diff --git a/.gitignore b/.gitignore
index c78f6a3..df05a67 100644
--- a/.gitignore
+++ b/.gitignore
@@ -154,3 +154,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.15.2-pdfs.tar
 /krb5-1.15.2.tar.gz
 /krb5-1.15.2.tar.gz.asc
+/krb5-1.16-beta1-pdfs.tar
+/krb5-1.16-beta1.tar.gz
+/krb5-1.16-beta1.tar.gz.asc
diff --git a/Add-German-translation.patch b/Add-German-translation.patch
deleted file mode 100644
index bb3ecb3..0000000
--- a/Add-German-translation.patch
+++ /dev/null
@@ -1,9333 +0,0 @@ -From 914be6ccfa5e3cb52d0e0e72720eca8f2e528250 Mon Sep 17 00:00:00 2001 -From: Chris Leick -Date: Wed, 6 Apr 2016 18:14:40 -0400 -Subject: [PATCH] Add German translation - -ticket: 8515 (new) -(cherry picked from commit 0c9a4d9734c29a77d3c7ac267e8e885a75f44b4f) ---- - src/po/Makefile.in | 2 +- - src/po/de.po | 9301 ++++++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 9302 insertions(+), 1 deletion(-) - create mode 100644 src/po/de.po - -diff --git a/src/po/Makefile.in b/src/po/Makefile.in -index fdaf872a1..6753447dc 100644 ---- a/src/po/Makefile.in -+++ b/src/po/Makefile.in -@@ -18,7 +18,7 @@ ETSRCS= $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.c \ - $(BUILDTOP)/lib/krb5/error_tables/kv5m_err.c \ - $(BUILDTOP)/lib/krb5/error_tables/krb524_err.c - # This is a placeholder until we have an actual translation. --CATALOGS=en_US.mo -+CATALOGS=en_US.mo de.mo - - .SUFFIXES: .po .mo - .po.mo: -diff --git a/src/po/de.po b/src/po/de.po -new file mode 100644 -index 000000000..2144d7833 ---- /dev/null -+++ b/src/po/de.po -@@ -0,0 +1,9301 @@ -+# German translation of mit-krb5. -+# This file is distributed under the same license as the mit-krb5 package. -+# Copyright (C) 1985-2013 by the Massachusetts Institute of Technology. -+# Copyright (C) of this file 2014-2016 Chris Leick . 
-+# -+msgid "" -+msgstr "" -+"Project-Id-Version: mit-krb5 13.2\n" -+"Report-Msgid-Bugs-To: krbdev@mit.edu\n" -+"POT-Creation-Date: 2015-05-06 14:59-0400\n" -+"PO-Revision-Date: 2016-04-07 08:15+0200\n" -+"Last-Translator: Chris Leick \n" -+"Language-Team: German \n" -+"Language: de\n" -+"MIME-Version: 1.0\n" -+"Content-Type: text/plain; charset=UTF-8\n" -+"Content-Transfer-Encoding: 8bit\n" -+"Plural-Forms: nplurals=2; plural=n != 1;\n" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:62 -+#, c-format -+msgid "Usage: %s [-A] [-q] [-c cache_name]\n" -+msgstr "Aufruf: %s [-A] [-q] [-c Zwischenspeichername]\n" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:63 -+#, c-format -+msgid "\t-A destroy all credential caches in collection\n" -+msgstr "\t-A vernichtet alle Anmeldedatenzwischenspeicher in der Sammlung.\n" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:64 -+#, c-format -+msgid "\t-q quiet mode\n" -+msgstr "\t-q stiller Modus\n" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:65 -+#: ../../src/clients/kswitch/kswitch.c:45 -+#, c-format -+msgid "\t-c specify name of credentials cache\n" -+msgstr "\t-c gibt den Namen des Zwischenspeichers für Anmeldedaten an.\n" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:98 -+#: ../../src/clients/kinit/kinit.c:383 ../../src/clients/ksu/main.c:284 -+#, c-format -+msgid "Only one -c option allowed\n" -+msgstr "Nur eine »-c«-Option ist erlaubt.\n" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:105 -+#: ../../src/clients/kinit/kinit.c:412 ../../src/clients/klist/klist.c:182 -+#, c-format -+msgid "Kerberos 4 is no longer supported\n" -+msgstr "Kerberos 4 wird nicht mehr unterstützt.\n" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:126 -+#: ../../src/clients/klist/klist.c:253 ../../src/clients/ksu/main.c:131 -+#: ../../src/clients/ksu/main.c:137 ../../src/clients/kswitch/kswitch.c:97 -+#: ../../src/kadmin/ktutil/ktutil.c:52 ../../src/kdc/main.c:926 -+#: ../../src/slave/kprop.c:102 ../../src/slave/kpropd.c:1052 -+msgid "while initializing 
krb5" -+msgstr "beim Initialisieren von Krb5" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:133 -+msgid "while listing credential caches" -+msgstr "beim Auflisten der Anmeldedatenzwischenspeicher" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:140 -+msgid "composing ccache name" -+msgstr "Ccache-Name wird zusammengesetzt." -+ -+#: ../../src/clients/kdestroy/kdestroy.c:145 -+#, c-format -+msgid "while destroying cache %s" -+msgstr "beim Zerstören des Zwischenspeichers %s" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:157 -+#: ../../src/clients/kswitch/kswitch.c:104 -+#, c-format -+msgid "while resolving %s" -+msgstr "beim Auflösen von %s" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:163 -+#: ../../src/clients/kinit/kinit.c:501 ../../src/clients/klist/klist.c:460 -+msgid "while getting default ccache" -+msgstr "beim Holen des Standard-Ccaches" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:170 ../../src/clients/ksu/main.c:986 -+msgid "while destroying cache" -+msgstr "beim Zerstören des Zwischenspeichers" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:173 -+#, c-format -+msgid "Ticket cache NOT destroyed!\n" -+msgstr "Ticketzwischenspeicher NICHT vernichtet!\n" -+ -+#: ../../src/clients/kdestroy/kdestroy.c:175 -+#, c-format -+msgid "Ticket cache %cNOT%c destroyed!\n" -+msgstr "Ticketzwischenspeicher %cNICHT%c vernichtet!\n" -+ -+#: ../../src/clients/kinit/kinit.c:213 -+#, c-format -+msgid "\t-V verbose\n" -+msgstr "\t-V detaillierte Ausgabe\n" -+ -+#: ../../src/clients/kinit/kinit.c:214 -+#, c-format -+msgid "\t-l lifetime\n" -+msgstr "\t-l Lebensdauer\n" -+ -+#: ../../src/clients/kinit/kinit.c:215 -+#, c-format -+msgid "\t-s start time\n" -+msgstr "\t-s Startzeit\n" -+ -+#: ../../src/clients/kinit/kinit.c:216 -+#, c-format -+msgid "\t-r renewable lifetime\n" -+msgstr "\t-r verlängerbare Lebensdauer\n" -+ -+#: ../../src/clients/kinit/kinit.c:217 -+#, c-format -+msgid "\t-f forwardable\n" -+msgstr "\t-f weiterleitbar\n" -+ -+#: ../../src/clients/kinit/kinit.c:218 -+#, 
c-format -+msgid "\t-F not forwardable\n" -+msgstr "\t-F nicht weiterleitbar\n" -+ -+#: ../../src/clients/kinit/kinit.c:219 -+#, c-format -+msgid "\t-p proxiable\n" -+msgstr "\t-p Proxy nutzbar\n" -+ -+#: ../../src/clients/kinit/kinit.c:220 -+#, c-format -+msgid "\t-P not proxiable\n" -+msgstr "\t-P Proxy nicht nutzbar\n" -+ -+#: ../../src/clients/kinit/kinit.c:221 -+#, c-format -+msgid "\t-n anonymous\n" -+msgstr "\t-n anonym\n" -+ -+#: ../../src/clients/kinit/kinit.c:222 -+#, c-format -+msgid "\t-a include addresses\n" -+msgstr "\t-a bezieht Adressen ein.\n" -+ -+#: ../../src/clients/kinit/kinit.c:223 -+#, c-format -+msgid "\t-A do not include addresses\n" -+msgstr "\t-a bezieht Adressen nicht ein.\n" -+ -+#: ../../src/clients/kinit/kinit.c:224 -+#, c-format -+msgid "\t-v validate\n" -+msgstr "\t-v überprüft\n" -+ -+#: ../../src/clients/kinit/kinit.c:225 -+#, c-format -+msgid "\t-R renew\n" -+msgstr "\t-R erneuert\n" -+ -+#: ../../src/clients/kinit/kinit.c:226 -+#, c-format -+msgid "\t-C canonicalize\n" -+msgstr "\t-C bringt in Normalform\n" -+ -+#: ../../src/clients/kinit/kinit.c:227 -+#, c-format -+msgid "\t-E client is enterprise principal name\n" -+msgstr "\t-E Client ist der Principal-Name des Unternehmens\n" -+ -+#: ../../src/clients/kinit/kinit.c:228 -+#, c-format -+msgid "\t-k use keytab\n" -+msgstr "\t-k verwendet Schlüsseltabelle\n" -+ -+#: ../../src/clients/kinit/kinit.c:229 -+#, c-format -+msgid "\t-i use default client keytab (with -k)\n" -+msgstr "\t-i verwendet die Standardschlüsseltabelle des Clients (mit -k).\n" -+ -+#: ../../src/clients/kinit/kinit.c:230 -+#, c-format -+msgid "\t-t filename of keytab to use\n" -+msgstr "\t-t Dateiname der zu verwendenden Schlüsseltabelle\n" -+ -+#: ../../src/clients/kinit/kinit.c:231 -+#, c-format -+msgid "\t-c Kerberos 5 cache name\n" -+msgstr "\t-c Kerberos-5-Zwischenspeichername\n" -+ -+#: ../../src/clients/kinit/kinit.c:232 -+#, c-format -+msgid "\t-S service\n" -+msgstr "\t-S Dienst\n" -+ -+#: 
../../src/clients/kinit/kinit.c:233 -+#, c-format -+msgid "\t-T armor credential cache\n" -+msgstr "\t-T gehärteter Anmeldedatenzwischenspeicher\n" -+ -+#: ../../src/clients/kinit/kinit.c:234 -+#, c-format -+msgid "\t-X [=]\n" -+msgstr "\t-X [=]\n" -+ -+#: ../../src/clients/kinit/kinit.c:301 ../../src/clients/kinit/kinit.c:309 -+#, c-format -+msgid "Bad lifetime value %s\n" -+msgstr "falscher Wert für die Lebensdauer %s\n" -+ -+#: ../../src/clients/kinit/kinit.c:343 -+#, c-format -+msgid "Bad start time value %s\n" -+msgstr "falscher Wert für die Startzeit %s\n" -+ -+#: ../../src/clients/kinit/kinit.c:362 -+#, c-format -+msgid "Only one -t option allowed.\n" -+msgstr "Nur eine -t-Option ist erlaubt.\n" -+ -+#: ../../src/clients/kinit/kinit.c:370 -+#, c-format -+msgid "Only one armor_ccache\n" -+msgstr "nur ein gehärteter Ccache\n" -+ -+#: ../../src/clients/kinit/kinit.c:391 -+#, c-format -+msgid "Only one -I option allowed\n" -+msgstr "Nur eine -I-Option ist erlaubt.\n" -+ -+#: ../../src/clients/kinit/kinit.c:401 -+msgid "while adding preauth option" -+msgstr "beim Hinzufügen der Option »preauth«" -+ -+#: ../../src/clients/kinit/kinit.c:425 -+#, c-format -+msgid "Only one of -f and -F allowed\n" -+msgstr "Nur eine der Optionen -f und -F ist erlaubt.\n" -+ -+#: ../../src/clients/kinit/kinit.c:430 -+#, c-format -+msgid "Only one of -p and -P allowed\n" -+msgstr "Nur eine der Optionen -p und -P ist erlaubt.\n" -+ -+#: ../../src/clients/kinit/kinit.c:435 -+#, c-format -+msgid "Only one of -a and -A allowed\n" -+msgstr "Nur eine der Optionen -a und -A ist erlaubt.\n" -+ -+#: ../../src/clients/kinit/kinit.c:440 -+#, c-format -+msgid "Only one of -t and -i allowed\n" -+msgstr "Nur eine der Optionen -t und-i ist erlaubt.\n" -+ -+#: ../../src/clients/kinit/kinit.c:447 -+#, c-format -+msgid "keytab specified, forcing -k\n" -+msgstr "Schlüsseltabelle angegeben, -k wird erzwungen\n" -+ -+#: ../../src/clients/kinit/kinit.c:451 ../../src/clients/klist/klist.c:221 -+#, c-format 
-+msgid "Extra arguments (starting with \"%s\").\n" -+msgstr "zusätzliche Argumente (beginnend mit »%s«)\n" -+ -+#: ../../src/clients/kinit/kinit.c:480 -+msgid "while initializing Kerberos 5 library" -+msgstr "beim Initialisieren der Kerberos-5-Bibliothek" -+ -+#: ../../src/clients/kinit/kinit.c:488 ../../src/clients/kinit/kinit.c:644 -+#, c-format -+msgid "resolving ccache %s" -+msgstr "Ccache %s wird ermittelt" -+ -+#: ../../src/clients/kinit/kinit.c:493 -+#, c-format -+msgid "Using specified cache: %s\n" -+msgstr "Angegebener Zwischenspeicher wird verwendet: %s\n" -+ -+#: ../../src/clients/kinit/kinit.c:515 ../../src/clients/kinit/kinit.c:595 -+#: ../../src/clients/kpasswd/kpasswd.c:28 ../../src/clients/ksu/main.c:238 -+#, c-format -+msgid "when parsing name %s" -+msgstr "wenn der Name %s ausgewertet wird" -+ -+#: ../../src/clients/kinit/kinit.c:523 ../../src/kadmin/dbutil/kdb5_util.c:307 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:391 -+#: ../../src/slave/kprop.c:203 -+msgid "while getting default realm" -+msgstr "beim Holen des Standard-Realms" -+ -+#: ../../src/clients/kinit/kinit.c:535 -+msgid "while building principal" -+msgstr "beim Erstellen des Principals" -+ -+#: ../../src/clients/kinit/kinit.c:543 -+msgid "When resolving the default client keytab" -+msgstr "beim Auflösen der Standardschlüsseltabelle des Clients" -+ -+#: ../../src/clients/kinit/kinit.c:550 -+msgid "When determining client principal name from keytab" -+msgstr "beim Bestimmen des Dienst-Principal-Namens anhand der Schlüsseltabelle" -+ -+#: ../../src/clients/kinit/kinit.c:559 -+msgid "when creating default server principal name" -+msgstr "wenn der Standard-Principal-Name des Servers erstellt wird" -+ -+#: ../../src/clients/kinit/kinit.c:566 -+#, c-format -+msgid "(principal %s)" -+msgstr "(Principal %s)" -+ -+#: ../../src/clients/kinit/kinit.c:569 -+msgid "for local services" -+msgstr "für lokale Dienste" -+ -+#: ../../src/clients/kinit/kinit.c:590 
../../src/clients/kpasswd/kpasswd.c:42 -+#, c-format -+msgid "Unable to identify user\n" -+msgstr "Benutzer kann nicht identifiziert werden\n" -+ -+#: ../../src/clients/kinit/kinit.c:605 ../../src/clients/kswitch/kswitch.c:116 -+#, c-format -+msgid "while searching for ccache for %s" -+msgstr "beim Suchen nach Ccache für %s" -+ -+#: ../../src/clients/kinit/kinit.c:611 -+#, c-format -+msgid "Using existing cache: %s\n" -+msgstr "Existierender Zwischenspeicher wird verwendet: %s\n" -+ -+#: ../../src/clients/kinit/kinit.c:620 -+msgid "while generating new ccache" -+msgstr "beim Erstellen von neuem Ccache" -+ -+#: ../../src/clients/kinit/kinit.c:624 -+#, c-format -+msgid "Using new cache: %s\n" -+msgstr "Neuer Zwischenspeicher wird verwendet: %s\n" -+ -+#: ../../src/clients/kinit/kinit.c:636 -+#, c-format -+msgid "Using default cache: %s\n" -+msgstr "Standardzwischenspeicher wird verwendet: %s\n" -+ -+#: ../../src/clients/kinit/kinit.c:649 -+#, c-format -+msgid "Using specified input cache: %s\n" -+msgstr "Angegebener Eingabezwischenspeicher wird verwendet: %s\n" -+ -+#: ../../src/clients/kinit/kinit.c:657 ../../src/clients/ksu/krb_auth_su.c:160 -+msgid "when unparsing name" -+msgstr "beim Rückgängigmachen der Auswertung des Namens" -+ -+#: ../../src/clients/kinit/kinit.c:661 -+#, c-format -+msgid "Using principal: %s\n" -+msgstr "verwendeter Principal: %s\n" -+ -+#: ../../src/clients/kinit/kinit.c:752 -+msgid "getting local addresses" -+msgstr "Lokale Adressen werden geholt." 
-+ -+#: ../../src/clients/kinit/kinit.c:771 -+#, c-format -+msgid "while setting up KDB keytab for realm %s" -+msgstr "beim Einrichten der KDB-Schlüsseltabelle für Realm %s" -+ -+#: ../../src/clients/kinit/kinit.c:780 ../../src/clients/kvno/kvno.c:201 -+#, c-format -+msgid "resolving keytab %s" -+msgstr "Schlüsseltabelle wird ermittelt: %s" -+ -+#: ../../src/clients/kinit/kinit.c:785 -+#, c-format -+msgid "Using keytab: %s\n" -+msgstr "Schlüsseltabelle wird verwendet: %s\n" -+ -+#: ../../src/clients/kinit/kinit.c:789 -+msgid "resolving default client keytab" -+msgstr "Standardschlüsseltabelle des Clients wird ermittelt." -+ -+#: ../../src/clients/kinit/kinit.c:799 -+#, c-format -+msgid "while setting '%s'='%s'" -+msgstr "beim Setzen von »%s«=»%s«" -+ -+#: ../../src/clients/kinit/kinit.c:804 -+#, c-format -+msgid "PA Option %s = %s\n" -+msgstr "PA-Option %s = %s\n" -+ -+#: ../../src/clients/kinit/kinit.c:849 -+msgid "getting initial credentials" -+msgstr "Anfängliche Anmeldedaten werden geholt." -+ -+#: ../../src/clients/kinit/kinit.c:852 -+msgid "validating credentials" -+msgstr "Anmeldedaten werden geprüft." -+ -+#: ../../src/clients/kinit/kinit.c:855 -+msgid "renewing credentials" -+msgstr "Anmeldedaten werden erneuert." 
-+ -+#: ../../src/clients/kinit/kinit.c:860 -+#, c-format -+msgid "%s: Password incorrect while %s\n" -+msgstr "%s: Passwort bei %s falsch\n" -+ -+#: ../../src/clients/kinit/kinit.c:863 -+#, c-format -+msgid "while %s" -+msgstr "bei %s" -+ -+#: ../../src/clients/kinit/kinit.c:871 ../../src/slave/kprop.c:224 -+#, c-format -+msgid "when initializing cache %s" -+msgstr "beim Initialisieren des Zwischenspeichers %s" -+ -+#: ../../src/clients/kinit/kinit.c:876 -+#, c-format -+msgid "Initialized cache\n" -+msgstr "initialisierter Zwischenspeicher\n" -+ -+#: ../../src/clients/kinit/kinit.c:880 -+msgid "while storing credentials" -+msgstr "beim Speichern der Anmeldedaten" -+ -+#: ../../src/clients/kinit/kinit.c:884 -+#, c-format -+msgid "Stored credentials\n" -+msgstr "gespeicherte Anmeldedaten\n" -+ -+#: ../../src/clients/kinit/kinit.c:891 -+msgid "while switching to new ccache" -+msgstr "beim Wechsel zum neuen Ccache" -+ -+#: ../../src/clients/kinit/kinit.c:946 -+#, c-format -+msgid "Authenticated to Kerberos v5\n" -+msgstr "Authentifiziert für Kerberos v5\n" -+ -+#: ../../src/clients/klist/klist.c:91 -+#, c-format -+msgid "" -+"Usage: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] " -+"[name]\n" -+msgstr "" -+"Aufruf: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-" -+"K]] [Name]\n" -+ -+#: ../../src/clients/klist/klist.c:93 -+#, c-format -+msgid "\t-c specifies credentials cache\n" -+msgstr "\t-c gibt den Anmeldedatenzwischenspeicher an\n" -+ -+#: ../../src/clients/klist/klist.c:94 -+#, c-format -+msgid "\t-k specifies keytab\n" -+msgstr "\t-k gibt die Schlüsseltabelle an.\n" -+ -+#: ../../src/clients/klist/klist.c:95 -+#, c-format -+msgid "\t (Default is credentials cache)\n" -+msgstr "\t (Voreinstellung ist Anmeldedatenzwischenspeicher)\n" -+ -+#: ../../src/clients/klist/klist.c:96 -+#, c-format -+msgid "\t-i uses default client keytab if no name given\n" -+msgstr "" -+"\t-i verwendet die Standardschlüsseltabelle des Clients, 
falls kein Name " -+"angegeben wurde.\n" -+ -+#: ../../src/clients/klist/klist.c:97 -+#, c-format -+msgid "\t-l lists credential caches in collection\n" -+msgstr "\t-l listet gesammelte Anmeldedatenzwischenspeicher auf.\n" -+ -+#: ../../src/clients/klist/klist.c:98 -+#, c-format -+msgid "\t-A shows content of all credential caches\n" -+msgstr "\t-A zeigt den Inhalt aller Anmeldedatenzwischenspeicher an.\n" -+ -+#: ../../src/clients/klist/klist.c:99 -+#, c-format -+msgid "\t-e shows the encryption type\n" -+msgstr "\t-e zeigt den Verschlüsselungstyp.\n" -+ -+#: ../../src/clients/klist/klist.c:100 -+#, c-format -+msgid "\t-V shows the Kerberos version and exits\n" -+msgstr "\t-V zeigt die Kerberos-Version und wird beendet.\n" -+ -+#: ../../src/clients/klist/klist.c:101 -+#, c-format -+msgid "\toptions for credential caches:\n" -+msgstr "\tOptionen für Anmeldedatenzwischenspeicher:\n" -+ -+#: ../../src/clients/klist/klist.c:102 -+#, c-format -+msgid "\t\t-d shows the submitted authorization data types\n" -+msgstr "\t\t-d zeigt die übertragenen Autorisierungsdatentypen.\n" -+ -+#: ../../src/clients/klist/klist.c:104 -+#, c-format -+msgid "\t\t-f shows credentials flags\n" -+msgstr "t\t-f zeigt die Anmeldedatenschalter.\n" -+ -+#: ../../src/clients/klist/klist.c:105 -+#, c-format -+msgid "\t\t-s sets exit status based on valid tgt existence\n" -+msgstr "" -+"\t\t-s setzt den Exit-Status auf Basis der Existenz eines gültigen TGTs.\n" -+ -+#: ../../src/clients/klist/klist.c:107 -+#, c-format -+msgid "\t\t-a displays the address list\n" -+msgstr "\t\t-a zeigt die Adressliste.\n" -+ -+#: ../../src/clients/klist/klist.c:108 -+#, c-format -+msgid "\t\t\t-n do not reverse-resolve\n" -+msgstr "\t\t\t-n löst nicht rückwärts auf.\n" -+ -+#: ../../src/clients/klist/klist.c:109 -+#, c-format -+msgid "\toptions for keytabs:\n" -+msgstr "\tOptionen für Schlüsseltabellen:\n" -+ -+#: ../../src/clients/klist/klist.c:110 -+#, c-format -+msgid "\t\t-t shows keytab entry timestamps\n" 
-+msgstr "\t\t-t zeigt die Zeitstempel der Schlüsseltabelleneinträge.\n" -+ -+#: ../../src/clients/klist/klist.c:111 -+#, c-format -+msgid "\t\t-K shows keytab entry keys\n" -+msgstr "\t\t-K zeigt die Schlüssel der Schlüsseltabelleneinträge.\n" -+ -+#: ../../src/clients/klist/klist.c:230 -+#, c-format -+msgid "%s version %s\n" -+msgstr "%s Version %s\n" -+ -+#: ../../src/clients/klist/klist.c:282 -+msgid "while getting default client keytab" -+msgstr "beim Holen der Standardschlüsseltabelle des Clients" -+ -+#: ../../src/clients/klist/klist.c:287 -+msgid "while getting default keytab" -+msgstr "beim Holen der Standardschlüsseltabelle" -+ -+#: ../../src/clients/klist/klist.c:292 ../../src/kadmin/cli/keytab.c:108 -+#, c-format -+msgid "while resolving keytab %s" -+msgstr "beim Ermitteln der Schlüsseltabelle %s" -+ -+#: ../../src/clients/klist/klist.c:298 ../../src/kadmin/cli/keytab.c:92 -+msgid "while getting keytab name" -+msgstr "beim Holen des Schlüsseltabellennamens" -+ -+#: ../../src/clients/klist/klist.c:305 ../../src/kadmin/cli/keytab.c:399 -+msgid "while starting keytab scan" -+msgstr "beim Start des Schlüsseltabellen-Scans" -+ -+#: ../../src/clients/klist/klist.c:326 ../../src/clients/klist/klist.c:500 -+#: ../../src/clients/ksu/ccache.c:465 ../../src/kadmin/dbutil/dump.c:550 -+msgid "while unparsing principal name" -+msgstr "beim Rückgängigmachen des Auswertens des Principal-Namens" -+ -+#: ../../src/clients/klist/klist.c:350 ../../src/kadmin/cli/keytab.c:443 -+msgid "while scanning keytab" -+msgstr "beim Scannen der Schlüsseltabelle" -+ -+#: ../../src/clients/klist/klist.c:354 ../../src/kadmin/cli/keytab.c:448 -+msgid "while ending keytab scan" -+msgstr "beim Beenden des Schlüsseltabellen-Scans" -+ -+#: ../../src/clients/klist/klist.c:371 ../../src/clients/klist/klist.c:434 -+msgid "while listing ccache collection" -+msgstr "beim Aufführen der Ccache-Sammlung" -+ -+#: ../../src/clients/klist/klist.c:411 -+msgid "(Expired)" -+msgstr "(abgelaufen)" -+ -+#: 
../../src/clients/klist/klist.c:466 -+#, c-format -+msgid "while resolving ccache %s" -+msgstr "beim Ermitteln des Ccaches %s" -+ -+#: ../../src/clients/klist/klist.c:504 -+#, c-format -+msgid "" -+"Ticket cache: %s:%s\n" -+"Default principal: %s\n" -+"\n" -+msgstr "" -+"Ticketzwischenspeicher: %s:%s\n" -+"Standard-Principal: %s\n" -+"\n" -+ -+#: ../../src/clients/klist/klist.c:518 -+msgid "while starting to retrieve tickets" -+msgstr "während das Abfragen der Tickets beginnt" -+ -+#: ../../src/clients/klist/klist.c:539 -+msgid "while finishing ticket retrieval" -+msgstr "während das Abfragem der Tickets endet" -+ -+#: ../../src/clients/klist/klist.c:545 -+msgid "while closing ccache" -+msgstr "beim Schließen des Ccaches" -+ -+#: ../../src/clients/klist/klist.c:555 -+msgid "while retrieving a ticket" -+msgstr "beim Abfragen eines Tickets" -+ -+#: ../../src/clients/klist/klist.c:667 ../../src/clients/ksu/ccache.c:450 -+#: ../../src/slave/kpropd.c:1225 ../../src/slave/kpropd.c:1285 -+msgid "while unparsing client name" -+msgstr "beim Rückgängigmachen des Auswertens des Client-Namens" -+ -+#: ../../src/clients/klist/klist.c:672 ../../src/clients/ksu/ccache.c:455 -+#: ../../src/slave/kprop.c:240 -+msgid "while unparsing server name" -+msgstr "beim Rückgängigmachen des Auswertens des Server-Namens" -+ -+#: ../../src/clients/klist/klist.c:701 ../../src/clients/ksu/ccache.c:480 -+#, c-format -+msgid "\tfor client %s" -+msgstr "\tfür Client %s" -+ -+#: ../../src/clients/klist/klist.c:713 ../../src/clients/ksu/ccache.c:489 -+msgid "renew until " -+msgstr "erneuern bis " -+ -+#: ../../src/clients/klist/klist.c:730 ../../src/clients/ksu/ccache.c:499 -+#, c-format -+msgid "Flags: %s" -+msgstr "Schalter: %s" -+ -+#: ../../src/clients/klist/klist.c:749 -+#, c-format -+msgid "Etype (skey, tkt): %s, " -+msgstr "Etype (Skey, TKT): %s, " -+ -+#: ../../src/clients/klist/klist.c:766 -+#, c-format -+msgid "AD types: " -+msgstr "AD-Typen" -+ -+#: ../../src/clients/klist/klist.c:783 -+#, 
c-format -+msgid "\tAddresses: (none)\n" -+msgstr "\tAdressen: (keine)\n" -+ -+#: ../../src/clients/klist/klist.c:785 -+#, c-format -+msgid "\tAddresses: " -+msgstr "\tAdressen: " -+ -+#: ../../src/clients/klist/klist.c:818 -+#, c-format -+msgid "broken address (type %d length %d)" -+msgstr "kaputte Adresse (Typ %d Länge %d)" -+ -+#: ../../src/clients/klist/klist.c:838 -+#, c-format -+msgid "unknown addrtype %d" -+msgstr "unbekannter »addrtype« %d" -+ -+#: ../../src/clients/klist/klist.c:847 -+#, c-format -+msgid "unprintable address (type %d, error %d %s)" -+msgstr "nicht druckbare Adresse (Typ %d Fehler %d %s)" -+ -+#: ../../src/clients/kpasswd/kpasswd.c:12 ../../src/lib/krb5/krb/gic_pwd.c:396 -+msgid "Enter new password" -+msgstr "Geben Sie ein neues Passwort ein." -+ -+#: ../../src/clients/kpasswd/kpasswd.c:13 ../../src/lib/krb5/krb/gic_pwd.c:404 -+msgid "Enter it again" -+msgstr "Geben Sie es erneut ein." -+ -+#: ../../src/clients/kpasswd/kpasswd.c:33 -+#, c-format -+msgid "Unable to identify user from password file\n" -+msgstr "" -+"Der Benutzer kann nicht anhand der Passwortdatei identifiziert werden.\n" -+ -+#: ../../src/clients/kpasswd/kpasswd.c:65 -+#, c-format -+msgid "usage: %s [principal]\n" -+msgstr "Aufruf: %s [Principal]\n" -+ -+#: ../../src/clients/kpasswd/kpasswd.c:73 -+msgid "initializing kerberos library" -+msgstr "Kerberos-Bibliothek wird initialisiert." -+ -+#: ../../src/clients/kpasswd/kpasswd.c:77 -+msgid "allocating krb5_get_init_creds_opt" -+msgstr "krb5_get_init_creds_opt wird reserviert." -+ -+#: ../../src/clients/kpasswd/kpasswd.c:92 -+msgid "opening default ccache" -+msgstr "Standard-Ccache wird geöffnet." -+ -+#: ../../src/clients/kpasswd/kpasswd.c:97 -+msgid "getting principal from ccache" -+msgstr "Principal wird vom Ccache geholt." 
-+ -+#: ../../src/clients/kpasswd/kpasswd.c:104 -+msgid "while setting FAST ccache" -+msgstr "beim Setzen des FAST-Ccaches" -+ -+#: ../../src/clients/kpasswd/kpasswd.c:111 -+msgid "closing ccache" -+msgstr "Ccache wird geschlossen." -+ -+#: ../../src/clients/kpasswd/kpasswd.c:118 -+msgid "parsing client name" -+msgstr "Client-Name wird ausgewertet." -+ -+#: ../../src/clients/kpasswd/kpasswd.c:135 -+msgid "Password incorrect while getting initial ticket" -+msgstr "Passwort beim Holen des anfänglichen Tickets falsch" -+ -+#: ../../src/clients/kpasswd/kpasswd.c:137 -+msgid "getting initial ticket" -+msgstr "Anfängliches Ticket wird geholt." -+ -+#: ../../src/clients/kpasswd/kpasswd.c:144 -+msgid "while reading password" -+msgstr "beim Lesen des Passworts" -+ -+#: ../../src/clients/kpasswd/kpasswd.c:152 -+msgid "changing password" -+msgstr "Passwort wird geändert." -+ -+#: ../../src/clients/kpasswd/kpasswd.c:174 -+#: ../lib/kadm5/chpass_util_strings.c:30 -+#, c-format -+msgid "Password changed.\n" -+msgstr "Passwort geändert\n" -+ -+#: ../../src/clients/ksu/authorization.c:369 -+#, c-format -+msgid "" -+"Error: bad entry - %s in %s file, must be either full path or just the cmd " -+"name\n" -+msgstr "" -+"Fehler: falscher Eintrag – %s in Datei %s muss entweder ein vollständiger " -+"Pfad oder nur ein Befehlsname sein.\n" -+ -+#: ../../src/clients/ksu/authorization.c:377 -+#, c-format -+msgid "" -+"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH " -+"must be defined \n" -+msgstr "" -+"Fehler: falscher Eintrag – %s in Datei %s. Da %s nur ein Befehlsname ist, " -+"muss CMD_PATH definiert sein.\n" -+ -+#: ../../src/clients/ksu/authorization.c:392 -+#, c-format -+msgid "Error: bad entry - %s in %s file, CMD_PATH contains no paths \n" -+msgstr "" -+"Fehler: falscher Eintrag – %s in Datei %s. 
CMD_PATH enthält keine Pfade.\n" -+ -+#: ../../src/clients/ksu/authorization.c:401 -+#, c-format -+msgid "Error: bad path %s in CMD_PATH for %s must start with '/' \n" -+msgstr "Fehler: falscher Pfad %s in CMD_PATH für %s muss mit »/« beginnen\n" -+ -+#: ../../src/clients/ksu/authorization.c:517 -+msgid "Error: not found -> " -+msgstr "Fehler: nicht gefunden -> " -+ -+#: ../../src/clients/ksu/authorization.c:723 -+#, c-format -+msgid "home directory name `%s' too long, can't search for .k5login\n" -+msgstr "" -+"Name des Home-Verzeichnisses »%s« ist zu lang, Suche nach .k5login nicht " -+"möglich\n" -+ -+#: ../../src/clients/ksu/ccache.c:368 -+#, c-format -+msgid "home directory path for %s too long\n" -+msgstr "Home-Verzeichnispfad für %s zu lang\n" -+ -+#: ../../src/clients/ksu/ccache.c:461 -+msgid "while retrieving principal name" -+msgstr "beim Abfragen des Principal-Namens" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:57 -+#: ../../src/clients/ksu/krb_auth_su.c:62 ../../src/slave/kprop.c:247 -+msgid "while copying client principal" -+msgstr "beim Kopieren des Client-Principals" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:69 -+msgid "while creating tgt for local realm" -+msgstr "beim Erstellen des TGTs für lokalen Realm" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:84 -+msgid "while retrieving creds from cache" -+msgstr "beim Abfragen der Anmeldedaten aus dem Zwischenspeicher" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:95 -+msgid "while switching to target uid" -+msgstr "beim Umschalten auf die Ziel-UID" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:100 -+#, c-format -+msgid "" -+"WARNING: Your password may be exposed if you enter it here and are logged \n" -+msgstr "" -+"WARNUNG: Ihr Passwort könnte offengelegt werden, falls Sie es hier eingeben " -+"und\n" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:102 -+#, c-format -+msgid " in remotely using an unsecure (non-encrypted) channel. 
\n" -+msgstr "" -+" in der Ferne mittels eines unsicheren (unverschlüsselten) Kanals\n" -+" angemeldet sind.\n" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:114 ../../src/clients/ksu/main.c:464 -+msgid "while reclaiming root uid" -+msgstr "beim erneuten Beanspruchen der Root-UID" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:121 -+#, c-format -+msgid "does not have any appropriate tickets in the cache.\n" -+msgstr "hat keine geeigneten Tickets im Zwischenspeicher.\n" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:133 -+msgid "while verifying ticket for server" -+msgstr "beim Prüfen des Tickets für Server" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:167 -+msgid "while getting time of day" -+msgstr "beim Holen der Tageszeit" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:171 -+#, c-format -+msgid "Kerberos password for %s: " -+msgstr "Kerberos-Passwort für %s: " -+ -+#: ../../src/clients/ksu/krb_auth_su.c:175 -+#, c-format -+msgid "principal name %s too long for internal buffer space\n" -+msgstr "Principal-Name %s für den internen Pufferbereich zu groß\n" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:184 -+#, c-format -+msgid "while reading password for '%s'\n" -+msgstr "beim Lesen des Passworts für »%s«\n" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:191 -+#, c-format -+msgid "No password given\n" -+msgstr "kein Passwort angegeben\n" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:204 -+#, c-format -+msgid "%s: Password incorrect\n" -+msgstr "%s: Passwort falsch\n" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:206 -+msgid "while getting initial credentials" -+msgstr "beim Holen der Anfangsanmeldedaten" -+ -+#: ../../src/clients/ksu/krb_auth_su.c:226 -+#: ../../src/clients/ksu/krb_auth_su.c:240 -+#, c-format -+msgid " %s while unparsing name\n" -+msgstr "%s beim Rückgängigmachen der Namensauswertung\n" -+ -+#: ../../src/clients/ksu/main.c:68 -+#, c-format -+msgid "" -+"Usage: %s [target user] [-n principal] [-c source cachename] [-k] [-D] [-r " -+"time] [-pf] [-l lifetime] [-zZ] [-q] 
[-e command [args... ] ] [-a " -+"[args... ] ]\n" -+msgstr "" -+"Aufruf: %s [Zielbenutzer] [-n Principal] [-c Quellenzwischenspeichername] [-" -+"k] [-D] [-r Zeit] [-pf] [-l Lebensdauer] [-zZ] [-q] [-e Befehl [Argumente " -+"…] ] [-a [Argumente …] ]\n" -+ -+#: ../../src/clients/ksu/main.c:147 -+msgid "" -+"program name too long - quitting to avoid triggering system logging bugs" -+msgstr "" -+"Programmname zu lang – wird beendet, um das Auslösen von " -+"Systemprotokollierungsfehlern zu vermeiden" -+ -+#: ../../src/clients/ksu/main.c:173 -+msgid "while allocating memory" -+msgstr "bei Reservieren von Speicher" -+ -+#: ../../src/clients/ksu/main.c:186 -+msgid "while setting euid to source user" -+msgstr "beim Setzen der EUID auf dem Quellbenutzer" -+ -+#: ../../src/clients/ksu/main.c:196 ../../src/clients/ksu/main.c:231 -+#, c-format -+msgid "Bad lifetime value (%s hours?)\n" -+msgstr "falscher Wert für Lebensdauer (%s Stunden?)\n" -+ -+#: ../../src/clients/ksu/main.c:208 ../../src/clients/ksu/main.c:292 -+msgid "when gathering parameters" -+msgstr "beim Zusammenstellen der Parameter" -+ -+#: ../../src/clients/ksu/main.c:251 -+#, c-format -+msgid "-z option is mutually exclusive with -Z.\n" -+msgstr "Die Optionen -z und -Z schließen sich gegenseitig aus.\n" -+ -+#: ../../src/clients/ksu/main.c:259 -+#, c-format -+msgid "-Z option is mutually exclusive with -z.\n" -+msgstr "Die Optionen -Z und -z schließen sich gegenseitig aus.\n" -+ -+#: ../../src/clients/ksu/main.c:272 -+#, c-format -+msgid "while looking for credentials cache %s" -+msgstr "beim Suchen nach dem Anmeldedatenzwischenspeicher %s" -+ -+#: ../../src/clients/ksu/main.c:278 -+#, c-format -+msgid "malformed credential cache name %s\n" -+msgstr "falsch gebildeter Anmeldedatenzwischenspeichername %s\n" -+ -+# ksu ist eine Kerberos-Variante von su -+#: ../../src/clients/ksu/main.c:336 -+#, c-format -+msgid "ksu: who are you?\n" -+msgstr "ksu: Wer sind Sie?\n" -+ -+#: ../../src/clients/ksu/main.c:340 -+#, 
c-format -+msgid "Your uid doesn't match your passwd entry?!\n" -+msgstr "Ihre UID passt nicht zu Ihrem Passworteintrag.\n" -+ -+#: ../../src/clients/ksu/main.c:355 -+#, c-format -+msgid "ksu: unknown login %s\n" -+msgstr "ksu: unbekannter Anmeldename %s\n" -+ -+#: ../../src/clients/ksu/main.c:375 -+msgid "while getting source cache" -+msgstr "beim Holen des Quellenzwischenspeichers" -+ -+#: ../../src/clients/ksu/main.c:381 ../../src/clients/kvno/kvno.c:194 -+msgid "while opening ccache" -+msgstr "beim Öffnen des Ccaches" -+ -+#: ../../src/clients/ksu/main.c:389 -+msgid "while selecting the best principal" -+msgstr "beim Auswählen des besten Principals" -+ -+#: ../../src/clients/ksu/main.c:397 -+msgid "while returning to source uid after finding best principal" -+msgstr "" -+"bei der Rückkehr zur Quell-UID, nachdem der beste Principal gefunden wurde" -+ -+#: ../../src/clients/ksu/main.c:417 -+#, c-format -+msgid "account %s: authorization failed\n" -+msgstr "Konto %s: Autorisierung fehlgeschlagen\n" -+ -+#: ../../src/clients/ksu/main.c:442 -+msgid "while parsing temporary name" -+msgstr "beim Auswertens des temporären Namens" -+ -+#: ../../src/clients/ksu/main.c:447 -+msgid "while creating temporary cache" -+msgstr "bei Erstellen des temporären Zwischenspeichers" -+ -+#: ../../src/clients/ksu/main.c:453 ../../src/clients/ksu/main.c:693 -+#, c-format -+msgid "while copying cache %s to %s" -+msgstr "beim Kopieren des Zwischenspeichers %s nach %s" -+ -+#: ../../src/clients/ksu/main.c:471 -+#, c-format -+msgid "" -+"WARNING: Your password may be exposed if you enter it here and are logged\n" -+msgstr "" -+"WARNUNG: Ihr Passwort könnte offengelegt werden, falls Sie es hier eingeben " -+"und\n" -+ -+#: ../../src/clients/ksu/main.c:473 -+#, c-format -+msgid " in remotely using an unsecure (non-encrypted) channel.\n" -+msgstr "" -+" in der Ferne über einen unsicheren (unverschlüsselten) Kanal " -+"angemeldet\n" -+"sind.\n" -+ -+#: ../../src/clients/ksu/main.c:479 -+#, 
c-format -+msgid "Goodbye\n" -+msgstr "Auf Wiedersehen\n" -+ -+#: ../../src/clients/ksu/main.c:483 -+#, c-format -+msgid "Could not get a tgt for " -+msgstr "Es konnte kein TGT geholt werden für " -+ -+#: ../../src/clients/ksu/main.c:505 -+#, c-format -+msgid "Authentication failed.\n" -+msgstr "Authentifizierung fehlgeschlagen.\n" -+ -+#: ../../src/clients/ksu/main.c:513 -+msgid "When unparsing name" -+msgstr "beim Rückgängigmachen der Namensauswertung" -+ -+#: ../../src/clients/ksu/main.c:517 -+#, c-format -+msgid "Authenticated %s\n" -+msgstr "Authentifiziert %s\n" -+ -+#: ../../src/clients/ksu/main.c:524 -+msgid "while switching to target for authorization check" -+msgstr "beim Wechsel des Ziels der Autorisierungsprüfung" -+ -+#: ../../src/clients/ksu/main.c:531 -+msgid "while checking authorization" -+msgstr "beim Prüfen der Autorisierung" -+ -+#: ../../src/clients/ksu/main.c:537 -+msgid "while switching back from target after authorization check" -+msgstr "beim Zurückwechsel vom Ziel nach der Autorisierungsprüfung" -+ -+#: ../../src/clients/ksu/main.c:544 -+#, c-format -+msgid "Account %s: authorization for %s for execution of\n" -+msgstr "Konto %s: Autorisierung für %s zum Ausführen von\n" -+ -+#: ../../src/clients/ksu/main.c:546 -+#, c-format -+msgid " %s successful\n" -+msgstr " %s erfolgreich\n" -+ -+#: ../../src/clients/ksu/main.c:552 -+#, c-format -+msgid "Account %s: authorization for %s successful\n" -+msgstr "Konto %s: Autorisierung für %s erfolgreich\n" -+ -+#: ../../src/clients/ksu/main.c:564 -+#, c-format -+msgid "Account %s: authorization for %s for execution of %s failed\n" -+msgstr "Konto %s: Autorisierung für %s zum Ausführen von %s fehlgeschlagen\n" -+ -+#: ../../src/clients/ksu/main.c:572 -+#, c-format -+msgid "Account %s: authorization of %s failed\n" -+msgstr "Konto %s: Autorisierung von %s fehlgeschlagen\n" -+ -+#: ../../src/clients/ksu/main.c:587 -+msgid "while calling cc_filter" -+msgstr "beim Aufruf von »cc_filter«" -+ -+#: 
../../src/clients/ksu/main.c:595 -+msgid "while erasing target cache" -+msgstr "bei Löschen des Zielzwischenspeichers" -+ -+#: ../../src/clients/ksu/main.c:615 -+#, c-format -+msgid "ksu: permission denied (shell).\n" -+msgstr "ksu: Zugriff verweigert (Shell)\n" -+ -+#: ../../src/clients/ksu/main.c:624 -+#, c-format -+msgid "ksu: couldn't set environment variable USER\n" -+msgstr "ksu: Umgebungsvariable USER kann nicht gesetzt werden\n" -+ -+#: ../../src/clients/ksu/main.c:630 -+#, c-format -+msgid "ksu: couldn't set environment variable HOME\n" -+msgstr "ksu: Umgebungsvariable HOME kann nicht gesetzt werden\n" -+ -+#: ../../src/clients/ksu/main.c:635 -+#, c-format -+msgid "ksu: couldn't set environment variable SHELL\n" -+msgstr "ksu: Umgebungsvariable SHELL kann nicht gesetzt werden\n" -+ -+#: ../../src/clients/ksu/main.c:646 -+#, c-format -+msgid "ksu: initgroups failed.\n" -+msgstr "ksu: »initgroups« fehlgeschlagen\n" -+ -+#: ../../src/clients/ksu/main.c:651 -+#, c-format -+msgid "Leaving uid as %s (%ld)\n" -+msgstr "UID bleibt %s (%ld)\n" -+ -+#: ../../src/clients/ksu/main.c:654 -+#, c-format -+msgid "Changing uid to %s (%ld)\n" -+msgstr "UID wird zu %s (%ld) geändert\n" -+ -+#: ../../src/clients/ksu/main.c:680 -+msgid "while getting name of target ccache" -+msgstr "beim Holen des Ziel-Ccache-Namens" -+ -+#: ../../src/clients/ksu/main.c:700 -+#, c-format -+msgid "%s does not have correct permissions for %s, %s aborted" -+msgstr "%s hat nicht die korrekten Rechte für %s, %s wird abgebrochen." 
