocate the correct number of
-bytes and do not read past the end of the input string. This bug
-affects krb5_build_principal(), krb5_build_principal_va(), and
-krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
-affected.
-
-CVE-2015-2697:
-
-In MIT krb5 1.7 and later, an authenticated attacker may be able to
-cause a KDC to crash using a TGS request with a large realm field
-beginning with a null byte. If the KDC attempts to find a referral to
-answer the request, it constructs a principal name for lookup using
-krb5_build_principal() with the requested realm. Due to a bug in this
-function, the null byte causes only one byte be allocated for the
-realm field of the constructed principal, far less than its length.
-Subsequent operations on the lookup principal may cause a read beyond
-the end of the mapped memory region, causing the KDC process to crash.
-
-CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
-
-ticket: 8252 (new)
-target_version: 1.14
-tags: pullup
-
-(cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789)
-Patch-Category: upstream
----
- src/lib/krb5/krb/bld_princ.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
-index ab6fed8..8604268 100644
---- a/src/lib/krb5/krb/bld_princ.c
-+++ b/src/lib/krb5/krb/bld_princ.c
-@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
- data = malloc(size * sizeof(krb5_data));
- if (!data) { retval = ENOMEM; }
-
-- if (!retval) {
-- r = strdup(realm);
-- if (!r) { retval = ENOMEM; }
-- }
-+ if (!retval)
-+ r = k5memdup0(realm, rlen, &retval);
-
- while (!retval && (component = va_arg(ap, char *))) {
- if (count == size) {
diff -Nru krb5-1.13.2+dfsg/debian/patches/upstream/0014-Fix-two-IAKERB-comments.patch krb5-1.14.2+dfsg/debian/patches/upstream/0014-Fix-two-IAKERB-comments.patch
--- krb5-1.13.2+dfsg/debian/patches/upstream/0014-Fix-two-IAKERB-comments.patch 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/patches/upstream/0014-Fix-two-IAKERB-comments.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,41 +0,0 @@
-From 1a8bdc6d81dcd7dd8a4d42e8de6d2cacf1dd4408 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Tue, 27 Oct 2015 00:44:24 -0400
-Subject: Fix two IAKERB comments
-
-The comment explaining why there is no iakerb_gss_import_sec_context()
-erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
-Kaduk). The comment above iakerb_gss_delete_sec_context() is out of
-date after the last commit.
-
-(cherry picked from commit 92d6dd045dfc06cc03d20b327a6ee7a71e6bc24d)
-
-Patch-Category: upstream
----
- src/lib/gssapi/krb5/iakerb.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
-index 4662bd9..e25862d 100644
---- a/src/lib/gssapi/krb5/iakerb.c
-+++ b/src/lib/gssapi/krb5/iakerb.c
-@@ -727,10 +727,6 @@ cleanup:
- return code;
- }
-
--/*
-- * Delete an IAKERB context. This can also accept Kerberos context
-- * handles. The heuristic is similar to SPNEGO's delete_sec_context.
-- */
- OM_uint32 KRB5_CALLCONV
- iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
-@@ -1077,7 +1073,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
- }
-
- /*
-- * Until we implement partial context exports, there are no SPNEGO exported
-+ * Until we implement partial context exports, there are no IAKERB exported
- * context tokens, only tokens for the underlying krb5 context. So we do not
- * need to implement an iakerb_gss_import_sec_context() yet; it would be
- * unreachable except via a manually constructed token.
diff -Nru krb5-1.13.2+dfsg/debian/patches/upstream/0015-Fix-IAKERB-context-export-import-CVE-2015-2698.patch krb5-1.14.2+dfsg/debian/patches/upstream/0015-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
--- krb5-1.13.2+dfsg/debian/patches/upstream/0015-Fix-IAKERB-context-export-import-CVE-2015-2698.patch 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/patches/upstream/0015-Fix-IAKERB-context-export-import-CVE-2015-2698.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,130 +0,0 @@
-From 4b330d5be1f8048be4d079ac3cb38d60c0e99e69 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Wed, 4 Nov 2015 21:28:28 -0500
-Subject: Fix IAKERB context export/import [CVE-2015-2698]
-
-The patches for CVE-2015-2696 contained a regression in the newly
-added IAKERB iakerb_gss_export_sec_context() function, which could
-cause it to corrupt memory. Fix the regression by properly
-dereferencing the context_handle pointer before casting it.
-
-Also, the patches did not implement an IAKERB gss_import_sec_context()
-function, under the erroneous belief than an exported IAKERB context
-would be tagged as a krb5 context. Implement it now to allow IAKERB
-contexts to be successfully exported and imported after establishment.
-
-CVE-2015-2698:
-
-In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
-application which calls gss_export_sec_context() may experience memory
-corruption if the context was established using the IAKERB mechanism.
-Historically, some vulnerabilities of this nature can be translated
-into remote code execution, though the necessary exploits must be
-tailored to the individual application and are usually quite
-complicated.
-
- CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
-
-ticket: 8273 (new)
-target_version: 1.14
-tags: pullup
-
-(cherry picked from commit d8b31c874c7d1039be7649362ef11c89f4e14c27)
-
-Patch-Category: upstream
----
- src/lib/gssapi/krb5/gssapiP_krb5.h | 5 +++++
- src/lib/gssapi/krb5/gssapi_krb5.c | 2 +-
- src/lib/gssapi/krb5/iakerb.c | 42 +++++++++++++++++++++++++++++++-------
- 3 files changed, 41 insertions(+), 8 deletions(-)
-
-diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
-index 05dc321..ac53662 100644
---- a/src/lib/gssapi/krb5/gssapiP_krb5.h
-+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
-@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
- iakerb_gss_export_sec_context(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- gss_buffer_t interprocess_token);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
-+ const gss_buffer_t interprocess_token,
-+ gss_ctx_id_t *context_handle);
- #endif /* LEAN_CLIENT */
-
- OM_uint32 KRB5_CALLCONV
-diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
-index 9a23656..d7ba279 100644
---- a/src/lib/gssapi/krb5/gssapi_krb5.c
-+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
-@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
- NULL,
- #else
- iakerb_gss_export_sec_context,
-- NULL,
-+ iakerb_gss_import_sec_context,
- #endif
- krb5_gss_inquire_cred_by_mech,
- krb5_gss_inquire_names_for_mech,
-diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
-index e25862d..32a341e 100644
---- a/src/lib/gssapi/krb5/iakerb.c
-+++ b/src/lib/gssapi/krb5/iakerb.c
-@@ -1057,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
- gss_buffer_t interprocess_token)
- {
- OM_uint32 maj;
-- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
-
- /* We don't currently support exporting partially established contexts. */
- if (!ctx->established)
-@@ -1072,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
- return maj;
- }
-
--/*
-- * Until we implement partial context exports, there are no IAKERB exported
-- * context tokens, only tokens for the underlying krb5 context. So we do not
-- * need to implement an iakerb_gss_import_sec_context() yet; it would be
-- * unreachable except via a manually constructed token.
-- */
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
-+ gss_buffer_t interprocess_token,
-+ gss_ctx_id_t *context_handle)
-+{
-+ OM_uint32 maj, tmpmin;
-+ krb5_error_code code;
-+ gss_ctx_id_t gssc;
-+ krb5_gss_ctx_id_t kctx;
-+ iakerb_ctx_id_t ctx;
-+
-+ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
-+ if (maj != GSS_S_COMPLETE)
-+ return maj;
-+ kctx = (krb5_gss_ctx_id_t)gssc;
-+
-+ if (!kctx->established) {
-+ /* We don't currently support importing partially established
-+ * contexts. */
-+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
-+ return GSS_S_FAILURE;
-+ }
-
-+ code = iakerb_alloc_context(&ctx, kctx->initiate);
-+ if (code != 0) {
-+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
-+ *minor_status = code;
-+ return GSS_S_FAILURE;
-+ }
-+
-+ ctx->gssc = gssc;
-+ ctx->established = 1;
-+ *context_handle = (gss_ctx_id_t)ctx;
-+ return GSS_S_COMPLETE;
-+}
- #endif /* LEAN_CLIENT */
-
- OM_uint32 KRB5_CALLCONV
diff -Nru krb5-1.13.2+dfsg/debian/patches/upstream/0016-Fix-SPNEGO-context-import.patch krb5-1.14.2+dfsg/debian/patches/upstream/0016-Fix-SPNEGO-context-import.patch
--- krb5-1.13.2+dfsg/debian/patches/upstream/0016-Fix-SPNEGO-context-import.patch 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/patches/upstream/0016-Fix-SPNEGO-context-import.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-From 18c512ebdcc5cacc777e9dbcc6817f83c301ad93 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Wed, 4 Nov 2015 21:29:10 -0500
-Subject: Fix SPNEGO context import
-
-The patches for CVE-2015-2695 did not implement a SPNEGO
-gss_import_sec_context() function, under the erroneous belief than an
-exported SPNEGO context would be tagged with the underlying context
-mechanism. Implement it now to allow SPNEGO contexts to be
-successfully exported and imported after establishment.
-
-ticket: 8273
-(cherry picked from commit fbb565f913c52eba9bea82f1694aba7a8c90e93d)
-
-Patch-Category: upstream
----
- src/lib/gssapi/spnego/spnego_mech.c | 33 +++++++++++++++++++++++++++------
- 1 file changed, 27 insertions(+), 6 deletions(-)
-
-diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
-index a1072b0..02284a1 100644
---- a/src/lib/gssapi/spnego/spnego_mech.c
-+++ b/src/lib/gssapi/spnego/spnego_mech.c
-@@ -2256,12 +2256,33 @@ spnego_gss_import_sec_context(
- const gss_buffer_t interprocess_token,
- gss_ctx_id_t *context_handle)
- {
-- /*
-- * Until we implement partial context exports, there are no SPNEGO
-- * exported context tokens, only tokens for underlying mechs. So just
-- * return an error for now.
-- */
-- return GSS_S_UNAVAILABLE;
-+ OM_uint32 ret, tmpmin;
-+ gss_ctx_id_t mctx;
-+ spnego_gss_ctx_id_t sc;
-+ int initiate, opened;
-+
-+ ret = gss_import_sec_context(minor_status, interprocess_token, &mctx);
-+ if (ret != GSS_S_COMPLETE)
-+ return ret;
-+
-+ ret = gss_inquire_context(&tmpmin, mctx, NULL, NULL, NULL, NULL, NULL,
-+ &initiate, &opened);
-+ if (ret != GSS_S_COMPLETE || !opened) {
-+ /* We don't currently support importing partially established
-+ * contexts. */
-+ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
-+ return GSS_S_FAILURE;
-+ }
-+
-+ sc = create_spnego_ctx(initiate);
-+ if (sc == NULL) {
-+ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
-+ return GSS_S_FAILURE;
-+ }
-+ sc->ctx_handle = mctx;
-+ sc->opened = 1;
-+ *context_handle = (gss_ctx_id_t)sc;
-+ return GSS_S_COMPLETE;
- }
- #endif /* LEAN_CLIENT */
-
diff -Nru krb5-1.13.2+dfsg/debian/patches/upstream/0017-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch krb5-1.14.2+dfsg/debian/patches/upstream/0017-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
--- krb5-1.13.2+dfsg/debian/patches/upstream/0017-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/patches/upstream/0017-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,47 +0,0 @@
-From e4451a57240b4d66004259a8eeafc13826d203e3 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Fri, 8 Jan 2016 12:45:25 -0500
-Subject: Verify decoded kadmin C strings [CVE-2015-8629]
-
-In xdr_nullstring(), check that the decoded string is terminated with
-a zero byte and does not contain any internal zero bytes.
-
-CVE-2015-8629:
-
-In all versions of MIT krb5, an authenticated attacker can cause
-kadmind to read beyond the end of allocated memory by sending a string
-without a terminating zero byte. Information leakage may be possible
-for an attacker with permission to modify the database.
-
- CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
-
-(cherry picked from commit df17a1224a3406f57477bcd372c61e04c0e5a5bb)
-
-ticket: 8341
-version_fixed: 1.14.1
-
-Patch-Category: upstream
----
- src/lib/kadm5/kadm_rpc_xdr.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
-index 975f94c..6ccfcea 100644
---- a/src/lib/kadm5/kadm_rpc_xdr.c
-+++ b/src/lib/kadm5/kadm_rpc_xdr.c
-@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
- return FALSE;
- }
- }
-- return (xdr_opaque(xdrs, *objp, size));
-+ if (!xdr_opaque(xdrs, *objp, size))
-+ return FALSE;
-+ /* Check that the unmarshalled bytes are a C string. */
-+ if ((*objp)[size - 1] != '\0')
-+ return FALSE;
-+ if (memchr(*objp, '\0', size - 1) != NULL)
-+ return FALSE;
-+ return TRUE;
-
- case XDR_ENCODE:
- if (size != 0)
diff -Nru krb5-1.13.2+dfsg/debian/patches/upstream/0018-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch krb5-1.14.2+dfsg/debian/patches/upstream/0018-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
--- krb5-1.13.2+dfsg/debian/patches/upstream/0018-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/patches/upstream/0018-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,77 +0,0 @@
-From f440c65c490bd7ed627ece8cbcf3a75920ff4466 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Fri, 8 Jan 2016 12:52:28 -0500
-Subject: Check for null kadm5 policy name [CVE-2015-8630]
-
-In kadm5_create_principal_3() and kadm5_modify_principal(), check for
-entry->policy being null when KADM5_POLICY is included in the mask.
-
-CVE-2015-8630:
-
-In MIT krb5 1.12 and later, an authenticated attacker with permission
-to modify a principal entry can cause kadmind to dereference a null
-pointer by supplying a null policy value but including KADM5_POLICY in
-the mask.
-
- CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
-
-(cherry picked from commit b863de7fbf080b15e347a736fdda0a82d42f4f6b)
-
-ticket: 8342
-version_fixed: 1.14.1
-
-Patch-Category: upstream
----
- src/lib/kadm5/srv/svr_principal.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
-index 27f8eba..7b74830 100644
---- a/src/lib/kadm5/srv/svr_principal.c
-+++ b/src/lib/kadm5/srv/svr_principal.c
-@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle,
- /*
- * Argument sanity checking, and opening up the DB
- */
-+ if (entry == NULL)
-+ return EINVAL;
- if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
- (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
- (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
-@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle,
- return KADM5_BAD_MASK;
- if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
- return KADM5_BAD_MASK;
-+ if((mask & KADM5_POLICY) && entry->policy == NULL)
-+ return KADM5_BAD_MASK;
- if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
- return KADM5_BAD_MASK;
- if((mask & ~ALL_PRINC_MASK))
- return KADM5_BAD_MASK;
-- if (entry == NULL)
-- return EINVAL;
-
- /*
- * Check to see if the principal exists
-@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle,
-
- krb5_clear_error_message(handle->context);
-
-+ if(entry == NULL)
-+ return EINVAL;
- if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) ||
- (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) ||
- (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
-@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle,
- return KADM5_BAD_MASK;
- if((mask & ~ALL_PRINC_MASK))
- return KADM5_BAD_MASK;
-+ if((mask & KADM5_POLICY) && entry->policy == NULL)
-+ return KADM5_BAD_MASK;
- if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
- return KADM5_BAD_MASK;
-- if(entry == (kadm5_principal_ent_t) NULL)
-- return EINVAL;
- if (mask & KADM5_TL_DATA) {
- tl_data_orig = entry->tl_data;
- while (tl_data_orig) {
diff -Nru krb5-1.13.2+dfsg/debian/patches/upstream/0019-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch krb5-1.14.2+dfsg/debian/patches/upstream/0019-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
--- krb5-1.13.2+dfsg/debian/patches/upstream/0019-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch 2016-02-23 13:56:24.000000000 +0000
+++ krb5-1.14.2+dfsg/debian/patches/upstream/0019-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,572 +0,0 @@ -From 842bffc28f9907cc509deb2c943a56c5eba49844 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Fri, 8 Jan 2016 13:16:54 -0500 -Subject: Fix leaks in kadmin server stubs [CVE-2015-8631] - -In each kadmind server stub, initialize the client_name and -server_name variables, and release them in the cleanup handler. Many -of the stubs will otherwise leak the client and server name if -krb5_unparse_name() fails. Also make sure to free the prime_arg -variables in rename_principal_2_svc(), or we can leak the first one if -unparsing the second one fails. Discovered by Simo Sorce. - -CVE-2015-8631: - -In all versions of MIT krb5, an authenticated attacker can cause -kadmind to leak memory by supplying a null principal name in a request -which uses one. Repeating these requests will eventually cause -kadmind to exhaust all available memory. - - CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C - -(cherry picked from commit 83ed75feba32e46f736fcce0d96a0445f29b96c2) - -ticket: 8343 -version_fixed: 1.14.1 - -Patch-Category: upstream ---- - src/kadmin/server/server_stubs.c | 151 ++++++++++++++++++++------------------- - 1 file changed, 77 insertions(+), 74 deletions(-) - -diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c -index 1879dc6..6ac797e 100644 ---- a/src/kadmin/server/server_stubs.c -+++ b/src/kadmin/server/server_stubs.c -@@ -334,7 +334,8 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; -@@ -382,10 +383,10 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -- gss_release_buffer(&minor_stat, &client_name); -- 
gss_release_buffer(&minor_stat, &service_name); - - exit_func: -+ gss_release_buffer(&minor_stat, &client_name); -+ gss_release_buffer(&minor_stat, &service_name); - free_server_handle(handle); - return &ret; - } -@@ -395,7 +396,8 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; -@@ -444,10 +446,10 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -- gss_release_buffer(&minor_stat, &client_name); -- gss_release_buffer(&minor_stat, &service_name); - - exit_func: -+ gss_release_buffer(&minor_stat, &client_name); -+ gss_release_buffer(&minor_stat, &service_name); - free_server_handle(handle); - return &ret; - } -@@ -457,8 +459,8 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -501,10 +503,10 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) - - } - free(prime_arg); -- gss_release_buffer(&minor_stat, &client_name); -- gss_release_buffer(&minor_stat, &service_name); - - exit_func: -+ gss_release_buffer(&minor_stat, &client_name); -+ gss_release_buffer(&minor_stat, &service_name); - free_server_handle(handle); - return &ret; - } -@@ -514,8 +516,8 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ 
gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; -@@ -559,9 +561,9 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -570,10 +572,9 @@ generic_ret * - rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; -- char *prime_arg1, -- *prime_arg2; -- gss_buffer_desc client_name, -- service_name; -+ char *prime_arg1 = NULL, *prime_arg2 = NULL; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; -@@ -655,11 +656,11 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - - } -+exit_func: - free(prime_arg1); - free(prime_arg2); - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -669,8 +670,8 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) - { - static gprinc_ret ret; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -719,9 +720,9 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -731,8 +732,8 @@ 
get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) - { - static gprincs_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -777,9 +778,9 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -789,8 +790,8 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -840,9 +841,9 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -852,8 +853,8 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -909,9 +910,9 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -921,8 +922,8 @@ 
setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -969,9 +970,9 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -981,8 +982,8 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1029,9 +1030,9 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1041,8 +1042,8 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1092,9 +1093,9 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1106,8 +1107,8 @@ 
chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) - krb5_keyblock *k; - int nkeys; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1164,9 +1165,9 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1178,8 +1179,8 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) - krb5_keyblock *k; - int nkeys; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1241,9 +1242,9 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1253,8 +1254,8 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1295,9 +1296,9 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - } -+exit_func: - 
gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1307,8 +1308,8 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1347,9 +1348,9 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1359,8 +1360,8 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1400,9 +1401,9 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1413,8 +1414,8 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) - static gpol_ret ret; - kadm5_ret_t ret2; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_principal_ent_rec caller_ent; - kadm5_server_handle_t handle; -@@ -1475,9 +1476,9 @@ 
get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) - log_unauth(funcname, prime_arg, - &client_name, &service_name, rqstp); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - -@@ -1488,8 +1489,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) - { - static gpols_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1531,9 +1532,9 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1541,7 +1542,8 @@ exit_func: - getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) - { - static getprivs_ret ret; -- gss_buffer_desc client_name, service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1571,9 +1573,9 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1583,7 +1585,8 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = 
GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - -@@ -1629,9 +1632,9 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1641,8 +1644,8 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) - { - static gstrings_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1688,9 +1691,9 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1700,8 +1703,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1744,9 +1747,9 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1754,8 +1757,8 @@ exit_func: - generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) - { - static generic_ret ret; -- gss_buffer_desc client_name, -- service_name; -+ 
gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - kadm5_server_handle_t handle; - OM_uint32 minor_stat; - const char *errmsg = NULL; -@@ -1797,10 +1800,10 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) - rqstp->rq_cred.oa_flavor); - if (errmsg != NULL) - krb5_free_error_message(NULL, errmsg); -- gss_release_buffer(&minor_stat, &client_name); -- gss_release_buffer(&minor_stat, &service_name); - - exit_func: -+ gss_release_buffer(&minor_stat, &client_name); -+ gss_release_buffer(&minor_stat, &service_name); - return(&ret); - } - diff -Nru krb5-1.13.2+dfsg/debian/rules krb5-1.14.2+dfsg/debian/rules --- krb5-1.13.2+dfsg/debian/rules 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/rules 2016-05-30 17:11:38.000000000 +0000 @@ -46,9 +46,9 @@ # sure to update this list if upstream adds any more files we don't want. EXCLUDE = -Xtmac.doc -Xexamples/krb5 -Xgnats/mit -Xkrb5-send-pr \ -Xsserver -Xsim_server -Xuuserver \ - -Xsclient -Xsim_client -Xuuclient + -Xsclient -Xsim_client -Xuuclient -Xpreauth/test.so -LIB_PACKAGES = libkrb5-3 libgssapi-krb5-2 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-8 libgssrpc4 \ +LIB_PACKAGES = libkrb5-3 libgssapi-krb5-2 libkadm5clnt-mit10 libkadm5srv-mit10 libkdb5-8 libgssrpc4 \ libkrb5support0 libk5crypto3 libkrad0 # We touch each configure and Autoconf-related file so that we do not attempt @@ -187,6 +187,7 @@ dh_installdocs dh_installdebconf DH_OPTIONS= dh_installinit -pkrb5-kdc --error-handler=init_error -- defaults 18 18 + DH_OPTIONS= dh_installinit -pkrb5-kpropd -- defaults 18 18 DH_OPTIONS= dh_installinit -pkrb5-admin-server -- defaults 18 18 dh_systemd_enable dh_lintian diff -Nru krb5-1.13.2+dfsg/debian/watch krb5-1.14.2+dfsg/debian/watch --- krb5-1.13.2+dfsg/debian/watch 2016-02-23 13:56:24.000000000 +0000 +++ krb5-1.14.2+dfsg/debian/watch 2016-05-30 17:11:38.000000000 +0000 
@@ -2,4 +2,4 @@ version=3 opts=dversionmangle=s/\+dfsg// \ - http://web.mit.edu/kerberos/dist/ krb5/[\d.]+/krb5-([\d.]+)-signed.tar$ + http://web.mit.edu/kerberos/dist/ krb5/[\d.]+/krb5-([\d.]+).tar.gz$ diff -Nru krb5-1.13.2+dfsg/doc/admin/admin_commands/kadmin_local.rst krb5-1.14.2+dfsg/doc/admin/admin_commands/kadmin_local.rst --- krb5-1.13.2+dfsg/doc/admin/admin_commands/kadmin_local.rst 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/admin/admin_commands/kadmin_local.rst 2016-05-30 16:14:07.000000000 +0000 @@ -16,6 +16,7 @@ [[**-c** *cache_name*]\|[**-k** [**-t** *keytab*]]\|\ **-n**] [**-w** *password*] [**-s** *admin_server*\ [:*port*]] +[command args...] **kadmin.local** [**-r** *realm*] @@ -25,6 +26,7 @@ [**-e** *enc*:*salt* ...] [**-m**] [**-x** *db_args*] +[command args...] .. _kadmin_synopsis_end: @@ -112,8 +114,7 @@ via the process list. **-q** *query* - Perform the specified query and then exit. This can be useful for - writing scripts. + Perform the specified query and then exit. **-d** *dbname* Specifies the name of the KDC database. This option does not 
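Review bot: The new pattern in the debian/watch hunk follows the plain `krb5-([\d.]+).tar.gz$` tarball over `http://`, and the only option visible in `opts=` is `dversionmangle`, so nothing here makes uscan check an upstream signature on the download. If upstream publishes a detached signature beside the tarball (not shown on this page, to be confirmed), add `pgpsigurlmangle=s/$/.asc/` to `opts` and ship the upstream signing key in the source package so the fetch is verified. Moving the URL to https is worth doing as well, if the host serves it. The dots in the new suffix are unescaped, so `\.tar\.gz$` would match only the intended file names.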
@@ -143,6 +144,24 @@ .. _kadmin_options_end: +Starting with release 1.14, if any command-line arguments remain after +the options, they will be treated as a single query to be executed. +This mode of operation is intended for scripts and behaves differently +from the interactive mode in several respects: + +* Query arguments are split by the shell, not by kadmin. +* Informational and warning messages are suppressed. Error messages + and query output (e.g. for **get_principal**) will still be + displayed. +* Confirmation prompts are disabled (as if **-force** was given). + Password prompts will still be issued as required. +* The exit status will be non-zero if the query fails. + +The **-q** option does not carry these behavior differences; the query +will be processed as if it was entered interactively. The **-q** +option cannot be used in combination with a query in the remaining +arguments. + .. _dboptions: DATABASE OPTIONS @@ -613,6 +632,12 @@ modules. The following string attribute names are recognized by the KDC: +**require_auth** + Specifies an authentication indicator which is required to + authenticate to the principal as a service. Multiple indicators + can be specified, separated by spaces; in this case any of the + specified indicators will be accepted. (New in release 1.14.) + **session_enctypes** Specifies the encryption types supported for session keys when the principal is authenticated to as a server. See diff -Nru krb5-1.13.2+dfsg/doc/admin/admin_commands/kdb5_util.rst krb5-1.14.2+dfsg/doc/admin/admin_commands/kdb5_util.rst --- krb5-1.13.2+dfsg/doc/admin/admin_commands/kdb5_util.rst 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/admin/admin_commands/kdb5_util.rst 2016-05-30 16:14:07.000000000 +0000 
@@ -330,6 +330,158 @@ needed updating or not. The **-n** option performs a dry run, only showing the actions which would have been taken. +tabdump +~~~~~~~ + + **tabdump** [**-H**] [**-c**] [**-e**] [**-n**] [**-o** *outfile*] + *dumptype* + +Dump selected fields of the database in a tabular format suitable for +reporting (e.g., using traditional Unix text processing tools) or +importing into relational databases. The data format is tab-separated +(default), or optionally comma-separated (CSV), with a fixed number of +columns. The output begins with a header line containing field names, +unless suppression is requested using the **-H** option. + +The *dumptype* parameter specifies the name of an output table (see +below). + +Options: + +**-H** + suppress writing the field names in a header line + +**-c** + use comma separated values (CSV) format, with minimal quoting, + instead of the default tab-separated (unquoted, unescaped) format + +**-e** + write empty hexadecimal string fields as empty fields instead of + as "-1". + +**-n** + produce numeric output for fields that normally have symbolic + output, such as enctypes and flag names. Also requests output of + time stamps as decimal POSIX time_t values. + +**-o** *outfile* + write the dump to the specified output file instead of to standard + output + +Dump types: + +**keydata** + principal encryption key information, including actual key data + (which is still encrypted in the master key) + + **name** + principal name + **keyindex** + index of this key in the principal's key list + **kvno** + key version number + **enctype** + encryption type + **key** + key data as a hexadecimal string + **salttype** + salt type + **salt** + salt data as a hexadecimal string + +**keyinfo** + principal encryption key information (as in **keydata** above), + excluding actual key data + +**princ_flags** + principal boolean attributes. 
Flag names print as hexadecimal + numbers if the **-n** option is specified, and all flag positions + are printed regardless of whether or not they are set. If **-n** + is not specified, print all known flag names for each principal, + but only print hexadecimal flag names if the corresponding flag is + set. + + **name** + principal name + **flag** + flag name + **value** + boolean value (0 for clear, or 1 for set) + +**princ_lockout** + state information used for tracking repeated password failures + + **name** + principal name + **last_success** + time stamp of most recent successful authentication + **last_failed** + time stamp of most recent failed authentication + **fail_count** + count of failed attempts + +**princ_meta** + principal metadata + + **name** + principal name + **modby** + name of last principal to modify this principal + **modtime** + timestamp of last modification + **lastpwd** + timestamp of last password change + **policy** + policy object name + **mkvno** + key version number of the master key that encrypts this + principal's key data + **hist_kvno** + key version number of the history key that encrypts the key + history data for this principal + +**princ_stringattrs** + string attributes (key/value pairs) + + **name** + principal name + **key** + attribute name + **value** + attribute value + +**princ_tktpolicy** + per-principal ticket policy data, including maximum ticket + lifetimes + + **name** + principal name + **expiration** + principal expiration date + **pw_expiration** + password expiration date + **max_life** + maximum ticket lifetime + **max_renew_life** + maximum renewable ticket lifetime + +Examples:: + + $ kdb5_util tabdump -o keyinfo.txt keyinfo + $ cat keyinfo.txt + name keyindex kvno enctype salttype salt + foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 + bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 + bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 + $ sqlite3 + sqlite> .mode tabs + sqlite> .import keyinfo.txt 
keyinfo + sqlite> select * from keyinfo where enctype like 'des-cbc-%'; + bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 + sqlite> .quit + $ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt + bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 + SEE ALSO -------- diff -Nru krb5-1.13.2+dfsg/doc/admin/admin_commands/kpropd.rst krb5-1.14.2+dfsg/doc/admin/admin_commands/kpropd.rst --- krb5-1.13.2+dfsg/doc/admin/admin_commands/kpropd.rst 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/admin/admin_commands/kpropd.rst 2016-05-30 16:14:07.000000000 +0000 @@ -15,6 +15,7 @@ [**-p** *kdb5_util_prog*] [**-P** *port*] [**-d**] +[**-t**] DESCRIPTION ----------- @@ -89,6 +90,12 @@ it will run in the foreground and print out debugging messages during the database propagation. +**-t** + In standalone mode without incremental propagation, exit after one + dump file is received. In incremental propagation mode, exit as + soon as the database is up to date, or if the master returns an + error. + **-P** Allow for an alternate port number for kpropd to listen on. This is only useful in combination with the **-S** option. diff -Nru krb5-1.13.2+dfsg/doc/admin/auth_indicator.rst krb5-1.14.2+dfsg/doc/admin/auth_indicator.rst --- krb5-1.13.2+dfsg/doc/admin/auth_indicator.rst 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/admin/auth_indicator.rst 2016-05-30 16:14:07.000000000 +0000 
@@ -0,0 +1,53 @@
+.. _auth_indicator:
+
+Authentication indicators
+=========================
+
+As of release 1.14, the KDC can be configured to annotate tickets if
+the client authenticated using a stronger preauthentication mechanism
+such as :ref:`PKINIT ` or :ref:`OTP `. These
+annotations are called "authentication indicators." Service
+principals can be configured to require particular authentication
+indicators in order to authenticate to that service. An
+authentication indicator value can be any string chosen by the KDC
+administrator; there are no pre-set values.
+
+To use authentication indicators with PKINIT or OTP, first configure
+the KDC to include an indicator when that preauthentication mechanism
+is used. For PKINIT, use the **pkinit_indicator** variable in
+:ref:`kdc.conf(5)`. For OTP, use the **indicator** variable in the
+token type definition, or specify the indicators in the **otp** user
+string as described in :ref:`otp_preauth`.
+
+To require an indicator to be present in order to authenticate to a
+service principal, set the **require_auth** string attribute on the
+principal to the indicator value to be required. If you wish to allow
+one of several indicators to be accepted, you can specify multiple
+indicator values separated by spaces.
+ +For example, a realm could be configured to set the authentication +indicator value "strong" when PKINIT is used to authenticate, using a +setting in the :ref:`kdc_realms` subsection:: + + pkinit_indicator = strong + +A service principal could be configured to require the "strong" +authentication indicator value:: + + $ kadmin setstr host/high.value.server require_auth strong + Password for user/admin@KRBTEST.COM: + +A user who authenticates with PKINIT would be able to obtain a ticket +for the service principal:: + + $ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user + $ kvno host/high.value.server + host/high.value.server@KRBTEST.COM: kvno = 1 + +but a user who authenticates with a password would not:: + + $ kinit user + Password for user@KRBTEST.COM: + $ kvno host/high.value.server + kvno: KDC policy rejects request while getting credentials for + host/high.value.server@KRBTEST.COM diff -Nru krb5-1.13.2+dfsg/doc/admin/conf_files/kdc_conf.rst krb5-1.14.2+dfsg/doc/admin/conf_files/kdc_conf.rst --- krb5-1.13.2+dfsg/doc/admin/conf_files/kdc_conf.rst 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/admin/conf_files/kdc_conf.rst 2016-05-30 16:14:07.000000000 +0000 @@ -578,6 +578,11 @@ passed to the RADIUS server. Otherwise, the realm will be included. The default value is ``true``. +**indicator** + This tag specifies an authentication indicator to be included in + the ticket if this token type is used to authenticate. This + option may be specified multiple times. (New in release 1.14.) + In the following example, requests are sent to a remote server via UDP:: [otp] 
@@ -671,6 +676,11 @@ Specifies the location of the KDC's X.509 identity information. This option is required if pkinit is to be supported by the KDC. +**pkinit_indicator** + Specifies an authentication indicator to include in the ticket if + pkinit is used to authenticate. This option may be specified + multiple times. (New in release 1.14.) + **pkinit_kdc_ocsp** Specifies the location of the KDC's OCSP. diff -Nru krb5-1.13.2+dfsg/doc/admin/conf_files/krb5_conf.rst krb5-1.14.2+dfsg/doc/admin/conf_files/krb5_conf.rst --- krb5-1.13.2+dfsg/doc/admin/conf_files/krb5_conf.rst 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/admin/conf_files/krb5_conf.rst 2016-05-30 16:14:07.000000000 +0000 @@ -9,7 +9,12 @@ applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your krb5.conf file in the directory ``/etc``. You can override the default location by setting the -environment variable **KRB5_CONFIG**. +environment variable **KRB5_CONFIG**. Multiple colon-separated +filenames may be specified in **KRB5_CONFIG**; all files which are +present will be read. Starting in release 1.14, directory names can +also be specified in **KRB5_CONFIG**; all files within the directory +whose names consist solely of alphanumeric characters, dashes, or +underscores will be read. Structure @@ -206,6 +211,11 @@ data), and anything the fake KDC sends will not be trusted without verification using some secret that it won't know. +**err_fmt** + This relation allows for custom error message formatting. If a + value is set, error messages will be formatted by substituting a + normal error message for %M and an error code for %C in the value. + **extra_addresses** This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs while still 
@@ -363,7 +373,6 @@ credentials will fail if the client machine does not have a keytab. The default value is false. - .. _realms: [realms] diff -Nru krb5-1.13.2+dfsg/doc/admin/env_variables.rst krb5-1.14.2+dfsg/doc/admin/env_variables.rst --- krb5-1.13.2+dfsg/doc/admin/env_variables.rst 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/admin/env_variables.rst 2016-05-30 16:14:07.000000000 +0000 @@ -4,8 +4,9 @@ The following environment variables can be used during runtime: **KRB5_CONFIG** - Main Kerberos configuration file. (See :ref:`mitK5defaults` for - the default name.) + Main Kerberos configuration file. Multiple filenames can be + specified, separated by a colon; all files which are present will + be read. (See :ref:`mitK5defaults` for the default path.) **KRB5_KDC_PROFILE** KDC configuration file. (See :ref:`mitK5defaults` for the default diff -Nru krb5-1.13.2+dfsg/doc/admin/index.rst krb5-1.14.2+dfsg/doc/admin/index.rst --- krb5-1.13.2+dfsg/doc/admin/index.rst 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/admin/index.rst 2016-05-30 16:14:07.000000000 +0000 @@ -18,6 +18,7 @@ princ_dns.rst enctypes.rst https.rst + auth_indicator.rst .. toctree:: :maxdepth: 1 diff -Nru krb5-1.13.2+dfsg/doc/admin/otp.rst krb5-1.14.2+dfsg/doc/admin/otp.rst --- krb5-1.13.2+dfsg/doc/admin/otp.rst 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/admin/otp.rst 2016-05-30 16:14:07.000000000 +0000 @@ -30,6 +30,7 @@ timeout = (default: 5 [seconds]) retries = (default: 3) strip_realm = (default: true) + indicator = (default: none) } If the server field begins with '/', it will be interpreted as a UNIX 
@@ -43,6 +44,11 @@ parameter controls whether the principal is forwarded with or without the realm portion. +If an indicator field is present, tickets issued using this token type +will be annotated with the specified authentication indicator (see +:ref:`auth_indicator`). This key may be specified multiple times to +add multiple indicators. + The default token type ---------------------- @@ -71,7 +77,8 @@ [{ "type": , - "username": + "username": , + "indicators": [, ...] }, ...] This is an array of token objects. Both fields of token objects are @@ -79,7 +86,9 @@ not specified, it defaults to ``DEFAULT``. The **username** field specifies the value to be sent in the User-Name RADIUS attribute. If not specified, the principal name is sent, with or without realm as -defined in the token type. +defined in the token type. The **indicators** field specifies a list +of authentication indicators to annotate tickets with, overriding any +indicators specified in the token type. For ease of configuration, an empty array (``[]``) is treated as equivalent to one DEFAULT token (``[{}]``). diff -Nru krb5-1.13.2+dfsg/doc/appdev/refs/api/index.rst krb5-1.14.2+dfsg/doc/appdev/refs/api/index.rst --- krb5-1.13.2+dfsg/doc/appdev/refs/api/index.rst 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/appdev/refs/api/index.rst 2016-05-30 16:14:07.000000000 +0000 @@ -254,6 +254,7 @@ krb5_pac_parse.rst krb5_pac_sign.rst krb5_pac_verify.rst + krb5_prepend_error_message.rst krb5_principal2salt.rst krb5_rd_cred.rst krb5_rd_error.rst @@ -285,7 +286,10 @@ krb5_verify_init_creds.rst krb5_verify_init_creds_opt_init.rst krb5_verify_init_creds_opt_set_ap_req_nofail.rst + krb5_vprepend_error_message.rst krb5_vset_error_message.rst + krb5_vwrap_error_message.rst + krb5_wrap_error_message.rst Public interfaces that should not be called directly 
@@ -300,6 +304,7 @@
 krb5_c_crypto_length_iov.rst
 krb5_c_decrypt.rst
 krb5_c_decrypt_iov.rst
+ krb5_c_derive_prfplus.rst
 krb5_c_encrypt.rst
 krb5_c_encrypt_iov.rst
 krb5_c_encrypt_length.rst
@@ -316,6 +321,7 @@
 krb5_c_make_random_key.rst
 krb5_c_padding_length.rst
 krb5_c_prf.rst
+ krb5_c_prfplus.rst
 krb5_c_prf_length.rst
 krb5_c_random_add_entropy.rst
 krb5_c_random_make_octets.rst
diff -Nru krb5-1.13.2+dfsg/doc/appdev/refs/macros/index.rst krb5-1.14.2+dfsg/doc/appdev/refs/macros/index.rst
--- krb5-1.13.2+dfsg/doc/appdev/refs/macros/index.rst 2015-05-13 21:11:13.000000000 +0000
+++ krb5-1.14.2+dfsg/doc/appdev/refs/macros/index.rst 2016-05-30 16:14:07.000000000 +0000
@@ -88,6 +88,8 @@
 KRB5_AS_REP.rst
 KRB5_AS_REQ.rst
 KRB5_AUTHDATA_AND_OR.rst
+ KRB5_AUTHDATA_AUTH_INDICATOR.rst
+ KRB5_AUTHDATA_CAMMAC.rst
 KRB5_AUTHDATA_ETYPE_NEGOTIATION.rst
 KRB5_AUTHDATA_FX_ARMOR.rst
 KRB5_AUTHDATA_IF_RELEVANT.rst
@@ -159,6 +161,7 @@
 KRB5_KEYUSAGE_AS_REP_ENCPART.rst
 KRB5_KEYUSAGE_AS_REQ.rst
 KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.rst
+ KRB5_KEYUSAGE_CAMMAC.rst
 KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.rst
 KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.rst
 KRB5_KEYUSAGE_FAST_ENC.rst
@@ -174,6 +177,7 @@
 KRB5_KEYUSAGE_KRB_ERROR_CKSUM.rst
 KRB5_KEYUSAGE_KRB_PRIV_ENCPART.rst
 KRB5_KEYUSAGE_KRB_SAFE_CKSUM.rst
+ KRB5_KEYUSAGE_PA_FX_COOKIE.rst
 KRB5_KEYUSAGE_PA_OTP_REQUEST.rst
 KRB5_KEYUSAGE_PA_PKINIT_KX.rst
 KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.rst
diff -Nru krb5-1.13.2+dfsg/doc/CHANGES krb5-1.14.2+dfsg/doc/CHANGES
--- krb5-1.13.2+dfsg/doc/CHANGES 2015-05-13 21:11:13.000000000 +0000
+++ krb5-1.14.2+dfsg/doc/CHANGES 2016-05-30 16:14:07.000000000 +0000
@@ -1,10 +1,10 @@ -commit 7e4e051e3d2ebc06161475a42ded72c944308539 +commit 68a03305111126a183dbd3779497ed9e00be6e0a Author: Tom Yu -Date: Wed May 6 14:37:45 2015 -0400 +Date: Thu Apr 14 18:49:46 2016 -0400 - Updates for krb5-1.13.2 + Updates for krb5-1.14.2 - README | 39 +++++++++++++++++++++++++++++++++++++++ + README | 28 ++++++++++++++++++++++++++++ src/man/k5identity.man | 2 +- src/man/k5login.man | 2 +- src/man/k5srvutil.man | 2 +- 
@@ -32,37 +32,4198 @@ src/man/sserver.man | 2 +- src/patchlevel.h | 6 +++--- src/po/mit-krb5.pot | 4 ++-- - 28 files changed, 69 insertions(+), 30 deletions(-) + 28 files changed, 58 insertions(+), 30 deletions(-) -commit 58f3acb65b805a8ae31bd3a74c9066a0a33b7c2f +commit 12b1010042089123683b75018bf99d4fbd443578 Author: Tom Yu -Date: Wed May 6 14:57:21 2015 -0400 +Date: Thu Apr 14 18:23:01 2016 -0400 make update-po - src/po/mit-krb5.pot | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) + src/po/mit-krb5.pot | 44 ++++++++++++++++++++++---------------------- + 1 file changed, 22 insertions(+), 22 deletions(-) -commit 9fc89c22e5713962390bd351824cc037be5bf7f3 +commit d763eabe73a2d32d8820eb628a0e41603ff3077b Author: Tom Yu -Date: Wed May 6 14:51:14 2015 -0400 +Date: Mon Apr 11 15:59:56 2016 -0400 + + Update copyright years + + src/windows/version.rc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 1f3e550f5c7a626d45c8bacccb6d52079308aa7e +Author: Greg Hudson +Date: Mon Feb 29 16:51:22 2016 -0500 + + Skip unnecessary mech calls in gss_inquire_cred() + + If the caller does not request a name, lifetime, or cred_usage when + calling gss_inquire_cred(), service the call by copying the mechanism + list (if requested) but do not call into the mech. + + This change alleviates an issue (reported by Adam Bernstein) where + SPNEGO can fail in the presence of expired krb5 credentials rather + than proceeding with a different mechanism, or can resolve a krb5 + credential without the benefit of the target name. 
+ + (cherry picked from commit ff5eb892910eeac335d989ae14020da4ffbcc8ec) + + ticket: 8373 + version_fixed: 1.14.2 + + src/lib/gssapi/mechglue/g_inq_cred.c | 39 ++++++++++++++++++++---------------- + 1 file changed, 22 insertions(+), 17 deletions(-) + +commit e2ab5a8d7b5ec06dadadcf844132c2cc496c9bfa +Author: Sarah Day +Date: Thu Feb 18 16:54:27 2016 -0500 + + Default to LSA when TGT in LSA is inaccessible + + When UAC is enabled and a domain user with Administrator privileges + logs in, the TGT is inaccessible. Access to the TGT in a + UAC-restricted session may allow a non-elevated user to bypass the + UAC. In a UAC-restricted session, ms2mit copies the current tickets + from the LSA ccache to the API ccache except the TGT, effectively + preventing a user session from getting additional service tickets + while appearing, for some purposes, to have a usable ccache. + + Another bug is that ms2mit always copies from the LSA ccache to the + default ccache, even if the default ccache is itself the LSA ccache. + + New behavior: + + * If the TGT is accessible in the LSA ccache, copy the LSA ccache to + the API ccache. + + * Set the registry key for the default ccname to "API:" if the copy + occurred, or to "MSLSA:" if it didn't occur. 
+ + [tlyu@mit.edu: edit commit message] + + (cherry picked from commit 33b862799efa65b16e2acd1510c84d9f1ded2cbb) + + ticket: 8390 + version_fixed: 1.14.2 + + src/windows/ms2mit/ms2mit.c | 99 ++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 79 insertions(+), 20 deletions(-) + +commit 4afb175c2077881f7cd430e15c5d1f6ac3cc4aeb +Author: Sarah Day +Date: Thu Mar 3 16:49:06 2016 -0500 + + Add cleanup label in ms2mit + + (cherry picked from commit e033a81c891030741952e4743a0b5503bdbcea17) + + ticket: 8390 + + src/windows/ms2mit/ms2mit.c | 62 +++++++++++++++------------------------------ + 1 file changed, 20 insertions(+), 42 deletions(-) + +commit 2d5910c1ae3d77344f64dd9fc0340e2eb84ff717 +Author: Sarah Day +Date: Fri Dec 11 11:46:04 2015 -0500 + + Add documentation for krb5_error_code + + (cherry picked from commit 4d02def02a172bdfc5c5c2c9059cef559d8c1feb) + + ticket: 8387 + version_fixed: 1.14.2 + status: resolved + tags: -pullup + + src/include/krb5/krb5.hin | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +commit 552a712cfc2fdd66dffc5b962777157082eb9b95 +Author: Greg Hudson +Date: Fri Mar 18 17:50:02 2016 -0400 + + Fix keytab file format description + + The key length and count of principal components are 16-bit fields. + + (cherry picked from commit 841cabb2bd0275f0aad739fc03aaa2b66a617f68) + + ticket: 8385 + version_fixed: 1.14.2 + status: resolved + tags: -pullup + + doc/formats/keytab_file_format.rst | 4 ++-- + src/lib/krb5/keytab/kt_file.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit b5abd8c4872d7a024d49439342a6643f774afb1c +Author: Greg Hudson +Date: Mon Mar 14 17:26:34 2016 -0400 + + Fix LDAP null deref on empty arg [CVE-2016-3119] + + In the LDAP KDB module's process_db_args(), strtok_r() may return NULL + if there is an empty string in the db_args array. Check for this case + and avoid dereferencing a null pointer. 
+ + CVE-2016-3119: + + In MIT krb5 1.6 and later, an authenticated attacker with permission + to modify a principal entry can cause kadmind to dereference a null + pointer by supplying an empty DB argument to the modify_principal + command, if kadmind is configured to use the LDAP KDB module. + + CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND + + (cherry picked from commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99) + + ticket: 8383 + version_fixed: 1.14.2 + + src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 1 + + 1 file changed, 1 insertion(+) + +commit 8c505c46f4ebce10adae7e1ba671a3ec6abd5e39 +Author: Greg Hudson +Date: Thu Feb 25 11:27:40 2016 -0500 + + Fix KDC memory leak on failed S4U2Proxy requests + + Make sure to release stkt_server in process_tgs_req() if we fail + before its disposition is determined. Reported by Will Fiveash. + + (cherry picked from commit 194641a8ad7aecc6bc1d4848742c14569f14b900) + + ticket: 8363 + version_fixed: 1.14.2 + + src/kdc/do_tgs_req.c | 1 + + 1 file changed, 1 insertion(+) + +commit ccb1b1ade68c22bb263a42349424bdf0506ac533 +Author: Greg Hudson +Date: Thu Feb 25 11:19:17 2016 -0500 + + Fix memory leak on error in KDC decrypt_2ndtkt() + + Make sure to release the server principal entry in the cleanup handler + if it is not assigned to the output parameter. Reported by Will + Fiveash. + + (cherry picked from commit a1faaa4d6a404e3103f45e639b8890c3b141dfe1) + + ticket: 8362 + version_fixed: 1.14.2 + + src/kdc/do_tgs_req.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +commit d6fa09597eee34e15a70f3d0ef937f7122be0e56 +Author: Robbie Harwood +Date: Tue Jan 12 15:59:49 2016 -0500 + + Use public OID for interposing several functions + + This resolves an issue where an interposer would receive the private + OID, and be unable to call back into krb5 in the expected manner in + gss_inquire_names_for_mech(), gss_inquire_cred_by_mech(), + gss_localname(), gss_store_cred(), and gss_store_cred_into(). 
+ + Also change the return code of gss_localname() to GSS_S_BAD_MECH + instead of GSS_S_UNAVAILABLE on mech lookup failure, for consistency + with other functions. + + (cherry picked from commit fe73f1130695880bd83cf811c37131b12711be23) + + ticket: 8360 + version_fixed: 1.14.2 + status: resolved + tags: -pullup + + src/lib/gssapi/mechglue/g_inq_cred.c | 5 +++-- + src/lib/gssapi/mechglue/g_inq_names.c | 28 +++++++++++----------------- + src/lib/gssapi/mechglue/g_store_cred.c | 6 ++++-- + src/lib/gssapi/mechglue/gssd_pname_to_uid.c | 7 ++++--- + 4 files changed, 22 insertions(+), 24 deletions(-) + +commit 41dc51a04f7581daec639342a3ac629388618d52 +Author: Robbie Harwood +Date: Tue Jan 12 11:13:09 2016 -0500 + + Enable interposing gss_inquire_saslname_for_mech + + The behavior of gss_inquire_saslname_for_mech() changes slightly, to + report GSS_S_BAD_MECH when an unsupported mech oid is given. Also + call map_error() on the minor code resulting from the mech. + + Note that gss_inquire_mech_for_saslname() cannot be interposed, as + mech_type is specified as output-only in RFC 5801. + + (cherry picked from commit 92dbcf2eb436933f769c17e6a10f671992636e5f) + + ticket: 8359 + version_fixed: 1.14.2 + status: resolved + tags: -pullup + + src/lib/gssapi/mechglue/g_saslname.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +commit 9e26436f2acb5fcd450f5cc1ac1f81ccbb0aa6ac +Author: Greg Hudson +Date: Tue Mar 15 17:45:26 2016 -0400 + + Revisit inquire_attrs_for_mech on old mechs + + In gss_inquire_attrs_for_mech(), if the mech does not implement RFC + 5587, return success with empty mech_attrs and known_mech_attrs sets + to indicate a lack of knowledge for all attributes. The previous + behavior of returning an error caused gss_indicate_mechs_by_attr() to + fail out in the presence of an old mechanism, in turn causing + gss_acquire_cred() and SPNEGO to break. 
+ + (cherry picked from commit 89683d1f135765e91041f3a239af865b11aaf86b) + + ticket: 8358 + version_fixed: 1.14.2 + status: resolved + tags: -pullup + + src/lib/gssapi/mechglue/g_mechattr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +commit 96125088fc6cf56dd839004dc6f6ef202de9da7e +Author: Robbie Harwood +Date: Wed Jan 27 18:48:04 2016 -0500 + + Report inquire_attrs_for_mech mech failures + + Previously, gss_inquire_attrs_for_mech() would return a list of mech + attributes that it knew about when given a bad mech oid or a mechanism + which did not provide a gss_inquire_attrs_for_mech() method. It seems + more useful to just report the failure to the application rather than + allowing it to continue with a faulty mechanism. + + (cherry picked from commit 030a4a03a0480969d6acf1591f39fd194642805a) + + ticket: 8358 + + src/lib/gssapi/mechglue/g_mechattr.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +commit 35657cff975c6022ae141d6106589257fe4118f2 +Author: Robbie Harwood +Date: Mon Jan 11 17:50:39 2016 -0500 + + Enable interposing gss_inquire_attrs_for_mech() + + Use gssint_select_mech_type() to locate an interposer mechanism, and + pass the public mech OID to the mech. Also call map_error() on the + resulting minor code. 
+ + (cherry picked from commit 3be2b486058758cfcd16c8af0a8f560159e77cda) + + ticket: 8330 + version_fixed: 1.14.2 + status: resolved + tags: -pullup + + src/lib/gssapi/mechglue/g_mechattr.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +commit de96dc16bf855f7920b6f95b8ff93df8b9b46fa3 +Author: Tom Yu +Date: Mon Feb 29 17:10:45 2016 -0500 + + Update for krb5-1.14.1-postrelease + + src/patchlevel.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +commit feb36cf045c4ecb5b3f0da04a86a85f2fdbf71a5 +Author: Tom Yu +Date: Fri Feb 26 18:28:28 2016 -0500 + + Updates for krb5-1.14.1 + + README | 37 +++++++++++++++++++++++++++++++++++++ + src/man/k5identity.man | 2 +- + src/man/k5login.man | 2 +- + src/man/k5srvutil.man | 2 +- + src/man/kadm5.acl.man | 2 +- + src/man/kadmin.man | 2 +- + src/man/kadmind.man | 2 +- + src/man/kdb5_ldap_util.man | 2 +- + src/man/kdb5_util.man | 2 +- + src/man/kdc.conf.man | 2 +- + src/man/kdestroy.man | 2 +- + src/man/kinit.man | 2 +- + src/man/klist.man | 2 +- + src/man/kpasswd.man | 2 +- + src/man/kprop.man | 2 +- + src/man/kpropd.man | 2 +- + src/man/kproplog.man | 2 +- + src/man/krb5-config.man | 2 +- + src/man/krb5.conf.man | 2 +- + src/man/krb5kdc.man | 2 +- + src/man/ksu.man | 2 +- + src/man/kswitch.man | 2 +- + src/man/ktutil.man | 2 +- + src/man/kvno.man | 2 +- + src/man/sclient.man | 2 +- + src/man/sserver.man | 2 +- + src/patchlevel.h | 6 +++--- + src/po/mit-krb5.pot | 4 ++-- + 28 files changed, 67 insertions(+), 30 deletions(-) + +commit 899078eea642141ab11f0b2cc0f9fad4dd7c6ca9 +Author: Tom Yu +Date: Fri Jan 8 18:17:36 2016 -0500 + + Update README + + Add Sarah Day to the list of Kerberos Team members in the README file. + + Update lists of Consortium Sponsors and contributors. 
+ + [ci skip] + + README | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +commit 37af43abca7a64614adeb9ca335041684422a43c +Author: Tom Yu +Date: Thu Feb 25 18:35:06 2016 -0500 + + make update-po + + src/po/mit-krb5.pot | 76 ++++++++++++++++++++++++++--------------------------- + 1 file changed, 38 insertions(+), 38 deletions(-) + +commit f9ab998dc4b6047fb6454e6ae5444354cbc9431e +Author: Tom Yu +Date: Thu Feb 25 18:34:42 2016 -0500 + + Update man pages + + src/man/k5identity.man | 2 +- + src/man/k5login.man | 2 +- + src/man/k5srvutil.man | 2 +- + src/man/kadm5.acl.man | 2 +- + src/man/kadmin.man | 2 +- + src/man/kadmind.man | 2 +- + src/man/kdb5_ldap_util.man | 2 +- + src/man/kdb5_util.man | 2 +- + src/man/kdc.conf.man | 2 +- + src/man/kdestroy.man | 2 +- + src/man/kinit.man | 2 +- + src/man/klist.man | 2 +- + src/man/kpasswd.man | 2 +- + src/man/kprop.man | 2 +- + src/man/kpropd.man | 2 +- + src/man/kproplog.man | 2 +- + src/man/krb5-config.man | 2 +- + src/man/krb5.conf.man | 2 +- + src/man/krb5kdc.man | 2 +- + src/man/ksu.man | 2 +- + src/man/kswitch.man | 2 +- + src/man/ktutil.man | 2 +- + src/man/kvno.man | 2 +- + src/man/sclient.man | 2 +- + src/man/sserver.man | 2 +- + 25 files changed, 25 insertions(+), 25 deletions(-) + +commit a4f104ba79d56b43c5b8711390ed237d872d2ab1 +Author: Michael Mattioli +Date: Mon Jan 4 22:17:39 2016 -0500 + + Update copyright years to 2016 + + Update copyright years to 2016 where appropriate. + + NOTICE | 2 +- + README | 2 +- + doc/conf.py | 2 +- + doc/copyright.rst | 2 +- + doc/notice.rst | 2 +- + 5 files changed, 5 insertions(+), 5 deletions(-) + +commit 1d8a9dd3644a543cd2cacc90453f46fb4573fe59 +Author: Greg Hudson +Date: Tue Feb 23 17:15:18 2016 -0500 + + Use blocking lock when creating db2 KDB + + In 1.11 we switched from non-blocking to blocking locks in the DB2 + module, but we missed one call to krb5_lock_file() in ctx_create_db(). 
+ This non-blocking lock can cause krb5_db_promote() to fail if the + database is locked when we try to promote the DB, in turn causing + kdb5_util load to fail. Correct this call to make krb5_db_promote() + more robust. + + (cherry picked from commit 1868916dbb60a64b92da217257b4ed021262afd3) + + ticket: 8367 + version_fixed: 1.14.1 + + src/plugins/kdb/db2/kdb_db2.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +commit 9285cbd39d4c68416b057761f2859c275707c12a +Author: Greg Hudson +Date: Fri Jan 8 13:16:54 2016 -0500 + + Fix leaks in kadmin server stubs [CVE-2015-8631] + + In each kadmind server stub, initialize the client_name and + server_name variables, and release them in the cleanup handler. Many + of the stubs will otherwise leak the client and server name if + krb5_unparse_name() fails. Also make sure to free the prime_arg + variables in rename_principal_2_svc(), or we can leak the first one if + unparsing the second one fails. Discovered by Simo Sorce. + + CVE-2015-8631: + + In all versions of MIT krb5, an authenticated attacker can cause + kadmind to leak memory by supplying a null principal name in a request + which uses one. Repeating these requests will eventually cause + kadmind to exhaust all available memory. + + CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C + + (cherry picked from commit 83ed75feba32e46f736fcce0d96a0445f29b96c2) + + ticket: 8343 + version_fixed: 1.14.1 + + src/kadmin/server/server_stubs.c | 151 ++++++++++++++++++++------------------- + 1 file changed, 77 insertions(+), 74 deletions(-) + +commit 46ed05100ed8b0a82e047089cec94147ff471fb1 +Author: Greg Hudson +Date: Fri Jan 8 12:52:28 2016 -0500 + + Check for null kadm5 policy name [CVE-2015-8630] + + In kadm5_create_principal_3() and kadm5_modify_principal(), check for + entry->policy being null when KADM5_POLICY is included in the mask. 
+ + CVE-2015-8630: + + In MIT krb5 1.12 and later, an authenticated attacker with permission + to modify a principal entry can cause kadmind to dereference a null + pointer by supplying a null policy value but including KADM5_POLICY in + the mask. + + CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C + + (cherry picked from commit b863de7fbf080b15e347a736fdda0a82d42f4f6b) + + ticket: 8342 + version_fixed: 1.14.1 + + src/lib/kadm5/srv/svr_principal.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +commit 54a9a01c6a923d604cd06f321b8381ebc5cb42d8 +Author: Greg Hudson +Date: Fri Jan 8 12:45:25 2016 -0500 + + Verify decoded kadmin C strings [CVE-2015-8629] + + In xdr_nullstring(), check that the decoded string is terminated with + a zero byte and does not contain any internal zero bytes. + + CVE-2015-8629: + + In all versions of MIT krb5, an authenticated attacker can cause + kadmind to read beyond the end of allocated memory by sending a string + without a terminating zero byte. Information leakage may be possible + for an attacker with permission to modify the database. + + CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C + + (cherry picked from commit df17a1224a3406f57477bcd372c61e04c0e5a5bb) + + ticket: 8341 + version_fixed: 1.14.1 + + src/lib/kadm5/kadm_rpc_xdr.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +commit 2515f9ae54e28cbfa4ad42b94ced6b4bd43b054c +Author: Greg Hudson +Date: Thu Jan 14 17:51:53 2016 -0500 + + Fix iprop server stub error management + + The ipropd stubs free client_name and server_name in the cleanup + handler, so should not free them in out-of-memory conditions. + Reported by Will Fiveash. 
+ + (cherry picked from commit d998b088adb875bc0a4e13c184075f91fb23336b) + + ticket: 8347 + version_fixed: 1.14.1 + + src/kadmin/server/ipropd_svc.c | 4 ---- + 1 file changed, 4 deletions(-) + +commit c8b2b0cd7b327b93d4be32b0132d9370c64f7665 +Author: Robbie Harwood +Date: Wed Jan 13 18:17:09 2016 -0500 + + Fix EOF check in kadm5.acl line processing + + On platforms where the char type is unsigned, the check for EOF (which + is negative) will always fail, leaving a 255 byte at the end of the + line. This can cause a syntax error, in turn causing the contents of + kadm5.acl to be ignored. Fix this bug by removing the cast on EOF. + + [ghudson@mit.edu: more precisely describe consequences of bug in + commit message] + + (cherry picked from commit 8fd85a77789496b8d7f8092f6e8a2824bc09a6cf) + + ticket: 8346 + version_fixed: 1.14.1 + + src/lib/kadm5/srv/server_acl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 7222177004597c0f749f98421fb626b7c50fa84a +Author: Greg Hudson +Date: Wed Nov 25 14:43:35 2015 -0500 + + Fix memory leak in SPNEGO gss_init_sec_context() + + After the initial call to spnego_gss_init_sec_context(), the context + handle can leak if init_ctx_cont() returns an error, because the + cleanup handler assumes that spnego_ctx contains the value of + *context_handle. Fix this leak by setting spnego_ctx before the if + block which contains that call. Reported by Adam Bernstein. + + (cherry picked from commit 159dbbd5ff14fdc2fa71fb3a8804eb401c914399) + + ticket: 8281 + version_fixed: 1.14.1 + + src/lib/gssapi/spnego/spnego_mech.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +commit fdc03ea1577e071875b436eed0e0bd2a880daf44 +Author: Greg Hudson +Date: Fri Jan 8 11:54:55 2016 -0500 + + Make ksu work with prompting clpreauth modules + + Commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de switched ksu from + using krb5_get_in_tkt_with_password() to + krb5_get_init_creds_password(), but did not supply a prompter + argument. 
Pass krb5_prompter_posix so that clpreauth modules can + prompt for additional information during authentication. + + (cherry picked from commit 23a16fb5eac733880e34a770882ed17b93b5d66c) + + ticket: 8340 + verion_fixed: 1.14.1 + + src/clients/ksu/krb_auth_su.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +commit f46c5650f28d4bc53b93c3b4a2723985225de297 +Author: Tom Yu +Date: Wed Dec 30 15:26:54 2015 -0500 + + Add .travis.yml + + Do Travis CI testing with clang and gcc, on 64-bit Ubuntu Trusty. + Performance would probably be better using the container-based Travis + infrastructure, but that is currently limited to Precise, and we would + need some important apt packages whitelisted, e.g., dejagnu. + + (cherry picked from commit 09e8307da049cf90bb1f7b9b4b1608a0b9130fd9) + + ticket: 8339 (new) + target_version: 1.13-next + target_version: 1.14-next + version_fixed: 1.14.1 + tags: pullup + + .travis.yml | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +commit 552dadfd3bd8068010345c64f8e1880708fa03ac +Author: Tom Yu +Date: Wed Jan 6 15:46:40 2016 -0500 + + Increase hostname length in ipropd_svc.c + + On some systems, MAXHOSTNAMELEN is too short for valid fully qualified + domain names. Use NI_MAXHOST instead in ipropd_svc.c. + + (cherry picked from commit 39802ad406c294306a407ea3d1199941d8b5d773) + + ticket: 8336 + version_fixed: 1.14.1 + + src/kadmin/server/ipropd_svc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 40afd7e5165de5459dabdebee10c5ccfd7322dec +Author: Tom Yu +Date: Wed Dec 30 17:17:02 2015 -0500 + + Don't canonicalize hostname in sim_client.c + + krb5_mk_req() already canonicalizes the target hostname, so don't try + to use a buffer of size MAXHOSTNAMELEN to canonicalize the hostname + beforehand. This buffer will be too short for some unusually long + FQDNs. 
+ + (cherry picked from commit 0491c778064e80aaf2aaeb4475a0db333542fed9) + + ticket: 8336 + version_fixed: 1.14.1 + + src/appl/simple/client/sim_client.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +commit ab7f74d758e5d87785804f10cad45e26956d2a5d +Author: Tom Yu +Date: Wed Jan 6 15:24:16 2016 -0500 + + Work around uninitialized warning in cc_kcm.c + + Some versions of clang erroneously detect use of an uninitialized + variable reply_len in kcmio_call() when building on non-Mac platforms. + Initialize it to work around this warning. + + (cherry picked from commit 40b007c0d8e2a12c6f4205ac111dee731c9d970c) + + ticket: 8335 + version_fixed: 1.14.1 + + src/lib/krb5/ccache/cc_kcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit d0daf73db55d8d67220e327e8c0a021e71041024 +Author: Robbie Harwood +Date: Wed Dec 16 19:31:22 2015 -0500 + + Fix interposed gss_accept_sec_context() + + If gss_accept_sec_context() is interposed, selected_mech will be an + interposer OID. In this situation, pass the corresponding public OID + to gss_inquire_attrs_for_mech() to determine whether the mech is + allowed by default. + + [ghudson@mit.edu: pared down from larger commit; rewrote commit message] + + (cherry picked from commit 0b43d10333f4c4b29896cebc9447d8866b661217) + + ticket: 8338 + version_fixed: 1.14.1 + + src/lib/gssapi/mechglue/g_accept_sec_context.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +commit 8917552b578608f99d3c38b58fdddeb78ab4bbb8 +Author: Simo Sorce +Date: Tue Jan 5 12:11:59 2016 -0500 + + Check internal context on init context errors + + If the mechanism deletes the internal context handle on error, the + mechglue must do the same with the union context, to avoid crashes if + the application calls other functions with this invalid union context. 
+ + [ghudson@mit.edu: edit commit message and code comment] + + (cherry picked from commit 3beb564cea3d219efcf71682b6576cad548c2d23) + + ticket: 8337 + version_fixed: 1.14.1 + + src/lib/gssapi/mechglue/g_init_sec_context.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +commit 018f203ff88e8ffe187502a0e97824e697179f3a +Author: Tomas Kuthan +Date: Tue Dec 29 11:47:49 2015 +0100 + + Check context handle in gss_export_sec_context() + + After commit 4f35b27a9ee38ca0b557ce8e6d059924a63d4eff, the + context_handle parameter in gss_export_sec_context() is dereferenced + before arguments are validated by val_exp_sec_ctx_args(). With a null + context_handle, the new code segfaults instead of failing gracefully. + Revert this part of the commit and only dereference context_handle if + it is non-null. + + (cherry picked from commit b6f29cbd2ab132e336b5435447348400e9a9e241) + + ticket: 8334 + version_fixed: 1.14.1 + + src/lib/gssapi/mechglue/g_exp_sec_context.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +commit c5913198c74b8df638dedd23ceb785dc0ef79b98 +Author: Simo Sorce +Date: Wed Dec 9 18:09:18 2015 -0500 + + Set TL_DATA mask flag for master key operations + + When kdb5_util adds or removes master keys, it modifies tl-data but + doesn't set the KADM5_TL_DATA mask flag, causing KDB modules that rely + on this signaling (such as the LDAP module) not to store the tl-data + changes. Fix this issue by setting the mask bit in add_new_mkey() and + kdb5_purge_mkeys(). 
+ + [ghudson@mit.edu: edit commit message] + + (cherry picked from commit c877f13c8985d820583b0d7ac1bb4c5dc36e677e) + + ticket: 8327 + version_fixed: 1.14.1 + + src/kadmin/dbutil/kdb5_mkey.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +commit 5e3902de9753bb86488ee04abc886a3d51261653 +Author: Greg Hudson +Date: Fri Dec 11 11:05:32 2015 -0500 + + Add libkrb5support dependencies to test plugins + + In some build environments, dependencies on libkrb5support can be + generated just from static inline functions in our header files, even + if those functions aren't used. In two test plugin modules, use + $(KRB5_BASE_DEPLIBS) and $(KRB5_BASE_LIBS) to depend on libkrb5support + as well as libkrb5. (This also pulls in libk5crypto, which is + unnecessary for these modules, but is inconsequential for a test + module.) Reported by Will Fiveash. + + (cherry picked from commit 5568d31f45fb78f505340a5b520b22d4dd3f6522) + + ticket: 8326 + version_fixed: 1.14.1 + + src/plugins/hostrealm/test/Makefile.in | 6 +++--- + src/plugins/pwqual/test/Makefile.in | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +commit 4682cfb7696231ddf4a34f9d048233012266b657 +Author: Greg Hudson +Date: Mon Dec 7 12:16:41 2015 -0500 + + Fix k5crypto NSS iov processing bug + + In k5_nss_gen_stream_iov(), don't stop processing the iov array if we + run across a zero-length iov. + + (cherry picked from commit 08fafff29a11e61036021196aaae8c303d1a5662) + + ticket: 8300 + version_fixed: 1.14.1 + + src/lib/crypto/nss/enc_provider/enc_gen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit ad14dbfc6a0576b6b93a3890c48e697f9a88d919 +Author: Tom Yu +Date: Wed Dec 9 13:49:22 2015 -0500 + + Correctly use k5_wrapmsg() in ldap_principal2.c + + Commit ebcdf02f8ec212555b1762007fa8454615900f36 incorrectly used + k5_prependmsg() in an error handling clause in + krb5_ldap_get_principal(). Use k5_wrapmsg() instead. 
+ + (cherry picked from commit 412c19f93a0d7fed853388194f55eaf0d778b9e6) + + ticket: 8301 + version_fixed: 1.14.1 + + src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +commit 2767ef1f7dacd086a7fc2e5058eed107d242336b +Author: Tom Yu +Date: Mon Dec 14 17:31:20 2015 -0500 + + Update mitK5features.rst for krb5-1.14 + + doc/mitK5features.rst | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +commit ff250cedda5f3c2f25570e360473e0641e5e60ee +Author: Simo Sorce +Date: Fri Nov 13 14:44:54 2015 -0500 + + Fix mechglue gss_acquire_cred_impersonate_name + + Checking for the generic gss_acquire_cred() function is no guarantee + that gss_acquire_cred_impersonate_name() is also implemented. + + [ghudson@mit.edu: edit commit message] + + (cherry picked from commit 46a4e225d2ecaa4077aa65f12f64273bf4911d3a) + + ticket: 8276 + version_fixed: 1.14 + status: resolved + + src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 09217b32aee4c2529e1c14d947b4cd9b0269f2cb +Author: Tom Yu +Date: Fri Nov 20 16:27:29 2015 -0500 + + Update for krb5-1.14-postrelease + + src/patchlevel.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +commit 48401c2c17364ebd90d3422d01a159ca16ea9548 +Author: Tom Yu +Date: Thu Nov 19 15:06:42 2015 -0500 + + Updates for krb5-1.14 + + README | 4 ++-- + src/patchlevel.h | 4 ++-- + src/po/mit-krb5.pot | 4 ++-- + 3 files changed, 6 insertions(+), 6 deletions(-) + +commit c01d166c0f6e5c9d87df481d0900568a320e08db +Author: Tom Yu +Date: Thu Nov 12 23:51:19 2015 -0500 + + Update for krb5-1.14-beta2-postrelease + + src/patchlevel.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +commit 102087ab0ce9f8661be09f905ca546c4d471bac5 +Author: Tom Yu +Date: Thu Nov 12 16:17:48 2015 -0500 + + Updates for krb5-1.14-beta2 + + README | 28 ++++++++++++++++++++++++++++ + src/patchlevel.h | 4 ++-- + src/po/mit-krb5.pot | 4 ++-- + 3 
files changed, 32 insertions(+), 4 deletions(-) + +commit be54332c6ea2d6089a94a6a26188c51212acab7a +Author: Tom Yu +Date: Thu Nov 12 16:01:36 2015 -0500 + + make update-po + + src/po/mit-krb5.pot | 35 +++++++++++++++-------------------- + 1 file changed, 15 insertions(+), 20 deletions(-) + +commit e802afa475291762b57ba2d27ce5c81dbaec2c07 +Author: Greg Hudson +Date: Sun Nov 1 22:47:53 2015 -0500 + + Add test coverage for GSS context export/import + + Pass the -export flag to gss-server in t_gss_sample.py, in order to + test context export and import for each of the mechanisms. + + (cherry picked from commit bee2d867248b24c627da4c2ef270c8de15fd96f9) + + ticket: 8273 + version_fixed: 1.14 + status: resolved + + src/appl/gss-sample/t_gss_sample.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +commit 8e10a780fd3bfefd1ba08ca1552e8d0677917454 +Author: Greg Hudson +Date: Sun Nov 1 22:46:56 2015 -0500 + + Fix SPNEGO context import + + The patches for CVE-2015-2695 did not implement a SPNEGO + gss_import_sec_context() function, under the erroneous belief that an + exported SPNEGO context would be tagged with the underlying context + mechanism. Implement it now to allow SPNEGO contexts to be + successfully exported and imported after establishment. + + (cherry picked from commit 222b09f6e2f536354555f2a0dedfe29fc10c01d6) + + ticket: 8273 + version_fixed: 1.14 + + src/lib/gssapi/spnego/spnego_mech.c | 33 +++++++++++++++++++++++++++------ + 1 file changed, 27 insertions(+), 6 deletions(-) + +commit 54222de30a89bfac0247dfbc1759556dc9fd2983 +Author: Greg Hudson +Date: Sun Nov 1 22:45:21 2015 -0500 + + Fix IAKERB context export/import [CVE-2015-2698] + + The patches for CVE-2015-2696 contained a regression in the newly + added IAKERB iakerb_gss_export_sec_context() function, which could + cause it to corrupt memory. Fix the regression by properly + dereferencing the context_handle pointer before casting it. 
+ + Also, the patches did not implement an IAKERB gss_import_sec_context() + function, under the erroneous belief that an exported IAKERB context + would be tagged as a krb5 context. Implement it now to allow IAKERB + contexts to be successfully exported and imported after establishment. + + CVE-2015-2698: + + In any MIT krb5 release with the patches for CVE-2015-2696 applied, an + application which calls gss_export_sec_context() may experience memory + corruption if the context was established using the IAKERB mechanism. + Historically, some vulnerabilities of this nature can be translated + into remote code execution, though the necessary exploits must be + tailored to the individual application and are usually quite + complicated. + + CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C + + (cherry picked from commit 3db8dfec1ef50ddd78d6ba9503185995876a39fd) + + ticket: 8273 + version_fixed: 1.14 + + src/lib/gssapi/krb5/gssapiP_krb5.h | 5 +++++ + src/lib/gssapi/krb5/gssapi_krb5.c | 2 +- + src/lib/gssapi/krb5/iakerb.c | 42 +++++++++++++++++++++++++++++++------- + 3 files changed, 41 insertions(+), 8 deletions(-) + +commit 1be18763f94dc519da9b9928e82566558c8748c2 +Author: Greg Hudson +Date: Tue Oct 27 00:44:24 2015 -0400 + + Fix two IAKERB comments + + The comment explaining why there is no iakerb_gss_import_sec_context() + erroneously referenced SPNEGO instead of IAKERB (noticed by Ben + Kaduk). The comment above iakerb_gss_delete_sec_context() is out of + date after the last commit. + + (cherry picked from commit 92d6dd045dfc06cc03d20b327a6ee7a71e6bc24d) + + src/lib/gssapi/krb5/iakerb.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +commit 54393f97906996b7a20c3abf0948a04ce9062f49 +Author: Greg Hudson +Date: Wed Oct 21 13:21:48 2015 -0400 + + Zap secure cookie contents when freeing + + Secure cookies are intended to hold secret values which may contribute + to key data, and therefore should be sanitized when released. 
Also + fix a memory leak in kdc_fast_make_cookie(). + + (cherry picked from commit 73f0ee229fdd2e888bdefe580bb183d2a6c57365) + + ticket: 8271 + version_fixed: 1.14 + status: resolved + + src/include/k5-int.h | 3 +++ + src/kdc/fast_util.c | 12 ++++++++---- + src/lib/krb5/krb/kfree.c | 16 +++++++++++++++- + src/lib/krb5/libkrb5.exports | 1 + + 4 files changed, 27 insertions(+), 5 deletions(-) + +commit b32e0380cd37f90a009e4655a29d9fe7c6375fcb +Author: Paul Fertser +Date: Mon Oct 19 14:46:14 2015 -0400 + + Use fixed rcache directory when cross-compiling + + When cross-compiling, looking at what directories are present on the + build machine makes no sense. Default to /var/tmp instead. + + [ghudson@mit.edu: use /var/tmp instead of /tmp; adjust commit message] + + (cherry picked from commit db2acb6b06e469c6c12476bec68acc7964626523) + + ticket: 8254 + version_fixed: 1.14 + status: resolved + + src/configure.in | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +commit 67bdf8189b24efca8a244316e7d51bd52d0dbda9 +Author: Greg Hudson +Date: Fri Sep 25 12:51:47 2015 -0400 + + Fix build_principal memory bug [CVE-2015-2697] + + In build_principal_va(), use k5memdup0() instead of strdup() to make a + copy of the realm, to ensure that we allocate the correct number of + bytes and do not read past the end of the input string. This bug + affects krb5_build_principal(), krb5_build_principal_va(), and + krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not + affected. + + CVE-2015-2697: + + In MIT krb5 1.7 and later, an authenticated attacker may be able to + cause a KDC to crash using a TGS request with a large realm field + beginning with a null byte. If the KDC attempts to find a referral to + answer the request, it constructs a principal name for lookup using + krb5_build_principal() with the requested realm. 
Due to a bug in this + function, the null byte causes only one byte be allocated for the + realm field of the constructed principal, far less than its length. + Subsequent operations on the lookup principal may cause a read beyond + the end of the mapped memory region, causing the KDC process to crash. + + CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C + + (cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789) + + ticket: 8252 + version_fixed: 1.14 + status: resolved + + src/lib/krb5/krb/bld_princ.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +commit 9bc7e779d56398d523e50517f355cab94a864435 +Author: Greg Hudson +Date: Fri Sep 11 17:58:33 2015 -0400 + + Add more gss_inquire_context() tests + + Add tests for partial IAKERB and SPNEGO initiators, and for partial + krb5 (DCE-style), IAKERB, and SPNEGO acceptors. Make flag checking + more strict for existing tests. + + (cherry picked from commit a705b1160ce7f0c5f23b9859c4c6c707503fbfdc) + + ticket: 8244 + version_fixed: 1.14 + status: resolved + + src/tests/gssapi/t_gssapi.py | 2 +- + src/tests/gssapi/t_inq_ctx.c | 146 +++++++++++++++++++++++++++++++++++++------ + 2 files changed, 129 insertions(+), 19 deletions(-) + +commit 096cfaa18504d20889a3d8829decb1bf72dd0ac5 +Author: Nicolas Williams +Date: Mon Sep 14 12:28:36 2015 -0400 + + Fix IAKERB context aliasing bugs [CVE-2015-2696] + + The IAKERB mechanism currently replaces its context handle with the + krb5 mechanism handle upon establishment, under the assumption that + most GSS functions are only called after context establishment. This + assumption is incorrect, and can lead to aliasing violations for some + programs. Maintain the IAKERB context structure after context + establishment and add new IAKERB entry points to refer to it with that + type. Add initiate and established flags to the IAKERB context + structure for use in gss_inquire_context() prior to context + establishment. 
+ + CVE-2015-2696: + + In MIT krb5 1.9 and later, applications which call + gss_inquire_context() on a partially-established IAKERB context can + cause the GSS-API library to read from a pointer using the wrong type, + generally causing a process crash. Java server applications using the + native JGSS provider are vulnerable to this bug. A carefully crafted + IAKERB packet might allow the gss_inquire_context() call to succeed + with attacker-determined results, but applications should not make + access control decisions based on gss_inquire_context() results prior + to context establishment. + + CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C + + [ghudson@mit.edu: several bugfixes, style changes, and edge-case + behavior changes; commit message and CVE description] + + (cherry picked from commit e04f0283516e80d2f93366e0d479d13c9b5c8c2a) + + ticket: 8244 + version_fixed: 1.14 + + src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++ + src/lib/gssapi/krb5/gssapi_krb5.c | 105 +++++++++-- + src/lib/gssapi/krb5/iakerb.c | 351 +++++++++++++++++++++++++++++++++---- + 3 files changed, 529 insertions(+), 41 deletions(-) + +commit 31fb730f1ad708f230e4387e02ed2f89b93c3607 +Author: Nicolas Williams +Date: Mon Sep 14 12:27:52 2015 -0400 + + Fix SPNEGO context aliasing bugs [CVE-2015-2695] + + The SPNEGO mechanism currently replaces its context handle with the + mechanism context handle upon establishment, under the assumption that + most GSS functions are only called after context establishment. This + assumption is incorrect, and can lead to aliasing violations for some + programs. Maintain the SPNEGO context structure after context + establishment and refer to it in all GSS methods. Add initiate and + opened flags to the SPNEGO context structure for use in + gss_inquire_context() prior to context establishment. 
+ + CVE-2015-2695: + + In MIT krb5 1.5 and later, applications which call + gss_inquire_context() on a partially-established SPNEGO context can + cause the GSS-API library to read from a pointer using the wrong type, + generally causing a process crash. This bug may go unnoticed, because + the most common SPNEGO authentication scenario establishes the context + after just one call to gss_accept_sec_context(). Java server + applications using the native JGSS provider are vulnerable to this + bug. A carefully crafted SPNEGO packet might allow the + gss_inquire_context() call to succeed with attacker-determined + results, but applications should not make access control decisions + based on gss_inquire_context() results prior to context establishment. + + CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C + + [ghudson@mit.edu: several bugfixes, style changes, and edge-case + behavior changes; commit message and CVE description] + + (cherry picked from commit b51b33f2bc5d1497ddf5bd107f791c101695000d) + + ticket: 8244 + version_fixed: 1.14 + + src/lib/gssapi/spnego/gssapiP_spnego.h | 2 + + src/lib/gssapi/spnego/spnego_mech.c | 254 ++++++++++++++++++++++++--------- + 2 files changed, 192 insertions(+), 64 deletions(-) + +commit 8c40b196ce00e653081f6c21f1dd2cbbcd2cc64e +Author: Greg Hudson +Date: Thu Oct 8 08:53:37 2015 -0400 + + Allow clock skew in krb5 gss_accept_sec_context() + + Remove an unnecessarily strict check for ticket expiration from + kg_accept_krb5() and kg_accept_dce(). Instead, add the maximum + allowable clock skew to the reported lifetime of acceptor contexts. 
+ + (cherry picked from commit b496ce4095133536e0ace36b74130e4b9ecb5e11) + + ticket: 8268 + version_fixed: 1.14 + status: resolved + + src/lib/gssapi/krb5/accept_sec_context.c | 18 ++++-------------- + src/lib/gssapi/krb5/inq_context.c | 7 ++++++- + 2 files changed, 10 insertions(+), 15 deletions(-) + +commit 83ef046b405dfad26538eeccc117e1ab178bdd91 +Author: Greg Hudson +Date: Sun Oct 4 19:54:35 2015 -0400 + + Make ksu work when unsetenv() returns NULL + + Some older platforms (OS X 10.4, glibc 2.2.1) declare unsetenv() as + returning void, as does ksu's compatibility definition of unsetenv(). + Don't use the return value in get_configured_defccname(). + + (cherry picked from commit 7eee546db10e907666e02fdded4f512e8d0faf4c) + + ticket: 8267 + version_fixed: 1.14 + status: resolved + + src/clients/ksu/main.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +commit 05af7e4e3297c33fcafe6db8c87c2be9949dc1e5 +Author: Greg Hudson +Date: Sun Oct 4 15:55:43 2015 -0400 + + Fix installed message catalog uses in kdb tests + + In src/tests/Makefile.in, rename RUN_SETUP to RUN_DB_TEST, and include + "LC_ALL=C" in the definition to avoid using the message catalog. Also + include $(VALGRIND) for consistency with RUN_TEST. + + (cherry picked from commit 9a6dcd4b56df245556e77b9b1db6a8c3f486cf9e) + + ticket: 8264 + version_fixed: 1.14 + status: resolved + + src/tests/Makefile.in | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +commit 962a14661fc5b16aea4725f67eff22f9f9179918 +Author: Greg Hudson +Date: Sun Oct 4 14:45:29 2015 -0400 + + Use RUN_TEST and fix installed krb5.conf uses + + Use $(RUN_TEST) to run most C test programs, for simplicity and to fix + accidental uses of the installed krb5.conf. Where a particular + krb5.conf must be used instead of the one in src/config-files, use a + locally defined variant like RUN_TEST_LOCAL_CONF. 
+ + Accidental references to the installed krb5.conf were present when + running t_pac, t_princ, t_etypes, t_trace, t_attr, t_attrset, + t_packet, t_remote, t_client, pkinit_kdf_test, test_chpw_message, + text_cxx_krb5, and test_cxx_k5int. + + Based on a patch from Robbie Harwood. + + (cherry picked from commit 4eea9c287e43ab40936e25094cd093f2f3f32bd9) + + ticket: 8266 + version_fixed: 1.14 + status: resolved + + src/kdc/Makefile.in | 3 +-- + src/lib/crypto/builtin/des/Makefile.in | 8 +++--- + src/lib/crypto/builtin/sha1/Makefile.in | 4 +-- + src/lib/crypto/builtin/sha2/Makefile.in | 2 +- + src/lib/crypto/crypto_tests/Makefile.in | 48 ++++++++++++++++----------------- + src/lib/crypto/krb/Makefile.in | 2 +- + src/lib/gssapi/generic/Makefile.in | 2 +- + src/lib/kdb/Makefile.in | 2 +- + src/lib/krad/Makefile.in | 13 +++++---- + src/lib/krb5/ccache/Makefile.in | 6 ++--- + src/lib/krb5/keytab/Makefile.in | 3 +-- + src/lib/krb5/krb/Makefile.in | 31 +++++++++++---------- + src/lib/krb5/os/Makefile.in | 18 +++++++------ + src/plugins/preauth/pkinit/Makefile.in | 2 +- + src/tests/asn.1/Makefile.in | 16 +++-------- + src/tests/gssapi/Makefile.in | 6 ++--- + src/tests/misc/Makefile.in | 14 +++++----- + src/tests/resolve/Makefile.in | 6 ++--- + src/tests/shlib/Makefile.in | 2 +- + src/tests/threads/Makefile.in | 2 +- + src/util/et/Makefile.in | 4 +-- + src/util/profile/Makefile.in | 6 ++--- + 22 files changed, 94 insertions(+), 106 deletions(-) + +commit b5b98e1acb3d72f0398a9046d220512936941b5d +Author: Greg Hudson +Date: Sun Oct 4 11:09:28 2015 -0400 + + Add RUN_TEST make variable + + Add a pre.in variable to simplify running C test programs from + Makefile rules. 
+ + (cherry picked from commit 45c6e285be8042ffccdab13b5f78cd5ada8e7973) + + ticket: 8266 + + src/config/pre.in | 6 ++++++ + 1 file changed, 6 insertions(+) + +commit fca6f1095bd8a3bc5a5013dcf7e346a3220b9218 +Author: Andreas Schneider +Date: Tue Oct 6 13:35:03 2015 +0200 + + Accept new passwords as const char pointers + + In krb5_change_password(), krb5_set_password(), and + krb5_set_password_using_ccache(), accept the new password as a const + char * instead of a char *. Propagate this change to the necessary + internal functions. + + [ghudson@mit.edu: commit message rewrite] + + (cherry picked from commit 03c5058f2a1315aa718f0a083f5568bedaf187e8) + + ticket: 8269 + version_fixed: 1.14 + status: resolved + + src/include/krb5/krb5.hin | 11 ++++++----- + src/lib/krb5/krb/chpw.c | 4 ++-- + src/lib/krb5/krb/int-proto.h | 4 ++-- + src/lib/krb5/os/changepw.c | 10 +++++----- + 4 files changed, 15 insertions(+), 14 deletions(-) + +commit 7861885ffa0dcccfbb57b7ad7a0ccff445380253 +Author: Nalin Dahyabhai +Date: Thu Oct 1 18:59:34 2015 -0400 + + Set plugin_base_dir for kadmin tests + + In the krb5.conf used by the kadmin tests, include a plugin_base_dir + setting. Otherwise the KDC can load and run code from kdcpreauth + modules in the install tree. 
+ + [ghudson@mit.edu: commit message] + + (cherry picked from commit 3db59d81bbbe389553d13efeee1c99117b459b24) + + ticket: 8262 + version_fixed: 1.14 + status: resolved + + src/kadmin/testing/proto/krb5.conf.proto | 1 + + src/kadmin/testing/scripts/start_servers | 1 + + 2 files changed, 2 insertions(+) + +commit be37d5edc8be2c1372f98432b187fee6a41d9fb9 +Author: Tom Yu +Date: Fri Oct 9 16:45:24 2015 -0400 + + Updates for krb5-1.14-beta1-postrelease + + src/patchlevel.h | 4 ++-- + src/po/mit-krb5.pot | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +commit f5ab3b3b18b7373ddfbcc2c2bd9cbe2b333f0203 +Author: Tom Yu +Date: Fri Oct 9 14:10:34 2015 -0400 + + Updates for krb5-1.14-beta1 + + README | 10 ++++++++++ + src/patchlevel.h | 4 ++-- + src/po/mit-krb5.pot | 4 ++-- + 3 files changed, 14 insertions(+), 4 deletions(-) + +commit 8171ee95cead3878df595164300d9492857acc96 +Author: Tom Yu +Date: Fri Oct 9 14:18:19 2015 -0400 + + make update-po + + src/po/mit-krb5.pot | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +commit e2378ca8dada3ee7e163fd272f722e4819323d00 +Author: Tom Yu +Date: Mon Oct 5 15:59:25 2015 -0400 + + Update mitK5features.rst for krb5-1.14 + + doc/mitK5features.rst | 91 ++++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 90 insertions(+), 1 deletion(-) + +commit 7db0ce98c83961537a75ba8256533955aa7885b4 +Author: Tomas Kuthan +Date: Wed Sep 30 15:44:11 2015 +0200 + + Fix gss_store_cred() minor code on acceptor cred + + In krb5_gss_store_cred_into(), if the credential is acceptor-only, set + the minor status to G_STORE_ACCEPTOR_CRED_NOSUPP instead of + G_BAD_USAGE. 
+ + [ghudson@mit.edu: edit commit message] + + (cherry picked from commit c0e16bb2f654038ad81602e89851f232916da051) + + ticket: 8260 + version_fixed: 1.14 + status: resolved + + src/lib/gssapi/krb5/store_cred.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit d8bb4512bbf57f7889fbb54171e45e9e5dfa86d8 +Author: Tomas Kuthan +Date: Wed Sep 30 15:18:05 2015 +0200 + + Check output params on GSS OID set functions + + Add sanity checks for the output parameters of + generic_gss_create_empty_oid_set() and + generic_gss_add_oid_set_member(), which are used directly by the API + functions gss_create_empty_oid_set() and gss_add_oid_set_member(). + + [ghudson@mit.edu: edit commit message] + + (cherry picked from commit c9e035794caa784b6cdf416e2b3f1d641d011390) + + ticket: 8259 + version_fixed: 1.14 + status: resolved + + src/lib/gssapi/generic/oid_ops.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +commit 53d1b3bcee1c40ae3f1d4762c41f94a48abbe34e +Author: Tomas Kuthan +Date: Wed Sep 30 15:34:26 2015 +0200 + + Correct GSS major code for non-default QOP values + + This patch fixes several krb5 mech error cases to comply with RFC + 2743; non-default QOP arguments should result in GSS_S_BAD_QOP, not + GSS_S_FAILURE. + + [ghudson@mit.edu: edit commit message] + + (cherry picked from commit 45ccc1c85f42e4f41f2042df8a51dd7826533029) + + ticket: 8258 + version_fixed: 1.14 + status: resolved + + src/lib/gssapi/krb5/k5seal.c | 2 +- + src/lib/gssapi/krb5/k5sealiov.c | 4 ++-- + src/lib/gssapi/krb5/wrap_size_limit.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +commit 8fcc83baf3b1a3e2b810b8a632aa71d9fb526ffa +Author: Tomas Kuthan +Date: Wed Sep 30 15:24:24 2015 +0200 + + Fix gss_inquire_names_for_mech() on MS krb5 mech + + Allow the krb5 mech to query names for the gss_mech_krb5_wrong OID + (the erroneous OID used in old Microsoft SPNEGO implementations). 
+ + [ghudson@mit.edu: edit commit message] + + (cherry picked from commit 95736f7d51cce7551c3c20450ff56831a71043df) + + ticket: 8257 + version_fixed: 1.14 + status: resolved + + src/lib/gssapi/krb5/inq_names.c | 1 + + 1 file changed, 1 insertion(+) + +commit 59df6a4f1c0c1e6f43132448fea372aa8beff5c0 +Author: Tomas Kuthan +Date: Wed Sep 30 15:14:40 2015 +0200 + + Fix typo in GSS_S_UNAUTHORIZED error message + + Remove an erroneous double space in the gss_display_status() result + for GSS_S_UNAUTHORIZED. + + [ghudson@mit.edu: edit commit message] + + (cherry picked from commit 36732bf2084803eef52ad56576e5a50f37ccd115) + + ticket: 8256 + version_fixed: 1.14 + status: resolved + + src/lib/gssapi/mechglue/g_dsp_status.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 4599701d2ed216856cd7a865bbbcb1a73ae09929 +Author: Tomas Kuthan +Date: Wed Sep 30 15:11:03 2015 +0200 + + Define error status GSS_S_BAD_MIC + + RFC 2743 adds GSS_S_BAD_MIC as an alias for GSS_S_BAD_SIG. + + [ghudson@mit.edu: edit commit messsage] + + (cherry picked from commit be87852a12737eed448032875fb74f23e9cbf26b) + + ticket: 8255 + version_fixed: 1.14 + status: resolved + + src/lib/gssapi/generic/gssapi.hin | 1 + + 1 file changed, 1 insertion(+) + +commit 299476d5d8ff60e127139b37473954e4d0d2125f +Author: Greg Hudson +Date: Fri Sep 25 17:31:53 2015 -0400 + + Fix minor utf8-to-ucs2s read overrun bug + + k5_utf8s_to_ucs2s() reads and ignores one extra byte from the input + string before terminating its loop, possibly overrunning the input + buffer of its caller. This overrun is typically without consequence, + but can show up in tools like asan or valgrind during RC4 + string-to-key operations. Fix the bug by swapping the order of the + loop conditions. 
+ + (cherry picked from commit eb52da21d72faa3d00b1205a5a0fdbabc45c9e6d) + + ticket: 8253 + version_fixed: 1.14 + status: resolved + + src/util/support/utf8_conv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit c01d9df461f68079245880066c5cbc2e447b5cb7 +Author: Greg Hudson +Date: Wed Sep 23 18:20:41 2015 -0400 + + Fix kadmin with e2fsprogs libss + + The libss in e2fsprogs exports ss_execute_command(), but does not + prototype it (as of this writing; a patch has been submitted + upstream). When using the system ss library, check if a prototype is + needed and provide one if so. + + (cherry picked from commit fd0b693f00f4d0b7b603bf4a2b8812869ad1df19) + + ticket: 8251 + version_fixed: 1.14 + status: resolved + + src/aclocal.m4 | 1 + + src/kadmin/cli/ss_wrapper.c | 4 ++++ + 2 files changed, 5 insertions(+) + +commit 8ba3d5790c8065e65eaff10f89a5c9ea7c809b68 +Author: Tom Yu +Date: Mon Sep 21 17:20:06 2015 -0400 + + Fail during configure if stdint.h missing + + We now require stdint.h to build this software. Gracefully fail + during configure time if stdint.h is missing. 
+ + (cherry picked from commit 33441e6376d5b1606089a3621798493027816010) + + ticket: 8221 + version_fixed: 1.14 + status: resolved + + src/configure.in | 3 +++ + 1 file changed, 3 insertions(+) + +commit e6eaaace67aa5c39c753862d25cce3e5d3894a2a +Author: Tom Yu +Date: Fri Sep 18 15:18:50 2015 -0400 + + Updates for krb5-1.14-alpha1-postrelease + + src/patchlevel.h | 4 ++-- + src/po/mit-krb5.pot | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +commit 4b6ba67f51b8723f53bcf7a532fedfda66f4bdbb +Author: Tom Yu +Date: Fri Sep 18 13:03:05 2015 -0400 + + Updates for krb5-1.14-alpha1 + + README | 162 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + src/patchlevel.h | 4 +- + src/po/mit-krb5.pot | 4 +- + 3 files changed, 166 insertions(+), 4 deletions(-) + +commit cef408cff0d4a7c2b06922535d0e5f67a3b5f9e7 +Author: Tom Yu +Date: Thu Sep 17 15:27:41 2015 -0400 + + make update-po + + src/po/mit-krb5.pot | 3229 +++++++++++++++++++++++++-------------------------- + 1 file changed, 1596 insertions(+), 1633 deletions(-) + +commit 66c10cfedf88efa0b3a9fac6d766cd54b405df94 +Author: Tom Yu +Date: Thu Sep 17 15:20:38 2015 -0400 Update manpages - src/man/kadm5.acl.man | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) + src/man/k5identity.man | 8 +- + src/man/k5login.man | 17 ++-- + src/man/k5srvutil.man | 8 +- + src/man/kadm5.acl.man | 72 ++++++++------ + src/man/kadmin.man | 194 ++++++++++++++++++++++++++++--------- + src/man/kadmind.man | 62 ++++-------- + src/man/kdb5_ldap_util.man | 34 ++++--- + src/man/kdb5_util.man | 234 +++++++++++++++++++++++++++++++++++++++++---- + src/man/kdc.conf.man | 193 ++++++++++++++++++++++++------------- + src/man/kdestroy.man | 10 +- + src/man/kinit.man | 25 +++-- + src/man/klist.man | 17 ++-- + src/man/kpasswd.man | 8 +- + src/man/kprop.man | 14 +-- + src/man/kpropd.man | 34 ++++--- + src/man/kproplog.man | 8 +- + src/man/krb5-config.man | 10 +- + src/man/krb5.conf.man | 183 ++++++++++++++++++++++------------- + 
src/man/krb5kdc.man | 53 +++------- + src/man/ksu.man | 60 +++++++----- + src/man/kswitch.man | 12 +-- + src/man/ktutil.man | 16 ++-- + src/man/kvno.man | 12 +-- + src/man/sclient.man | 8 +- + src/man/sserver.man | 18 ++-- + 25 files changed, 860 insertions(+), 450 deletions(-) + +commit 57d8287bb736aed8942bca8980460d8c870cb6e9 +Author: Tom Yu +Date: Thu Sep 17 14:53:57 2015 -0400 + + make depend + + src/clients/ksu/deps | 17 +++++++++-------- + src/kadmin/cli/deps | 3 ++- + src/kadmin/dbutil/deps | 32 +++++++++++++++++++++++++++++++ + src/kadmin/server/deps | 17 ++++++++++++----- + src/kdc/deps | 35 ++++++++++++++++++++++++++++++---- + src/lib/krb5/ccache/deps | 16 ++++++++-------- + src/lib/krb5/os/deps | 22 ++++++++++++++++----- + src/plugins/authdata/greet_client/deps | 8 ++++---- + src/plugins/authdata/greet_server/deps | 11 ++++++----- + src/plugins/kdb/test/deps | 15 +++++++++++++++ + src/plugins/preauth/test/deps | 25 ++++++++++++++++++++++++ + src/tests/deps | 30 +++++++++++++++++++++++++++++ + src/tests/gssapi/deps | 20 +++++++++++++++++++ + src/util/support/deps | 7 ++++--- + 14 files changed, 215 insertions(+), 43 deletions(-) + +commit 11a2a90d9e2229da6f2d49dd37105f7455c49dd8 +Author: Tom Yu +Date: Wed Sep 16 17:13:53 2015 -0400 + + Update acknowledgments + + README | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +commit 969c976ff021db7e409ce9a38d28316d9acfa2cc +Author: Tomas Kuthan +Date: Wed Sep 16 12:13:26 2015 +0200 + + Fix error mappings for IOV MIC mechglue funcs + + The mechglue functions gss_get_mic_iov(), gss_get_mic_iov_length(), + and gss_verify_mic_iov() don't call map_error() to map + mechanism-specific error codes. As a result, a subsequent call to + gss_display_status() fails with GSS_S_BAD_MECH, because no translation + for the error code is found in the error table. + + This patch adds the missing map_error call. 
+ + [ghudson@mit.edu: correct a whitespace issue, edit commit message] + + ticket: 8246 (new) + target_version: 1.13.3 + tags: pullup + + src/lib/gssapi/mechglue/g_unwrap_iov.c | 7 +++++-- + src/lib/gssapi/mechglue/g_wrap_iov.c | 14 ++++++++++---- + 2 files changed, 15 insertions(+), 6 deletions(-) + +commit dd2baa849b00fa1f26d722450f22f13e34e71af4 +Author: Greg Hudson +Date: Wed Sep 16 12:06:08 2015 -0400 + + Untabify kerberos.schema and kerberos.ldif + + Tabs are not equivalent to spaces in LDIF. + + ticket: 8245 + + src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif | 12 ++++++------ + src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema | 24 ++++++++++++------------ + 2 files changed, 18 insertions(+), 18 deletions(-) + +commit 5b156650dca05ee5d41813cd757706520b427a18 +Author: Greg Hudson +Date: Tue Sep 1 12:17:18 2015 -0400 + + Fix memory leak in t_accname test program + + In t_accname.c, release real_acceptor_name and namebuf before + returning from main(). + + src/tests/gssapi/t_accname.c | 2 ++ + 1 file changed, 2 insertions(+) + +commit 3aa8506ee9e1f564e3f396eed5ac5616d7c54b34 +Author: Nicolas Williams +Date: Tue Sep 1 11:58:30 2015 -0400 + + Fix krb5_rd_req() memory leak + + In release 1.13, commit eba8c4909ec7ba0d7054d5d1b1061319e9970cc7 + (ticket #7232) introduced a memory leak when skipping keytab entries + which do not match the application-provided server specification. Fix + it by freeing the keytab entry before continuing the loop on a failure + to match. + + [ghudson@mit.edu: commit message] + + ticket: 8239 (new) + target_version: 1.13.3 + tags: pullup + + src/lib/krb5/krb/rd_req_dec.c | 1 + + 1 file changed, 1 insertion(+) + +commit 4f35b27a9ee38ca0b557ce8e6d059924a63d4eff +Author: Nicolas Williams +Date: Tue Sep 1 19:42:58 2015 -0400 + + Fix error handling in gss_export_sec_context() + + In the mechglue gss_export_sec_context(), make sure to delete the + union context if the underlying mech context has been deleted. 
This + can happen if the mech's gss_export_sec_context() returns a failure + and deletes the context (not a behavior exhibited by any of our + in-tree mechanisms, but an allowed behavior for other mechs), or if we + fail to allocate space for the wrapped token. + + [ghudson@mit.edu: commit message; rename exit label to "cleanup" and + make it valid for all exit cases] + + ticket: 8240 (new) + target_version: 1.13.3 + tags: pullup + + src/lib/gssapi/mechglue/g_exp_sec_context.c | 30 ++++++++++++++++------------- + 1 file changed, 17 insertions(+), 13 deletions(-) + +commit 1e4a0394d0085e48d732ab318f9cbe08e9359587 +Author: Greg Hudson +Date: Thu Sep 3 12:46:39 2015 -0400 + + Add test cases for client referrals + + Add support for out-of-realm referrals to the test KDB modlule, and + add some tests to t_referral.py to exercise the KDC and client logic. + + src/plugins/kdb/test/kdb_test.c | 51 +++++++++++++++++++++++++++++++++++------ + src/tests/t_referral.py | 21 +++++++++++++++++ + 2 files changed, 65 insertions(+), 7 deletions(-) + +commit 4e036ef4127a9b09d1a567472da1df24c55cdb89 +Author: Greg Hudson +Date: Thu Sep 3 12:38:44 2015 -0400 + + Fix KDC client referrals + + Although our built-in KDB modules do not support client referrals for + AS requests, the KDC is supposed to return one if a third-party module + returns a DB entry containing a principal in a foreign realm. + Unfortunately, this code has never worked; in prepare_error_as(), we + erroneously compare the protocol code errcode against the com_err code + KRB5KDC_ERR_WRONG_REALM; as a result, we never supply the canonical + client principal. Fix this by comparing errcode against the protocol + code KDC_ERR_WRONG_REALM instead. + + Discovered by Alexander Bokovoy and Simo Sorce. 
+ + ticket: 8241 (new) + target_version: 1.13.3 + tags: pullup + + src/kdc/do_as_req.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 67b21425aeb551b4489d5fbf7694e87beefbc701 +Author: Tom Yu +Date: Wed Sep 9 16:02:13 2015 -0400 + + Document tabdump + + ticket: 8243 + + doc/admin/admin_commands/kdb5_util.rst | 152 +++++++++++++++++++++++++++++++++ + 1 file changed, 152 insertions(+) + +commit 9e68815fa166b0fcf78148b1bc402de1752a6424 +Author: Tom Yu +Date: Wed Sep 9 15:46:18 2015 -0400 + + Add tests for tabdump + + ticket: 8243 + + src/tests/Makefile.in | 1 + + src/tests/t_tabdump.py | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 82 insertions(+) + +commit 899fe672b88d59902986baec42c4e42fc5af4d03 +Author: Tom Yu +Date: Wed Sep 9 14:06:06 2015 -0400 + + Add tabular dump capability to kdb5_util + + This new kdb5_util tabdump command provides a reporting-friendly + tabular dump format for the KDC database. This format is also + suitable for importing into relational databases for queries. Output + is in tab-separated or CSV format. The user can select an output + table with a fixed number of columns. + + Currently, this only provides tables for a subset of the available + principal data. This includes making visible some data that is hidden + in hexadecimal strings in the tl_data of the ordinary dump format. + + ticket: 8243 + + src/kadmin/dbutil/Makefile.in | 6 +- + src/kadmin/dbutil/kdb5_util.c | 2 + + src/kadmin/dbutil/kdb5_util.h | 2 + + src/kadmin/dbutil/tabdump.c | 663 ++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 671 insertions(+), 2 deletions(-) + +commit 31a63dd8f5719255f9aea0be54d79247ec3b9ab6 +Author: Tom Yu +Date: Wed Sep 9 14:05:24 2015 -0400 + + Add utility functions for tabular dumps + + These utility functions allow for tab-separated and comma-separated + (CSV) output. These are primarily to support the tabular dump + capability for kdb5_util. Additional output options can be added + later. 
+ + ticket: 8243 (new) + subjetct: Add tabular dump capability to kdb5_util + + src/kadmin/dbutil/Makefile.in | 8 ++ + src/kadmin/dbutil/t_tdumputil.c | 115 +++++++++++++++++ + src/kadmin/dbutil/t_tdumputil.py | 32 +++++ + src/kadmin/dbutil/tdumputil.c | 266 +++++++++++++++++++++++++++++++++++++++ + src/kadmin/dbutil/tdumputil.h | 51 ++++++++ + 5 files changed, 472 insertions(+) + +commit 3b7e7bcb108add23c3c4a159287c88adcfbd6fd2 +Author: Greg Hudson +Date: Thu Sep 10 13:22:24 2015 -0400 + + Fix missing success() in t_preauth.py + + Add a success() call at the end to avoid displaying the debugging help + message on completion. + + ticket: 8233 + + src/tests/t_preauth.py | 2 ++ + 1 file changed, 2 insertions(+) + +commit 7621d2f9a87214327ca3b2594e34dc7cea84596b +Author: Greg Hudson +Date: Mon Sep 7 14:32:06 2015 -0400 + + Improve PKINIT OpenSSL error reporting + + When a non-trivial OpenSSL function fails during PKINIT processing, + try to ensure that the error message includes an indication of the + what PKINIT was doing and the reason for the first queued OpenSSL + error, and flush all queued OpenSSL errors to the trace log. For + certificate verification failures, also include the higher-level error + from the cert store. Add new helper functions oerr() and oerr_cert() + to minimize the amount of code needed to handle each error. + + ticket: 8242 (new) + + src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 146 ++++++++++++--------- + src/plugins/preauth/pkinit/pkinit_trace.h | 4 + + 2 files changed, 89 insertions(+), 61 deletions(-) + +commit 3fdf09ac9a36581b47f40c9d177e463cc12687ff +Author: Solly Ross +Date: Thu Aug 27 15:55:35 2015 -0400 + + Check for null name_type in gss_display_name_ext + + It is possible for the input name's name_type to be GSS_C_NO_OID. + g_OID_equal() does not account for GSS_C_NO_OID, so we have to + manually check before use to prevent null pointer dereferences. 
+ + ticket: 8238 (new) + target_version: 1.13.3 + tags: pullup + + src/lib/gssapi/mechglue/g_dsp_name_ext.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +commit f9e79bfdfaa6eb7c2059fb496b296b4316ca6352 +Author: Thomas Sondergaard +Date: Wed Aug 12 21:29:27 2015 +0200 + + Remove windows/gina + + It has only received cosmetic and build fix changes since it was + introduced in 1997 and doesn't do anything useful. The motivation for + removal at this point is to avoid spending time on build fixes for + newer tool chains like VS2015, and because GINA modules are only + supported by Windows versions prior to Windows Vista. + + https://support.microsoft.com/en-us/kb/925520 + + ticket: 8231 + + src/Makefile.in | 5 +- + src/windows/Makefile.in | 2 +- + src/windows/gina/Makefile.in | 36 ----- + src/windows/gina/gina.def | 21 --- + src/windows/gina/ginastub.c | 364 ------------------------------------------- + src/windows/gina/ginastub.h | 39 ----- + 6 files changed, 2 insertions(+), 465 deletions(-) + +commit 4552159e97007a45370dd49fa6b9fb963bb7d160 +Author: Thomas Sondergaard +Date: Tue Aug 11 08:52:20 2015 +0200 + + Link ucrt.lib and vcruntime.lib for VS2015 + + The Visual C++ runtime libraries have been rearranged in VS2015: + + http://blogs.msdn.com/b/vcblog/archive/2015/03/03/introducing-the-universal-crt.aspx + + [ghudson@mit.edu: wrap a long line in lib/Makefile.in; edit commit + summary] + + ticket: 8231 + + src/lib/Makefile.in | 6 +++++- + src/windows/kfwlogon/Makefile.in | 5 ++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +commit 705c2a4f21f64e0ee5be10eeffbc8c78c27a518d +Author: Thomas Sondergaard +Date: Tue Aug 11 08:31:53 2015 +0200 + + Pick MFC version based on VisualStudioVersion + + Rather than hardcode support for VS2010 and VS2012, assume that the + right MFC version can be obtained by removing the "." in the + VisualStudioVersion variable. This is true for VS2010, VS2012, + VS2013, and VS2015 at least. 
If VisualStudioVersion it is not set, + fall back to using MFC100(D) as before. + + ticket: 8231 + + src/windows/leash/Makefile.in | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +commit 4896c7e43725d2690e2adb0d49040c9bc594744b +Author: Thomas Sondergaard +Date: Wed Aug 12 21:09:42 2015 +0200 + + Fix Windows regression in prof_file.c + + Commit 13bfcda8de68 (Add support for directories in profile paths) + introduced use of S_ISDIR, but this macro is not defined by Windows + SDK stat.h. + + ticket: 8030 + + src/util/profile/prof_file.c | 3 +++ + 1 file changed, 3 insertions(+) + +commit 1b4bd4e388faa5685aa483fdc2bded02c95350bc +Author: Greg Hudson +Date: Mon Aug 17 18:26:36 2015 -0400 + + Add etype-info2 to MORE_PREAUTH_DATA_REQUIRED + + A multi-round-trip preauth mechanism may require key information, but + not for the initial message from the client. To support optimistic + preauth for such mechanisms, make the KDC include etype-info2 + information in a MORE_PREAUTH_DATA_REQUIRED error if the client didn't + include a PA-FX-COOKIE in its request. + + Add optimistic preauth support to the test preauth module and to + etinfo.c, and add a test case to t_etype_info.py to verify that + etype-info2 is included in the optimistic multi-hop scenario. + + ticket: 8234 (new) + + src/kdc/kdc_preauth.c | 52 ++++++++++++++++++++++++++++++++++++++ + src/plugins/preauth/test/cltest.c | 17 ++++++++++++- + src/plugins/preauth/test/kdctest.c | 11 +++++--- + src/tests/etinfo.c | 22 ++++++++++++---- + src/tests/t_etype_info.py | 12 +++++++++ + 5 files changed, 104 insertions(+), 10 deletions(-) + +commit 426d0bae0ebc8a4d4c6e44dd8953cde2196b5d82 +Author: Greg Hudson +Date: Mon Aug 17 17:41:22 2015 -0400 + + Refactor finish_check_padata() in KDC + + Use a helper function to filter the error codes from preauth modules. + Use a cleanup handler so that we aren't separately considering the + disposition of state and state->pa_e_data along different exit paths. 
+ + src/kdc/kdc_preauth.c | 73 ++++++++++++++++++++++++++------------------------- + 1 file changed, 37 insertions(+), 36 deletions(-) + +commit 752574e288c8322001d1b4e62f5fd99c579a3403 +Author: Greg Hudson +Date: Sun Aug 16 00:30:46 2015 -0400 + + Document secure cookie format and callbacks + + In kdcpreauth.rst, describe the set_cookie and get_cookie callbacks + and explain how to generate a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error + for multi-round-trip mechanisms. Add a new file formats/cookie.rst + documenting the secure cookie format. + + ticket: 8233 + + doc/formats/cookie.rst | 60 ++++++++++++++++++++++++++++++++++++++++++++ + doc/formats/index.rst | 1 + + doc/plugindev/kdcpreauth.rst | 14 +++++++++++ + 3 files changed, 75 insertions(+) + +commit 379239d98a05b271bbd6127f98bdb64646958b4c +Author: Greg Hudson +Date: Sun Aug 16 00:28:53 2015 -0400 + + Add cookie tests + + Add cookie and KDC_ERR_MORE_PREAUTH_DATA_REQUIRED functionality to the + test preauth plugins modules. Create a new test script t_preauth.py + and move a test there from t_etype_info.py which is only marginally + related to etype-info. Add a new test which exercises a multi-hop + preauth scenario and generates different cookies for each KDC error. + + ticket: 8233 + + src/plugins/preauth/test/cltest.c | 40 +++++++++++++++++++-- + src/plugins/preauth/test/kdctest.c | 71 ++++++++++++++++++++++++++++++-------- + src/tests/Makefile.in | 1 + + src/tests/t_etype_info.py | 20 ----------- + src/tests/t_preauth.py | 25 ++++++++++++++ + 5 files changed, 119 insertions(+), 38 deletions(-) + +commit 4e15c03b54464b661c6578f78de3bd348163fc07 +Author: Greg Hudson +Date: Wed Aug 12 11:58:17 2015 -0400 + + Add secure cookie support + + Remove the existing support for creating trivial cookies. Add new + functions to fast_util.c for reading and generating secure cookies. + Add new kdcpreauth callbacks "get_cookie" and "set_cookie" to allow + preauth mechs to retrieve and set cookie values. 
+ + Based on a patch by Nathaniel McCallum. + + ticket: 8233 (new) + + doc/appdev/refs/macros/index.rst | 1 + + src/include/krb5/kdcpreauth_plugin.h | 21 ++ + src/include/krb5/krb5.hin | 2 + + src/kdc/do_as_req.c | 40 +++- + src/kdc/fast_util.c | 363 +++++++++++++++++++++++++++-------- + src/kdc/kdc_preauth.c | 24 ++- + src/kdc/kdc_util.h | 20 +- + src/kdc/reqstate.h | 3 +- + 8 files changed, 382 insertions(+), 92 deletions(-) + +commit 312b3bc29a0c52a0a82055f566241964532c2128 +Author: Nathaniel McCallum +Date: Fri May 1 22:52:47 2015 -0400 + + Add ASN.1 encoder and decoder for secure cookie + + Add an internal type declaration, ASN.1 encoder and decoder functions, + an internal free function, and ASN.1 tests for krb5_secure_cookie. + The reference DER encoding was constructed by hand. + + To save on space, we don't use context tags, and use an integer rather + than a KerberosTime for the timestamp. The timestamp is stored in a + time_t; this requires a bugfix to the 64-bit case in + asn1_encode.c:store_int(). 
+ + [ghudson@mit.edu: reference encoding; decode test; minor adustments to + free functions; added comments; alterations for space savings; commit + message] + + src/include/k5-int.h | 13 +++++++++++++ + src/lib/krb5/asn.1/asn1_encode.c | 2 +- + src/lib/krb5/asn.1/asn1_k_encode.c | 17 +++++++++++++++++ + src/lib/krb5/krb/kfree.c | 9 +++++++++ + src/lib/krb5/libkrb5.exports | 3 +++ + src/tests/asn.1/krb5_decode_test.c | 8 ++++++++ + src/tests/asn.1/krb5_encode_test.c | 8 ++++++++ + src/tests/asn.1/ktest.c | 13 +++++++++++++ + src/tests/asn.1/ktest.h | 2 ++ + src/tests/asn.1/ktest_equal.c | 11 +++++++++++ + src/tests/asn.1/ktest_equal.h | 3 +++ + src/tests/asn.1/reference_encode.out | 1 + + src/tests/asn.1/trval_reference.out | 12 ++++++++++++ + 13 files changed, 101 insertions(+), 1 deletion(-) + +commit c8e9758db1d8a536a1404187b5911a96f7cdbea3 +Author: Greg Hudson +Date: Fri Aug 21 18:48:06 2015 -0400 + + Update SPNEGO hintName value to current spec + + [MS-SPNG] currently specifies that the hintName field of NegHints + should contain "not_defined_in_RFC4178@please_ignore". Heimdal + implements this behavior, but we instead try to include a display + name. Implement the currently specified behavior, and add a test to + t_spnego.c to verify that the expected hint token is generated. + + Further cleanup is possible; the negHints encoding is now constant (so + it does not need to be generated dynamically), and we could avoid + abusing the mechListMIC parameter of make_spnego_tokenInit_msg() to + transport it. 
+ + ticket: 8236 (new) + + src/lib/gssapi/spnego/spnego_mech.c | 98 +++++-------------------------------- + src/tests/gssapi/t_spnego.c | 38 ++++++++++++++ + 2 files changed, 49 insertions(+), 87 deletions(-) + +commit 382556f580e3b7fb8469976988c50b67bba51f26 +Author: Greg Hudson +Date: Thu Aug 20 12:26:57 2015 -0400 + + Check mech in gss_accept_sec_context w/ no cred + + If no verifier_cred_handle is passed to gss_accept_sec_context(), + accept the same mechs as we would with a default acceptor + credential--that is, not those which assert the GSS_C_MA_DEPRECATED or + GSS_C_MA_NOT_DFLT_MECH attributes. + + ticket: 8021 + + src/lib/gssapi/mechglue/g_accept_sec_context.c | 28 ++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +commit 53cc103b176b2141fbe4b92b433a516ac06a1ff4 +Author: Greg Hudson +Date: Fri Aug 21 12:26:17 2015 -0400 + + Adjust SPNEGO Microsoft krb5 OID tests + + In the Microsoft krb5 OID tests in t_spnego.c, use the proper krb5 OID + for the framing of the mech token, which better reflects the behavior + of Microsoft clients that use the wrong OID. Move the test to a + separate function and run it twice, once with an acceptor cred and + once without. + + Also add a comment noting that the reselection test no longer + exercises what it was designed to. We can't really fix that until we + add gss_acquire_cred_with_cred() or similar. + + src/tests/gssapi/t_spnego.c | 120 ++++++++++++++++++++++++++------------------ + 1 file changed, 72 insertions(+), 48 deletions(-) + +commit 042e9fc95a662acb54dc9168749c6725f17ae34a +Author: Simo Sorce +Date: Fri Aug 21 12:16:07 2015 -0400 + + Keep valgrind happy after time_rec change + + In gss_acquire_cred_from(), initialize initTimeOut and acceptTimeOut + so valgrind does not complain. All these values are ignored if + time_rec is NULL, so not having those variables initialized is + harmless, but it is annoying to get noise in the valgrind output. 
+ + [ghudson@mit.edu: clarify commit message] + + ticket: 8235 + + src/lib/gssapi/mechglue/g_acquire_cred.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 50f426ac17a81ff5b7c212c24645b9874ea911f0 +Author: Simo Sorce +Date: Mon Aug 17 13:21:42 2015 -0400 + + Resolve krb5 GSS creds if time_rec is requested + + The code normally tries to defer credential acquisition to a later + time. However, if the application requests the lifetime, the code + needs to resolve the credential and return the actual expiration time. + Returning 0 would cause the application to think credentials are + expired. + + In the mechglue, pass through null time_rec pointers to the mech so + that the mech knows whether it was requested. In SPNEGO, pass through + time_rec to the mech when acquiring creds, via a new parameter to + get_available_mechs(). + + [ghudson@mit.edu: minor style changes; edit and expand commit message] + + ticket: 8235 (new) + + src/lib/gssapi/krb5/acquire_cred.c | 9 ++++++++- + src/lib/gssapi/mechglue/g_acquire_cred.c | 14 +++++++++----- + src/lib/gssapi/spnego/spnego_mech.c | 15 ++++++++------- + 3 files changed, 25 insertions(+), 13 deletions(-) + +commit a3f3f4069858ea795b732ec1d96fae20d5fafe24 +Author: Isaac Boukris +Date: Thu Aug 13 02:28:36 2015 +0300 + + Fix gss_inquire_name() name_is_MN result + + Currently name_is_MN is left uninitialized for non-mechanism names due + to a typo. + + [ghudson@mit.edu: edited commit message] + + ticket: 8232 (new) + target_version: 1.13.3 + tags: pullup + + src/lib/gssapi/mechglue/g_inq_name.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 16128e80d30b4f5e03c2f4fd3d1024216eed3fa4 +Author: Greg Hudson +Date: Mon Aug 3 20:45:17 2015 -0400 + + Make cross-realm S4U2Self work + + When sending a S4U2Self query to a foreign realm, send an enterprise + server principal so that the foreign KDC can identify the home realm + of the server principal. 
+ + To make this work, adjust the memory management of + krb5_get_self_cred_from_kdc(). s4u_creds is now a shallow copy of + in_creds which owns no memory. A new variable eprinc owns the + enterprise form of the server principal, constructed using a new + helper function convert_to_enterprise(). Since we have to set the + server realm for KDC-REQ encoding to work, a new temporary variable + sprinc holds a shallow copy of *eprinc with the realm pointing to the + realm we are currently querying. + + Based on a patch by Sumit Bose. + + ticket: 7790 + + src/lib/krb5/krb/s4u_creds.c | 58 ++++++++++++++++++++++++++++---------------- + src/tests/gssapi/t_s4u.py | 17 +++++++++++++ + 2 files changed, 54 insertions(+), 21 deletions(-) + +commit 9771826f113708c41c75d7c447d4b870c0f6a78f +Author: Greg Hudson +Date: Tue Aug 11 11:32:56 2015 -0400 + + Fix new doxygen parameter lists + + Use [out] instead of [in] for the output parameters of + krb5_c_prfplus() and krb5_c_derive_prfplus(). Also use "out" instead + of "output" for krb5_c_derive_prfplus() to match the parameter name in + the definition. + + ticket: 8228 + + src/include/krb5/krb5.hin | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +commit d3e0af0774dd100f00fbc8895b99355d82d86bf1 +Author: Greg Hudson +Date: Mon Jul 27 10:34:54 2015 -0400 + + Add KDC_ERR_PREAUTH_EXPIRED support + + Define KDC_ERR_PREAUTH_EXPIRED and KRB5KDC_ERR_PREAUTH_EXPIRED. In + init_creds_step_reply(), handle a preauth-expired error by restarting + the exchange. 
+ + ticket: 8224 (new) + + src/include/k5-int.h | 1 + + src/lib/krb5/error_tables/krb5_err.et | 2 +- + src/lib/krb5/krb/get_in_tkt.c | 5 +++++ + 3 files changed, 7 insertions(+), 1 deletion(-) + +commit 9914d38658e5612db5b2847892b5ddce2b73c344 +Author: Greg Hudson +Date: Mon Jul 27 10:30:30 2015 -0400 + + Simplify get_in_tkt.c restart handling + + To simplify callers, make restart_init_creds_loop() reset the + err_reply and err_padata fields and free per-request preauth moddata. + Change its padata argument to a boolean argument for FAST upgrades, + instead of sometimes passing in ctx->err_padata (which would become + invalid partway through the function now that we're freeing it). + Split up the upgrade-to-FAST and downgrade-to-no-padata cases in + init_creds_step_reply(), and eliminate negotiation_requests_restart(). + + For brevity, rename the krb5_init_creds_context have_restarted field + to restarted. Rename krb5int_upgrade_to_fast_p() to + k5_upgrade_to_fast_p() and make it a true predicate. Change some flag + field assignments to use TRUE/FALSE instead of 1/0. Reset + enc_pa_rep_permitted after a client realm referral, since we don't + know that the new realm's KDCs will fail on informational padata. + + src/lib/krb5/krb/fast.c | 25 ++++--- + src/lib/krb5/krb/fast.h | 6 +- + src/lib/krb5/krb/get_in_tkt.c | 142 +++++++++++--------------------------- + src/lib/krb5/krb/init_creds_ctx.h | 2 +- + 4 files changed, 61 insertions(+), 114 deletions(-) + +commit 608a65570aa868d6e03423b5de3b8f82c0bff60b +Author: Greg Hudson +Date: Fri Jul 31 12:31:25 2015 -0400 + + Limit use of IAKERB + + Add the GSS_C_MA_NOT_DFLT_MECH attribute to IAKERB, and filter out + mechs with that attribute from the SPNEGO and gss_acquire_cred() + default mechanisms. + + Add a -iakerb option to gss-server and pass it when performing IAKERB + tests. Also add tests using the wrong password, to verify that + gss_acquire_cred_with_password() fails with the wrong password when + using SPNEGO. 
+ + ticket: 8021 + + src/appl/gss-sample/gss-server.c | 22 +++++++++--- + src/appl/gss-sample/t_gss_sample.py | 60 +++++++++++++++++++++----------- + src/lib/gssapi/krb5/gssapi_krb5.c | 1 + + src/lib/gssapi/mechglue/g_acquire_cred.c | 5 +-- + src/lib/gssapi/spnego/spnego_mech.c | 5 +-- + 5 files changed, 64 insertions(+), 29 deletions(-) + +commit 2a34b898b4810e88c9137818b6cd0e762e480196 +Author: Greg Hudson +Date: Fri Jul 31 11:58:36 2015 -0400 + + Don't assert GSS_C_MA_NOT_DFLT_MECH in mechglue + + gss_inquire_attrs_for_mech() should not add GSS_C_MA_NOT_DFLT_MECH to + mechs which aren't the default. The attribute means "MUST NOT be used + as a default mechanism" (RFC 5587) and is intended to be used by the + mechglue. It does not mean "is not the default mech". + + ticket: 8021 + + src/lib/gssapi/mechglue/g_mechattr.c | 15 --------------- + 1 file changed, 15 deletions(-) + +commit a14739f2a2acac30a8aba6f8e9f8f5a34bd38d6e +Author: Thomas Sondergaard +Date: Sat Aug 8 17:21:28 2015 +0200 + + Visual Studio 2015 build fixes + + Define HAVE_VSNPRINTF for VS2015 or newer. Avoid putting constants + directly after string literals without whitespace, or the VS2015 + compiler thinks it's a string suffix. Prefix the OVERFLOW identifier + in x-deltat.y (along with NUM and LONGNUM for consistency) to avoid a + conflict with math.h. Regenerate deltat.c. 
+ + [ghudson@mit.edu: squashed three commits and condensed commit + messages; avoid creating long lines] + + ticket: 8231 + + src/include/win-mac.h | 3 ++ + src/lib/krb5/krb/deltat.c | 80 ++++++++++++++++++++++----------------------- + src/lib/krb5/krb/x-deltat.y | 29 ++++++++-------- + src/windows/leash/Leash.cpp | 4 +-- + 4 files changed, 60 insertions(+), 56 deletions(-) + +commit 35cb760ab5289b29faebc7ecb4b5d8d0315ceae4 +Author: egonk +Date: Fri Jul 31 17:16:30 2015 +0200 + + Fix crash in libecho.c on win64 build + + Return value of _findfirst is intptr_t; see + https://msdn.microsoft.com/en-us/library/zyzxfzac.aspx + + [ghudson@mit.edu: also fix plugins.c] + + ticket: 8230 + + src/util/support/plugins.c | 4 ++-- + src/util/windows/libecho.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 5aa4127760b3e49821971550193669a80509e5eb +Author: Michael Mattioli +Date: Sun Aug 9 01:25:08 2015 -0400 + + Minor spelling and grammar fixes + + Fix minor spelling and grammar errors in documentation and comments, + and remove some trailing whitespace. + + [ghudson@mit.edu: remove a new trailing whitespace character; edit + commit message and k5unseal.c comment change; omit an out-of-scope + change] + + src/lib/gssapi/krb5/gssapi_krb5.h | 2 +- + src/lib/gssapi/krb5/k5unseal.c | 2 +- + src/windows/README | 54 +++++++++++++++++++-------------------- + 3 files changed, 29 insertions(+), 29 deletions(-) + +commit 35f288092f0df7f4aca92e1f51db3611a3b32ada +Author: Nathaniel McCallum +Date: Sun Jun 14 21:03:00 2015 -0400 + + Add krb5_c_prfplus() and krb5_c_derive_prfplus() + + This commit permits the external use of the RFC 6113 PRF+ function. + It also adds a function to derive a key from an input key and string + using PRF+. 
+ + [ghudson@mit.edu: adjust style; avoid new C99isms; use string2data(), + empty_data(), and alloc_data() where appropriate; add some explanatory + comments; edit docstrings and commit message] + + ticket: 8228 (new) + + doc/appdev/refs/api/index.rst | 2 + + src/include/krb5/krb5.hin | 42 ++++++++ + src/lib/crypto/krb/cf2.c | 209 +++++++++++++++++++++---------------- + src/lib/crypto/libk5crypto.exports | 2 + + src/lib/krb5_32.def | 2 + + 5 files changed, 167 insertions(+), 90 deletions(-) + +commit bd6a449f6591f75d0db6dbf3fb702268b92d7eb8 +Author: Greg Hudson +Date: Mon Aug 3 11:44:58 2015 -0400 + + Support OTP auth indicators in string attribute + + To better support integration with FreeIPA, allow authentication + indicators to be specified in the "otp" string attribute, overriding + any indicators in the token type. + + ticket: 8157 + + doc/admin/auth_indicator.rst | 3 +- + doc/admin/otp.rst | 13 ++++++- + src/plugins/preauth/otp/otp_state.c | 73 +++++++++++++++++++++++++++++++++++-- + src/tests/t_otp.py | 26 ++++++++++--- + 4 files changed, 103 insertions(+), 12 deletions(-) + +commit 25e0656fdf9862faf9aa91288023776e9a47caad +Author: Nathaniel McCallum +Date: Fri Aug 7 15:35:58 2015 -0400 + + Do not allow stream socket retries in libkrad + + Before this patch, libkrad would follow the same exact logic for all + socket types when the retries parameter was non-zero. This meant that + when connecting with SOCK_STREAM, multiple requests were sent in case + of packet drops, which, of course, cannot happen for SOCK_STREAM. + + Instead, just disable retries for SOCK_STREAM sockets. 
+ + [ghudson@mit.edu: minor wording edits] + + ticket: 8229 (new) + target_version: 1.13.3 + tags: pullup + + src/include/krad.h | 3 ++- + src/lib/krad/remote.c | 3 +++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +commit 0e60d5ce041607cfc7659a8d3198d0f3f8958245 +Author: Simo Sorce +Date: Tue Aug 4 14:04:14 2015 -0400 + + Allow missing authenticator checksum with GSSAPI + + Some SMB client implementations omit the authenticator checksum. To + interoperate with these clients, a server needs to allow missing + checksums and assume no flags are requested. This is being documented + in MS-KILE as well, as Microsoft does the same. + + [ghudson@mit.edu: edited and reformatted comment; edited commit + message summary] + + ticket: 8227 (new) + + src/lib/gssapi/krb5/accept_sec_context.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +commit 7746beda3b0312216ac3ffa18fa3179f252b15f4 +Author: Greg Hudson +Date: Wed Jul 29 11:46:19 2015 -0400 + + Improve krb5_cccol_have_content() error messages + + If we encounter any errors during krb5_cccol_have_content(), preserve + the message for the first one and wrap it. If we do not encounter any + errors, report the default ccache name. Based on a patch from Nico + Williams. + + ticket: 8225 (new) + + src/lib/krb5/ccache/cccursor.c | 54 +++++++++++++++++++++++++++++++++++------- + 1 file changed, 46 insertions(+), 8 deletions(-) + +commit 997eb174f5fd81747ad0ecb671f00c25951931b1 +Author: Greg Hudson +Date: Sun Jul 26 13:21:47 2015 -0400 + + Fix uncommon leak in krb5_init_creds_step() + + Release any previous value of ctx->err_padata before setting it in + init_creds_step_reply(). It could have a prior value after a realm + referral or retriable error. 
+ + ticket: 8223 + target_version: 1.13.3 + tags: pullup + + src/lib/krb5/krb/get_in_tkt.c | 2 ++ + 1 file changed, 2 insertions(+) + +commit 8b6d2227be777c4ef62bec796e864020db03031b +Author: Greg Hudson +Date: Thu Jul 23 12:33:07 2015 -0400 + + Simplify test preauth module use + + Since ticket #7665, explicitly registered kdcpreauth modules have + appeared before built-in modules (disregarding the static preauth + systems, which are all informational). Therefore, the test preauth + module can be used without disabling encrypted timestamp. Remove an + erroneous comment in kdctest.c and simplify test scripts which use the + test preauth module. + + src/plugins/preauth/test/kdctest.c | 5 ----- + src/tests/t_authdata.py | 3 +-- + src/tests/t_etype_info.py | 3 +-- + 3 files changed, 2 insertions(+), 9 deletions(-) + +commit 491b012b49ce687ffd4a26f5d0f6114d8411d04d +Author: Greg Hudson +Date: Mon Mar 23 13:03:32 2015 -0400 + + Document authentication indicators + + Add a new file auth_indicator.rst to the admin guide. Also document + the pkinit_indicator and OTP indicator profile variables, the + require_auth string attribute, and the add_auth_indicator kdcpreauth + callback. Add references to the new public constants in + appdev/refs/macros/index.rst. + + ticket: 8157 + + doc/admin/admin_commands/kadmin_local.rst | 6 ++++ + doc/admin/auth_indicator.rst | 52 +++++++++++++++++++++++++++++++ + doc/admin/conf_files/kdc_conf.rst | 10 ++++++ + doc/admin/index.rst | 1 + + doc/appdev/refs/macros/index.rst | 3 ++ + doc/plugindev/kdcpreauth.rst | 5 ++- + 6 files changed, 76 insertions(+), 1 deletion(-) + +commit 8ca82f0e3059cd8805f4dda388a8aa1d67c80920 +Author: Greg Hudson +Date: Mon Mar 23 12:20:15 2015 -0400 + + Add indicator support to PKINIT + + Read a "pkinit_indicator" profile variable for PKINIT realm + configuration and assert its values as indicators when PKINIT is used + to authenticate. Add a test case in t_pkinit.py for this feature. 
+ + ticket: 8157 + + src/plugins/preauth/pkinit/pkinit.h | 2 ++ + src/plugins/preauth/pkinit/pkinit_srv.c | 18 ++++++++++++++++++ + src/tests/t_pkinit.py | 9 ++++++++- + 3 files changed, 28 insertions(+), 1 deletion(-) + +commit e6e6e54e89bc9644144436c3f267796ed790f70c +Author: Greg Hudson +Date: Thu Jan 8 15:56:37 2015 -0500 + + Add indicator support to OTP + + Read an "indicator" profile variable for OTP token types and assert + its values as indicators when that token type is used to authenticate. + Add a test case in t_otp.py for this feature. + + ticket: 8157 + + src/plugins/preauth/otp/main.c | 13 ++++++++++++- + src/plugins/preauth/otp/otp_state.c | 29 ++++++++++++++++++++++++----- + src/plugins/preauth/otp/otp_state.h | 3 ++- + src/tests/t_otp.py | 7 ++++++- + 4 files changed, 44 insertions(+), 8 deletions(-) + +commit e64140aba967e3d8a785d4f83b1477ed0bdc85bd +Author: Greg Hudson +Date: Sun Mar 15 15:56:34 2015 -0400 + + Test auth indicator functionality + + Modify adata.c to handle CAMMAC containers and display auth + indicators. Modify the test preauth module to transmit a list of + indicators (specified by a gic opt) from the clpreauth module to the + kdcpreauth module and assert them to the KDC. Add a new s4u2proxy + test harness in src/tests which can be used to exercise S4U2Proxy + without going through GSSAPI, using a second ccache containing an + existing evidence ticket. + + Add tests to t_authdata.py to exercise a variety of ticket issuing + scenarios and verify that the correct auth indicators appear in each + ticket. 
+ + ticket: 8157 + + .gitignore | 1 + + src/plugins/preauth/test/cltest.c | 66 ++++++++++++++++++-- + src/plugins/preauth/test/kdctest.c | 29 +++++++-- + src/tests/Makefile.in | 11 ++-- + src/tests/adata.c | 60 ++++++++++++++++-- + src/tests/s4u2proxy.c | 110 ++++++++++++++++++++++++++++++++ + src/tests/t_authdata.py | 125 +++++++++++++++++++++++++++++++++++++ + 7 files changed, 381 insertions(+), 21 deletions(-) + +commit 24dc279b9b14fe8d6674fdd2a9210c1e1fb52e37 +Author: Greg Hudson +Date: Wed Jan 28 17:10:36 2015 -0500 + + Enforce auth indicator restrictions in KDC + + If the string attribute "require_auth" is set on a the server + principal of an AS or TGS request, deny the request unless one of the + named indicators is present was asserted for the client's initial + authentication. + + ticket: 8157 + + src/include/kdb.h | 1 + + src/kdc/do_as_req.c | 7 +++++++ + src/kdc/do_tgs_req.c | 6 ++++++ + src/kdc/kdc_util.c | 36 ++++++++++++++++++++++++++++++++++++ + src/kdc/kdc_util.h | 4 ++++ + 5 files changed, 54 insertions(+) + +commit 97973cf89cdc18a80c2bf5450caa1548c5be0b7b +Author: Greg Hudson +Date: Mon Jan 26 16:18:38 2015 -0500 + + Propagate auth indicators in TGS requests + + For normal and S4U2Proxy TGS requests (but not S4U2Self requests), + extract indicators from the subject ticket and include them in the + issued ticket. + + ticket: 8157 + + src/kdc/do_tgs_req.c | 15 ++++++++++++++- + src/kdc/kdc_authdata.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + src/kdc/kdc_util.h | 4 ++++ + 3 files changed, 60 insertions(+), 1 deletion(-) + +commit 7601a1c9e103b148d94974bb2ba0c85969055c65 +Author: Greg Hudson +Date: Sun Jan 18 14:46:11 2015 -0500 + + Add authentication indicators in AS-REQs + + Add an auth_indicators parameter to handle_authdata(). In + finish_process_as_req(), supply the auth indicators asserted by + preauth modules. 
In handle_authdata(), wrap any supplied auth + indicators in CAMMAC and IF-RELEVANT containers and include them in + the ticket. + + ticket: 8157 + + src/kdc/do_as_req.c | 1 + + src/kdc/do_tgs_req.c | 1 + + src/kdc/kdc_authdata.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ + src/kdc/kdc_util.h | 1 + + 4 files changed, 53 insertions(+) + +commit dd95e18f5cfa426db0f265172202debd257f3cdb +Author: Greg Hudson +Date: Mon Dec 22 12:44:08 2014 -0500 + + Add kdcpreauth callback for auth indicators + + Add a new kdcpreauth callback add_auth_indicator, which adds an + authentication indicator string. This commit doesn't do anything with + the asserted authentication indicators; they are tracked in the + auth_indicators field of struct as_req_state to be used later. + + ticket: 8157 + + src/include/krb5/kdcpreauth_plugin.h | 6 ++++++ + src/kdc/do_as_req.c | 3 +++ + src/kdc/kdc_preauth.c | 10 +++++++++- + src/kdc/kdc_util.h | 1 + + 4 files changed, 19 insertions(+), 1 deletion(-) + +commit 5b39ea2b4ed54f4f208246b3cb725e7b1113d047 +Author: Greg Hudson +Date: Mon Feb 2 14:54:14 2015 -0500 + + Add KDC CAMMAC and auth indicator functions + + Add KDC utility functions to manipulate CAMMACs and authentication + indicators, to be used in later commits. + + ticket: 8157 + + src/kdc/Makefile.in | 4 ++ + src/kdc/authind.c | 123 +++++++++++++++++++++++++++++++++ + src/kdc/cammac.c | 194 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + src/kdc/kdc_util.h | 25 +++++++ + 4 files changed, 346 insertions(+) + +commit a19109fffc70cabcabab00d00bf65ea85fd33e1a +Author: Greg Hudson +Date: Thu Jan 22 12:45:25 2015 -0500 + + Filter CAMMAC authdata from non-KDC sources + + Also filter auth-indicator authdata values which aren't wrapped in + CAMMACs, although we don't normally expect to see those. 
+ + ticket: 8157 + + src/kdc/kdc_authdata.c | 2 ++ + src/lib/krb5/krb/authdata_dec.c | 2 ++ + 2 files changed, 4 insertions(+) + +commit 4df561263da85d4683864e24de74df3bee18593e +Author: Greg Hudson +Date: Mon Jan 19 17:48:29 2015 -0500 + + Add constants for CAMMAC and auth-indicator + + ticket: 8157 + + src/include/krb5/krb5.hin | 3 +++ + 1 file changed, 3 insertions(+) + +commit d0f63158c3b0e9ebfe76c56136a575b41ec12642 +Author: Greg Hudson +Date: Fri Dec 19 12:19:23 2014 -0500 + + Add ASN.1 encoder/decoder for UTF-8 strings + + Add functions to encode and decode SEQUENCE OF UTF8String into a + null-terminated array of krb5_data pointers. This type is simple + enough that we don't need specific tests for it. + + ticket: 8157 + + src/include/k5-int.h | 9 +++++++++ + src/lib/krb5/asn.1/asn1_k_encode.c | 4 ++++ + src/lib/krb5/krb/kfree.c | 10 ++++++++++ + src/lib/krb5/libkrb5.exports | 3 +++ + 4 files changed, 26 insertions(+) + +commit 3c9ab5220bcc3f57641f6f4b6942b17aadb6613d +Author: Greg Hudson +Date: Fri Jul 17 13:03:35 2015 -0400 + + Fix compatibility with pre-1.11 iprop dump files + + Ticket #7223 added new policy fields and a new dump format version to + marshal them, but did not add a new iprop dump format version. As a + result, slave KDCs running 1.11 or later cannot receive full resyncs + from master KDCs running 1.10 or earlier. (Reported by John + Devitofranceschi.) + + Retroactively add support for pre-1.11 policy entries by making + process_r1_11_policy() read the first ten fields, check whether the + next whitespace character is a newline, and then read the rest if it + is not. 
+
+ ticket: 8213
+ target_version: 1.13.3
+
+ src/kadmin/dbutil/dump.c | 58 ++++++++++++++++++++++++++++++++----------------
+ src/tests/t_dump.py | 12 +++++++---
+ 2 files changed, 48 insertions(+), 22 deletions(-)
+
+commit 7fd55f171e4f0bdcdfe70a912dfa6b6be92b1479
+Author: Greg Hudson
+Date: Mon Jul 13 17:06:29 2015 -0400
+
+ Limit use of deprecated krb5 mech OIDs
+
+ Filter out mechs with the GSS_C_MA_DEPRECATED attribute from the set
+ of mechanisms obtained by SPNEGO, and from the set used when
+ gss_acquire_cred() is called with no desired_mechs attribute.
+
+ SPNEGO acceptors will still accept the old and wrong krb5 OIDs, but
+ SPNEGO initiators will not offer them. According to [MS-SPNG], only
+ Windows 2000 does not recognize the standard krb5 OID, and it is
+ client-only.
+
+ In gss-client.c, use the standard krb5 OID for the -krb5 option, as
+ acceptors who call gss_acquire_cred() with no desired_mechs to create
+ an acceptor cred will no longer accept the old or wrong krb5 OIDs.
+
+ ticket: 8217 (new)
+
+ src/appl/gss-sample/gss-client.c | 2 +-
+ src/lib/gssapi/mechglue/g_acquire_cred.c | 11 +++++++++--
+ src/lib/gssapi/spnego/spnego_mech.c | 14 +++++++++++---
+ 3 files changed, 21 insertions(+), 6 deletions(-)
+
+commit 90544415b37e4755daf9c2c548532e1ebbcbd7a9
+Author: Greg Hudson
+Date: Tue Jul 14 00:01:02 2015 -0400
+
+ Rewrite wrong-krb5-mech SPNEGO test
+
+ t_spnego.c contains a test for properly reflecting the erroneous
+ Microsoft krb5 OID. Currently this test produces its input token by
+ acquiring a SPNEGO cred and using gss_set_neg_mechs() to offer only
+ the wrong krb5 OID. This method will not work when SPNEGO is changed
+ not to acquire multiple krb5 creds in the next commit, so rewrite it
+ to manually produce the SPNEGO initiator token.
+
+ src/tests/gssapi/t_spnego.c | 130 ++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 108 insertions(+), 22 deletions(-)
+
+commit 06fbc91195bc3f7e21a9e391e98b8090aaa9b24b
+Author: Greg Hudson
+Date: Thu Jul 16 13:43:14 2015 -0400
+
+ Conditionalize iprop stderr output in kadmind
+
+ kadmind should be quiet in nofork mode after it prints the
+ "starting..." sentinel line, or it can fill the pipe buffer when run
+ from k5test.py. Since there is currently no run-time debuf flag,
+ conditionalize the DPRINT macro in ipropd_svc.c on DEBUG at compile
+ time.
+
+ ticket: 8219 (new)
+
+ src/kadmin/server/ipropd_svc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+commit dd5f948614b6662fc40dc8de3f567078cfe6295e
+Author: Tom Yu
+Date: Mon Jul 13 18:05:35 2015 -0400
+
+ Fix princflags memory management
+
+ Fix some out of memory error cases (found by Coverity) that could
+ cause multiple frees or freeing of invalid pointers. In
+ krb5_flagnum_to_string(), don't assume that asprintf() stores a null
+ pointer on failure (it does in BSD but not in glibc). In
+ krb5_flags_to_strings(), free the correct pointer in the cleanup loop
+ in on error.
+
+ ticket: 8215
+
+ src/lib/kadm5/str_conv.c | 18 ++++++++++--------
+ src/tests/t_princflags.py | 13 +++++++++++++
+ 2 files changed, 23 insertions(+), 8 deletions(-)
+
+commit 1c12dd592804321f4752ed08e2ec02689aab004c
+Author: Greg Hudson
+Date: Thu Oct 23 15:34:14 2014 -0400
+
+ Document directory names in profile paths
+
+ In krb5_conf.rst, document that KRB5_CONFIG can contain directory
+ names.
+
+ ticket: 8030
+
+ doc/admin/conf_files/krb5_conf.rst | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+commit b249d2199711ced887de9ff6bc999b4a91143e5d
+Author: Greg Hudson
+Date: Thu Oct 23 12:30:42 2014 -0400
+
+ Add test case for directory in profile path
+
+ ticket: 8030
+
+ src/util/profile/prof_test1 | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+commit 13bfcda8de68c6347d0ce15f5dcdca25f782b6b3
+Author: Roland Mainz
+Date: Tue Oct 21 12:06:42 2014 -0400
+
+ Add support for directories in profile paths
+
+ If a profile path component is a directory, process files in the
+ directory as we would for an "includedir" directive.
+
+ [ghudson@mit.edu: don't change default profile path; simplify
+ profile_process_directory using prior commit; only check stat bits,
+ not final character of pathname; misc style changes; commit message]
+
+ ticket: 8030 (new)
+
+ src/util/profile/prof_file.c | 29 +++++++++++++++++++----------
+ src/util/profile/prof_int.h | 3 +++
+ src/util/profile/prof_parse.c | 19 +++++++++++++++++++
+ 3 files changed, 41 insertions(+), 10 deletions(-)
+
+commit 433988eb744a9243041f5502c61939143986f127
+Author: Greg Hudson
+Date: Thu Oct 23 17:07:36 2014 -0400
+
+ Simplify prof_parse.c include support
+
+ We do not need to pass the whole parser state to parse_include_file
+ and parse_include_dir, only the root section. Also constify the
+ filename and dirname parameters.
+
+ src/util/profile/prof_parse.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+commit 28dc817d2a065f5e0ab73377350a0529b2f4aa48
+Author: Greg Hudson
+Date: Thu Oct 23 15:06:13 2014 -0400
+
+ Document multi-component profile paths
+
+ In env_variables.rst and krb5_conf.rst, document that KRB5_CONFIG can
+ contain multiple colon-separated pathnames.
+
+ ticket: 8031 (new)
+ target_version: 1.13.3
+ tags: pullup
+
+ doc/admin/conf_files/krb5_conf.rst | 4 +++-
+ doc/admin/env_variables.rst | 5 +++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+commit 6a06997f5f15ba81e196ac20c15b0ba17954ac6c
+Author: Greg Hudson
+Date: Fri Oct 24 16:56:47 2014 -0400
+
+ Add ASN.1 encoder and decoder for CAMMAC
+
+ Add internal type declarations for krb5_verifier_mac and krb5_cammac.
+ Add ASN.1 encoder and decoder functions and an internal free function
+ for krb5_cammac. Add ASN.1 tests for krb5_cammac as well as asn1c
+ test vectors for Verifier and AD-CAMMAC.
+
+ src/include/k5-int.h | 27 +++++++++++
+ src/lib/krb5/asn.1/asn1_k_encode.c | 27 +++++++++++
+ src/lib/krb5/krb/kfree.c | 25 +++++++++++
+ src/lib/krb5/libkrb5.exports | 3 ++
+ src/tests/asn.1/Makefile.in | 3 +-
+ src/tests/asn.1/cammac.asn1 | 30 +++++++++++++
+ src/tests/asn.1/krb5_decode_test.c | 13 ++++++
+ src/tests/asn.1/krb5_encode_test.c | 10 +++++
+ src/tests/asn.1/ktest.c | 86 ++++++++++++++++++++++++++++++++++++
+ src/tests/asn.1/ktest.h | 3 ++
+ src/tests/asn.1/ktest_equal.c | 40 +++++++++++++++--
+ src/tests/asn.1/ktest_equal.h | 1 +
+ src/tests/asn.1/make-vectors.c | 61 ++++++++++++++++++++++++-
+ src/tests/asn.1/reference_encode.out | 2 +
+ src/tests/asn.1/trval_reference.out | 57 ++++++++++++++++++++++++
+ 15 files changed, 382 insertions(+), 6 deletions(-)
+
+commit 2c3c44ce0555110a919aff0902d143b7f00e26ef
+Author: Greg Hudson
+Date: Thu Jul 9 01:00:40 2015 -0400
+
+ Fix kdcpreauth counting bug
+
+ In kdc_preauth.c, commit be20a5f5cee8d6c4072d1b81712520dbf9f6eefd made
+ load_preauth_plugins() handle negative preauth type numbers.
+ get_plugin_vtables() also needs to handle negative preauth type
+ numbers, or it can return the wrong count and load_preauth_plugins()
+ can overflow the table.
+
+ ticket: 8200
+
+ src/kdc/kdc_preauth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 971fae8285427b27dfd8c9a535a18eb588ee0689
+Author: Tom Yu
+Date: Thu Jul 2 16:16:07 2015 -0400
+
+ Unify KDB principal flag conversion functions
+
+ These changes unify the KDB principal flag specifiers used by kadmin,
+ kdc.conf default_principal_flags, and kadm5.acl. Each of those
+ interfaces will now accept any of the historically accepted input
+ forms of any of those interfaces. Additionally, accept flag
+ specifiers in the forms that kadmin prints, as well as hexadecimal
+ numbers.
+
+ Replace krb5_string_to_flags() with krb5_flagspec_to_mask(). The
+ latter has a pseudo-ternary output, allowing different pointers for
+ flags to set versus flags to clear. Additional functionality includes
+ parsing hexadecimal numbers for flag settings.
+
+ Remove krb5_input_flag_to_string(), which nothing in the tree used,
+ and probably hasn't ever worked properly due to long-standing gaps in
+ the flag number sequence.
+
+ Remove krb5_flags_to_string(), which nothing in the tree used.
+ Verbose flag output can be added back through another interface if
+ there is demand.
+
+ Add krb5_flagnum_to_string(), which produces a string representation
+ of a flag number. Additional functionality includes output of
+ hexadecimal numbers for unknown flags.
+
+ Add krb5_flags_to_strings(), which produces an array of strings
+ describing the flags, using the output from krb5_flagnum_to_string().
+
+ ticket: 8215
+
+ src/include/adm_proto.h | 8 +-
+ src/kadmin/cli/kadmin.c | 101 ++-----
+ src/lib/kadm5/admin_internal.h | 4 -
+ src/lib/kadm5/alt_prof.c | 2 +-
+ src/lib/kadm5/clnt/Makefile.in | 2 +-
+ src/lib/kadm5/clnt/libkadm5clnt_mit.exports | 6 +-
+ src/lib/kadm5/srv/Makefile.in | 2 +-
+ src/lib/kadm5/srv/libkadm5srv_mit.exports | 6 +-
+ src/lib/kadm5/srv/server_acl.c | 18 +-
+ src/lib/kadm5/str_conv.c | 396 +++++++++++++++-------------
+ src/plugins/kdb/test/kdb_test.c | 6 +-
+ 11 files changed, 257 insertions(+), 294 deletions(-)
+
+commit ea62dd834f343b2dddea81c8295f2f8876c83090
+Author: Tom Yu
+Date: Wed Jul 1 16:28:45 2015 -0400
+
+ Add test suite for KDB principal flags
+
+ Test kadmin.local reading of principal flag specifiers, kdc.conf
+ setting of default_principal_flags, and kadm5.acl restrictions. Only
+ really tests one flag at a time.
+
+ Also start requiring Python 2.5 for the test suite. It's been around
+ for long enough, and some syntax features such as conditional
+ expressions are useful.
+
+ ticket: 8215 (new)
+ subject: Unify KDB principal flag specifiers
+ target_version: 1.14
+
+ src/configure.in | 3 +-
+ src/tests/Makefile.in | 1 +
+ src/tests/t_princflags.py | 126 ++++++++++++++++++++++
+ src/util/k5test.py | 2 +-
+ src/util/princflags.py | 264 ++++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 394 insertions(+), 2 deletions(-)
+
+commit be20a5f5cee8d6c4072d1b81712520dbf9f6eefd
+Author: Greg Hudson
+Date: Sun Mar 15 15:56:34 2015 -0400
+
+ Test client_keyblock kdcpreauth callback
+
+ Add internal clpreauth and kdcpreauth modules named "test" which can
+ exercise the client_keyblock callback (as well as get_string and
+ get_as_key on the client side). Add tests to t_etype_info.py to
+ verify that the callback matches the etype info sent by the KDC.
+
+ In the KDC's load_preauth_plugins(), correct a test for the end of
+ pa_type_list so that we can use a negative preauth type number for the
+ test module.
(RFC 4120 reserves negative preauth type values for
+ unregistered use.)
+
+ ticket: 8200
+
+ src/Makefile.in | 1 +
+ src/configure.in | 1 +
+ src/kdc/kdc_preauth.c | 2 +-
+ src/plugins/preauth/test/Makefile.in | 21 ++++++
+ src/plugins/preauth/test/cltest.c | 107 ++++++++++++++++++++++++++
+ src/plugins/preauth/test/deps | 0
+ src/plugins/preauth/test/kdctest.c | 137 ++++++++++++++++++++++++++++++++++
+ src/plugins/preauth/test/test.exports | 2 +
+ src/tests/t_etype_info.py | 21 ++++++
+ 9 files changed, 291 insertions(+), 1 deletion(-)
+
+commit 7b12eb4757f8dd05b79c9b49d4289f0caf1f6eec
+Author: Greg Hudson
+Date: Thu Jun 4 14:08:06 2015 -0400
+
+ Add client_keyblock kdcpreauth callback
+
+ Add a new kdcpreauth callback which gets the selected client key.
+ This callback can be used by preauth mechs which need to use the
+ singular reply key in a challenge sent by the KDC, now that we send
+ only one etype-info entry in PREAUTH_REQUIRED errors.
+
+ ticket: 8200 (new)
+
+ src/include/krb5/kdcpreauth_plugin.h | 15 ++++++++++++++-
+ src/kdc/kdc_preauth.c | 11 +++++++++--
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+commit 5cf4a7e220141f10f51995ceae9b9e74232a31b7
+Author: Greg Hudson
+Date: Fri Jun 5 21:19:15 2015 -0400
+
+ Add tests for KDC etype-info behavior
+
+ Create a new test harness etinfo.c which can display etype-info2
+ information in KDC responses. Use it to test the etype-info results
+ in preauth_required error e-data and AS-REP padata.
+
+ ticket: 8199
+
+ .gitignore | 1 +
+ src/tests/Makefile.in | 19 ++++--
+ src/tests/etinfo.c | 166 ++++++++++++++++++++++++++++++++++++++++++++++
+ src/tests/t_etype_info.py | 76 +++++++++++++++++++++
+ 4 files changed, 255 insertions(+), 7 deletions(-)
+
+commit 385cd2d07983a89892dad1606e1a41a78066c6ec
+Author: Greg Hudson
+Date: Sat Jun 6 15:45:39 2015 -0400
+
+ Only include one key in etype-info
+
+ As described in RFC 6113 section 2.1, the KDC can choose a single
+ long-term key at the beginning of the preauth conversation based on
+ the request enctype list. Implement this change for the PA-ETYPE-INFO
+ and PA-ETYPE-INFO2 padata included in preauth hint lists, by selecting
+ the client key before checking padata, making the client keyblock
+ available in the preauth rock, and unifying the etype-info handlers to
+ use a single helper function for edata and AS-REP padata.
+
+ ticket: 8199 (new)
+
+ src/kdc/do_as_req.c | 88 ++++++++++-------
+ src/kdc/kdc_preauth.c | 269 +++++++++-----------------------------------------
+ src/kdc/kdc_util.h | 1 +
+ 3 files changed, 104 insertions(+), 254 deletions(-)
+
+commit 47b37b9e13ca1456ba6710f31bc41012d050dd07
+Author: Greg Hudson
+Date: Fri Jul 3 19:34:46 2015 -0400
+
+ Fix uncommon null dereference in PKINIT client
+
+ crypto_retrieve_cert_sans() is allowed to set its princs output to
+ NULL, although the OpenSSL implementation rarely does. Fix the
+ TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC for loop to allow this like other
+ parts of the function do, and also get rid of the unnecessary princptr
+ variable by using an integer index like other parts of the function.
+
+ Based on a patch from Daniel Deptula.
+
+ ticket: 8214 (new)
+ target_version: 1.13.3
+ tags: pullup
+
+ src/plugins/preauth/pkinit/pkinit_clnt.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+commit a99e5565e99b83a86002332e39938aa6bed6a26a
+Author: Greg Hudson
+Date: Fri Jul 3 20:13:43 2015 -0400
+
+ Add rename method to kadm5_hook
+
+ Bump the minor version of the kadm5_hook interface to 2 and add a
+ rename method. Invoke the rename method in kadm5_rename_principal()
+ like we do for other libkadm5srv operations.
+
+ Partly based on a patch from John Hascall.
+
+ ticket: 8171
+
+ doc/plugindev/kadm5_hook.rst | 5 +++--
+ src/include/krb5/kadm5_hook_plugin.h | 11 +++++++++++
+ src/lib/kadm5/server_internal.h | 7 +++++++
+ src/lib/kadm5/srv/kadm5_hook.c | 10 +++++++++-
+ src/lib/kadm5/srv/svr_principal.c | 8 ++++++++
+ src/plugins/kadm5_hook/test/main.c | 8 ++++++++
+ src/tests/t_kadm5_hook.py | 4 ++++
+ 7 files changed, 50 insertions(+), 3 deletions(-)
+
+commit 1be1c3593e6a50cbed2e5d2d52b98d4413f669d4
+Author: Greg Hudson
+Date: Tue Apr 21 13:39:34 2015 -0400
+
+ Use memory cache in gss_acquire_cred_with_password
+
+ gss_acquire_cred_with_password() was originally introduced in Solaris.
+ When we introduced it in 1.9, we unfortunately gave it different and
+ less useful semantics. Restore this function to the Solaris
+ semantics, which are to always get credentials and store them in a
+ private memory ccache. The caller can use gss_store_cred() to make
+ the resulting creds visible to other processes if desired.
+
+ ticket: 8152
+
+ src/appl/gss-sample/t_gss_sample.py | 11 ++++++++---
+ src/lib/gssapi/krb5/acquire_cred.c | 24 +++++++++++++++---------
+ 2 files changed, 23 insertions(+), 12 deletions(-)
+
+commit e110ce6ed19f5349e304e826e6b8066312c6c15c
+Author: Tom Yu
+Date: Thu Jun 25 19:31:53 2015 -0400
+
+ Deindent krb5_string_to_keysalts
+
+ Remove a level of indentation for the list-appending part of the
+ krb5_string_to_keysalts() loop body by consolidating the strtok_r()
+ calls into the controlling expreession of the loop.
+
+ src/lib/kadm5/str_conv.c | 33 +++++++++++++++++----------------
+ 1 file changed, 17 insertions(+), 16 deletions(-)
+
+commit 02a85d73c4548d27dcbc1c1681b4bf1370b03632
+Author: Greg Hudson
+Date: Fri Jun 19 17:16:52 2015 -0400
+
+ Fix leak in gss_acquire_cred_with_password
+
+ The target_mechs array needs to be freed on successful return.
+
+ ticket: 8204 (new)
+ target_version: 1.13.3
+ tags: pullup
+
+ src/lib/gssapi/mechglue/g_acquire_cred_with_pw.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+commit cf39ed349976908626cad3e05e17788f8334bce9
+Author: Andreas Schneider
+Date: Tue Jun 23 16:27:27 2015 +0200
+
+ Implement GSS_KRB5_CRED_NO_CI_FLAGS_X for SPNEGO
+
+ In the SPNEGO mechanism, if we see the GSS_KRB5_CRED_NO_CI_FLAGS_X
+ option, do not explicitly ask for integrity flag from underlying
+ mechanisms. Adjust t_ciflags.c to match the new behavior, and add a
+ SPNEGO test using a normal initiator cred.
+
+ [ghudson@mit.edu: adjust style; fix tests here instead of in a
+ subsequent commit; clarify commit message]
+
+ ticket: 6938
+
+ src/lib/gssapi/spnego/gssapiP_spnego.h | 1 +
+ src/lib/gssapi/spnego/spnego_mech.c | 25 ++++++++++++++++++++++---
+ src/tests/gssapi/t_ciflags.c | 10 ++++------
+ 3 files changed, 27 insertions(+), 9 deletions(-)
+
+commit 98092b003a730fa490bf2fff1b50a2339c1b2811
+Author: Andreas Schneider
+Date: Thu Jun 25 15:35:52 2015 +0200
+
+ Add function to allocate SPNEGO cred handle
+
+ Use a helper function to allocate SPNEGO cred handles, to make sure
+ that all members of the cred structure are zeroed or initialized.
+
+ [ghudson@mit.edu: avoid gss_ prefix on helper function and give it a
+ name similar to create_spnego_ctx(); unbrace some single-line if
+ bodies; clarify commit message]
+
+ src/lib/gssapi/spnego/spnego_mech.c | 54 ++++++++++++++++++++-----------------
+ 1 file changed, 29 insertions(+), 25 deletions(-)
+
+commit 9f095e1aab582e5a94c93d587f6d09e9d8f7479e
+Author: Solly Ross
+Date: Mon Jun 8 14:06:18 2015 -0400
+
+ Allow gss_inquire_context on partial krb5 contexts
+
+ RFC 2743 states that gss_inquire_context() must always return flags,
+ locally_initiated, and open even if a context is not yet fully
+ established. Additionally, a partially established context may also
+ return mech_type.
+
+ Previously, the krb5 mech raised an error for inquire_context on
+ partially completed contexts. It now follows the rules layed out in
+ RFC 2743.
+
+ Add a new test program to verify that gss_inquire_context() works
+ correctly on both in-progress and established contexts.
+
+ [ghudson@mit.edu: minor style changes and commit message edits]
+
+ ticket: 8025
+
+ .gitignore | 1 +
+ src/lib/gssapi/krb5/inq_context.c | 90 +++++++++++++---------
+ src/lib/gssapi/mechglue/g_inq_context.c | 5 +-
+ src/tests/gssapi/Makefile.in | 17 +++--
+ src/tests/gssapi/t_gssapi.py | 4 +
+ src/tests/gssapi/t_inq_ctx.c | 131 ++++++++++++++++++++++++++++++++
+ 6 files changed, 202 insertions(+), 46 deletions(-)
+
+commit 27e6ab7e5b6a0538f529f440aeb967822eff8f57
+Author: Ben Kaduk
+Date: Thu Jun 25 15:28:29 2015 -0400
+
+ Update KfW copyright
+
+ This probably should not be a hardcoded string, but we can at
+ least make it correct for now.
+
+ ticket: 8212 (new)
+ subject: KfW 4.1-beta2 has stale copyright in 'About' box
+ queue: kfw
+ tags: pullup
+ target_version: 1.13.3
+
+ src/windows/version.rc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit d376d5948d2af7dcf60368bc3b6fe6c23172a831
+Author: Ben Kaduk
+Date: Wed Jun 24 13:34:32 2015 -0400
+
+ Make the Principal column wider by default
+
+ The current 100-pixel default is too small to fit most principal
+ names (particularly the realm). There is no reason why all the
+ columns must be the same width, so promote this one as needing
+ more space.
+
+ ticket: 8211 (new)
+ subject: Leash's column for principal name truncates most principals
+ queue: kfw
+ tags: pullup
+ target_version: 1.13.3
+
+ src/windows/leash/LeashView.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 287b8eae295a3ab496b04b327840e92c235efd1a
+Author: Ben Kaduk
+Date: Tue Jun 23 10:38:19 2015 -0400
+
+ Make registry hostrealm module highest precedence
+
+ Testing reveals that there are a number of machines in the wild
+ which retain old krb5.ini files across domain configuration changes,
+ and it is difficult to determine which machines are potentially
+ affected by incorrect stale configuration data.
+
+ To enable domain administrators to easily ensure that the correct
+ default realm is set, allow the registry hostrealm module to take
+ precedence over the profile.
+
+ Note that the registry hostrealm module can still be disabled
+ in the hostrealm interface configuration statment in the
+ [plugins] section of the profile.
+
+ ticket: 8209 (new)
+ subject: stale krb5.ini files still cause default realm WIN.MIT.EDU
+ tags: pullup
+ target_version: 1.13.3
+
+ src/lib/krb5/os/hostrealm.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+commit 0e025dd9bd64169a2acf5c9bea7a17eec7b37a13
+Author: Ben Kaduk
+Date: Fri May 29 14:46:58 2015 -0400
+
+ Stop using the WiX src attribute
+
+ The src attribute has been deprecated for a while in favor of
+ different (more descriptive) attributes for the different XML
+ elements involved.
+
+ For the File element, use the Source attribute.
+ For the Directory element, use the FileSource attribute.
+ For the Merge, Binary, and Text elements, use the SourceFile attribute.
+
+ This makes the installer build much quieter, with the warnings from
+ the light.exe invocation all fitting into the default history buffer.
+
+ ticket: 8208 (new)
+ queue: kfw
+ tags: pullup
+ target_version: 1.13.3
+
+ src/windows/installer/wix/files.wxi | 64 +++++++++++++++---------------
+ src/windows/installer/wix/kfw.wxs | 2 +-
+ src/windows/installer/wix/lang/ui_1033.wxi | 24 +++++------
+ 3 files changed, 45 insertions(+), 45 deletions(-)
+
+commit 280a4b1125743bae3bf05af266131e2a524c8adf
+Author: Ben Kaduk
+Date: Wed May 27 15:36:51 2015 -0400
+
+ Stop using the WiX Registry element
+
+ It is deprecated in favor of more specific XML elements such
+ as RegistryKey, RegistryValue, and RemoveRegistryKey, so as to
+ stop overloading a single element for what are fundamentally
+ different types and operations.
+
+ RegistryValue elements can be children of RegistryKey elements,
+ allowing the Key attribute to be inherited, or bare within the
+ containing Component. We do not take advantage of the inheritance
+ at this time, since that would be a more disruptive change.
+
+ WiX would prefer for us to not use the createAndRemoveOnUninstall
+ attribute of , in favor of ForceCreateOnInstall
+ and/or ForceRemoveOnUninstall, but that can wait for a follow-up
+ commit.
+
+ Some instances of were commented-out and can simply be
+ removed.
+
+ Some of the elements used to create keys were also
+ setting the KeyPath attribute, which is not permitted in the
+ element. According to
+ http://sourceforge.net/p/wix/bugs/3197/ , this should never have
+ been allowed, and non-value registry keys should not be used as
+ MSI KeyPaths. In all affected cases, there are child
+ RegistryValue elements that are suitable for use as KeyPath
+ elements instead.
+
+ Some of the elements were present with a duplicate
+ element with different Id that added no new attributes; those
+ duplicate elements can safely be removed.
+
+ is used to replace elements
+ with Action=removeKeyOnInstall.
+
+ ticket: 7392
+ tags: pullup
+ target_version: 1.13.3
+
+ src/windows/installer/wix/files.wxi | 269 +++++++++++++++++-------------------
+ 1 file changed, 126 insertions(+), 143 deletions(-)
+
+commit 50b3bba748084c99a339bd526ad47ecfccc09472
+Author: Ben Kaduk
+Date: Mon Jun 22 19:11:28 2015 -0400
+
+ Put focus on password field when principal is set
+
+ In the Leash "Get Ticket" window, under some user-customized
+ configurations, the principal field can be pre-populated. In this case,
+ it makes sense for the default focus to be on the password field,
+ since most users will only be using a single principal and should
+ go directly to typing their password.
+
+ The focus was already set to the password field in the case when
+ the principal was not modifiable (such as when the "Get Ticket" dialog
+ was opened by an application requesting a specific ticket).
+
+ ticket: 8032
+ tags: pullup
+ target_version: 1.13.3
+
+ src/windows/leashdll/lsh_pwd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit b26d25e97cf3c53ef896092c71948011ceac645d
+Author: Ben Kaduk
+Date: Fri May 22 14:38:27 2015 -0400
+
+ Add leash column for the ccache name
+
+ Previously, it was fairly easy to set the default cache to MSLSA:,
+ which is not collection-enabled (as opposed to the normal default
+ of API:, which is), and the non-collection behavior proved confusing
+ to many users.
+
+ Ideally there would be an option to choose the output ccache in
+ the "Get Ticket" window, but that is more complicated to implement
+ than just a display of what cache a given ticket is in. This
+ extra display column should still help to alleviate user confusion.
+
+ ticket: 8207 (new)
+ queue: kfw
+ tags: pullup
+ target_version: 1.13.3
+
+ src/windows/leash/Leash.rc | 2 ++
+ src/windows/leash/LeashUICommandHandler.cpp | 5 +++++
+ src/windows/leash/LeashView.cpp | 25 ++++++++++++++++++++++---
+ src/windows/leash/LeashView.h | 6 +++++-
+ src/windows/leash/kfwribbon.xml | 4 ++++
+ src/windows/leash/resource.h | 1 +
+ 6 files changed, 39 insertions(+), 4 deletions(-)
+
+commit bfba2d235370a3902faeeaad8a54d8a2dcc3427b
+Author: Ben Kaduk
+Date: Fri May 22 14:42:02 2015 -0400
+
+ Make ribbon home tab more pretty
+
+ In the absence of a label title for a given command group, the
+ text "MS Shell Dlg" was inserted, which is somewhat confusing to
+ the user. Give the ticket-maniuplation group a title consisting
+ of a space, which removes the confusing text from the display.
+
+ ticket: 8206 (new)
+ queue: kfw
+ tags: pullup
+ target_version: 1.13.3
+
+ src/windows/leash/kfwribbon.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 1b07396924dc4c222ddb6adec415cb53827dbe25
+Author: Ben Kaduk
+Date: Fri May 15 12:09:35 2015 -0400
+
+ Correct CSAIL KDC names
+
+ CSAIL and ATHENA are served from different KDCs.
+
+ ticket: 8196 (new)
+ quque: kfw
+ tags: pullup
+ target_version: 1.13.3
+
+ src/windows/installer/wix/files.wxi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+commit c1887eda950dfd84696f4f9bab9098f0bf1fd3c0
+Author: Greg Hudson
+Date: Sat May 30 13:05:52 2015 -0400
+
+ Add tests for GSS_KRB5_CRED_NO_CI_FLAGS_X
+
+ ticket: 6938
+
+ .gitignore | 1 +
+ src/tests/gssapi/Makefile.in | 44 +++++++++-------
+ src/tests/gssapi/t_ciflags.c | 122 +++++++++++++++++++++++++++++++++++++++++++
+ src/tests/gssapi/t_gssapi.py | 3 ++
+ 4 files changed, 150 insertions(+), 20 deletions(-)
+
+commit 7e6965ae33338216650384ca559d49e90312087a
+Author: Andreas Schneider
+Date: Thu May 7 16:16:59 2015 +0200
+
+ Implement GSS_KRB5_CRED_NO_CI_FLAGS_X cred option
+
+ Microsoft implements GSS-SPNEGO, a non-standard SASL mechanism which
+ omits the usual wrap exchange after the GSS context is established.
+ As a result, it does not support authzids, does not negotiate a
+ maximum message size, and implicitly negotiates a security layer based
+ on the GSS flags asserted by the client. If the client asserts GSS
+ flags corresponding to a security layer the server can't support, the
+ server has no recourse except to reject the connection.
+
+ Implement Heimdal's GSS_KRB5_CRED_NO_CI_FLAGS_X cred option. When set
+ on an initiator cred, do not assert the confidentiality and integrity
+ flags in initiator tokens unless they were requested by the caller.
+
+ Our SPNEGO mechanism always requests integrity from the underlying
+ mechanism, which limits the utility of this option.
That issue will
+ be addressed in the future; even if it isn't, Samba currently uses its
+ own SPNEGO implementation, so can benefit from the cred option in
+ krb5.
+
+ [ghudson@mit.edu: expand GSS_KRB5_CRED_NO_CI_FLAGS_X comment, edit
+ commit message, use a boolean cred field]
+
+ ticket: 6938
+
+ src/lib/gssapi/krb5/acquire_cred.c | 1 +
+ src/lib/gssapi/krb5/gssapiP_krb5.h | 1 +
+ src/lib/gssapi/krb5/gssapi_krb5.c | 24 ++++++++++++++++++++++++
+ src/lib/gssapi/krb5/gssapi_krb5.h | 10 ++++++++++
+ src/lib/gssapi/krb5/init_sec_context.c | 14 ++++++++------
+ src/lib/gssapi/libgssapi_krb5.exports | 1 +
+ src/lib/gssapi32.def | 2 ++
+ 7 files changed, 47 insertions(+), 6 deletions(-)
+
+commit 73efbee640e18ffc53ff4e08c0ce940fb726dcd4
+Author: Greg Hudson
+Date: Mon Jun 15 17:34:23 2015 -0400
+
+ Fix make_signedpath_checksum() initialization bug
+
+ data needs to be initialized since it is freed in the cleanup handler.
+ The bug was introduced by 0c6498b2b9f4f4ad8b9f224714c84714425f2ca3 and
+ is not part of any release.
+
+ ticket: 8139
+
+ src/kdc/kdc_authdata.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 1f2060ee1793f1acea81acefa6a8b1e0da4203ce
+Author: Greg Hudson
+Date: Mon Mar 2 19:19:19 2015 -0500
+
+ Add tests for AD-SIGNTICKET corner cases
+
+ Test situations where the previous AD-SIGNTICKET logic would not use
+ the same key to create and verify the AD-SIGNTICKET data. Also test a
+ case which forces the new verification logic to try multiple krbtgt
+ versions.
+
+ ticket: 8139
+
+ src/tests/gssapi/t_s4u.py | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+commit 0c6498b2b9f4f4ad8b9f224714c84714425f2ca3
+Author: Greg Hudson
+Date: Mon Mar 2 16:27:47 2015 -0500
+
+ Use local TGT for AD-SIGNTICKET processing
+
+ Always use the first key of the local TGT to create the AD-SIGNTICKET
+ checksum, and try the first key of the last three kvnos of the local
+ TGT to verify the checksum.
+
+ ticket: 8139
+
+ src/kdc/do_as_req.c | 1 +
+ src/kdc/do_tgs_req.c | 2 +-
+ src/kdc/kdc_authdata.c | 111 ++++++++++++++++++++++++++++++++-----------------
+ src/kdc/kdc_util.h | 1 +
+ 4 files changed, 75 insertions(+), 40 deletions(-)
+
+commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b
+Author: Greg Hudson
+Date: Wed Feb 11 13:40:44 2015 -0500
+
+ Load local TGT in KDC requests
+
+ Ensure that we have the server realm TGT principal entry at hand for
+ AS and TGS requests. In the common case, this is the same as the AS
+ server or TGS header server principal, but in less common cases
+ (direct AS requests for service tickets, cross-realm TGS requests) we
+ will need to explicitly load it.
+
+ The local TGT entry is not used in this commit. In the short term, it
+ will be used to verify and sign CAMMACs and to shore up some edge
+ cases in AD-SIGNTICKET. In the longer term, we might allow realm
+ configuration variables to be stored in local TGT tl-data.
+
+ src/kdc/do_as_req.c | 11 +++++++++++
+ src/kdc/do_tgs_req.c | 9 +++++++++
+ src/kdc/kdc_util.c | 39 +++++++++++++++++++++++++++++++++++++++
+ src/kdc/kdc_util.h | 5 +++++
+ 4 files changed, 64 insertions(+)
+
+commit 7cad84e1df664f9a1513a2899661bf2b62908dd7
+Author: Greg Hudson
+Date: Mon Feb 9 15:23:05 2015 -0500
+
+ Rename krbtgt variable in KDC code
+
+ In a TGS request, the header ticket server is usually a local or
+ cross-realm TGS principal, but for ticket modification requests it
+ doesn't have to be. Similarly, the server for an AS request is
+ usually a krbtgt principal, but in some cases it is not. Since the
+ KDC code must consider all possibilities, avoid using the name
+ "krbtgt" for entries which aren't necessarily TGTs.
+
+ In process_tgs_req(), rename krbtgt to header_server and tgskey to
+ header_key.
In handle_authdata(), rename the parameters similarly and
+ pass NULL from process_as_req() for the header_server and header_key
+ parameters; the code which uses those parameters is adjusted to match.
+ In validate_transit_path(), rename krbtgt to header_srv.
+
+ Do not change the semantics of the sign_authdata DAL method at this
+ time, but more accurately document the krbtgt and krbtgt_key
+ parameters.
+
+ src/include/kdb.h | 14 ++++++++------
+ src/include/krb5/kdcauthdata_plugin.h | 5 +++--
+ src/kdc/do_as_req.c | 4 ++--
+ src/kdc/do_tgs_req.c | 20 +++++++++++---------
+ src/kdc/kdc_authdata.c | 32 ++++++++++++++++++++++----------
+ src/kdc/kdc_util.c | 8 ++++----
+ src/kdc/kdc_util.h | 4 ++--
+ 7 files changed, 52 insertions(+), 35 deletions(-)
+
+commit 1c3c40454f18f2165b959e6ecd856d5ddbbcb4c2
+Author: Greg Hudson
+Date: Thu Oct 2 12:40:25 2014 -0400
+
+ Add KDC authdata tests
+
+ Add a new test script t_authdata.py and a C harness adata.c to test
+ KDC authdata handling logic. KDB module authdata is not currently
+ tested.
+
+ .gitignore | 1 +
+ src/tests/Makefile.in | 16 ++-
+ src/tests/adata.c | 296 ++++++++++++++++++++++++++++++++++++++++++++++++
+ src/tests/t_authdata.py | 90 +++++++++++++++
+ 4 files changed, 397 insertions(+), 6 deletions(-)
+
+commit b9820f5b3bfe1347565a39b6f8dce97828e8a2a3
+Author: Greg Hudson
+Date: Mon Sep 29 11:19:08 2014 -0400
+
+ Update test KDC authdata module to new interface
+
+ Remove plugins/authdata/greet, which was a v0 KDC module. Modify
+ plugins/authdata/greet_server to use the new interface. Within
+ greet_auth.c, remove the unused function greet_kdc_verify. Build the
+ greet_client and greet_server modules by default, but do not install
+ them.
+ + src/Makefile.in | 3 +- + src/configure.in | 1 - + src/plugins/authdata/greet/Makefile.in | 23 ----- + src/plugins/authdata/greet/deps | 6 -- + src/plugins/authdata/greet/greet.exports | 1 - + src/plugins/authdata/greet/greet_auth.c | 99 ---------------------- + src/plugins/authdata/greet_client/Makefile.in | 3 +- + src/plugins/authdata/greet_server/Makefile.in | 3 +- + src/plugins/authdata/greet_server/greet_auth.c | 78 ++++------------- + .../authdata/greet_server/greet_server.exports | 2 +- + 10 files changed, 21 insertions(+), 198 deletions(-) + +commit 4325964a5d472422cb0a1600676787d7bcfde5d2 +Author: Greg Hudson +Date: Sat Sep 27 16:14:02 2014 -0400 + + Modernize kdc_authdata.c + + Adjust whitespace, identifier names, and in some cases flow control. + No functional changes. + + src/kdc/kdc_authdata.c | 670 +++++++++++++++++++++---------------------------- + 1 file changed, 282 insertions(+), 388 deletions(-) + +commit c538feaaaeb63161c87e965f88d3b3f2795aefc9 +Author: Greg Hudson +Date: Fri Sep 26 12:02:14 2014 -0400 + + Use new KDC authdata interface in kdc_authdata.c + + Remove the server authdata interface declarations from authdata.h and + the code to load and invoke old KDC authdata modules. Add code to + load and invoke authdata modules using the new kdcauthdata pluggable + interface. + + src/include/krb5/authdata_plugin.h | 113 -------------- + src/kdc/kdc_authdata.c | 310 ++++++++----------------------------- + 2 files changed, 65 insertions(+), 358 deletions(-) + +commit d87fffd66c208cf6f13d17e4a5e911c2b259db24 +Author: Greg Hudson +Date: Fri Sep 26 11:54:16 2014 -0400 + + Add declarations for new KDC authdata interface + + Add a pluggable interface for KDC authdata using the current plugin + infrastructure, mirroring the KDC functionality of authdata_plugin.h. + Like the old interface, this one isn't yet public. 
+ + src/include/k5-int.h | 3 +- + src/include/krb5/kdcauthdata_plugin.h | 128 ++++++++++++++++++++++++++++++++++ + src/lib/krb5/krb/plugin.c | 3 +- + 3 files changed, 132 insertions(+), 2 deletions(-) + +commit c96fe6c87a69122e6b699385f52a959d375ca4bb +Author: Greg Hudson +Date: Tue Sep 23 12:36:20 2014 -0400 + + Get rid of static KDC authdata systems + + Remove the static_authdata_systems table from kdc_authdata.c and + instead call the relevant functions explicitly in handle_authdata. + Eliminate the flags field from krb5_authdata_systems as it is no + longer used. Rename the functions to be more descriptive. Move + simple conditionals on authdata processing to handle_authdata for + clarity. Move handle_authdata to the end of the file to avoid the + need for static function declarations. + + src/kdc/kdc_authdata.c | 383 ++++++++++++++++--------------------------------- + 1 file changed, 123 insertions(+), 260 deletions(-) + +commit 4676e823e6ee9a5731872b31c5588c1b5932e0a3 +Author: Greg Hudson +Date: Wed Jun 10 19:48:51 2015 -0400 + + Tolerate null oid pointer in gss_release_oid() + + Under some circumstances, gss_inquire_name() can call + gss_release_oid() with a null oid pointer, which currently causes a + null dereference. The least invasive fix is for gss_release_oid() to + check for the invalid null pointer and return an error, like other + GSS-API functions do. + + ticket: 8201 (new) + target_version: 1.13.3 + tags: pullup + + src/lib/gssapi/mechglue/g_initialize.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 5c6d218e385755766ff427b3e707510f0ce175c5 +Author: Greg Hudson +Date: Tue May 19 10:38:51 2015 -0400 + + Fix bindresvport_sa port byte swap bug + + The sa_setport() helper handles conversion to network byte order, so + bindresvport_sa() should not itself call htons() on the port argument. + + (This bug was introduced in commit + 0d04b60d159ab83b943e43802b1449a3b074bc83 when adding + bindresvport_sa(). 
It was my fault, not Andreas Schneider's.) + + ticket: 8197 (new) + target_version: 1.13.3 + tags: pullup + + src/lib/rpc/bindresvport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 4b6045adb7a044cd7ddc3987da2f26bf8a5281fe +Author: Christian Heimes +Date: Fri May 15 09:37:31 2015 +0200 + + Support SNI in MS-KKDCP client + + In the k5tls plugin module, call SSL_set_tlsext_host_name() to allow + the server to use SNI support. SSL_set_tlsext_host_name() is a macro + which uses SSL_CTRL_SET_TLSEXT_HOSTNAME and is not available in all + versions of OpenSSL, so conditionalize on that constant. + + [ghudson@mit.edu: commit message] + + ticket: 8198 (new) + + src/plugins/tls/k5tls/openssl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +commit 50a3c3cbeab32577fba2b21deb72a64015c48ec7 +Author: Ben Kaduk +Date: Mon May 11 13:08:42 2015 -0400 + + Reboot after KfW installs to help the LSA cache + + It seems that we need to restart in order to be able to query the + contents of the the LSA cache, even if the only contents of the LSA + cache are what we put there, and even if the Microsoft klist.exe + correctly reports the presence of tickets in the LSA cache. + + ticket: 8176 (new) + queue: kfw + tags: pullup + target_version: 1.13.3 + + src/windows/installer/wix/kfw.wxs | 1 + + 1 file changed, 1 insertion(+) + +commit 770196087b12affc08591aa0ff7fa78658f467ab +Author: Ben Kaduk +Date: Tue May 5 17:08:04 2015 -0400 + + Bump KRB5_MINOR_RELEASE for windows + + Future releases will come from the KfW 4.1.x. series. 
+ + ticket: 8174 (new) + tags: pullup + target_version: 1.13.3 + + src/windows/installer/wix/site-local.wxi | 2 +- + src/windows/kerberos.ver | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit 90ca670ac42a9aada3c310af491bbf8b924e6a00 +Author: Ben Kaduk +Date: Tue May 5 16:55:41 2015 -0400 + + Supply a hostrealm module to query the registry + + Implement a default_realm function that checks the + {HKLM,HKCU}\Software\MIT\Kerberos5\default_realm registry values + on Windows, and just returns KRB5_PLUGIN_NO_HANDLE on Unix. + + ticket: 8173 (new) + tags: pullup + target_version: 1.13.3 + + src/lib/krb5/os/Makefile.in | 3 + + src/lib/krb5/os/hostrealm.c | 4 ++ + src/lib/krb5/os/hostrealm_registry.c | 135 +++++++++++++++++++++++++++++++++++ + src/lib/krb5/os/os-proto.h | 3 + + 4 files changed, 145 insertions(+) + +commit f0cd1a65e379dd21cdb565beed9e2d8917d1a701 +Author: Ben Kaduk +Date: Wed Mar 11 16:38:10 2015 -0400 + + Do not set allow_weak_crypto for KfW + + The MIT-internal users no longer need this crutch. + + ticket: 8178 (new) + queue: kfw + tags: pullup + target_version: 1.13.3 + + src/windows/installer/wix/athena/krb5.ini | 1 - + 1 file changed, 1 deletion(-) + +commit d7dc6c347e352324e374b3456f60e49aa4b8ba08 +Author: Ben Kaduk +Date: Fri Mar 6 15:42:10 2015 -0500 + + Fix loop to determine MSLSA principal name + + When looping over principals, check the i-th entry instead of + looking at the 0-th entry each time through the loop. This would + only affect cases when multiple ticket entries were returned from + the LSA, the first one did not have a valid principal name, but + some other one did. It is expected that all of the returned + ticket entries will always have a valid client principal name, so + this is unlikely to cause any functional difference. 
+ + ticket: 8177 (new) + queue: kfw + tags: pullup + target_version: 1.13.3 + + src/lib/krb5/ccache/cc_mslsa.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +commit 3321375cf3830a4702fdea3781a07f9dde059edc +Author: Ben Kaduk +Date: Wed Dec 5 12:15:07 2012 -0500 + + KfW shortcuts for make default, change password + + Shortcut keys such as these (in the ACCELERATORS entry in the resource + file) are what let users type, e.g., ctrl-t to get to the "get tickets" + dialog directly from the main frame. We had shortcut keys for all the + other buttons already, so add these to complete the set. + + The make default and change password functionality were already available + using keyboard-only interfaces via the ribbon access keys (tap alt, + then letters to walk through the tree of controls), but the two forms + of keyboard access are implemented differently. + + ticket: 7442 + tags: pullup + target_version: 1.13.3 + + src/windows/leash/Leash.rc | 2 ++ + 1 file changed, 2 insertions(+) + +commit 0fdbfb1891713b8ff91acba37dfb17b937929a71 +Author: Ben Kaduk +Date: Thu Apr 16 18:32:34 2015 -0400 + + Remove (old) consolidated ribbon bitmaps + + We are no longer using the MFC ribbon, so these resources + are now unused. Garbage-collect them accordingly. + + src/windows/leash/Leash.rc | 3 --- + src/windows/leash/res/homelarge.bmp | Bin 36918 -> 0 bytes + src/windows/leash/res/homesmall.bmp | Bin 11320 -> 0 bytes + src/windows/leash/res/main.bmp | Bin 1078 -> 0 bytes + src/windows/leash/resource.h | 4 ---- + 5 files changed, 7 deletions(-) + +commit 58122fec56a87ca7f88052f6b55f90b94ce1c386 +Author: Ben Kaduk +Date: Thu Apr 16 18:23:13 2015 -0400 + + Remove another lingering Leash reference + + Be consistent with the MIT Kerberos brand. 
+ + src/windows/leashdll/lshfunc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +commit fa5edf1e72b142f14d36b7eb304f55066c5af2f9 +Author: Ben Kaduk +Date: Fri Apr 10 17:33:40 2015 -0400 + + Switch to Windows SDK Ribbon from MFC Ribbon + + The MFC Ribbon implementation is not very accessible (e.g., to + screen reading software), whereas the windows ribbon provides + essentially the same functionality and good integration with + screen reading software, including the built-in Windows Narrator. + + Remove the RT_RIBBON_XML resource from the resource file and + replace it with an inclusion of the generated kfwribbon.rc file. + Also remove the ribbon1.mfcribbon-ms ribbon description from the + res/ directory. Add the appropriate dependency relation in the + Makefile. + + LeashUIApplication implements the IUIUApplication interfaces. It + appears to be difficult to cleanly tear down the underlying + IUIFramework and ribbon, since the WM_DESTROY event is handled by the + parent MFC window, which will not call IUIFramework::Destroy(). + Manually inserting a call to IUIFramework::Destroy() in the shutdown + handling of the MFC classes is difficult, since the WM_DESTROY message + is handled by a different window than where the ribbon is initialized, + and the MFC framework will attempt to access window objects + corresponding to the UI Ribbon resources after they are destroyed, + which raises exceptions. It seems best to just go without destroying + the IUIFramework, since its lifecycle matches that of the application + and there will be no leaks during the application lifecycle. + + LeashUICommandHandler implements the IUICommandHandler interfaces, + passing messages through to the existing MFC handlers, though the + default values for the various checkbox controls must be duplicated. 
+ + The (MFC) CMainFrame creates and maintains a handle to the + LeashUIApplication associated with the ribbon it creates, so that + it can query the height of the ribbon and redraw when the + LeashUIApplication signals that the ribbon size has changed. + + Record that the added object files depend on kfwribbon.h, so that + the XML markup is compiled sufficiently early in the build. + + src/windows/leash/Leash.rc | 16 +- + src/windows/leash/LeashUIApplication.cpp | 291 +++++++++++++++++++++++ + src/windows/leash/LeashUIApplication.h | 86 +++++++ + src/windows/leash/LeashUICommandHandler.cpp | 262 +++++++++++++++++++++ + src/windows/leash/LeashUICommandHandler.h | 72 ++++++ + src/windows/leash/MainFrm.cpp | 39 ++- + src/windows/leash/MainFrm.h | 3 + + src/windows/leash/Makefile.in | 6 +- + src/windows/leash/res/ribbon1.mfcribbon-ms | 352 ---------------------------- + 9 files changed, 758 insertions(+), 369 deletions(-) + +commit 025008dd215c20f804823dafa3bd9f45135be53e +Author: Ben Kaduk +Date: Thu Mar 19 14:14:02 2015 -0400 + + Mention Visual Studio 2010 SP1 in windows README + + The service pack is needed to avoid a linker error due to an + issue with the cvtres.exe utility, which manifests as + LINK: fatal error LNK1123: failure during conversion to COFF: file + invalid or corrupt. + + src/windows/README | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 8cbe19a290f00de53da284588adc84aabf64092e +Author: Benjamin Kaduk +Date: Wed Jan 22 00:30:21 2014 -0500 -commit 6283684e1e0f2c2817642d293e0da84f02433b87 -Author: Tom Yu -Date: Wed May 6 14:29:14 2015 -0400 + Do not link atl.lib into leash + + We do not consume anything from the Active Template Library, and + the atl.lib form of it has been removed from Visual Studio 2013. 
- make depend + src/windows/leash/Makefile.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit da60312f1352cbd82e39e31398f7ead2e817f119 +Author: Benjamin Kaduk +Date: Fri Jan 17 16:02:13 2014 -0500 + + XML Ribbon markup file + + The standard windows library ribbon interface is either constructed + at runtime or specified in an XML file. Since we have a static + set of functionality in our ribbon, it is simplest to just use the + XML file. + + This should duplicate the interfaces currently provided by the + MFC ribbon, though the menu items in the file menu are slightly + taller than they used to be. + + Use uicc.exe to compile the XML to the binary format and produce + a kfwribon.rc resource file and kfwribbon.h header. + + src/windows/leash/Makefile.in | 6 ++ + src/windows/leash/kfwribbon.xml | 131 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 137 insertions(+) + +commit 8f89dc561c1e8464c423bde854b6fd4283497559 +Author: Benjamin Kaduk +Date: Mon Jan 27 13:07:38 2014 -0500 + + Import separate large ribbon bitmaps + + This is the content from homelarge.bmp split up into the + separate component images, since the windows ribbon has the + (more sane) interface of using a separate resource for each + graphic, instead of expecting them all in a single bitmap which + is sliced up at runtime. + + The bitmaps are required to have alpha channels, and it seems that + the easiest way to generate bitmaps with alpha channels is to use + Microsoft Paint, since the normal Unix open-source graphics tools + do not want to output this format. 
+ + src/windows/leash/res/cpwlarge.bmp | Bin 0 -> 4152 bytes + src/windows/leash/res/destroylarge.bmp | Bin 0 -> 4152 bytes + src/windows/leash/res/exportlarge.bmp | Bin 0 -> 4152 bytes + src/windows/leash/res/getticketlarge.bmp | Bin 0 -> 4152 bytes + src/windows/leash/res/import.bmp | Bin 0 -> 3126 bytes + src/windows/leash/res/importlarge.bmp | Bin 0 -> 4152 bytes + src/windows/leash/res/makedefaultlarge.bmp | Bin 0 -> 4152 bytes + src/windows/leash/res/newlarge.bmp | Bin 0 -> 4152 bytes + src/windows/leash/res/openlarge.bmp | Bin 0 -> 4152 bytes + src/windows/leash/res/renewlarge.bmp | Bin 0 -> 4152 bytes + 10 files changed, 0 insertions(+), 0 deletions(-) + +commit 5d50bc2a62739e39ea0b90b0ced3b7489ba554b3 +Author: Benjamin Kaduk +Date: Wed Jan 22 00:05:57 2014 -0500 + + Remove MBCS from leash's DEFINES + + This is just enabling the use of multi-byte character set in the + MFC library, but we do not appear to make use of this feature. + Visual Studio 2013 gives ominous warnings that support for it may + be removed in future versions, so quiet the build and do not + enable the deprecated feature we are not using. + + src/windows/leash/Makefile.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit ebeb1e359fa10ea710d467ca3756ababd1276fa6 +Author: Ben Kaduk +Date: Tue Apr 14 15:33:20 2015 -0400 + + Fix leash crash found in some build environments + + When freeing a credentials cache name obtained from + krb5_cc_get_full_name(), the code was using plain free() + instead of the matching krb5_free_string(). If these routines + are picked from different modules at runtime, the mismatch + will cause a crash in free(), so change to using the matched + deallocation function. + + In order to use it in leash, it must be declared in Lglobals.h and + the function pointer symbol defined in Leash.cpp. 
+ + src/windows/leash/KrbListTickets.cpp | 2 +- + src/windows/leash/Leash.cpp | 2 ++ + src/windows/leash/Lglobals.h | 1 + + 3 files changed, 4 insertions(+), 1 deletion(-) + +commit 531cbea82523ee82f3ad19028f36b4f88eaf7cdb +Author: Greg Hudson +Date: Thu Apr 23 16:16:42 2015 -0400 + + Remove doc/procedures.txt + + This file is out of date, and we now use the wiki for the kind of + material it covers. Most of the information here is covered + http://k5wiki.kerberos.org/wiki/Committer_resources + + doc/procedures.txt | 159 ----------------------------------------------------- + 1 file changed, 159 deletions(-) - src/kadmin/server/deps | 17 ++++++++++++----- - src/tests/gssapi/deps | 12 ++++++++++++ - 2 files changed, 24 insertions(+), 5 deletions(-) +commit 6ef48708cf97d484f3dddafff970aa03a72824f2 +Author: Michael Mattioli +Date: Thu Apr 23 01:39:37 2015 -0400 + + Update copyright in README to 2015 + + README | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) -commit 2c31abee54d193a007d2f170d6b6746ce277146f +commit 4ad099d28437b542b76053f44f18f763bdcd5152 Author: Michael Mattioli Date: Thu Apr 23 01:39:37 2015 -0400 @@ -74,11 +4235,8 @@ [ghudson@mit.edu: squashed several commits, summarized commit messages] - (cherry picked from commit 4ad099d28437b542b76053f44f18f763bdcd5152) - - ticket: 8170 - version_fixed: 1.13.2 - status: resolved + ticket: 8170 (new) + target_version: 1.13.2 doc/appdev/refs/index.rst | 2 +- doc/kadmin/README | 20 ++++++++++---------- @@ -86,7 +4244,7 @@ doc/tools/README | 5 +---- 4 files changed, 13 insertions(+), 16 deletions(-) -commit df8afc60d970a7176a55ffe7ce21cfd57ba423cd +commit e3b5a5e5267818c97750b266df50b6a3d4649604 Author: Greg Hudson Date: Tue Mar 24 12:02:37 2015 -0400 
@@ -109,17 +4267,16 @@ CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C - (cherry picked from commit e3b5a5e5267818c97750b266df50b6a3d4649604) - - ticket: 8160 - version_fixed: 1.13.2 - status: resolved + ticket: 8160 (new) + target_version: 1.13.2 + tags: pullup + subject: requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694] src/plugins/preauth/otp/main.c | 10 +++++++--- src/plugins/preauth/pkinit/pkinit_srv.c | 4 ++-- 2 files changed, 9 insertions(+), 5 deletions(-) -commit 1e21529e8ddb98f9b00aa8b1be35b7c69c0b3c76 +commit 527edfaadb648a0dd2a42cd39a5a02a4ac37d7e3 Author: Pavel Jindra Date: Wed Apr 15 11:49:53 2015 -0400 
@@ -130,16 +4287,107 @@ [ghudson@mit.edu: commit message] - (cherry picked from commit 527edfaadb648a0dd2a42cd39a5a02a4ac37d7e3) - ticket: 8168 - version_fixed: 1.13.2 - status: resolved + target_version: 1.13.2 + tags: pullup src/plugins/kdb/db2/kdb_db2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -commit 50913c7372c5c13a1270d6823f914e07ce0563ba +commit 3c873481596653f5a35be1fffc268847867e89e7 +Author: Greg Hudson +Date: Wed Mar 4 14:43:20 2015 -0500 + + Add tests for key rotation and 32-bit keytab kvnos + + In t_keytab.py, test that kvnos no longer wrap after 255 or 32767, that + they do wrap from 65535 to 1, and that kadmin ktrem preserves the more + recent key after a wraparound. + + Also test edge cases of the 32-bit keytab kvno extension using + hand-crafted keytab entries. + + ticket: 7532 + + src/tests/t_keytab.py | 81 ++++++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 70 insertions(+), 11 deletions(-) + +commit 73bdca02cd4c0f908affeea32a1693535955a766 +Author: Greg Hudson +Date: Sun Mar 8 16:52:11 2015 -0400 + + Adjust keytab kvno workarounds + + In krb5_ktfile_get_entry(), change the pivot and fuzzy match + workarounds for kvnos to work with the 32-bit kvno extension. For the + pivot logic, try to recognize kvno wraparound at boundary by looking + at the relative timestamps and the size of the version difference. + For the fuzzy match logic, remember the first match against the low 8 + bits of the desired kvno, but keep searching for an exact match. + + ticket: 7532 + + src/lib/krb5/keytab/kt_file.c | 72 +++++++++++++++++++++++-------------------- + 1 file changed, 39 insertions(+), 33 deletions(-) + +commit 54b4ccf510b67140caec76b12fff4b30462e7e50 +Author: Greg Hudson +Date: Wed Mar 4 14:43:00 2015 -0500 + + Implement 32-bit keytab kvno extension + + Heimdal and Shishi support a 32-bit kvno at the end of a keytab entry, + overriding the 8-bit version if present. 
Implement this in the FILE + keytab type and document it in keytab_file_format.rst. + + ticket: 7532 + + doc/formats/keytab_file_format.rst | 10 +++++----- + src/lib/krb5/keytab/kt_file.c | 26 +++++++++++++++++++++++++- + 2 files changed, 30 insertions(+), 6 deletions(-) + +commit 49b2c5e30edf980e0f99b5fe2cdf6ff5b2a8b032 +Author: Greg Hudson +Date: Wed Mar 4 17:19:56 2015 -0500 + + Expand kadmin protocol kvno range + + Make xdr_krb5_kvno() use xdr_u_int() instead of xdr_u_char(), allowing + it to marshal kvno values up to 32 bits. This change is + backwards-compatible because XDR uses four bytes to marshal char + values and does no bounds checking of char values on decode. + + ticket: 7532 + + src/lib/kadm5/kadm_rpc_xdr.c | 15 +-------------- + 1 file changed, 1 insertion(+), 14 deletions(-) + +commit 1d4df2264684ab6731dedc8882a0cd6353af33da +Author: Greg Hudson +Date: Sun Mar 8 16:20:07 2015 -0400 + + Use unsigned 16-bit type for key data kvno + + Change key_data_kvno from a signed 16-bit field to an unsigned 16-bit + field, since negative values are never meaningful. When adding new + keys, wrap from 65535 to 1 to avoid using the special value 0. + + Don't bump the KDB binary version since this change is unlikely to + affect callers. + + ticket: 7532 + + src/include/k5-int.h | 2 +- + src/include/kdb.h | 2 +- + src/lib/kadm5/kadm_rpc_xdr.c | 2 +- + src/lib/kadm5/srv/adb_xdr.c | 2 +- + src/lib/kdb/kdb_convert.c | 2 +- + src/lib/kdb/kdb_cpw.c | 4 ++++ + src/lib/krb5/asn.1/ldap_key_seq.c | 3 ++- + src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c | 2 +- + 8 files changed, 12 insertions(+), 7 deletions(-) + +commit 7fbc092107298bded216fbce4cff6592275bff03 Author: Greg Hudson Date: Mon Apr 13 13:09:20 2015 -0400 
@@ -155,17 +4403,205 @@ platforms, the result would be written to the high 32 bits of the long value. - (cherry picked from commit 7fbc092107298bded216fbce4cff6592275bff03) - ticket: 8166 - version_fixed: 1.13.2 - status: resolved + target_version: 1.13.2 + tags: pullup src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 19 +++++++++---------- src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c | 16 ++++++++++------ 2 files changed, 19 insertions(+), 16 deletions(-) -commit 338cf20b3df6d30a8fe4c4d8c8e3b718edbf35a4 +commit 327c12762ba3a66c06906246e6e0e33c1d65d1b2 +Author: Tom Yu +Date: Mon Apr 13 16:45:35 2015 -0400 + + Remove STRING_BUFFER() macro in gssapi_generic.c + + In gssapi_generic.c, struct mech_attr_info_desc included some + gss_buffer_desc members whose length fields were never used. + Additionally, the STRING_BUFFER() macro's computation of the (unused) + length fields was incorrect, causing warnings in some versions of + clang. Remove the problematic STRING_BUFFER() macro and adjust the + array and generic_gss_display_mech_attr() accordingly. + + src/lib/gssapi/generic/gssapi_generic.c | 192 +++++++++++++++----------------- + 1 file changed, 90 insertions(+), 102 deletions(-) + +commit 0a8d39d8c4cbe0539343b44a9a1ebaebe9d1b363 +Author: Greg Hudson +Date: Thu Apr 9 14:23:07 2015 -0400 + + Avoid unnecessary iprop full resyncs after resets + + When resetting the ulog header or initializing it from a dump file + kdb_last_t value, instead of setting kdb_num to 0, create a dummy + entry for the last_sno value so that we can remember its timestamp. + With this change, a slave no longer needs to perform two full resyncs + after an upstream header initialization. Dummy entries are never + transmitted to downstream slaves because the iprop protocol never + transmits the kdb_first_sno update; if one is somehow transmitted, the + slave will ignore it because it doesn't have the kdb_commit flag set. 
+ + reset_header() is renamed to reset_ulog(), takes a kdb_log_context + parameter, and is responsible for syncing the header. sync_update() + now returns void and aborts if msync() fails, just like sync_header(). + A new helper set_dummy() writes a dummy entry and sets the ulog to + point to it. + + Adjust kproplog to recognize and display dummy entries. Adjust + t_ulog.c and t_iprop.py for the new behavior. In t_iprop.py, remove a + kpropd -t test which became redundant with the previous test. + + ticket: 8164 (new) + + src/lib/kdb/kdb_log.c | 77 ++++++++++++++++--------- + src/lib/kdb/t_ulog.c | 6 +- + src/slave/kproplog.c | 16 ++++-- + src/tests/t_iprop.py | 153 +++++++++++++++++++++++--------------------------- + 4 files changed, 133 insertions(+), 119 deletions(-) + +commit fa76eebe09c09063b64715da4b7bcb7a969848da +Author: Greg Hudson +Date: Wed Apr 8 18:12:31 2015 -0400 + + Add kpropd -t iprop-mode tests + + Add a run_kpropd_once() method to K5Realm(), and add tests to + t_iprop.py for the cases where no updates are needed, where + incremental updates are needed, and where a full resync is needed + followed by a poll for updates. + + ticket: 8161 + + src/tests/t_iprop.py | 46 ++++++++++++++++++++++++++++++++++++++++++++++ + src/util/k5test.py | 19 ++++++++++++++----- + 2 files changed, 60 insertions(+), 5 deletions(-) + +commit 334f761ba485e4af6d5fb8822e276d4590b97bf5 +Author: Greg Hudson +Date: Wed Apr 8 17:35:56 2015 -0400 + + Document kpropd -t and fix it in iprop mode + + If kpropd is asked to run just once, don't exit after starting a full + resync; we want to wait for the fullprop child to process the request, + and then request incremental updates afterwards. Also don't exit from + do_standalone() in the fullprop child, in case multiple full resyncs + are required to get the database up to date. + + Document the -t flag in kpropd.rst. 
+ + ticket: 8161 + + doc/admin/admin_commands/kpropd.rst | 7 +++++++ + src/slave/kpropd.c | 4 ++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +commit c19fee0a748dd26ba6ac62118cf4b9ebec36ba2f +Author: Greg Hudson +Date: Wed Apr 8 17:23:25 2015 -0400 + + In kpropd, poll after finishing resync + + When kpropd operates in iprop mode, full resyncs are handled by a + child process. After a full resync, we want to poll for incremental + updates, as the dump we received may have come from a pre-existing + dump file which was not current. To make this polling happen + promptly, signal the parent process from the child process after a + dump is received. + + With this change, t_iprop.py no longer has to prod kpropd after a full + resync occurs, so remove that logic. + + ticket: 8161 + + src/slave/kpropd.c | 6 +++++- + src/tests/t_iprop.py | 8 +------- + 2 files changed, 6 insertions(+), 8 deletions(-) + +commit 2098124705cdc7abd5321e1dee32dc843547eab3 +Author: Greg Hudson +Date: Wed Apr 8 12:09:09 2015 -0400 + + Add tests for client principal aliases + + Augment the LDAP KDB module tests to include client principal aliases + as well as server principal aliases. Also revise the server principal + alias tests to include an AS-REQ case. (This requires adjusting the + subsequent test not to assume a ccache containing a TGT.) + + src/tests/t_kdb.py | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +commit b97b84de1a83bf615853facd42bfafab267e2e06 +Author: Greg Hudson +Date: Wed Apr 1 17:11:23 2015 -0400 + + Make all Python test scripts executable + + For the convenience of developers manually running Python test + scripts, set the executable bits on all of them, and make sure the + first line is always "#!/usr/bin/python". 
+ + ticket: 8163 + + src/appl/gss-sample/t_gss_sample.py | 3 ++- + src/appl/user_user/t_user2user.py | 0 + src/kdc/t_emptytgt.py | 0 + src/kdc/t_workers.py | 0 + src/lib/kdb/t_stringattr.py | 0 + src/lib/krad/t_daemon.py | 0 + src/lib/krb5/ccache/t_cccol.py | 0 + src/lib/krb5/krb/t_expire_warn.py | 0 + src/lib/krb5/krb/t_in_ccache_patypes.py | 0 + src/lib/krb5/krb/t_vfy_increds.py | 0 + src/tests/gssapi/t_ccselect.py | 3 ++- + src/tests/gssapi/t_client_keytab.py | 0 + src/tests/gssapi/t_enctypes.py | 0 + src/tests/gssapi/t_export_cred.py | 0 + src/tests/gssapi/t_s4u.py | 0 + src/tests/t_audit.py | 0 + src/tests/t_bogus_kdc_req.py | 0 + src/tests/t_ccache.py | 3 ++- + src/tests/t_changepw.py | 0 + src/tests/t_crossrealm.py | 0 + src/tests/t_cve-2012-1014.py | 0 + src/tests/t_cve-2012-1015.py | 0 + src/tests/t_cve-2013-1416.py | 0 + src/tests/t_cve-2013-1417.py | 0 + src/tests/t_dump.py | 0 + src/tests/t_errmsg.py | 0 + src/tests/t_hostrealm.py | 0 + src/tests/t_iprop.py | 0 + src/tests/t_kadm5_hook.py | 0 + src/tests/t_kadmin_acl.py | 0 + src/tests/t_kdb.py | 0 + src/tests/t_kdb_locking.py | 0 + src/tests/t_kdc_log.py | 0 + src/tests/t_keydata.py | 0 + src/tests/t_keyrollover.py | 0 + src/tests/t_keytab.py | 0 + src/tests/t_kprop.py | 0 + src/tests/t_localauth.py | 0 + src/tests/t_mkey.py | 0 + src/tests/t_otp.py | 0 + src/tests/t_pkinit.py | 0 + src/tests/t_policy.py | 0 + src/tests/t_proxy.py | 0 + src/tests/t_pwqual.py | 0 + src/tests/t_rdreq.py | 0 + src/tests/t_referral.py | 0 + src/tests/t_renew.py | 0 + src/tests/t_renprinc.py | 3 ++- + src/tests/t_sesskeynego.py | 0 + src/tests/t_skew.py | 0 + src/tests/t_sn2princ.py | 0 + src/tests/t_stringattr.py | 3 ++- + src/tests/t_unlockiter.py | 0 + src/util/gss-kernel-lib/t_kgss.py | 3 ++- + 54 files changed, 12 insertions(+), 6 deletions(-) + +commit 8483243664a289fea142d8a9de61eba30d713871 Author: Greg Hudson Date: Thu Mar 26 12:47:06 2015 -0400 
@@ -176,16 +4612,89 @@ is not easy and requires amending the DAL (see issue #8065). For now, detect LDAP and error out when a rename operation is attempted. - (cherry picked from commit 8483243664a289fea142d8a9de61eba30d713871) - - ticket: 8162 - version_fixed: 1.13.2 - status: resolved + ticket: 8162 (new) + target_version: 1.13.2 + tags: pullup src/lib/kadm5/srv/svr_principal.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) -commit 1ff2ecc7890ae4b843c77c2ba68f5a152806bf05 +commit 2dc19c3899a98e23378c19d91594470f7350756c +Author: Greg Hudson +Date: Thu Mar 19 13:42:56 2015 -0400 + + Process TGS authdata after transited in KDC + + The CAMMAC authorization data container requires a checksum over the + encrypted part of the issued ticket, with the CAMMAC contents + substituted for the authdata field. For this to work, we must + finalize the non-authdata fields of the encrypted ticket part before + adding authdata. Call handle_authdata() after checking and modifying + the transited field and potentially setting the + transited-policy-checked flag. + + Also remove a redundant and inoperative conditional change to + enc_tkt_reply.times.starttime which happens after the ticket is + encrypted. We do the same thing right after setting up the ticket + times. + + src/kdc/do_tgs_req.c | 42 ++++++++++++++++++------------------------ + 1 file changed, 18 insertions(+), 24 deletions(-) + +commit 3d9de684ea933c4887a7aebabc71287cbf5a3f3c +Author: Greg Hudson +Date: Tue Mar 17 14:07:38 2015 -0400 + + Fix renewable ticket lifetimes + + Commit b0661f9176f5eb2644ba459e1b1e87d3dd502174 removed the starttime + hack in the EncTicketPart decoder. Take this into account when + computing the old lifetime of a ticket we are renewing. Without this + fix, we compute an old lifetime equal to the ticket end time, add that + to the current KDC time, and issue a ticket with a negative end time + due to wraparound. 
Add a simple test to t_renew.py to detect this by + making sure that a renewed ticket is usable. + + This bug appeared only on master and not as part of any release, so + there is no associated ticket. + + src/kdc/do_tgs_req.c | 5 ++++- + src/tests/t_renew.py | 3 +++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +commit e321a9d23c4475ba105a6e892624a65940e7aed2 +Author: Greg Hudson +Date: Sat Mar 14 14:29:21 2015 -0400 + + Clean up gssrpc timeout code + + Revert b8b7bd63231094a3583847853bf60cb002781161 (for #6120) now that + we are setting the kadmin client timeout the appropriate way. + + In clnt_create(), do not set a timeout after creating the handle; + doing so defeats the purpose of keeping track of whether the caller + has set a handle timeout. + + src/lib/kadm5/clnt/client_rpc.c | 2 +- + src/lib/rpc/clnt_generic.c | 5 ----- + 2 files changed, 1 insertion(+), 6 deletions(-) + +commit 11f0cf7928b239be45c5d3cb7e2eccd2ff1e1bfc +Author: Greg Hudson +Date: Sat Mar 14 14:21:06 2015 -0400 + + Extend kadmin client timeout to one hour + + Retrieving the list of principals can take a long time for some + databases. Extend the libkadm5 client timeout from two minutes to one + hour. (We can't easily remove the timeout entirely.) + + ticket: 8027 + + src/lib/kadm5/clnt/client_init.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +commit e9eaafeab12b2b62595f4dff2fca3345b2d95b4a Author: Greg Hudson Date: Fri Mar 13 13:30:49 2015 -0400 @@ -196,16 +4705,14 @@ loop makes it difficult to pinpoint the bad restrictions field, so just output the whole string. - (cherry picked from commit e9eaafeab12b2b62595f4dff2fca3345b2d95b4a) - ticket: 8155 - version_fixed: 1.13.2 - status: resolved + target_version: 1.13.2 + tags: pullup src/lib/kadm5/srv/server_acl.c | 4 ++++ 1 file changed, 4 insertions(+) -commit 185114aa35508e46c90354d8ddea76f65fe556d8 +commit ef21069070c1eb2ab1ade1d1406f5cd3920c83a9 Author: Greg Hudson Date: Fri Mar 13 12:45:27 2015 -0400 
@@ -216,16 +4723,14 @@ which means the flag names are the ones for default_principal_flags, not the ones for kadmin addprinc/modprinc. - (cherry picked from commit ef21069070c1eb2ab1ade1d1406f5cd3920c83a9) - ticket: 8155 - version_fixed: 1.13.2 - status: resolved + target_version: 1.13.2 + tags: pullup doc/admin/conf_files/kadm5_acl.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -commit 8e67dce9379c0f50bdccc12619fecad423aa5384 +commit d3d18b8d8d7a47766fd4e9667d045035f43d90ef Author: Greg Hudson Date: Thu Mar 12 16:36:33 2015 -0400 @@ -235,17 +4740,15 @@ for each acl entry. Otherwise the wildcards we process can affect back-references for later entries. - (cherry picked from commit d3d18b8d8d7a47766fd4e9667d045035f43d90ef) - ticket: 8154 - version_fixed: 1.13.2 - status: resolved + target_version: 1.13.2 + tags: pullup src/lib/kadm5/srv/server_acl.c | 2 +- src/tests/t_kadmin_acl.py | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) -commit f2302383dd3a32bf22f437c4e1d10533323db5dc +commit 29dec110c43ae9cebdcd935906a3131ca9ac0c99 Author: Solly Ross Date: Thu Mar 5 13:22:58 2015 -0500 @@ -264,11 +4767,9 @@ [ghudson@mit.edu: minor style changes] - (cherry picked from commit 29dec110c43ae9cebdcd935906a3131ca9ac0c99) - - ticket: 8153 - version_fixed: 1.13.2 - status: resolved + ticket: 8153 (new) + target_version: 1.13.2 + tags: pullup src/lib/gssapi/mechglue/g_imp_name.c | 15 ++++++++------- src/tests/gssapi/t_export_name.c | 17 ++++++++++++++--- 
@@ -276,7 +4777,55 @@ src/tests/gssapi/t_namingexts.c | 24 ++++++++++++++++++++++++ 4 files changed, 51 insertions(+), 10 deletions(-) -commit 37c02e7fc50a9633b639cbf3daeaeaf1c9c75724 +commit e732d9dc3f2e7b01ff3c8305d58a3a754c9e9ec5 +Author: Greg Hudson +Date: Mon Feb 23 15:48:00 2015 -0500 + + Add successful S4U2Proxy test cases + + In t_s4u.py, use the test KDB module to test successful S4U2Proxy + delegations. + + src/tests/gssapi/t_s4u.py | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +commit c8608c52646a10503b1a950f8df5072d0a583604 +Author: Greg Hudson +Date: Mon Feb 23 15:47:21 2015 -0500 + + Add test KDB module + + Add a simple read-only KDB module which can be used to exercise KDB + behavior which the DB2 module cannot reach. Right now it supports + very basic get_principal functionality, aliases, and delegation + policy; in the future it could issue referrals or sign authdata. + + src/Makefile.in | 1 + + src/configure.in | 1 + + src/plugins/kdb/test/Makefile.in | 21 ++ + src/plugins/kdb/test/deps | 0 + src/plugins/kdb/test/kdb_test.c | 522 ++++++++++++++++++++++++++++++++++++++ + src/plugins/kdb/test/test.exports | 1 + + 6 files changed, 546 insertions(+) + +commit 9c491320f72f1e07f87c1cf5b7671505f3526891 +Author: Greg Hudson +Date: Thu Feb 26 15:02:37 2015 -0500 + + Fix kadmin script mode command-not-found error + + In ss_wrapper.c, if ss_execute_command() returns an error, we should + call ss_perror() with *args as the third argument and not request + (which is NULL). Expand out the conditional into three commented + branches for greater clarity, since the error-handling is no longer + identical for the ss_execute_command() and ss_execute_line() cases. + + ticket: 7991 + + src/kadmin/cli/ss_wrapper.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +commit 68ac7ac1f1a1d2939a2c99fa49cecd734614d16d Author: Greg Hudson Date: Fri Feb 20 12:56:17 2015 -0500 
@@ -285,11 +4834,9 @@ Add a new "formats" section to the RST documentation and populate it with documentation of the credential cache and keytab file formats. - (cherry picked from commit 68ac7ac1f1a1d2939a2c99fa49cecd734614d16d) - - ticket: 8149 - version_fixed: 1.13.2 - status: resolved + ticket: 8149 (new) + target_version: 1.13.2 + tags: pullup doc/formats/ccache_file_format.rst | 176 +++++++++++++++++++++++++++++++++++++ doc/formats/index.rst | 8 ++ 
@@ -298,7 +4845,134 @@ src/doc/Makefile.in | 1 + 5 files changed, 237 insertions(+) -commit 21e4e653d8258d525f4b6ca87797d42a8bccc282 +commit fcc1076541a3bd9a5fa4db0be6f74888b3f5f193 +Author: Greg Hudson +Date: Mon Feb 9 12:38:06 2015 -0500 + + Use preauth timestamp in PKINIT clpreauth module + + Use the timestamp from the KDC's preauth-required error when + generating a PKAuthenticator in pa_pkinit_gen_req(), to allow PKINIT + authentication to succeed despite client clock skew if kdc_timesync is + set. + + Because this timestamp is unauthenticated (unless FAST is used), an + attacker could induce a legitimate client to generate a + PKAuthenticator for a future timestamp. But replaying this request in + the future would only cause the KDC to issue a ticket which the + attacker cannot decrypt. + + ticket: 8124 (new) + + src/plugins/preauth/pkinit/pkinit_clnt.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +commit 54984d618e01027abe73e6772fe7049c79938518 +Author: Thomas Calderon +Date: Fri Feb 6 15:55:34 2015 +0100 + + Check timestamp in PKINIT kdcpreauth module + + RFC 4556 requires the KDC to check the PKAuthenticator timestamp in + order to prevent replays after the five-minute clock skew window. (A + replay attack has minimal value; it only causes the KDC to issue a + ticket which an attacker cannot decrypt.) + + [ghudson@mit.edu: rewrote commit message; squashed with typo fix; + style fixes] + + ticket: 8123 (new) + + src/plugins/preauth/pkinit/pkinit_srv.c | 5 +++++ + 1 file changed, 5 insertions(+) + +commit 60516bb111ac68ce0d809043d46c0c1f815a7b30 +Author: Greg Hudson +Date: Sat Jan 31 00:29:59 2015 -0500 + + Use kadmin script mode in Python tests + + In k5test, rename kadmin_local to kadminl and remove the run_kadminl() + K5Realm method. Update all scripts to use realm.run([kadminl, 'cmd', + ...]). run_kadmin() still exists but takes an argument array instead + of a query string. 
+ + Where we touch test code, rename "output" to "out" (since "output" is + a function name exported by k5test.py), elide ":normal" from salt + strings, and use expressions like realm.krbtgt_princ instead of + manually composed principal names where appropriate. In + t_kadmin_acl.py, get rid of the delprinc() helper since the equivalent + is now concise enough to be written out each time. In t_policy.py, + remove some inoperative getprinc invocations and reorder some tests + which didn't correspond to their comment headers. + + src/lib/krb5/krb/t_expire_warn.py | 10 +- + src/lib/krb5/krb/t_in_ccache_patypes.py | 4 +- + src/lib/krb5/krb/t_vfy_increds.py | 14 +- + src/tests/gssapi/t_enctypes.py | 2 +- + src/tests/gssapi/t_gssapi.py | 22 +-- + src/tests/gssapi/t_s4u.py | 2 +- + src/tests/t_audit.py | 2 +- + src/tests/t_changepw.py | 4 +- + src/tests/t_dump.py | 24 +-- + src/tests/t_general.py | 5 +- + src/tests/t_iprop.py | 54 +++--- + src/tests/t_kadm5_hook.py | 2 +- + src/tests/t_kadmin_acl.py | 286 ++++++++++++++------------------ + src/tests/t_kdb.py | 102 ++++++------ + src/tests/t_kdb_locking.py | 2 +- + src/tests/t_keydata.py | 30 ++-- + src/tests/t_keyrollover.py | 31 ++-- + src/tests/t_keytab.py | 6 +- + src/tests/t_kprop.py | 2 +- + src/tests/t_mkey.py | 25 +-- + src/tests/t_otp.py | 22 +-- + src/tests/t_pkinit.py | 8 +- + src/tests/t_policy.py | 178 ++++++++------------ + src/tests/t_pwqual.py | 21 ++- + src/tests/t_rdreq.py | 10 +- + src/tests/t_referral.py | 1 - + src/tests/t_renew.py | 22 +-- + src/tests/t_renprinc.py | 8 +- + src/tests/t_salt.py | 20 +-- + src/tests/t_sesskeynego.py | 24 +-- + src/tests/t_skew.py | 4 +- + src/tests/t_stringattr.py | 28 ++-- + src/util/k5test.py | 27 ++- + 33 files changed, 459 insertions(+), 543 deletions(-) + +commit 040fe97758bdf53b6c00815b0306410eb88ea5ec +Author: Greg Hudson +Date: Fri Jan 30 12:48:15 2015 -0500 + + Support kadmin script mode + + Add support for a command and argments to be specified on the kadmin + 
command line, with script-friendly behavior. kadmin_startup() now + yields either a request string or a request argv array, and sets + script_mode in the argv array case. Informational messages now go + through info() and are suppressed if script_mode is set. Prompts and + warning messages are also suppressed in script mode. Error messages + indicating a failure now go through error() and set exit_status if + script_mode is set. The extended com_err() hook is always installed + so that com_err messages go through error() and set exit_status. + + getopt() is now invoked with a leading '+' to suppress Gnu getopt + argument reordering behavior, so that invokers don't need to pass "--" + to prevent query options from being treated as kadmin options. + Non-Gnu getopt implementations should harmlessly treat '+' as a valid + flag option, which has no effect as it will reach the same default + label in the switch statement. + + ticket: 7991 + + doc/admin/admin_commands/kadmin_local.rst | 23 +- + src/kadmin/cli/kadmin.c | 351 ++++++++++++++++-------------- + src/kadmin/cli/kadmin.h | 3 +- + src/kadmin/cli/ss_wrapper.c | 18 +- + 4 files changed, 224 insertions(+), 171 deletions(-) + +commit 102bb6ebf20f9174130c85c3b052ae104e5073ec Author: Greg Hudson Date: Tue Dec 9 12:37:44 2014 -0500 
@@ -322,131 +4996,71 @@ The example user-to-user server application (uuserver) is similarly vulnerable to a zero-length or non-null-terminated principal name string. - - The krb5_recvauth function reads two version strings from the client - using krb5_read_message(), which produces a krb5_data structure - containing a length and a pointer to an octet sequence. krb5_recvauth - assumes that the data pointer is a valid C string and passes it to - strcmp() to verify the versions. If the client sends an empty octet - sequence, the data pointer will be NULL and strcmp() will dereference - a NULL pointer, causing the process to crash. If the client sends a - non-null-terminated octet sequence, strcmp() will read beyond the end - of the allocated storage, possibly causing the process to crash. - - uuserver similarly uses krb5_read_message() to read a client principal - name, and then passes it to printf() and krb5_parse_name() without - verifying that it is a valid C string. - - The krb5_recvauth function is used by kpropd and the Kerberized - versions of the BSD rlogin and rsh daemons. These daemons are usually - run out of inetd or in a mode which forks before processing incoming - connections, so a process crash will generally not result in a - complete denial of service. - - Thanks to Tim Uglow for discovering this issue. 
- - CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C - - [tlyu@mit.edu: CVSS score] - - (cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec) - - ticket: 8050 - version_fixed: 1.13.2 - status: resolved - - src/appl/user_user/server.c | 4 +++- - src/lib/krb5/krb/recvauth.c | 9 ++++++--- - 2 files changed, 9 insertions(+), 4 deletions(-) - -commit ebd20d50039e5ef77384cf02f07ef0373ab8a8a6 -Author: Tom Yu -Date: Wed Feb 11 22:54:37 2015 -0500 - - Update for krb5-1.13.1-postrelease - - src/patchlevel.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -commit 2f5d3144379e251cb13797b92d47153e1ab51181 -Author: Tom Yu -Date: Wed Feb 11 13:32:31 2015 -0500 - - Updates for krb5-1.13.1 - - README | 48 +++++++++++++++++++++++++++++++++++++++++++++- - src/man/k5identity.man | 2 +- - src/man/k5login.man | 2 +- - src/man/k5srvutil.man | 2 +- - src/man/kadm5.acl.man | 2 +- - src/man/kadmin.man | 2 +- - src/man/kadmind.man | 2 +- - src/man/kdb5_ldap_util.man | 2 +- - src/man/kdb5_util.man | 2 +- - src/man/kdc.conf.man | 2 +- - src/man/kdestroy.man | 2 +- - src/man/kinit.man | 2 +- - src/man/klist.man | 2 +- - src/man/kpasswd.man | 2 +- - src/man/kprop.man | 2 +- - src/man/kpropd.man | 2 +- - src/man/kproplog.man | 2 +- - src/man/krb5-config.man | 2 +- - src/man/krb5.conf.man | 2 +- - src/man/krb5kdc.man | 2 +- - src/man/ksu.man | 2 +- - src/man/kswitch.man | 2 +- - src/man/ktutil.man | 2 +- - src/man/kvno.man | 2 +- - src/man/sclient.man | 2 +- - src/man/sserver.man | 2 +- - src/patchlevel.h | 6 +++--- - src/po/mit-krb5.pot | 4 ++-- - 28 files changed, 77 insertions(+), 31 deletions(-) - -commit 5a6ff732b77ed36694bb47f08dc35e687f7a4107 -Author: Tom Yu -Date: Tue Feb 10 15:28:04 2015 -0500 - - Update manpages + + The krb5_recvauth function reads two version strings from the client + using krb5_read_message(), which produces a krb5_data structure + containing a length and a pointer to an octet sequence. 
krb5_recvauth + assumes that the data pointer is a valid C string and passes it to + strcmp() to verify the versions. If the client sends an empty octet + sequence, the data pointer will be NULL and strcmp() will dereference + a NULL pointer, causing the process to crash. If the client sends a + non-null-terminated octet sequence, strcmp() will read beyond the end + of the allocated storage, possibly causing the process to crash. + + uuserver similarly uses krb5_read_message() to read a client principal + name, and then passes it to printf() and krb5_parse_name() without + verifying that it is a valid C string. + + The krb5_recvauth function is used by kpropd and the Kerberized + versions of the BSD rlogin and rsh daemons. These daemons are usually + run out of inetd or in a mode which forks before processing incoming + connections, so a process crash will generally not result in a + complete denial of service. + + Thanks to Tim Uglow for discovering this issue. + + CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C + + [tlyu@mit.edu: CVSS score] + + ticket: 8050 (new) + target_version: 1.13.1 + tags: pullup - src/man/k5identity.man | 2 +- - src/man/k5login.man | 2 +- - src/man/k5srvutil.man | 2 +- - src/man/kadm5.acl.man | 2 +- - src/man/kadmin.man | 2 +- - src/man/kadmind.man | 2 +- - src/man/kdb5_ldap_util.man | 2 +- - src/man/kdb5_util.man | 2 +- - src/man/kdc.conf.man | 6 +++--- - src/man/kdestroy.man | 2 +- - src/man/kinit.man | 2 +- - src/man/klist.man | 2 +- - src/man/kpasswd.man | 2 +- - src/man/kprop.man | 2 +- - src/man/kpropd.man | 2 +- - src/man/kproplog.man | 2 +- - src/man/krb5-config.man | 2 +- - src/man/krb5.conf.man | 2 +- - src/man/krb5kdc.man | 2 +- - src/man/ksu.man | 2 +- - src/man/kswitch.man | 2 +- - src/man/ktutil.man | 2 +- - src/man/kvno.man | 2 +- - src/man/sclient.man | 2 +- - src/man/sserver.man | 2 +- - 25 files changed, 27 insertions(+), 27 deletions(-) + src/appl/user_user/server.c | 4 +++- + src/lib/krb5/krb/recvauth.c | 9 
++++++--- + 2 files changed, 9 insertions(+), 4 deletions(-) -commit f43598a1363e1494a378603ce9725011818e9aac +commit 5e54fa769d1b04ccf0d904164e897d081051647f Author: Tom Yu -Date: Tue Feb 10 15:27:17 2015 -0500 +Date: Mon Feb 9 15:02:20 2015 -0500 - make update-po + Add configure checks for portability assumptions + + Check a few portability assumptions: + + * Integers are two's complement. Testing that the bitwise complement + of the representation of -1 is zero is sufficient, because C99 + 6.2.6.2 only allows sign and magnitude, one's complement, and two's + complement as representations. + + * Integer values with sign bit one and value bits zero are valid and + not trap representations. C99 6.2.6.2 allows such a value to be a + trap representation. Testing that the declared integer value bounds + are asymmetric in magnitude is sufficient. + + * Conversion of an unsigned integer value that is not representable in + the corresponding signed type preserves the bit pattern. C99 + 6.3.1.3 says this is implementation-defined, or raises an + implementation-defined signal. Exhaustively checking for the + desired behavior is prohibitive, so this spot check will have to do. + + * Bytes are 8 bits - src/po/mit-krb5.pot | 107 +++++++++++++++++++++++++++------------------------- - 1 file changed, 56 insertions(+), 51 deletions(-) + src/configure.in | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) -commit 702e628200d158f9cfd86ba4754657753c952fd1 +commit b5143bdc766ad4819355ac2cd52f685ec5dafa16 Author: Tom Yu Date: Wed Feb 4 17:01:14 2015 -0500 
@@ -457,16 +5071,14 @@ This avoids uninitialized reads in gss_pseudo_random(), which can cause intermittent test failures on some platforms. - (cherry picked from commit b5143bdc766ad4819355ac2cd52f685ec5dafa16) - - ticket: 8072 - version_fixed: 1.13.1 - status: resolved + ticket: 8072 (new) + target_version: 1.13.1 + tags: pullup src/tests/gssapi/t_prf.c | 2 ++ 1 file changed, 2 insertions(+) -commit 5ba284b94e8d755f3b8b9d27767db88f3be66286 +commit 58f6636ba3af96f7b94ba6d4b2c91b61fc85e58a Author: Greg Hudson Date: Wed Feb 4 13:03:20 2015 -0500 @@ -478,16 +5090,14 @@ the DAL iterate() function, but did not bump KRB5_KDB_DAL_MAJOR_VERSION. Bump that version from 4 to 5 now. - (cherry picked from commit 58f6636ba3af96f7b94ba6d4b2c91b61fc85e58a) - - ticket: 8066 - version_fixed: 1.13.1 - status: resolved + ticket: 8066 (new) + target_version: 1.13.1 + tags: pullup src/include/kdb.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -commit 97f96c5f74b069d7bc66bc2c5fe35c904b5e7a03 +commit bfb472ff67c00da2f2b0d0ada1af57a2c4493a11 Author: Greg Hudson Date: Wed Nov 5 11:58:52 2014 -0500 @@ -496,11 +5106,7 @@ Add a new test program t_pcontok to exercise gss_process_context_token, and run it from t_gssapi.py. - (cherry picked from commit bfb472ff67c00da2f2b0d0ada1af57a2c4493a11) - ticket: 8055 - version_fixed: 1.13.1 - status: resolved .gitignore | 1 + src/tests/gssapi/Makefile.in | 20 +++-- @@ -508,7 +5114,7 @@ src/tests/gssapi/t_pcontok.c | 202 +++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 215 insertions(+), 9 deletions(-) -commit 23f9fc04f53b68a81fb46438f7d5948e7ac4ad2f +commit 5bb8a6b9c9eb8dd22bc9526751610aaa255ead9c Author: Greg Hudson Date: Mon Dec 29 13:17:56 2014 -0500 
@@ -522,17 +5128,15 @@ In gss_union_ctx_id_struct, remove the unused "interposer" field which was causing part of the union context to remain uninitialized. - (cherry picked from commit 5bb8a6b9c9eb8dd22bc9526751610aaa255ead9c) - - ticket: 8058 - version_fixed: 1.13.1 - status: resolved + ticket: 8058 (new) + target_version: 1.13.1 + tags: pullup src/lib/gssapi/mechglue/mglueP.h | 1 - src/lib/rpc/svc_auth_gss.c | 25 ++----------------------- 2 files changed, 2 insertions(+), 24 deletions(-) -commit 2bc4bb02a70d7537baf1c3f6ebc126ded42ea133 +commit 6609658db0799053fbef0d7d0aa2f1fd68ef32d8 Author: Greg Hudson Date: Mon Dec 29 13:27:42 2014 -0500 @@ -543,16 +5147,14 @@ server principal, so that we don't erroneously match left substrings of "kadmin", "history", or the realm. - (cherry picked from commit 6609658db0799053fbef0d7d0aa2f1fd68ef32d8) - - ticket: 8057 - version_fixed: 1.13.1 - status: resolved + ticket: 8057 (new) + target_version: 1.13.1 + tags: pullup src/kadmin/server/kadm_rpc_svc.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) -commit d89dde02db71ba3ff0377e12e485f47537d43798 +commit a197e92349a4aa2141b5dff12e9dd44c2a2166e3 Author: Greg Hudson Date: Sat Dec 27 14:16:13 2014 -0500 @@ -568,17 +5170,15 @@ we are freeing, as other XDR functions such as xdr_bytes() and xdr_string(). - (cherry picked from commit a197e92349a4aa2141b5dff12e9dd44c2a2166e3) - - ticket: 8056 - version_fixed: 1.13.1 - status: resolved + ticket: 8056 (new) + target_version: 1.13.1 + tags: pullup src/lib/kadm5/kadm_rpc_xdr.c | 2 ++ src/lib/rpc/auth_gssapi_misc.c | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) -commit 3cfd4bd9e7c09c3b9024d83ab6e3bba2218eb48b +commit 82dc33da50338ac84c7b4102dc6513d897d0506a Author: Greg Hudson Date: Wed Nov 5 11:58:04 2014 -0500 
@@ -592,11 +5192,9 @@ export_sec_context and pseudo_random, and adjust t_prf.c for the pseudo_random check. - (cherry picked from commit 82dc33da50338ac84c7b4102dc6513d897d0506a) - - ticket: 8055 - version_fixed: 1.13.1 - status: resolved + ticket: 8055 (new) + target_version: 1.13.1 + tags: pullup src/lib/gssapi/krb5/context_time.c | 2 +- src/lib/gssapi/krb5/export_sec_context.c | 5 +++++ @@ -614,7 +5212,7 @@ src/tests/gssapi/t_prf.c | 1 + 14 files changed, 36 insertions(+), 13 deletions(-) -commit 41d5f696c09fd1fea73844364d30729b6a891beb +commit 19bb843b40d3f62f4e29f4847717862f1423135e Author: Tom Yu Date: Tue Feb 3 14:25:09 2015 -0500 
@@ -628,22 +5226,113 @@ src/prototype/prototype.h | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) -commit 3e3a1a7d7d2a0ddb0866f21d12ebcc9063a6221d +commit b0661f9176f5eb2644ba459e1b1e87d3dd502174 +Author: Greg Hudson +Date: Mon Jan 26 18:38:16 2015 -0500 + + Remove starttime hack in EncTicketPart decoder + + The EncTicketPart decoder sets starttime to authtime if it wasn't + included in the ASN.1 value. This is problematic for upcoming CAMMAC + work, as we will need to re-encode a received EncTicketPart to check + the KDC verifier. Remove that behavior and just use opt_kerberos_time + for the starttime field. Adjust krb5_decode_test.c to match the new + decoder behavior. + + Similarly, remove the process_tgs_req() code which sets starttime in + the header ticket if it isn't set. Add a comment explaining the + unrelated code adjacent to it. + + check_tgs_times() used the ticket starttime without checking if it was + present. Add a fallback to times->authtime, and narrow the function + contract to make the implementation more concise. + + There is a similar hack in the EncKDCRepPart decoder; leave that alone + for now. + + src/kdc/do_tgs_req.c | 7 +------ + src/kdc/tgs_policy.c | 17 ++++++++++------- + src/lib/krb5/asn.1/asn1_k_encode.c | 16 +--------------- + src/tests/asn.1/krb5_decode_test.c | 3 +-- + 4 files changed, 13 insertions(+), 30 deletions(-) + +commit 922f7d1230fe647821d9767fafef3774c5cfd2fc +Author: Greg Hudson +Date: Mon Jan 26 22:34:49 2015 -0500 + + Remove special case for multi-hop SAM-2 + + Revert f20a77e879d203cdcb1bdbf9dc8e604a5187c88f (issue #7571). The + special case is no longer needed, as we are now resetting the tried + list for each KDC_ERR_PREAUTH_REQUIRED message. 
+ + src/lib/krb5/krb/preauth2.c | 5 ----- + 1 file changed, 5 deletions(-) + +commit 95c3cab051aa1b8b4f7eb309bf135e8f51665baa +Author: Nathaniel McCallum +Date: Sun Jan 25 16:53:49 2015 -0500 + + Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED + + Add support for multi-hop preauth mechs. + + In the KDC, allow kdcpreauth modules to return + KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined in RFC 6113. + + In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED. clpreauth + modules can use the modreq parameter to distinguish between the first + and subsequent KDC messages. We assume that the error padata will + include an element of the preauth mech's type, or at least of a type + recognized by the clpreauth module. + + Also reset the list of previously attempted preauth types for both + kinds of errors. That list is really only appropriate for retrying + after a failed preauth attempt, which we don't currently do. Add an + intermediate variable for the reply code to avoid a long conditional + expression. + + [ghudson@mit.edu: adjust get_in_tkt.c logic to avoid needing a helper + function; clarify commit message] + + ticket: 8063 (new) + + doc/plugindev/clpreauth.rst | 6 +++--- + src/include/k5-int.h | 1 + + src/kdc/kdc_preauth.c | 2 ++ + src/lib/krb5/error_tables/krb5_err.et | 2 +- + src/lib/krb5/krb/get_in_tkt.c | 13 ++++++++----- + 5 files changed, 15 insertions(+), 9 deletions(-) + +commit d67122a21af8c24657fb7dfbb572afad4933b538 +Author: Nathaniel McCallum +Date: Mon Jan 26 13:59:54 2015 -0500 + + Fix const correctness on krb5_c_fx_cf2_simple() + + libk5crypto functions generally use "const krb5_keyblock *" for input + keyblocks. Do this in krb5_c_fx_cf2_simple() for caller convenience. 
+ + [ghudson@mit.edu: expanded commit message] + + ticket: 8062 (new) + + src/include/krb5/krb5.hin | 4 ++-- + src/lib/crypto/krb/cf2.c | 6 +++--- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit c0778ab2252ece4c3510788d9b72f7f5e3bb05dd Author: Greg Hudson Date: Fri Jan 23 12:52:31 2015 -0500 Add test for kinit -C WRONG_REALM response - (cherry picked from commit c0778ab2252ece4c3510788d9b72f7f5e3bb05dd) - ticket: 8060 - version_fixed: 1.13.1 - status: resolved src/tests/t_general.py | 7 +++++++ 1 file changed, 7 insertions(+) -commit a4d6afb74adcd1b0f0078f7a2891ddc9d51927bc +commit d5755694b620570defeecee772def90a2733c6cc Author: Simo Sorce Date: Tue Jan 20 13:48:34 2015 -0500 
@@ -662,15 +5351,67 @@ response is unexpected in practice and there is nothing dangerous about handling it this way.] - (cherry picked from commit d5755694b620570defeecee772def90a2733c6cc) - ticket: 8060 - version_fixed: 1.13.1 + target_version: 1.13.1 + tags: pullup src/lib/krb5/krb/get_in_tkt.c | 40 +++++++++++++--------------------------- 1 file changed, 13 insertions(+), 27 deletions(-) -commit c388e3df8fca0860da91f464bd18d3eba1dd77cb +commit b547063dafe7af4082b00efd4b5636ac5604f42e +Author: Greg Hudson +Date: Sun Jan 4 17:30:45 2015 -0500 + + Clean up PKINIT tests + + Use realm.user_princ where appropriate. Re-wrap some overwrapped + function calls. De-indent the PKCS11 tests using skip_rest. + + src/tests/t_pkinit.py | 256 ++++++++++++++++++-------------------------------- + 1 file changed, 93 insertions(+), 163 deletions(-) + +commit f3891f071b6dc6572c927556b6a0117ac6de50af +Author: Greg Hudson +Date: Sat Jan 3 20:14:31 2015 -0500 + + Note skipped tests + + In Python test scripts, use skipped() or skip_rest() as appropriate + when skipping tests. For Makefile-conditionalized tests, append to + $(SKIPTESTS) when skipping. 
+ + src/kadmin/testing/util/Makefile.in | 1 + + src/lib/krb5/ccache/t_cccol.py | 2 ++ + src/lib/krb5/os/Makefile.in | 2 ++ + src/lib/rpc/unit-test/Makefile.in | 1 + + src/tests/dejagnu/Makefile.in | 1 + + src/tests/t_ccache.py | 2 ++ + src/tests/t_kdb.py | 15 +++++---------- + src/tests/t_otp.py | 10 +++++----- + src/tests/t_pkinit.py | 5 ++--- + src/tests/t_proxy.py | 11 +++-------- + src/tests/t_sn2princ.py | 16 +++++++--------- + 11 files changed, 31 insertions(+), 35 deletions(-) + +commit fa93d60a7af86e37eb25c31349cf8a7207d0c41e +Author: Greg Hudson +Date: Sat Jan 3 20:09:11 2015 -0500 + + Add framework for tracking skipped tests + + In k5test.py, add functions skipped() and skip_rest() which output a + message about skipping tests (even without the verbose flag) and also + add a note to the "skiptests" file at the top of the build tree. In + the top-level make check, empty out skiptests at the beginning and + display it at the end. Add a subsitution for the skiptests file to + pre.in so that other makefiles can append to it. + + src/Makefile.in | 5 +++++ + src/config/pre.in | 1 + + src/util/k5test.py | 22 ++++++++++++++++++++++ + 3 files changed, 28 insertions(+) + +commit 266cce14ee39f6d11b186ee988cffd0c2a119f3d Author: Robbie Harwood (frozencemetery) Date: Tue Jan 20 15:43:40 2015 -0500 
@@ -679,16 +5420,32 @@ This function is already present in gssapi_ext.h, but without exporting it, a link error will be produced every time it is used. - (cherry picked from commit 266cce14ee39f6d11b186ee988cffd0c2a119f3d) - - ticket: 8061 - version_fixed: 1.13.1 - status: resolved + ticket: 8061 (new) + target_version: 1.13.1 + tags: pullup src/lib/gssapi/libgssapi_krb5.exports | 1 + 1 file changed, 1 insertion(+) -commit c0a12dd63f696b95b35826aefed7282bd7954325 +commit 14f039b40efd91b93b1148765bf0b7d3c90db58a +Author: Greg Hudson +Date: Tue Dec 16 12:57:56 2014 -0500 + + Fix bugs in previous cc_file.c changes + + In fcc_destroy and krb5int_fcc_new_unique, call set_errmsg_filename + before deleting the cache handle, or else the reference to + data->filename is a use after free. + + In set_errmsg_filename, do nothing if the code is 0, as we don't have + an error to annotate. + + ticket: 8052 + + src/lib/krb5/ccache/cc_file.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +commit 9a343200d305e7c8df6e556d63afaee42194175f Author: Greg Hudson Date: Wed Jan 14 13:10:39 2015 -0500 @@ -699,16 +5456,14 @@ Correct calling code will not trigger this case, but incorrect code has been reported in the field. - (cherry picked from commit 9a343200d305e7c8df6e556d63afaee42194175f) - - ticket: 8059 - version_fixed: 1.13.1 - status: resolved + ticket: 8059 (new) + target_version: 1.13.1 + tags: pullup src/util/profile/prof_get.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -commit 0b65438bbe5906a857f95e5a5dd4739021d4b57b +commit 57dc24093015d292189ef23313ef8ff2a81431e4 Author: Greg Hudson Date: Mon Dec 22 18:37:36 2014 -0500 
@@ -717,16 +5472,115 @@ Declare User-Password as having type "octets" instead of "string" or pyrad 2.x will throw a decoding error when retrieving it. - (cherry picked from commit 57dc24093015d292189ef23313ef8ff2a81431e4) - - ticket: 8053 - version_fixed: 1.13.1 - status: resolved + ticket: 8053 (new) + target_version: 1.13.1 + tags: pullup src/tests/t_otp.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -commit 116dd62237cf19387a25b5f024472ffd06ae9973 +commit 98b55e86d7ec8b0a3b9b9f9b415ffdf78f4fd2e8 +Author: Nicolas Williams +Date: Wed Oct 29 19:42:49 2014 -0500 + + Include file ccache name in error messages + + When a FILE ccache method returns an error, append the filename to the + standard message for the code. Remove code to set extended messages + in helper functions as they would just be overwritten. + + Also change the interpretation of errno values. Treat ENAMETOOLONG as + KRB5_FCC_NOFILE instead of KRB5_FCC_INTERNAL, since it has an external + cause and a name that long can't be opened by normal means. Treat + EROFS as KRB5_FCC_PERM. Treat ENOTDIR and ELOOP as KRB5_FCC_NOFILE + instead of KRB5_FCC_PERM as both errors imply that the full pathname + doesn't exist. Treat EBUSY and ETXTBSY as KRB5_CC_IO instead of + KRB5_FCC_PERM as they indicate a conflict rather than a permission + issue. 
+ + [ghudson@mit.edu: renamed set_error to set_errmsg_filename; removed + now-inoperative code to set extended messages in helper functions; + trimmed changes to interpret_errno; clarified and shortened commit + message] + + ticket: 8052 (new) + + src/lib/krb5/ccache/cc_file.c | 88 ++++++++++++++++++------------------ + src/tests/dejagnu/config/default.exp | 2 +- + src/tests/gssapi/t_client_keytab.py | 2 +- + src/tests/t_ccache.py | 4 +- + src/tests/t_errmsg.py | 14 +++--- + 5 files changed, 56 insertions(+), 54 deletions(-) + +commit 0008014a748310e38b3e4d69e3227af935e86cf7 +Author: Greg Hudson +Date: Tue Oct 7 12:12:11 2014 -0400 + + Use OFD locks where available + + Linux 3.15 has added OFD locks, which contend with POSIX file locks + but are owned by the open file description instead of the process. + Use these in krb5_lock_file where available, for safer concurrency + behavior. + + ticket: 8023 (new) + + src/lib/krb5/os/lock_file.c | 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +commit fff8e4817c2f20e923acd87a3085842f43edf192 +Author: Ben Kaduk +Date: Mon Dec 8 16:43:36 2014 -0500 + + Correct spelling + + Remove extra 'i' from "create_standalone_prinicipal". While here, + pick a slightly shorter name for the variable. + + src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +commit e316b24a2ac3d0b13fe50b37773f51441c63396e +Author: Ben Kaduk +Date: Fri Dec 5 21:18:38 2014 -0500 + + Add helper for freeing arrays of berval pointers + + This eliminates a potential leak of the bv_val members from + krb5_encode_krbsecretkey(). 
+ + src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 32 ++++++++++++++-------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +commit fb0827e065763821ed1c6c205f15189b1c70bc2a +Author: Ben Kaduk +Date: Wed Nov 19 12:09:55 2014 -0500 + + Remove some dead code + + The secretkey variable is initialized to NULL and compared against + NULL, but never actually set to anything after initialization. + + Remove the variable and all code that would have executed if it + was non-NULL. + + src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c | 20 +------------------- + 1 file changed, 1 insertion(+), 19 deletions(-) + +commit 71201ced154fd3d1a87358ebdaf209d24885ed13 +Author: Ben Kaduk +Date: Fri Nov 21 14:00:20 2014 -0500 + + Regression tests for keyless principals + + Confirm that kadmind does not crash when creating/modifying a principal + to have no keys, and confirm that no keys are present after a + purgekeys -all. + + src/tests/t_kdb.py | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +commit 04038bf3633c4b909b5ded3072dc88c8c419bf16 Author: Ben Kaduk Date: Wed Nov 19 12:04:46 2014 -0500 
@@ -776,16 +5630,26 @@ CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C - (cherry picked from commit 04038bf3633c4b909b5ded3072dc88c8c419bf16) - - ticket: 8041 - version_fixed: 1.13.1 - status: resolved + ticket: 8041 (new) + tags: pullup + target_version: 1.13.1 + subject: kadmind with ldap backend crashes when putting keyless entries src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 25 +++++++++++++++------- 1 file changed, 17 insertions(+), 8 deletions(-) -commit 2865a748eff3b37d2090e9cf1c88d23bc7df7710 +commit e8df0458673071e56346730fa843c83aca88631f +Author: Greg Hudson +Date: Fri Dec 5 14:02:04 2014 -0500 + + Add tests for LDAP ticket/policy name misuse + + ticket: 8051 + + src/tests/t_kdb.py | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +commit d1f707024f1d0af6e54a18885322d70fa15ec4d3 Author: Greg Hudson Date: Fri Dec 5 14:01:39 2014 -0500 @@ -823,16 +5687,14 @@ [kaduk@mit.edu: CVE description and CVSS score] - (cherry picked from commit d1f707024f1d0af6e54a18885322d70fa15ec4d3) - - ticket: 8051 - version_fixed: 1.13.1 - status: resolved + ticket: 8051 (new) + target_version: 1.13.1 + tags: pullup src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) -commit 1defbee489c261546eedafe92302bf41ba04003c +commit 8466003864b294cdb9e5547c2f8e574d2c156b13 Author: Greg Hudson Date: Mon Dec 8 15:30:25 2014 -0500 
@@ -843,16 +5705,167 @@ function is asked for an authorization name, and the bind fails if it gets an unsuccessful result or if no interaction function is defined. - (cherry picked from commit 8466003864b294cdb9e5547c2f8e574d2c156b13) - - ticket: 8049 - version_fixed: 1.13.1 - status: resolved + ticket: 8049 (new) + target_version: 1.13.1 + tags: pullup src/tests/t_kdb.py | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) -commit d1a1b7c83ac568cbfec230bbdb3a9506ea27d1ca +commit aa39669d6e9d2f300777ba7cf8409ed7ef2ce2f7 +Author: Nicolas Williams +Date: Mon Nov 10 20:43:12 2014 -0600 + + Test err_fmt + + [ghudson@mit.edu: move tests to new file; stop messing with + KRB5CCNAME; use K5Realm.special_env instead of multiple K5Realm + objects] + + ticket: 8047 + + src/tests/Makefile.in | 1 + + src/tests/t_errmsg.py | 28 ++++++++++++++++++++++++++++ + 2 files changed, 29 insertions(+) + +commit 8c0b9a839fdf8ef1485a85300d82e41654864719 +Author: Nicolas Williams +Date: Wed Nov 12 15:50:53 2014 -0600 + + Add err_fmt profile parameter + + Support the err_fmt relation in [libdefaults] which allows custom + error message formatting. + + [ghudson@mit.edu: maintain alphabetical order in documentation and + reword docs; simplify err_fmt_fmt; expand commit message] + + ticket: 8047 (new) + + doc/admin/conf_files/krb5_conf.rst | 6 +++++- + src/include/k5-int.h | 2 ++ + src/lib/krb5/krb/copy_ctx.c | 3 +++ + src/lib/krb5/krb/init_ctx.c | 5 +++++ + src/lib/krb5/krb/kerrs.c | 44 +++++++++++++++++++++++++++++++++++++- + 5 files changed, 58 insertions(+), 2 deletions(-) + +commit ebcdf02f8ec212555b1762007fa8454615900f36 +Author: Nicolas Williams +Date: Wed Nov 12 15:49:37 2014 -0600 + + Use new error message wrapping APIs + + Define internal names k5_prendmsg and k5_wrapmsg and use them where we + amend error messages. 
This slightly changes the error message when we + fail to construct FAST AP-REQ armor, decrypt a FAST reply, or store + credentials in a gic_opts output ccache. Adjust the test suite for + the latter of those changes. + + [ghudson@mit.edu: define and use internal names for brevity; pull in + test fix from later commit; expand commit message; fix redundant + separators in LDAP messages] + + ticket: 8046 + + src/include/k5-int.h | 4 +++- + src/lib/kdb/kdb5.c | 13 ++++--------- + src/lib/krb5/krb/fast.c | 16 ++++------------ + src/lib/krb5/krb/get_in_tkt.c | 8 ++------ + src/lib/krb5/krb/preauth2.c | 6 +----- + src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 22 ++++------------------ + src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 9 +++++---- + src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c | 4 ++-- + src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c | 6 ++---- + src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 8 +++----- + src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c | 3 +-- + src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c | 13 ++++++------- + src/tests/t_ccache.py | 2 +- + 13 files changed, 38 insertions(+), 76 deletions(-) + +commit 12bf3e3f3ecd58f53d4a604e318766e4264b02c1 +Author: Nicolas Williams +Date: Wed Nov 12 15:47:53 2014 -0600 + + Add new error message wrapping APIs + + Add four new public APIs for wrapping error messages: + krb5_prepend_error_message, krb5_vprepend_error_message, + krb5_wrap_error_message, and krb5_vwrap_error_message. The first two + functions are from Heimdal and allow a prefix to be added to the + existing message for a code. The latter two functions also allow the + code to be changed. 
+ + [ghudson@mit.edu: rename krb5_prepend_error_message2 to + krb5_wrap_error_message; clarify doxygen comments and put them in the + proper form; implement krb5_prepend_error_message in terms of + krb5_wrap_error_message; fix leak and null context handling in + krb5_wrap_error_message; rewrite commit message] + + ticket: 8046 (new) + + doc/appdev/refs/api/index.rst | 4 +++ + src/include/krb5/krb5.hin | 79 +++++++++++++++++++++++++++++++++++++++++++ + src/lib/krb5/krb/kerrs.c | 44 ++++++++++++++++++++++++ + src/lib/krb5/libkrb5.exports | 4 +++ + src/lib/krb5_32.def | 6 ++++ + 5 files changed, 137 insertions(+) + +commit f4e3e096af73254f208d0fc0632db12fc559e1ad +Author: Remi Ferrand +Date: Sat Nov 15 11:40:11 2014 +0100 + + Remove ksu -D flag documentation + + ksu -D does not work in the default build, so we should not document + it. Remove any mention of it from the usage message and from ksu.rst. + + [ghudson@mit.edu: edited commit message; omit change to generated man + page] + + ticket: 8048 (new) + + doc/user/user_commands/ksu.rst | 4 ---- + src/clients/ksu/main.c | 2 +- + 2 files changed, 1 insertion(+), 5 deletions(-) + +commit d65c504432f01eb1a03703af07356f538f16f8c6 +Author: Ben Kaduk +Date: Mon Nov 24 18:23:32 2014 -0500 + + Don't fdopen() in append mode in cc_file.c + + Implementations of fdopen() are inconsistent about the state of + the file offset after fdopen(., "a+") -- some position the stream + at the end of the file immediately (e.g., Solaris), for both reading + and writing, but others let reads occur from the beginning of the + file (e.g., glibc). + + As it turns out, we only ever write to the file descriptor, not + through stdio, so opening the file with O_APPEND and using fdopen() + with "r+b" should give us sufficient append semantics, while + more portably letting the stream read from the beginning of the file. + + This fixes the test suite on Solaris, a regression introduced + by commit 6979ead5e5c24ca0ec3569eb4bef48c2e5d8a726. 
+ + ticket: 8026 + + src/lib/krb5/ccache/cc_file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 66497980e56b9c8bb5c94979d48f32ef69354c85 +Author: Ben Kaduk +Date: Thu Nov 20 16:41:13 2014 -0500 + + Add tests for duplicate detection + + There's not an easy way to test for infinite loops other than + making the test suite hang, unfortunately. + + src/tests/t_salt.py | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +commit c828e7cb137de3559f026dcc552a52162d9ca5cd Author: Ben Kaduk Date: Thu Nov 20 15:44:04 2014 -0500 @@ -866,16 +5879,14 @@ Rework the conditional to avoid the loop, at the expense of additional indentation for some of the code. - (cherry picked from commit c828e7cb137de3559f026dcc552a52162d9ca5cd) - - ticket: 8038 - version_fixed: 1.13.1 - status: resolved + Ticket: 8038 + tags: pullup + target_version: 1.13.1 src/lib/kadm5/str_conv.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) -commit 57a3db64c8e17d92392d43a7ca7fd322573a4b4a +commit 3eeb1a7eaa6757502d73944b7694405cdd571e1c Author: Tom Yu Date: Wed Nov 5 15:57:51 2014 -0500 
@@ -884,16 +5895,43 @@ Use modern enctypes for values of master_key_type and supported_enctypes in the example kdc.conf in kdc_conf.rst. - (cherry picked from commit 3eeb1a7eaa6757502d73944b7694405cdd571e1c) - - ticket: 8035 - version_fixed: 1.13.1 - status: resolved + ticket: 8035 (new) + target_version: 1.13.1 + tags: pullup doc/admin/conf_files/kdc_conf.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -commit e41ed9c9fe0ed84733c645072ea2d838a07f812a +commit 38a31852c3e58f6e2f6b3b035a87f817d1db5537 +Author: Tom Yu +Date: Wed Nov 5 14:10:35 2014 -0500 + + Remove des3 and arcfour from supported_enctypes + + The des3 and arcfour (rc4) enctypes use weak string-to-key algorithms, + and should not be used for producing password-derived keys. + + ticket: 7903 + + src/include/osconf.hin | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +commit 16989828e9b9137b4f3c701962d838360f895636 +Author: Greg Hudson +Date: Tue Nov 4 10:13:11 2014 -0500 + + Fix minor cleanup issue in file ccache + + If we fail to open the cache file in fcc_initialize, we could wind up + calling close(-1) which is harmless but incorrect. Avoid this by + initializing fd and conditionalizing its cleanup. + + ticket: 8026 + + src/lib/krb5/ccache/cc_file.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +commit 2457bf66c466321dd36cd3c76bc36bb589d31587 Author: Greg Hudson Date: Wed Nov 5 14:12:35 2014 -0500 
@@ -906,16 +5944,134 @@ Also correctly check the output of the last kinit invocation. - (cherry picked from commit 2457bf66c466321dd36cd3c76bc36bb589d31587) - - ticket: 8034 - version_fixed: 1.13.1 - status: resolved + ticket: 8034 (new) + target_version: 1.13.1 + tags: pullup src/tests/t_skew.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -commit bbff4de352a5c36c78e5d58ac2f1a81265094bcc +commit 35ab0d013f35a9840d0fbcb8de3b194eb501199d +Author: Greg Hudson +Date: Mon Nov 3 17:27:00 2014 -0500 + + Fix spurious gcc warning in cc_file.c + + gcc 4.6.3 (present in Ubuntu 12.04) is smart enough to look at + get_size and see that it does not always assign to *size_out, but not + smart enough to figure out that it always assigns to *size_out when it + returns 0. As a result, it outputs two warnings which we treat as + errors. Add an initial assignment to *size_out at the beginning of + get_size to work around this. + + ticket: 8026 + + src/lib/krb5/ccache/cc_file.c | 1 + + 1 file changed, 1 insertion(+) + +commit 6979ead5e5c24ca0ec3569eb4bef48c2e5d8a726 +Author: Greg Hudson +Date: Sun Oct 12 18:46:17 2014 -0400 + + Use stdio reads, O_APPEND writes in FILE ccache + + Remove open file state from the cache handle, use stdio for reading, + use single O_APPEND writes for writing, and use O_CLOEXEC when + opening. Keep the file handle open during iteration. These changes + simplify the code, fix some concurrency issues, and reduce the + dependency on POSIX file locks. We still acquire file locks for + compatibility with older code, and in case O_APPEND writes aren't + concurrency-atomic. + + Helper functions change as follows: + * open_cache_file yields a stdio handle, and only opens and locks. + * close_cache_file takes a stdio handle. + * read_header (new) reads the file header and yields a version. + * invalidate_cache and fcc_lseek are no longer needed. + * get_size, read_bytes, and load_bytes operate on a stdio handle. 
+ * read32, read16, load_data, load_principal, and load_cred operate on + a stdio handle and version. + * write_bytes, store32, store16, and store_principal are no longer + needed. + + fcc_initialize now takes responsibility for writing the header and + default client principal, using a single write. + + ticket: 8026 (new) + + src/lib/krb5/ccache/cc_file.c | 875 +++++++++++++++--------------------------- + 1 file changed, 313 insertions(+), 562 deletions(-) + +commit 21c6d59c9b5b08cbd2c87a96a719b0ac511cce51 +Author: Greg Hudson +Date: Mon Oct 6 20:09:27 2014 -0400 + + Remove cc_file.c global lookup table + + The FILE ccache type maintains a global reference-counted table of + handles, which is perhaps an imperfect workaround for POSIX + per-process file locks. Remove this table, since we plan to maintain + read fds in cursors and use O_APPEND writes to render locking less + important. + + src/lib/krb5/ccache/cc_file.c | 156 +++++++++--------------------------------- + 1 file changed, 34 insertions(+), 122 deletions(-) + +commit ec3a2e9ea2d4fdb2e00fc7b2a6bfed7feac10880 +Author: Greg Hudson +Date: Mon Oct 6 10:05:41 2014 -0400 + + Stop using KRB5_TC_OPENCLOSE + + Since KRB5_TC_OPENCLOSE no longer does anything, stop setting it when + we iterate over ccaches. 
+ + ticket: 7804 + + src/clients/klist/klist.c | 15 --------------- + src/clients/ksu/main.c | 5 ----- + src/lib/gssapi/krb5/acquire_cred.c | 7 ++----- + src/lib/krb5/ccache/cc_retr.c | 14 +------------- + src/lib/krb5/ccache/cccopy.c | 26 -------------------------- + src/lib/krb5/krb/vfy_increds.c | 25 +++++-------------------- + src/windows/cns/cns.c | 15 +-------------- + src/windows/cns/tktlist.c | 11 +---------- + src/windows/leash/KrbListTickets.cpp | 4 ++-- + src/windows/leashdll/lshfunc.c | 4 ++-- + 10 files changed, 14 insertions(+), 112 deletions(-) + +commit fe9e299521d6e2952b987d3ca29cf327b7eacdda +Author: Greg Hudson +Date: Mon Oct 6 09:47:10 2014 -0400 + + Remove KRB5_TC_OPENCLOSE handling in FILE ccache + + Stop processing the KRB5_TC_OPENCLOSE flag in cc_file.c; always reopen + the file instead. This will be replaced with more efficient cursor + handling. Also remove some unused KRB5_TC_OPENCLOSE macros in scc.h. + + src/include/krb5/krb5.hin | 2 +- + src/lib/krb5/ccache/cc_file.c | 148 ++++++++++++++---------------------------- + src/lib/krb5/ccache/scc.h | 15 ----- + 3 files changed, 48 insertions(+), 117 deletions(-) + +commit 0558407467d9e35148f3c40babbc4551ef982e73 +Author: Greg Hudson +Date: Tue Oct 28 14:31:19 2014 -0400 + + Adjust asn1c test vector code for new asn1c + + asn1c 0.9.22 added support for representing integers using unsigned + types if they have appropriate constraints. This changes the + representation of RFC4120's UInt32 type from Integer_t to unsigned + long. In make-vectors.c, this means we can use a static initializer + for kvno, and that the old method of calling asn_long2INTEGER doesn't + work. Adjust make-vectors.c to assume the newer version of asn1c. + + src/tests/asn.1/make-vectors.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +commit 3c330ea5846ca02da36a0cb5a5c879364d28a267 Author: Greg Hudson Date: Wed Oct 29 12:16:40 2014 -0400 
@@ -925,16 +6081,44 @@ pkinit_get_certs_pkcs12. Use asprintf instead of snprintf. Also check the result of the prompter invocation. - (cherry picked from commit 3c330ea5846ca02da36a0cb5a5c879364d28a267) - ticket: 8011 - version_fixed: 1.13.1 - status: resolved + target_version: 1.13.1 + tags: pullup src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) -commit db81478f8c2afd247b4c401602dc3b6bd8f40f4e +commit 9b3052b5aba7d71c515710b289c237732da35f08 +Author: Greg Hudson +Date: Tue Sep 9 13:34:39 2014 -0400 + + Make it easier to find ASN.1 codec functions + + Expand out MAKE_CODEC macro invocations into MAKE_ENCODER and + MAKE_DECODER invocations, so that the defined function names appear in + the macro calls. This makes it easier to find the function + definitions using grep, although one still has to look up the macro to + see what it does. + + src/lib/krb5/asn.1/asn1_encode.h | 4 - + src/lib/krb5/asn.1/asn1_k_encode.c | 167 ++++++++++++++++++++++++------------- + 2 files changed, 111 insertions(+), 60 deletions(-) + +commit 1bc97644eb689548126781645a83bb6093dfe79c +Author: Ben Kaduk +Date: Wed Oct 22 14:53:52 2014 -0400 + + Remove unused variables from kprop.c + + Commit 29dee7d2cece615bec4616fa9b727e77210051db removed the + need for a ccache to hold the credentials used by the process, + but did not remove the ccname and ccache variables which became + unused as a result. + + src/slave/kprop.c | 20 -------------------- + 1 file changed, 20 deletions(-) + +commit 62894f854daa8251554376b6b6810fd0e9fecb7f Author: Greg Hudson Date: Mon Oct 20 13:19:26 2014 -0400 
@@ -943,31 +6127,25 @@ In copy_creds_except, call krb5_cc_end_seq_get so we don't leak the ccache cursor. - (cherry picked from commit 62894f854daa8251554376b6b6810fd0e9fecb7f) - - ticket: 8029 - version_fixed: 1.13.1 - status: resolved + ticket: 8029 (new) + target_version: 1.13.1 + tags: pullup src/lib/krb5/krb/vfy_increds.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) -commit 26f2bf480f5144684fe2b628e52b3ee9c96ecb9e -Author: Tom Yu -Date: Tue Dec 16 12:38:47 2014 -0500 +commit e47d8204843ce87fcc1342c7970dded8536fcbde +Author: Greg Hudson +Date: Mon Oct 20 12:53:16 2014 -0400 Add test for kinit output ccache error - (back ported from commit e47d8204843ce87fcc1342c7970dded8536fcbde) - ticket: 8028 - version_fixed: 1.13.1 - status: resolved src/tests/t_ccache.py | 6 ++++++ 1 file changed, 6 insertions(+) -commit e2ac4e1afcb987e3c8ddfbeb73680b6501914e30 +commit feeddfb78ca5de066a509b6be8551d036e0f2c8a Author: Greg Hudson Date: Mon Oct 20 12:52:45 2014 -0400 @@ -977,16 +6155,14 @@ credentials, do set ctx->complete (since retrieving creds or times will work at this point) but don't suppress the error code. - (cherry picked from commit feeddfb78ca5de066a509b6be8551d036e0f2c8a) - - ticket: 8028 - version_fixed: 1.13.1 - status: resolved + ticket: 8028 (new) + target_version: 1.13.1 + tags: pullup src/lib/krb5/krb/get_in_tkt.c | 1 - 1 file changed, 1 deletion(-) -commit f5a40c03c5a93713468f740600cb443f53792e84 +commit 13e9694b17945d43d0cfc203b2645204f2d87086 Author: Tom Yu Date: Thu Oct 16 15:40:33 2014 -0400 
@@ -996,98 +6172,99 @@ the ktadd subcommand, terminating option parsing and possibly causing options to be interpreted as principal names. - (cherry picked from commit 13e9694b17945d43d0cfc203b2645204f2d87086) - ticket: 7962 - version_fixed: 1.13.1 - status: resolved + target_version: 1.13.1 + tags: pullup src/kadmin/cli/keytab.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) -commit cde37c712c5260a7af6265458af35dc0657fc2d1 +commit f355ad110887c135a6e5fb84c0d6f392ea17f493 +Author: Tom Yu +Date: Wed Oct 15 17:16:12 2014 -0400 + + Update mitK5features.rst for 1.13 + + doc/mitK5features.rst | 34 +++++++++++++++++++++++++++++++++- + 1 file changed, 33 insertions(+), 1 deletion(-) + +commit 49f8ec5975df3cb5f204444df2a284b2e662df85 Author: Tom Yu Date: Tue Oct 14 14:40:34 2014 -0400 Fix typo in doc for krb5_get_init_creds_keytab() - (cherry picked from commit 49f8ec5975df3cb5f204444df2a284b2e662df85) - ticket: 7880 - version_fixed: 1.13.1 - status: resolved + target_version: 1.13.1 + tags: pullup src/include/krb5/krb5.hin | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -commit 9443dd349fccd3b4a72551a99a91cd6c8296bc55 -Author: Greg Hudson -Date: Tue Oct 7 20:22:52 2014 -0400 +commit fa4138c7853487105ab3c54e6d176c45eaf8b065 +Author: Tom Yu +Date: Tue Oct 14 14:31:09 2014 -0400 - Use gssalloc_malloc for GSS error tokens - - In kg_accept_krb5, use gssalloc_malloc when allocating space for the - error token, since it will be freed with gssalloc_free. Using malloc - can cause heap corruption on Windows. This bug was masked by #1445 - before 1.12. + Better document how to verify PGP signature - (cherry picked from commit 68cfc8b4e6338b78dce5a960ce47974a73906fac) + Add text clarifying our unusual packaging of the PGP signature inside + a tar file. 
- ticket: 8024 - version_fixed: 1.13.1 - status: resolved + ticket: 7927 + target_version: 1.13 + tags: pullup - src/lib/gssapi/krb5/accept_sec_context.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + doc/build/index.rst | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) -commit cce64afe703307d6b7df427e0a5c632816df0324 -Author: Tom Yu -Date: Wed Oct 15 20:50:25 2014 -0400 +commit c7a8b8908e5db1af1c612bb7b94d46e97f919856 +Author: Greg Hudson +Date: Thu Oct 9 12:03:36 2014 -0400 - Update for krb5-1.13-postrelease + Add tests for klist -s - src/patchlevel.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) + src/tests/t_ccache.py | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) -commit 3165ae71ba685ff0f105383a2c2a27a76e8efac4 -Author: Tom Yu -Date: Wed Oct 15 18:44:48 2014 -0400 +commit 60b368b1b89b59924b2fde6d8a8ed8ef7e07bc1b +Author: Greg Hudson +Date: Sat Oct 4 22:49:54 2014 -0400 - Updates for krb5-1.13 + Fix klist -A -s output + + In show_all_ccaches, don't output newlines if status_only is set. - README | 9 ++++++--- - src/patchlevel.h | 4 ++-- - src/po/mit-krb5.pot | 4 ++-- - 3 files changed, 10 insertions(+), 7 deletions(-) + src/clients/klist/klist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) -commit 2d2f7d2ff0012c20dc7f6f62cc5bf5a0e07cb239 -Author: Tom Yu -Date: Wed Oct 15 17:16:12 2014 -0400 +commit 922f627b28f480eafc240fb4706cacf6aa7f4c14 +Author: Greg Hudson +Date: Sat Oct 4 20:39:14 2014 -0400 - Update mitK5features.rst for 1.13 + Improve klist check for expired cache + + Make klist -s succeed for a cache which contains a non-expired + credential and no TGT cred. 
+ + ticket: 8022 - doc/mitK5features.rst | 34 +++++++++++++++++++++++++++++++++- - 1 file changed, 33 insertions(+), 1 deletion(-) + src/clients/klist/klist.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) -commit 0d551dad36c5d91a93f1a8dd70bee25fb10c42aa -Author: Tom Yu -Date: Tue Oct 14 14:31:09 2014 -0400 +commit 3c6dedb2e46a3e65cf0a3aeb0346b446a1c9a235 +Author: Greg Hudson +Date: Sat Oct 4 20:32:19 2014 -0400 - Better document how to verify PGP signature - - Add text clarifying our unusual packaging of the PGP signature inside - a tar file. + Separate ccache display and checking in klist - (cherry picked from commit fa4138c7853487105ab3c54e6d176c45eaf8b065) - - ticket: 7927 - version_fixed: 1.13 - status: resolved + In klist, use separate functions to display a ccache and check its + status. Also use a helper function to check if a credential's server + principal is the local krbtgt principal for the realm. - doc/build/index.rst | 24 ++++++++++++++---------- - 1 file changed, 14 insertions(+), 10 deletions(-) + src/clients/klist/klist.c | 125 ++++++++++++++++++++++++++-------------------- + 1 file changed, 71 insertions(+), 54 deletions(-) -commit fe19aa61a8193dc8add1d85b13a80ece3b8b3ced +commit 9b51ffb0c55a6c4c44501d86eb207acc79403c5c Author: Tom Yu Date: Mon Oct 6 14:32:21 2014 -0400 
@@ -1096,65 +6273,46 @@ Modern OpenAFS releases support using encryption stronger than single DES with Kerberos. Update the documentation accordingly. - (cherry picked from commit 9b51ffb0c55a6c4c44501d86eb207acc79403c5c) - ticket: 7761 - version_fixed: 1.13 - status: resolved + target_version: 1.13 + tags: pullup doc/admin/advanced/retiring-des.rst | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) -commit 58f837266a511b920fdfa8e6c3a47cba898f6d0c -Author: Tom Yu -Date: Fri Sep 26 14:16:22 2014 -0400 - - Update for krb5-1.13-beta1-postrelease - - src/patchlevel.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -commit bc6eaaa14cdeeaf1b057116c6d3ebf0b30781a36 -Author: Tom Yu -Date: Wed Sep 24 19:30:54 2014 -0400 - - Updates for krb5-1.13-beta1 - - README | 35 +++++++++++++++++++++++++++++++++++ - src/patchlevel.h | 4 ++-- - src/po/mit-krb5.pot | 4 ++-- - 3 files changed, 39 insertions(+), 4 deletions(-) - -commit a0067de3a562a4a850a59981970c1f572da47d60 -Author: Tom Yu -Date: Wed Sep 24 19:14:06 2014 -0400 - - make update-po - - src/po/mit-krb5.pot | 547 +++++++++++++++++++++++++--------------------------- - 1 file changed, 262 insertions(+), 285 deletions(-) - -commit c832e5dffca879f3a0c0b0f29413092a6977f338 -Author: Tom Yu -Date: Wed Sep 24 14:43:56 2014 -0400 +commit 68cfc8b4e6338b78dce5a960ce47974a73906fac +Author: Greg Hudson +Date: Tue Oct 7 20:22:52 2014 -0400 - Update manpages + Use gssalloc_malloc for GSS error tokens + + In kg_accept_krb5, use gssalloc_malloc when allocating space for the + error token, since it will be freed with gssalloc_free. Using malloc + can cause heap corruption on Windows. This bug was masked by #1445 + before 1.12. 
+ + ticket: 8024 (new) + target_version: 1.13.1 + tags: pullup - src/man/kdc.conf.man | 12 +++++------- - src/man/kinit.man | 5 +++++ - src/man/krb5.conf.man | 6 ++++++ - 3 files changed, 16 insertions(+), 7 deletions(-) + src/lib/gssapi/krb5/accept_sec_context.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) -commit 11131b6764be463209f81d2930a0f94ac79b1428 -Author: Tom Yu -Date: Wed Sep 24 14:43:19 2014 -0400 +commit 319d98bf13e8486f9f378ee47147c9c4bdb15c37 +Author: Greg Hudson +Date: Wed Aug 27 16:15:46 2014 -0400 - make depend + Fix minor memory leak in klist (again) + + Commit 6e51f9cc3152c8e419fe7f459bcf521d60358434 attempted to fix two + minor memory leaks in klist, but one of the fixes was dead code. In + do_ccache, free princ before we look at the code which terminated the + loop, not after we have returned on either branch. - src/kadmin/cli/deps | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) + src/clients/klist/klist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) -commit 3bf9e33f9d66c0eef486cbd83f9e4f13a74d12c3 +commit af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca Author: Greg Hudson Date: Thu Aug 21 13:52:07 2014 -0400 @@ -1189,16 +6347,14 @@ [tlyu@mit.edu: CVE description and CVSS score] - (cherry picked from commit af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca) - - ticket: 8018 - version_fixed: 1.13 - status: resolved + ticket: 8018 (new) + target_version: 1.13 + tags: pullup src/lib/kadm5/srv/svr_principal.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) -commit 3b30c09bf48b9a2ec943e43573a882b1f0f545d2 +commit 17689700b27c6fb6d26156330d11b57ef79385d3 Author: Greg Hudson Date: Fri Sep 19 11:35:10 2014 -0400 
@@ -1213,16 +6369,14 @@ Based on a patch from Solly Ross . - (cherry picked from commit 17689700b27c6fb6d26156330d11b57ef79385d3) - - ticket: 8017 - version_fixed: 1.13 - status: resolved + ticket: 8017 (new) + target_version: 1.13 + tags: pullup src/lib/gssapi/krb5/s4u_gss_glue.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) -commit 99e08376c14240e2141c6fa9289fafab8245c754 +commit c61e8c0c6ad5fda8d23dd896c4aed0ac5b470020 Author: Greg Hudson Date: Wed Sep 17 10:45:28 2014 -0400 @@ -1237,16 +6391,14 @@ only replay cache race issue. It simply prevents the race from causing a spurious failure. - (cherry picked from commit c61e8c0c6ad5fda8d23dd896c4aed0ac5b470020) - ticket: 3498 - version_fixed: 1.13 - status: resolved + target_version: 1.13 + tags: pullup src/lib/krb5/rcache/rc_io.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) -commit 8bfc5060eb3b863a1805efab45749d6e55239e6e +commit 005f4eb3ccc1092f4a43afc4d6a4fabfa20b2b41 Author: Nalin Dahyabhai Date: Thu Sep 18 08:37:29 2014 -0400 @@ -1267,16 +6419,14 @@ creds would be copied to the target cache later, so the target ccache would never be created and populated with the newly-obtained TGT. - (cherry picked from commit 005f4eb3ccc1092f4a43afc4d6a4fabfa20b2b41) - - ticket: 8016 - version_fixed: 1.13 - status: resolved + ticket: 8016 (new) + target_version: 1.13 + tags: pullup src/clients/ksu/main.c | 2 ++ 1 file changed, 2 insertions(+) -commit 5ccab825a11b1c7f3edf4287d56202d00dd5b233 +commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de Author: Nalin Dahyabhai Date: Tue Sep 16 13:50:05 2014 -0400 
@@ -1297,11 +6447,9 @@ to take a "krb5_get_init_creds_opt" pointer instead of a locally-defined options structure, and rename it to ksu_get_tgt_via_passwd(). - (cherry picked from commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de) - - ticket: 8015 - version_fixed: 1.13 - status: resolved + ticket: 8015 (new) + target_version: 1.13 + tags: pullup src/clients/ksu/heuristic.c | 4 +-- src/clients/ksu/krb_auth_su.c | 58 ++++++++++++++----------------------------- @@ -1309,7 +6457,7 @@ src/clients/ksu/main.c | 56 +++++++++++++++++------------------------ 4 files changed, 48 insertions(+), 87 deletions(-) -commit 8f8cf0e62ee839b161dc0ec51d04be40fcb903fc +commit 59cbb7662282f6f882b5d108cf45bdd042857c6a Author: Tom Yu Date: Tue Sep 16 14:18:17 2014 -0400 @@ -1318,16 +6466,14 @@ Update documentation to reflect the change in the default KDC TCP listener behavior, new in 1.13. - (cherry picked from commit 59cbb7662282f6f882b5d108cf45bdd042857c6a) - ticket: 6731 - version_fixed: 1.13 - status: resolved + target_version: 1.13 + tags: pullup doc/admin/conf_files/kdc_conf.rst | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) -commit 4f9527a45f80a483675beb2f61b46a51ac186284 +commit 8d88e2ab00be126237569dc72827ced2ce6b7d04 Author: Tom Yu Date: Tue Sep 16 14:15:47 2014 -0400 
@@ -1335,14 +6481,144 @@ Make the KDC default to listening on TCP. - (cherry picked from commit 8d88e2ab00be126237569dc72827ced2ce6b7d04) - ticket: 6731 + target_version: 1.13 + tags: pullup src/include/osconf.hin | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -commit f744357cb51b03ce861613f84ae198bb92ceeca7 +commit 76a16d2652da483dd7bc95f24257e0f195b833f0 +Author: Ben Kaduk +Date: Thu Aug 14 13:57:48 2014 -0400 + + Avoid unneeded GetMSTGT() calls in cc_mslsa.c + + Both lcc_resolve() and lcc_get_principal() were using GetMSTGT() + to fetch a ticket from which to obtain the client principal name + of the credentials cache. However, that name is contained in + the results of the the cache information query; there is no need + to retrieve a full ticket of any sort to get it. Since there + may sometimes be difficulties obtaining a TGT when UAC is enabled, + avoid these unneeded calls. + + ticket: 7989 + + src/lib/krb5/ccache/cc_mslsa.c | 62 ++++++++++++++++++++---------------------- + 1 file changed, 29 insertions(+), 33 deletions(-) + +commit e2d1a3aea7789b6acc5fa963da75ea666614764c +Author: Ben Kaduk +Date: Thu Aug 14 13:51:22 2014 -0400 + + Move realm conversion into helper in cc_mslsa.c + + All the callers of UnicodeStringToMITPrinc() were already converting + a UnicodeString into a wchar* just to pass it in as the realm. + + Simplify everyone's life by making the helper do the conversion. + + ticket: 7989 + + src/lib/krb5/ccache/cc_mslsa.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +commit bbf946566b32dcf2f9a718b28acd948eeb53ade4 +Author: Ben Kaduk +Date: Wed Aug 13 17:48:08 2014 -0400 + + Rename cc_mslsa.c routines to avoid OS versions + + We don't care about XP versus non-XP; just indicate which + revision of the data type is being used. + + Standardize on the lowercase 'x' in "Ex", for both the "Ex" and + "Ex2" forms. + + While here, adjust the function definition prototypes to match + current style. 
+ + ticket: 7989 + + src/lib/krb5/ccache/cc_mslsa.c | 38 +++++++++++++++++++++----------------- + 1 file changed, 21 insertions(+), 17 deletions(-) + +commit 07aaaee56bf40bfef2847b6f09897ce1aa96773d +Author: Ben Kaduk +Date: Wed Aug 13 16:28:57 2014 -0400 + + Remove unused code from cc_mslsa.c + + Remove PreserveInitialTicketIdentity() and IsKerberosLogon(), as well + as the preprocessor conditionals ENABLE_PURGING and PURGE_ALL, which + have not been used in a very long time, if ever. + + There was one potential callsite of IsKerberosLogon(), in + lcc_resolve(), which was disabled. It is perfectly reasonable to want + to use the MSLSA cache on a non-domain-joined workstation, as it is + now a read-write cache type, so we need not concern ourselves whether + the logon was performed or may have been performed using kerberos. + + ticket: 7989 + + src/lib/krb5/ccache/cc_mslsa.c | 108 ----------------------------------------- + 1 file changed, 108 deletions(-) + +commit 9d16f24e59e2a0f0809741236344394da49935e2 +Author: Ben Kaduk +Date: Wed Aug 13 16:31:49 2014 -0400 + + comment some future cleanup for cc_mslsa.c + + The function does_query_ticket_cache_ex2() will not be needed once + Windows Server 2003 drops out of support in approximately one year's + time. Note the doom timer at its definition, to facilitate future + cleanup. + + ticket: 7989 + + src/lib/krb5/ccache/cc_mslsa.c | 5 +++++ + 1 file changed, 5 insertions(+) + +commit 471b8474de8c5dfbbcc6a5a39201426bdca09f0d +Author: Ben Kaduk +Date: Wed Aug 13 12:54:37 2014 -0400 + + Remove old Windows support from cc_mslsa.c + + It is safe to remove is_windows_2000(), is_windows_xp(), and + is_windows_vista(), since the former two only check for very old + versions of windows which are no longer supported, and + is_windows_vista() was unused. Note that the check being implemented + was whether the running OS was the named version or higher, not an + exact match. 
The current Microsoft documentation recommends against + the sort of OS version checks that were employed here, in favor of + explicit feature tests. + + Remove is_broken_wow64() as the problem it works around (Microsoft + Article ID 960077) is believed to have been fixed in subsequent + updates to Windows Server 2003 and XP. + + Remove does_retrieve_ticket_cache_ticket() since support for the + KERB_RETRIEVE_TICKET_CACHE_TICKET flag in the + KERB_RETRIEVE_TKT_REQUEST structure was added in service packs for + Windows Server 2003 and XP. Also remove buildtime fallbacks that + are no longer needed. + + Remove the conditionals TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS, + HAVE_CACHE_INFO_EX2, and KERB_SUBMIT_TICKET as all current SDK + versions have the relevant functionality. + + In all cases, de-indent chunks that are no longer conditional. + Where indentation levels changed, update the style of the reindented + code to current practices. + + ticket: 7989 + + src/lib/krb5/ccache/cc_mslsa.c | 603 +++++------------------------------------ + 1 file changed, 66 insertions(+), 537 deletions(-) + +commit 0794746f8d8e6b8ce3748d442d2bc1faecf960ce Author: Ben Kaduk Date: Thu Aug 21 18:56:24 2014 -0400 @@ -1365,16 +6641,15 @@ entry and cause the GSSAPI credential selection algorithm to function properly. - (cherry picked from commit 0794746f8d8e6b8ce3748d442d2bc1faecf960ce) - - ticket: 8000 - version_fixed: 1.13 - status: resolved + ticket: 8000 (new) + tags: pullup + target_version: 1.12.3 + subject: gssapi.dll fails to detect TGTs in the MSLSA cache when UAC is enabled src/lib/gssapi/krb5/acquire_cred.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -commit f2aaee4e07fd86960a41bd9654270b5908314067 +commit d2b76e1ba0f4bb0ec7e560a9a681d938f45f950c Author: Ben Kaduk Date: Thu Aug 21 17:33:11 2014 -0400 
@@ -1385,14 +6660,15 @@ So, we do need to stay in the business of shipping around KDC entries, after all. - (cherry picked from commit d2b76e1ba0f4bb0ec7e560a9a681d938f45f950c) - - ticket: 7999 + ticket: 7999 (new) + queue: kfw + tags: pullup + target_version: 1.12.3 src/windows/installer/wix/files.wxi | 13 +++++++++++++ 1 file changed, 13 insertions(+) -commit c3d4bfab8d44ba62ed972c491e26a46bdc70ca32 +commit 674f7d7abe2d4f8bc3fe791e4347a332e3ccfd41 Author: Ben Kaduk Date: Thu Aug 21 12:48:39 2014 -0400 @@ -1404,16 +6680,15 @@ The call to scan_ccache() in the Leash case was inadvertently removed as part of commit 8651f3339ccc5a623172a8edfb9cf522883acacd. - (cherry picked from commit 674f7d7abe2d4f8bc3fe791e4347a332e3ccfd41) - - ticket: 7998 - version_fixed: 1.13 - status: resolved + ticket: 7998 (new) + tags: pullup + target_version: 1.12.3 + subject: gssapi.dll tries to get initial creds even when some are present src/lib/gssapi/krb5/acquire_cred.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -commit 635007e6f883f65e4e030ab4d64e2db1b13477e5 +commit e56f3d43a746c198b1fd1889dc1211b9feedbfc3 Author: Brett Randall Date: Fri Sep 5 11:21:35 2014 +1000 @@ -1425,17 +6700,15 @@ [tlyu@mit.edu: edit commit message, adjust wording to conform to existing style, document start time clock skew] - (cherry picked from commit e56f3d43a746c198b1fd1889dc1211b9feedbfc3) - - ticket: 8008 - version_fixed: 1.13 - status: resolved + ticket: 8008 (new) + target_version: 1.13 + tags: pullup doc/admin/conf_files/krb5_conf.rst | 6 ++++++ doc/user/user_commands/kinit.rst | 5 +++++ 2 files changed, 11 insertions(+) -commit 1825e3a407db03b1e00aad148a4dc96d6a67a912 +commit bda574576a5a2d0613fecf12d820e0adcbedf95c Author: Nalin Dahyabhai Date: Mon Sep 8 13:15:40 2014 -0400 
@@ -1448,51 +6721,77 @@ [ghudson@mit.edu: minor style changes] - (cherry picked from commit bda574576a5a2d0613fecf12d820e0adcbedf95c) - - ticket: 8007 - version_fixed: 1.13 - status: resolved + ticket: 8007 (new) + target_version: 1.13 + tags: pullup src/clients/ksu/main.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) -commit e56c0064823778affabc60f94e4b59c486448e2c +commit 9a6dc30d9105f0a3c2a209a2154660a0474b3499 Author: Greg Hudson -Date: Mon Aug 25 12:48:14 2014 -0400 +Date: Fri Sep 5 15:36:11 2014 -0400 - Re-encrypt preserved key data in new master key + Fix uninitialized variable bug in kdb_cpw.c - When we are preserving old key data in kdb_cpw.c, ensure that it is - encrypted with the same master key as the new key data. This ensures - that the KRB5_TL_MKVNO tl-data on the principal entry applies to all - of the key data, not just some of it. + Now that add_key_rnd isn't looking up the TGT principal entry, it + could use retval before initializing it if the loop runs for zero + iterations. Get rid of the add_key_rnd label (as it no longer does + anything) and just return 0 after the loop ends. + + src/lib/kdb/kdb_cpw.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +commit 759a8e1001ac21161d26eb1dc80c6601fb379964 +Author: Greg Hudson +Date: Mon Aug 25 19:14:50 2014 -0400 + + Simplify kdb_cpw.c - (cherry picked from commit 32c9b8f1aa1b348388ed227394cc609e68ed833b) + In add_key_rnd, stop looking up the krbtgt DB entry; we have not used + it since 1.1. - ticket: 7995 - version_fixed: 1.13 - status: resolved + Use copy_key_data in add_key_rnd and add_key_pwd. + + krb5_dbe_crk, krb5_dbe_ark, krb5_dbe_def_cpw, and krb5_dbe_apw all + contained similar logic. Consolidate all of them into a static helper + function which does the work of all four. The ark/apw variants had + slightly different behavior then crk/cpw with keepold=true, so + introduce a three-value enum to express all three behaviors. 
- src/lib/kdb/kdb_cpw.c | 197 ++++++++++++++++++++++++++++++++------------------ - 1 file changed, 126 insertions(+), 71 deletions(-) + src/lib/kdb/kdb_cpw.c | 390 +++++++++++++------------------------------------- + 1 file changed, 103 insertions(+), 287 deletions(-) -commit dc46bfbe660b2b057a5892dd95cbf53b6d46e44a +commit 8ee40f56e6c789a87dc403bf70d524d2b3b21dbf Author: Greg Hudson Date: Mon Aug 25 13:02:03 2014 -0400 Add test case for -keepold mkey re-encryption - (cherry picked from commit 8ee40f56e6c789a87dc403bf70d524d2b3b21dbf) - ticket: 7995 - version_fixed: 1.13 - status: resolved src/tests/t_mkey.py | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) -commit bba0b2058ad372372bacbbef9a753a671ba79ab4 +commit 32c9b8f1aa1b348388ed227394cc609e68ed833b +Author: Greg Hudson +Date: Mon Aug 25 12:48:14 2014 -0400 + + Re-encrypt preserved key data in new master key + + When we are preserving old key data in kdb_cpw.c, ensure that it is + encrypted with the same master key as the new key data. This ensures + that the KRB5_TL_MKVNO tl-data on the principal entry applies to all + of the key data, not just some of it. + + ticket: 7995 + target_version: 1.13 + tags: pullup + + src/lib/kdb/kdb_cpw.c | 197 ++++++++++++++++++++++++++++++++------------------ + 1 file changed, 126 insertions(+), 71 deletions(-) + +commit 2cb54d39316f9a0cc8e75b791b2faf6f051c9495 Author: Benjamin Kaduk Date: Tue Sep 2 22:16:51 2014 -0400 
@@ -1509,17 +6808,50 @@ indentation of some existing content, but those changes were removed by hand, so this commit only reflects new added content. - (cherry picked from commit 2cb54d39316f9a0cc8e75b791b2faf6f051c9495) - ticket: 8006 - version_fixed: 1.13 - status: resolved + tags: pullup + target_version: 1.13 NOTICE | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ doc/notice.rst | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 139 insertions(+) -commit 3aa3722bc9a07a5bc77cc09be0346226138ec2f7 +commit 935de68b110ca0369e4cf16bbdc7da74b5799e69 +Author: Greg Hudson +Date: Tue Sep 2 14:02:26 2014 -0400 + + Fix unlikely memory leak in KCM client + + Commit 956cbd24e645609c94fbc836840ce0f87ba3ce79 created a memory leak + if the KCM_OP_GET_DEFAULT_CACHE call fails inside kcm_ptcursor_new + after the KCM_OP_GET_CACHE_UUID_LIST call succeeds. Fix it. + + ticket: 8002 + + src/lib/krb5/ccache/cc_kcm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +commit 956cbd24e645609c94fbc836840ce0f87ba3ce79 +Author: Greg Hudson +Date: Thu Aug 28 18:43:56 2014 -0400 + + Fix KCM ccache per-type cursor + + The KCM per-type cursor was too simplistic and did not obey the + conventions of the other ccache types. Fix it to return a singleton + cursor when the default cache is a subsidiary and to return the + primary cache first. + + For internal convenience, make_cache now accepts a context parameter + and creates a kcmio if necessary. + + ticket: 8002 (new) + target_version: 1.13 + + src/lib/krb5/ccache/cc_kcm.c | 120 ++++++++++++++++++++++++++++++++----------- + 1 file changed, 89 insertions(+), 31 deletions(-) + +commit a85923073ad2d1f5d0314ab330fd6c5f07749be8 Author: Tom Yu Date: Tue Aug 26 18:18:02 2014 -0400 
@@ -1529,16 +6861,14 @@ STDERR logging, call fdopen() using mode "w" instead of "a+", to avoid errors when stderr happens to be opened for write only. - (cherry picked from commit a85923073ad2d1f5d0314ab330fd6c5f07749be8) - - ticket: 8001 - version_fixed: 1.13 - status: resolved + ticket: 8001 (new) + target_version: 1.13 + tags: pullup src/lib/kadm5/logger.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -commit 508ce04c5552ae435513745ddccc0fbe1857bdc3 +commit bf040d0c4072742efab854ab01af162569f0a8f7 Author: Ben Kaduk Date: Fri Aug 29 13:14:07 2014 -0400 @@ -1547,16 +6877,14 @@ It is only assigned to in the non-dry-run case, which clang detects and aborts the build (when maintainer mode is enabled). - (cherry picked from commit bf040d0c4072742efab854ab01af162569f0a8f7) - - ticket: 8005 - version_fixed: 1.13 - status: resolved + ticket: 8005 (new) + tags: pullup + target_version: 1.13 src/kadmin/dbutil/kdb5_mkey.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -commit 526ef397a8fb0f51800019dac8afc55742935a39 +commit b7a4d695263f1a5b7fe72b1eadce4acdc3f0490b Author: Ben Kaduk Date: Thu Aug 28 17:54:39 2014 -0400 @@ -1568,16 +6896,14 @@ specifying that files with the .hin extension are to be treated as C language files. - (cherry picked from commit b7a4d695263f1a5b7fe72b1eadce4acdc3f0490b) - - ticket: 8004 - version_fixed: 1.13 - status: resolved + ticket: 8004 (new) + tags: pullup + target_version: 1.13 src/doc/Doxyfile.in | 1 + 1 file changed, 1 insertion(+) -commit fb345e55bb6d197b5f4b11750b08fa6019f4084f +commit f749c07bb18878f34f63aa3997bb0ef1360a9a0a Author: Ben Kaduk Date: Thu Aug 28 22:58:49 2014 -0400 
@@ -1587,31 +6913,25 @@ was not added to the library export symbol list, and thus was unusable on systems that enforced library export lists. - (cherry picked from commit f749c07bb18878f34f63aa3997bb0ef1360a9a0a) - - ticket: 8003 - version_fixed: 1.13 - status: resolved + ticket: 8003 (new) + tags: pullup + target_version: 1.13 src/lib/rpc/libgssrpc.exports | 1 + 1 file changed, 1 insertion(+) -commit 0a6fe13208b13b33ada02f18958e0bb6f722409b +commit b96f562888e3e7733e449a922920158e84e0a933 Author: Greg Hudson Date: Mon Aug 18 15:10:00 2014 -0400 Add test case for randkey mkvno update - (cherry picked from commit b96f562888e3e7733e449a922920158e84e0a933) - ticket: 7994 - version_fixed: 1.13 - status: resolved src/tests/t_mkey.py | 6 ++++++ 1 file changed, 6 insertions(+) -commit af27b167ebde8de25ceabfe0c8be8e054854430a +commit 05a3b205c5d7ee491a64e24581cb4def3814c05b Author: Greg Hudson Date: Mon Aug 18 15:09:41 2014 -0400 @@ -1621,14 +6941,14 @@ update its mkvno tl-data to indicate the master key version we encrypted the new keys with. - (cherry picked from commit 05a3b205c5d7ee491a64e24581cb4def3814c05b) - ticket: 7994 + target_version: 1.13 + tags: pullup src/lib/kadm5/srv/svr_principal.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) -commit bfd301a2d167c36ee4d5b53d06ae65ba814fa2d8 +commit e86e3baaa684a7e891ffe852d74095c1a8b630ba Author: Tomas Kuthan Date: Wed May 28 15:24:20 2014 +0200 
@@ -1645,18 +6965,16 @@ [ghudson@mit.edu: adjusted comments, argument wrapping, commit message] - (cherry picked from commit e86e3baaa684a7e891ffe852d74095c1a8b630ba) - - ticket: 7997 - version_fixed: 1.13 - status: resolved + ticket: 7997 (new) + target_version: 1.13 + tags: pullup src/kadmin/cli/kadmin.c | 33 ++++++++++++++++++++++----------- src/kadmin/cli/kadmin.h | 7 +++++++ src/kadmin/cli/keytab.c | 7 ++----- 3 files changed, 31 insertions(+), 16 deletions(-) -commit 7b0fd353be446c9f148ac5d870610413ce361c45 +commit bbfe19f03bdeca7b05b542dbae4c1692c9800c70 Author: Nalin Dahyabhai Date: Tue Aug 19 14:07:26 2014 -0400 @@ -1669,16 +6987,14 @@ [ghudson@mit.edu: rewrote commit message] - (cherry picked from commit bbfe19f03bdeca7b05b542dbae4c1692c9800c70) - - ticket: 7996 - version_fixed: 1.13 - status: resolved + ticket: 7996 (new) + target_version: 1.13 + tags: pullup src/clients/ksu/krb_auth_su.c | 116 ++---------------------------------------- 1 file changed, 3 insertions(+), 113 deletions(-) -commit d300093bc0b3d7a996094c02d86c6058cd0c5045 +commit a7a8e3186a21c15132cd8fb6c141afcf25a1fb74 Author: maurerpe Date: Thu Aug 14 17:43:55 2014 -0400 @@ -1690,17 +7006,15 @@ [ghudson@mit.edu: clarified commit message; minor style changes] - (cherry picked from commit a7a8e3186a21c15132cd8fb6c141afcf25a1fb74) - - ticket: 7993 - version_fixed: 1.13 - status: resolved + ticket: 7993 (new) + target_version: 1.13 + tags: pullup src/configure.in | 3 +++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) -commit 8de3b58b93e537a9ffda4c07087cd4a7bf99fe23 +commit fefd465614f11f374f5ff183e6eb6cbc1b550de5 Author: Michael Osipov <1983-01-06@gmx.net> Date: Fri Aug 15 14:20:10 2014 +0200 
@@ -1712,16 +7026,14 @@ [ghudson@mit.edu: clarified commit message] - (cherry picked from commit fefd465614f11f374f5ff183e6eb6cbc1b550de5) - - ticket: 7992 - version_fixed: 1.13 - status: resolved + ticket: 7992 (new) + target_version: 1.13 + tags: pullup src/configure.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -commit 234b9459eb851bdf2d64861e596cf0a8acbb1e92 +commit fdd1c69471bbe5fec0da9f9bcaa9d0a7739db77f Author: Michael Osipov <1983-01-06@gmx.net> Date: Thu Aug 14 15:48:11 2014 +0200 @@ -1733,11 +7045,9 @@ [ghudson@mit.edu: squashed commits, condensed commit message] - (cherry picked from commit fdd1c69471bbe5fec0da9f9bcaa9d0a7739db77f) - - ticket: 7990 - version_fixed: 1.13 - status: resolved + ticket: 7990 (new) + target_version: 1.13 + tags: pullup .gitignore | 1 + src/config/lib.in | 18 +++++++++--------- 
@@ -1745,55 +7055,7 @@ src/config/shlib.conf | 24 +++++++++++++++--------- 4 files changed, 32 insertions(+), 25 deletions(-) -commit 875b33b85b7bcb47e78f6d5a7fd8af8311b08ff4 -Author: Tom Yu -Date: Thu Aug 21 17:57:14 2014 -0400 - - krb5-1.13-alpha1-postrelease - - src/patchlevel.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -commit a8c4205341b42445d7adf2ffe2b7cecb65701035 -Author: Tom Yu -Date: Wed Aug 20 15:24:46 2014 -0400 - - Updates for krb5-1.13-alpha1 - - README | 115 ++ - src/clients/ksu/deps | 17 +- - src/lib/krb5/os/deps | 10 +- - src/man/k5identity.man | 6 +- - src/man/k5login.man | 15 +- - src/man/k5srvutil.man | 6 +- - src/man/kadm5.acl.man | 66 +- - src/man/kadmin.man | 158 ++- - src/man/kadmind.man | 60 +- - src/man/kdb5_ldap_util.man | 32 +- - src/man/kdb5_util.man | 32 +- - src/man/kdc.conf.man | 165 ++- - src/man/kdestroy.man | 8 +- - src/man/kinit.man | 18 +- - src/man/klist.man | 15 +- - src/man/kpasswd.man | 6 +- - src/man/kprop.man | 12 +- - src/man/kpropd.man | 25 +- - src/man/kproplog.man | 6 +- - src/man/krb5-config.man | 8 +- - src/man/krb5.conf.man | 165 +-- - src/man/krb5kdc.man | 51 +- - src/man/ksu.man | 54 +- - src/man/kswitch.man | 10 +- - src/man/ktutil.man | 14 +- - src/man/kvno.man | 10 +- - src/man/sclient.man | 6 +- - src/man/sserver.man | 16 +- - src/patchlevel.h | 4 +- - src/po/mit-krb5.pot | 2595 ++++++++++++++++++++++---------------------- - src/util/support/deps | 7 +- - 31 files changed, 1988 insertions(+), 1724 deletions(-) - -commit e1c6b2cc02b0b28cf3037e20f2ef418db22d8cd3 +commit 7208dace8bfbdf5b930e26a19c8ff31c13ea1ef3 Author: Greg Hudson Date: Fri Aug 8 13:32:51 2014 -0400 
@@ -1806,16 +7068,14 @@ [ghudson@mit.edu: rewrote commit message, added comment to NTLMSSP OID] - (cherry picked from commit 7208dace8bfbdf5b930e26a19c8ff31c13ea1ef3) - ticket: 7975 - version_fixed: 1.13 - status: resolved + target_version: 1.13 + tags: pullup src/lib/gssapi/spnego/spnego_mech.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) -commit f678ea7b849248d678b9369edfc124b0589e6eb4 +commit bca1191210eb582fe09e94486e2631d72b8a5ca5 Author: Nalin Dahyabhai Date: Fri Aug 8 16:58:03 2014 -0400 @@ -1827,16 +7087,14 @@ Go ahead and preemptively create it, as we do during krb5_cc_resolve, before attempting to create a new file under it. - (cherry picked from commit bca1191210eb582fe09e94486e2631d72b8a5ca5) - - ticket: 7988 - version_fixed: 1.13 - status: resolved + ticket: 7988 (new) + target_version: 1.13 + tags: pullup src/lib/krb5/ccache/cc_dir.c | 3 +++ 1 file changed, 3 insertions(+) -commit 7b4bf661ecc39459f78665a356858de9f6daaabc +commit d899084e24555dc8fd091eb08187ca2a45a08324 Author: Greg Hudson Date: Fri Aug 8 16:50:38 2014 -0400 
@@ -1852,15 +7110,25 @@ Fix both of these cases. - (cherry picked from commit d899084e24555dc8fd091eb08187ca2a45a08324) - - ticket: 7987 - version_fixed: 1.13 - status: resolved + ticket: 7987 (new) + target_version: 1.13 + tags: pullup src/lib/gssapi/krb5/accept_sec_context.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) +commit 6087423239b23667bc74dc39f8f00a8796f09736 +Author: Tom Yu +Date: Fri Aug 8 15:35:04 2014 -0400 + + krb5-1.14 prerelease + + Now that krb5-1.13 is branched, master is krb5-1.14 prerelease. + + README | 6 +++--- + src/patchlevel.h | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + commit 69c8e20b18577781e17c5959e23514134dfb5755 Author: Nalin Dahyabhai Date: Thu Jul 24 16:43:21 2014 -0400 diff -Nru krb5-1.13.2+dfsg/doc/conf.py krb5-1.14.2+dfsg/doc/conf.py --- krb5-1.13.2+dfsg/doc/conf.py 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/conf.py 2016-05-30 16:14:07.000000000 +0000 @@ -45,7 +45,7 @@ # General information about the project. project = u'MIT Kerberos' -copyright = u'1985-2015, MIT' +copyright = u'1985-2016, MIT' # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the diff -Nru krb5-1.13.2+dfsg/doc/copyright.rst krb5-1.14.2+dfsg/doc/copyright.rst --- krb5-1.13.2+dfsg/doc/copyright.rst 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/copyright.rst 2016-05-30 16:14:07.000000000 +0000 
@@ -1,7 +1,7 @@ Copyright ========= -Copyright |copy| 1985-2015 by the Massachusetts Institute of +Copyright |copy| 1985-2016 by the Massachusetts Institute of Technology and its contributors. All rights reserved. See :ref:`mitK5license` for additional copyright and license diff -Nru krb5-1.13.2+dfsg/doc/formats/cookie.rst krb5-1.14.2+dfsg/doc/formats/cookie.rst --- krb5-1.13.2+dfsg/doc/formats/cookie.rst 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/formats/cookie.rst 2016-05-30 16:14:07.000000000 +0000 
@@ -0,0 +1,60 @@
+KDC cookie format
+=================
+
+:rfc:`6113` section 5.2 specifies a pa-data type PA-FX-COOKIE, which
+clients are required to reflect back to the KDC during
+pre-authentication. The MIT krb5 KDC uses the following formats for
+cookies.
+
+
+Trivial cookie (version 0)
+--------------------------
+
+If there is no pre-authentication mechanism state information to save,
+a trivial cookie containing the value "MIT" is used. A trivial cookie
+is needed to indicate that the conversation can continue.
+
+
+Secure cookie (version 1)
+-------------------------
+
+In release 1.14 and later, a secure cookie can be sent if there is any
+mechanism state to save for the next request. A secure cookie
+contains the concatenation of the following:
+
+* the four bytes "MIT1"
+* a four-byte big-endian kvno value
+* an :rfc:`3961` ciphertext
+
+The ciphertext is encrypted in the cookie key with key usage
+number 513. The cookie key is derived from a key in the local krbtgt
+principal entry for the realm (e.g. ``krbtgt/KRBTEST.COM@KRBTEST.COM``
+if the request is to the ``KRBTEST.COM`` realm). The first krbtgt key
+for the indicated kvno value is combined with the client principal as
+follows::
+
+ cookie-key <- random-to-key(PRF+(tgt-key, "COOKIE" | client-princ))
+
+where **random-to-key** is the :rfc:`3961` random-to-key operation for
+the krbtgt key's encryption type, **PRF+** is defined in :rfc:`6113`,
+and ``|`` denotes concatenation. *client-princ* is the request client
+principal name with realm, marshalled according to :rfc:`1964` section
+2.1.1.
+
+The plain text of the encrypted part of a cookie is the DER encoding
+of the following ASN.1 type::
+
+ SecureCookie ::= SEQUENCE {
+ time INTEGER,
+ data SEQUENCE OF PA-DATA,
+ ...
+ }
+
+The time field represents the cookie creation time; for brevity, it is
+encoded as an integer giving the POSIX timestamp rather than as an
+ASN.1 GeneralizedTime value.
The data field contains one element for +each pre-authentication type which requires saved state. For +mechanisms which have separate request and reply types, the request +type is used; this allows the KDC to determine whether a cookie is +relevant to a request by comparing the request pa-data types to the +cookie data types. diff -Nru krb5-1.13.2+dfsg/doc/formats/index.rst krb5-1.14.2+dfsg/doc/formats/index.rst --- krb5-1.13.2+dfsg/doc/formats/index.rst 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/formats/index.rst 2016-05-30 16:14:07.000000000 +0000 @@ -6,3 +6,4 @@ ccache_file_format keytab_file_format + cookie diff -Nru krb5-1.13.2+dfsg/doc/formats/keytab_file_format.rst krb5-1.14.2+dfsg/doc/formats/keytab_file_format.rst --- krb5-1.13.2+dfsg/doc/formats/keytab_file_format.rst 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/formats/keytab_file_format.rst 2016-05-30 16:14:07.000000000 +0000 @@ -29,11 +29,12 @@ timestamp (32 bits) key version (8 bits) enctype (16 bits) - key length (32 bits) + key length (16 bits) key contents + key version (32 bits) [in release 1.14 and later] principal ::= - count of components (32 bits) [includes realm in version 1] + count of components (16 bits) [includes realm in version 1] realm (data) component1 (data) component2 (data) 
@@ -44,8 +45,7 @@ length (16 bits) value (length bytes) -Some implementations of Kerberos recognize a 32-bit key version at the -end of an entry, if the record length is at least 4 bytes longer than -the entry and the value of those 32 bits is not 0. If present, this -key version supersedes the 8-bit key version. MIT krb5 does not yet -implement this extension. +The 32-bit key version overrides the 8-bit key version. To determine +if it is present, the implementation must check that at least 4 bytes +remain in the record after the other fields are read, and that the +value of the 32-bit integer contained in those bytes is non-zero. diff -Nru krb5-1.13.2+dfsg/doc/html/about.html krb5-1.14.2+dfsg/doc/html/about.html --- krb5-1.13.2+dfsg/doc/html/about.html 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/html/about.html 2016-05-30 16:14:07.000000000 +0000 @@ -15,7 +15,7 @@ + + + + + + + + + + + +
+
+ + +

MIT Kerberos Documentation

+ +
+ + Contents | + previous | + next | + index | + Search | + feedback +
+
+
+ +
+
+
+ +
+
+
+ +
+

Authentication indicators

+

As of release 1.14, the KDC can be configured to annotate tickets if +the client authenticated using a stronger preauthentication mechanism +such as PKINIT or OTP. These +annotations are called “authentication indicators.” Service +principals can be configured to require particular authentication +indicators in order to authenticate to that service. An +authentication indicator value can be any string chosen by the KDC +administrator; there are no pre-set values.

+

To use authentication indicators with PKINIT or OTP, first configure +the KDC to include an indicator when that preauthentication mechanism +is used. For PKINIT, use the pkinit_indicator variable in +kdc.conf. For OTP, use the indicator variable in the +token type definition, or specify the indicators in the otp user +string as described in OTP Preauthentication.

+

To require an indicator to be present in order to authenticate to a +service principal, set the require_auth string attribute on the +principal to the indicator value to be required. If you wish to allow +one of several indicators to be accepted, you can specify multiple +indicator values separated by spaces.

+

For example, a realm could be configured to set the authentication +indicator value “strong” when PKINIT is used to authenticate, using a +setting in the [realms] subsection:

+
pkinit_indicator = strong
+
+
+

A service principal could be configured to require the “strong” +authentication indicator value:

+
$ kadmin setstr host/high.value.server require_auth strong
+Password for user/admin@KRBTEST.COM:
+
+
+

A user who authenticates with PKINIT would be able to obtain a ticket +for the service principal:

+
$ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user
+$ kvno host/high.value.server
+host/high.value.server@KRBTEST.COM: kvno = 1
+
+
+

but a user who authenticates with a password would not:

+
$ kinit user
+Password for user@KRBTEST.COM:
+$ kvno host/high.value.server
+kvno: KDC policy rejects request while getting credentials for
+  host/high.value.server@KRBTEST.COM
+
+
+
+ + +
+
+
+
+ +
+
+
+ + + + + \ No newline at end of file diff -Nru krb5-1.13.2+dfsg/doc/html/admin/backup_host.html krb5-1.14.2+dfsg/doc/html/admin/backup_host.html --- krb5-1.13.2+dfsg/doc/html/admin/backup_host.html 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/html/admin/backup_host.html 2016-05-30 16:14:07.000000000 +0000 @@ -15,7 +15,7 @@ + + + + + + + + + + + +
+
+ + +

MIT Kerberos Documentation

+ +
+ + Contents | + previous | + next | + index | + Search | + feedback +
+
+
+ +
+
+
+ +
+
+
+ +
+

krb5_c_derive_prfplus - Derive a key using some input data (via RFC 6113 PRF+).

+
+
+krb5_error_code krb5_c_derive_prfplus(krb5_context context, const krb5_keyblock * k, const krb5_data * input, krb5_enctype enctype, krb5_keyblock ** out)
+
+ + +++ + + + +
param:

[in] context - Library context

+

[in] k - KDC contribution key

+

[in] input - Input string

+

[in] enctype - Output key enctype (or ENCTYPE_NULL )

+

[out] out - Derived keyblock

+
+

This function uses PRF+ as defined in RFC 6113 to derive a key from another key and an input string. If enctype is ENCTYPE_NULL , the output key will have the same enctype as the input key.

+
+ + +
+
+
+
+ +
+
+
+ + + + + \ No newline at end of file diff -Nru krb5-1.13.2+dfsg/doc/html/appdev/refs/api/krb5_c_encrypt.html krb5-1.14.2+dfsg/doc/html/appdev/refs/api/krb5_c_encrypt.html --- krb5-1.13.2+dfsg/doc/html/appdev/refs/api/krb5_c_encrypt.html 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/html/appdev/refs/api/krb5_c_encrypt.html 2016-05-30 16:14:07.000000000 +0000 @@ -15,7 +15,7 @@ + + + + + + + + + + + +
+
+ + +

MIT Kerberos Documentation

+ +
+ + Contents | + previous | + next | + index | + Search | + feedback +
+
+
+ +
+
+
+ +
+
+
+ +
+

krb5_c_prfplus - Generate pseudo-random bytes using RFC 6113 PRF+.

+
+
+krb5_error_code krb5_c_prfplus(krb5_context context, const krb5_keyblock * k, const krb5_data * input, krb5_data * output)
+
+ + +++ + + + +
param:

[in] context - Library context

+

[in] k - KDC contribution key

+

[in] input - Input data

+

[out] output - Pseudo-random output buffer

+
+ +++ + + + +
return:
    +
  • 0 on success, E2BIG if output->length is too large for PRF+ to generate, ENOMEM on allocation failure, or an error code from krb5_c_prf()
  • +
+
+

This function fills output with PRF+(k, input) as defined in RFC 6113 section 5.1. The caller must preinitialize output and allocate the desired amount of space. The length of the pseudo-random output will match the length of output .

+
+

Note

+

RFC 4402 defines a different PRF+ operation. This function does not implement that operation.

+
+
+ + +
+
+
+
+ +
+
+
+ + + + + \ No newline at end of file diff -Nru krb5-1.13.2+dfsg/doc/html/appdev/refs/api/krb5_c_random_add_entropy.html krb5-1.14.2+dfsg/doc/html/appdev/refs/api/krb5_c_random_add_entropy.html --- krb5-1.13.2+dfsg/doc/html/appdev/refs/api/krb5_c_random_add_entropy.html 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/html/appdev/refs/api/krb5_c_random_add_entropy.html 2016-05-30 16:14:07.000000000 +0000 @@ -15,7 +15,7 @@ + + + + + + + + + + + +
+
+ + +

MIT Kerberos Documentation

+ +
+ + Contents | + previous | + next | + index | + Search | + feedback +
+
+
+ +
+
+
+ +
+
+
+ +
+

krb5_prepend_error_message - Add a prefix to the message for an error code.

+
+
+void krb5_prepend_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, ...)
+
+ + +++ + + + +
param:

[in] ctx - Library context

+

[in] code - Error code

+

[in] fmt - Format string for error message prefix

+
+

Format a message and prepend it to the current message for code . The prefix will be separated from the old message with a colon and space.

+
+ + +
+
+
+
+ +
+
+
+ + + + + \ No newline at end of file diff -Nru krb5-1.13.2+dfsg/doc/html/appdev/refs/api/krb5_principal2salt.html krb5-1.14.2+dfsg/doc/html/appdev/refs/api/krb5_principal2salt.html --- krb5-1.13.2+dfsg/doc/html/appdev/refs/api/krb5_principal2salt.html 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/html/appdev/refs/api/krb5_principal2salt.html 2016-05-30 16:14:07.000000000 +0000 @@ -15,7 +15,7 @@ + + + + + + + + + + + +
+
+ + +

MIT Kerberos Documentation

+ +
+ + Contents | + previous | + next | + index | + Search | + feedback +
+
+
+ +
+
+
+ +
+
+
+ +
+

krb5_vprepend_error_message - Add a prefix to the message for an error code using a va_list.

+
+
+void krb5_vprepend_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, va_list args)
+
+ + +++ + + + +
param:

[in] ctx - Library context

+

[in] code - Error code

+

[in] fmt - Format string for error message prefix

+

[in] args - List of vprintf(3) style arguments

+
+

This function is similar to krb5_prepend_error_message() , but uses a va_list instead of variadic arguments.

+
+ + +
+
+
+
+ +
+
+
+ + + + + \ No newline at end of file diff -Nru krb5-1.13.2+dfsg/doc/html/appdev/refs/api/krb5_vset_error_message.html krb5-1.14.2+dfsg/doc/html/appdev/refs/api/krb5_vset_error_message.html --- krb5-1.13.2+dfsg/doc/html/appdev/refs/api/krb5_vset_error_message.html 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/html/appdev/refs/api/krb5_vset_error_message.html 2016-05-30 16:14:07.000000000 +0000 @@ -15,7 +15,7 @@ + + + + + + + + + + + +
+
+ + +

MIT Kerberos Documentation

+ +
+ + Contents | + previous | + next | + index | + Search | + feedback +
+
+
+ +
+
+
+ +
+
+
+ +
+

krb5_vwrap_error_message - Add a prefix to a different error code’s message using a va_list.

+
+
+void krb5_vwrap_error_message(krb5_context ctx, krb5_error_code old_code, krb5_error_code code, const char * fmt, va_list args)
+
+ + +++ + + + +
param:

[in] ctx - Library context

+

[in] old_code - Previous error code

+

[in] code - Error code

+

[in] fmt - Format string for error message prefix

+

[in] args - List of vprintf(3) style arguments

+
+

This function is similar to krb5_wrap_error_message() , but uses a va_list instead of variadic arguments.

+
+ + +
+
+
+
+ +
+
+
+ + + + + \ No newline at end of file diff -Nru krb5-1.13.2+dfsg/doc/html/appdev/refs/api/krb5_wrap_error_message.html krb5-1.14.2+dfsg/doc/html/appdev/refs/api/krb5_wrap_error_message.html --- krb5-1.13.2+dfsg/doc/html/appdev/refs/api/krb5_wrap_error_message.html 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/html/appdev/refs/api/krb5_wrap_error_message.html 2016-05-30 16:14:07.000000000 +0000 @@ -0,0 +1,164 @@ + + + + + + + + krb5_wrap_error_message - Add a prefix to a different error code’s message. — MIT Kerberos Documentation + + + + + + + + + + + + + + + + + +
+
+ + +

MIT Kerberos Documentation

+ +
+ + Contents | + previous | + next | + index | + Search | + feedback +
+
+
+ +
+
+
+ +
+
+
+ +
+

krb5_wrap_error_message - Add a prefix to a different error code’s message.

+
+
+void krb5_wrap_error_message(krb5_context ctx, krb5_error_code old_code, krb5_error_code code, const char * fmt, ...)
+
+ + +++ + + + +
param:

[in] ctx - Library context

+

[in] old_code - Previous error code

+

[in] code - Error code

+

[in] fmt - Format string for error message prefix

+
+

Format a message and prepend it to the message for old_code . The prefix will be separated from the old message with a colon and space. Set the resulting message as the extended error message for code .

+
+ + +
+
+
+
+ +
+
+
+ + + + + \ No newline at end of file diff -Nru krb5-1.13.2+dfsg/doc/html/appdev/refs/index.html krb5-1.14.2+dfsg/doc/html/appdev/refs/index.html --- krb5-1.13.2+dfsg/doc/html/appdev/refs/index.html 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/html/appdev/refs/index.html 2016-05-30 16:14:07.000000000 +0000 @@ -15,7 +15,7 @@ + + + + + + + + + + + +
+
+ + +

MIT Kerberos Documentation

+ +
+ + Contents | + previous | + next | + index | + Search | + feedback +
+
+
+ + + + + + + \ No newline at end of file diff -Nru krb5-1.13.2+dfsg/doc/html/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html krb5-1.14.2+dfsg/doc/html/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html --- krb5-1.13.2+dfsg/doc/html/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/html/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html 2016-05-30 16:14:07.000000000 +0000 @@ -0,0 +1,162 @@ + + + + + + + + KRB5_AUTHDATA_CAMMAC — MIT Kerberos Documentation + + + + + + + + + + + + + + + + + +
+
+ + +

MIT Kerberos Documentation

+ +
+ + Contents | + previous | + next | + index | + Search | + feedback +
+
+
+ + + + + + + \ No newline at end of file diff -Nru krb5-1.13.2+dfsg/doc/html/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html krb5-1.14.2+dfsg/doc/html/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html --- krb5-1.13.2+dfsg/doc/html/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/html/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html 2016-05-30 16:14:07.000000000 +0000 @@ -15,7 +15,7 @@ + + + + + + + + + + + +
+
+ + +

MIT Kerberos Documentation

+ +
+ + Contents | + previous | + next | + index | + Search | + feedback +
+
+
+ + + + + + + \ No newline at end of file diff -Nru krb5-1.13.2+dfsg/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html krb5-1.14.2+dfsg/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html --- krb5-1.13.2+dfsg/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html 2016-05-30 16:14:07.000000000 +0000 @@ -15,7 +15,7 @@ + + + + + + + + + + + +
+
+ + +

MIT Kerberos Documentation

+ +
+ + Contents | + previous | + next | + index | + Search | + feedback +
+
+
+ + + + + + + \ No newline at end of file diff -Nru krb5-1.13.2+dfsg/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html krb5-1.14.2+dfsg/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html --- krb5-1.13.2+dfsg/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html 2016-05-30 16:14:07.000000000 +0000 @@ -15,7 +15,7 @@ + + + + + + + + + + + +
+
+ + +

MIT Kerberos Documentation

+ +
+ + Contents | + previous | + next | + index | + Search | + feedback +
+
+
+ +
+
+
+ +
+
+
+ + + + +
+
+
+
+ +
+
+
+ + + + + \ No newline at end of file diff -Nru krb5-1.13.2+dfsg/doc/html/formats/index.html krb5-1.14.2+dfsg/doc/html/formats/index.html --- krb5-1.13.2+dfsg/doc/html/formats/index.html 2015-05-13 21:11:13.000000000 +0000 +++ krb5-1.14.2+dfsg/doc/html/formats/index.html 2016-05-30 16:14:07.000000000 +0000 @@ -15,7 +15,7 @@