-+ -+#: ../../src/clients/ksu/main.c:721 -+#, c-format -+msgid "Internal error: command %s did not get resolved\n" -+msgstr "Interner Fehler: Befehl %s wurde nicht aufgelöst\n" -+ -+#: ../../src/clients/ksu/main.c:738 ../../src/clients/ksu/main.c:774 -+#, c-format -+msgid "while trying to execv %s" -+msgstr "beim Versuch von »execv %s«" -+ -+#: ../../src/clients/ksu/main.c:764 -+msgid "while calling waitpid" -+msgstr "beim Aufruf von »waitpid«" -+ -+#: ../../src/clients/ksu/main.c:769 -+msgid "while trying to fork." -+msgstr "beim Versuch zu verzweigen." -+ -+#: ../../src/clients/ksu/main.c:791 -+msgid "while reading cache name from ccache" -+msgstr "beim Lesen des Zwischenspeichernamens aus dem Ccache" -+ -+#: ../../src/clients/ksu/main.c:797 -+#, c-format -+msgid "ksu: couldn't set environment variable %s\n" -+msgstr "ksu: Umgebungsvariable %s kann nicht gesetzt werden\n" -+ -+#: ../../src/clients/ksu/main.c:820 -+#, c-format -+msgid "while clearing the value of %s" -+msgstr "beim Leeren des Werts von %s" -+ -+#: ../../src/clients/ksu/main.c:828 -+msgid "while resetting target ccache name" -+msgstr "beim Zurücksetzen des Ziel-Ccache-Namens" -+ -+#: ../../src/clients/ksu/main.c:842 -+msgid "while determining target ccache name" -+msgstr "beim Bestimmen des Ziel-Ccache-Namens" -+ -+#: ../../src/clients/ksu/main.c:881 -+msgid "while generating part of the target ccache name" -+msgstr "beim Erzeugen eines Teils des Ziel-Ccache-Namens" -+ -+#: ../../src/clients/ksu/main.c:887 -+msgid "while allocating memory for the target ccache name" -+msgstr "beim Reservieren von Speicher für den Ziel-Ccache-Namen" -+ -+#: ../../src/clients/ksu/main.c:906 -+msgid "while creating new target ccache" -+msgstr "bei Erstellen von neuem Ziel-Ccache" -+ -+#: ../../src/clients/ksu/main.c:912 -+msgid "while initializing target cache" -+msgstr "beim Initialisieren des Zielzwischenspeichers" -+ -+#: ../../src/clients/ksu/main.c:952 -+#, c-format -+msgid "terminal name %s too long\n" -+msgstr 
"Terminal-Name %s ist zu lang.\n" -+ -+#: ../../src/clients/ksu/main.c:980 -+msgid "while changing to target uid for destroying ccache" -+msgstr "beim Ändern der Ziel-UID für das Zerstören von Ccache" -+ -+#: ../../src/clients/kswitch/kswitch.c:44 -+#, c-format -+msgid "Usage: %s {-c cache_name | -p principal}\n" -+msgstr "Aufruf: %s {-c Zwischenspeichername | -p Principal}\n" -+ -+#: ../../src/clients/kswitch/kswitch.c:46 -+#, c-format -+msgid "\t-p specify name of principal\n" -+msgstr "\t-p gibt den Namen des Principals an.\n" -+ -+#: ../../src/clients/kswitch/kswitch.c:69 -+#, c-format -+msgid "Only one -c or -p option allowed\n" -+msgstr "Nur eine der Optionen -c oder -p ist erlaubt.\n" -+ -+#: ../../src/clients/kswitch/kswitch.c:88 -+#, c-format -+msgid "One of -c or -p must be specified\n" -+msgstr "Entweder -c oder -p muss angegeben werden.\n" -+ -+#: ../../src/clients/kswitch/kswitch.c:110 ../../src/clients/kvno/kvno.c:211 -+#: ../../src/clients/kvno/kvno.c:245 ../../src/kadmin/cli/keytab.c:350 -+#: ../../src/kadmin/dbutil/kdb5_util.c:576 -+#, c-format -+msgid "while parsing principal name %s" -+msgstr "beim Auswerten des Principal-Namens %s" -+ -+#: ../../src/clients/kswitch/kswitch.c:124 -+msgid "while switching to credential cache" -+msgstr "beim Wechsel auf den Anmeldedatenzwischenspeicher" -+ -+#: ../../src/clients/kvno/kvno.c:46 -+#, c-format -+msgid "usage: %s [-C] [-u] [-c ccache] [-e etype]\n" -+msgstr "Aufruf: %s [-C] [-u] [-c Ccache] [-e Etype]\n" -+ -+#: ../../src/clients/kvno/kvno.c:47 -+#, c-format -+msgid "\t[-k keytab] [-S sname] [-U for_user [-P]]\n" -+msgstr "\t[-k Schlüsseltabelle] [-S Sname] [-U für_Benutzer [-P]]\n" -+ -+#: ../../src/clients/kvno/kvno.c:48 -+#, c-format -+msgid "\tservice1 service2 ...\n" -+msgstr "\tDienst1 Dienst2 …\n" -+ -+#: ../../src/clients/kvno/kvno.c:103 ../../src/clients/kvno/kvno.c:111 -+#, c-format -+msgid "Options -u and -S are mutually exclusive\n" -+msgstr "Die Optionen -u und -S schließen sich 
gegenseitig aus.\n" -+ -+#: ../../src/clients/kvno/kvno.c:126 -+#, c-format -+msgid "Option -P (constrained delegation) requires keytab to be specified\n" -+msgstr "" -+"Die Option -P (eingeschränkte Abtretung) erfordert zur Angabe eine " -+"Schlüsseltabelle.\n" -+ -+#: ../../src/clients/kvno/kvno.c:130 -+#, c-format -+msgid "" -+"Option -P (constrained delegation) requires option -U (protocol transition)\n" -+msgstr "" -+"Die Option -P (eingeschränkte Abtretung) erfordert die Option -U " -+"(Protokollübergang)\n" -+ -+#: ../../src/clients/kvno/kvno.c:175 ../../src/kadmin/cli/kadmin.c:280 -+msgid "while initializing krb5 library" -+msgstr "beim Initialisieren der Krb5-Bibliothek" -+ -+#: ../../src/clients/kvno/kvno.c:182 -+msgid "while converting etype" -+msgstr "bei der Etype-Umwandlung" -+ -+#: ../../src/clients/kvno/kvno.c:218 -+msgid "while getting client principal name" -+msgstr "beim Holen des Client-Principal-Namens" -+ -+#: ../../src/clients/kvno/kvno.c:256 -+#, c-format -+msgid "while formatting parsed principal name for '%s'" -+msgstr "beim Formatieren des ausgewerteten Principal-Namens für »%s«" -+ -+#: ../../src/clients/kvno/kvno.c:267 -+msgid "client and server principal names must match" -+msgstr "Die Principal-Namen von Client und Server müssen übereinstimmen." 
-+ -+#: ../../src/clients/kvno/kvno.c:284 -+#, c-format -+msgid "while getting credentials for %s" -+msgstr "beim Holen der Anmeldedaten für %s" -+ -+#: ../../src/clients/kvno/kvno.c:291 -+#, c-format -+msgid "while decoding ticket for %s" -+msgstr "beim Dekodieren des Tickets für %s" -+ -+#: ../../src/clients/kvno/kvno.c:302 -+#, c-format -+msgid "while decrypting ticket for %s" -+msgstr "beim Entschlüsseln des Tickets für %s" -+ -+#: ../../src/clients/kvno/kvno.c:306 -+#, c-format -+msgid "%s: kvno = %d, keytab entry valid\n" -+msgstr "%s: KVNO = %d, Schlüsseltabelleneintrag gültig\n" -+ -+#: ../../src/clients/kvno/kvno.c:324 -+#, c-format -+msgid "%s: constrained delegation failed" -+msgstr "%s: eingeschränkte Abtretung fehlgeschlagen" -+ -+#: ../../src/clients/kvno/kvno.c:330 -+#, c-format -+msgid "%s: kvno = %d\n" -+msgstr "%s: KVNO = %d\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:118 -+#, c-format -+msgid "" -+"Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n" -+"\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]|[-n]\n" -+"\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n" -+"where,\n" -+"\t[-x db_args]* - any number of database specific arguments.\n" -+"\t\t\tLook at each database documentation for supported arguments\n" -+msgstr "" -+"Aufruf: %s [-r Realm] [-p Principal] [-q Abfrage] [clnt|lokale Argumente]\n" -+"\tclnt Argumente: [-s Admin-Server[:Port]] [[-c Ccache]|\n" -+"\t[-k [-t Schlüsseltabelle]]]|[-n] lokale Argumente: [-x DB-Argumente]*\n" -+"\t[-d Datenbankname] [-e \"enc:Salt …\"] [-m]\n" -+"wobei\n" -+"\t[-x DB-Argumente]* - eine beliebige Anzahl datenbankspezifischer " -+"Argumente\n" -+"\tist. Die unterstützten Argumente finden Sie in den jeweiligen " -+"\tDatenbankdokumentationen\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:292 ../../src/kadmin/cli/kadmin.c:333 -+#, c-format -+msgid "%s: Cannot initialize. 
Not enough memory\n" -+msgstr "%s: Zu wenig Speicher zum Initialisieren\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:353 ../../src/kadmin/cli/kadmin.c:804 -+#: ../../src/kadmin/cli/kadmin.c:1084 ../../src/kadmin/cli/kadmin.c:1634 -+#: ../../src/kadmin/cli/keytab.c:159 ../../src/kadmin/dbutil/kdb5_util.c:591 -+#, c-format -+msgid "while parsing keysalts %s" -+msgstr "beim Auswerten der Schlüssel-Salts %s" -+ -+#: ../../src/kadmin/cli/kadmin.c:376 -+#, c-format -+msgid "%s: unable to get default realm\n" -+msgstr "%s: Standard-Realm kann nicht geholt werden\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:396 -+msgid "while opening default credentials cache" -+msgstr "beim Öffnen des Standardanmeldedatenzwischenspeichers" -+ -+#: ../../src/kadmin/cli/kadmin.c:402 -+#, c-format -+msgid "while opening credentials cache %s" -+msgstr "beim Öffnen des Anmeldedatenzwischenspeichers %s" -+ -+#: ../../src/kadmin/cli/kadmin.c:424 ../../src/kadmin/cli/kadmin.c:479 -+#: ../../src/kadmin/cli/kadmin.c:487 ../../src/kadmin/cli/kadmin.c:494 -+#, c-format -+msgid "%s: out of memory\n" -+msgstr "%s: Speicherplatz reicht nicht aus\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:433 ../../src/kadmin/cli/kadmin.c:448 -+#: ../../src/slave/kpropd.c:681 -+msgid "while canonicalizing principal name" -+msgstr "während der Principal-Name in die normale Form gebracht wird" -+ -+#: ../../src/kadmin/cli/kadmin.c:442 -+msgid "creating host service principal" -+msgstr "Principal des Rechnerdienstes wird erstellt" -+ -+#: ../../src/kadmin/cli/kadmin.c:455 -+#, c-format -+msgid "%s: unable to canonicalize principal\n" -+msgstr "%s: Principal kann nicht in die normale Form gebracht werden\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:499 -+#, c-format -+msgid "%s: unable to figure out a principal name\n" -+msgstr "%s: Es kann kein Principal-Name herausgefunden werden.\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:507 -+msgid "while setting up logging" -+msgstr "beim Einrichten der Protokollierung" -+ -+#: 
../../src/kadmin/cli/kadmin.c:516 -+#, c-format -+msgid "Authenticating as principal %s with existing credentials.\n" -+msgstr "Authentifizierung als Principal %s mit existierenden Anmeldedaten\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:522 -+#, c-format -+msgid "Authenticating as principal %s with password; anonymous requested.\n" -+msgstr "" -+"Authentifizierung als Principal %s mit Passwort; Anonymität erwünscht\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:529 -+#, c-format -+msgid "Authenticating as principal %s with keytab %s.\n" -+msgstr "Authentifizierung als Principal %s mit Schlüsseltabelle %s\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:532 -+#, c-format -+msgid "Authenticating as principal %s with default keytab.\n" -+msgstr "Authentifizierung als Principal %s mit Standardschlüsseltabelle\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:538 -+#, c-format -+msgid "Authenticating as principal %s with password.\n" -+msgstr "Authentifizierung als Principal %s mit Passwort\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:546 ../../src/slave/kpropd.c:728 -+#, c-format -+msgid "while initializing %s interface" -+msgstr "beim Initialisieren der Schnittstelle %s" -+ -+#: ../../src/kadmin/cli/kadmin.c:560 -+#, c-format -+msgid "while closing ccache %s" -+msgstr "beim Schließen von Ccache %s" -+ -+#: ../../src/kadmin/cli/kadmin.c:566 -+msgid "while mapping update log" -+msgstr "beim Abbilden des Aktualisierungsprotokolls" -+ -+#: ../../src/kadmin/cli/kadmin.c:581 -+msgid "while unlocking locked database" -+msgstr "beim Entsperren der Datenbank" -+ -+#: ../../src/kadmin/cli/kadmin.c:590 -+msgid "Administration credentials NOT DESTROYED.\n" -+msgstr "Verwaltungsanmeldedaten NICHT VERNICHTET\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:639 -+#, c-format -+msgid "usage: delete_principal [-force] principal\n" -+msgstr "Aufruf: delete_principal [-force] Principal\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:644 ../../src/kadmin/cli/kadmin.c:819 -+msgid "while parsing principal name" -+msgstr "beim 
Auswerten des Principal-Namens" -+ -+#: ../../src/kadmin/cli/kadmin.c:650 ../../src/kadmin/cli/kadmin.c:825 -+#: ../../src/kadmin/cli/kadmin.c:1217 ../../src/kadmin/cli/kadmin.c:1339 -+#: ../../src/kadmin/cli/kadmin.c:1409 ../../src/kadmin/cli/kadmin.c:1858 -+#: ../../src/kadmin/cli/kadmin.c:1902 ../../src/kadmin/cli/kadmin.c:1948 -+#: ../../src/kadmin/cli/kadmin.c:1988 -+msgid "while canonicalizing principal" -+msgstr "während der Principal in die normale Form gebracht wird" -+ -+#: ../../src/kadmin/cli/kadmin.c:654 -+#, c-format -+msgid "Are you sure you want to delete the principal \"%s\"? (yes/no): " -+msgstr "" -+"Sind Sie sicher, dass Sie den Principal »%s« löschen möchten? (yes/no): " -+ -+#: ../../src/kadmin/cli/kadmin.c:658 -+#, c-format -+msgid "Principal \"%s\" not deleted\n" -+msgstr "Principal »%s« nicht gelöscht\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:665 -+#, c-format -+msgid "while deleting principal \"%s\"" -+msgstr "beim Löschen von Principal »%s«" -+ -+#: ../../src/kadmin/cli/kadmin.c:668 -+#, c-format -+msgid "Principal \"%s\" deleted.\n" -+msgstr "Principal »%s« gelöscht\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:669 -+#, c-format -+msgid "" -+"Make sure that you have removed this principal from all ACLs before " -+"reusing.\n" -+msgstr "" -+"Stellen Sie sicher, dass Sie diesen Principal aus allen ACLs entfernt haben, " -+"bevor Sie ihn erneut benutzen.\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:686 -+#, c-format -+msgid "usage: rename_principal [-force] old_principal new_principal\n" -+msgstr "Aufruf: rename_principal [-force] alter_Principal neuer_Principal\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:693 -+msgid "while parsing old principal name" -+msgstr "beim Auswerten des alten Principal-Namens" -+ -+#: ../../src/kadmin/cli/kadmin.c:699 -+msgid "while parsing new principal name" -+msgstr "beim Auswerten des neuen Principal-Namens" -+ -+#: ../../src/kadmin/cli/kadmin.c:705 -+msgid "while canonicalizing old principal" -+msgstr "während der alte 
Principal in die normale Form gebracht wird" -+ -+#: ../../src/kadmin/cli/kadmin.c:711 -+msgid "while canonicalizing new principal" -+msgstr "während der neue Principal in die normale Form gebracht wird" -+ -+#: ../../src/kadmin/cli/kadmin.c:715 -+#, c-format -+msgid "" -+"Are you sure you want to rename the principal \"%s\" to \"%s\"? (yes/no): " -+msgstr "" -+"Sind Sie sicher, dass Sie den Principal »%s« in »%s« umbenennen möchten? " -+"(yes/no): " -+ -+#: ../../src/kadmin/cli/kadmin.c:719 -+#, c-format -+msgid "Principal \"%s\" not renamed\n" -+msgstr "Principal »%s« wurde nicht umbenannt.\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:726 -+#, c-format -+msgid "while renaming principal \"%s\" to \"%s\"" -+msgstr "beim Umbenennen von Principal »%s« in »%s«" -+ -+#: ../../src/kadmin/cli/kadmin.c:730 -+#, c-format -+msgid "Principal \"%s\" renamed to \"%s\".\n" -+msgstr "Principal »%s« wurde in »%s« umbenannt.\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:731 -+#, c-format -+msgid "" -+"Make sure that you have removed the old principal from all ACLs before " -+"reusing.\n" -+msgstr "" -+"Stellen Sie sicher, dass Sie den alten Principal aus allen ACLs entfernt " -+"haben, bevor Sie ihn erneut benutzen.\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:746 -+#, c-format -+msgid "" -+"usage: change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] " -+"principal\n" -+msgstr "" -+"Aufruf: change_password [-randkey] [-keepold] [-e Schlüssel-Salt-Liste] [-pw " -+"Passwort] Principal\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:772 -+msgid "change_password: missing db argument" -+msgstr "change_password: fehlendes Datenbankargument" -+ -+#: ../../src/kadmin/cli/kadmin.c:778 -+#, c-format -+msgid "change_password: Not enough memory\n" -+msgstr "change_password: zu wenig Speicher\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:786 -+msgid "change_password: missing password arg" -+msgstr "change_password: fehlendes Passwortargument" -+ -+#: ../../src/kadmin/cli/kadmin.c:797 -+msgid 
"change_password: missing keysaltlist arg" -+msgstr "change_password: fehlendes Schlüssel-Salt-Listenargument" -+ -+#: ../../src/kadmin/cli/kadmin.c:813 -+msgid "missing principal name" -+msgstr "fehlender Principal-Name" -+ -+#: ../../src/kadmin/cli/kadmin.c:837 ../../src/kadmin/cli/kadmin.c:874 -+#, c-format -+msgid "while changing password for \"%s\"." -+msgstr "beim Ändern des Passworts von »%s«." -+ -+#: ../../src/kadmin/cli/kadmin.c:840 ../../src/kadmin/cli/kadmin.c:877 -+#, c-format -+msgid "Password for \"%s\" changed.\n" -+msgstr "Passwort von »%s« geändert\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:846 ../../src/kadmin/cli/kadmin.c:1290 -+#, c-format -+msgid "while randomizing key for \"%s\"." -+msgstr "beim Erzeugen eines zufälligen Schlüssels für »%s«." -+ -+#: ../../src/kadmin/cli/kadmin.c:849 -+#, c-format -+msgid "Key for \"%s\" randomized.\n" -+msgstr "Es wurde ein zufälliger Schlüssel für %s erzeugt\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:854 ../../src/kadmin/cli/kadmin.c:1250 -+#, c-format -+msgid "Enter password for principal \"%s\"" -+msgstr "Geben Sie das Passwort für Principal »%s« ein." -+ -+#: ../../src/kadmin/cli/kadmin.c:856 ../../src/kadmin/cli/kadmin.c:1252 -+#, c-format -+msgid "Re-enter password for principal \"%s\"" -+msgstr "Geben Sie das Passwort für Principal »%s« erneut ein." -+ -+#: ../../src/kadmin/cli/kadmin.c:861 ../../src/kadmin/cli/kadmin.c:1256 -+#, c-format -+msgid "while reading password for \"%s\"." -+msgstr "beim Lesen des Passworts von »%s«." 
-+ -+#: ../../src/kadmin/cli/kadmin.c:915 -+#, c-format -+msgid "Not enough memory\n" -+msgstr "Speicher reicht nicht aus\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:945 ../../src/kadmin/dbutil/kdb5_util.c:623 -+msgid "while getting time" -+msgstr "beim Holen der Zeit" -+ -+#: ../../src/kadmin/cli/kadmin.c:994 ../../src/kadmin/cli/kadmin.c:1007 -+#: ../../src/kadmin/cli/kadmin.c:1020 ../../src/kadmin/cli/kadmin.c:1033 -+#: ../../src/kadmin/cli/kadmin.c:1546 ../../src/kadmin/cli/kadmin.c:1558 -+#: ../../src/kadmin/cli/kadmin.c:1601 ../../src/kadmin/cli/kadmin.c:1618 -+#, c-format -+msgid "Invalid date specification \"%s\".\n" -+msgstr "ungültige Datumsangabe »%s«\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1118 ../../src/kadmin/cli/kadmin.c:1333 -+#: ../../src/kadmin/cli/kadmin.c:1404 ../../src/kadmin/cli/kadmin.c:1852 -+#: ../../src/kadmin/cli/kadmin.c:1896 ../../src/kadmin/cli/kadmin.c:1942 -+#: ../../src/kadmin/cli/kadmin.c:1982 -+msgid "while parsing principal" -+msgstr "beim Auswerten des Principals" -+ -+#: ../../src/kadmin/cli/kadmin.c:1127 -+#, c-format -+msgid "usage: add_principal [options] principal\n" -+msgstr "Aufruf: add_principal [Optionen] Principal\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1128 ../../src/kadmin/cli/kadmin.c:1155 -+#: ../../src/kadmin/cli/kadmin.c:1657 -+#, c-format -+msgid "\toptions are:\n" -+msgstr "\tEs gibt folgende Optionen:\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1130 -+#, c-format -+msgid "" -+"\t\t[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire " -+"pwexpdate] [-maxlife maxtixlife]\n" -+"\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n" -+"\t\t[-pw password] [-maxrenewlife maxrenewlife]\n" -+"\t\t[-e keysaltlist]\n" -+"\t\t[{+|-}attribute]\n" -+msgstr "" -+"\t\t[-randkey|-nokey] [-x DB-Principal-Argumente]* [-expire Ablaufdatum] [-" -+"pwexpire Passwortablaufdatum] [-maxlife maximale_Ticketlebensdauer]\n" -+"\t\t[-kvno KVNO] [-policy Richtlinie] [-clearpolicy]\n" -+"\t\t[-pw Passwort] [-maxrenewlife 
maximale_Dauer_bis_zum_Erneuern]\n" -+"\t\t[-e Schlüssel-Salt-Liste]\n" -+"\t\t[{+|-}Attribut]\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1136 -+#, c-format -+msgid "\tattributes are:\n" -+msgstr "\tEs gibt folgende Attribute:\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1138 ../../src/kadmin/cli/kadmin.c:1164 -+#, c-format -+msgid "" -+"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n" -+"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n" -+"\t\trequires_hwauth needchange allow_svr password_changing_service\n" -+"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" -+"\n" -+"where,\n" -+"\t[-x db_princ_args]* - any number of database specific arguments.\n" -+"\t\t\tLook at each database documentation for supported arguments\n" -+msgstr "" -+"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n" -+"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n" -+"\t\trequires_hwauth needchange allow_svr password_changing_service\n" -+"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" -+"\n" -+"wobei\n" -+"\t[-x DB-Principal-Argumente]* - eine beliebige Zahl\n" -+"\tdatenbankspezifischer Argumente ist.\n" -+"\t\t\tDie unterstützten Argumente finden Sie in der jeweiligen\n" -+"Datenbankdokumentation.\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1154 -+#, c-format -+msgid "usage: modify_principal [options] principal\n" -+msgstr "Aufruf: modify_principal [Optionen] Principal\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1157 -+#, c-format -+msgid "" -+"\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife " -+"maxtixlife]\n" -+"\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n" -+"\t\t[-maxrenewlife maxrenewlife] [-unlock] [{+|-}attribute]\n" -+msgstr "" -+"\t\t[-x DB-Principal-Argumente]* [-expire Ablaufdatum] [-pwexpire " -+"Passwortablaufdatum] [-maxlife maximale_Ticketlebensdauer]\n" -+"\t\t[-kvno KVNO] [-policy Richtlinie] [-clearpolicy]\n" -+"\t\t[-maxrenewlife 
maximale_Dauer_bis_zum_Erneuern] [-unlock] [{+|-}" -+"Attribut]\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1224 ../../src/kadmin/cli/kadmin.c:1362 -+#, c-format -+msgid "WARNING: policy \"%s\" does not exist\n" -+msgstr "WARNUNG: Richtlinie »%s« existiert nicht.\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1230 -+#, c-format -+msgid "NOTICE: no policy specified for %s; assigning \"default\"\n" -+msgstr "" -+"HINWEIS: Für %s wurde keine Richtlinie angegeben, es wird »default« " -+"zugewiesen\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1235 -+#, c-format -+msgid "WARNING: no policy specified for %s; defaulting to no policy\n" -+msgstr "" -+"WARNUNG: Für %s wurde keine Richtlinie angegeben, es wird die Vorgabe " -+"»keine\n" -+"Richtlinie« verwandt.\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1276 -+#, c-format -+msgid "Admin server does not support -nokey while creating \"%s\"\n" -+msgstr "" -+"Der Administrationsrechner unterstützt beim Erstellen von »%s« kein -nokey\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1298 -+#, c-format -+msgid "while clearing DISALLOW_ALL_TIX for \"%s\"." -+msgstr "beim Löschen von DISALLOW_ALL_TIX für »%s«." -+ -+#: ../../src/kadmin/cli/kadmin.c:1345 -+#, c-format -+msgid "while getting \"%s\"." -+msgstr "beim Holen von »%s«." -+ -+#: ../../src/kadmin/cli/kadmin.c:1371 -+#, c-format -+msgid "while modifying \"%s\"." -+msgstr "beim Ändern von »%s«." -+ -+#: ../../src/kadmin/cli/kadmin.c:1375 -+#, c-format -+msgid "Principal \"%s\" modified.\n" -+msgstr "Principal »%s« wurde geändert.\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1396 -+#, c-format -+msgid "usage: get_principal [-terse] principal\n" -+msgstr "Aufruf: get_principal [-terse] Principal\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1415 -+#, c-format -+msgid "while retrieving \"%s\"." -+msgstr "beim Abfragen von »%s«." 
-+ -+#: ../../src/kadmin/cli/kadmin.c:1420 ../../src/kadmin/cli/kadmin.c:1425 -+msgid "while unparsing principal" -+msgstr "beim Rückgängigmachen der Auswertung des Principals" -+ -+#: ../../src/kadmin/cli/kadmin.c:1429 -+#, c-format -+msgid "Principal: %s\n" -+msgstr "Principal: %s\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1430 -+#, c-format -+msgid "Expiration date: %s\n" -+msgstr "Ablaufdatum: %s\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1431 ../../src/kadmin/cli/kadmin.c:1433 -+#: ../../src/kadmin/cli/kadmin.c:1444 -+msgid "[never]" -+msgstr "[niemals]" -+ -+#: ../../src/kadmin/cli/kadmin.c:1432 -+#, c-format -+msgid "Last password change: %s\n" -+msgstr "Letzte Passwortänderung: %s\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1434 -+#, c-format -+msgid "Password expiration date: %s\n" -+msgstr "Passwortablaufdatum: %s\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1436 ../../src/kadmin/cli/kadmin.c:1478 -+msgid "[none]" -+msgstr "[keins]" -+ -+#: ../../src/kadmin/cli/kadmin.c:1437 -+#, c-format -+msgid "Maximum ticket life: %s\n" -+msgstr "maximale Ticketlebensdauer: %s\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1438 -+#, c-format -+msgid "Maximum renewable life: %s\n" -+msgstr "maximale verlängerbare Lebensdauer: %s\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1440 -+#, c-format -+msgid "Last modified: %s (%s)\n" -+msgstr "zuletzt geändert: %s (%s)\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1442 -+#, c-format -+msgid "Last successful authentication: %s\n" -+msgstr "letzte erfolgreiche Authentifizierung: %s\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1448 -+#, c-format -+msgid "Failed password attempts: %d\n" -+msgstr "Fehlgeschlagene Anmeldeversuche: %d\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1450 -+#, c-format -+msgid "Number of keys: %d\n" -+msgstr "Anzahl der Schlüssel: %d\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1457 -+#, c-format -+msgid "" -+msgstr "" -+ -+#: ../../src/kadmin/cli/kadmin.c:1464 -+#, c-format -+msgid "" -+msgstr "" -+ -+#: ../../src/kadmin/cli/kadmin.c:1470 
-+#, c-format -+msgid "MKey: vno %d\n" -+msgstr "MKey: vno %d\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1472 -+#, c-format -+msgid "Attributes:" -+msgstr "Attribute:" -+ -+#: ../../src/kadmin/cli/kadmin.c:1480 -+msgid " [does not exist]" -+msgstr " [existiert nicht]" -+ -+#: ../../src/kadmin/cli/kadmin.c:1481 -+#, c-format -+msgid "Policy: %s%s\n" -+msgstr "Richtlinie: %s%s\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1517 -+#, c-format -+msgid "usage: get_principals [expression]\n" -+msgstr "Aufruf: get_principals [Ausdruck]\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1522 ../../src/kadmin/cli/kadmin.c:1794 -+msgid "while retrieving list." -+msgstr "beim Abfragen der Liste." -+ -+#: ../../src/kadmin/cli/kadmin.c:1647 -+#, c-format -+msgid "%s: parser lost count!\n" -+msgstr "%s: Auswertungsprogramm verlor Anzahl!\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1656 -+#, c-format -+msgid "usage; %s [options] policy\n" -+msgstr "Aufruf: %s [Optionen] Richtlinie\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1659 -+#, c-format -+msgid "" -+"\t\t[-maxlife time] [-minlife time] [-minlength length]\n" -+"\t\t[-minclasses number] [-history number]\n" -+"\t\t[-maxfailure number] [-failurecountinterval time]\n" -+"\t\t[-allowedkeysalts keysalts]\n" -+msgstr "" -+"\t\t[-maxlife Zeit] [-minlife Zeit] [-minlength Länge]\n" -+"\t\t[-minclasses Anzahl] [-history Nummer]\n" -+"\t\t[-maxfailure Anzahl] [-failurecountinterval Zeit]\n" -+"\t\t[-allowedkeysalts Schlüssel-Salts]\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1663 -+#, c-format -+msgid "\t\t[-lockoutduration time]\n" -+msgstr "\t\t[-lockoutduration Dauer]\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1682 -+#, c-format -+msgid "while creating policy \"%s\"." -+msgstr "beim Erstellen der Richtlinie »%s«" -+ -+#: ../../src/kadmin/cli/kadmin.c:1703 -+#, c-format -+msgid "while modifying policy \"%s\"." 
-+msgstr "beim Ändern der Richtlinie »%s«" -+ -+#: ../../src/kadmin/cli/kadmin.c:1715 -+#, c-format -+msgid "usage: delete_policy [-force] policy\n" -+msgstr "Aufruf: delete_policy [-force] Richtlinie\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1719 -+#, c-format -+msgid "Are you sure you want to delete the policy \"%s\"? (yes/no): " -+msgstr "" -+"Sind Sie sicher, dass Sie die Richtlinie »%s« löschen möchten? (yes/no): " -+ -+#: ../../src/kadmin/cli/kadmin.c:1723 -+#, c-format -+msgid "Policy \"%s\" not deleted.\n" -+msgstr "Richtlinie »%s« nicht gelöscht\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1729 -+#, c-format -+msgid "while deleting policy \"%s\"" -+msgstr "bei Löschen der Richtlinie »%s«" -+ -+#: ../../src/kadmin/cli/kadmin.c:1741 -+#, c-format -+msgid "usage: get_policy [-terse] policy\n" -+msgstr "Aufruf: get_policy [-terse] Richtlinie\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1746 -+#, c-format -+msgid "while retrieving policy \"%s\"." -+msgstr "beim Abfragen der Richtlinie »%s«." -+ -+#: ../../src/kadmin/cli/kadmin.c:1751 -+#, c-format -+msgid "Policy: %s\n" -+msgstr "Richtlinie: »%s«\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1752 -+#, c-format -+msgid "Maximum password life: %ld\n" -+msgstr "maximale Passwortlebensdauer: %ld\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1753 -+#, c-format -+msgid "Minimum password life: %ld\n" -+msgstr "minimale Passwortlebensdauer: %ld\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1754 -+#, c-format -+msgid "Minimum password length: %ld\n" -+msgstr "minimale Passwortlänge: %ld\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1755 -+#, c-format -+msgid "Minimum number of password character classes: %ld\n" -+msgstr "minimale Anzahl von Passwortzeichenklassen: %ld\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1757 -+#, c-format -+msgid "Number of old keys kept: %ld\n" -+msgstr "Anzahl aufbewahrter alter Schlüssel: %ld\n" -+ -+#: ../../src/kadmin/cli/kadmin.c:1758 -+#, c-format -+msgid "Maximum password failures before lockout: %lu\n" -+msgstr 
"maximale Anzahl falscher Passworteingaben vor dem Sperren: %lu\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1760
-+#, c-format
-+msgid "Password failure count reset interval: %s\n"
-+msgstr "Rücksetzintervall für zu viele falsch eingebene Passwörter: %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1762
-+#, c-format
-+msgid "Password lockout duration: %s\n"
-+msgstr "Passwortsperrdauer: %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1765
-+#, c-format
-+msgid "Allowed key/salt types: %s\n"
-+msgstr "erlaubte Schlüssel-/Salt-Typen: %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1789
-+#, c-format
-+msgid "usage: get_policies [expression]\n"
-+msgstr "Aufruf: get_policies [Ausdruck]\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1811
-+#, c-format
-+msgid "usage: get_privs\n"
-+msgstr "Aufruf: get_privs\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1816
-+msgid "while retrieving privileges"
-+msgstr "beim Abfragen von Rechten"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1819
-+#, c-format
-+msgid "current privileges:"
-+msgstr "aktuelle Rechte:"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1845
-+#, c-format
-+msgid "usage: purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal\n"
-+msgstr ""
-+"Aufruf: purgekeys [-all|-keepkvno älteste_KVNO_die_behalten_wird] Principal\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1865
-+#, c-format
-+msgid "while purging keys for principal \"%s\""
-+msgstr "beim vollständigen Löschen der Schlüssel für Principal »%s«"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1870
-+#, c-format
-+msgid "All keys for principal \"%s\" removed.\n"
-+msgstr "Alle Schlüssel für Principal »%s« wurden entfernt.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1872
-+#, c-format
-+msgid "Old keys for principal \"%s\" purged.\n"
-+msgstr "Alte Schlüssel für Principal »%s« wurden entfernt.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1889
-+#, c-format
-+msgid "usage: get_strings principal\n"
-+msgstr "Aufruf: get_strings Principal\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1909
-+#, c-format
-+msgid "while getting
attributes for principal \"%s\""
-+msgstr "beim Holen von Attributen für Principal »%s«"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1914
-+#, c-format
-+msgid "(No string attributes.)\n"
-+msgstr "(keine Zeichenkettenattribute)\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1933
-+#, c-format
-+msgid "usage: set_string principal key value\n"
-+msgstr "Aufruf: set_string Principal Schlüssel Wert\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1955
-+#, c-format
-+msgid "while setting attribute on principal \"%s\""
-+msgstr "beim Setzen eines Attributes für Principal »%s«"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1959
-+#, c-format
-+msgid "Attribute set for principal \"%s\".\n"
-+msgstr "Attribute für Principal »%s« wurden gesetzt.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1974
-+#, c-format
-+msgid "usage: del_string principal key\n"
-+msgstr "Aufruf: del_string Principal Schlüssel\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1995
-+#, c-format
-+msgid "while deleting attribute from principal \"%s\""
-+msgstr "beim Löschen eines Attributs von Principal »%s«"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1999
-+#, c-format
-+msgid "Attribute removed from principal \"%s\".\n"
-+msgstr "Attribut von Principal »%s« wurde gelöscht.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:56
-+#, c-format
-+msgid ""
-+"Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] "
-+"[principal | -glob princ-exp] [...]\n"
-+msgstr ""
-+"Aufruf: ktadd [-k[eytab] Schlüsseltabelle] [-q] [-e Schlüssel-Salt-Liste] [-"
-+"norandkey] [Principal | -glob Principal-Ausdruck] […]\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:59
-+#, c-format
-+msgid ""
-+"Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob "
-+"princ-exp] [...]\n"
-+msgstr ""
-+"Aufruf: ktadd [-k[eytab] Schlüsseltabelle] [-q] [-e Schlüssel-Salt-Liste] "
-+"[Principal | -glob Principal-Ausdruck] […]\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:67
-+#, c-format
-+msgid ""
-+"Usage: ktremove [-k[eytab] keytab] [-q] principal
[kvno|\"all\"|\"old\"]\n"
-+msgstr ""
-+"Aufruf: ktremove [-k[eytab] Schlüsseltabelle] [-q] Principal "
-+"[kvno|»all«|»old«]\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:81 ../../src/kadmin/cli/keytab.c:102
-+msgid "while creating keytab name"
-+msgstr "beim Erstellen des Schlüsseltabellennamens"
-+
-+#: ../../src/kadmin/cli/keytab.c:86
-+msgid "while opening default keytab"
-+msgstr "beim Öffnen der Standardschlüsseltabelle"
-+
-+#: ../../src/kadmin/cli/keytab.c:147
-+#, c-format
-+msgid "-norandkey option only valid for kadmin.local\n"
-+msgstr "Die Option »-norandkey« ist nur für »kadmin.local« gültig.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:176
-+#, c-format
-+msgid "cannot specify keysaltlist when not changing key\n"
-+msgstr ""
-+"Schlüssel-Salt-Liste kann nicht angegeben werden, wenn der Schlüssel nicht "
-+"geändert wird\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:192
-+#, c-format
-+msgid "while expanding expression \"%s\"."
-+msgstr "beim Expandieren des Ausdrucks »%s«."
-+
-+#: ../../src/kadmin/cli/keytab.c:211 ../../src/kadmin/cli/keytab.c:251
-+msgid "while closing keytab"
-+msgstr "beim Schließen der Schlüsseltabelle"
-+
-+#: ../../src/kadmin/cli/keytab.c:275
-+#, c-format
-+msgid "while parsing -add principal name %s"
-+msgstr "beim Auswerten von »-add Principal-Name %s«"
-+
-+#: ../../src/kadmin/cli/keytab.c:289
-+#, c-format
-+msgid "%s: Principal %s does not exist.\n"
-+msgstr "%s: Principal %s existiert nicht.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:292
-+#, c-format
-+msgid "while changing %s's key"
-+msgstr "beim Ändern des Schlüssels von %s"
-+
-+#: ../../src/kadmin/cli/keytab.c:299
-+msgid "while retrieving principal"
-+msgstr "beim Abfragen des Principals"
-+
-+#: ../../src/kadmin/cli/keytab.c:311
-+msgid "while adding key to keytab"
-+msgstr "beim Hinzufügen des Schlüssels zur Schlüsseltabelle"
-+
-+#: ../../src/kadmin/cli/keytab.c:317
-+#, c-format
-+msgid ""
-+"Entry for principal %s with kvno %d, encryption type %s added to keytab %s.\n"
-+msgstr ""
-+"Der Eintrag für Principal %s mit KVNO %d und Verschlüsselungstyp %s wurde "
-+"der Schlüsseltabelle %s hinzugefügt.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:326
-+msgid "while freeing principal entry"
-+msgstr "beim Freigeben des Principal-Eintrags"
-+
-+#: ../../src/kadmin/cli/keytab.c:373
-+#, c-format
-+msgid "%s: Keytab %s does not exist.\n"
-+msgstr "%s: Schlüsseltabelle %s existiert nicht.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:377
-+#, c-format
-+msgid "%s: No entry for principal %s exists in keytab %s\n"
-+msgstr ""
-+"%s: Für Principal %s existiert kein Eintrag in der Schlüsseltabelle %s.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:381
-+#, c-format
-+msgid "%s: No entry for principal %s with kvno %d exists in keytab %s\n"
-+msgstr ""
-+"%s: Für den Principal %s mit der KVNO %d existiert kein Eintrag in der "
-+"Schlüsseltabelle %s.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:387
-+msgid "while retrieving highest kvno from keytab"
-+msgstr "beim Abfragen der höchsten KVNO der Schlüsseltabelle"
-+
-+#: ../../src/kadmin/cli/keytab.c:420
-+msgid "while temporarily ending keytab scan"
-+msgstr "beim Unterbrechen des Schlüsseltabellen-Scans"
-+
-+#: ../../src/kadmin/cli/keytab.c:425
-+msgid "while deleting entry from keytab"
-+msgstr "beim Löschen eines Eintrags aus der Schlüsseltabelle"
-+
-+#: ../../src/kadmin/cli/keytab.c:430
-+msgid "while restarting keytab scan"
-+msgstr "bei der Wiederaufnahme des Schlüsseltabellen-Scans"
-+
-+#: ../../src/kadmin/cli/keytab.c:436
-+#, c-format
-+msgid "Entry for principal %s with kvno %d removed from keytab %s.\n"
-+msgstr ""
-+"Der Eintrag für Principal %s mit KVNO %d wurde aus der Schlüsseltabelle %s "
-+"entfernt.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:458
-+#, c-format
-+msgid "%s: There is only one entry for principal %s in keytab %s\n"
-+msgstr ""
-+"%s: Es gibt nur einen Eintrag für Principal %s in der Schlüsseltabelle %s.\n"
-+
-+#: ../../src/kadmin/cli/ss_wrapper.c:49
../../src/kadmin/ktutil/ktutil.c:58
-+msgid "creating invocation"
-+msgstr "Aufruf wird erstellt"
-+
-+#: ../../src/kadmin/dbutil/dump.c:165
-+msgid "while allocating temporary filename dump"
-+msgstr "beim Reservieren des temporären Dateinamenspeicherauszugs"
-+
-+#: ../../src/kadmin/dbutil/dump.c:176
-+msgid "while renaming dump file into place"
-+msgstr "während das Umbenennen der Auszugsdateien Gestalt annimmt"
-+
-+#: ../../src/kadmin/dbutil/dump.c:192
-+msgid "while allocating dump_ok filename"
-+msgstr "beim Reservieren des »dump_ok«-Dateinamens"
-+
-+#: ../../src/kadmin/dbutil/dump.c:199
-+#, c-format
-+msgid "while creating 'ok' file, '%s'"
-+msgstr "beim Erstellen der Datei »ok«, »%s«"
-+
-+#: ../../src/kadmin/dbutil/dump.c:206
-+#, c-format
-+msgid "while locking 'ok' file, '%s'"
-+msgstr "beim Sperren der Datei »ok«, »%s«"
-+
-+#: ../../src/kadmin/dbutil/dump.c:248 ../../src/kadmin/dbutil/dump.c:277
-+#, c-format
-+msgid "%s: regular expression error: %s\n"
-+msgstr "%s: Fehler im regulären Ausdruck: %s\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:260
-+#, c-format
-+msgid "%s: regular expression match error: %s\n"
-+msgstr "%s: Fehler beim Abgleich mit regulärem Ausdruck: %s\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:361
-+#, c-format
-+msgid "%s: tagged data list inconsistency for %s (counted %d, stored %d)\n"
-+msgstr ""
-+"%s: Unstimmigkeit in der markierten Datenliste für %s (%d gezählt, %d "
-+"gespeichert)\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:519
-+#, c-format
-+msgid ""
-+"Warning! Multiple DES-CBC-CRC keys for principal %s; skipping duplicates.\n"
-+msgstr ""
-+"Warnung! Mehrere DES-CBC-CRC-Schlüssel für Principal %s, Duplikate werden "
-+"übersprungen.\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:530
-+#, c-format
-+msgid ""
-+"Warning! No DES-CBC-CRC key for principal %s, cannot generate OV-compatible "
-+"record; skipping\n"
-+msgstr ""
-+"Warnung!
Kein DES-CBC-CRC-Schlüssel für Principal %s, es kann kein OV-"
-+"kompatibler Datensatz erzeugt werden, wird übersprungen\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:558
-+#, c-format
-+msgid "while converting %s to new master key"
-+msgstr "beim Umwandeln von %s in den neuen Hauptschlüssel"
-+
-+#: ../../src/kadmin/dbutil/dump.c:579
-+#, c-format
-+msgid "%s(%d): %s\n"
-+msgstr "%s(%d): %s\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:622
-+#, c-format
-+msgid "%s(%d): ignoring trash at end of line: "
-+msgstr "%s(%d): Müll am Zeilenende wird ignoriert: "
-+
-+#: ../../src/kadmin/dbutil/dump.c:685
-+msgid "cannot read tagged data type and length"
-+msgstr "Markierter Datentyp und Länge können nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:692
-+msgid "cannot read tagged data contents"
-+msgstr "Inhalt der markierten Daten kann nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:726
-+msgid "cannot match size tokens"
-+msgstr "Größenmerkmale können nicht zugeordnet werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:755
-+msgid "cannot read name string"
-+msgstr "Namenszeichenkette kann nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:760
-+#, c-format
-+msgid "while parsing name %s"
-+msgstr "beim Auswerten des Namens %s"
-+
-+#: ../../src/kadmin/dbutil/dump.c:768
-+msgid "cannot read principal attributes"
-+msgstr "Principal-Attribute können nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:821
-+msgid "cannot read key size and version"
-+msgstr "Schlüssellänge und -version können nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:832
-+msgid "cannot read key type and length"
-+msgstr "Schlüsseltyp und -länge können nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:838
-+msgid "cannot read key data"
-+msgstr "Schlüsseldaten können nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:848
-+msgid "cannot read extra data"
-+msgstr "Zusätzliche Daten können nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:857
-+#, c-format
-+msgid "while storing %s"
-+msgstr "beim Speichern von %s"
-+
-+#: ../../src/kadmin/dbutil/dump.c:896 ../../src/kadmin/dbutil/dump.c:935
-+#: ../../src/kadmin/dbutil/dump.c:981
-+#, c-format
-+msgid "cannot parse policy (%d read)\n"
-+msgstr "Richtlinie kann nicht ausgewertet werden (%d gelesen)\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:904 ../../src/kadmin/dbutil/dump.c:943
-+#: ../../src/kadmin/dbutil/dump.c:1001
-+msgid "while creating policy"
-+msgstr "beim Erstellen der Richtlinie"
-+
-+#: ../../src/kadmin/dbutil/dump.c:908
-+#, c-format
-+msgid "created policy %s\n"
-+msgstr "erstellte Richtlinie %s\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1038
-+#, c-format
-+msgid "unknown record type \"%s\"\n"
-+msgstr "unbekannter Datensatztyp »%s«\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1167
-+#, c-format
-+msgid "%s: Unknown iprop dump version %d\n"
-+msgstr "%s: unbekannte Iprop-Auszugsversion %d\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1270 ../../src/kadmin/dbutil/dump.c:1498
-+#, c-format
-+msgid "Iprop not enabled\n"
-+msgstr "Iprop nicht aktiviert\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1308
-+msgid "Conditional dump is an undocumented option for use only for iprop dumps"
-+msgstr ""
-+"Bedingter Auszug ist eine nicht dokumentierte Option, die nur für Iprop-"
-+"Auszüge benutzt wird."
-+
-+#: ../../src/kadmin/dbutil/dump.c:1321
-+msgid "Database not currently opened!"
-+msgstr "Die Datenbank ist zur Zeit nicht geöffnet!"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1335
-+#: ../../src/kadmin/dbutil/kdb5_stash.c:116
-+#: ../../src/kadmin/dbutil/kdb5_util.c:479
-+msgid "while reading master key"
-+msgstr "beim Lesen des Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1341
-+msgid "while verifying master key"
-+msgstr "beim Prüfen des Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1360 ../../src/kadmin/dbutil/dump.c:1370
-+msgid "while reading new master key"
-+msgstr "beim Lesen des neuen Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1364
-+#, c-format
-+msgid "Please enter new master key....\n"
-+msgstr "Bitte geben Sie den neuen Hauptschlüssel ein …\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1388
-+#, c-format
-+msgid "while opening %s for writing"
-+msgstr "beim Öffnen von %s zum Schreiben"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1403
-+msgid "while reading update log header"
-+msgstr "beim Lesen der Aktualisierungsprotokollkopfzeilen"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1418 ../../src/kadmin/dbutil/dump.c:1425
-+#, c-format
-+msgid "performing %s dump"
-+msgstr "Auszug von %s wird durchgeführt"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1455
-+#, c-format
-+msgid "%s: error processing line %d of %s\n"
-+msgstr "%s: Fehler beim Verarbeiten von Zeile %d von %s\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1507
-+msgid "while parsing options"
-+msgstr "beim Auswerten der Optionen"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1522
-+#, c-format
-+msgid "while opening %s"
-+msgstr "beim Öffnen von %s"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1527 ../../src/kadmin/dbutil/dump.c:1626
-+msgid "standard input"
-+msgstr "Standardeingabe"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1532
-+#, c-format
-+msgid "%s: can't read dump header in %s\n"
-+msgstr "%s: Kopfzeilen des Auszugs in %s können nicht gelesen werden.\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1540 ../../src/kadmin/dbutil/dump.c:1557
-+#, c-format
-+msgid "%s: dump header bad in %s\n"
-+msgstr "%s: falsche Kopfzeilen des
Auszugs in %s\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1566
-+#, c-format
-+msgid "Could not open iprop ulog\n"
-+msgstr "Iprop-Ulog kann nicht geöffnet werden.\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1571
-+#, c-format
-+msgid "%s: dump version %s can only be loaded with the -update flag\n"
-+msgstr ""
-+"%s: Die Auszugsversion %s kann nur mit dem Schalter -update geladen werden.\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1580 ../../src/kadmin/dbutil/dump.c:1585
-+msgid "computing parameters for database"
-+msgstr "Parameter für die Datenbank werden berechnet."
-+
-+#: ../../src/kadmin/dbutil/dump.c:1591
-+msgid "while creating database"
-+msgstr "beim Erstellen der Datenbank"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1600
-+msgid "while opening database"
-+msgstr "beim Öffnen der Datenbank"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1610
-+msgid "while permanently locking database"
-+msgstr "beim dauerhaften Sperren der Datenbank"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1628
-+#, c-format
-+msgid "%s: %s restore failed\n"
-+msgstr "%s: Wiederherstellen von %s fehlgeschlagen\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1633
-+msgid "while unlocking database"
-+msgstr "beim Aufheben der Datenbanksperre"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1643 ../../src/kadmin/dbutil/dump.c:1662
-+msgid "while reinitializing update log"
-+msgstr "beim erneuten Initialisieren des Aktualisierungsprotokolls"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1653
-+msgid "while making newly loaded database live"
-+msgstr "beim Aktivieren der neu geladenen Datenbank"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1669
-+msgid "while writing update log header"
-+msgstr "beim Schreiben der Aktualisierungsprotokollkopfzeilen"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1683
-+#, c-format
-+msgid "while deleting bad database %s"
-+msgstr "beim Löschen der falschen Datenbank %s"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:84
-+msgid "while looking up the Kerberos configuration"
-+msgstr "beim Nachschlagen der
Kerberos-Konfiguration"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:111
-+msgid "while initializing the Kerberos admin interface"
-+msgstr "beim Initialisieren der Kerberos-Administrationsoberfläche"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:169
-+#, c-format
-+msgid "getaddrinfo(%s): Cannot determine canonical hostname.\n"
-+msgstr ""
-+"getaddrinfo(%s): Die Normalform des Rechnernamens kann nicht bestimmt "
-+"werden.\n"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:190
-+#: ../../src/kadmin/dbutil/kadm5_create.c:196
-+#, c-format
-+msgid "Out of memory\n"
-+msgstr "Speicherplatz reicht nicht aus.\n"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:270
-+msgid "while appending realm to principal"
-+msgstr "beim Anhängen des Realms an den Principal"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:275
-+msgid "while parsing admin principal name"
-+msgstr "beim Auswerten des Principal-Namens des Administrators"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:286
-+#, c-format
-+msgid "while creating principal %s"
-+msgstr "beim Erstellen des Principals %s"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:175
-+#: ../../src/kadmin/dbutil/kdb5_util.c:241
-+#: ../../src/kadmin/dbutil/kdb5_util.c:248
-+msgid "while parsing command arguments\n"
-+msgstr "beim Auswerten der Befehlsargumente\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:198
-+#, c-format
-+msgid "Loading random data\n"
-+msgstr "Zufällige Daten werden geladen.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:201
-+msgid "Loading random data"
-+msgstr "Zufällige Daten werden geladen."
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:211
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:242
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:435
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:591
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1149
-+#: ../../src/kadmin/dbutil/kdb5_util.c:423
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:606
-+msgid "while setting up master key name"
-+msgstr "beim Einrichten des Hauptschlüsselnamens"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:222
-+#, c-format
-+msgid ""
-+"Initializing database '%s' for realm '%s',\n"
-+"master key name '%s'\n"
-+msgstr ""
-+"Datenbank »%s« für Realm »%s« wird initialisiert,\n"
-+"Hauptschlüsselname »%s«\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:227
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:516
-+#, c-format
-+msgid "You will be prompted for the database Master Password.\n"
-+msgstr "Sie werden nach dem Master-Passwort der Datenbank gefragt.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:228
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:260
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:517
-+#, c-format
-+msgid "It is important that you NOT FORGET this password.\n"
-+msgstr "Es ist wichtig, dass Sie dieses Passwort NICHT VERGESSEN.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:234
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:266
-+msgid "while creating new master key"
-+msgstr "beim Erstellen des neuen Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:242
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:527
-+msgid "while reading master key from keyboard"
-+msgstr "beim Lesen des Hauptschlüssels von der Tastatur"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:252
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:285
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:618
-+msgid "while calculating master key salt"
-+msgstr "beim Berechnen des Hauptschlüssel-Salts"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:260
-+#:
../../src/kadmin/dbutil/kdb5_mkey.c:294
-+#: ../../src/kadmin/dbutil/kdb5_util.c:465
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:630
-+msgid "while transforming master key from password"
-+msgstr "beim Umwandeln des Hauptschlüssels vom Passwort"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:270
-+msgid "while initializing random key generator"
-+msgstr "beim Initialisieren des Zufallsschlüsselgenerators"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:275
-+#, c-format
-+msgid "while creating database '%s'"
-+msgstr "beim Erstellen der Datenbank »%s«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:293
-+msgid "while creating update log"
-+msgstr "beim Erstellen des Aktualisierungsprotokolls"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:304
-+msgid "while initializing update log"
-+msgstr "beim Initialisieren des Aktualisierungsprotokolls"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:320
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:642
-+msgid "while adding entries to the database"
-+msgstr "beim Hinzufügen von Einträgen in die Datenbank"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:348
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:339
-+#: ../../src/kadmin/dbutil/kdb5_stash.c:133
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:667
-+msgid "while storing key"
-+msgstr "beim Speichern des Schlüssels"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:349
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:340
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:668
-+#, c-format
-+msgid "Warning: couldn't stash master key.\n"
-+msgstr "Warnung: Hauptschlüssel kann nicht gelagert werden.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:57
-+msgid "while initializing krb5_context"
-+msgstr "beim Initialisieren von »krb5_context«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:63
-+#: ../../src/kadmin/dbutil/kdb5_util.c:259
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:291
-+msgid "while setting default realm name"
-+msgstr
"beim Einstellen des Standard-Realm-Namens"
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:83
-+#, c-format
-+msgid "Deleting KDC database stored in '%s', are you sure?\n"
-+msgstr ""
-+"Die in »%s« gespeicherte KDC-Datenbank wird gelöscht. Sind Sie sicher?\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:85
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1166
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:360
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1482
-+#, c-format
-+msgid "(type 'yes' to confirm)? "
-+msgstr "(Geben Sie als Bestätigung »yes« ein)? "
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:92
-+#, c-format
-+msgid "OK, deleting database '%s'...\n"
-+msgstr "OK, Datenbank »%s« wird gelöscht …\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:97
-+#, c-format
-+msgid "deleting database '%s'"
-+msgstr "Datenbank »%s« wird gelöscht."
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:106
-+#, c-format
-+msgid "** Database '%s' destroyed.\n"
-+msgstr "** Datenbank »%s« vernichtet\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:218
-+#, c-format
-+msgid "%s is an invalid enctype"
-+msgstr "%s ist ein ungültiger Verschlüsselungstyp"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:250
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:443
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:599
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:986
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1157
-+#, c-format
-+msgid "while getting master key principal %s"
-+msgstr "beim Holen des Hauptschlüssels von Principal %s"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:256
-+#, c-format
-+msgid "Creating new master key for master key principal '%s'\n"
-+msgstr ""
-+"Es wird ein neuer Hauptschlüssel für den Hauptschlüssel-Principal »%s« "
-+"erstellt.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:259
-+#, c-format
-+msgid "You will be prompted for a new database Master Password.\n"
-+msgstr "Sie werden nach einem neuen Datenbank-Master-Passwort gefragt.\n"
-+
-+#:
../../src/kadmin/dbutil/kdb5_mkey.c:275
-+msgid "while reading new master key from keyboard"
-+msgstr "beim Lesen des neuen Hauptschlüssels von der Tastatur"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:304
-+msgid "adding new master key to master principal"
-+msgstr "dem Haupt-Principal wird ein neuer Hauptschlüssel hinzugefügt"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:310
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:402
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:843
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1356
-+msgid "while getting current time"
-+msgstr "beim Holen der aktuellen Zeit"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:317
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:544
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1363
-+msgid "while updating the master key principal modification time"
-+msgstr "beim Aktulisieren der Änderungszeit des Hauptschlüssel-Principals"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:325
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:553
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1374
-+msgid "while adding master key entry to the database"
-+msgstr "beim Hinzufügen des Hauptschlüsseleintrags zur Datenbank"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:383
-+msgid "0 is an invalid KVNO value"
-+msgstr "0 ist kein gültiger KVNO-Wert"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:394
-+#, c-format
-+msgid "%d is an invalid KVNO value"
-+msgstr "%d ist kein gültiger KVNO-Wert"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:410
-+#, c-format
-+msgid "could not parse date-time string '%s'"
-+msgstr "»date-time«-Zeichenkette »%s« konnte nicht ausgewertet werden"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:452
-+msgid "while looking up active version of master key"
-+msgstr "beim Nachschlagen der aktiven Version des Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:491
-+msgid "while adding new master key"
-+msgstr "beim Hinzufügen eines neuen Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:529
-+msgid "there must be one master key
currently active"
-+msgstr "ein Hauptschlüssel muss derzeit aktiv sein"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:537
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1342
-+msgid "while updating actkvno data for master principal entry"
-+msgstr "beim Aktualisieren der Actkvno-Daten für den Haupt-Principal-Eintrag"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:581
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:948
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1116
-+msgid "master keylist not initialized"
-+msgstr "Hauptschlüsselliste ist nicht initialisiert"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:607
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:994
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1254
-+msgid "while looking up active kvno list"
-+msgstr "beim Nachschlagen der Liste aktiver KVNOs"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:615
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1002
-+msgid "while looking up active master key"
-+msgstr "beim Nachschlagen des aktiven Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:627
-+msgid "while getting enctype description"
-+msgstr "beim Holen des Verschlüsselungsbeschreibung"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:644
-+#, c-format
-+msgid "KVNO: %d, Enctype: %s, Active on: %s *\n"
-+msgstr "KVNO: %d, Verschlüsselungstyp: %s, aktiviert auf: %s *\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:649
-+#, c-format
-+msgid "KVNO: %d, Enctype: %s, Active on: %s\n"
-+msgstr "KVNO: %d, Verschlüsselungstyp: %s, aktiviert auf: %s\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:653
-+#, c-format
-+msgid "KVNO: %d, Enctype: %s, No activate time set\n"
-+msgstr "KVNO: %d, Verschlüsselungstyp: %s, keine Aktivierungszeit gesetzt\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:658
-+msgid "asprintf could not allocate enough memory to hold output"
-+msgstr ""
-+"Asprintf konnte nicht genug Speicher reservieren, um die Ausgabe "
-+"bereitzuhalten"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:793
-+msgid "getting string representation of principal
name"
-+msgstr "Principal-Name wird im Klartext geholt"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:817
-+#, c-format
-+msgid "determining master key used for principal '%s'"
-+msgstr "Hauptschlüssel, der für Principal »%s« benutzt wird, wird bestimmt"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:823
-+#, c-format
-+msgid "would skip: %s\n"
-+msgstr "würde übersprungen: %s\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:825
-+#, c-format
-+msgid "skipping: %s\n"
-+msgstr "wird übersprungen: %s\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:831
-+#, c-format
-+msgid "would update: %s\n"
-+msgstr "würde aktualisiert: %s\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:835
-+#, c-format
-+msgid "updating: %s\n"
-+msgstr "wird aktualisiert: %s\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:839
-+#, c-format
-+msgid "error re-encrypting key for principal '%s'"
-+msgstr "Fehler beim erneuten Verschlüsseln des Schlüssels für Principal »%s«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:850
-+#, c-format
-+msgid "while updating principal '%s' modification time"
-+msgstr "beim Aktualisieren der Änderungszeit von Principal »%s«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:857
-+#, c-format
-+msgid "while updating principal '%s' key data in the database"
-+msgstr ""
-+"beim Aktualisieren der Schlüsseldaten von Principal »%s« in der Datenbank"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:889
-+#, c-format
-+msgid ""
-+"\n"
-+"(type 'yes' to confirm)?
"
-+msgstr ""
-+"\n"
-+"(Geben Sie als Bestätigung »yes« ein) "
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:942
-+msgid "while formatting master principal name"
-+msgstr "beim Formatieren des Haupt-Principal-Namens"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:959
-+#, c-format
-+msgid "converting glob pattern '%s' to regular expression"
-+msgstr "Platzhalter »%s« wird in einen regulären Ausdruck umgewandelt"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:977
-+#, c-format
-+msgid "error compiling converted regexp '%s'"
-+msgstr "Fehler beim Kompilieren des umgewandelten regulären Ausdrucks »%s«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1010
-+#, c-format
-+msgid "Re-encrypt all keys not using master key vno %u?"
-+msgstr ""
-+"Sollen alle Schlüssel neu verschlüsselt werden, die nicht die Hauptschlüssel-"
-+"VNO %u verwenden?"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1012
-+#, c-format
-+msgid "OK, doing nothing.\n"
-+msgstr "Ok, es wird nichts getan.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1018
-+#, c-format
-+msgid "Principals whose keys WOULD BE re-encrypted to master key vno %u:\n"
-+msgstr ""
-+"Principals, deren Schlüssel mit dem Hauptschlüssel VNO %u neu verschlüsselt "
-+"WÜRDEN:\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1021
-+#, c-format
-+msgid ""
-+"Principals whose keys are being re-encrypted to master key vno %u if "
-+"necessary:\n"
-+msgstr ""
-+"Principals, deren Schlüssel mit dem Hauptschlüssel VNO %u neu verschlüsselt "
-+"werden, falls nötig:\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1037
-+msgid "trying to process principal database"
-+msgstr "es wird versucht, die Principal-Datenbank zu verarbeiten"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1042
-+#, c-format
-+msgid "%u principals processed: %u would be updated, %u already current\n"
-+msgstr ""
-+"%u Principals verarbeitet: %u würden aktualisiert, %u bereits aktuell\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1046
-+#, c-format
-+msgid "%u principals processed: %u
updated, %u already current\n"
-+msgstr "%u Principals verarbeitet: %u aktualisiert, %u bereits aktuell\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1164
-+#, c-format
-+msgid ""
-+"Will purge all unused master keys stored in the '%s' principal, are you "
-+"sure?\n"
-+msgstr ""
-+"Sind Sie sicher, dass alle nicht verwendeten Hauptschlüssel, die für "
-+"Principal »%s« gespeichert sind, vollständig entfernt werden sollen?\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1175
-+#, c-format
-+msgid "OK, purging unused master keys from '%s'...\n"
-+msgstr ""
-+"Ok, die nicht verwendeten Hauptschlüssel von »%s« werden vollständig "
-+"entfernt …\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1183
-+#, c-format
-+msgid "There is only one master key which can not be purged.\n"
-+msgstr ""
-+"Es gibt nur einen einzigen Hauptschlüssel, der nicht vollständig entfernt "
-+"werden kann.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1192
-+msgid "while allocating args.kvnos"
-+msgstr "beim Reservieren von »args.kvnos«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1208
-+msgid "while finding master keys in use"
-+msgstr "bei der Suche nach den gerade verwendeten Hauptschlüsseln"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1217
-+#, c-format
-+msgid "Would purge the following master key(s) from %s:\n"
-+msgstr ""
-+"Der/Die folgende(n) Hauptschlüssel würden/würde von %s vollständig "
-+"entfernt:\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1220
-+#, c-format
-+msgid "Purging the following master key(s) from %s:\n"
-+msgstr ""
-+"Der/Die folgende(n) Hauptschlüssel werden/wird von %s vollständig entfernt:\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1232
-+msgid "master key stash file needs updating, command aborting"
-+msgstr ""
-+"Ablagedatei des Hauptschlüssels erfordert Aktualisierung, Befehl abgebrochen"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1238
-+#, c-format
-+msgid "KVNO: %d\n"
-+msgstr "KVNO: %d\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1243
-+#, c-format 
-+msgid "All keys in use, nothing purged.\n"
-+msgstr "Alle Schlüssel sind in Gebrauch, keiner wurde vollständig entfernt.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1248
-+#, c-format
-+msgid "%d key(s) would be purged.\n"
-+msgstr "%d Schlüssel würde(n) vollständig entfernt.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1261
-+msgid "while looking up mkey aux data list"
-+msgstr "beim Nachschlagen der Mkey-Aux-Datenliste"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1269
-+msgid "while allocating key_data"
-+msgstr "beim Reservieren von »key_data«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1350
-+msgid "while updating mkey_aux data for master principal entry"
-+msgstr "beim Aktualisieren der Mkey-Aux-Daten für den Haupt-Principal-Eintrag"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1378
-+#, c-format
-+msgid "%d key(s) purged.\n"
-+msgstr "%d Schlüssel vollständig entfernt\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_stash.c:97
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:538
-+#, c-format
-+msgid "while setting up enctype %d"
-+msgstr "beim Einrichten des Verschlüsselungstyps %d"
-+
-+#: ../../src/kadmin/dbutil/kdb5_stash.c:123
-+msgid "while getting master key list"
-+msgstr "beim Holen der Hauptschlüsselliste"
-+
-+#: ../../src/kadmin/dbutil/kdb5_stash.c:127
-+#, c-format
-+msgid "Using existing stashed keys to update stash file.\n"
-+msgstr ""
-+"Zur Aktualisierung der Ablagedatei werden existierende gelagert Schlüssel "
-+"verwendet.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:80
-+#, c-format
-+msgid ""
-+"Usage: kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M "
-+"mkeyname]\n"
-+"\t [-kv mkeyVNO] [-sf stashfilename] [-m] cmd [cmd_options]\n"
-+"\tcreate [-s]\n"
-+"\tdestroy [-f]\n"
-+"\tstash [-f keyfile]\n"
-+"\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n"
-+"\t [-mkey_convert] [-new_mkey_file mkey_file]\n"
-+"\t [-rev] [-recurse] [filename [princs...]]\n"
-+"\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] 
filename\n"
-+"\tark [-e etype_list] principal\n"
-+"\tadd_mkey [-e etype] [-s]\n"
-+"\tuse_mkey kvno [time]\n"
-+"\tlist_mkeys\n"
-+msgstr ""
-+"Aufruf: kdb5_util [-x Datenbankargumente]* [-r Realm] [-d Datenbankname] [-k "
-+"Mkeytype] [-M Mkeyname]\n"
-+"\t [-kv MkeyVNO] [-sf Ablagedateiname] [-m] Befehl [Befehlsoptionen]\n"
-+"\tcreate [-s]\n"
-+"\tdestroy [-f]\n"
-+"\tstash [-f Schlüsseldatei]\n"
-+"\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n"
-+"\t [-mkey_convert] [-new_mkey_file mkey-Datei]\n"
-+"\t [-rev] [-recurse] [Dateiname [Principals …]]\n"
-+"\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] Dateiname\n"
-+"\tark [-e Etype-Liste] Principal\n"
-+"\tadd_mkey [-e Etype] [-s]\n"
-+"\tuse_mkey kvno [Zeit]\n"
-+"\tlist_mkeys\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:98
-+#, c-format
-+msgid ""
-+"\tupdate_princ_encryption [-f] [-n] [-v] [princ-pattern]\n"
-+"\tpurge_mkeys [-f] [-n] [-v]\n"
-+"\n"
-+"where,\n"
-+"\t[-x db_args]* - any number of database specific arguments.\n"
-+"\t\t\tLook at each database documentation for supported arguments\n"
-+msgstr ""
-+"\tupdate_princ_encryption [-f] [-n] [-v] [Principal-Muster]\n"
-+"\tpurge_mkeys [-f] [-n] [-v]\n"
-+"\n"
-+"dabei sind\n"
-+"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer "
-+"Argumente.\n"
-+"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation "
-+"der jeweiligen Datenbank.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:211
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:260
-+msgid "while initializing Kerberos code"
-+msgstr "beim Initialisieren von Kerberos-Code"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:217
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:267
-+msgid "while creating sub-command arguments"
-+msgstr "beim Erstellen von Unterbefehlsargumenten"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:235
-+msgid "while parsing command arguments"
-+msgstr "beim Auswerten von Befehlsargumenten"
-+
-+#: 
../../src/kadmin/dbutil/kdb5_util.c:264
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:298
-+#, c-format
-+msgid ": %s is an invalid enctype"
-+msgstr ": %s ist kein gültiger Verschlüsselungstyp"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:272
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:307
-+#, c-format
-+msgid ": %s is an invalid mkeyVNO"
-+msgstr ": %s ist kein gültiger MkeyVNO"
-+
-+# FIXME s/retreiving/retrieving/
-+#: ../../src/kadmin/dbutil/kdb5_util.c:317
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:431
-+msgid "while retreiving configuration parameters"
-+msgstr "beim Abfragen der Konfigurationsparameter"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:368
-+msgid "Too few arguments"
-+msgstr "zu wenige Argumente"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:369
-+#, c-format
-+msgid "Usage: %s dbpathname realmname"
-+msgstr "Aufruf: %s Datenbankpfadname Realm-Name"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:375
-+msgid "while closing previous database"
-+msgstr "beim Schließen der vorherigen Datenbank"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:412
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:877
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1497
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:564
-+msgid "while initializing database"
-+msgstr "beim Initialisieren der Datenbank"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:429
-+msgid "while retrieving master entry"
-+msgstr "beim Abfragen des Haupteintrags"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:448
-+msgid "while calculated master key salt"
-+msgstr "beim Berechnen des Hauptschlüssel-Salts"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:480
-+msgid "Warning: proceeding without master key"
-+msgstr "Warnung: Es wird ohne Hauptschlüssel fortgefahren"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:498
-+msgid "while seeding random number generator"
-+msgstr "beim Erzeugen des Startwerts des Zufallszahlengenerators"
-+
-+#: 
../../src/kadmin/dbutil/kdb5_util.c:508
-+#, c-format
-+msgid "%s: Could not map log\n"
-+msgstr "%s: Protokolldatei konnte nicht abgebildet werden\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:535
-+msgid "while closing database"
-+msgstr "beim Schließen der Datenbank"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:582
-+#, c-format
-+msgid "while fetching principal %s"
-+msgstr "beim Abrufen von Principal %s"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:605
-+msgid "while finding mkey"
-+msgstr "beim Suchen nach Mkey"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:630
-+msgid "while setting changetime"
-+msgstr "beim Setzen der Änderungszeit der Datei"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:638
-+#, c-format
-+msgid "while saving principal %s"
-+msgstr "beim Speichern von Principal %s"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:642
-+#, c-format
-+msgid "%s changed\n"
-+msgstr "%s geändert\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:73
-+#, c-format
-+msgid "%s: invalid arguments\n"
-+msgstr "%s: ungültige Argumente\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:78
-+msgid "while freeing ktlist"
-+msgstr "beim Freigeben von »ktlist«"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:89
-+#, c-format
-+msgid "%s: must specify keytab to read\n"
-+msgstr ""
-+"%s: Die Schlüsseltabelle, die gelesen werden soll, muss angegeben werden.\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:94
-+#, c-format
-+msgid "while reading keytab \"%s\""
-+msgstr "beim Lesen der Schlüsseltabelle »%s«"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:104
-+#, c-format
-+msgid "%s: must specify the srvtab to read\n"
-+msgstr "%s: Die zu lesende Dienstschlüsseltabelle muss angegeben werden.\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:109
-+#, c-format
-+msgid "while reading srvtab \"%s\""
-+msgstr "beim Lesen der Dienstschlüsseltabelle »%s«"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:119
-+#, c-format
-+msgid "%s: must specify keytab to write\n"
-+msgstr "%s: Die zu schreibende Schlüsseltabelle muss angegeben 
werden.\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:124
-+#, c-format
-+msgid "while writing keytab \"%s\""
-+msgstr "beim Schreiben der Schlüsseltabelle »%s«"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:131
-+#, c-format
-+msgid "%s: writing srvtabs is no longer supported\n"
-+msgstr ""
-+"%s: Schreiben der Dienstschlüsseltabelle wird nicht länger unterstützt\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:169
-+#, c-format
-+msgid "usage: %s (-key | -password) -p principal -k kvno -e enctype\n"
-+msgstr ""
-+"Aufruf: %s (-key | -password) -p Principal -k KVNO -e Verschlüsselungstyp\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:176
-+msgid "while adding new entry"
-+msgstr "beim Hinzufügen eines neuen Eintrags"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:186
-+#, c-format
-+msgid "%s: must specify entry to delete\n"
-+msgstr "%s: zu löschender Eintrag muss angegeben werden\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:191
-+#, c-format
-+msgid "while deleting entry %d"
-+msgstr "beim Löschen von Eintrag %d"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:219
-+#, c-format
-+msgid "%s: usage: %s [-t] [-k] [-e]\n"
-+msgstr "%s: Aufruf: %s [-t] [-k] [-e]\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:259
-+msgid "While converting enctype to string"
-+msgstr "beim Umwandeln des Verschlüsselungstyps in eine Zeichenkette"
-+
-+#: ../../src/kadmin/ktutil/ktutil_funcs.c:162
-+#, c-format
-+msgid "Password for %.1000s"
-+msgstr "Passwort für %.1000s"
-+
-+#: ../../src/kadmin/ktutil/ktutil_funcs.c:179
-+#, c-format
-+msgid "Key for %s (hex): "
-+msgstr "Schlüssel für %s (hexadezimal): "
-+
-+#: ../../src/kadmin/ktutil/ktutil_funcs.c:191
-+#, c-format
-+msgid "addent: Error reading key.\n"
-+msgstr "addent: Fehler beim Lesen des Schlüssels\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil_funcs.c:206
-+#, c-format
-+msgid "addent: Illegal character in key.\n"
-+msgstr "addent: unerlaubtes Zeichen im Schlüssel\n"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:48
-+#, c-format
-+msgid "Unauthorized request: 
%s, client=%s, service=%s, addr=%s"
-+msgstr "unberechtigte Anfrage: %s, Client=%s, Dienst=%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:49
-+#: ../../src/kadmin/server/ipropd_svc.c:212
-+#, c-format
-+msgid "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
-+msgstr "Anfrage: %s, %s, %s, Client=%s, Dienst=%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:146
-+#: ../../src/kadmin/server/ipropd_svc.c:271
-+#, c-format
-+msgid "%s: server handle is NULL"
-+msgstr "%s: Server-Identifikator ist NULL"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:156
-+#: ../../src/kadmin/server/ipropd_svc.c:284
-+#, c-format
-+msgid "%s: setup_gss_names failed"
-+msgstr "%s: setup_gss_names fehlgeschlagen"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:166
-+#: ../../src/kadmin/server/ipropd_svc.c:295
-+#, c-format
-+msgid "%s: out of memory recording principal names"
-+msgstr "%s: Speicher reicht nicht zur Aufzeichnung der Principal-Namen aus"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:195
-+#, c-format
-+msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=%lu"
-+msgstr "%s; eingehende Seriennummer=%lu; ausgehende Seriennummer=%lu"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:201
-+#, c-format
-+msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=N/A"
-+msgstr "%s; eingehende Seriennummer=%lu; ausgehende Seriennummer=N/A"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:320
-+#, c-format
-+msgid "%s: getclhoststr failed"
-+msgstr "%s: getclhoststr fehlgeschlagen"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:342
-+#, c-format
-+msgid "%s: cannot construct kdb5 util dump string too long; out of memory"
-+msgstr ""
-+"Ausgabenzeichenkette des KDB5-Hilfswerkzeugs nicht konstruierbar, da zu "
-+"lang; Speicher reicht nicht aus.%s: Die Ausgabezeichenkette des KDB5-"
-+"Hilfswerkzeugs kann nicht erstellt werden, weil sie zu lang ist. Der "
-+"Speicherplatz reicht nicht aus." 
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:362
-+#, c-format
-+msgid "%s: fork failed: %s"
-+msgstr "%s: Verzweigen fehlgeschlagen: %s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:374
-+#, c-format
-+msgid "%s: popen failed: %s"
-+msgstr "%s: popen fehlgeschlagen: %s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:388
-+#, c-format
-+msgid "%s: pclose(popen) failed: %s"
-+msgstr "%s: pclose(popen) fehlgeschlagen: %s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:405
-+#, c-format
-+msgid "%s: exec failed: %s"
-+msgstr "%s: exec fehlgeschlagen: %s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:421
-+#, c-format
-+msgid "Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s"
-+msgstr ""
-+"Anfrage: %s, hervorgebrachter Neusynchronisationsprozess %d, Client=%s, "
-+"Dienst=%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:485
-+#: ../../src/kadmin/server/kadm_rpc_svc.c:275
-+#, c-format
-+msgid "check_rpcsec_auth: failed inquire_context, stat=%u"
-+msgstr "check_rpcsec_auth: inquire_context fehlgeschlagen, Stat=%u"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:515
-+#: ../../src/kadmin/server/kadm_rpc_svc.c:304
-+#, c-format
-+msgid "bad service principal %.*s%s"
-+msgstr "falscher Dienst-Principal %.*s%s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:538
-+#, c-format
-+msgid "authentication attempt failed: %s, RPC authentication flavor %d"
-+msgstr ""
-+"Authentifizierungsversuche gescheitert: %s, PRC-Authentifizierungsvariante %d"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:572
-+#, c-format
-+msgid "RPC unknown request: %d (%s)"
-+msgstr "unbekannte PRC-Anfrage: %d (%s)"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:580
-+#, c-format
-+msgid "RPC svc_getargs failed (%s)"
-+msgstr "RPC-»svc_getargs« fehlgeschlagen (%s)"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:590
-+#, c-format
-+msgid "RPC svc_sendreply failed (%s)"
-+msgstr "RPC-»svc_sendreply« fehlgeschlagen (%s)"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:596
-+#, c-format
-+msgid 
"RPC svc_freeargs failed (%s)"
-+msgstr "RPC-»svc_freeargs« fehlgeschlagen (%s)"
-+
-+#: ../../src/kadmin/server/kadm_rpc_svc.c:325
-+#, c-format
-+msgid "gss_to_krb5_name: failed display_name status %d"
-+msgstr "gss_to_krb5_name: display_name fehlgeschlagen, Status %d"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:86
-+#, c-format
-+msgid ""
-+"Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] [-port port-number]\n"
-+"\t\t[-proponly] [-p path-to-kdb5_util] [-F dump-file]\n"
-+"\t\t[-K path-to-kprop] [-P pid_file]\n"
-+"\n"
-+"where,\n"
-+"\t[-x db_args]* - any number of database specific arguments.\n"
-+"\t\t\tLook at each database documentation for supported arguments\n"
-+msgstr ""
-+"Aufruf: kadmind [-x Datenbankargumente]* [-r Realm] [-m] [-nofork]\n"
-+"\t\t[-port Portummer] [-p Pfad_zum_KDB5-Hilfswerkzeug] [-F Auszugsdatei]\n"
-+"\t\t[-K Pfad_zu_Kprop] [-P PID-Datei]\n"
-+"\n"
-+"dabei sind\n"
-+"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer "
-+"Argumente.\n"
-+"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation "
-+"der jeweiligen Datenbank.\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:111
-+#, c-format
-+msgid "%s: %s while %s, aborting\n"
-+msgstr "%s: %s bei %s, wird abgebrochen\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:113
-+#, c-format
-+msgid "%s while %s, aborting\n"
-+msgstr "%s bei %s, wird abgebrochen\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:115
-+#, c-format
-+msgid "%s: %s, aborting\n"
-+msgstr "%s: %s, wird abgebrochen\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:116
-+#, c-format
-+msgid "%s, aborting"
-+msgstr "%s, wird abgebrochen"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:282
-+#, c-format
-+msgid ""
-+"WARNING! Forged/garbled request: %s, claimed client = %.*s%s, server = %.*s"
-+"%s, addr = %s"
-+msgstr ""
-+"WARNUNG! 
Gefälschte/verstümmelte Anfrage: %s, geforderter Client = %.*s%s, "
-+"Server = %.*s%s, Adresse = %s"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:288
-+#, c-format
-+msgid ""
-+"WARNING! Forged/garbled request: %d, claimed client = %.*s%s, server = %.*s"
-+"%s, addr = %s"
-+msgstr ""
-+"WARNUNG! Gefälschte/verstümmelte Anfrage: %d, Client = %.*s%s, Server = "
-+"%.*s%s, Adresse = %s"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:302
-+#, c-format
-+msgid "Miscellaneous RPC error: %s, %s"
-+msgstr "sonstiger PRC-Fehler: %s, %s"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:318
-+#, c-format
-+msgid "%s Cannot decode status %d"
-+msgstr "%s: Status %d kann nicht dekodiert werden"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:336
-+#, c-format
-+msgid "Authentication attempt failed: %s, GSS-API error strings are:"
-+msgstr "Authentifizierungsversuch fehlgeschlagen: %s, GSS-API-Fehlermeldungen:"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:341
-+msgid " GSS-API error strings complete."
-+msgstr " GSS-API-Fehlermeldungen vollständig"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:378
-+#, c-format
-+msgid "%s: cannot initialize. 
Not enough memory\n"
-+msgstr "%s: kann nicht initialisiert werden: Speicher reicht nicht aus.\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:445
-+#, c-format
-+msgid "%s: %s while initializing context, aborting\n"
-+msgstr "%s: %s beim Initialisieren des Kontextes, wird abgebrochen\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:456
-+msgid "initializing"
-+msgstr "wird initialisiert"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:460
-+msgid "getting config parameters"
-+msgstr "beim Holen der Konfigurationsparameter"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:462
-+msgid "Missing required realm configuration"
-+msgstr "erforderliche Realm-Konfiguration fehlt"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:464
-+msgid "Missing required ACL file configuration"
-+msgstr "erforderliche ACL-Dateikonfiguration fehlt"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:468
-+msgid "initializing network"
-+msgstr "Netzwerk wird initialisiert"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:473
-+msgid "Cannot build GSSAPI auth names"
-+msgstr "GSS-API-Authentifizierungsnamen können nicht gebildet werden."
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:477
-+msgid "Cannot set up KDB keytab"
-+msgstr "Die KDB-Schlüsseltabelle kann nicht eingerichtet werden."
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:480
-+msgid "Cannot set GSSAPI authentication names"
-+msgstr "GSS-API-Authentifizierungsnamen können nicht gesetzt werden." 
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:497
-+msgid "Cannot initialize GSSAPI service name"
-+msgstr "GSSAPI-Dienstname kann nicht initialisiert werden"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:501
-+msgid "initializing ACL file"
-+msgstr "ACL-Datei wird initialisiert"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:504
-+msgid "spawning daemon process"
-+msgstr "Daemon-Prozess wird erzeugt"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:508
-+msgid "creating PID file"
-+msgstr "PID-Datei wird erstellt"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:511
-+msgid "Seeding random number generator"
-+msgstr "Startwert des Zufallszahlengenerators wird erzeugt"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:514
-+msgid "getting random seed"
-+msgstr "Zufallsstartwert wird geholt"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:521
-+msgid "mapping update log"
-+msgstr "Aktualisierungsprotokoll wird abgebildet"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:525
-+#, c-format
-+msgid "%s: create IPROP svc (PROG=%d, VERS=%d)\n"
-+msgstr "%s: IPROP-Dienst wird erstellt (PROG=%d, VERS=%d)\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:530
-+msgid "starting"
-+msgstr "startet"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:532 ../../src/kdc/main.c:1061
-+#, c-format
-+msgid "%s: starting...\n"
-+msgstr "%s: startet …\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:535
-+msgid "finished, exiting"
-+msgstr "fertig, wird beendet"
-+
-+#: ../../src/kadmin/server/schpw.c:282
-+#, c-format
-+msgid "setpw request from %s by %.*s%s for %.*s%s: %s"
-+msgstr "»setpw«-Anfrage von %s durch %.*s%s für %.*s%s: %s"
-+
-+#: ../../src/kadmin/server/schpw.c:287
-+#, c-format
-+msgid "chpw request from %s for %.*s%s: %s"
-+msgstr "»chpw«-Anfrage von %s für %.*s%s: %s"
-+
-+#: ../../src/kadmin/server/schpw.c:464
-+#, c-format
-+msgid "chpw: Couldn't open admin keytab %s"
-+msgstr "chpw«: Administratorschlüsseltabelle %s konnte nicht geöffnet werden"
-+
-+#: 
../../src/kadmin/server/server_stubs.c:293
-+#, c-format
-+msgid ""
-+"Unauthorized request: %s, %.*s%s, client=%.*s%s, service=%.*s%s, addr=%s"
-+msgstr ""
-+"Unauthorisierte Anfrage: %s, %.*s%s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/server_stubs.c:314
-+#: ../../src/kadmin/server/server_stubs.c:649
-+#: ../../src/kadmin/server/server_stubs.c:1792
-+msgid "success"
-+msgstr "erfolgreich"
-+
-+#: ../../src/kadmin/server/server_stubs.c:324
-+#, c-format
-+msgid "Request: %s, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s"
-+msgstr "Anfrage: %s, %.*s%s, %s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/server_stubs.c:628
-+#, c-format
-+msgid ""
-+"Unauthorized request: kadm5_rename_principal, %.*s%s to %.*s%s, client=%.*s"
-+"%s, service=%.*s%s, addr=%s"
-+msgstr ""
-+"Unauthorisierte Anfrage: kadm5_rename_principal, %.*s%s bis %.*s%s, Client="
-+"%.*s%s, Dienst=%.*s%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/server_stubs.c:644
-+#, c-format
-+msgid ""
-+"Request: kadm5_rename_principal, %.*s%s to %.*s%s, %s, client=%.*s%s, "
-+"service=%.*s%s, addr=%s"
-+msgstr ""
-+"Anfrage: kadm5_rename_principal, %.*s%s bis %.*s%s, %s, Client=%.*s%s, "
-+"Dienst=%.*s%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/server_stubs.c:1788
-+#, c-format
-+msgid ""
-+"Request: kadm5_init, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s, "
-+"vers=%d, flavor=%d"
-+msgstr ""
-+"Anfrage: kadm5_init, %.*s%s, %s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s, "
-+"Version=%d, Variante=%d"
-+
-+#: ../../src/kdc/do_as_req.c:273
-+#, c-format
-+msgid "AS_REQ : handle_authdata (%d)"
-+msgstr "AS_REQ: handle_authdata (%d)"
-+
-+#: ../../src/kdc/do_tgs_req.c:593
-+#, c-format
-+msgid "TGS_REQ : handle_authdata (%d)"
-+msgstr "TGS_REQ: handle_authdata (%d)"
-+
-+#: ../../src/kdc/do_tgs_req.c:655
-+msgid "not checking transit path"
-+msgstr "Übergangspfad wird nicht geprüft"
-+
-+#: ../../src/kdc/fast_util.c:62
-+#, c-format 
-+msgid "%s while handling ap-request armor"
-+msgstr "%s bei der Handhabung des »ap-request«-Schutzes"
-+
-+#: ../../src/kdc/fast_util.c:71
-+msgid "ap-request armor for something other than the local TGS"
-+msgstr "»ap-request«-Schutz für etwas anderes als den lokalen TGS"
-+
-+#: ../../src/kdc/fast_util.c:80
-+msgid "ap-request armor without subkey"
-+msgstr "»ap-request«-Schutz ohne Unterschlüssel"
-+
-+#: ../../src/kdc/fast_util.c:162
-+msgid "Ap-request armor not permitted with TGS"
-+msgstr "»ap-request«-Schutz nicht mit TGS gestattet"
-+
-+#: ../../src/kdc/fast_util.c:169
-+#, c-format
-+msgid "Unknown FAST armor type %d"
-+msgstr "unbekanntet FAST-Schutztyp %d"
-+
-+#: ../../src/kdc/fast_util.c:183
-+msgid "No armor key but FAST armored request present"
-+msgstr "Es gibt keinen Schutzschlüssel aber eine FAST-geschützte Anfrage"
-+
-+#: ../../src/kdc/fast_util.c:219
-+msgid "FAST req_checksum invalid; request modified"
-+msgstr "FAST-»req_checksum« ungültig; Anfrage geändert"
-+
-+#: ../../src/kdc/fast_util.c:225
-+msgid "Unkeyed checksum used in fast_req"
-+msgstr "in fast_req wurde eine Prüfsumme ohne Schlüssel benutzt"
-+
-+#: ../../src/kdc/kdc_audit.c:110
-+#, c-format
-+msgid "audit plugin %s failed to open. error=%i"
-+msgstr "Öffnen der Audit-Erweiterung %s fehlgeschlagen. 
Fehler=%i"
-+
-+#: ../../src/kdc/kdc_authdata.c:292 ../../src/kdc/kdc_authdata.c:328
-+#, c-format
-+msgid "authdata %s failed to initialize: %s"
-+msgstr "Initialisieren von »authdata« %s fehlgeschlagen: %s"
-+
-+#: ../../src/kdc/kdc_authdata.c:779
-+#, c-format
-+msgid "authdata (%s) handling failure: %s"
-+msgstr "Handhabung von »authdata« %s fehlgeschlagen: %s"
-+
-+#: ../../src/kdc/kdc_log.c:82
-+#, c-format
-+msgid "AS_REQ (%s) %s: ISSUE: authtime %d, %s, %s for %s"
-+msgstr "AS_REQ (%s) %s: PROBLEM: Authentifizierungszeit %d, %s, %s für %s"
-+
-+#: ../../src/kdc/kdc_log.c:88
-+#, c-format
-+msgid "AS_REQ (%s) %s: %s: %s for %s%s%s"
-+msgstr "AS_REQ (%s) %s: %s: %s für %s%s%s"
-+
-+#: ../../src/kdc/kdc_log.c:159
-+#, c-format
-+msgid "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s"
-+msgstr "TGS_REQ (%s) %s: %s: Authentifizierungszeit %d, %s%s %s für %s%s%s"
-+
-+#: ../../src/kdc/kdc_log.c:166
-+#, c-format
-+msgid "... PROTOCOL-TRANSITION s4u-client=%s"
-+msgstr "… PROTOKOLLÜBERGANG s4u-client=%s"
-+
-+#: ../../src/kdc/kdc_log.c:170
-+#, c-format
-+msgid "... CONSTRAINED-DELEGATION s4u-client=%s"
-+msgstr "… EINHESCHRÄNKTE DELEGIERUNG s4u-client=%s"
-+
-+#: ../../src/kdc/kdc_log.c:174
-+#, c-format
-+msgid "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s"
-+msgstr "TGS_REQ %s: %s: Authentifizierungszeit %d, %s für %s, 2. 
TKT-Client %s"
-+
-+#: ../../src/kdc/kdc_log.c:208
-+#, c-format
-+msgid "bad realm transit path from '%s' to '%s' via '%.*s%s'"
-+msgstr "falscher Realm-Übergangspfad von »%s« zu »%s« über »%.*s%s«"
-+
-+#: ../../src/kdc/kdc_log.c:214
-+#, c-format
-+msgid "unexpected error checking transit from '%s' to '%s' via '%.*s%s': %s"
-+msgstr ""
-+"unerwarteter Fehler bei der Prüfung des Übergangs von »%s« zu »%s« über »%.*s"
-+"%s«: %s"
-+
-+#: ../../src/kdc/kdc_log.c:232
-+msgid "TGS_REQ: issuing alternate TGT"
-+msgstr "TGS_REQ: alternativer TGT wird erstellt"
-+
-+#: ../../src/kdc/kdc_log.c:235
-+#, c-format
-+msgid "TGS_REQ: issuing TGT %s"
-+msgstr "TGS_REQ: TGT %s wird erstellt"
-+
-+#: ../../src/kdc/kdc_preauth.c:328
-+#, c-format
-+msgid "preauth %s failed to initialize: %s"
-+msgstr "Initialisieren von »preauth« %s fehlgeschlagen: %s"
-+
-+#: ../../src/kdc/kdc_preauth.c:339
-+#, c-format
-+msgid "preauth %s failed to setup loop: %s"
-+msgstr "Einrichten der Schleife von »preauth« %s fehlgeschlagen: %s"
-+
-+#: ../../src/kdc/kdc_preauth.c:760
-+#, c-format
-+msgid "%spreauth required but hint list is empty"
-+msgstr "%spreauth benötigt, aber Hinweisliste ist leer"
-+
-+#: ../../src/kdc/kdc_preauth_ec.c:75
-+msgid "Encrypted Challenge used outside of FAST tunnel"
-+msgstr "verschlüsselte Aufforderung wurde außerhalb des FAST-Tunnels verwendet"
-+
-+#: ../../src/kdc/kdc_preauth_ec.c:110
-+msgid "Incorrect password in encrypted challenge"
-+msgstr "falsches Passwort in verschlüsselter Aufforderung"
-+
-+#: ../../src/kdc/kdc_util.c:236
-+msgid "TGS_REQ: SESSION KEY or MUTUAL"
-+msgstr "TGS_REQ: SITZUNGSSCHLÜSSEL oder BEIDERSEITIG"
-+
-+#: ../../src/kdc/kdc_util.c:314
-+msgid "PROCESS_TGS: failed lineage check"
-+msgstr "PROCESS_TGS: Abstammungsprüfung fehlgeschlagen"
-+
-+#: ../../src/kdc/kdc_util.c:468
-+#, c-format
-+msgid "TGS_REQ: UNKNOWN SERVER: server='%s'"
-+msgstr "TGS_REQ: UNBEKANNTER SERVER: Server=»%s«"
-+
-+#: ../../src/kdc/main.c:231
-+#, c-format 
-+msgid "while getting context for realm %s"
-+msgstr "beim Holen des Kontextes für Realm %s"
-+
-+#: ../../src/kdc/main.c:329
-+#, c-format
-+msgid "while setting default realm to %s"
-+msgstr "beim Setzen des Standard-Realms auf %s"
-+
-+#: ../../src/kdc/main.c:337
-+#, c-format
-+msgid "while initializing database for realm %s"
-+msgstr "beim Initialisieren der Datenbank für Realm %s"
-+
-+#: ../../src/kdc/main.c:346
-+#, c-format
-+msgid "while setting up master key name %s for realm %s"
-+msgstr "beim Einrichten des Hauptschlüsselnamens %s für Realm %s"
-+
-+#: ../../src/kdc/main.c:359
-+#, c-format
-+msgid "while fetching master key %s for realm %s"
-+msgstr "beim Abholen des Hauptschlüssels %s für Realm %s"
-+
-+#: ../../src/kdc/main.c:367
-+#, c-format
-+msgid "while fetching master keys list for realm %s"
-+msgstr "beim Abholen der Hauptschlüsselliste für Realm %s"
-+
-+#: ../../src/kdc/main.c:376
-+#, c-format
-+msgid "while resolving kdb keytab for realm %s"
-+msgstr "beim Ermitteln der KDB-Schlüsseltabelle für Realm %s"
-+
-+#: ../../src/kdc/main.c:385
-+#, c-format
-+msgid "while building TGS name for realm %s"
-+msgstr "beim Bilden des TGS-Namens für Realm %s"
-+
-+#: ../../src/kdc/main.c:503
-+#, c-format
-+msgid "creating %d worker processes"
-+msgstr "%d Arbeitsprozesse werden erzeugt"
-+
-+#: ../../src/kdc/main.c:513
-+msgid "Unable to reinitialize main loop"
-+msgstr "Hauptschleife konnte nicht neu initialisiert werden"
-+
-+#: ../../src/kdc/main.c:518
-+#, c-format
-+msgid "Unable to initialize signal handlers in pid %d"
-+msgstr ""
-+"Signalbehandlungsprogramme in PID %d konnten nicht initialisiert werden"
-+
-+#: ../../src/kdc/main.c:548
-+#, c-format
-+msgid "worker %ld exited with status %d"
-+msgstr "Arbeitsprozess %ld endete mit Status %d"
-+
-+#: ../../src/kdc/main.c:572
-+#, c-format
-+msgid "signal %d received in supervisor"
-+msgstr "Überwachungsprogramm empfing Signal %d"
-+
-+#: ../../src/kdc/main.c:591
-+#, c-format
-+msgid "" 
-+"usage: %s [-x db_args]* [-d dbpathname] [-r dbrealmname]\n"
-+"\t\t[-R replaycachename] [-m] [-k masterenctype]\n"
-+"\t\t[-M masterkeyname] [-p port] [-P pid_file]\n"
-+"\t\t[-n] [-w numworkers] [/]\n"
-+"\n"
-+"where,\n"
-+"\t[-x db_args]* - Any number of database specific arguments.\n"
-+"\t\t\tLook at each database module documentation for \t\t\tsupported "
-+"arguments\n"
-+msgstr ""
-+"Aufruf: %s [-x Datenbankargumente]* [-d Datenbankpfadname]\n"
-+"\t\t[-r Datenbank-Realm-Name] [-m] [-k Hauptverschlüsselungstyp]\n"
-+"\t\t[-M Hauptschlüsselname] [-p Port] [-P PID-Datei]\n"
-+"\t\t[-n] [-w Arbeitsprozessanzahl] [/]\n"
-+"\n"
-+"dabei sind\n"
-+"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer "
-+"Argumente.\n"
-+"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation "
-+"der jeweiligen Datenbank.\n"
-+
-+#: ../../src/kdc/main.c:653 ../../src/kdc/main.c:660 ../../src/kdc/main.c:774
-+#, c-format
-+msgid " KDC cannot initialize. Not enough memory\n"
-+msgstr "KDC kann nicht initialisiert werden. Speicher reicht nicht aus\n"
-+
-+#: ../../src/kdc/main.c:679 ../../src/kdc/main.c:722 ../../src/kdc/main.c:733
-+#, c-format
-+msgid "%s: KDC cannot initialize. Not enough memory\n"
-+msgstr "%s: KDC kann nicht initialisiert werden. Speicher reicht nicht aus\n"
-+
-+#: ../../src/kdc/main.c:699 ../../src/kdc/main.c:816
-+#, c-format
-+msgid "%s: cannot initialize realm %s - see log file for details\n"
-+msgstr ""
-+"%s: Realm %s kann nicht initialisiert werden - Einzelheiten finden Sie in "
-+"der Protokolldatei\n"
-+
-+#: ../../src/kdc/main.c:710
-+#, c-format
-+msgid "%s: cannot initialize realm %s. Not enough memory\n"
-+msgstr ""
-+"%s: Realm %s kann nicht initialisiert werden. 
Speicher reicht nicht aus\n"
-+
-+#: ../../src/kdc/main.c:761
-+#, c-format
-+msgid "invalid enctype %s"
-+msgstr "ungültiger Verschlüsselungstyp %s"
-+
-+#: ../../src/kdc/main.c:804
-+msgid "while attempting to retrieve default realm"
-+msgstr "beim Versuch, den Standard-Realm abzufragen"
-+
-+#: ../../src/kdc/main.c:806
-+#, c-format
-+msgid "%s: %s, attempting to retrieve default realm\n"
-+msgstr "%s: %s, es wird versucht, den Standard-Realm abzufragen\n"
-+
-+#: ../../src/kdc/main.c:912
-+#, c-format
-+msgid "%s: cannot get memory for realm list\n"
-+msgstr "%s: Speicher für die Realm-Liste kann nicht erlangt werden\n"
-+
-+# http://www.oreilly.de/german/freebooks/linuxdrive2ger/getcache.html
-+#: ../../src/kdc/main.c:947
-+msgid "while initializing lookaside cache"
-+msgstr "beim Initialisieren des Lookaside-Zwischenspeichers"
-+
-+#: ../../src/kdc/main.c:955
-+msgid "while creating main loop"
-+msgstr "beim Erzeugen der Hauptschleife"
-+
-+# SAM=Security Accounts Manager
-+#: ../../src/kdc/main.c:965
-+msgid "while initializing SAM"
-+msgstr "beim Initialisieren des SAMs"
-+
-+#: ../../src/kdc/main.c:1011
-+msgid "while initializing routing socket"
-+msgstr "beim Initialisieren des Routing-Sockets"
-+
-+#: ../../src/kdc/main.c:1017
-+msgid "while initializing signal handlers"
-+msgstr "beim Initialisieren des Signalbehandlungsprogramms"
-+
-+#: ../../src/kdc/main.c:1024
-+msgid "while initializing network"
-+msgstr "beim Initialisieren des Netzwerks"
-+
-+#: ../../src/kdc/main.c:1029
-+msgid "while detaching from tty"
-+msgstr "beim Lösen vom Terminal"
-+
-+#: ../../src/kdc/main.c:1036
-+msgid "while creating PID file"
-+msgstr "beim Erstellen der PID-Datei"
-+
-+#: ../../src/kdc/main.c:1045
-+msgid "creating worker processes"
-+msgstr "Arbeitsprozesse werden erzeugt"
-+
-+#: ../../src/kdc/main.c:1055
-+msgid "while loading audit plugin module(s)"
-+msgstr "beim Laden des/der Auditerweiterungsmoduls/Auditerweiterungsmodule"
-+
-+#: ../../src/kdc/main.c:1059
-+msgid "commencing operation"
-+msgstr "Aktion wird begonnen"
-+
-+#: ../../src/kdc/main.c:1067
-+msgid "shutting down"
-+msgstr "wird heruntergefahren"
-+
-+#: ../../src/lib/apputils/net-server.c:258
-+msgid "Got signal to request exit"
-+msgstr "Signal zur Anfrage des Beendens empfangen"
-+
-+#: ../../src/lib/apputils/net-server.c:272
-+msgid "Got signal to reset"
-+msgstr "Signal zum Zurücksetzen empfangen"
-+
-+#: ../../src/lib/apputils/net-server.c:429
-+#, c-format
-+msgid "closing down fd %d"
-+msgstr "Dateideskriptor %d wird geschlossen"
-+
-+#: ../../src/lib/apputils/net-server.c:443
-+#, c-format
-+msgid "descriptor %d closed but still in svc_fdset"
-+msgstr "Deskriptor %d geschlossen, aber immer noch in »svc_fdset«"
-+
-+#: ../../src/lib/apputils/net-server.c:469
-+msgid "cannot create io event"
-+msgstr "E/A-Ereignis kann nicht erzeugt werden"
-+
-+#: ../../src/lib/apputils/net-server.c:475
-+msgid "cannot save event"
-+msgstr "Ereignis kann nicht gesichert werden"
-+
-+#: ../../src/lib/apputils/net-server.c:495
-+#, c-format
-+msgid "file descriptor number %d too high"
-+msgstr "Dateideskriptornummer %d zu hoch"
-+
-+#: ../../src/lib/apputils/net-server.c:503
-+msgid "cannot allocate storage for connection info"
-+msgstr "Speicher für Verbindungsinformation kann nicht reserviert werden"
-+
-+#: ../../src/lib/apputils/net-server.c:562
-+#, c-format
-+msgid "Cannot create TCP server socket on %s"
-+msgstr "Auf %s kann kein TCP-Server-Socket erstellt werden."
-+
-+#: ../../src/lib/apputils/net-server.c:571
-+#, c-format
-+msgid "TCP socket fd number %d (for %s) too high"
-+msgstr "TCP-Socket-Deskriptornummer %d (für %s) zu hoch"
-+
-+#: ../../src/lib/apputils/net-server.c:579
-+#, c-format
-+msgid "Cannot enable SO_REUSEADDR on fd %d"
-+msgstr "SO_REUSEADDR kann nicht für Dateideskriptor %d aktiviert werden"
-+
-+#: ../../src/lib/apputils/net-server.c:586
-+#, c-format
-+msgid "setsockopt(%d,IPV6_V6ONLY,1) failed"
-+msgstr "setsockopt(%d,IPV6_V6ONLY,1) fehlgeschlagen"
-+
-+#: ../../src/lib/apputils/net-server.c:588
-+#, c-format
-+msgid "setsockopt(%d,IPV6_V6ONLY,1) worked"
-+msgstr "setsockopt(%d,IPV6_V6ONLY,1) funktioniert"
-+
-+#: ../../src/lib/apputils/net-server.c:591
-+msgid "no IPV6_V6ONLY socket option support"
-+msgstr "keine Socket-Option für IPV6_V6ONLY unterstützt"
-+
-+#: ../../src/lib/apputils/net-server.c:597
-+#, c-format
-+msgid "Cannot bind server socket on %s"
-+msgstr "Server-Socket kann nicht an %s gebunden werden"
-+
-+#: ../../src/lib/apputils/net-server.c:624
-+#, c-format
-+msgid "Cannot create RPC service: %s; continuing"
-+msgstr "RPC-Dienst kann nicht erstellt werden: %s; es wird fortgefahren"
-+
-+#: ../../src/lib/apputils/net-server.c:633
-+#, c-format
-+msgid "Cannot register RPC service: %s; continuing"
-+msgstr "RPC-Dienst kann nicht registriert werden: %s; es wird fortgefahren"
-+
-+#: ../../src/lib/apputils/net-server.c:682
-+#, c-format
-+msgid "Cannot listen on TCP server socket on %s"
-+msgstr ""
-+"Auf dem TCP-Server-Socket kann nicht auf eine Verbindung gewartet werden auf "
-+"%s."
-+
-+#: ../../src/lib/apputils/net-server.c:688
-+#, c-format
-+msgid "cannot set listening tcp socket on %s non-blocking"
-+msgstr ""
-+"Das auf eine Verbindung wartende TCP-Socket kann nicht auf nicht-"
-+"blockierendes %s gesetzt werden."
-+
-+#: ../../src/lib/apputils/net-server.c:695
-+#, c-format
-+msgid "disabling SO_LINGER on TCP socket on %s"
-+msgstr "SO_LINGER auf dem TCP-Socket auf %s wird deaktiviert"
-+
-+#: ../../src/lib/apputils/net-server.c:743
-+#: ../../src/lib/apputils/net-server.c:752
-+#, c-format
-+msgid "listening on fd %d: tcp %s"
-+msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: TCP %s"
-+
-+#: ../../src/lib/apputils/net-server.c:757
-+msgid "assuming IPv6 socket accepts IPv4"
-+msgstr "es wird davon ausgegangen, dass das IPv6-Socket IPv4 akzeptiert"
-+
-+#: ../../src/lib/apputils/net-server.c:791
-+#: ../../src/lib/apputils/net-server.c:804
-+#, c-format
-+msgid "listening on fd %d: rpc %s"
-+msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: RPC %s"
-+
-+#: ../../src/lib/apputils/net-server.c:883
-+#, c-format
-+msgid "Cannot request packet info for udp socket address %s port %d"
-+msgstr ""
-+"Paketinformation für UDP-Socket-Adresse %s, Port %d, kann nicht abgefragt "
-+"werden"
-+
-+#: ../../src/lib/apputils/net-server.c:889
-+#, c-format
-+msgid "listening on fd %d: udp %s%s"
-+msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: UDP %s%s"
-+
-+#: ../../src/lib/apputils/net-server.c:918
-+msgid "Failed to reconfigure network, exiting"
-+msgstr "Neukonfiguration des Netzwerks fehlgeschlagen, wird beendet"
-+
-+#: ../../src/lib/apputils/net-server.c:979
-+#, c-format
-+msgid ""
-+"unhandled routing message type %d, will reconfigure just for the fun of it"
-+msgstr ""
-+"nicht behandelter Routing-Meldungstyp %d, es wird es nur zum Spaß neu "
-+"konfiguriert"
-+
-+#: ../../src/lib/apputils/net-server.c:1013
-+#, c-format
-+msgid "short read (%d/%d) from routing socket"
-+msgstr "ungenügende Daten (%d/%d) vom Routing-Socket gelesen"
-+
-+#: ../../src/lib/apputils/net-server.c:1023
-+#, c-format
-+msgid "read %d from routing socket but msglen is %d"
-+msgstr "%d vom Routing-Socket gelesen, Nachrichtenlänge ist jedoch %d"
-+
-+#: 
../../src/lib/apputils/net-server.c:1055
-+#, c-format
-+msgid "couldn't set up routing socket: %s"
-+msgstr "Routing-Socket konnte nicht eingerichtet werden: %s"
-+
-+#: ../../src/lib/apputils/net-server.c:1058
-+#, c-format
-+msgid "routing socket is fd %d"
-+msgstr "Das Routing-Socket hat den Dateideskriptor %d."
-+
-+#: ../../src/lib/apputils/net-server.c:1084
-+msgid "setting up network..."
-+msgstr "Netzwerk wird eingerichtet …"
-+
-+#: ../../src/lib/apputils/net-server.c:1101
-+#, c-format
-+msgid "set up %d sockets"
-+msgstr "%d Sockets werden eingerichtet"
-+
-+#: ../../src/lib/apputils/net-server.c:1103
-+msgid "no sockets set up?"
-+msgstr "keine Sockets eingerichtet?"
-+
-+#: ../../src/lib/apputils/net-server.c:1351
-+#: ../../src/lib/apputils/net-server.c:1405
-+msgid "while dispatching (udp)"
-+msgstr "beim Versenden (UDP)"
-+
-+#: ../../src/lib/apputils/net-server.c:1380
-+#, c-format
-+msgid "while sending reply to %s/%s from %s"
-+msgstr "beim Senden der Antwort zu %s/%s von %s"
-+
-+#: ../../src/lib/apputils/net-server.c:1385
-+#, c-format
-+msgid "short reply write %d vs %d\n"
-+msgstr "ungenügende Ausgabe der Antwort %d gegenüber %d\n"
-+
-+#: ../../src/lib/apputils/net-server.c:1430
-+msgid "while receiving from network"
-+msgstr "beim Empfangen vom Netzwerk"
-+
-+#: ../../src/lib/apputils/net-server.c:1446
-+#, c-format
-+msgid "pktinfo says local addr is %s"
-+msgstr "Pktinfo sagt, die lokale Adresse sei %s"
-+
-+#: ../../src/lib/apputils/net-server.c:1479
-+msgid "too many connections"
-+msgstr "zu viele Verbindungen"
-+
-+#: ../../src/lib/apputils/net-server.c:1502
-+#, c-format
-+msgid "dropping %s fd %d from %s"
-+msgstr "%s Dateideskriptor %d von %s wird verworfen"
-+
-+#: ../../src/lib/apputils/net-server.c:1580
-+#, c-format
-+msgid "allocating buffer for new TCP session from %s"
-+msgstr "Puffer für neue TCP-Sitzung von %s wird reserviert"
-+
-+#: ../../src/lib/apputils/net-server.c:1610
-+msgid "while dispatching (tcp)"
-+msgstr 
"beim Versenden (TCP)"
-+
-+#: ../../src/lib/apputils/net-server.c:1642
-+msgid "error allocating tcp dispatch private!"
-+msgstr "Fehler beim Reservieren zum nicht öffentlichen TCP-Versand!"
-+
-+#: ../../src/lib/apputils/net-server.c:1689
-+#, c-format
-+msgid "TCP client %s wants %lu bytes, cap is %lu"
-+msgstr "TCP-Client %s will %lu Byte, Cap ist %lu"
-+
-+#: ../../src/lib/apputils/net-server.c:1697
-+#, c-format
-+msgid "error constructing KRB_ERR_FIELD_TOOLONG error! %s"
-+msgstr "Fehler beim Erzeugen des KRB_ERR_FIELD_TOOLONG-Fehlers! %s"
-+
-+#: ../../src/lib/apputils/net-server.c:1876
-+#, c-format
-+msgid "accepted RPC connection on socket %d from %s"
-+msgstr "akzeptierte PRC-Verbindung auf Socket %d von %s"
-+
-+# pseudo random function
-+#: ../../src/lib/crypto/krb/cf2.c:114
-+#, c-format
-+msgid "Enctype %d has no PRF"
-+msgstr "Verschlüsselungstyp %d hat keine PRF"
-+
-+#: ../../src/lib/crypto/krb/prng_fortuna.c:428
-+msgid "Random number generator could not be seeded"
-+msgstr "Zufallszahlengenerator konnte kein Startwert zugewiesen werden"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:43
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:165
-+msgid "A required input parameter could not be read"
-+msgstr "Ein benötigter Eingabeparameter konnte nicht gelesen werden."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:44
-+msgid "A required input parameter could not be written"
-+msgstr "Ein benötigter Eingabeparameter konnte nicht geschrieben werden."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:45
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:175
-+msgid "A parameter was malformed"
-+msgstr "Ein Parameter hatte eine falsche Form"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:48
-+msgid "calling error"
-+msgstr "Aufruffehler"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:59
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:195
-+msgid "An unsupported mechanism was requested"
-+msgstr "Ein nicht unterstützter Mechanismus wurde angefordert."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:60
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:199
-+msgid "An invalid name was supplied"
-+msgstr "Ein ungültiger Name wurde übergeben."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:61
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:203
-+msgid "A supplied name was of an unsupported type"
-+msgstr "Ein übergebener Name hatte einen nicht unterstützten Typ."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:62
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:208
-+msgid "Incorrect channel bindings were supplied"
-+msgstr "Falsche Kanalbindungen wurden übergeben."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:63
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:179
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:274
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:334
-+msgid "An invalid status code was supplied"
-+msgstr "Ein ungültiger Statuscode wurde übergeben."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:64
-+msgid "A token had an invalid signature"
-+msgstr "Ein Merkmal hatte eine ungültige Signatur."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:65
-+msgid "No credentials were supplied"
-+msgstr "Es wurden keine Anmeldedaten übergeben."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:66
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:223
-+msgid "No context has been established"
-+msgstr "Es wurde keine Kontext etabliert."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:67
-+msgid "A token was invalid"
-+msgstr "Ein Merkmal war ungültig."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:68
-+msgid "A credential was invalid"
-+msgstr "Eine der Anmeldedaten war ungültig."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:69
-+msgid "The referenced credentials have expired"
-+msgstr "Die referenzierten Anmeldedaten sind abgelaufen."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:70
-+msgid "The context has expired"
-+msgstr "Der Kontext ist abgelaufen."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:71
-+msgid "Miscellaneous failure"
-+msgstr "sonstiger Fehlschlag"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:72
-+msgid "The quality-of-protection requested could not be provided"
-+msgstr ""
-+"Die angeforderte Qualität des Schutzes konnte nicht bereitgestellt werden."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:73
-+msgid "The operation is forbidden by the local security policy"
-+msgstr "Die Aktion wird durch die lokale Sicherheitsrichtinie verboten."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:74
-+msgid "The operation or option is not available"
-+msgstr "Die Aktion oder Option ist nicht verfügbar."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:77
-+msgid "routine error"
-+msgstr "Fehler in einer Routine"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:89
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:311
-+msgid "The routine must be called again to complete its function"
-+msgstr ""
-+"Die Routine muss erneut aufgerufen werden, um ihre Funktion zu "
-+"vervollständigen."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:90
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:316
-+msgid "The token was a duplicate of an earlier token"
-+msgstr "Das Merkmal war ein Zweitexemplar eines früheren Merkmals."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:91
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:321
-+msgid "The token's validity period has expired"
-+msgstr "Die Gültigkeitsperiode des Merkmals ist abgelaufen."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:92
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:325
-+msgid "A later token has already been processed"
-+msgstr "Es wurde bereits ein neueres Merkmal verarbeitet."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:95
-+msgid "supplementary info code"
-+msgstr "zusätzlicher Informationscode"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:106
-+#: ../lib/krb5/error_tables/krb5_err.c:23
-+msgid "No error"
-+msgstr "kein Fehler"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:107
-+#, c-format
-+msgid "Unknown %s (field = %d)"
-+msgstr "%s unbekannt (Feld = %d)"
-+
-+#: ../../src/lib/gssapi/krb5/acquire_cred.c:165
-+#, c-format
-+msgid "No key table entry found matching %s"
-+msgstr "Es wurde kein zu %s passender Schlüsseltabelleneintrag gefunden."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:161
-+msgid "The routine completed successfully"
-+msgstr "Die Routine wurde erfolgreich abgeschlossen"
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:170
-+msgid "A required output parameter could not be written"
-+msgstr "Ein erforderlicher Ausgabeparameter konnte nicht geschrieben werden."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:212
-+msgid "A token had an invalid Message Integrity Check (MIC)"
-+msgstr ""
-+"Ein Merkmal hatte eine ungültige Meldungsintegritätsprüfung (Message "
-+"Integrity Check/MIC)."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:217
-+msgid ""
-+"No credentials were supplied, or the credentials were unavailable or "
-+"inaccessible"
-+msgstr ""
-+"Es wurden keine Anmeldedaten übergeben oder die Anmeldedaten waren nicht "
-+"verfügbar bzw. ein Zugriff darauf nicht möglich."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:227
-+msgid "Invalid token was supplied"
-+msgstr "Es wurde ein ungültiges Token übergeben."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:231
-+msgid "Invalid credential was supplied"
-+msgstr "ungültige Anmeldedaten wurden übergeben"
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:235
-+msgid "The referenced credential has expired"
-+msgstr "Die referenzierten Anmeldedaten sind abgelaufen."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:239
-+msgid "The referenced context has expired"
-+msgstr "Der referenzierte Kontext ist abgelaufen."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:243
-+msgid "Unspecified GSS failure. Minor code may provide more information"
-+msgstr ""
-+"nicht spezifizierter GSS-Fehlschlag. Möglicherweise stellt der "
-+"untergeordnete Code weitere Informationen bereit."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:248
-+msgid "The quality-of-protection (QOP) requested could not be provided"
-+msgstr ""
-+"Die Qualität des Schutzes (quality-of-protection/QOP) konnte nicht "
-+"bereitgestellt werden."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:253
-+msgid "The operation is forbidden by local security policy"
-+msgstr "Die Aktion wird durch die lokale Sicherheitsrichtinie verboten."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:258
-+msgid "The operation or option is not available or unsupported"
-+msgstr ""
-+"Die Aktion oder Option ist nicht verfügbar oder wird nicht unterstützt."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:263
-+msgid "The requested credential element already exists"
-+msgstr "Das angeforderte Anmeldedatenelement existiert bereits."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:268
-+msgid "The provided name was not mechanism specific (MN)"
-+msgstr "Der bereitgestellte Name war nicht mechanismusspezifisch (MN)."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:329
-+msgid "An expected per-message token was not received"
-+msgstr "Ein erwartetes nachrichtenspezifisches Token wurde nicht empfangen."
-+
-+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1860
-+msgid "SPNEGO cannot find mechanisms to negotiate"
-+msgstr "SPNEGO kann keine Mechanismen zum Aushandeln finden."
-+
-+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1865
-+msgid "SPNEGO failed to acquire creds"
-+msgstr "SPNEGO ist beim Beschaffen von Anmeldedaten gescheitert"
-+
-+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1870
-+msgid "SPNEGO acceptor did not select a mechanism"
-+msgstr "SPNEGO-Abnehmer hat keinen Mechanismus ausgewählt"
-+
-+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1875
-+msgid "SPNEGO failed to negotiate a mechanism"
-+msgstr "SPNEGO ist beim Aushandeln eines Mechanismus gescheitert."
-+
-+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1880
-+msgid "SPNEGO acceptor did not return a valid token"
-+msgstr "SPNEGO-Abnehmer hat kein gültiges Token zurückgeliefert"
-+
-+#: ../../src/lib/kadm5/alt_prof.c:854
-+#, c-format
-+msgid "Cannot resolve address of admin server \"%s\" for realm \"%s\""
-+msgstr ""
-+"Adresse des Admin-Servers »%s« für Realm »%s« kann nicht ermittelt werden"
-+
-+#: ../../src/lib/kadm5/logger.c:56
-+#, c-format
-+msgid "%s: cannot parse <%s>\n"
-+msgstr "%s: <%s> kann nicht ausgewertet werden\n"
-+
-+#: ../../src/lib/kadm5/logger.c:57
-+#, c-format
-+msgid "%s: warning - logging entry syntax error\n"
-+msgstr "%s: Warnung – Syntaxfehler bei Protokolleintrag\n"
-+
-+#: ../../src/lib/kadm5/logger.c:58
-+#, c-format
-+msgid "%s: error writing to %s\n"
-+msgstr "%s: Fehler beim Schreiben auf %s\n"
-+
-+#: ../../src/lib/kadm5/logger.c:59
-+#, c-format
-+msgid "%s: error writing to %s device\n"
-+msgstr "%s: Fehler beim Schreiben auf Gerät %s\n"
-+
-+#: ../../src/lib/kadm5/logger.c:61
-+msgid "EMERGENCY"
-+msgstr "NOTFALL"
-+
-+#: ../../src/lib/kadm5/logger.c:62
-+msgid "ALERT"
-+msgstr "ALARM"
-+
-+#: ../../src/lib/kadm5/logger.c:63
-+msgid "CRITICAL"
-+msgstr "KRITISCH"
-+
-+#: ../../src/lib/kadm5/logger.c:64
-+msgid "Error"
-+msgstr "Fehler"
-+
-+#: ../../src/lib/kadm5/logger.c:65
-+msgid "Warning"
-+msgstr "Warnung"
-+
-+#: ../../src/lib/kadm5/logger.c:66
-+msgid "Notice"
-+msgstr "Hinweis"
-+
-+#: ../../src/lib/kadm5/logger.c:67
-+msgid "info"
-+msgstr "Information"
-+
-+#: ../../src/lib/kadm5/logger.c:68
-+msgid "debug"
-+msgstr "Fehlersuchmeldung"
-+
-+#: ../../src/lib/kadm5/logger.c:967
-+#, c-format
-+msgid "Couldn't open log file %s: %s\n"
-+msgstr "Protokolldatei %s konnte nicht geöffnet werden: %s\n"
-+
-+#: ../../src/lib/kadm5/srv/kadm5_hook.c:119
-+#, c-format
-+msgid "kadm5_hook %s failed postcommit %s: %s"
-+msgstr "»kadm5_hook« %s ist beim Nach-Commit %s gescheitert: %s"
-+
-+#: 
../../src/lib/kadm5/srv/pwqual_dict.c:106
-+msgid "No dictionary file specified, continuing without one."
-+msgstr "keine Wörterbuchdatei angegeben, es wird ohne fortgefahren"
-+
-+#: ../../src/lib/kadm5/srv/pwqual_dict.c:113
-+#, c-format
-+msgid "WARNING! Cannot find dictionary file %s, continuing without one."
-+msgstr ""
-+"WARNUNG! Wörterbuchdatei %s kann nicht gefunden werden, es wird ohne "
-+"fortgefahren"
-+
-+#: ../../src/lib/kadm5/srv/pwqual_empty.c:42
-+msgid "Empty passwords are not allowed"
-+msgstr "Leere Passwörter sind nicht erlaubt."
-+
-+#: ../../src/lib/kadm5/srv/pwqual_hesiod.c:114
-+msgid "Password may not match user information."
-+msgstr "Das Passwort darf keinen Anwenderdaten entsprechen."
-+
-+#: ../../src/lib/kadm5/srv/pwqual_princ.c:54
-+msgid "Password may not match principal name"
-+msgstr "Das Passwort darf nicht mit dem Principal-Namen übereinstimmen."
-+
-+#: ../../src/lib/kadm5/srv/server_acl.c:89
-+#, c-format
-+msgid "%s: line %d too long, truncated"
-+msgstr "%s: Zeile %d zu lang, wurde gekürzt"
-+
-+#: ../../src/lib/kadm5/srv/server_acl.c:90
-+#, c-format
-+msgid "Unrecognized ACL operation '%c' in %s"
-+msgstr "unbekannte ACL-Aktion »%c« in %s"
-+
-+#: ../../src/lib/kadm5/srv/server_acl.c:92
-+#, c-format
-+msgid "%s: syntax error at line %d <%10s...>"
-+msgstr "%s: Syntaxfehler in Zeile %d <%10s …>"
-+
-+#: ../../src/lib/kadm5/srv/server_acl.c:94
-+#, c-format
-+msgid "%s while opening ACL file %s"
-+msgstr "%s beim Öffnen der ACL-Datei %s"
-+
-+#: ../../src/lib/kadm5/srv/server_acl.c:353
-+#, c-format
-+msgid "%s: invalid restrictions: %s"
-+msgstr "%s: ungültige Beschränkung: %s"
-+
-+#: ../../src/lib/kadm5/srv/server_kdb.c:192
-+msgid "History entry contains no key data"
-+msgstr "Chronikeintrag enthält keine Schlüsseldaten"
-+
-+#: ../../src/lib/kadm5/srv/server_misc.c:128
-+#, c-format
-+msgid "password quality module %s rejected password for %s: %s"
-+msgstr ""
-+"Das Modul %s für Passwortqualität hat das Passwort für 
%s abgelehnt: %s"
-+
-+#: ../../src/lib/kadm5/str_conv.c:80
-+msgid "Not Postdateable"
-+msgstr "nicht vordatierbar"
-+
-+#: ../../src/lib/kadm5/str_conv.c:81
-+msgid "Not Forwardable"
-+msgstr "nicht weiterleitbar"
-+
-+#: ../../src/lib/kadm5/str_conv.c:82
-+msgid "No TGT-based requests"
-+msgstr "keine TGT-basierten Anfragen"
-+
-+#: ../../src/lib/kadm5/str_conv.c:83
-+msgid "Not renewable"
-+msgstr "nicht erneuerbar"
-+
-+#: ../../src/lib/kadm5/str_conv.c:84
-+msgid "Not proxiable"
-+msgstr "Proxy nicht nutzbar"
-+
-+#: ../../src/lib/kadm5/str_conv.c:85
-+msgid "No DUP_SKEY requests"
-+msgstr "keine DUP_SKEY-Anfragen"
-+
-+#: ../../src/lib/kadm5/str_conv.c:86
-+msgid "All Tickets Disallowed"
-+msgstr "keine Tickets erlaubt"
-+
-+#: ../../src/lib/kadm5/str_conv.c:87
-+msgid "Preauthentication required"
-+msgstr "Vorauthentifizierung erforderlich"
-+
-+#: ../../src/lib/kadm5/str_conv.c:88
-+msgid "HW authentication required"
-+msgstr "HW-Authentifizierung erforderlich"
-+
-+#: ../../src/lib/kadm5/str_conv.c:89
-+msgid "OK as Delegate"
-+msgstr "OK als Vertreter"
-+
-+#: ../../src/lib/kadm5/str_conv.c:90
-+msgid "Password Change required"
-+msgstr "Passwortänderung erforderlich"
-+
-+#: ../../src/lib/kadm5/str_conv.c:91
-+msgid "Service Disabled"
-+msgstr "Dienst deaktiviert"
-+
-+#: ../../src/lib/kadm5/str_conv.c:92
-+msgid "Password Changing Service"
-+msgstr "Passwortänderungsdienst"
-+
-+#: ../../src/lib/kadm5/str_conv.c:93
-+msgid "RSA-MD5 supported"
-+msgstr "RSA-MD5 unterstützt"
-+
-+#: ../../src/lib/kadm5/str_conv.c:94
-+msgid "Protocol transition with delegation allowed"
-+msgstr "Protokollübergang mit Vertretung erlaubt"
-+
-+#: ../../src/lib/kadm5/str_conv.c:95
-+msgid "No authorization data required"
-+msgstr "keine Autorisierungsdaten erforderlich"
-+
-+#: ../../src/lib/kdb/kdb5.c:219
-+msgid "No default realm set; cannot initialize KDB"
-+msgstr "kein Standard-Realm gesetzt; KDB kann nicht initialisiert werden"
-+
-+#: ../../src/lib/kdb/kdb5.c:324 
../../src/lib/kdb/kdb5.c:406
-+#, c-format
-+msgid "Unable to find requested database type: %s"
-+msgstr "angeforderter Datenbanktyp kann nicht gefunden werden. %s"
-+
-+#: ../../src/lib/kdb/kdb5.c:416
-+#, c-format
-+msgid "plugin symbol 'kdb_function_table' lookup failed: %s"
-+msgstr ""
-+"Nachschlagen des Erweiterungssymbols »kdb_function_table« fehlgeschlagen: %s"
-+
-+#: ../../src/lib/kdb/kdb5.c:426
-+#, c-format
-+msgid ""
-+"Unable to load requested database module '%s': plugin symbol "
-+"'kdb_function_table' not found"
-+msgstr ""
-+"angefordertes Datenbankmodul »%s« kann nicht geladen werden: "
-+"Erweiterungssymbol »kdb_function_table« nicht gefunden"
-+
-+#: ../../src/lib/kdb/kdb5.c:1650
-+#, c-format
-+msgid "Illegal version number for KRB5_TL_MKEY_AUX %d\n"
-+msgstr "Ungültige Versionsnummer für KRB5_TL_MKEY_AUX %d\n"
-+
-+#: ../../src/lib/kdb/kdb5.c:1819
-+#, c-format
-+msgid "Illegal version number for KRB5_TL_ACTKVNO %d\n"
-+msgstr "Ungültige Versionsnummer für KRB5_TL_ACTKVNO %d\n"
-+
-+#: ../../src/lib/kdb/kdb_default.c:164
-+#, c-format
-+msgid "keyfile (%s) is not a regular file: %s"
-+msgstr "Schlüsseldatei (%s) ist keine normale Datei: %s"
-+
-+#: ../../src/lib/kdb/kdb_default.c:177
-+msgid "Could not create temp keytab file name."
-+msgstr "Temporärer Schlüsseltabellendateiname konnte nicht erstellt werden."
-+
-+#: ../../src/lib/kdb/kdb_default.c:202
-+#, c-format
-+msgid "Temporary stash file already exists: %s."
-+msgstr "Temporäre Ablagedatei existiert bereits: %s."
-+
-+#: ../../src/lib/kdb/kdb_default.c:230
-+#, c-format
-+msgid "rename of temporary keyfile (%s) to (%s) failed: %s"
-+msgstr ""
-+"Umbenennen von temporärer Schlüsseldatei (%s) in (%s) fehlgeschlagen: %s"
-+
-+#: ../../src/lib/kdb/kdb_default.c:419
-+#, c-format
-+msgid "Can not fetch master key (error: %s)."
-+msgstr "Hauptschlüssel kann nicht abgeholt werden (Fehler: %s)"
-+
-+#: ../../src/lib/kdb/kdb_default.c:482
-+msgid "Unable to decrypt latest master key with the provided master key\n"
-+msgstr ""
-+"Letzter Hauptschlüssel kann nicht mit dem bereitgestellten Hauptschlüssel "
-+"entschlüsselt werden.\n"
-+
-+#: ../../src/lib/kdb/kdb_log.c:83
-+msgid "could not sync ulog header to disk"
-+msgstr "Ulog-Kopfzeilen konnten nicht auf die Platte synchronisiert werden"
-+
-+#: ../../src/lib/krb5/ccache/cc_dir.c:122
-+#, c-format
-+msgid "Subsidiary cache path %s has no parent directory"
-+msgstr ""
-+"Ergänzender Zwischenspeicherpfad %s hat kein übergeordnetes Verzeichnis."
-+
-+#: ../../src/lib/krb5/ccache/cc_dir.c:128
-+#, c-format
-+msgid "Subsidiary cache path %s filename does not begin with \"tkt\""
-+msgstr ""
-+"Dateiname des ergänzenden Zwischenspeicherpfads %s beginnt nicht mit »tkt«"
-+
-+#: ../../src/lib/krb5/ccache/cc_dir.c:169
-+#, c-format
-+msgid "%s contains invalid filename"
-+msgstr "%s enthält einen ungültigen Dateinamen."
-+
-+#: ../../src/lib/krb5/ccache/cc_dir.c:229
-+#, c-format
-+msgid "Credential cache directory %s does not exist"
-+msgstr "Anmeldedatenzwischenspeicherverzeichnis %s existiert nicht."
-+
-+#: ../../src/lib/krb5/ccache/cc_dir.c:235
-+#, c-format
-+msgid "Credential cache directory %s exists but is not a directory"
-+msgstr ""
-+"Anmeldedatenzwischenspeicherverzeichnis %s existiert, ist jedoch kein "
-+"Verzeichnis"
-+
-+#: ../../src/lib/krb5/ccache/cc_dir.c:400
-+msgid ""
-+"Can't create new subsidiary cache because default cache is not a directory "
-+"collection"
-+msgstr ""
-+"Der neue ergänzende Zwischenspeicher kann nicht erstellt werden, da der "
-+"Standardzwischenspeicher keine Ansammlung von Verzeichnissen ist."
-+
-+#: ../../src/lib/krb5/ccache/cc_file.c:569
-+#, c-format
-+msgid "Credentials cache file '%s' not found"
-+msgstr "Anmeldedatenzwischenspeicherdatei »%s« nicht gefunden"
-+
-+#: ../../src/lib/krb5/ccache/cc_file.c:1575
-+#, c-format
-+msgid "Credentials cache I/O operation failed (%s)"
-+msgstr "Anmeldedatenzwischenspeicher-E/A-Aktion fehlgeschlagen (%s)"
-+
-+#: ../../src/lib/krb5/ccache/cc_keyring.c:1151
-+msgid ""
-+"Can't create new subsidiary cache because default cache is already a "
-+"subsidiary"
-+msgstr ""
-+"Der neue ergänzende Zwischenspeicher kann nicht erstellt werden, da der "
-+"Standardzwischenspeicher bereits eine Ergänzung ist."
-+
-+#: ../../src/lib/krb5/ccache/cc_keyring.c:1219
-+#, c-format
-+msgid "Credentials cache keyring '%s' not found"
-+msgstr "Schlüsselbund %s des Anmeldedatenzwischenspeichers nicht gefunden"
-+
-+#: ../../src/lib/krb5/ccache/cccursor.c:212
-+#, c-format
-+msgid "Can't find client principal %s in cache collection"
-+msgstr ""
-+"Client-Principal %s kann nicht in der Zwischenspeicheransammlung gefunden "
-+"werden"
-+
-+#: ../../src/lib/krb5/ccache/cccursor.c:253
-+msgid "No Kerberos credentials available"
-+msgstr "keine Kerberos-Anmeldedaten verfügbar"
-+
-+#: ../../src/lib/krb5/keytab/kt_file.c:398
-+#, c-format
-+msgid "No key table entry found for %s"
-+msgstr "Für %s wurde kein Schlüsseltabelleneintrag gefunden."
-+
-+#: ../../src/lib/krb5/keytab/kt_file.c:815
-+#: ../../src/lib/krb5/keytab/kt_file.c:848
-+msgid "Cannot change keytab with keytab iterators active"
-+msgstr ""
-+"Schlüsseltabelle mit aktiven Schlüsseltabelleniteratoren kann nicht geändert "
-+"werden"
-+
-+#: ../../src/lib/krb5/keytab/kt_file.c:1047
-+#, c-format
-+msgid "Key table file '%s' not found"
-+msgstr "Schlüsseltabellendatei »%s« nicht gefunden"
-+
-+#: ../../src/lib/krb5/keytab/ktfns.c:127
-+#, c-format
-+msgid "Keytab %s is nonexistent or empty"
-+msgstr "Schlüsseltabelle %s existiert nicht oder ist leer"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:251
-+msgid "Malformed request error"
-+msgstr "Fehler wegen Anfrage in falscher Form"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:254 ../lib/krb5/error_tables/kdb5_err.c:58
-+msgid "Server error"
-+msgstr "Serverfehler"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:257
-+msgid "Authentication error"
-+msgstr "Authentifizierungsfehler"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:260
-+msgid "Password change rejected"
-+msgstr "Passwortänderung abgelehnt"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:263
-+msgid "Access denied"
-+msgstr "Zugriff verweigert"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:266
-+msgid "Wrong protocol version"
-+msgstr "falsche Protokollversion"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:269
-+msgid "Initial password required"
-+msgstr "Erstpasswort erforderlich"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:272
-+msgid "Success"
-+msgstr "Erfolg"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:275 ../lib/krb5/error_tables/krb5_err.c:257
-+msgid "Password change failed"
-+msgstr "Ändern des Passworts fehlgeschlagen"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:433
-+msgid ""
-+"The password must include numbers or symbols. Don't include any part of "
-+"your name in the password."
-+msgstr ""
-+"Das Passwort muss Zahlen oder Symbole enthalten. Fügen Sie keinen Teil Ihres "
-+"Namens in das Passwort ein."
-+ -+#: ../../src/lib/krb5/krb/chpw.c:439 -+#, c-format -+msgid "The password must contain at least %d character." -+msgid_plural "The password must contain at least %d characters." -+msgstr[0] "Das Passwort muss mindestens %d Zeichen enthalten." -+msgstr[1] "Das Passwort muss mindestens %d Zeichen enthalten." -+ -+#: ../../src/lib/krb5/krb/chpw.c:448 -+#, c-format -+msgid "The password must be different from the previous password." -+msgid_plural "The password must be different from the previous %d passwords." -+msgstr[0] "Das Passwort muss sich vom vorhergehenden Passwort unterscheiden." -+msgstr[1] "" -+"Das Passwort muss sich von den vorhergehenden %d Passwörtern unterscheiden." -+ -+#: ../../src/lib/krb5/krb/chpw.c:460 -+#, c-format -+msgid "The password can only be changed once a day." -+msgid_plural "The password can only be changed every %d days." -+msgstr[0] "Das Passwort kann nur einmal täglich geändert werden." -+msgstr[1] "Das Passwort kann nur alle %d Tage geändert werden." -+ -+#: ../../src/lib/krb5/krb/chpw.c:506 -+msgid "Try a more complex password, or contact your administrator." -+msgstr "" -+"Versuchen Sie es mit einem etwas komplexeren Passwort oder wenden Sie sich " -+"an Ihren Administrator." -+ -+#: ../../src/lib/krb5/krb/fast.c:217 -+#, c-format -+msgid "%s constructing AP-REQ armor" -+msgstr "%s-Konstruktion von AP-REQ-Schutz" -+ -+#: ../../src/lib/krb5/krb/fast.c:399 -+#, c-format -+msgid "%s while decrypting FAST reply" -+msgstr "%s beim Entschlüsseln der FAST-Antwort" -+ -+#: ../../src/lib/krb5/krb/fast.c:408 -+msgid "nonce modified in FAST response: KDC response modified" -+msgstr "" -+"Nummer für einmaligen Gebrauch in der FAST-Anwort geändert: KDC-Anwort " -+"geändert" -+ -+#: ../../src/lib/krb5/krb/fast.c:474 -+msgid "Expecting FX_ERROR pa-data inside FAST container" -+msgstr "Innerhalb des FAST-Containers wird »FX_ERROR pa-data« erwartet." 
-+ -+#: ../../src/lib/krb5/krb/fast.c:545 -+msgid "FAST response missing finish message in KDC reply" -+msgstr "Der FAST-Anwort fehlt die Beendigungsnachricht in der KDC-Anwort" -+ -+#: ../../src/lib/krb5/krb/fast.c:558 -+msgid "Ticket modified in KDC reply" -+msgstr "Ticket in der KDC-Antwort verändert" -+ -+#: ../../src/lib/krb5/krb/gc_via_tkt.c:208 -+#, c-format -+msgid "KDC returned error string: %.*s" -+msgstr "KDC gab eine Fehlermeldung zurück: %.*s" -+ -+#: ../../src/lib/krb5/krb/gc_via_tkt.c:217 -+#, c-format -+msgid "Server %s not found in Kerberos database" -+msgstr "Server %s wurde nicht in der Kerberos-Datenbank gefunden" -+ -+#: ../../src/lib/krb5/krb/get_in_tkt.c:133 -+msgid "Reply has wrong form of session key for anonymous request" -+msgstr "" -+"Antwort hat die falsche Form des Sitzungschlüssels für eine anonyme Anfrage" -+ -+#: ../../src/lib/krb5/krb/get_in_tkt.c:1628 -+#, c-format -+msgid "%s while storing credentials" -+msgstr "%s beim Speichern der Anmeldedaten" -+ -+#: ../../src/lib/krb5/krb/get_in_tkt.c:1715 -+#, c-format -+msgid "Client '%s' not found in Kerberos database" -+msgstr "Client »%s« wurde nicht in der Kerberos-Datenbank gefunden" -+ -+#: ../../src/lib/krb5/krb/gic_keytab.c:207 -+#, c-format -+msgid "Keytab contains no suitable keys for %s" -+msgstr "Schlüsseltabelle enthält keine passenden Schlüssel für %s" -+ -+#: ../../src/lib/krb5/krb/gic_pwd.c:75 -+#, c-format -+msgid "Password for %s" -+msgstr "Passwort for %s" -+ -+#: ../../src/lib/krb5/krb/gic_pwd.c:227 -+#, c-format -+msgid "Warning: Your password will expire in less than one hour on %s" -+msgstr "" -+"Warnung: Ihr Passwort auf %s wird in weniger als einer Stunde ablaufen." -+ -+# FIXME in German impossible; plural without »s« -+#: ../../src/lib/krb5/krb/gic_pwd.c:231 -+#, c-format -+msgid "Warning: Your password will expire in %d hour%s on %s" -+msgstr "Warnung: Ihr Passwort wird in %d Stunden%s auf %s ablaufen." 
-+ -+#: ../../src/lib/krb5/krb/gic_pwd.c:235 -+#, c-format -+msgid "Warning: Your password will expire in %d days on %s" -+msgstr "Warnung: Ihr Passwort wird in %d Tagen auf %s ablaufen." -+ -+#: ../../src/lib/krb5/krb/gic_pwd.c:409 -+msgid "Password expired. You must change it now." -+msgstr "Passwort abgelaufen. Sie müssen es nun ändern." -+ -+#: ../../src/lib/krb5/krb/gic_pwd.c:428 ../../src/lib/krb5/krb/gic_pwd.c:432 -+#, c-format -+msgid "%s. Please try again." -+msgstr "%s. Bitte versuchen Sie es erneut." -+ -+#: ../../src/lib/krb5/krb/gic_pwd.c:471 -+#, c-format -+msgid "%.*s%s%s. Please try again.\n" -+msgstr "%.*s%s%s. Bitte versuchen Sie es erneut.\n" -+ -+#: ../../src/lib/krb5/krb/parse.c:203 -+#, c-format -+msgid "Principal %s is missing required realm" -+msgstr "Principal %s fehlt erforderlicher Realm" -+ -+#: ../../src/lib/krb5/krb/parse.c:215 -+#, c-format -+msgid "Principal %s has realm present" -+msgstr "Für Principal %s ist Realm vorhanden" -+ -+#: ../../src/lib/krb5/krb/plugin.c:165 -+#, c-format -+msgid "Invalid module specifier %s" -+msgstr "ungültiger Modulbezeichner %s" -+ -+#: ../../src/lib/krb5/krb/plugin.c:402 -+#, c-format -+msgid "Could not find %s plugin module named '%s'" -+msgstr "Das Erweiterungsmodul %s namens »%s« konnte nicht gefunden werden." -+ -+#: ../../src/lib/krb5/krb/preauth2.c:1018 -+msgid "Unable to initialize preauth context" -+msgstr "Vorauthentifizierungskontext konnte nicht initialisiert werden." 
-+ -+#: ../../src/lib/krb5/krb/preauth2.c:1032 -+#, c-format -+msgid "Preauth module %s: %s" -+msgstr "Vorauthentifizierungsmodul %s: %s" -+ -+#: ../../src/lib/krb5/krb/preauth_otp.c:510 -+msgid "Please choose from the following:\n" -+msgstr "Bitte wählen Sie aus dem Folgenden aus:\n" -+ -+#: ../../src/lib/krb5/krb/preauth_otp.c:511 -+msgid "Vendor:" -+msgstr "Anbieter:" -+ -+#: ../../src/lib/krb5/krb/preauth_otp.c:523 -+msgid "Enter #" -+msgstr "Geben Sie # ein" -+ -+#: ../../src/lib/krb5/krb/preauth_otp.c:559 -+msgid "OTP Challenge:" -+msgstr "Anforderung des Einwegpassworts:" -+ -+#: ../../src/lib/krb5/krb/preauth_otp.c:588 -+msgid "OTP Token PIN" -+msgstr "Einwegpasswort-Token-PIN" -+ -+#: ../../src/lib/krb5/krb/preauth_otp.c:702 -+msgid "OTP value doesn't match any token formats" -+msgstr "Wert des Einwegpassworts entspricht keinem Token-Format" -+ -+#: ../../src/lib/krb5/krb/preauth_otp.c:769 -+msgid "Enter OTP Token Value" -+msgstr "Geben Sie den Wert des Einwegpasswort-Tokens an" -+ -+#: ../../src/lib/krb5/krb/preauth_otp.c:914 -+msgid "No supported tokens" -+msgstr "keine unterstützten Token" -+ -+#: ../../src/lib/krb5/krb/preauth_sam2.c:49 -+msgid "Challenge for Enigma Logic mechanism" -+msgstr "Anforderung für Enigma-Logic-Mechanismus" -+ -+#: ../../src/lib/krb5/krb/preauth_sam2.c:53 -+msgid "Challenge for Digital Pathways mechanism" -+msgstr "Anforderung für Digital-Pathway-Mechanismus" -+ -+#: ../../src/lib/krb5/krb/preauth_sam2.c:57 -+msgid "Challenge for Activcard mechanism" -+msgstr "Anforderung für Activcard-Mechanismus" -+ -+#: ../../src/lib/krb5/krb/preauth_sam2.c:60 -+msgid "Challenge for Enhanced S/Key mechanism" -+msgstr "Anforderung für erweiterten S/Key-Mechanismus" -+ -+#: ../../src/lib/krb5/krb/preauth_sam2.c:63 -+msgid "Challenge for Traditional S/Key mechanism" -+msgstr "Anforderung für traditionellen S/Key-Mechanismus" -+ -+#: ../../src/lib/krb5/krb/preauth_sam2.c:66 -+#: ../../src/lib/krb5/krb/preauth_sam2.c:69 -+msgid "Challenge for 
Security Dynamics mechanism" -+msgstr "Anforderung für Security-Dynamics-Mechanismus" -+ -+#: ../../src/lib/krb5/krb/preauth_sam2.c:72 -+msgid "Challenge from authentication server" -+msgstr "Anforderung vom Authentifizierungsserver" -+ -+#: ../../src/lib/krb5/krb/preauth_sam2.c:166 -+msgid "SAM Authentication" -+msgstr "SAM-Authentifizierung" -+ -+#: ../../src/lib/krb5/krb/rd_req_dec.c:145 -+#, c-format -+msgid "Cannot find key for %s kvno %d in keytab" -+msgstr "" -+"Schlüssel für %s-KNVO %d kann nicht in der Schlüsseltabelle gefunden werden" -+ -+#: ../../src/lib/krb5/krb/rd_req_dec.c:150 -+#, c-format -+msgid "Cannot find key for %s kvno %d in keytab (request ticket server %s)" -+msgstr "" -+"Schlüssel für %s-KNVO %d kann nicht in der Schlüsseltabelle gefunden werden " -+"(angefragter Ticketserver %s)" -+ -+#: ../../src/lib/krb5/krb/rd_req_dec.c:175 -+#, c-format -+msgid "Cannot decrypt ticket for %s using keytab key for %s" -+msgstr "" -+"Ticket für %s kann nicht mittels des Schlüsseltabellenschlüssels für %s " -+"entschlüsselt werden" -+ -+#: ../../src/lib/krb5/krb/rd_req_dec.c:197 -+#, c-format -+msgid "Server principal %s does not match request ticket server %s" -+msgstr "Server-Principal %s passt nicht zum abgefragten Ticketserver %s" -+ -+#: ../../src/lib/krb5/krb/rd_req_dec.c:226 -+msgid "No keys in keytab" -+msgstr "keine Schlüssel in der Schlüsseltabelle" -+ -+#: ../../src/lib/krb5/krb/rd_req_dec.c:229 -+#, c-format -+msgid "Server principal %s does not match any keys in keytab" -+msgstr "" -+"Server-Principal %s hat keinen passenden Schlüssel in der Schlüsseltabelle" -+ -+#: ../../src/lib/krb5/krb/rd_req_dec.c:236 -+#, c-format -+msgid "" -+"Request ticket server %s found in keytab but does not match server principal " -+"%s" -+msgstr "" -+"abgefragter Ticketserver %s wurde in der Schlüsseltabelle gefunden, er passte " -+"jedoch nicht zu Server-Principal %s" -+ -+#: ../../src/lib/krb5/krb/rd_req_dec.c:241 -+#, c-format -+msgid "Request ticket server 
%s not found in keytab (ticket kvno %d)" -+msgstr "" -+"Abgefragter Ticketserver %s wurde nicht in der Schlüsseltabelle gefunden " -+"(Ticket KVNO %d)." -+ -+#: ../../src/lib/krb5/krb/rd_req_dec.c:247 -+#, c-format -+msgid "" -+"Request ticket server %s kvno %d not found in keytab; ticket is likely out " -+"of date" -+msgstr "" -+"Abgefragter Ticketserver %s KVNO %d wurde nicht in der Schlüsseltabelle " -+"gefunden; Ticket ist wahrscheinlich abgelaufen." -+ -+#: ../../src/lib/krb5/krb/rd_req_dec.c:252 -+#, c-format -+msgid "" -+"Request ticket server %s kvno %d not found in keytab; keytab is likely out " -+"of date" -+msgstr "" -+"Abgefragter Ticketserver %s KVNO %d wurde nicht in der Schlüsseltabelle " -+"gefunden; Schlüsseltabelle ist wahrscheinlich nicht mehr aktuell." -+ -+#: ../../src/lib/krb5/krb/rd_req_dec.c:261 -+#, c-format -+msgid "" -+"Request ticket server %s kvno %d found in keytab but not with enctype %s" -+msgstr "" -+"Abgefragter Ticketserver %s KVNO %d wurde in der Schlüsseltabelle gefunden, " -+"jedoch nicht mit Verschlüsselungstyp %s." -+ -+#: ../../src/lib/krb5/krb/rd_req_dec.c:266 -+#, c-format -+msgid "" -+"Request ticket server %s kvno %d enctype %s found in keytab but cannot " -+"decrypt ticket" -+msgstr "" -+"Abgefragter Ticketserver %s KVNO %d mit Verschlüsselungstyp %s in der " -+"Schlüsseltabelle gefunden, Ticket kann jedoch nicht entschlüsselt werden." -+ -+#: ../../src/lib/krb5/krb/rd_req_dec.c:897 -+#, c-format -+msgid "Encryption type %s not permitted" -+msgstr "Verschlüsselungstyp %s nicht erlaubt" -+ -+#: ../../src/lib/krb5/os/expand_path.c:316 -+#, c-format -+msgid "Can't find username for uid %lu" -+msgstr "Zu UID %lu kann kein Benutzername gefunden werden." 
-+ -+#: ../../src/lib/krb5/os/expand_path.c:405 -+#: ../../src/lib/krb5/os/expand_path.c:421 -+msgid "Invalid token" -+msgstr "ungültiges Token" -+ -+#: ../../src/lib/krb5/os/expand_path.c:506 -+msgid "variable missing }" -+msgstr "Variable fehlt }" -+ -+#: ../../src/lib/krb5/os/locate_kdc.c:660 -+#, c-format -+msgid "Cannot find KDC for realm \"%.*s\"" -+msgstr "KDC für Realm »%.*s« kann nicht gefunden werden" -+ -+#: ../../src/lib/krb5/os/sendto_kdc.c:475 -+#, c-format -+msgid "Cannot contact any KDC for realm '%.*s'" -+msgstr "für Realm »%.*s« kann nicht KDC kontaktiert werden" -+ -+#: ../../src/lib/krb5/rcache/rc_io.c:106 -+#, c-format -+msgid "Cannot fstat replay cache file %s: %s" -+msgstr "»fstat« für Antwortzwischenspeicherdatei %s nicht möglich: %s" -+ -+#: ../../src/lib/krb5/rcache/rc_io.c:112 -+#, c-format -+msgid "" -+"Insecure mkstemp() file mode for replay cache file %s; try running this " -+"program with umask 077" -+msgstr "" -+"unsicherer mkstemp()-Dateimodus für Antwortzwischenspeicherdatei %s; " -+"versuchen Sie, dieses Programm mit der Umask 077 auszuführen" -+ -+#: ../../src/lib/krb5/rcache/rc_io.c:144 -+#, c-format -+msgid "Cannot %s replay cache file %s: %s" -+msgstr "%s der Wiederholungszwischenspeicherdatei %s nicht möglich: %s" -+ -+#: ../../src/lib/krb5/rcache/rc_io.c:149 -+#, c-format -+msgid "Cannot %s replay cache: %s" -+msgstr "%s des Wiederholungszwischenspeichers nicht möglich: %s" -+ -+#: ../../src/lib/krb5/rcache/rc_io.c:272 -+#, c-format -+msgid "Insecure file mode for replay cache file %s" -+msgstr "unsicherer Dateimodus für Wiederholungszwischenspeicherdatei %s" -+ -+#: ../../src/lib/krb5/rcache/rc_io.c:278 -+#, c-format -+msgid "rcache not owned by %d" -+msgstr "Rcache gehört nicht %d" -+ -+#: ../../src/lib/krb5/rcache/rc_io.c:402 ../../src/lib/krb5/rcache/rc_io.c:406 -+#: ../../src/lib/krb5/rcache/rc_io.c:411 -+#, c-format -+msgid "Can't write to replay cache: %s" -+msgstr "" -+"in Wiederholungszwischenspeicherdatei kann 
nicht geschrieben werden: %s" -+ -+#: ../../src/lib/krb5/rcache/rc_io.c:432 -+#, c-format -+msgid "Cannot sync replay cache file: %s" -+msgstr "" -+"Wiederholungszwischenspeicherdatei kann nicht synchronisiert werden: %s" -+ -+#: ../../src/lib/krb5/rcache/rc_io.c:451 -+#, c-format -+msgid "Can't read from replay cache: %s" -+msgstr "aus dem Wiederholungszwischenspeicher kann nicht gelesen werden: %s" -+ -+#: ../../src/lib/krb5/rcache/rc_io.c:482 ../../src/lib/krb5/rcache/rc_io.c:488 -+#: ../../src/lib/krb5/rcache/rc_io.c:493 -+#, c-format -+msgid "Can't destroy replay cache: %s" -+msgstr "Wiederholungszwischenspeicher kann nicht vernichtet werden: %s" -+ -+#: ../../src/plugins/kdb/db2/kdb_db2.c:245 -+#: ../../src/plugins/kdb/db2/kdb_db2.c:830 -+#, c-format -+msgid "Unsupported argument \"%s\" for db2" -+msgstr "nicht unterstütztes Argument »%s« für DB2" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:69 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:887 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1088 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1507 -+msgid "while reading kerberos container information" -+msgstr "beim Lesen der Kerberos-Container-Information" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:129 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:143 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:504 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:518 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:151 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:166 -+msgid "while providing time specification" -+msgstr "beim Bereitstellen der Zeitspezifikation" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:268 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:304 -+msgid "while creating policy object" -+msgstr "beim Erstellen des Richtlinienobjekts" -+ -+#: 
../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:279 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1515 -+msgid "while reading realm information" -+msgstr "beim Lesen der Realm-Information" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:348 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:407 -+msgid "while destroying policy object" -+msgstr "beim Zerstören des Richtlinienobjekts" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:358 -+#, c-format -+msgid "This will delete the policy object '%s', are you sure?\n" -+msgstr "Dies wird das Richtlinienobjekt »%s« löschen, sind Sie sicher?\n" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:473 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:663 -+msgid "while modifying policy object" -+msgstr "beim Ändern des Richtlinienobjekts" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:487 -+#, c-format -+msgid "while reading information of policy '%s'" -+msgstr "beim Lesen der Information der Richtlinie »%s«" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:692 -+msgid "while viewing policy" -+msgstr "beim Betrachten der Richtlinie" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:701 -+#, c-format -+msgid "while viewing policy '%s'" -+msgstr "beim Betrachten der Richtlinie »%s«" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:835 -+msgid "while listing policy objects" -+msgstr "beim Auflisten der Richtlinienobjekte" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:453 -+#, c-format -+msgid "for subtree while creating realm '%s'" -+msgstr "für einen Teilbaum beim Erstellen von Realm »%s«" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:465 -+#, c-format -+msgid "for container reference while creating realm '%s'" -+msgstr "für Container-Bezug beim Erstellen von Realm »%s«" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:489 -+#, 
c-format -+msgid "invalid search scope while creating realm '%s'" -+msgstr "ungültiger Suchbereich beim Erstellen von Realm »%s«" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:504 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:823 -+#, c-format -+msgid "'%s' is an invalid option\n" -+msgstr "»%s« ist keine gültige Option\n" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:512 -+#, c-format -+msgid "Initializing database for realm '%s'\n" -+msgstr "Datenbank für Realm »%s« wird initialisiert\n" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:536 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:696 -+#, c-format -+msgid "while creating realm '%s'" -+msgstr "beim Erstellen von Realm »%s«" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:556 -+#, c-format -+msgid "Enter DN of Kerberos container: " -+msgstr "Geben Sie die den DN des Kerberos-Containers ein: " -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:591 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:894 -+#, c-format -+msgid "while reading information of realm '%s'" -+msgstr "beim Lesen der Information von Realm »%s«" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:733 -+msgid "while reading Kerberos container information" -+msgstr "beim Lesen der Kerberos-Container-Information" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:774 -+#, c-format -+msgid "for subtree while modifying realm '%s'" -+msgstr "für einen Teilbaum beim Ändern von Realm »%s«" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:785 -+#, c-format -+msgid "for container reference while modifying realm '%s'" -+msgstr "für Container-Bezug beim Ändern von Realm »%s«" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:812 -+#, c-format -+msgid "specified for search scope while modifying information of realm '%s'" -+msgstr "" -+"angegeben für Suchbereich, während die Information für 
Realm »%s« geändert " -+"wird" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:851 -+#, c-format -+msgid "while modifying information of realm '%s'" -+msgstr "beim Ändern der Information von Realm »%s«" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:940 -+msgid "Realm Name" -+msgstr "Realm-Name" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:943 -+msgid "Subtree" -+msgstr "Teilbaum" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:946 -+msgid "Principal Container Reference" -+msgstr "Principal-Container-Bezug" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:953 -+msgid "SearchScope" -+msgstr "Suchbereich" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951 -+msgid "Invalid !" -+msgstr "ungültig!" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:958 -+msgid "KDC Services" -+msgstr "KDC-Dienste" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:973 -+msgid "Admin Services" -+msgstr "Administratordienste" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:988 -+msgid "Passwd Services" -+msgstr "Passwortdienste" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1004 -+msgid "Maximum Ticket Life" -+msgstr "maximale Ticketlebensdauer" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1009 -+msgid "Maximum Renewable Life" -+msgstr "maximale verlängerbare Lebensdauer" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1016 -+msgid "Ticket flags" -+msgstr "Ticket-Flags" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1095 -+msgid "while listing realms" -+msgstr "beim Auflisten der Realms" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1439 -+msgid "while adding entries to database" -+msgstr "beim Hinzufügen von Einträgen zur Datenbank" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1480 -+#, c-format 
-+msgid "Deleting KDC database of '%s', are you sure?\n"
-+msgstr ""
-+"Sind Sie sicher, dass die KDC-Datenbank von »%s« gelöscht werden soll?\n"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1491
-+#, c-format
-+msgid "OK, deleting database of '%s'...\n"
-+msgstr "OK, die Datenbank von »%s« wird gelöscht …\n"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1524
-+#, c-format
-+msgid "deleting database of '%s'"
-+msgstr "Die Datenbank von »%s« wird gelöscht."
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1529
-+#, c-format
-+msgid "** Database of '%s' destroyed.\n"
-+msgstr "** Datenbank von »%s« vernichtet\n"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:81
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:88
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:96
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:104
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:120
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:148
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:227
-+msgid "while setting service object password"
-+msgstr "beim Setzen des Passworts für das Dienstobjekt"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:140
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:477
-+#, c-format
-+msgid "Password for \"%s\""
-+msgstr "Passwort für »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:143
-+#, c-format
-+msgid "Re-enter password for \"%s\""
-+msgstr "Geben Sie das Passwort für »%s« erneut ein."
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:154
-+#, c-format
-+msgid "%s: Invalid password\n"
-+msgstr "%s: ungültiges Passwort\n"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:170
-+msgid "Failed to convert the password to hexadecimal"
-+msgstr "Das Umwandeln des Passworts in Dezimalschreibweise ist fehlgeschlagen."
-+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:183 -+#, c-format -+msgid "Failed to open file %s: %s" -+msgstr "Datei %s konnte nicht geöffnet werden: %s" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:205 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:247 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:256 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:283 -+msgid "Failed to write service object password to file" -+msgstr "" -+"Schreiben des Passworts für das Dienstobjekt in eine Datei fehlgeschlagen" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:211 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:268 -+msgid "Error reading service object password file" -+msgstr "Fehler beim Lesen der Passwortdatei für das Dienstobjekt" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:236 -+#, c-format -+msgid "Error creating file %s" -+msgstr "Fehler beim Erstellen der Datei %s" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:105 -+#, c-format -+msgid "" -+"Usage: kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n" -+"\tcmd [cmd_options]\n" -+"create [-subtrees subtree_dn_list] [-sscope search_scope] [-" -+"containerref container_reference_dn]\n" -+"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n" -+"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" -+"\t\t[ticket_flags] [-r realm]\n" -+"modify [-subtrees subtree_dn_list] [-sscope search_scope] [-" -+"containerref container_reference_dn]\n" -+"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" -+"\t\t[ticket_flags] [-r realm]\n" -+"view [-r realm]\n" -+"destroy [-f] [-r realm]\n" -+"list\n" -+"stashsrvpw [-f filename] service_dn\n" -+"create_policy [-r realm] [-maxtktlife max_ticket_life]\n" -+"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" -+"modify_policy [-r realm] 
[-maxtktlife max_ticket_life]\n" -+"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" -+"view_policy [-r realm] policy\n" -+"destroy_policy [-r realm] [-force] policy\n" -+"list_policy [-r realm]\n" -+msgstr "" -+"Aufruf: kdb5_ldap_util [-D Benutzer-DN [-w Passwort]] [-H LDAP-URI]\n" -+"\tcmd [Befehlsoptionen]\n" -+"create [-subtrees DN-Liste_Teilbäume] [-sscope Suchbereich] [-" -+"containerref Container-Bezug-DN]\n" -+"\t\t[-m|-P Passwort|-sf Ablagedateiname] [-k mkeytype] [-kv mkeyVNO] [-s]\n" -+"\t\t[-maxtktlife maximale_Ticketlebensdauer]\n" -+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" -+"\t\t[Ticket_Flags] [-r Realm]\n" -+"modify [-subtrees DN-Liste_Teilbäume] [-sscope Suchbereich] [-" -+"containerref Container-Bezug-DN]\n" -+"\t\t[-maxtktlife maximale_Ticketlebensdauer]\n" -+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" -+"\t\t[Ticket_Flags] [-r Realm]\n" -+"view [-r Realm]\n" -+"destroy [-f] [-r Realm]\n" -+"list\n" -+"stashsrvpw [-f Dateiname] Dienst-DN\n" -+"create_policy [-r Realm] [-maxtktlife maximale_Ticketlebensdauer]\n" -+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" -+"\t\t[Ticket_Flags] Richtlinie\n" -+"modify_policy [-r Realm] [-maxtktlife maximale_Ticketlebensdauer]\n" -+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" -+"\t\t[Ticket_Flags] Richtlinie\n" -+"view_policy [-r Realm] Richtlinie\n" -+"destroy_policy [-r Realm] [-force] Richtlinie\n" -+"list_policy [-r Realm]\n" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:325 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:333 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:341 -+msgid "while reading ldap parameters" -+msgstr "beim Lesen der LDAP-Parameter" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:439 -+msgid "while initializing error handling" -+msgstr "beim Initialisieren der Fehlerbehandlung" -+ -+#: 
../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:447 -+msgid "while initializing ldap handle" -+msgstr "beim Initialisieren des LDAP-Identifikators" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:461 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:470 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:483 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:525 -+msgid "while retrieving ldap configuration" -+msgstr "beim Abfragen der LDAP-Konfiguration" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:500 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:507 -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:516 -+msgid "while initializing server list" -+msgstr "beim Initialisieren der Serverliste" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:547 -+msgid "while setting up lib handle" -+msgstr "ein Einrichten der BibliotheksIdentifikators" -+ -+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:556 -+msgid "while reading ldap configuration" -+msgstr "beim Lesen der LDAP-Konfiguration" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:68 -+msgid "Unable to read Kerberos container" -+msgstr "Kerberos-Container kann nicht gelesen werden" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:74 -+msgid "Unable to read Realm" -+msgstr "Realm kann nicht gelesen werden" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:215 -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:73 -+msgid "Error processing LDAP DB params:" -+msgstr "Fehler beim Verarbeiten der LDAP-Datenbankparameter:" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:222 -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:80 -+msgid "Error reading LDAP server params:" -+msgstr "Fehler beim Lesen der LDAP-Server-Parameters:" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:64 -+msgid "LDAP bind dn value missing" -+msgstr "LDAP-Bindungs-DN-Wert fehlt" -+ -+#: 
../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:69 -+msgid "LDAP bind password value missing" -+msgstr "LDAP-Bindungs-Passwortwert fehlt" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:77 -+msgid "Error reading password from stash: " -+msgstr "Fehler beim Lesen des Passworts aus der Ablage: " -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:85 -+msgid "Service password length is zero" -+msgstr "Länge des Dienstpassworts ist Null" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:145 -+#, c-format -+msgid "Cannot bind to LDAP server '%s' with SASL mechanism '%s': %s" -+msgstr "" -+"mit LDAP-Server »%s« kann keine Verbindung mit SASL-Mechanismus »%s« " -+"hergestellt werden: %s" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:158 -+#, c-format -+msgid "Cannot bind to LDAP server '%s' as '%s': %s" -+msgstr "" -+"mit LDAP-Server »%s« kann keine Verbindung als »%s« hergestellt werden: %s" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:183 -+#, c-format -+msgid "Cannot create LDAP handle for '%s': %s" -+msgstr "LDAP-Identifikator für »%s« kann nicht erstellt werden: %s" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:131 -+msgid "could not complete roll-back, error deleting Kerberos Container" -+msgstr "" -+"Zurücksetzen kann nicht abgeschlossen werden, Fehler beim Löschen des " -+"Kerberos-Containers" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:56 -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:67 -+msgid "Error reading kerberos container location from krb5.conf" -+msgstr "" -+"Fehler beim Lesen des Kerberos-Container-Speicherorts aus der »krb5.conf«." 
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:75
-+msgid "Kerberos container location not specified"
-+msgstr "Kerberos-Container-Speicherort nicht angegeben"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:55
-+#, c-format
-+msgid "Error reading '%s' attribute: %s"
-+msgstr "Fehler beim Lesen des Attributs »%s«: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:218
-+msgid "KDB module requires -update argument"
-+msgstr "KDB-Modul benötigt Argument »-update«"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:224
-+#, c-format
-+msgid "'%s' value missing"
-+msgstr "Wert »%s« fehlt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:282
-+#, c-format
-+msgid "unknown option '%s'"
-+msgstr "unbekannte Option »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:342
-+msgid "Minimum connections required per server is 2"
-+msgstr "Die benötigte Mindestanzahl von Verbindungen pro Server ist zwei"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:159
-+msgid "Default realm not set"
-+msgstr "Standard-Realm nicht gesetzt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:262
-+msgid "DN information missing"
-+msgstr "DN-Information fehlt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:108
-+msgid "Principal does not belong to realm"
-+msgstr "Principal gehört nicht zum Realm"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:278
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:287
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:295
-+#, c-format
-+msgid "%s option not supported"
-+msgstr "Option %s wird nicht unterstützt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:302
-+#, c-format
-+msgid "unknown option: %s"
-+msgstr "unbekannte Option: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:309
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:316
-+#, c-format
-+msgid "%s option value missing"
-+msgstr "Wert der Option %s fehlt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:542
-+msgid "Principal does not belong to the default realm"
-+msgstr "Principal gehört nicht zum Standard-Realm"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:610
-+#, c-format
-+msgid ""
-+"operation can not continue, more than one entry with principal name \"%s\" "
-+"found"
-+msgstr ""
-+"Die Aktion kann nicht fortfahren, da mehr als ein Principal namens »%s« "
-+"gefunden wurde."
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:673
-+#, c-format
-+msgid "'%s' not found: "
-+msgstr "»%s« nicht gefunden: "
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:751
-+msgid "DN is out of the realm subtree"
-+msgstr "DN liegt außerhalb ders Teilbaums des Realms"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:807
-+#, c-format
-+msgid "ldap object is already kerberized"
-+msgstr "LDAP-Objekt ist bereits an Kerberos angepasst"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:827
-+#, c-format
-+msgid ""
-+"link information can not be set/updated as the kerberos principal belongs to "
-+"an ldap object"
-+msgstr ""
-+"Verweisinformation kann nicht eingerichtet/aktualisiert werden, da der "
-+"Kerberos-Principal zu einem LDAP-Objekt gehört."
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:842
-+#, c-format
-+msgid "Failed getting object references"
-+msgstr "Holen von Objektbezügen fehlgeschlagen"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:849
-+#, c-format
-+msgid "kerberos principal is already linked to a ldap object"
-+msgstr "Kerberos-Principal ist bereits mit einem LDAP-Objekt verknüpft"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1167
-+msgid "ticket policy object value: "
-+msgstr "Wert des Ticket-Richtlinienobjekts: "
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1215
-+#, c-format
-+msgid "Principal delete failed (trying to replace entry): %s"
-+msgstr ""
-+"Löschen des Principals fehlgeschlagen (es wird versucht, den Eintrag zu "
-+"ersetzen): %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1225
-+#, c-format
-+msgid "Principal add failed: %s"
-+msgstr "Hinzufügen des Principals fehlgeschlagen: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1263
-+#, c-format
-+msgid "User modification failed: %s"
-+msgstr "Änderung des Benutzers fehlgeschlagen: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1336
-+msgid "Error reading ticket policy. "
-+msgstr "Fehler beim Lesen der Ticket-Richtlinie"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1402
-+#, c-format
-+msgid "unable to decode stored principal key data (%s)"
-+msgstr ""
-+"Die gespeicherten Schlüsseldaten des Principals (%s) konnten nicht "
-+"dekodiert werden."
-+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:223 -+msgid "Realm information not available" -+msgstr "Realm-Information nicht verfügbar" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:294 -+msgid "Error reading ticket policy: " -+msgstr "Fehler beim Lesen der Ticket-Richtlinie:" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:307 -+#, c-format -+msgid "Realm Delete FAILED: %s" -+msgstr "Löschen des Realms FEHLGESCHLAGEN: %s" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:387 -+msgid "subtree value: " -+msgstr "Wert des Teilbaums: " -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:404 -+msgid "container reference value: " -+msgstr "Wert des Container-Bezugs: " -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:487 -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:550 -+msgid "Kerberos Container information is missing" -+msgstr "Kerberos-Container-Information fehlt" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:499 -+msgid "Invalid Kerberos container DN" -+msgstr "ungültiger Kerberos-Container-DN" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:515 -+#, c-format -+msgid "Kerberos Container create FAILED: %s" -+msgstr "Erstellen des Kerberos-Containers FEHLGESCHLAGEN: %s" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:558 -+#, c-format -+msgid "Kerberos Container delete FAILED: %s" -+msgstr "Löschen des Kerberos-Containers FEHLGESCHLAGEN: %s" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:634 -+msgid "realm object value: " -+msgstr "Wert des Realm-Objekts: " -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:48 -+msgid "Not a hexadecimal password" -+msgstr "kein hexadezimales Passwort" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:55 -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:66 -+msgid "Password corrupt" -+msgstr "Passwort beschädigt" -+ -+#: 
../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:93 -+#, c-format -+msgid "Cannot open LDAP password file '%s': %s" -+msgstr "LDAP-Passwortdatei »%s« kann nicht geöffnet werden: %s" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:123 -+#, c-format -+msgid "Bind DN entry '%s' missing in LDAP password file '%s'" -+msgstr "Bind-DN-Eintrag »%s« fehlt in der LDAP-Passwortdatei »%s«" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:56 -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:132 -+msgid "Ticket Policy Name missing" -+msgstr "Ticket-Richtlinienname fehlt" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:144 -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:221 -+msgid "ticket policy object: " -+msgstr "Ticket-Richtlinienobjekt: " -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:209 -+msgid "Ticket Policy Object information missing" -+msgstr "Ticket-Richtlinienobjekt-Information fehlt" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:300 -+msgid "Ticket Policy Object DN missing" -+msgstr "DN des Ticket-Richtlinienobjekts fehlt" -+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:327 -+msgid "Delete Failed: One or more Principals associated with the Ticket Policy" -+msgstr "" -+"Löschen fehlgeschlagen: Ein oder mehrere Principals gehören zur Ticket-" -+"Richtlinie." 
-+ -+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:435 -+msgid "Error reading container object: " -+msgstr "Fehler beim Lesen des Container-Objekts: " -+ -+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_nss.c:667 -+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:652 -+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4153 -+msgid "Pass phrase for" -+msgstr "Passphrase für" -+ -+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1081 -+#, c-format -+msgid "Cannot create cert chain: %s" -+msgstr "Zertifikatskette kann nicht erstellt werden: %s" -+ -+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1408 -+msgid "Invalid pkinit packet: octet string expected" -+msgstr "ungültiges Pkinit-Paket: Achtbit-Zeichenkette erwartet" -+ -+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1427 -+msgid "wrong oid\n" -+msgstr "falsche OID\n" -+ -+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5994 -+#, c-format -+msgid "unknown code 0x%x" -+msgstr "unbekannter Code 0x%x" -+ -+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:424 -+#, c-format -+msgid "Unsupported type while processing '%s'\n" -+msgstr "nicht unterstützter Typ bei der Verarbeitung von »%s«\n" -+ -+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:465 -+msgid "Internal error parsing X509_user_identity\n" -+msgstr "interner Fehler beim Auswerten von »X509_user_identity«\n" -+ -+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:560 -+msgid "No user identity options specified" -+msgstr "keine Optionen der Nutzeridentität angegeben" -+ -+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:414 -+msgid "Pkinit request not signed, but client not anonymous." -+msgstr "Pkinit-Anfrage nicht signiert, Client ist jedoch nicht anonym" -+ -+# DH = Diffie-Hellman -+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:447 -+msgid "Anonymous pkinit without DH public value not supported." 
-+msgstr "Anonymes Pkinit wird nicht ohne öffentlichen DH-Wert unterstützt." -+ -+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1147 -+#, c-format -+msgid "No pkinit_identity supplied for realm %s" -+msgstr "Für Realm %s wird keine »pkinit_identity« bereitgestellt." -+ -+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1158 -+#, c-format -+msgid "No pkinit_anchors supplied for realm %s" -+msgstr "Für Realm %s werden keine »pkinit_anchors« bereitgestellt." -+ -+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1346 -+msgid "No realms configured correctly for pkinit support" -+msgstr "Für Pkinit-Unterstützung wurden keine Realms korrekt konfiguriert." -+ -+#: ../../src/slave/kprop.c:85 -+#, c-format -+msgid "" -+"\n" -+"Usage: %s [-r realm] [-f file] [-d] [-P port] [-s srvtab] slave_host\n" -+"\n" -+msgstr "" -+"\n" -+"Aufruf: %s [-r Realm] [-f Datei] [-d] [-P Port] [-s Dienstschlüsseltabelle] " -+"untergeordneter_Rechner\n" -+"\n" -+ -+#: ../../src/slave/kprop.c:114 -+#, c-format -+msgid "Database propagation to %s: SUCCEEDED\n" -+msgstr "Datenbankverbreitung auf %s: ERFOLGREICH\n" -+ -+#: ../../src/slave/kprop.c:187 -+msgid "while setting client principal name" -+msgstr "beim Setzen des Client-Principal-Namens" -+ -+#: ../../src/slave/kprop.c:194 ../../src/slave/kprop.c:209 -+msgid "while setting client principal realm" -+msgstr "beim Setzen des Client-Principal-Realms" -+ -+#: ../../src/slave/kprop.c:217 -+#, c-format -+msgid "while opening credential cache %s" -+msgstr "beim Öffnen des Anmeldedatenzwischenspeichers %s" -+ -+#: ../../src/slave/kprop.c:233 -+msgid "while setting server principal name" -+msgstr "beim Setzen des Server-Principal-Namens" -+ -+#: ../../src/slave/kprop.c:255 -+msgid "while resolving keytab" -+msgstr "beim Ermitteln der Schlüsseltabelle" -+ -+#: ../../src/slave/kprop.c:264 -+msgid "while getting initial credentials\n" -+msgstr "beim Holen der Anfangsanmeldedaten\n" -+ -+#: ../../src/slave/kprop.c:301 -+msgid "while creating socket" 
-+msgstr "beim Erstellen eines Sockets" -+ -+#: ../../src/slave/kprop.c:317 -+msgid "while converting server address" -+msgstr "beim Umwandeln der Server-Adresse" -+ -+#: ../../src/slave/kprop.c:327 -+msgid "while connecting to server" -+msgstr "beim Verbinden mit dem Server" -+ -+#: ../../src/slave/kprop.c:334 ../../src/slave/kpropd.c:1215 -+msgid "while getting local socket address" -+msgstr "beim Holen der lokalen Socket-Adresse" -+ -+#: ../../src/slave/kprop.c:339 -+msgid "while converting local address" -+msgstr "beim Umwandeln der lokalen Socket-Adresse" -+ -+#: ../../src/slave/kprop.c:362 -+msgid "in krb5_auth_con_setaddrs" -+msgstr "in »krb5_auth_con_setaddrs«" -+ -+#: ../../src/slave/kprop.c:370 -+msgid "while authenticating to server" -+msgstr "beim Authentifizieren am Server" -+ -+#: ../../src/slave/kprop.c:374 ../../src/slave/kprop.c:573 -+#: ../../src/slave/kpropd.c:1521 -+#, c-format -+msgid "Generic remote error: %s\n" -+msgstr "allgemeiner ferner Fehler: %s\n" -+ -+#: ../../src/slave/kprop.c:380 ../../src/slave/kprop.c:579 -+msgid "signalled from server" -+msgstr "signalisiert vom Server" -+ -+#: ../../src/slave/kprop.c:382 ../../src/slave/kprop.c:581 -+#, c-format -+msgid "Error text from server: %s\n" -+msgstr "Fehlermeldung vom Server: %s\n" -+ -+#: ../../src/slave/kprop.c:410 -+#, c-format -+msgid "allocating database file name '%s'" -+msgstr "Datenbankdateiname »%s« wird reserviert" -+ -+#: ../../src/slave/kprop.c:416 -+#, c-format -+msgid "while trying to open %s" -+msgstr "beim Versuch, %s zu öffnen" -+ -+#: ../../src/slave/kprop.c:423 -+msgid "database locked" -+msgstr "Datenbank gesperrt" -+ -+#: ../../src/slave/kprop.c:426 ../../src/slave/kpropd.c:525 -+#, c-format -+msgid "while trying to lock '%s'" -+msgstr "beim Versuch, »%s« zu sperren" -+ -+#: ../../src/slave/kprop.c:430 ../../src/slave/kprop.c:438 -+#, c-format -+msgid "while trying to stat %s" -+msgstr "beim Versuch, »stat« für %s auszuführen" -+ -+#: ../../src/slave/kprop.c:434 
-+msgid "while trying to malloc data_ok_fn" -+msgstr "beim Versuch, Speicher für »data_ok_fn« zu reservieren" -+ -+#: ../../src/slave/kprop.c:443 -+#, c-format -+msgid "'%s' more recent than '%s'." -+msgstr "»%s« ist aktueller als »%s«." -+ -+#: ../../src/slave/kprop.c:459 -+#, c-format -+msgid "while unlocking database '%s'" -+msgstr "beim Entsperren von Datenbank »%s«" -+ -+#: ../../src/slave/kprop.c:492 ../../src/slave/kprop.c:493 -+msgid "while encoding database size" -+msgstr "beim Aufbereiten der Datenbankgröße" -+ -+#: ../../src/slave/kprop.c:501 -+msgid "while sending database size" -+msgstr "beim Senden der Datenbankgröße" -+ -+#: ../../src/slave/kprop.c:511 -+msgid "while allocating i_vector" -+msgstr "beim Reservieren von »i_vector«" -+ -+#: ../../src/slave/kprop.c:534 -+#, c-format -+msgid "while sending database block starting at %d" -+msgstr "beim Senden des Datenbankblocks, der bei %d beginnt" -+ -+#: ../../src/slave/kprop.c:544 -+msgid "Premature EOF found for database file!" -+msgstr "vorzeitiges EOF für Datenbankdatei gefunden!" 
-+ -+#: ../../src/slave/kprop.c:557 -+msgid "while reading response from server" -+msgstr "beim Lesen der Antwort vom Servers" -+ -+#: ../../src/slave/kprop.c:568 -+msgid "while decoding error response from server" -+msgstr "beim Aufschlüsseln der Fehlerantwort vom Server" -+ -+#: ../../src/slave/kprop.c:599 -+#, c-format -+msgid "Kpropd sent database size %d, expecting %d" -+msgstr "Kpropd sendet Datenbankgröße %d, erwartet wurde %d" -+ -+#: ../../src/slave/kprop.c:643 -+msgid "while allocating filename for update_last_prop_file" -+msgstr "beim Reservieren des Dateinamens für »update_last_prop_file«" -+ -+#: ../../src/slave/kprop.c:648 -+#, c-format -+msgid "while creating 'last_prop' file, '%s'" -+msgstr "beim Erstellen der Datei »last_prop«, »%s«" -+ -+#: ../../src/slave/kpropd.c:170 -+#, c-format -+msgid "" -+"\n" -+"Usage: %s [-r realm] [-s srvtab] [-dS] [-f slave_file]\n" -+msgstr "" -+"\n" -+"Aufruf: %s [-r Realm] [-s Dienstschlüsseltabelle] [-dS] [-f " -+"untergeordnete_Datei]\n" -+ -+#: ../../src/slave/kpropd.c:172 -+#, c-format -+msgid "\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n" -+msgstr "\t[-F Kerberos-Datenbankdatei ] [-p KDB5-Hilfswerkzeugpfadname]\n" -+ -+#: ../../src/slave/kpropd.c:173 -+#, c-format -+msgid "\t[-x db_args]* [-P port] [-a acl_file]\n" -+msgstr "\t[-x Datenbankargumente]* [-P Port] [-a ACL-Datei]\n" -+ -+#: ../../src/slave/kpropd.c:174 -+#, c-format -+msgid "\t[-A admin_server]\n" -+msgstr "\t[-A Serveradministrator]\n" -+ -+#: ../../src/slave/kpropd.c:215 -+#, c-format -+msgid "Killing fullprop child (%d)\n" -+msgstr "Beenden des Fullprop-Kindprozesses (%d) wird erzwungen\n" -+ -+#: ../../src/slave/kpropd.c:244 -+msgid "while checking if stdin is a socket" -+msgstr "beim Prüfen, ob die Standardeingabe ein Socket ist" -+ -+#: ../../src/slave/kpropd.c:262 -+#, c-format -+msgid "ready\n" -+msgstr "bereit\n" -+ -+#: ../../src/slave/kpropd.c:272 -+#, c-format -+msgid "Could not open /dev/null: %s" -+msgstr "/dev/null konnte nicht 
geöffnet werden: %s" -+ -+#: ../../src/slave/kpropd.c:279 -+#, c-format -+msgid "Could not dup the inetd socket: %s" -+msgstr "Das Inetd-Socket konnte nicht dupliziert werden: %s" -+ -+#: ../../src/slave/kpropd.c:314 ../../src/slave/kpropd.c:327 -+msgid "do_iprop failed.\n" -+msgstr "»do_iprop« fehlgeschlagen\n" -+ -+#: ../../src/slave/kpropd.c:366 -+#, c-format -+msgid "getaddrinfo: %s\n" -+msgstr "getaddrinfo: %s\n" -+ -+#: ../../src/slave/kpropd.c:372 -+msgid "while obtaining socket" -+msgstr "beim Erlangen des Sockets" -+ -+#: ../../src/slave/kpropd.c:378 -+msgid "while setting SO_REUSEADDR option" -+msgstr "beim Setzen der Option SO_REUSEADDR" -+ -+#: ../../src/slave/kpropd.c:386 -+msgid "while unsetting IPV6_V6ONLY option" -+msgstr "beim Entfernen der Option IPV6_V6ONLY" -+ -+#: ../../src/slave/kpropd.c:391 -+msgid "while binding listener socket" -+msgstr "beim Anbinden an das auf Verbindung wartende Socket" -+ -+#: ../../src/slave/kpropd.c:402 -+#, c-format -+msgid "waiting for a kprop connection\n" -+msgstr "warten auf Kprop-Verbindung\n" -+ -+#: ../../src/slave/kpropd.c:408 -+msgid "while accepting connection" -+msgstr "beim Akzeptieren der Verbindung" -+ -+#: ../../src/slave/kpropd.c:414 -+msgid "while forking" -+msgstr "beim Erzeugen eines Kindprozesses" -+ -+#: ../../src/slave/kpropd.c:429 -+#, c-format -+msgid "waitpid() failed to wait for doit() (%d %s)\n" -+msgstr "waitpid() schlug beim Warten auf doit() fehl (%d %s)\n" -+ -+#: ../../src/slave/kpropd.c:433 -+msgid "while waiting to receive database" -+msgstr "beim Warten auf den Erhalt der Datenbank" -+ -+#: ../../src/slave/kpropd.c:437 -+#, c-format -+msgid "Database load process for full propagation completed.\n" -+msgstr "" -+"Der Datenbankladeprozess für eine vollständige Verbreitung ist " -+"abgeschlossen.\n" -+ -+#: ../../src/slave/kpropd.c:471 -+#, c-format -+msgid "" -+"%s: Standard input does not appear to be a network socket.\n" -+"\t(Not run from inetd, and missing the -S option?)\n" 
-+msgstr "" -+"%s: Bei der Standardeingabe scheint es sich nicht um ein Netzwerk-Socket zu\n" -+"\thandeln (läuft nicht aus Inetd und die Option -S fehlt?).\n" -+ -+#: ../../src/slave/kpropd.c:485 -+msgid "while attempting setsockopt (SO_KEEPALIVE)" -+msgstr "beim Versuch, »setsockopt« auszuführen (SO_KEEPALIVE)" -+ -+#: ../../src/slave/kpropd.c:490 -+#, c-format -+msgid "Connection from %s" -+msgstr "Verbindung von %s" -+ -+#: ../../src/slave/kpropd.c:510 -+#, c-format -+msgid "Rejected connection from unauthorized principal %s\n" -+msgstr "Zurückgewiesene Verbindung von nicht autorisiertem Principal %s\n" -+ -+#: ../../src/slave/kpropd.c:514 -+#, c-format -+msgid "Rejected connection from unauthorized principal %s" -+msgstr "Zurückgewiesene Verbindung von nicht authorisiertem Principal %s" -+ -+#: ../../src/slave/kpropd.c:531 -+#, c-format -+msgid "while opening database file, '%s'" -+msgstr "beim Öffnen der Datenbankdatei, »%s«" -+ -+#: ../../src/slave/kpropd.c:537 -+#, c-format -+msgid "while renaming %s to %s" -+msgstr "beim Umbenennen von %s in %s" -+ -+#: ../../src/slave/kpropd.c:543 -+#, c-format -+msgid "while downgrading lock on '%s'" -+msgstr "beim Downgrade der Sperre auf »%s«" -+ -+#: ../../src/slave/kpropd.c:550 -+#, c-format -+msgid "while unlocking '%s'" -+msgstr "beim Aufheben der Sperre »%s«" -+ -+#: ../../src/slave/kpropd.c:562 -+msgid "while sending # of received bytes" -+msgstr "beim Senden n empfangener Byte" -+ -+#: ../../src/slave/kpropd.c:568 -+msgid "while trying to close database file" -+msgstr "beim Versuch, die Datenbankdatei zu schließen" -+ -+#: ../../src/slave/kpropd.c:624 -+#, c-format -+msgid "Incremental propagation enabled\n" -+msgstr "inkrementelle Verbreitung aktiviert\n" -+ -+#: ../../src/slave/kpropd.c:634 -+msgid "Unable to get default realm" -+msgstr "Standard-Realm kann nicht geholt werden" -+ -+#: ../../src/slave/kpropd.c:647 -+#, c-format -+msgid "%s: unable to get kiprop host based service name for realm %s\n" -+msgstr 
"" -+"%s: Kiprop-rechnerbasierter Dienstname für Realm %s kann nicht geholt " -+"werden\n" -+ -+#: ../../src/slave/kpropd.c:658 -+msgid "while trying to construct host service principal" -+msgstr "beim Versuch, den Rechnerdienst-Principal zu erstellen" -+ -+#: ../../src/slave/kpropd.c:672 -+msgid "while determining local service principal name" -+msgstr "beim Bestimmen des lokalen Dienst-Principal-Namens" -+ -+#: ../../src/slave/kpropd.c:692 -+#, c-format -+msgid "Initializing kadm5 as client %s\n" -+msgstr "Kadm5 wird als Client %s initialisiert\n" -+ -+#: ../../src/slave/kpropd.c:706 -+#, c-format -+msgid "kadm5 initialization failed!\n" -+msgstr "Initialisierung von Kadm5 fehlgeschlagen!\n" -+ -+#: ../../src/slave/kpropd.c:715 -+msgid "while attempting to connect to master KDC ... retrying" -+msgstr "" -+"beim Versuch, eine Verbindung zum Master-KDC aufzubauen … wird erneut " -+"versucht" -+ -+#: ../../src/slave/kpropd.c:719 -+#, c-format -+msgid "Sleeping %d seconds to re-initialize kadm5 (RPC ERROR)\n" -+msgstr "" -+"Um Kadm5 neu zu initialisieren, wird %d Sekunden gewartet (RPC-FEHLER).\n" -+ -+#: ../../src/slave/kpropd.c:735 -+#, c-format -+msgid "while initializing %s interface, retrying" -+msgstr "beim Initialisieren der Schnittstelle %s, wird erneut versucht" -+ -+#: ../../src/slave/kpropd.c:739 -+#, c-format -+msgid "Sleeping %d seconds to re-initialize kadm5 (krb5kdc not running?)\n" -+msgstr "" -+"Um Kadm5 neu zu initialisieren, wird %d Sekunden gewartet (läuft Krb5kdc " -+"nicht?).\n" -+ -+#: ../../src/slave/kpropd.c:749 -+#, c-format -+msgid "kadm5 initialization succeeded\n" -+msgstr "Initialisieren von Kadm5 erfolgreich\n" -+ -+#: ../../src/slave/kpropd.c:771 -+msgid "reading update log header" -+msgstr "Aktualisierungsprotokollkopfzeilen werden gelesen" -+ -+#: ../../src/slave/kpropd.c:782 -+#, c-format -+msgid "Calling iprop_get_updates_1 (sno=%u sec=%u usec=%u)\n" -+msgstr "»iprop_get_updates_1()« wird aufgerufen (sno=%u sec=%u usec=%u)\n" -+ 
-+#: ../../src/slave/kpropd.c:792 -+msgid "iprop_get_updates call failed" -+msgstr "Aufruf von »iprop_get_updates« fehlgeschlagen" -+ -+#: ../../src/slave/kpropd.c:798 -+#, c-format -+msgid "Reinitializing iprop because get updates failed\n" -+msgstr "" -+"Iprop wird neu initialisiert, da Aktualisierungen fehlgeschlagen sind\n" -+ -+#: ../../src/slave/kpropd.c:819 -+#, c-format -+msgid "Still waiting for full resync\n" -+msgstr "" -+"Es wird immer noch auf das vollständige erneute Synchronisieren gewartet.\n" -+ -+#: ../../src/slave/kpropd.c:824 -+#, c-format -+msgid "Full resync needed\n" -+msgstr "erneutes vollständiges Synchronisieren erforderlich\n" -+ -+#: ../../src/slave/kpropd.c:825 -+msgid "kpropd: Full resync needed." -+msgstr "Kpropd: erneutes vollständiges Synchronisieren erforderlich" -+ -+#: ../../src/slave/kpropd.c:830 -+msgid "iprop_full_resync call failed" -+msgstr "Aufruf von »iprop_full_resync« fehlgeschlagen" -+ -+#: ../../src/slave/kpropd.c:841 -+#, c-format -+msgid "Full resync request granted\n" -+msgstr "Anfrage nach vollständigem erneuten Synchronisieren genehmigt\n" -+ -+#: ../../src/slave/kpropd.c:842 -+msgid "Full resync request granted." -+msgstr "Anfrage nach vollständigem erneuten Synchronisieren genehmigt" -+ -+# FIXME s/backoff/back-off/ -+#: ../../src/slave/kpropd.c:851 -+#, c-format -+msgid "Exponential backoff\n" -+msgstr "exponentieller Wartezyklus\n" -+ -+#: ../../src/slave/kpropd.c:857 -+#, c-format -+msgid "Full resync permission denied\n" -+msgstr "vollständiges erneutes Synchronisieren nicht gestattet\n" -+ -+#: ../../src/slave/kpropd.c:858 -+msgid "Full resync, permission denied." -+msgstr "vollständiges erneutes Synchronisieren, nicht gestattet" -+ -+#: ../../src/slave/kpropd.c:863 -+#, c-format -+msgid "Full resync error from master\n" -+msgstr "Fehler beim vollständigen erneuten Synchronisieren vom Master\n" -+ -+#: ../../src/slave/kpropd.c:864 -+msgid " Full resync, error returned from master KDC." 
-+msgstr "" -+"vollständiges erneutes Synchronisieren, das Master-KDC gab einen Fehler " -+"zurück" -+ -+#: ../../src/slave/kpropd.c:872 -+#, c-format -+msgid "Full resync invalid result from master\n" -+msgstr "" -+"Beim vollständigen erneuten Synchronisieren gab der Master ein ungültiges " -+"Ergebnis zurück.\n" -+ -+#: ../../src/slave/kpropd.c:874 -+msgid "Full resync, invalid return from master KDC." -+msgstr "" -+"vollständiges erneutes Synchronisieren, ungültiger Rückgabewert vom Master-" -+"KDC" -+ -+#: ../../src/slave/kpropd.c:890 -+#, c-format -+msgid "Got incremental updates (sno=%u sec=%u usec=%u)\n" -+msgstr "" -+"inkrementelle Aktualisierungen erhalten (sno=%u sec=%u usec=%u)\n" -+ -+#: ../../src/slave/kpropd.c:902 -+#, c-format -+msgid "ulog_replay failed (%s), updates not registered\n" -+msgstr "" -+"»ulog_replay« fehlgeschlagen (%s), Aktualisierungen nicht registriert\n" -+ -+#: ../../src/slave/kpropd.c:905 -+#, c-format -+msgid "ulog_replay failed (%s), updates not registered." -+msgstr "»ulog_replay« fehlgeschlagen (%s), Aktualisierungen nicht registriert" -+ -+#: ../../src/slave/kpropd.c:914 -+#, c-format -+msgid "Incremental updates: %d updates / %lu us" -+msgstr "inkrementelle Aktualisierungen: %d Aktualisierungen / %lu us" -+ -+#: ../../src/slave/kpropd.c:917 -+#, c-format -+msgid "Incremental updates: %d updates / %lu us\n" -+msgstr "inkrementelle Aktualisierungen: %d Aktualisierungen / %lu us\n" -+ -+#: ../../src/slave/kpropd.c:925 -+#, c-format -+msgid "get_updates permission denied\n" -+msgstr "Zugriff bei »get_updates« verweigert\n" -+ -+#: ../../src/slave/kpropd.c:926 -+msgid "get_updates, permission denied." -+msgstr "»get_updates«, Zugriff verweigert" -+ -+#: ../../src/slave/kpropd.c:931 -+#, c-format -+msgid "get_updates error from master\n" -+msgstr "»get_updates«-Fehler vom Master\n" -+ -+#: ../../src/slave/kpropd.c:932 -+msgid "get_updates, error returned from master KDC." 
-+msgstr "Vom Master-KDC wurde ein »get_updates«-Fehler zurückgegeben." -+ -+# FIXME s/backoff/back-off/ -+#: ../../src/slave/kpropd.c:940 -+#, c-format -+msgid "get_updates master busy; backoff\n" -+msgstr "»get_updates«-Master ausgelastet; hält sich zurück\n" -+ -+#: ../../src/slave/kpropd.c:949 -+#, c-format -+msgid "KDC is synchronized with master.\n" -+msgstr "KDC wurde mit dem Master synchronisiert.\n" -+ -+#: ../../src/slave/kpropd.c:957 -+#, c-format -+msgid "get_updates invalid result from master\n" -+msgstr "ungültiges »get_updates«-Ergebnis vom Master\n" -+ -+#: ../../src/slave/kpropd.c:958 -+msgid "get_updates, invalid return from master KDC." -+msgstr "»get_updates«, ungültiger Rückgabewert vom Master-KDC" -+ -+# FIXME s/backoff/back-off/ -+#: ../../src/slave/kpropd.c:973 -+#, c-format -+msgid "Busy signal received from master, backoff for %d secs\n" -+msgstr "" -+"Vom Master wurde ein Signal empfangen, dass er ausgelastet ist, " -+"Zurückhaltung für %d Sekunden\n" -+ -+#: ../../src/slave/kpropd.c:980 -+#, c-format -+msgid "Waiting for %d seconds before checking for updates again\n" -+msgstr "" -+"vor der erneuten Prufung auf Aktualisierungen wird %d Sekunden gewartet\n" -+ -+#: ../../src/slave/kpropd.c:991 -+#, c-format -+msgid "ERROR returned by master, bailing\n" -+msgstr "FEHLER vom Master zurückgegeben, Ausstieg\n" -+ -+#: ../../src/slave/kpropd.c:992 -+msgid "ERROR returned by master KDC, bailing.\n" -+msgstr "FEHLER vom Master-KDC zurückgegeben, Ausstieg\n" -+ -+#: ../../src/slave/kpropd.c:1134 -+msgid "copying db args" -+msgstr "Datenbankargumente werden kopiert" -+ -+#: ../../src/slave/kpropd.c:1161 -+msgid "while trying to construct my service name" -+msgstr "beim Versuch, meinen Dienstnamen zu erstellen" -+ -+#: ../../src/slave/kpropd.c:1167 -+msgid "while constructing my service realm" -+msgstr "beim Erstellen meines Dienst-Realms" -+ -+#: ../../src/slave/kpropd.c:1175 -+msgid "while allocating filename for temp file" -+msgstr "beim 
Reservieren des Dateinamens für die temporäre Datei" -+ -+#: ../../src/slave/kpropd.c:1181 -+msgid "while initializing" -+msgstr "bei der Initialisierung" -+ -+#: ../../src/slave/kpropd.c:1189 -+msgid "Unable to map log!\n" -+msgstr "Protokoll kann nicht abgebildet werden!\n" -+ -+#: ../../src/slave/kpropd.c:1235 -+#, c-format -+msgid "Error in krb5_auth_con_ini: %s" -+msgstr "Fehler in »krb5_auth_con_ini«: %s" -+ -+#: ../../src/slave/kpropd.c:1243 -+#, c-format -+msgid "Error in krb5_auth_con_setflags: %s" -+msgstr "Fehler in »krb5_auth_con_setflags«: %s" -+ -+#: ../../src/slave/kpropd.c:1251 -+#, c-format -+msgid "Error in krb5_auth_con_setaddrs: %s" -+msgstr "Fehler in »krb5_auth_con_setaddrs«: %s" -+ -+#: ../../src/slave/kpropd.c:1259 -+#, c-format -+msgid "Error in krb5_kt_resolve: %s" -+msgstr "Fehler in »krb5_kt_resolve«: %s" -+ -+#: ../../src/slave/kpropd.c:1268 -+#, c-format -+msgid "Error in krb5_recvauth: %s" -+msgstr "Fehler in »krb5_recvauth«: %s" -+ -+#: ../../src/slave/kpropd.c:1275 -+#, c-format -+msgid "Error in krb5_copy_prinicpal: %s" -+msgstr "Fehler in »krb5_copy_prinicpal«: %s" -+ -+#: ../../src/slave/kpropd.c:1291 -+msgid "while unparsing ticket etype" -+msgstr "beim Rückgängigmachen der Auswertung des »etype«s des Tickets" -+ -+#: ../../src/slave/kpropd.c:1295 -+#, c-format -+msgid "authenticated client: %s (etype == %s)\n" -+msgstr "Authentifizierter Client: %s (etype == %s)\n" -+ -+#: ../../src/slave/kpropd.c:1374 -+msgid "while reading size of database from client" -+msgstr "beim Lesen der Datenbankgröße vom Client" -+ -+#: ../../src/slave/kpropd.c:1384 -+msgid "while decoding database size from client" -+msgstr "beim Dekodieren der Datenbankgröße vom Client" -+ -+#: ../../src/slave/kpropd.c:1397 -+msgid "while initializing i_vector" -+msgstr "beim Initialisieren von »i_vector«" -+ -+#: ../../src/slave/kpropd.c:1402 -+#, c-format -+msgid "Full propagation transfer started.\n" -+msgstr "vollständige Verbreitungsübertragung gestartet\n" -+ 
-+#: ../../src/slave/kpropd.c:1455 -+#, c-format -+msgid "Full propagation transfer finished.\n" -+msgstr "vollständige Verbreitungsübertragung beendet\n" -+ -+#: ../../src/slave/kpropd.c:1516 -+msgid "while decoding error packet from client" -+msgstr "beim Dekodieren des Fehlerpakets vom Client" -+ -+#: ../../src/slave/kpropd.c:1525 -+msgid "signaled from server" -+msgstr "signalisiert vom Server" -+ -+#: ../../src/slave/kpropd.c:1527 -+#, c-format -+msgid "Error text from client: %s\n" -+msgstr "Fehlermeldung vom Client: %s\n" -+ -+#: ../../src/slave/kpropd.c:1576 -+#, c-format -+msgid "while trying to fork %s" -+msgstr "beim Versuch, einen Kindprozess von %s zu erzeugen" -+ -+#: ../../src/slave/kpropd.c:1580 -+#, c-format -+msgid "while trying to exec %s" -+msgstr "beim Versuch, %s auszuführen" -+ -+#: ../../src/slave/kpropd.c:1587 -+#, c-format -+msgid "while waiting for %s" -+msgstr "beim Warten auf %s" -+ -+#: ../../src/slave/kpropd.c:1593 -+#, c-format -+msgid "%s load terminated" -+msgstr "Laden von %s beendet" -+ -+#: ../../src/slave/kpropd.c:1599 -+#, c-format -+msgid "%s returned a bad exit status (%d)" -+msgstr "%s gab einen falschen Exit-Status (%d) zurück" -+ -+#: ../../src/slave/kproplog.c:27 -+#, c-format -+msgid "" -+"\n" -+"Usage: %s [-h] [-v] [-v] [-e num]\n" -+"\t%s -R\n" -+"\n" -+msgstr "" -+"\n" -+"Aufruf: %s [-h] [-v] [-v] [-e Zahl]\n" -+"\t%s -R\n" -+"\n" -+ -+#: ../../src/slave/kproplog.c:129 -+#, c-format -+msgid "" -+"\n" -+"Couldn't allocate memory" -+msgstr "" -+"\n" -+"Speicher konnte nicht reserviert werden" -+ -+#: ../../src/slave/kproplog.c:223 -+#, c-format -+msgid "\t\tAttribute flags\n" -+msgstr "\t\tAttributschalter\n" -+ -+#: ../../src/slave/kproplog.c:228 -+#, c-format -+msgid "\t\tMaximum ticket life\n" -+msgstr "\t\tmaximale Ticketlebensdauer\n" -+ -+#: ../../src/slave/kproplog.c:233 -+#, c-format -+msgid "\t\tMaximum renewable life\n" -+msgstr "\t\tmaximale verlängerbare Lebensdauer\n" -+ -+#: ../../src/slave/kproplog.c:238 
-+#, c-format -+msgid "\t\tPrincipal expiration\n" -+msgstr "\t\tAblauf des Principals\n" -+ -+#: ../../src/slave/kproplog.c:243 -+#, c-format -+msgid "\t\tPassword expiration\n" -+msgstr "\t\tAblauf des Passworts\n" -+ -+#: ../../src/slave/kproplog.c:248 -+#, c-format -+msgid "\t\tLast successful auth\n" -+msgstr "\t\tletzte erfolgreiche Authentifizierung\n" -+ -+#: ../../src/slave/kproplog.c:253 -+#, c-format -+msgid "\t\tLast failed auth\n" -+msgstr "\t\tletzte fehlgeschlagene Authentifizierung\n" -+ -+#: ../../src/slave/kproplog.c:258 -+#, c-format -+msgid "\t\tFailed passwd attempt\n" -+msgstr "\t\tfehlgeschlagener Passwortversuch\n" -+ -+#: ../../src/slave/kproplog.c:263 -+#, c-format -+msgid "\t\tPrincipal\n" -+msgstr "\t\tPrincipal\n" -+ -+#: ../../src/slave/kproplog.c:268 -+#, c-format -+msgid "\t\tKey data\n" -+msgstr "\t\tSchlüsseldaten\n" -+ -+#: ../../src/slave/kproplog.c:275 -+#, c-format -+msgid "\t\tTL data\n" -+msgstr "\t\tTL-Daten\n" -+ -+#: ../../src/slave/kproplog.c:282 -+#, c-format -+msgid "\t\tLength\n" -+msgstr "\t\tLänge\n" -+ -+#: ../../src/slave/kproplog.c:287 -+#, c-format -+msgid "\t\tPassword last changed\n" -+msgstr "\t\tletzte Passwortänderung\n" -+ -+#: ../../src/slave/kproplog.c:292 -+#, c-format -+msgid "\t\tModifying principal\n" -+msgstr "\t\ttPrincipal wird geändert\n" -+ -+#: ../../src/slave/kproplog.c:297 -+#, c-format -+msgid "\t\tModification time\n" -+msgstr "\t\tÄnderungszeit\n" -+ -+#: ../../src/slave/kproplog.c:302 -+#, c-format -+msgid "\t\tModified where\n" -+msgstr "\t\tGeändert wobei\n" -+ -+#: ../../src/slave/kproplog.c:307 -+#, c-format -+msgid "\t\tPassword policy\n" -+msgstr "\t\tPasswortrichtlinie\n" -+ -+#: ../../src/slave/kproplog.c:312 -+#, c-format -+msgid "\t\tPassword policy switch\n" -+msgstr "\t\tPasswortrichtlinienumschalter\n" -+ -+#: ../../src/slave/kproplog.c:317 -+#, c-format -+msgid "\t\tPassword history KVNO\n" -+msgstr "\t\tPasswortchronik KVNO\n" -+ -+#: ../../src/slave/kproplog.c:322 -+#, 
c-format -+msgid "\t\tPassword history\n" -+msgstr "\t\tPasswortchronik\n" -+ -+#: ../../src/slave/kproplog.c:356 -+#, c-format -+msgid "" -+"Corrupt update entry\n" -+"\n" -+msgstr "" -+"beschädigter Aktualisierungseintrag\n" -+"\n" -+ -+#: ../../src/slave/kproplog.c:364 -+#, c-format -+msgid "" -+"Entry data decode failure\n" -+"\n" -+msgstr "" -+"Dekodieren der eingetragenen Daten fehlgeschlagen\n" -+"\n" -+ -+#: ../../src/slave/kproplog.c:369 -+#, c-format -+msgid "Update Entry\n" -+msgstr "Aktualisierungseintrag\n" -+ -+#: ../../src/slave/kproplog.c:371 -+#, c-format -+msgid "\tUpdate serial # : %u\n" -+msgstr "\tAktualisierung der Seriennummer: %u\n" -+ -+#: ../../src/slave/kproplog.c:373 -+#, c-format -+msgid "\tUpdate operation : " -+msgstr "\tAktualisierungsaktion: " -+ -+#: ../../src/slave/kproplog.c:375 -+#, c-format -+msgid "Delete\n" -+msgstr "Löschen\n" -+ -+#: ../../src/slave/kproplog.c:377 -+#, c-format -+msgid "Add\n" -+msgstr "Hinzufügen\n" -+ -+#: ../../src/slave/kproplog.c:381 -+#, c-format -+msgid "" -+"Could not allocate principal name\n" -+"\n" -+msgstr "" -+"Der Principal-Name konnte nicht reserviert werden.\n" -+"\n" -+ -+#: ../../src/slave/kproplog.c:387 -+#, c-format -+msgid "\tUpdate principal : %s\n" -+msgstr "\tAktualisierung des Principals: %s\n" -+ -+#: ../../src/slave/kproplog.c:389 -+#, c-format -+msgid "\tUpdate size : %u\n" -+msgstr "\tGröße der Aktualisierung: %u\n" -+ -+#: ../../src/slave/kproplog.c:390 -+#, c-format -+msgid "\tUpdate committed : %s\n" -+msgstr "\tAktualisierung übergeben: %s\n" -+ -+#: ../../src/slave/kproplog.c:394 -+#, c-format -+msgid "\tUpdate time stamp : None\n" -+msgstr "\tZeitstempel der Aktualisierung: keiner\n" -+ -+#: ../../src/slave/kproplog.c:396 -+#, c-format -+msgid "\tUpdate time stamp : %s" -+msgstr "\tZeitstempel der Aktualisierung: %s" -+ -+#: ../../src/slave/kproplog.c:400 -+#, c-format -+msgid "\tAttributes changed : %d\n" -+msgstr "\tgeänderte Attribute: %d\n" -+ -+#: 
../../src/slave/kproplog.c:465 -+#, c-format -+msgid "" -+"Unable to initialize Kerberos\n" -+"\n" -+msgstr "" -+"Kerberos kann nicht initialisiert werden\n" -+"\n" -+ -+#: ../../src/slave/kproplog.c:472 -+#, c-format -+msgid "" -+"Couldn't read database_name\n" -+"\n" -+msgstr "" -+"»database_name« kann nicht gelesen werden\n" -+"\n" -+ -+#: ../../src/slave/kproplog.c:476 -+#, c-format -+msgid "" -+"\n" -+"Kerberos update log (%s)\n" -+msgstr "" -+"\n" -+"Kerberos-Aktualisierungsprotokoll (%s)\n" -+ -+#: ../../src/slave/kproplog.c:480 ../../src/slave/kproplog.c:495 -+#, c-format -+msgid "" -+"Unable to map log file %s\n" -+"\n" -+msgstr "" -+"Protokolldatei %s kann nicht abgebildet werden\n" -+"\n" -+ -+#: ../../src/slave/kproplog.c:485 -+#, c-format -+msgid "" -+"Couldn't reinitialize ulog file %s\n" -+"\n" -+msgstr "" -+"Ulog-Datei %s konnte nicht neu initialisiert werden\n" -+"\n" -+ -+#: ../../src/slave/kproplog.c:489 -+#, c-format -+msgid "Reinitialized the ulog.\n" -+msgstr "Das Ulog wurde neu initialisiert.\n" -+ -+#: ../../src/slave/kproplog.c:501 -+#, c-format -+msgid "" -+"Corrupt header log, exiting\n" -+"\n" -+msgstr "" -+"beschädigtes Kopfzeilenprotokoll, wird beendet\n" -+"\n" -+ -+#: ../../src/slave/kproplog.c:505 -+#, c-format -+msgid "Update log dump :\n" -+msgstr "Aktualisierungsprotokollauszug :\n" -+ -+#: ../../src/slave/kproplog.c:506 -+#, c-format -+msgid "\tLog version # : %u\n" -+msgstr "\tProtokollversion #: %u\n" -+ -+#: ../../src/slave/kproplog.c:507 -+#, c-format -+msgid "\tLog state : " -+msgstr "\tProtokollstatus: " -+ -+#: ../../src/slave/kproplog.c:510 -+#, c-format -+msgid "Stable\n" -+msgstr "stabil\n" -+ -+#: ../../src/slave/kproplog.c:513 -+#, c-format -+msgid "Unstable\n" -+msgstr "instabil\n" -+ -+#: ../../src/slave/kproplog.c:516 -+#, c-format -+msgid "Corrupt\n" -+msgstr "beschädigt\n" -+ -+#: ../../src/slave/kproplog.c:519 -+#, c-format -+msgid "Unknown state: %d\n" -+msgstr "unbekannter Status: %d\n" -+ -+#: 
../../src/slave/kproplog.c:522 -+#, c-format -+msgid "\tEntry block size : %u\n" -+msgstr "\tBlockgrößeneintrag: %u\n" -+ -+#: ../../src/slave/kproplog.c:523 -+#, c-format -+msgid "\tNumber of entries : %u\n" -+msgstr "\tAnzahl der Einträge: %u\n" -+ -+#: ../../src/slave/kproplog.c:526 -+#, c-format -+msgid "\tLast serial # : None\n" -+msgstr "\tletzte Seriennummer: keine\n" -+ -+#: ../../src/slave/kproplog.c:529 -+#, c-format -+msgid "\tFirst serial # : None\n" -+msgstr "\terste Seriennummer: keine\n" -+ -+#: ../../src/slave/kproplog.c:531 -+#, c-format -+msgid "\tFirst serial # : " -+msgstr "\terste Seriennummer: " -+ -+#: ../../src/slave/kproplog.c:535 -+#, c-format -+msgid "\tLast serial # : " -+msgstr "\tletzte Seriennummer: " -+ -+#: ../../src/slave/kproplog.c:540 -+#, c-format -+msgid "\tLast time stamp : None\n" -+msgstr "\tletzter Zeitstempel: keiner\n" -+ -+#: ../../src/slave/kproplog.c:543 -+#, c-format -+msgid "\tFirst time stamp : None\n" -+msgstr "\terster Zeitstempel: keiner\n" -+ -+#: ../../src/slave/kproplog.c:545 -+#, c-format -+msgid "\tFirst time stamp : %s" -+msgstr "\terster Zeitstempel: %s" -+ -+#: ../../src/slave/kproplog.c:549 -+#, c-format -+msgid "\tLast time stamp : %s\n" -+msgstr "\tletzter Zeitstempel: %s\n" -+ -+#: ../../src/util/support/errors.c:77 -+msgid "Kerberos library initialization failure" -+msgstr "Initialisieren der Kerberos-Bibliothek fehlgeschlagen" -+ -+#: ../../src/util/support/errors.c:93 -+#, c-format -+msgid "error %ld" -+msgstr "Fehler %ld" -+ -+#: ../../src/util/support/plugins.c:186 -+#, c-format -+msgid "unable to find plugin [%s]: %s" -+msgstr "Erweiterung [%s] konnte nicht gefunden werden: %s" -+ -+#: ../../src/util/support/plugins.c:274 -+msgid "unknown failure" -+msgstr "unbekannter Fehlschlag" -+ -+#: ../../src/util/support/plugins.c:277 -+#, c-format -+msgid "unable to load plugin [%s]: %s" -+msgstr "Erweiterung [%s] konnte nicht geladen werden: %s" -+ -+#: ../../src/util/support/plugins.c:300 -+#, c-format 
-+msgid "unable to load DLL [%s]" -+msgstr "DLL [%s] konnte nicht geladen werden" -+ -+#: ../../src/util/support/plugins.c:316 -+#, c-format -+msgid "plugin unavailable: %s" -+msgstr "Erweiterung nicht verfügbar: %s" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:23 -+msgid "No @ in SERVICE-NAME name string" -+msgstr "keine @ in der Namenszeichenkette SERVICE-NAME" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:24 -+msgid "STRING-UID-NAME contains nondigits" -+msgstr "STRING-UID-NAME enthält etwas anderes als Ziffern" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:25 -+msgid "UID does not resolve to username" -+msgstr "UID lässt sich nicht zu Benutzernamen ermitteln" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:26 -+msgid "Validation error" -+msgstr "Überprüfungsfehler" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:27 -+msgid "Couldn't allocate gss_buffer_t data" -+msgstr "»gss_buffer_t«-Daten konnten reserviert werden" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:28 -+msgid "Message context invalid" -+msgstr "Nachrichtenkontext ungültig" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:29 -+msgid "Buffer is the wrong size" -+msgstr "Puffer hat die falsche Größe" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:30 -+msgid "Credential usage type is unknown" -+msgstr "Typ des Anmeldedatenaufrufs ist unbekannt" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:31 -+msgid "Unknown quality of protection specified" -+msgstr "unbekannte Schutzqualität angegeben" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:32 -+msgid "Local host name could not be determined" -+msgstr "lokaler Rechnername konnte nicht bestimmt werden" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:33 -+msgid "Hostname in SERVICE-NAME string could not be canonicalized" -+msgstr "" -+"Rechnername in der Zeichenkette »SERVICE-NAME« konnte nicht in Normalform " -+"gebracht werden" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:34 -+msgid "Mechanism is incorrect" 
-+msgstr "Mechanismus ist nicht korrekt" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:35 -+msgid "Token header is malformed or corrupt" -+msgstr "Token-Kopfzeilen haben die falsche Form oder sind beschädigt" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:36 -+msgid "Packet was replayed in wrong direction" -+msgstr "Paket wurde in falscher Richtung erneut abgespielt" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:37 -+msgid "Token is missing data" -+msgstr "dem Token fehlen Daten" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:38 -+msgid "Token was reflected" -+msgstr "Token wurde zurückgeworfen" -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:39 -+msgid "Received token ID does not match expected token ID" -+msgstr "Die empfangene Token-Kennung passt nicht zur erwarteten Token-Kennung." -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:40 -+msgid "The given credential's usage does not match the requested usage" -+msgstr "" -+"Die Verwendung der angegebenen Anmeldedaten passt nicht zur angeforderten " -+"Verwendung." -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:41 -+msgid "Storing of acceptor credentials is not supported by the mechanism" -+msgstr "" -+"Das Speichern von Abnehmeranmeldedaten wird nicht durch den Mechanismus " -+"unterstützt." -+ -+#: ../lib/gssapi/generic/gssapi_err_generic.c:42 -+msgid "Storing of non-default credentials is not supported by the mechanism" -+msgstr "" -+"Das Speichern von Nichtstandardanmeldedaten wird nicht durch den Mechanismus " -+"unterstützt." -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:23 -+msgid "Principal in credential cache does not match desired name" -+msgstr "" -+"Principal im Anmeldedatenzwischenspeicher entspricht nicht dem gewünschten " -+"Namen" -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:24 -+msgid "No principal in keytab matches desired name" -+msgstr "Kein Principal in der Schlüsseltabelle passt zum gewünschten Namen." 
-+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:25 -+msgid "Credential cache has no TGT" -+msgstr "Anmeldedatenzwischenspeicher hat kein TGT" -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:26 -+msgid "Authenticator has no subkey" -+msgstr "Schlüsselziffer hat keinen Unterschlüssel" -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:27 -+msgid "Context is already fully established" -+msgstr "Kontext wurde bereits vollständig eingerichtet" -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:28 -+msgid "Unknown signature type in token" -+msgstr "unbekannter Signaturtyp im Token" -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:29 -+msgid "Invalid field length in token" -+msgstr "falsche Feldlänge im Token" -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:30 -+msgid "Attempt to use incomplete security context" -+msgstr "" -+"Es wurde versucht, einen unvollständigen Sicherheitskontext zu verwenden." -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:31 -+msgid "Bad magic number for krb5_gss_ctx_id_t" -+msgstr "falsche magische Zahl für »krb5_gss_ctx_id_t«" -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:32 -+msgid "Bad magic number for krb5_gss_cred_id_t" -+msgstr "falsche magische Zahl für »krb5_gss_cred_id_t«" -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:33 -+msgid "Bad magic number for krb5_gss_enc_desc" -+msgstr "falsche magische Zahl für »krb5_gss_enc_desc«" -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:34 -+msgid "Sequence number in token is corrupt" -+msgstr "Sequnznummer im Token ist beschädigt" -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:35 -+msgid "Credential cache is empty" -+msgstr "Anmeldedatenzwischenspeicher ist leer" -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:36 -+msgid "Acceptor and Initiator share no checksum types" -+msgstr "Abnehmer und Initiator haben keinen gemeinsamen Prüfsummentyp" -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:37 -+msgid "Requested lucid context version not supported" -+msgstr "angeforderte »lucid«-Kontextversion nicht unterstützt" -+ -+# PRF = Pseudo Random 
Function -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:38 -+msgid "PRF input too long" -+msgstr "PRF-Eingabe zu lang" -+ -+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:39 -+msgid "Bad magic number for iakerb_ctx_id_t" -+msgstr "falsche magische Zahl für »iakerb_ctx_id_t«" -+ -+#: ../lib/kadm5/chpass_util_strings.c:23 -+msgid "while getting policy info." -+msgstr "beim Holen der Richtlinieninformation." -+ -+#: ../lib/kadm5/chpass_util_strings.c:24 -+msgid "while getting principal info." -+msgstr "beim Holen der Principal-Information." -+ -+#: ../lib/kadm5/chpass_util_strings.c:25 -+msgid "New passwords do not match - password not changed.\n" -+msgstr "neue Passwörter stimmen nicht überein – Passwort nicht geändert\n" -+ -+#: ../lib/kadm5/chpass_util_strings.c:26 -+msgid "New password" -+msgstr "neues Passwort" -+ -+#: ../lib/kadm5/chpass_util_strings.c:27 -+msgid "New password (again)" -+msgstr "neues Passwort (erneut)" -+ -+#: ../lib/kadm5/chpass_util_strings.c:28 -+msgid "" -+"You must type a password. Passwords must be at least one character long.\n" -+msgstr "" -+"Sie müssen ein Passwort eingeben. Passwörter müssen mindestens ein Zeichen " -+"lang sein.\n" -+ -+#: ../lib/kadm5/chpass_util_strings.c:29 -+msgid "yet no policy set! Contact your system security administrator." -+msgstr "" -+"noch keine Richtlinie gesetzt! Kontaktieren Sie Ihren " -+"Systemsicherheitsadministrator" -+ -+#: ../lib/kadm5/chpass_util_strings.c:31 -+msgid "" -+"New password was found in a dictionary of possible passwords and\n" -+"therefore may be easily guessed. Please choose another password.\n" -+"See the kpasswd man page for help in choosing a good password." -+msgstr "" -+"Das neue Passwort wurde in einem Wörterbuch mit möglichen Passwörtern " -+"gefunden\n" -+"und kann daher leicht erraten werden. Bitte wählen Sie ein anderes " -+"Passwort.\n" -+"Hilfe bei der Wahl guter Passwörter finden Sie in der Handbuchseite von\n" -+"»kpasswd«." 
-+ -+#: ../lib/kadm5/chpass_util_strings.c:32 -+msgid "Password not changed." -+msgstr "Passwort nicht geändert" -+ -+#: ../lib/kadm5/chpass_util_strings.c:33 -+#, c-format -+msgid "" -+"New password is too short.\n" -+"Please choose a password which is at least %d characters long." -+msgstr "" -+"Das neue Passwort ist zu kurz.\n" -+"Bitte wählen Sie ein Passwort, das mindestens %d Zeichen lang ist." -+ -+#: ../lib/kadm5/chpass_util_strings.c:34 -+#, c-format -+msgid "" -+"New password does not have enough character classes.\n" -+"The character classes are:\n" -+"\t- lower-case letters,\n" -+"\t- upper-case letters,\n" -+"\t- digits,\n" -+"\t- punctuation, and\n" -+"\t- all other characters (e.g., control characters).\n" -+"Please choose a password with at least %d character classes." -+msgstr "" -+"Das neue Passwort besteht aus zu wenigen Zeichenklassen.\n" -+"Die Zeichenklassen sind:\n" -+"\t- Kleinbuchstaben,\n" -+"\t- Großbuchstaben,\n" -+"\t- Ziffern,\n" -+"\t- Satzzeichen und\n" -+"\t- alle anderen Zeichen (z.B. Steuerzeichen).\n" -+"Bitte wählen Sie ein Passwort mit mindestens %d Zeichenklassen." -+ -+#: ../lib/kadm5/chpass_util_strings.c:35 -+#, c-format -+msgid "" -+"Password cannot be changed because it was changed too recently.\n" -+"Please wait until %s before you change it.\n" -+"If you need to change your password before then, contact your system\n" -+"security administrator." -+msgstr "" -+"Das Passwort kann nicht geändert werden, da es erst vor kurzem geändert " -+"wurde.\n" -+"Bitte warten Sie bis %s, ehe Sie es ändern.\n" -+"Falls Sie es vorher ändern müssen, kontaktieren Sie Ihren\n" -+"Systemsicherheitsadministrator." -+ -+#: ../lib/kadm5/chpass_util_strings.c:36 -+msgid "New password was used previously. Please choose a different password." -+msgstr "" -+"Das neue Passwort wurde zuvor schon benutzt. Bitte wählen Sie ein anderes " -+"Passwort." -+ -+#: ../lib/kadm5/chpass_util_strings.c:37 -+msgid "while trying to change password." 
-+msgstr "beim Versuch, das Passwort zu ändern." -+ -+#: ../lib/kadm5/chpass_util_strings.c:38 -+msgid "while reading new password." -+msgstr "beim Lesen des neuen Passworts." -+ -+#: ../lib/kadm5/kadm_err.c:23 -+msgid "Operation failed for unspecified reason" -+msgstr "Aktion aus nicht näher beschriebenem Grund fehlgeschlagen" -+ -+#: ../lib/kadm5/kadm_err.c:24 -+msgid "Operation requires ``get'' privilege" -+msgstr "Aktion erfordert »get«-Recht" -+ -+#: ../lib/kadm5/kadm_err.c:25 -+msgid "Operation requires ``add'' privilege" -+msgstr "Aktion erfordert »add«-Recht" -+ -+#: ../lib/kadm5/kadm_err.c:26 -+msgid "Operation requires ``modify'' privilege" -+msgstr "Aktion erfordert »modify«-Recht" -+ -+#: ../lib/kadm5/kadm_err.c:27 -+msgid "Operation requires ``delete'' privilege" -+msgstr "Aktion erfordert »delete«-Recht" -+ -+#: ../lib/kadm5/kadm_err.c:28 -+msgid "Insufficient authorization for operation" -+msgstr "unzureichende Berechtigung für diese Aktion" -+ -+#: ../lib/kadm5/kadm_err.c:29 ../lib/kdb/adb_err.c:29 -+msgid "Database inconsistency detected" -+msgstr "Datenbankinkonsistenz entdeckt" -+ -+#: ../lib/kadm5/kadm_err.c:30 ../lib/kdb/adb_err.c:24 -+msgid "Principal or policy already exists" -+msgstr "Principal oder Richtlinie existiert bereits" -+ -+#: ../lib/kadm5/kadm_err.c:31 -+msgid "Communication failure with server" -+msgstr "Kommunikation mit dem Server fehlgeschlagen" -+ -+#: ../lib/kadm5/kadm_err.c:32 -+msgid "No administration server found for realm" -+msgstr "kein Administrationsserver für den Realm gefunden" -+ -+#: ../lib/kadm5/kadm_err.c:33 -+msgid "Password history principal key version mismatch" -+msgstr "Die Passwortchronikschlüssel des Principals passen nicht zusammen." 
-+ -+#: ../lib/kadm5/kadm_err.c:34 -+msgid "Connection to server not initialized" -+msgstr "Verbindung zum Server nicht initialisiert" -+ -+#: ../lib/kadm5/kadm_err.c:35 -+msgid "Principal does not exist" -+msgstr "Principal existiert nicht" -+ -+#: ../lib/kadm5/kadm_err.c:36 -+msgid "Policy does not exist" -+msgstr "Richtlinie existiert nicht" -+ -+#: ../lib/kadm5/kadm_err.c:37 -+msgid "Invalid field mask for operation" -+msgstr "ungültige Feldmaske für Aktion" -+ -+#: ../lib/kadm5/kadm_err.c:38 -+msgid "Invalid number of character classes" -+msgstr "ungültige Anzahl von Zeichenklassen" -+ -+#: ../lib/kadm5/kadm_err.c:39 -+msgid "Invalid password length" -+msgstr "ungültige Passwortlänge" -+ -+#: ../lib/kadm5/kadm_err.c:40 -+msgid "Illegal policy name" -+msgstr "unzulässiger Richtlinienname" -+ -+#: ../lib/kadm5/kadm_err.c:41 -+msgid "Illegal principal name" -+msgstr "unzulässiger Principal-Name" -+ -+# FIXME s/auxillary/auxilary/ -+#: ../lib/kadm5/kadm_err.c:42 -+msgid "Invalid auxillary attributes" -+msgstr "ungültige Zusatzattribute" -+ -+#: ../lib/kadm5/kadm_err.c:43 -+msgid "Invalid password history count" -+msgstr "ungültige Passwortchronikanzahl" -+ -+#: ../lib/kadm5/kadm_err.c:44 -+msgid "Password minimum life is greater than password maximum life" -+msgstr "Die minimale Lebensdauer des Passworts ist größer als die maximale." -+ -+#: ../lib/kadm5/kadm_err.c:45 -+msgid "Password is too short" -+msgstr "Das Passwort ist zu kurz." -+ -+#: ../lib/kadm5/kadm_err.c:46 -+msgid "Password does not contain enough character classes" -+msgstr "Das Passwort enthält nicht genug Zeichenklassen." -+ -+#: ../lib/kadm5/kadm_err.c:47 -+msgid "Password is in the password dictionary" -+msgstr "Das Passwort steht im Passwortwörterbuch." -+ -+#: ../lib/kadm5/kadm_err.c:48 -+msgid "Cannot reuse password" -+msgstr "Das Passwort kann nicht erneut verwendet werden." 
-+ -+#: ../lib/kadm5/kadm_err.c:49 -+msgid "Current password's minimum life has not expired" -+msgstr "Die aktuell minimale Lebensdauer des Passworts ist nicht abgelaufen." -+ -+#: ../lib/kadm5/kadm_err.c:50 ../lib/krb5/error_tables/kdb5_err.c:67 -+msgid "Policy is in use" -+msgstr "Richtlinie ist in Benutzung" -+ -+#: ../lib/kadm5/kadm_err.c:51 -+msgid "Connection to server already initialized" -+msgstr "Verbindung zum Server ist bereits initialisiert" -+ -+#: ../lib/kadm5/kadm_err.c:52 -+msgid "Incorrect password" -+msgstr "falsches Passwort" -+ -+#: ../lib/kadm5/kadm_err.c:53 -+msgid "Cannot change protected principal" -+msgstr "geschützter Principal kann nicht geändert werden" -+ -+#: ../lib/kadm5/kadm_err.c:54 -+msgid "Programmer error! Bad Admin server handle" -+msgstr "Fehler des Programmierers! Falscher Admin-Server-Identifikator" -+ -+#: ../lib/kadm5/kadm_err.c:55 -+msgid "Programmer error! Bad API structure version" -+msgstr "Fehler des Programmierers! Falsche API-Strukturversion" -+ -+#: ../lib/kadm5/kadm_err.c:56 -+msgid "" -+"API structure version specified by application is no longer supported (to " -+"fix, recompile application against current KADM5 API header files and " -+"libraries)" -+msgstr "" -+"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger " -+"unterstützt. (Kompilieren Sie die Anwendung mit den aktuellen KADM5-API-" -+"Header-Dateien und -Bibliotheken, um dies zu beheben.)" -+ -+#: ../lib/kadm5/kadm_err.c:57 -+msgid "" -+"API structure version specified by application is unknown to libraries (to " -+"fix, obtain current KADM5 API header files and libraries and recompile " -+"application)" -+msgstr "" -+"Die von der Anwendung angegebene Version der API-Struktur ist den " -+"Bibliotheken unbekannt. (Besorgen Sie sich die aktuellen KADM5-API-Header-" -+"Dateien und -Bibliotheken und kompilieren Sie die Anwendung neu, um dies zu " -+"beheben.)" -+ -+#: ../lib/kadm5/kadm_err.c:58 -+msgid "Programmer error! 
Bad API version" -+msgstr "Fehler des Programmierers! Falsche API-Version" -+ -+#: ../lib/kadm5/kadm_err.c:59 -+msgid "" -+"API version specified by application is no longer supported by libraries (to " -+"fix, update application to adhere to current API version and recompile)" -+msgstr "" -+"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger " -+"von den Bibliotheken unterstützt. (Aktualisieren Sie die Anwendung, dass sie " -+"zu der aktuellen API-Version passt, und kompilieren Sie sie, um dies zu " -+"beheben.)" -+ -+#: ../lib/kadm5/kadm_err.c:60 -+msgid "" -+"API version specified by application is no longer supported by server (to " -+"fix, update application to adhere to current API version and recompile)" -+msgstr "" -+"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger " -+"vom Server unterstützt. (Aktualisieren Sie die Anwendung, dass sie zu der " -+"aktuellen API-Version passt, und kompilieren Sie sie, um dies zu beheben.)" -+ -+#: ../lib/kadm5/kadm_err.c:61 -+msgid "" -+"API version specified by application is unknown to libraries (to fix, obtain " -+"current KADM5 API header files and libraries and recompile application)" -+msgstr "" -+"Die von der Anwendung angegebenene API-Version ist den Bibliotheken " -+"unbekannt. (Besorgen Sie sich die aktuellen KADM5-API-Header-Dateien und -" -+"Bibliotheken und kompilieren Sie die Anwendung neu, um dies zu beheben.)" -+ -+#: ../lib/kadm5/kadm_err.c:62 -+msgid "" -+"API version specified by application is unknown to server (to fix, obtain " -+"and install newest KADM5 Admin Server)" -+msgstr "" -+"Die von der Anwendung angegebene API-Version ist dem Server unbekannt. " -+"(Besorgen und installieren Sie sich den neuesten KADM5-Admin-Server, um dies " -+"zu beheben.)" -+ -+#: ../lib/kadm5/kadm_err.c:63 -+msgid "Database error! Required KADM5 principal missing" -+msgstr "Datenbankfehler! 
Erforderlicher KADM5-Principal fehlt" -+ -+#: ../lib/kadm5/kadm_err.c:64 -+msgid "The salt type of the specified principal does not support renaming" -+msgstr "Der Salt-Typ des angegebenen Principals unterstützt kein Umbenennen." -+ -+#: ../lib/kadm5/kadm_err.c:65 -+msgid "Illegal configuration parameter for remote KADM5 client" -+msgstr "widerrechtlicher Konfigurationsparameter für fernen KADM5-Client" -+ -+#: ../lib/kadm5/kadm_err.c:66 -+msgid "Illegal configuration parameter for local KADM5 client" -+msgstr "widerrechtlicher Konfigurationsparameter für lokalen KADM5-Client" -+ -+#: ../lib/kadm5/kadm_err.c:67 -+msgid "Operation requires ``list'' privilege" -+msgstr "Aktion erfordert das »list«-Recht" -+ -+#: ../lib/kadm5/kadm_err.c:68 -+msgid "Operation requires ``change-password'' privilege" -+msgstr "Aktion erfordert das »change-password«-Recht" -+ -+#: ../lib/kadm5/kadm_err.c:69 -+msgid "GSS-API (or Kerberos) error" -+msgstr "GSS-API- (oder Kerberos-) Fehler" -+ -+#: ../lib/kadm5/kadm_err.c:70 -+msgid "Programmer error! Illegal tagged data list type" -+msgstr "" -+"Fehler des Programmierers! 
Widerrechlicher Listentyp für gekennzeichnete " -+"Daten" -+ -+#: ../lib/kadm5/kadm_err.c:71 -+msgid "Required parameters in kdc.conf missing" -+msgstr "erforderliche Parameter in »kdc.conf« fehlen" -+ -+#: ../lib/kadm5/kadm_err.c:72 -+msgid "Bad krb5 admin server hostname" -+msgstr "falscher Rechnername des KRB5-Admin-Servers" -+ -+#: ../lib/kadm5/kadm_err.c:73 -+msgid "Operation requires ``set-key'' privilege" -+msgstr "Aktion erfordert das »set-key«-Recht" -+ -+#: ../lib/kadm5/kadm_err.c:74 -+msgid "Multiple values for single or folded enctype" -+msgstr "" -+"mehrere Werte für einzelnen Verschlüsselungstyp oder Verschlüsselungstyp mit " -+"Salt" -+ -+#: ../lib/kadm5/kadm_err.c:75 -+msgid "Invalid enctype for setv4key" -+msgstr "widerrechtlicher Verschlüsselungstyp für Setv4key" -+ -+#: ../lib/kadm5/kadm_err.c:76 -+msgid "Mismatched enctypes for setkey3" -+msgstr "nicht zusammenpassende Verschlüsselungstypen für Setkey3" -+ -+#: ../lib/kadm5/kadm_err.c:77 -+msgid "Missing parameters in krb5.conf required for kadmin client" -+msgstr "für Kadmin-Client benötigte Parameter fehlen in »krb5.conf«" -+ -+#: ../lib/kadm5/kadm_err.c:78 ../lib/kdb/adb_err.c:30 -+msgid "XDR encoding error" -+msgstr "XDR-Verschlüsselungsfehler" -+ -+#: ../lib/kadm5/kadm_err.c:79 -+msgid "Cannot resolve network address for admin server in requested realm" -+msgstr "" -+"Die Netzwerkadresse für den Admin-Server im angeforderten Realm kann nicht " -+"aufgelöst werden." 
-+ -+#: ../lib/kadm5/kadm_err.c:80 -+msgid "Unspecified password quality failure" -+msgstr "nicht näher angegebener Passwortqualitätsfehlschlag" -+ -+#: ../lib/kadm5/kadm_err.c:81 -+msgid "Invalid key/salt tuples" -+msgstr "ungültige Schlüssel-/Salt-Tupel" -+ -+#: ../lib/kdb/adb_err.c:23 -+msgid "No Error" -+msgstr "kein Fehler" -+ -+#: ../lib/kdb/adb_err.c:25 -+msgid "Principal or policy does not exist" -+msgstr "Principal oder Richtlinie existiert nicht" -+ -+#: ../lib/kdb/adb_err.c:26 -+msgid "Database not initialized" -+msgstr "Datenbank nicht initialisiert" -+ -+#: ../lib/kdb/adb_err.c:27 -+msgid "Invalid policy name" -+msgstr "ungültiger Richtlinienname" -+ -+#: ../lib/kdb/adb_err.c:28 -+msgid "Invalid principal name" -+msgstr "ungültiger Principal-Name" -+ -+#: ../lib/kdb/adb_err.c:31 -+msgid "Failure!" -+msgstr "Fehlschlag!" -+ -+#: ../lib/kdb/adb_err.c:32 -+msgid "Bad lock mode" -+msgstr "falscher Sperrmodus" -+ -+#: ../lib/kdb/adb_err.c:33 -+msgid "Cannot lock database" -+msgstr "Datenbank kann nicht gesperrt werden" -+ -+#: ../lib/kdb/adb_err.c:34 -+msgid "Database not locked" -+msgstr "Datenbank nicht gesperrt" -+ -+#: ../lib/kdb/adb_err.c:35 -+msgid "KADM5 administration database lock file missing" -+msgstr "Sperrdatei der KADM5-Verwaltungsdatenbank fehlt" -+ -+#: ../lib/kdb/adb_err.c:36 -+msgid "Insufficient permission to lock file" -+msgstr "keine ausreichenden Rechte zum Sperren der Datei" -+ -+#: ../lib/krb5/error_tables/k5e1_err.c:23 -+msgid "Plugin does not support interface version" -+msgstr "Erweiterung unterstützt nicht die Schnittstellenversion" -+ -+#: ../lib/krb5/error_tables/k5e1_err.c:24 -+msgid "Invalid module specifier" -+msgstr "ungültige Modulangabe" -+ -+#: ../lib/krb5/error_tables/k5e1_err.c:25 -+msgid "Plugin module name not found" -+msgstr "Erweiterungsmodulname nicht gefunden" -+ -+#: ../lib/krb5/error_tables/k5e1_err.c:26 -+msgid "The KDC should discard this request" -+msgstr "Das KDC sollte diese Anfrage verwerfen" -+ -+#: 
../lib/krb5/error_tables/k5e1_err.c:27 -+msgid "Can't create new subsidiary cache" -+msgstr "Der neue ergänzende Zwischenspeicher kann nicht erzeugt werden" -+ -+#: ../lib/krb5/error_tables/k5e1_err.c:28 -+msgid "Invalid keyring anchor name" -+msgstr "ungültiger Schlüsselbundverankerungsname" -+ -+#: ../lib/krb5/error_tables/k5e1_err.c:29 -+msgid "Unknown keyring collection version" -+msgstr "unbekannte Schlüsselbundsammlungsversion" -+ -+#: ../lib/krb5/error_tables/k5e1_err.c:30 -+msgid "Invalid UID in persistent keyring name" -+msgstr "ungültige UID im beständigen Schlüsselbundnamen" -+ -+#: ../lib/krb5/error_tables/k5e1_err.c:31 -+msgid "Malformed reply from KCM daemon" -+msgstr "Antwort des KCM-Daemons hat die falsche Form" -+ -+#: ../lib/krb5/error_tables/k5e1_err.c:32 -+msgid "Mach RPC error communicating with KCM daemon" -+msgstr "Mach-RPC-Fehler beim der Kommunikation mit dem KCM-Daemon" -+ -+#: ../lib/krb5/error_tables/k5e1_err.c:33 -+msgid "KCM daemon reply too big" -+msgstr "Antwort des KCM-Daemons zu groß" -+ -+#: ../lib/krb5/error_tables/k5e1_err.c:34 -+msgid "No KCM server found" -+msgstr "Kein KCM-Server gefunden" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:24 -+msgid "Client's entry in database has expired" -+msgstr "Eintrag des Clients in der Datenbank ist abgelaufen" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:25 -+msgid "Server's entry in database has expired" -+msgstr "Eintrag des Servers in der Datenbank ist abgelaufen" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:26 -+msgid "Requested protocol version not supported" -+msgstr "angeforderte Protokollversion nicht unterstützt" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:27 -+msgid "Client's key is encrypted in an old master key" -+msgstr "" -+"Der Schlüssel des Clients wurde mit einem alten Hauptschlüssel verschlüsselt." 
-+ -+#: ../lib/krb5/error_tables/krb5_err.c:28 -+msgid "Server's key is encrypted in an old master key" -+msgstr "" -+"Der Schlüssel des Servers wurde mit einem alten Hauptschlüssel verschlüsselt." -+ -+#: ../lib/krb5/error_tables/krb5_err.c:29 -+msgid "Client not found in Kerberos database" -+msgstr "Client nicht in der Kerberos-Datenbank gefunden" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:30 -+msgid "Server not found in Kerberos database" -+msgstr "Server nicht in der Kerberos-Datenbank gefunden" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:31 -+msgid "Principal has multiple entries in Kerberos database" -+msgstr "Principal hat in der Kerberos-Datenbank mehrere Einträge" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:32 -+msgid "Client or server has a null key" -+msgstr "Client oder Server hat einen Nullschlüssel" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:33 -+msgid "Ticket is ineligible for postdating" -+msgstr "Ticket ist zum Vordatieren ungeeignet" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:34 -+msgid "Requested effective lifetime is negative or too short" -+msgstr "Die angeforderte effektive Lebensdauer ist negativ oder zu kurz." 
-+ -+#: ../lib/krb5/error_tables/krb5_err.c:35 -+msgid "KDC policy rejects request" -+msgstr "KDC-Richtlinie weist die Anfrage zurück" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:36 -+msgid "KDC can't fulfill requested option" -+msgstr "KDC kann erforderliche Option nicht erfüllen" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:37 -+msgid "KDC has no support for encryption type" -+msgstr "KDC unterstützt diesen Verschlüsselungstyp nicht" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:38 -+msgid "KDC has no support for checksum type" -+msgstr "KDC unterstützt diesen Prüfsummentyp nicht" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:39 -+msgid "KDC has no support for padata type" -+msgstr "KDC unterstützt diesen Padata-Typ nicht" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:40 -+msgid "KDC has no support for transited type" -+msgstr "KDC unterstützt diesen Übergangstyp nicht" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:41 -+msgid "Clients credentials have been revoked" -+msgstr "Anmeldedaten des Clients wurden widerrufen" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:42 -+msgid "Credentials for server have been revoked" -+msgstr "Anmeldedaten für den Server wurden widerrufen" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:43 -+msgid "TGT has been revoked" -+msgstr "TGT wurde widerrufen" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:44 -+msgid "Client not yet valid - try again later" -+msgstr "Client noch nicht gültig – versuchen Sie es später noch einmal" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:45 -+msgid "Server not yet valid - try again later" -+msgstr "Server noch nicht gültig – versuchen Sie es später noch einmal" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:46 -+msgid "Password has expired" -+msgstr "Passwort ist abgelaufen" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:47 -+msgid "Preauthentication failed" -+msgstr "Vorauthentifizierung fehlgeschlagen" -+ -+#: ../lib/krb5/error_tables/krb5_err.c:48 -+msgid "Additional pre-authentication required" -+msgstr "zusätzlich 
Vorauthentifizierung erforderlich"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:49
-+msgid "Requested server and ticket don't match"
-+msgstr "abgefragter Server und Ticket passen nicht zusammen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:50
-+msgid "Server principal valid for user2user only"
-+msgstr "Der Server-Principal ist nur für »user2user« gültig"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:51
-+msgid "KDC policy rejects transited path"
-+msgstr "KDC-Richtlinie verwirft durchgereichten Pfad"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:52
-+msgid "A service is not available that is required to process the request"
-+msgstr ""
-+"Ein Dienst, der zum Verarbeiten der Abfrage erforderlich ist, ist nicht "
-+"verfügbar."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:53
-+msgid "KRB5 error code 30"
-+msgstr "KRB5-Fehlercode 30"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:54
-+msgid "Decrypt integrity check failed"
-+msgstr "Entschlüsselungsintegritätsprüfung fehlgeschlagen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:55
-+msgid "Ticket expired"
-+msgstr "Ticket abgelaufen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:56
-+msgid "Ticket not yet valid"
-+msgstr "Ticket noch nicht gültig"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:57
-+msgid "Request is a replay"
-+msgstr "Anfrage ist eine Wiederholung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:58
-+msgid "The ticket isn't for us"
-+msgstr "Das Ticket ist nicht für uns."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:59
-+msgid "Ticket/authenticator don't match"
-+msgstr "Ticket/Schlüsselziffer passen nicht zueinander"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:60
-+msgid "Clock skew too great"
-+msgstr "Uhrzeitabweichung zu groß"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:61
-+msgid "Incorrect net address"
-+msgstr "falsche Netzwerkadresse"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:62
-+msgid "Protocol version mismatch"
-+msgstr "Protokollversion passt nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:63
-+msgid "Invalid message type"
-+msgstr "ungültiger Nachrichtentyp"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:64
-+msgid "Message stream modified"
-+msgstr "Nachrichtendatenstrom geändert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:65
-+msgid "Message out of order"
-+msgstr "Nachricht nicht in Ordnung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:66
-+msgid "Illegal cross-realm ticket"
-+msgstr "Widerrechliches Realm-übergreifendes Ticket"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:67
-+msgid "Key version is not available"
-+msgstr "Schlüsselversion ist nicht verfügbar"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:68
-+msgid "Service key not available"
-+msgstr "Dienstschlüssel nicht verfügbar"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:69
-+#: ../lib/krb5/error_tables/krb5_err.c:181
-+msgid "Mutual authentication failed"
-+msgstr "gegenseitige Authentifizierung fehlgeschlagen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:70
-+msgid "Incorrect message direction"
-+msgstr "falsche Nachrichtenrichtung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:71
-+msgid "Alternative authentication method required"
-+msgstr "alternative Authentifizierungsmethode erforderlich"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:72
-+msgid "Incorrect sequence number in message"
-+msgstr "falsche Sequenznummer in der Nachricht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:73
-+msgid "Inappropriate type of checksum in message"
-+msgstr "ungeeigneter
Prüfsummentyp in der Nachricht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:74
-+msgid "Policy rejects transited path"
-+msgstr "Richtlinie verwirft durchgereichten Pfad"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:75
-+msgid "Response too big for UDP, retry with TCP"
-+msgstr "Antwort für UDP zu groß, erneuter Versuch mit TCP"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:76
-+msgid "KRB5 error code 53"
-+msgstr "KRB5-Fehlercode 53"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:77
-+msgid "KRB5 error code 54"
-+msgstr "KRB5-Fehlercode 54"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:78
-+msgid "KRB5 error code 55"
-+msgstr "KRB5-Fehlercode 55"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:79
-+msgid "KRB5 error code 56"
-+msgstr "KRB5-Fehlercode 56"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:80
-+msgid "KRB5 error code 57"
-+msgstr "KRB5-Fehlercode 57"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:81
-+msgid "KRB5 error code 58"
-+msgstr "KRB5-Fehlercode 58"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:82
-+msgid "KRB5 error code 59"
-+msgstr "KRB5-Fehlercode 59"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:83
-+msgid "Generic error (see e-text)"
-+msgstr "allgemeiner Fehler (siehe E-Text)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:84
-+msgid "Field is too long for this implementation"
-+msgstr "Feld ist für diese Implementierung zu lang"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:85
-+msgid "Client not trusted"
-+msgstr "Client nicht vertrauenswürdig"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:86
-+msgid "KDC not trusted"
-+msgstr "KDC nicht vertrauenswürdig"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:87
-+msgid "Invalid signature"
-+msgstr "ungültige Signatur"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:88
-+msgid "Key parameters not accepted"
-+msgstr "Schlüsselparameter nicht akzeptiert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:89
-+msgid "Certificate mismatch"
-+msgstr "Zertifikat passt nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:90
-+msgid "No ticket
granting ticket"
-+msgstr "kein ticketgewährendes Ticket"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:91
-+msgid "Realm not local to KDC"
-+msgstr "Realm für KDC nicht lokal"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:92
-+msgid "User to user required"
-+msgstr "Benutzer-zu-Benutzer erforderlich"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:93
-+msgid "Can't verify certificate"
-+msgstr "Zertifikat kann nicht überprüft werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:94
-+msgid "Invalid certificate"
-+msgstr "ungültiges Zertifikat"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:95
-+msgid "Revoked certificate"
-+msgstr "widerrufenes Zertifikat"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:96
-+msgid "Revocation status unknown"
-+msgstr "Widerrufsstatus unbekannt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:97
-+msgid "Revocation status unavailable"
-+msgstr "Widerrufsstatus nicht verfügbar"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:98
-+msgid "Client name mismatch"
-+msgstr "Client-Name passt nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:99
-+msgid "KDC name mismatch"
-+msgstr "KDC-Name passt nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:100
-+msgid "Inconsistent key purpose"
-+msgstr "inkonstistenter Schlüsselzweck"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:101
-+msgid "Digest in certificate not accepted"
-+msgstr "Kurzfassung im Zertifikat nicht akzeptiert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:102
-+msgid "Checksum must be included"
-+msgstr "Prüfsumme muss enthalten sein"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:103
-+msgid "Digest in signed-data not accepted"
-+msgstr "Kurzfassung in signierten Daten nicht akzeptiert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:104
-+msgid "Public key encryption not supported"
-+msgstr "Asymetrische Verschlüsselung nicht unterstützt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:105
-+msgid "KRB5 error code 82"
-+msgstr "KRB5-Fehlercode 82"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:106
-+msgid "KRB5 error
code 83"
-+msgstr "KRB5-Fehlercode 83"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:107
-+msgid "KRB5 error code 84"
-+msgstr "KRB5-Fehlercode 84"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:108
-+msgid "The IAKERB proxy could not find a KDC"
-+msgstr "Der IAKERB-Proxy konnte kein KDC finden."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:109
-+msgid "The KDC did not respond to the IAKERB proxy"
-+msgstr "Das KDC anwortete dem IAKERB-Proxy nicht."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:110
-+msgid "KRB5 error code 87"
-+msgstr "KRB5-Fehlercode 87"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:111
-+msgid "KRB5 error code 88"
-+msgstr "KRB5-Fehlercode 88"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:112
-+msgid "KRB5 error code 89"
-+msgstr "KRB5-Fehlercode 89"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:113
-+msgid "KRB5 error code 90"
-+msgstr "KRB5-Fehlercode 90"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:114
-+msgid "KRB5 error code 91"
-+msgstr "KRB5-Fehlercode 91"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:115
-+msgid "KRB5 error code 92"
-+msgstr "KRB5-Fehlercode 92"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:116
-+msgid "An unsupported critical FAST option was requested"
-+msgstr "Es wurde eine nicht unterstützte kritische FAST-Aktion angefordert."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:117
-+msgid "KRB5 error code 94"
-+msgstr "KRB5-Fehlercode 94"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:118
-+msgid "KRB5 error code 95"
-+msgstr "KRB5-Fehlercode 95"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:119
-+msgid "KRB5 error code 96"
-+msgstr "KRB5-Fehlercode 96"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:120
-+msgid "KRB5 error code 97"
-+msgstr "KRB5-Fehlercode 97"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:121
-+msgid "KRB5 error code 98"
-+msgstr "KRB5-Fehlercode 98"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:122
-+msgid "KRB5 error code 99"
-+msgstr "KRB5-Fehlercode 99"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:123
-+msgid "No acceptable KDF offered"
-+msgstr "kein akzeptables KDF angeboten"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:124
-+msgid "KRB5 error code 101"
-+msgstr "KRB5-Fehlercode 101"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:125
-+msgid "KRB5 error code 102"
-+msgstr "KRB5-Fehlercode 102"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:126
-+msgid "KRB5 error code 103"
-+msgstr "KRB5-Fehlercode 103"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:127
-+msgid "KRB5 error code 104"
-+msgstr "KRB5-Fehlercode 104"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:128
-+msgid "KRB5 error code 105"
-+msgstr "KRB5-Fehlercode 105"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:129
-+msgid "KRB5 error code 106"
-+msgstr "KRB5-Fehlercode 106"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:130
-+msgid "KRB5 error code 107"
-+msgstr "KRB5-Fehlercode 107"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:131
-+msgid "KRB5 error code 108"
-+msgstr "KRB5-Fehlercode 108"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:132
-+msgid "KRB5 error code 109"
-+msgstr "KRB5-Fehlercode 109"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:133
-+msgid "KRB5 error code 110"
-+msgstr "KRB5-Fehlercode 110"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:134
-+msgid "KRB5 error code 111"
-+msgstr "KRB5-Fehlercode 111"
-+
-+#:
../lib/krb5/error_tables/krb5_err.c:135
-+msgid "KRB5 error code 112"
-+msgstr "KRB5-Fehlercode 112"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:136
-+msgid "KRB5 error code 113"
-+msgstr "KRB5-Fehlercode 113"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:137
-+msgid "KRB5 error code 114"
-+msgstr "KRB5-Fehlercode 114"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:138
-+msgid "KRB5 error code 115"
-+msgstr "KRB5-Fehlercode 115"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:139
-+msgid "KRB5 error code 116"
-+msgstr "KRB5-Fehlercode 116"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:140
-+msgid "KRB5 error code 117"
-+msgstr "KRB5-Fehlercode 117"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:141
-+msgid "KRB5 error code 118"
-+msgstr "KRB5-Fehlercode 118"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:142
-+msgid "KRB5 error code 119"
-+msgstr "KRB5-Fehlercode 119"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:143
-+msgid "KRB5 error code 120"
-+msgstr "KRB5-Fehlercode 120"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:144
-+msgid "KRB5 error code 121"
-+msgstr "KRB5-Fehlercode 121"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:145
-+msgid "KRB5 error code 122"
-+msgstr "KRB5-Fehlercode 122"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:146
-+msgid "KRB5 error code 123"
-+msgstr "KRB5-Fehlercode 123"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:147
-+msgid "KRB5 error code 124"
-+msgstr "KRB5-Fehlercode 124"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:148
-+msgid "KRB5 error code 125"
-+msgstr "KRB5-Fehlercode 125"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:149
-+msgid "KRB5 error code 126"
-+msgstr "KRB5-Fehlercode 126"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:150
-+msgid "KRB5 error code 127"
-+msgstr "KRB5-Fehlercode 127"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:151
-+#: ../lib/krb5/error_tables/kdb5_err.c:23
-+msgid "$Id$"
-+msgstr "$Id$"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:152
-+msgid "Invalid flag for file lock mode"
-+msgstr "ungültiger Schalter für den
Datei-Sperrmodus"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:153
-+msgid "Cannot read password"
-+msgstr "Passwort kann nicht gelesen werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:154
-+msgid "Password mismatch"
-+msgstr "Passwort stimmt nicht überein"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:155
-+msgid "Password read interrupted"
-+msgstr "Lesen des Passworts unterbrochen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:156
-+msgid "Illegal character in component name"
-+msgstr "ungültiges Zeichen in Komponentenname"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:157
-+msgid "Malformed representation of principal"
-+msgstr "Darstellung des Principals in falscher Form"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:158
-+msgid "Can't open/find Kerberos configuration file"
-+msgstr "Kerberos-Konfigurationsdatei kann nicht geöffnet/gefunden werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:159
-+msgid "Improper format of Kerberos configuration file"
-+msgstr "Format der Kerberos-Konfigurationsdatei ist ungeeignet"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:160
-+msgid "Insufficient space to return complete information"
-+msgstr "Platz reicht nicht zur Rückgabe aller Informationen aus"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:161
-+msgid "Invalid message type specified for encoding"
-+msgstr "der zum Kodieren angegebene Nachrichtentyp ist ungültig"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:162
-+msgid "Credential cache name malformed"
-+msgstr "falsche Form des Anmeldedatenzwischenspeichernamens"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:163
-+msgid "Unknown credential cache type"
-+msgstr "unbekannter Anmeldedatenzwischenspeichertyp"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:164
-+msgid "Matching credential not found"
-+msgstr "keine passenden Anmeldedaten gefunden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:165
-+msgid "End of credential cache reached"
-+msgstr "Ende des Anmeldedatenzwischenspeichers erreicht"
-+
-+#:
../lib/krb5/error_tables/krb5_err.c:166
-+msgid "Request did not supply a ticket"
-+msgstr "Anfrage lieferte kein Ticket"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:167
-+msgid "Wrong principal in request"
-+msgstr "falscher Principal in der Anfrage"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:168
-+msgid "Ticket has invalid flag set"
-+msgstr "Das Ticket hat einen falsch gesetzten Schalter."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:169
-+msgid "Requested principal and ticket don't match"
-+msgstr "angeforderter Principal und Ticket passen nicht zusammen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:170
-+msgid "KDC reply did not match expectations"
-+msgstr "KDC-Antwort entsprach nicht den Erwartungen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:171
-+msgid "Clock skew too great in KDC reply"
-+msgstr "Zeitversatz in der KDC-Antwort zu groß"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:172
-+msgid "Client/server realm mismatch in initial ticket request"
-+msgstr ""
-+"Client-/Server-Realm passen in der anfänglichen Ticketanfrage nicht zusammen."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:173
-+msgid "Program lacks support for encryption type"
-+msgstr ""
-+"Dem Programm fehlt es an der Unterstützung für den Verschlüsselungstyp."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:174
-+msgid "Program lacks support for key type"
-+msgstr "Dem Programm fehlt es an der Unterstützung für den Schlüsseltyp."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:175
-+msgid "Requested encryption type not used in message"
-+msgstr ""
-+"Der angeforderte Verschlüsselungstyp wird in der Nachricht nicht verwendet."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:176
-+msgid "Program lacks support for checksum type"
-+msgstr "Dem Programm fehlt es an der Unterstützung für den Prüfsummentyp."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:177
-+msgid "Cannot find KDC for requested realm"
-+msgstr "KDC für angeforderten Realm kann nicht gefunden werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:178
-+msgid "Kerberos service unknown"
-+msgstr "Kerberos-Dienst unbekannt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:179
-+msgid "Cannot contact any KDC for requested realm"
-+msgstr "Für den angeforderten Realm kann kein KDC kontaktiert werden."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:180
-+msgid "No local name found for principal name"
-+msgstr "Für den Principal-Namen wurde kein lokaler Name gefunden."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:182
-+msgid "Replay cache type is already registered"
-+msgstr "Wiederholungszwischenspeichertyp ist bereits registriert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:183
-+msgid "No more memory to allocate (in replay cache code)"
-+msgstr ""
-+"kein Speicher mehr zu reservieren (im Wiederholungszwischenspeichercode)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:184
-+msgid "Replay cache type is unknown"
-+msgstr "Wiederholungszwischenspeichertyp ist unbekannt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:185
-+msgid "Generic unknown RC error"
-+msgstr "allgemeiner unbekannter Wiederholungszwischenspeicherfehler"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:186
-+msgid "Message is a replay"
-+msgstr "Nachricht ist eine Wiederholung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:187
-+msgid "Replay cache I/O operation failed"
-+msgstr "Wiederholungszwischenspeicher-E/A-Aktion fehlgeschlagen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:188
-+msgid "Replay cache type does not support non-volatile storage"
-+msgstr ""
-+"Wiederholungszwischenspeichertyp unterstützt keinen beständigen Speicher"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:189
-+msgid "Replay cache name parse/format error"
-+msgstr "Auswerte-/Formatfehler im Wiederholungszwischenspeichernamens"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:190
-+msgid
"End-of-file on replay cache I/O"
-+msgstr "Dateiende bei der E/A des Wiederholungszwischenspeichers"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:191
-+msgid "No more memory to allocate (in replay cache I/O code)"
-+msgstr ""
-+"kein weiterer Speicher reservierbar (im Wiederholungszwischenspeicher-E/A-"
-+"Code)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:192
-+msgid "Permission denied in replay cache code"
-+msgstr "Zugriff im Wiederholungszwischenspeichercode verweigert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:193
-+msgid "I/O error in replay cache i/o code"
-+msgstr "E/A-Fehler im Wiederholungszwischenspeicher-E/A-Code"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:194
-+msgid "Generic unknown RC/IO error"
-+msgstr "allgemeiner unbekannter Wiederholungszwischenspeicher-/E/A-Fehler"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:195
-+msgid "Insufficient system space to store replay information"
-+msgstr ""
-+"Platz im System reicht nicht zum Speichern der Wiederholungsinformationen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:196
-+msgid "Can't open/find realm translation file"
-+msgstr "Realm-Übersetzungsdatei kann nicht geöffnet/gefunden werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:197
-+msgid "Improper format of realm translation file"
-+msgstr "Format der Realm-Übersetzungsdatei ist ungeeignet"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:198
-+msgid "Can't open/find lname translation database"
-+msgstr "die Lname-Übersetzungsdatenbank kann nicht geöffnet/gefunden werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:199
-+msgid "No translation available for requested principal"
-+msgstr "Für den angeforderten Principal ist keine Übersetzung verfügbar."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:200
-+msgid "Improper format of translation database entry"
-+msgstr "Format des Eintrags der Übersetzungsdatenbank ist ungeeignet"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:201
-+msgid "Cryptosystem internal error"
-+msgstr "interner Fehler des Verschlüsselungssystems"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:202
-+msgid "Key table name malformed"
-+msgstr "falsche Form des Schlüsseltabellennamens"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:203
-+msgid "Unknown Key table type"
-+msgstr "unbekannter Schlüsseltabellentyp"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:204
-+msgid "Key table entry not found"
-+msgstr "Schlüsseltabelleneintrag nicht gefunden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:205
-+msgid "End of key table reached"
-+msgstr "Ende der Schlüsseltabelle erreicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:206
-+msgid "Cannot write to specified key table"
-+msgstr "in angegebene Schlüsseltabelle kann nicht geschrieben werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:207
-+msgid "Error writing to key table"
-+msgstr "Fehler beim Schreiben in Schlüsseltabelle"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:208
-+msgid "Cannot find ticket for requested realm"
-+msgstr "Ticket für angeforderten Realm kann nicht gefunden werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:209
-+msgid "DES key has bad parity"
-+msgstr "DES-Schlüssel hat falsche Parität"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:210
-+msgid "DES key is a weak key"
-+msgstr "DES-Schlüssel ist schwach"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:211
-+msgid "Bad encryption type"
-+msgstr "falscher Verschlüsselungstyp"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:212
-+msgid "Key size is incompatible with encryption type"
-+msgstr "Schlüssellänge ist nicht mit dem Verschlüsselungstyp kompatibel"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:213
-+msgid "Message size is incompatible with encryption type"
-+msgstr "Nachrichtengröße ist nicht mit
Verschlüsselungstyp kompatibel"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:214
-+msgid "Credentials cache type is already registered."
-+msgstr "Anmeldedatenzwischenspeichertyp ist bereits registriert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:215
-+msgid "Key table type is already registered."
-+msgstr "Schlüsseltabellentyp ist bereits registriert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:216
-+msgid "Credentials cache I/O operation failed XXX"
-+msgstr "E/A-Aktion für Anmeldedatenzwischenspeicher fehlgeschlagen XXX"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:217
-+msgid "Credentials cache permissions incorrect"
-+msgstr "Anmeldedatenzwischenspeicherrechte nicht korrekt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:218
-+msgid "No credentials cache found"
-+msgstr "kein Anmeldedatenzwischenspeicher gefunden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:219
-+msgid "Internal credentials cache error"
-+msgstr "interner Anmeldedatenzwischenspeicherfehler"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:220
-+msgid "Error writing to credentials cache"
-+msgstr "Fehler beim Schreiben in den Anmeldedatenzwischenspeicher"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:221
-+msgid "No more memory to allocate (in credentials cache code)"
-+msgstr ""
-+"kein weiterer Speicher zu reservieren (im Anmeldedatenzwischenspeichercode)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:222
-+msgid "Bad format in credentials cache"
-+msgstr "falsches Format im Anmeldedatenzwischenspeicher"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:223
-+msgid "No credentials found with supported encryption types"
-+msgstr "keine Anmeldedaten mit unterstützten Verschlüsselungstypen gefunden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:224
-+msgid "Invalid KDC option combination (library internal error)"
-+msgstr "ungültige Kombination von KDC-Optionen (interner Bibliotheksfehler)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:225
-+msgid "Request missing second ticket"
-+msgstr "Der Anfrage fehlt das zweite
Ticket."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:226
-+msgid "No credentials supplied to library routine"
-+msgstr "der Bibliotheks-Routine wurden keine Anmeldedaten geliefert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:227
-+msgid "Bad sendauth version was sent"
-+msgstr "Es wurde eine falsche Sendauth-Version verschickt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:228
-+msgid "Bad application version was sent (via sendauth)"
-+msgstr "Es wurde eine falsche Anwendungsversion (über Sendauth) verschickt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:229
-+msgid "Bad response (during sendauth exchange)"
-+msgstr "falsche Antwort (beim Sendauth-Austausch)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:230
-+msgid "Server rejected authentication (during sendauth exchange)"
-+msgstr "Server wies Authentifizierung (beim Sendauth-Austausch) zurück"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:231
-+msgid "Unsupported preauthentication type"
-+msgstr "nicht unterstützter Vorauthentifizierungstyp"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:232
-+msgid "Required preauthentication key not supplied"
-+msgstr "erforderlicher Vorauthentifizierungsschlüssel nicht bereitgestellt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:233
-+msgid "Generic preauthentication failure"
-+msgstr "allgemeiner Fehlschlag der Vorauthentifizierung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:234
-+msgid "Unsupported replay cache format version number"
-+msgstr ""
-+"nicht unterstütztes Versionsnummernformat des Wiederholungszwischenspeichers"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:235
-+msgid "Unsupported credentials cache format version number"
-+msgstr ""
-+"nicht unterstütztes Versionsnummernformat des Anmeldedatenzwischenspeichers"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:236
-+msgid "Unsupported key table format version number"
-+msgstr "nicht unterstütztes Versionsnummernformat der Schlüsseltabelle"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:237
-+msgid "Program lacks support for
address type"
-+msgstr "Dem Programm fehlt es an der Unterstützung des Adresstyps."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:238
-+msgid "Message replay detection requires rcache parameter"
-+msgstr "Erkennung der Antwortnachricht erfordert den Parameter »rcache«"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:239
-+msgid "Hostname cannot be canonicalized"
-+msgstr "Rechnername kann nicht in Normalform gebracht werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:240
-+msgid "Cannot determine realm for host"
-+msgstr "Realm für Rechner kann nicht bestimmt werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:241
-+msgid "Conversion to service principal undefined for name type"
-+msgstr "Umwandlung in Dienst-Principal für Namenstyp nicht definiert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:242
-+msgid "Initial Ticket response appears to be Version 4 error"
-+msgstr "anfängliche Ticket-Antwort scheint ein Fehler der Version 4 zu sein"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:243
-+msgid "Cannot resolve network address for KDC in requested realm"
-+msgstr ""
-+"Netzwerkadresse für KDC im angeforderten Realm kann nicht aufgelöst werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:244
-+msgid "Requesting ticket can't get forwardable tickets"
-+msgstr "anforderndes Ticket kann keine weiterleitbaren Tickets holen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:245
-+msgid "Bad principal name while trying to forward credentials"
-+msgstr "falscher Principal beim Versuch, Anmeldedaten weiterzuleiten"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:246
-+msgid "Looping detected inside krb5_get_in_tkt"
-+msgstr "Schleife innerhalb von »krb5_get_in_tkt« entdeckt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:247
-+msgid "Configuration file does not specify default realm"
-+msgstr "Konfigurationsdatei gibt keinen Standard-Realm an"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:248
-+msgid "Bad SAM flags in obtain_sam_padata"
-+msgstr "falsche SAM-Schalter in »obtain_sam_padata«"
-+
-+#:
../lib/krb5/error_tables/krb5_err.c:249
-+msgid "Invalid encryption type in SAM challenge"
-+msgstr "ungültiger Verschlüsselungstyp in der SAM-Aufforderung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:250
-+msgid "Missing checksum in SAM challenge"
-+msgstr "fehlende Prüfsumme in der SAM-Aufforderung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:251
-+msgid "Bad checksum in SAM challenge"
-+msgstr "falsche Prüfsumme in der SAM-Aufforderung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:252
-+msgid "Keytab name too long"
-+msgstr "Schlüsseltabellennamen zu lang"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:253
-+msgid "Key version number for principal in key table is incorrect"
-+msgstr ""
-+"Schlüsselversionsnummer des Principals in der Schlüsseltabelle ist nicht "
-+"korrekt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:254
-+msgid "This application has expired"
-+msgstr "Diese Anwendung ist abgelaufen."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:255
-+msgid "This Krb5 library has expired"
-+msgstr "Diese Krb5-Bibliothek ist abgelaufen."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:256
-+msgid "New password cannot be zero length"
-+msgstr "Das neue Passwort kann nicht die Länge Null haben."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:258
-+msgid "Bad format in keytab"
-+msgstr "falsches Format in der Schlüsseltabelle"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:259
-+msgid "Encryption type not permitted"
-+msgstr "Verschlüsselungstyp nicht erlaubt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:260
-+msgid "No supported encryption types (config file error?)"
-+msgstr ""
-+"keine unterstützten Verschlüsselungstypen (Fehler in der "
-+"Konfigurationsdatei?)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:261
-+msgid "Program called an obsolete, deleted function"
-+msgstr "Das Programm rief eine veraltete, gelöschte Funktion auf."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:262
-+msgid "unknown getaddrinfo failure"
-+msgstr "unbekannter Getaddrinfo-Fehlschlag"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:263
-+msgid "no data available for host/domain name"
-+msgstr "keine Daten für Rechner/Domain-Namen verfügbar"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:264
-+msgid "host/domain name not found"
-+msgstr "Rechner/Domain-Name nicht gefunden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:265
-+msgid "service name unknown"
-+msgstr "Dienstname unbekannt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:266
-+msgid "Cannot determine realm for numeric host address"
-+msgstr "Realm für numerische Rechneradresse kann nicht bestimmt werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:267
-+msgid "Invalid key generation parameters from KDC"
-+msgstr "ungültige Parameter zum Erzeugen von Schlüsseln vom KDC"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:268
-+msgid "service not available"
-+msgstr "Dienst nicht verfügbar"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:269
-+msgid "Ccache function not supported: read-only ccache type"
-+msgstr "Ccache-Funktion nicht unterstützt: Ccache-Typ nur lesbar"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:270
-+msgid "Ccache function not supported: not implemented"
-+msgstr "Ccache-Funktion nicht unterstützt: nicht implementiert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:271
-+msgid "Invalid format of Kerberos lifetime or clock skew string"
-+msgstr ""
-+"ungültiges Format der Kerberos-Lebensdauer oder der Zeitversatzzeichenkette"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:272
-+msgid "Supplied data not handled by this plugin"
-+msgstr ""
-+"Die bereitgestellten Daten werden nicht von dieser Erweiterung behandelt."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:273
-+msgid "Plugin does not support the operation"
-+msgstr "Erweiterung unterstützt diese Aktion nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:274
-+msgid "Invalid UTF-8 string"
-+msgstr "ungültige UTF-8-Zeichenkette"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:275
-+msgid "FAST protected pre-authentication required but not supported by KDC"
-+msgstr ""
-+"FAST-geschützte Vorauthentifizierung erforderlich, aber nicht vom KDC "
-+"unterstützt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:276
-+msgid "Auth context must contain local address"
-+msgstr "Authentifizierungskontext muss lokale Adresse enthalten"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:277
-+msgid "Auth context must contain remote address"
-+msgstr "Authentifizierungskontext muss ferne Adresse enthalten"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:278
-+msgid "Tracing unsupported"
-+msgstr "Verfolgung nicht unterstützt"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:24
-+msgid "Entry already exists in database"
-+msgstr "Eintrag existiert bereits in der Datenbank"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:25
-+msgid "Database store error"
-+msgstr "Datenbank-Speicherfehler"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:26
-+msgid "Database read error"
-+msgstr "Datenbank-Lesefehler"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:27
-+msgid "Insufficient access to perform requested operation"
-+msgstr "Zugriffsrechte reichen nicht zur Durchführung der angeforderten Aktion"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:28
-+msgid "No such entry in the database"
-+msgstr "kein derartiger Eintrag in der Datenbank"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:29
-+msgid "Illegal use of wildcard"
-+msgstr "ungültige Verwendung eines Platzhalters"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:30
-+msgid "Database is locked or in use--try again later"
-+msgstr ""
-+"Datenbank ist gesperrt oder wird gerade benutzt – versuchen Sie es später "
-+"wieder"
-+
-+#:
../lib/krb5/error_tables/kdb5_err.c:31
-+msgid "Database was modified during read"
-+msgstr "Datenbank wurde während des Lesens geändert"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:32
-+msgid "Database record is incomplete or corrupted"
-+msgstr "Datensatz ist unvollständig oder beschädigt"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:33
-+msgid "Attempt to lock database twice"
-+msgstr "Es wurde zweimal versucht, die Datenbank zu sperren."
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:34
-+msgid "Attempt to unlock database when not locked"
-+msgstr ""
-+"Es wurde versucht, die Datenbank zu entsperren, obwohl sie nicht gesperrt "
-+"ist."
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:35
-+msgid "Invalid kdb lock mode"
-+msgstr "ungültiger KDB-Sperrmodus"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:36
-+msgid "Database has not been initialized"
-+msgstr "Datenbank wurde nicht initialisiert"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:37
-+msgid "Database has already been initialized"
-+msgstr "Datenbank wurde bereits initialisiert"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:38
-+msgid "Bad direction for converting keys"
-+msgstr "falsche Richtung zum Umwandeln von Schlüsseln"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:39
-+msgid "Cannot find master key record in database"
-+msgstr "Hauptschlüsseldatensatz kann nicht in der Datenbank gefunden werden"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:40
-+msgid "Master key does not match database"
-+msgstr "Hauptschlüssel passt nicht zur Datenbank"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:41
-+msgid "Key size in database is invalid"
-+msgstr "Die Schlüssellänge in der Datenbank ist ungültig,"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:42
-+msgid "Cannot find/read stored master key"
-+msgstr "Der gespeicherte Hauptschlüssel kann nicht gefunden/gelesen werden."
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:43
-+msgid "Stored master key is corrupted"
-+msgstr "Der gespeicherte Hauptschlüssel ist beschädigt."
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:44
-+msgid "Cannot find active master key"
-+msgstr "Der aktive Hauptschlüssel kann nicht gefunden werden."
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:45
-+msgid "KVNO of new master key does not match expected value"
-+msgstr "KVNO des neuen Hauptschlüssels passt nicht zum erwarteten Wert"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:46
-+msgid "Stored master key is not current"
-+msgstr "gespeicherter Hauptschlüssel ist nicht aktuell"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:47
-+msgid "Insufficient access to lock database"
-+msgstr "keine ausreichenden Zugriffsrechte zum Sperren der Datenbank"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:48
-+msgid "Database format error"
-+msgstr "fehlerhaftes Datenbankformat"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:49
-+msgid "Unsupported version in database entry"
-+msgstr "nicht unterstützte Version im Datenbankeintrag"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:50
-+msgid "Unsupported salt type"
-+msgstr "nicht unterstützter Salt-Typ"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:51
-+msgid "Unsupported encryption type"
-+msgstr "nicht unterstützter Verschlüsselungstyp"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:52
-+msgid "Bad database creation flags"
-+msgstr "falsche Schalter zum Erstellen der Datenbank"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:53
-+msgid "No matching key in entry having a permitted enctype"
-+msgstr ""
-+"kein passender Schlüssel in einem Eintrag mit erlaubtem Verschlüsselungstyp"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:54
-+msgid "No matching key in entry"
-+msgstr "kein passender Schlüssel im Eintrag"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:55
-+msgid "Unable to find requested database type"
-+msgstr "angeforderter Datenbanktyp kann nicht gefunden werden"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:56
-+msgid "Database type not supported"
-+msgstr "Datenbanktyp nicht unterstützt"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:57
-+msgid "Database library failed to initialize"
-+msgstr "Initialisieren der Datenbankbibliothek fehlgeschlagen"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:59
-+msgid "Unable to access Kerberos database"
-+msgstr "auf die Kerberos-Datenbank kann nicht zugegriffen werden"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:60
-+msgid "Kerberos database internal error"
-+msgstr "interner Kerberos-Datenbankfehler"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:61
-+msgid "Kerberos database constraints violated"
-+msgstr "Kerberos-Datenbankbeschränkungen verletzt"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:62
-+msgid "Update log conversion error"
-+msgstr "Fehler beim Umwandeln des Aktualisierungsprotokolls"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:63
-+msgid "Update log is unstable"
-+msgstr "Aktualisierungsprotokoll ist instabil"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:64
-+msgid "Update log is corrupt"
-+msgstr "Aktualisierungsprotokoll ist beschädigt"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:65
-+msgid "Generic update log error"
-+msgstr "allgemeiner Aktualisierungsprotokollfehler"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:66
-+msgid "Database module does not match KDC version"
-+msgstr "Datenbankmodul passt nicht zur KDC-Version"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:68
-+msgid "Too much string mapping data"
-+msgstr "zu viele zeichenkettenabbildenden Daten"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:23
-+msgid "ASN.1 failed call to system time library"
-+msgstr "ASN.1 beim Aufruf der Systemzeitbibliothek gescheitert"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:24
-+msgid "ASN.1 structure is missing a required field"
-+msgstr "ein erforderliches Feld fehlt in der ASN.1-Struktur"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:25
-+msgid "ASN.1 unexpected field number"
-+msgstr "ASN.1 unerwartete Feldnummer"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:26
-+msgid "ASN.1 type numbers are inconsistent"
-+msgstr "ASN.1-Typnummern sind inkonsistent"
-+
-+#: 
../lib/krb5/error_tables/asn1_err.c:27
-+msgid "ASN.1 value too large"
-+msgstr "ASN.1-Wert zu groß"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:28
-+msgid "ASN.1 encoding ended unexpectedly"
-+msgstr "ASN.1-Kodierung endete unerwartet"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:29
-+msgid "ASN.1 identifier doesn't match expected value"
-+msgstr "ASN.1-Bezeichner passt nicht zum erwarteten Wert"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:30
-+msgid "ASN.1 length doesn't match expected value"
-+msgstr "Länge von ASN.1 passt nicht zum erwarteten Wert"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:31
-+msgid "ASN.1 badly-formatted encoding"
-+msgstr "fehlerhaft formatierte ASN.1-Kodierung"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:32
-+msgid "ASN.1 parse error"
-+msgstr "ASN.1-Auswertungsfehler"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:33
-+msgid "ASN.1 bad return from gmtime"
-+msgstr "ASN.1 falscher Rückgabewert von Gmtime"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:34
-+msgid "ASN.1 non-constructed indefinite encoding"
-+msgstr "nicht konstruierte unbestimmte ASN.1-Kodierung"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:35
-+msgid "ASN.1 missing expected EOC"
-+msgstr "ASN.1 fehlt erwartetes EOC"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:36
-+msgid "ASN.1 object omitted in sequence"
-+msgstr "ASN.1-Objekt in Sequenz ausgelassen"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:23
-+msgid "Kerberos V5 magic number table"
-+msgstr "Tabelle magischer Zahlen von Kerberos V5"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:24
-+msgid "Bad magic number for krb5_principal structure"
-+msgstr "falsche magische Zahl für Krb5_principal-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:25
-+msgid "Bad magic number for krb5_data structure"
-+msgstr "falsche magische Zahl für Krb5_data-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:26
-+msgid "Bad magic number for krb5_keyblock structure"
-+msgstr "falsche magische Zahl für Krb5_krb5_keyblock-Struktur"
-+
-+#: 
../lib/krb5/error_tables/kv5m_err.c:27
-+msgid "Bad magic number for krb5_checksum structure"
-+msgstr "falsche magische Zahl für Krb5_krb5_checksum-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:28
-+msgid "Bad magic number for krb5_encrypt_block structure"
-+msgstr "falsche magische Zahl für Krb5_encrypt_bloc-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:29
-+msgid "Bad magic number for krb5_enc_data structure"
-+msgstr "falsche magische Zahl für Krb5_enc_data-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:30
-+msgid "Bad magic number for krb5_cryptosystem_entry structure"
-+msgstr "falsche magische Zahl für Krb5_cryptosystem_entry-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:31
-+msgid "Bad magic number for krb5_cs_table_entry structure"
-+msgstr "falsche magische Zahl für Krb5_cs_table_entry-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:32
-+msgid "Bad magic number for krb5_checksum_entry structure"
-+msgstr "falsche magische Zahl für Krb5_checksum_entry-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:33
-+msgid "Bad magic number for krb5_authdata structure"
-+msgstr "falsche magische Zahl für Krb5_authdata-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:34
-+msgid "Bad magic number for krb5_transited structure"
-+msgstr "falsche magische Zahl für Krb5_transited-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:35
-+msgid "Bad magic number for krb5_enc_tkt_part structure"
-+msgstr "falsche magische Zahl für Krb5_enc_tkt_part-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:36
-+msgid "Bad magic number for krb5_ticket structure"
-+msgstr "falsche magische Zahl für Krb5_ticket-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:37
-+msgid "Bad magic number for krb5_authenticator structure"
-+msgstr "falsche magische Zahl für Krb5_authenticator-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:38
-+msgid "Bad magic number for krb5_tkt_authent structure"
-+msgstr "falsche magische Zahl für 
Krb5_tkt_authent-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:39
-+msgid "Bad magic number for krb5_creds structure"
-+msgstr "falsche magische Zahl für Krb5_creds-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:40
-+msgid "Bad magic number for krb5_last_req_entry structure"
-+msgstr "falsche magische Zahl für Krb5_last_req_entry-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:41
-+msgid "Bad magic number for krb5_pa_data structure"
-+msgstr "falsche magische Zahl für Krb5_pa_data-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:42
-+msgid "Bad magic number for krb5_kdc_req structure"
-+msgstr "falsche magische Zahl für Krb5_kdc_req-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:43
-+msgid "Bad magic number for krb5_enc_kdc_rep_part structure"
-+msgstr "falsche magische Zahl für Krb5_enc_kdc_rep_part-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:44
-+msgid "Bad magic number for krb5_kdc_rep structure"
-+msgstr "falsche magische Zahl für Krb5_kdc_rep-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:45
-+msgid "Bad magic number for krb5_error structure"
-+msgstr "falsche magische Zahl für Krb5_error-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:46
-+msgid "Bad magic number for krb5_ap_req structure"
-+msgstr "falsche magische Zahl für Krb5_ap_req-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:47
-+msgid "Bad magic number for krb5_ap_rep structure"
-+msgstr "falsche magische Zahl für Krb5_ap_rep-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:48
-+msgid "Bad magic number for krb5_ap_rep_enc_part structure"
-+msgstr "falsche magische Zahl für Krb5_ap_rep_enc_part-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:49
-+msgid "Bad magic number for krb5_response structure"
-+msgstr "falsche magische Zahl für Krb5_response-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:50
-+msgid "Bad magic number for krb5_safe structure"
-+msgstr "falsche magische Zahl für Krb5_safe-Struktur"
-+
-+#: 
../lib/krb5/error_tables/kv5m_err.c:51
-+msgid "Bad magic number for krb5_priv structure"
-+msgstr "falsche magische Zahl für Krb5_priv-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:52
-+msgid "Bad magic number for krb5_priv_enc_part structure"
-+msgstr "falsche magische Zahl für Krb5_priv_enc_part-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:53
-+msgid "Bad magic number for krb5_cred structure"
-+msgstr "falsche magische Zahl für Krb5_cred-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:54
-+msgid "Bad magic number for krb5_cred_info structure"
-+msgstr "falsche magische Zahl für Krb5_cred_info-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:55
-+msgid "Bad magic number for krb5_cred_enc_part structure"
-+msgstr "falsche magische Zahl für Krb5_cred_enc_part-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:56
-+msgid "Bad magic number for krb5_pwd_data structure"
-+msgstr "falsche magische Zahl für Krb5_pwd_data-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:57
-+msgid "Bad magic number for krb5_address structure"
-+msgstr "falsche magische Zahl für Krb5_address-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:58
-+msgid "Bad magic number for krb5_keytab_entry structure"
-+msgstr "falsche magische Zahl für Krb5_keytab_entry-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:59
-+msgid "Bad magic number for krb5_context structure"
-+msgstr "falsche magische Zahl für Krb5_context-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:60
-+msgid "Bad magic number for krb5_os_context structure"
-+msgstr "falsche magische Zahl für Krb5_os_context-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:61
-+msgid "Bad magic number for krb5_alt_method structure"
-+msgstr "falsche magische Zahl für Krb5_alt_method-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:62
-+msgid "Bad magic number for krb5_etype_info_entry structure"
-+msgstr "falsche magische Zahl für Krb5_etype_info_entry-Struktur"
-+
-+#: 
../lib/krb5/error_tables/kv5m_err.c:63
-+msgid "Bad magic number for krb5_db_context structure"
-+msgstr "falsche magische Zahl für Krb5_db_context-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:64
-+msgid "Bad magic number for krb5_auth_context structure"
-+msgstr "falsche magische Zahl für Krb5_auth_context-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:65
-+msgid "Bad magic number for krb5_keytab structure"
-+msgstr "falsche magische Zahl für Krb5_keytab-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:66
-+msgid "Bad magic number for krb5_rcache structure"
-+msgstr "falsche magische Zahl für Krb5_rcache-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:67
-+msgid "Bad magic number for krb5_ccache structure"
-+msgstr "falsche magische Zahl für Krb5_ccache-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:68
-+msgid "Bad magic number for krb5_preauth_ops"
-+msgstr "falsche magische Zahl für Krb5_preauth_ops"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:69
-+msgid "Bad magic number for krb5_sam_challenge"
-+msgstr "falsche magische Zahl für Krb5_sam_challenge"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:70
-+msgid "Bad magic number for krb5_sam_challenge_2"
-+msgstr "falsche magische Zahl für Krb5_sam_challenge_2"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:71
-+msgid "Bad magic number for krb5_sam_key"
-+msgstr "falsche magische Zahl für Krb5_sam_key"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:72
-+#: ../lib/krb5/error_tables/kv5m_err.c:73
-+msgid "Bad magic number for krb5_enc_sam_response_enc"
-+msgstr "falsche magische Zahl für Krb5_enc_sam_response_enc"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:74
-+msgid "Bad magic number for krb5_sam_response"
-+msgstr "falsche magische Zahl für Krb5_sam_response"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:75
-+msgid "Bad magic number for krb5_sam_response 2"
-+msgstr "falsche magische Zahl für Krb5_sam_response 2"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:76
-+msgid "Bad magic number for 
krb5_predicted_sam_response"
-+msgstr "falsche magische Zahl für Krb5_predicted_sam_response"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:77
-+msgid "Bad magic number for passwd_phrase_element"
-+msgstr "falsche magische Zahl für Passwd_phrase_element"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:78
-+msgid "Bad magic number for GSSAPI OID"
-+msgstr "falsche magische Zahl für GSSAPI OID"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:79
-+msgid "Bad magic number for GSSAPI QUEUE"
-+msgstr "falsche magische Zahl für GSSAPI QUEUE"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:80
-+msgid "Bad magic number for fast armored request"
-+msgstr "falsche magische Zahl für per FAST geschützte Anfrage"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:81
-+msgid "Bad magic number for FAST request"
-+msgstr "falsche magische Zahl für FAST-Anfrage"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:82
-+msgid "Bad magic number for FAST response"
-+msgstr "falsche magische Zahl für FAST-Antwort"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:83
-+msgid "Bad magic number for krb5_authdata_context"
-+msgstr "falsche magische Zahl für Krb5_authdata_context"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:23
-+msgid "Cannot convert V5 keyblock"
-+msgstr "V5-Schlüsselblock kann nicht umgewandelt werden"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:24
-+msgid "Cannot convert V5 address information"
-+msgstr "V5-Adressinformationen können nicht umgewandelt werden"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:25
-+msgid "Cannot convert V5 principal"
-+msgstr "V5-Principal kann nicht umgewandelt werden"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:26
-+msgid "V5 realm name longer than V4 maximum"
-+msgstr "V5-Realm-Name ist länger als die V4-Maximallänge"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:27
-+msgid "Kerberos V4 error"
-+msgstr "Kerberos-V4-Fehler"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:28
-+msgid "Encoding too large"
-+msgstr "Kodierung zu lang"
-+
-+#: 
../lib/krb5/error_tables/krb524_err.c:29
-+msgid "Decoding out of data"
-+msgstr "Dekodieren außerhalb der Daten"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:30
-+msgid "Service not responding"
-+msgstr "Dienst antwortet nicht"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:31
-+msgid "Kerberos version 4 support is disabled"
-+msgstr "Kerberos 4 Unterstützung ist deaktiviert"
-+
-+#~ msgid "while creating server %s principal name"
-+#~ msgstr "beim Erstellen des Principal-Namens für Server %s"
-+
-+# KDC = Key Distribution Center
-+#~ msgid "while getting credentials from kdc"
-+#~ msgstr "beim Holen der Anmeldedaten vom KDC"
-+
-+# FIXME s/Retrieving/retrieving/
-+#~ msgid "while Retrieving credentials"
-+#~ msgstr "beim Abfragen der Anmeldedaten"
-+
-+#~ msgid "while copying principal"
-+#~ msgstr "beim Kopieren des Principals"
-+
-+#~ msgid "%s does not have correct permissions for %s\n"
-+#~ msgstr "%s hat nicht die erforderlichen Zugriffsrechte für %s\n"
-+
-+#~ msgid "no salt\n"
-+#~ msgstr "kein Salt\n"
-+
-+#~ msgid "%s: Couldn't grab lock\n"
-+#~ msgstr "%s: Es konnte keine Sperre erlangt werden.\n"
-+
-+#~ msgid "%s: Loads disallowed when iprop is enabled and a ulog is present\n"
-+#~ msgstr ""
-+#~ "%s: Wenn Iprop aktiviert und Ulog vorhanden ist, ist Laden nicht "
-+#~ "möglich.\n"
-+
-+#~ msgid "trying to lock database"
-+#~ msgstr "es wird versucht, die Datenbank zu sperren"
-+
-+#~ msgid "GSS-API error %s: %s\n"
-+#~ msgstr "GSS-API-Fehler %s: %s\n"
-+
-+#~ msgid "Couldn't create KRB5 Name NameType OID\n"
-+#~ msgstr "KRB5 Name NameType OID konnte nicht erstellt werden.\n"
-+
-+#~ msgid "%s: %s while initializing, aborting"
-+#~ msgstr "%s: %s beim Initialisieren, wird abgebrochen"
-+
-+#~ msgid ""
-+#~ "%s: Missing required configuration values (%lx) while initializing, "
-+#~ "aborting"
-+#~ msgstr ""
-+#~ "%s: Beim Initialisieren fehlen die erforderlichen Konfigurationswerte "
-+#~ "(%lx), wird abgebrochen"
-+
-+#~ msgid ""
-+#~ "%s: Missing 
required configuration values (%lx) while initializing, "
-+#~ "aborting\n"
-+#~ msgstr ""
-+#~ "%s: Beim Initialisieren fehlen die erforderlichen Konfigurationswerte "
-+#~ "(%lx), wird abgebrochen\n"
-+
-+#~ msgid "%s: could not initialize loop, aborting"
-+#~ msgstr "%s: Schleife konnte nicht initialisiert werden, wird abgebrochen"
-+
-+#~ msgid "%s: could not initialize loop, aborting\n"
-+#~ msgstr "%s: Schleife konnte nicht initialisiert werden, wird abgebrochen\n"
-+
-+#~ msgid "%s: %s while initializing signal handlers, aborting"
-+#~ msgstr ""
-+#~ "%s: %s beim Initialisieren des Signalbehandlungsprogramms, wird "
-+#~ "abgebrochen"
-+
-+#~ msgid "%s: %s while initializing signal handlers, aborting\n"
-+#~ msgstr ""
-+#~ "%s: %s beim Initialisieren des Signalbehandlungsprogramms, wird "
-+#~ "abgebrochen\n"
-+
-+#~ msgid "%s: %s while initializing network, aborting"
-+#~ msgstr "%s: %s beim Initialisieren des Netzwerks, wird abgebrochen"
-+
-+#~ msgid "%s: %s while initializing network, aborting\n"
-+#~ msgstr "%s: %s beim Initialisieren des Netzwerks, wird abgebrochen\n"
-+
-+#~ msgid "Cannot build GSS-API authentication names, failing."
-+#~ msgstr ""
-+#~ "GSS-API-Authentifizierungsnamen können nicht gebildet werden, "
-+#~ "fehlgeschlagen"
-+
-+#~ msgid "Can't set kdb keytab's internal context."
-+#~ msgstr ""
-+#~ "Der interne Kontext von KDBs Schlüsseltabelle kann nicht gesetzt werden."
-+
-+#~ msgid "Can't register kdb keytab."
-+#~ msgstr "Die KDB-Schlüsseltabelle kann nicht registriert werden."
-+
-+#~ msgid "Can't register acceptor keytab."
-+#~ msgstr "Die Empfängerschlüsseltabelle kann nicht registriert werden."
-+
-+#~ msgid ""
-+#~ "Cannot set GSS-API authentication names (keytab not present?), failing."
-+#~ msgstr ""
-+#~ "GSS-API-Authentifizierungsnamen können nicht gesetzt werden "
-+#~ "(Schlüsseltabelle nicht vorhanden?), fehlgeschlagen"
-+
-+#~ msgid "Cannot initialize acl file: %s"
-+#~ msgstr "ACL-Datei kann nicht initialisiert werden: %s"
-+
-+#~ msgid "%s: Cannot initialize acl file: %s\n"
-+#~ msgstr "%s: ACL-Datei kann nicht initialisiert werden: %s\n"
-+
-+#~ msgid "Cannot detach from tty: %s"
-+#~ msgstr "kann nicht vom Terminal gelöst werden: %s"
-+
-+#~ msgid "Cannot create PID file %s: %s"
-+#~ msgstr "PID-Datei %s kann nicht erstellt werden: %s"
-+
-+#~ msgid "%s: %s while mapping update log (`%s.ulog')\n"
-+#~ msgstr "%s: %s beim Abbilden des Aktualisierungsprotokolls (»%s.ulog«)\n"
-+
-+#~ msgid "%s while mapping update log (`%s.ulog')"
-+#~ msgstr "%s beim Abbilden des Aktualisierungsprotokolls (»%s.ulog«)"
-+
-+#~ msgid "%s: Cannot create IProp RPC service (PROG=%d, VERS=%d)\n"
-+#~ msgstr ""
-+#~ "%s: IProp-RPC-Dienst kann nicht erstellt werden (PROG=%d, VERS=%d)\n"
-+
-+#~ msgid "Cannot create IProp RPC service (PROG=%d, VERS=%d), failing."
-+#~ msgstr ""
-+#~ "IProp-RPC-Dienst kann nicht erstellt werden (PROG=%d, VERS=%d), "
-+#~ "fehlgeschlagen"
-+
-+#~ msgid "%s while getting IProp svc name, failing"
-+#~ msgstr "%s beim Holen des IProp-Dienstnamens, fehlgeschlagen"
-+
-+#~ msgid "%s: %s while getting IProp svc name, failing\n"
-+#~ msgstr "%s: %s beim Holen des IProp-Dienstnamens, fehlgeschlagen\n"
-+
-+#~ msgid "Unable to set RPCSEC_GSS service name (`%s'), failing."
-+#~ msgstr ""
-+#~ "der RPCSEC_GSS-Dienstname (»%s«) kann nicht gesetzt werden, fehlgeschlagen"
-+
-+#~ msgid "%s: Unable to set RPCSEC_GSS service name (`%s'), failing.\n"
-+#~ msgstr ""
-+#~ "%s: der RPCSEC_GSS-Dienstname (»%s«) kann nicht gesetzt werden, "
-+#~ "fehlgeschlagen\n"
-+
-+#~ msgid "GSS-API authentication error %.*s: recursive failure!"
-+#~ msgstr "GSS-API-Authentifizierungsfehler %.*s: rekursiver Fehlschlag!"
-+
-+#~ msgid "skipping unrecognized local address family %d"
-+#~ msgstr "nicht erkannte lokale Adressfamilie %d wird übersprungen"
-+
-+#~ msgid "got routing msg type %d(%s) v%d"
-+#~ msgstr "Routing-Meldungstyp %d(%s) v%d erhalten"
-+
-+#~ msgid "Could not create temp stash file: %s"
-+#~ msgstr "Temporäre Ablagedatei konnte nicht erstellt werden: %s"
-+
-+#~ msgid "ulog_sync_header: could not sync to disk"
-+#~ msgstr "ulog_sync_header: kann nicht auf Platte sychronisiert werden"
-+
-+#~ msgid "%s: attempt to convert non-extended krb5_get_init_creds_opt"
-+#~ msgstr ""
-+#~ "%s: Es wird versucht, nicht erweiterte »krb5_get_init_creds_opt« "
-+#~ "umzuwandeln"
-+
-+#~ msgid "krb5_sname_to_principal, while adding entries to the database"
-+#~ msgstr ""
-+#~ "»krb5_sname_to_principal« beim Hinzufügen von Einträgen zur Datenbank"
-+
-+#~ msgid "krb5_copy_principal, while adding entries to the database"
-+#~ msgstr "»krb5_copy_principal« beim Hinzufügen von Einträgen zur Datenbank"
-+
-+#~ msgid ""
-+#~ "Unable to check if SASL EXTERNAL mechanism is supported by LDAP server. "
-+#~ "Proceeding anyway ..."
-+#~ msgstr ""
-+#~ "Es konnte nicht geprüft werden, ob der Mechanismus SASL EXTERNAL vom LDAP-"
-+#~ "Server unterstützt wird. Es wird trotzdem fortgesetzt …"
-+
-+#~ msgid ""
-+#~ "SASL EXTERNAL mechanism not supported by LDAP server. Can't perform "
-+#~ "certificate-based bind."
-+#~ msgstr ""
-+#~ "Der Mechanismus SASL EXTERNAL wird nicht vom LDAP-Server unterstützt. Es "
-+#~ "kann keine zertifikatbasierte Verbindung hergestellt werden."
-+
-+#~ msgid "Error reading 'ldap_servers' attribute"
-+#~ msgstr "Fehler beim Lesen des Attributs »ldap_servers«"
-+
-+#~ msgid "Stash file entry corrupt"
-+#~ msgstr "Eintrag in der Ablagedatei beschädigt"
-+
-+#~ msgid "while setting server principal realm"
-+#~ msgstr "beim Setzen des Server-Principal-Realms"
-+
-+#~ msgid "while getting initial ticket\n"
-+#~ msgstr "beim Holen eines Anfangs-Tickets\n"
-+
-+#~ msgid "while destroying ticket cache"
-+#~ msgstr "beim Zerstören des Ticket-Zwischenspeichers"
-+
-+#~ msgid "while closing default ccache"
-+#~ msgstr "beim Schließen des Standard-Ccaches"
diff --git a/Add-KDC-policy-pluggable-interface.patch b/Add-KDC-policy-pluggable-interface.patch
deleted file mode 100644
index a5e029e..0000000
--- a/Add-KDC-policy-pluggable-interface.patch
+++ /dev/null
@@ -1,994 +0,0 @@ -From 78a1f155701f94a228c4f58f98846195a39991c4 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 27 Jun 2017 17:15:39 -0400 -Subject: [PATCH] Add KDC policy pluggable interface - -Add the header include/krb5/kdcpolicy_plugin.h, defining a pluggable -interface for modules to deny AS and TGS requests and set maximum -ticket lifetimes. This interface replaces the policy.c stub functions. - -Add check_kdcpolicy_as() and check_kdcpolicy_tgs() as entry functions. -Call them after auth indicators and ticket lifetimes have been -determined. - -Add a test module and a test script with basic kdcpolicy tests. Add -plugin interface documentation in doc/plugindev/policy.rst. - -Also authored by Matt Rogers . - -ticket: 8606 (new) -(cherry picked from commit d0969f6a8170344031ef58fd2a161190f1edfb96) -[rharwood@redhat.com: mention but do not use kadm_auth] ---- - doc/plugindev/index.rst | 1 + - doc/plugindev/kdcpolicy.rst | 24 +++ - src/Makefile.in | 1 + - src/configure.in | 1 + - src/include/Makefile.in | 1 + - src/include/k5-int.h | 4 +- - src/include/k5-trace.h | 5 + - src/include/krb5/kdcpolicy_plugin.h | 128 ++++++++++++ - src/kdc/do_as_req.c | 7 + - src/kdc/do_tgs_req.c | 6 + - src/kdc/kdc_util.c | 7 - - src/kdc/kdc_util.h | 11 - - src/kdc/main.c | 8 + - src/kdc/policy.c | 267 +++++++++++++++++++++---- - src/kdc/policy.h | 19 +- - src/kdc/tgs_policy.c | 6 - - src/lib/krb5/krb/plugin.c | 4 +- - src/plugins/kdcpolicy/test/Makefile.in | 20 ++ - src/plugins/kdcpolicy/test/deps | 0 - src/plugins/kdcpolicy/test/main.c | 111 ++++++++++ - src/plugins/kdcpolicy/test/policy_test.exports | 1 + - src/tests/Makefile.in | 1 + - src/tests/t_kdcpolicy.py | 57 ++++++ - 23 files changed, 616 insertions(+), 74 deletions(-) - create mode 100644 doc/plugindev/kdcpolicy.rst - create mode 100644 src/include/krb5/kdcpolicy_plugin.h - create mode 100644 src/plugins/kdcpolicy/test/Makefile.in - create mode 100644 src/plugins/kdcpolicy/test/deps - create mode 100644 
src/plugins/kdcpolicy/test/main.c - create mode 100644 src/plugins/kdcpolicy/test/policy_test.exports - create mode 100644 src/tests/t_kdcpolicy.py - -diff --git a/doc/plugindev/index.rst b/doc/plugindev/index.rst -index 67dbc2790..0a012b82b 100644 ---- a/doc/plugindev/index.rst -+++ b/doc/plugindev/index.rst -@@ -32,5 +32,6 @@ Contents - gssapi.rst - internal.rst - certauth.rst -+ kdcpolicy.rst - - .. TODO: GSSAPI mechanism plugins -diff --git a/doc/plugindev/kdcpolicy.rst b/doc/plugindev/kdcpolicy.rst -new file mode 100644 -index 000000000..74f21f08f ---- /dev/null -+++ b/doc/plugindev/kdcpolicy.rst -@@ -0,0 +1,24 @@ -+.. _kdcpolicy_plugin: -+ -+KDC policy interface (kdcpolicy) -+================================ -+ -+The kdcpolicy interface was first introduced in release 1.16. It -+allows modules to veto otherwise valid AS and TGS requests or restrict -+the lifetime and renew time of the resulting ticket. For a detailed -+description of the kdcpolicy interface, see the header file -+````. -+ -+The optional **check_as** and **check_tgs** functions allow the module -+to perform access control. Additionally, a module can create and -+destroy module data with the **init** and **fini** methods. Module -+data objects last for the lifetime of the KDC process, and are -+provided to all other methods. The data has the type -+krb5_kdcpolicy_moddata, which should be cast to the appropriate -+internal type. -+ -+kdcpolicy modules can optionally inspect principal entries. To do -+this, the module must also include ```` to gain access to the -+principal entry structure definition. As the KDB interface is -+explicitly not as stable as other public interfaces, modules which do -+this may not retain compatibility across releases. 
-diff --git a/src/Makefile.in b/src/Makefile.in -index ad8565056..e47bddcb1 100644 ---- a/src/Makefile.in -+++ b/src/Makefile.in -@@ -21,6 +21,7 @@ SUBDIRS=util include lib \ - plugins/kdb/db2 \ - @ldap_plugin_dir@ \ - plugins/kdb/test \ -+ plugins/kdcpolicy/test \ - plugins/preauth/otp \ - plugins/preauth/pkinit \ - plugins/preauth/test \ -diff --git a/src/configure.in b/src/configure.in -index 4ae2c07d5..ee1983043 100644 ---- a/src/configure.in -+++ b/src/configure.in -@@ -1470,6 +1470,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test - plugins/kdb/db2/libdb2/recno - plugins/kdb/db2/libdb2/test - plugins/kdb/test -+ plugins/kdcpolicy/test - plugins/preauth/otp - plugins/preauth/test - plugins/authdata/greet_client -diff --git a/src/include/Makefile.in b/src/include/Makefile.in -index 0239338a1..6a3fa8242 100644 ---- a/src/include/Makefile.in -+++ b/src/include/Makefile.in -@@ -144,6 +144,7 @@ install-headers-unix install: krb5/krb5.h profile.h - $(INSTALL_DATA) $(srcdir)/krb5/ccselect_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)ccselect_plugin.h - $(INSTALL_DATA) $(srcdir)/krb5/clpreauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)clpreauth_plugin.h - $(INSTALL_DATA) $(srcdir)/krb5/hostrealm_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)hostrealm_plugin.h -+ $(INSTALL_DATA) $(srcdir)/krb5/kdcpolicy_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)kdcpolicy_plugin.h - $(INSTALL_DATA) $(srcdir)/krb5/kdcpreauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)kdcpreauth_plugin.h - $(INSTALL_DATA) $(srcdir)/krb5/localauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)localauth_plugin.h - $(INSTALL_DATA) $(srcdir)/krb5/locate_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)locate_plugin.h -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index ed9c7bf75..39ffb9568 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -1157,7 +1157,9 @@ struct plugin_interface { - #define PLUGIN_INTERFACE_TLS 8 - #define 
PLUGIN_INTERFACE_KDCAUTHDATA 9 - #define PLUGIN_INTERFACE_CERTAUTH 10 --#define PLUGIN_NUM_INTERFACES 11 -+#define PLUGIN_INTERFACE_KADM5_AUTH 11 -+#define PLUGIN_INTERFACE_KDCPOLICY 12 -+#define PLUGIN_NUM_INTERFACES 13 - - /* Retrieve the plugin module of type interface_id and name modname, - * storing the result into module. */ -diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h -index c75e264e0..2885408a2 100644 ---- a/src/include/k5-trace.h -+++ b/src/include/k5-trace.h -@@ -454,4 +454,9 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); - #define TRACE_GET_CRED_VIA_TKT_EXT_RETURN(c, ret) \ - TRACE(c, "Got cred; {kerr}", ret) - -+#define TRACE_KDCPOLICY_VTINIT_FAIL(c, ret) \ -+ TRACE(c, "KDC policy module failed to init vtable: {kerr}", ret) -+#define TRACE_KDCPOLICY_INIT_SKIP(c, name) \ -+ TRACE(c, "kadm5_auth module {str} declined to initialize", name) -+ - #endif /* K5_TRACE_H */ -diff --git a/src/include/krb5/kdcpolicy_plugin.h b/src/include/krb5/kdcpolicy_plugin.h -new file mode 100644 -index 000000000..c7592c5db ---- /dev/null -+++ b/src/include/krb5/kdcpolicy_plugin.h -@@ -0,0 +1,128 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -+/* include/krb5/kdcpolicy_plugin.h - KDC policy plugin interface */ -+/* -+ * Copyright (C) 2017 by Red Hat, Inc. -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. 
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+/*
-+ * Declarations for kdcpolicy plugin module implementors.
-+ *
-+ * The kdcpolicy pluggable interface currently has only one supported major
-+ * version, which is 1. Major version 1 has a current minor version number of
-+ * 1.
-+ *
-+ * kdcpolicy plugin modules should define a function named
-+ * kdcpolicy__initvt, matching the signature:
-+ *
-+ * krb5_error_code
-+ * kdcpolicy_modname_initvt(krb5_context context, int maj_ver, int min_ver,
-+ * krb5_plugin_vtable vtable);
-+ *
-+ * The initvt function should:
-+ *
-+ * - Check that the supplied maj_ver number is supported by the module, or
-+ * return KRB5_PLUGIN_VER_NOTSUPP if it is not.
-+ *
-+ * - Cast the vtable pointer as appropriate for maj_ver:
-+ * maj_ver == 1: Cast to krb5_kdcpolicy_vtable
-+ *
-+ * - Initialize the methods of the vtable, stopping as appropriate for the
-+ * supplied min_ver. Optional methods may be left uninitialized.
-+ *
-+ * Memory for the vtable is allocated by the caller, not by the module.
-+ */
-+
-+#ifndef KRB5_POLICY_PLUGIN_H
-+#define KRB5_POLICY_PLUGIN_H
-+
-+#include
-+
-+/* Abstract module datatype.
*/
-+typedef struct krb5_kdcpolicy_moddata_st *krb5_kdcpolicy_moddata;
-+
-+/* A module can optionally include kdb.h to inspect principal entries when
-+ * authorizing requests. */
-+struct _krb5_db_entry_new;
-+
-+/*
-+ * Optional: Initialize module data. Return 0 on success,
-+ * KRB5_PLUGIN_NO_HANDLE if the module is inoperable (due to configuration, for
-+ * example), and any other error code to abort KDC startup. Optionally set
-+ * *data_out to a module data object to be passed to future calls.
-+ */
-+typedef krb5_error_code
-+(*krb5_kdcpolicy_init_fn)(krb5_context context,
-+ krb5_kdcpolicy_moddata *data_out);
-+
-+/* Optional: Clean up module data. */
-+typedef krb5_error_code
-+(*krb5_kdcpolicy_fini_fn)(krb5_context context,
-+ krb5_kdcpolicy_moddata moddata);
-+
-+/*
-+ * Optional: return an error code and set status to an appropriate string
-+ * literal to deny an AS request; otherwise return 0. lifetime_out, if set,
-+ * restricts the ticket lifetime. renew_lifetime_out, if set, restricts the
-+ * ticket renewable lifetime.
-+ */
-+typedef krb5_error_code
-+(*krb5_kdcpolicy_check_as_fn)(krb5_context context,
-+ krb5_kdcpolicy_moddata moddata,
-+ const krb5_kdc_req *request,
-+ const struct _krb5_db_entry_new *client,
-+ const struct _krb5_db_entry_new *server,
-+ const char *const *auth_indicators,
-+ const char **status, krb5_deltat *lifetime_out,
-+ krb5_deltat *renew_lifetime_out);
-+
-+/*
-+ * Optional: return an error code and set status to an appropriate string
-+ * literal to deny a TGS request; otherwise return 0. lifetime_out, if set,
-+ * restricts the ticket lifetime. renew_lifetime_out, if set, restricts the
-+ * ticket renewable lifetime.
-+ */
-+typedef krb5_error_code
-+(*krb5_kdcpolicy_check_tgs_fn)(krb5_context context,
-+ krb5_kdcpolicy_moddata moddata,
-+ const krb5_kdc_req *request,
-+ const struct _krb5_db_entry_new *server,
-+ const krb5_ticket *ticket,
-+ const char *const *auth_indicators,
-+ const char **status, krb5_deltat *lifetime_out,
-+ krb5_deltat *renew_lifetime_out);
-+
-+typedef struct krb5_kdcpolicy_vtable_st {
-+ const char *name;
-+ krb5_kdcpolicy_init_fn init;
-+ krb5_kdcpolicy_fini_fn fini;
-+ krb5_kdcpolicy_check_as_fn check_as;
-+ krb5_kdcpolicy_check_tgs_fn check_tgs;
-+} *krb5_kdcpolicy_vtable;
-+
-+#endif /* KRB5_POLICY_PLUGIN_H */
-diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
-index f85da6da6..f5cf8ad89 100644
---- a/src/kdc/do_as_req.c
-+++ b/src/kdc/do_as_req.c
-@@ -207,6 +207,13 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
-
- state->ticket_reply.enc_part2 = &state->enc_tkt_reply;
-
-+ errcode = check_kdcpolicy_as(kdc_context, state->request, state->client,
-+ state->server, state->auth_indicators,
-+ state->kdc_time, &state->enc_tkt_reply.times,
-+ &state->status);
-+ if (errcode)
-+ goto egress;
-+
- /*
- * Find the server key
- */
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index ac5864603..0009a9319 100644
---- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -518,6 +518,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
- kdc_get_ticket_renewtime(kdc_active_realm, request, header_enc_tkt, client,
- server, &enc_tkt_reply);
-
-+ errcode = check_kdcpolicy_tgs(kdc_context, request, server, header_ticket,
-+ auth_indicators, kdc_time,
-+ &enc_tkt_reply.times, &status);
-+ if (errcode)
-+ goto cleanup;
-+
- /*
- * Set authtime to be the same as header or evidence ticket's
- */
-diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index b710aefe4..5455e2a67 100644
---- a/src/kdc/kdc_util.c
-+++ b/src/kdc/kdc_util.c
-@@ -642,7 +642,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
- krb5_db_entry server, krb5_timestamp kdc_time,
- const char **status, krb5_pa_data ***e_data)
- {
-- int errcode;
- krb5_error_code ret;
-
- /*
-@@ -750,12 +749,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
- if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
- return errcode_to_protocol(ret);
-
-- /* Check against local policy. */
-- errcode = against_local_policy_as(request, client, server,
-- kdc_time, status, e_data);
-- if (errcode)
-- return errcode;
--
- return 0;
- }
-
-diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
-index 672f94380..dcedfd538 100644
---- a/src/kdc/kdc_util.h
-+++ b/src/kdc/kdc_util.h
-@@ -166,17 +166,6 @@ kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...)
- #endif
- ;
-
--/* policy.c */
--int
--against_local_policy_as (krb5_kdc_req *, krb5_db_entry,
-- krb5_db_entry, krb5_timestamp,
-- const char **, krb5_pa_data ***);
--
--int
--against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry,
-- krb5_ticket *, const char **,
-- krb5_pa_data ***);
--
- /* kdc_preauth.c */
- krb5_boolean
- enctype_requires_etype_info_2(krb5_enctype enctype);
-diff --git a/src/kdc/main.c b/src/kdc/main.c
-index a4dffb29a..ccac3a759 100644
---- a/src/kdc/main.c
-+++ b/src/kdc/main.c
-@@ -31,6 +31,7 @@
- #include "kdc_util.h"
- #include "kdc_audit.h"
- #include "extern.h"
-+#include "policy.h"
- #include "kdc5_err.h"
- #include "kdb_kt.h"
- #include "net-server.h"
-@@ -986,6 +987,12 @@ int main(int argc, char **argv)
-
- load_preauth_plugins(&shandle, kcontext, ctx);
- load_authdata_plugins(kcontext);
-+ retval = load_kdcpolicy_plugins(kcontext);
-+ if (retval) {
-+ kdc_err(kcontext, retval, _("while loading KDC policy plugin"));
-+ finish_realms();
-+ return 1;
-+ }
-
- retval = setup_sam();
- if (retval) {
-@@ -1068,6 +1075,7 @@ int main(int argc, char **argv)
- krb5_klog_syslog(LOG_INFO, _("shutting down"));
- unload_preauth_plugins(kcontext);
- unload_authdata_plugins(kcontext);
-+ unload_kdcpolicy_plugins(kcontext);
-
unload_audit_modules(kcontext);
- krb5_klog_close(kcontext);
- finish_realms();
-diff --git a/src/kdc/policy.c b/src/kdc/policy.c
-index 6cba4303f..e49644e06 100644
---- a/src/kdc/policy.c
-+++ b/src/kdc/policy.c
-@@ -1,67 +1,246 @@
- /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
- /* kdc/policy.c - Policy decision routines for KDC */
- /*
-- * Copyright 1990 by the Massachusetts Institute of Technology.
-+ * Copyright (C) 2017 by Red Hat, Inc.
-+ * All rights reserved.
- *
-- * Export of this software from the United States of America may
-- * require a specific license from the United States Government.
-- * It is the responsibility of any person or organization contemplating
-- * export to obtain such a license before exporting.
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
- *
-- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-- * distribute this software and its documentation for any purpose and
-- * without fee is hereby granted, provided that the above copyright
-- * notice appear in all copies and that both that copyright notice and
-- * this permission notice appear in supporting documentation, and that
-- * the name of M.I.T. not be used in advertising or publicity pertaining
-- * to distribution of the software without specific, written prior
-- * permission. Furthermore if you modify this software you must label
-- * your software as modified software and not distribute it in such a
-- * fashion that it might be confused with the original M.I.T. software.
-- * M.I.T. makes no representations about the suitability of
-- * this software for any purpose. It is provided "as is" without express
-- * or implied warranty.
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - - #include "k5-int.h" - #include "kdc_util.h" - #include "extern.h" -+#include "policy.h" -+#include "adm_proto.h" -+#include -+#include - --int --against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client, -- krb5_db_entry server, krb5_timestamp kdc_time, -- const char **status, krb5_pa_data ***e_data) -+typedef struct kdcpolicy_handle_st { -+ struct krb5_kdcpolicy_vtable_st vt; -+ krb5_kdcpolicy_moddata moddata; -+} *kdcpolicy_handle; -+ -+static kdcpolicy_handle *handles; -+ -+static void -+free_indicators(char **ais) - { --#if 0 -- /* An AS request must include the addresses field */ -- if (request->addresses == 0) { -- *status = "NO ADDRESS"; -- return KRB5KDC_ERR_POLICY; -- } --#endif -+ size_t i; - -- return 0; /* not against policy */ -+ if (ais == NULL) -+ return; -+ for (i = 0; ais[i] != NULL; i++) -+ free(ais[i]); -+ free(ais); -+} -+ -+/* Convert inds to a null-terminated list of C strings. 
*/
-+static krb5_error_code
-+authind_strings(krb5_data *const *inds, char ***strs_out)
-+{
-+ krb5_error_code ret;
-+ char **list = NULL;
-+ size_t i, count;
-+
-+ *strs_out = NULL;
-+
-+ for (count = 0; inds != NULL && inds[count] != NULL; count++);
-+ list = k5calloc(count + 1, sizeof(*list), &ret);
-+ if (list == NULL)
-+ goto error;
-+
-+ for (i = 0; i < count; i++) {
-+ list[i] = k5memdup0(inds[i]->data, inds[i]->length, &ret);
-+ if (list[i] == NULL)
-+ goto error;
-+ }
-+
-+ *strs_out = list;
-+ return 0;
-+
-+error:
-+ free_indicators(list);
-+ return ret;
-+}
-+
-+/* Constrain times->endtime to life and times->renew_till to rlife, relative to
-+ * now. */
-+static void
-+update_ticket_times(krb5_ticket_times *times, krb5_timestamp now,
-+ krb5_deltat life, krb5_deltat rlife)
-+{
-+ if (life)
-+ times->endtime = ts_min(ts_incr(now, life), times->endtime);
-+ if (rlife)
-+ times->renew_till = ts_min(ts_incr(now, rlife), times->renew_till);
-+}
-+
-+/* Check an AS request against kdcpolicy modules, updating times with any
-+ * module endtime constraints. Set an appropriate status string on error.
*/
-+krb5_error_code
-+check_kdcpolicy_as(krb5_context context, const krb5_kdc_req *request,
-+ const krb5_db_entry *client, const krb5_db_entry *server,
-+ krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
-+ krb5_ticket_times *times, const char **status)
-+{
-+ krb5_deltat life, rlife;
-+ krb5_error_code ret;
-+ kdcpolicy_handle *hp, h;
-+ char **ais = NULL;
-+
-+ *status = NULL;
-+
-+ ret = authind_strings(auth_indicators, &ais);
-+ if (ret)
-+ goto done;
-+
-+ for (hp = handles; *hp != NULL; hp++) {
-+ h = *hp;
-+ if (h->vt.check_as == NULL)
-+ continue;
-+
-+ ret = h->vt.check_as(context, h->moddata, request, client, server,
-+ (const char **)ais, status, &life, &rlife);
-+ if (ret)
-+ goto done;
-+
-+ update_ticket_times(times, kdc_time, life, rlife);
-+ }
-+
-+done:
-+ free_indicators(ais);
-+ return ret;
- }
-
- /*
-- * This is where local policy restrictions for the TGS should placed.
-+ * Check the TGS request against the local TGS policy. Accepts an
-+ * authentication indicator for the module policy decisions. Returns 0 and a
-+ * NULL status string on success.
- */
- krb5_error_code
--against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server,
-- krb5_ticket *ticket, const char **status,
-- krb5_pa_data ***e_data)
-+check_kdcpolicy_tgs(krb5_context context, const krb5_kdc_req *request,
-+ const krb5_db_entry *server, const krb5_ticket *ticket,
-+ krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
-+ krb5_ticket_times *times, const char **status)
- {
--#if 0
-- /*
-- * For example, if your site wants to disallow ticket forwarding,
-- * you might do something like this:
-- */
-+ krb5_deltat life, rlife;
-+ krb5_error_code ret;
-+ kdcpolicy_handle *hp, h;
-+ char **ais = NULL;
-
-- if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
-- *status = "FORWARD POLICY";
-- return KRB5KDC_ERR_POLICY;
-+ *status = NULL;
-+
-+ ret = authind_strings(auth_indicators, &ais);
-+ if (ret)
-+ goto done;
-+
-+ for (hp = handles; *hp != NULL; hp++) {
-+ h = *hp;
-+ if (h->vt.check_tgs == NULL)
-+ continue;
-+
-+ ret = h->vt.check_tgs(context, h->moddata, request, server, ticket,
-+ (const char **)ais, status, &life, &rlife);
-+ if (ret)
-+ goto done;
-+
-+ update_ticket_times(times, kdc_time, life, rlife);
- }
--#endif
-
-- return 0; /* not against policy */
-+done:
-+ free_indicators(ais);
-+ return ret;
-+}
-+
-+void
-+unload_kdcpolicy_plugins(krb5_context context)
-+{
-+ kdcpolicy_handle *hp, h;
-+
-+ for (hp = handles; *hp != NULL; hp++) {
-+ h = *hp;
-+ if (h->vt.fini != NULL)
-+ h->vt.fini(context, h->moddata);
-+ free(h);
-+ }
-+ free(handles);
-+ handles = NULL;
-+}
-+
-+krb5_error_code
-+load_kdcpolicy_plugins(krb5_context context)
-+{
-+ krb5_error_code ret;
-+ krb5_plugin_initvt_fn *modules = NULL, *mod;
-+ kdcpolicy_handle h;
-+ size_t count;
-+
-+ ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_KDCPOLICY, &modules);
-+ if (ret)
-+ goto cleanup;
-+
-+ for (count = 0; modules[count] != NULL; count++);
-+ handles = k5calloc(count + 1, sizeof(*handles), &ret);
-+ if (handles == NULL)
-+ goto
cleanup;
-+
-+ count = 0;
-+ for (mod = modules; *mod != NULL; mod++) {
-+ h = k5calloc(1, sizeof(*h), &ret);
-+ if (h == NULL)
-+ goto cleanup;
-+
-+ ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
-+ if (ret) { /* Version mismatch. */
-+ TRACE_KDCPOLICY_VTINIT_FAIL(context, ret);
-+ free(h);
-+ continue;
-+ }
-+ if (h->vt.init != NULL) {
-+ ret = h->vt.init(context, &h->moddata);
-+ if (ret == KRB5_PLUGIN_NO_HANDLE) {
-+ TRACE_KADM5_AUTH_INIT_SKIP(context, h->vt.name);
-+ free(h);
-+ continue;
-+ }
-+ if (ret) {
-+ kdc_err(context, ret, _("while loading policy module %s"),
-+ h->vt.name);
-+ free(h);
-+ goto cleanup;
-+ }
-+ }
-+ handles[count++] = h;
-+ }
-+
-+ ret = 0;
-+
-+cleanup:
-+ if (ret)
-+ unload_kdcpolicy_plugins(context);
-+ k5_plugin_free_modules(context, modules);
-+ return ret;
- }
-diff --git a/src/kdc/policy.h b/src/kdc/policy.h
-index 6b000dc90..2a57b0a01 100644
---- a/src/kdc/policy.h
-+++ b/src/kdc/policy.h
-@@ -26,11 +26,22 @@
- #ifndef __KRB5_KDC_POLICY__
- #define __KRB5_KDC_POLICY__
-
--extern int against_postdate_policy (krb5_timestamp);
-+krb5_error_code
-+load_kdcpolicy_plugins(krb5_context context);
-
--extern int against_flag_policy_as (const krb5_kdc_req *);
-+void
-+unload_kdcpolicy_plugins(krb5_context context);
-
--extern int against_flag_policy_tgs (const krb5_kdc_req *,
-- const krb5_ticket *);
-+krb5_error_code
-+check_kdcpolicy_as(krb5_context context, const krb5_kdc_req *request,
-+ const krb5_db_entry *client, const krb5_db_entry *server,
-+ krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
-+ krb5_ticket_times *times, const char **status);
-+
-+krb5_error_code
-+check_kdcpolicy_tgs(krb5_context context, const krb5_kdc_req *request,
-+ const krb5_db_entry *server, const krb5_ticket *ticket,
-+ krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
-+ krb5_ticket_times *times, const char **status);
-
- #endif /* __KRB5_KDC_POLICY__ */
-diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
-index
d0f25d1b7..33cfbcd81 100644
---- a/src/kdc/tgs_policy.c
-+++ b/src/kdc/tgs_policy.c
-@@ -375,11 +375,5 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm,
- if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
- return errcode_to_protocol(ret);
-
-- /* Check local policy. */
-- errcode = against_local_policy_tgs(request, server, ticket,
-- status, e_data);
-- if (errcode)
-- return errcode;
--
- return 0;
- }
-diff --git a/src/lib/krb5/krb/plugin.c b/src/lib/krb5/krb/plugin.c
-index 17dd6bd30..31aaf661d 100644
---- a/src/lib/krb5/krb/plugin.c
-+++ b/src/lib/krb5/krb/plugin.c
-@@ -58,7 +58,9 @@ const char *interface_names[] = {
- "audit",
- "tls",
- "kdcauthdata",
-- "certauth"
-+ "certauth",
-+ "kadm5_auth",
-+ "kdcpolicy",
- };
-
- /* Return the context's interface structure for id, or NULL if invalid. */
-diff --git a/src/plugins/kdcpolicy/test/Makefile.in b/src/plugins/kdcpolicy/test/Makefile.in
-new file mode 100644
-index 000000000..b81f1a7ce
---- /dev/null
-+++ b/src/plugins/kdcpolicy/test/Makefile.in
-@@ -0,0 +1,20 @@
-+mydir=plugins$(S)policy$(S)test
-+BUILDTOP=$(REL)..$(S)..$(S)..
-+
-+LIBBASE=policy_test
-+LIBMAJOR=0
-+LIBMINOR=0
-+RELDIR=../plugins/kdcpolicy/test
-+SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS)
-+SHLIB_EXPLIBS=$(KRB5_BASE_LIBS)
-+
-+STLIBOBJS=main.o
-+
-+SRCS=$(srcdir)/main.c
-+
-+all-unix: all-libs
-+install-unix:
-+clean-unix:: clean-libs clean-libobjs
-+
-+@libnover_frag@
-+@libobj_frag@
-diff --git a/src/plugins/kdcpolicy/test/deps b/src/plugins/kdcpolicy/test/deps
-new file mode 100644
-index 000000000..e69de29bb
-diff --git a/src/plugins/kdcpolicy/test/main.c b/src/plugins/kdcpolicy/test/main.c
-new file mode 100644
-index 000000000..eb8fde053
---- /dev/null
-+++ b/src/plugins/kdcpolicy/test/main.c
-@@ -0,0 +1,111 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/* include/krb5/kdcpolicy_plugin.h - KDC policy plugin interface */
-+/*
-+ * Copyright (C) 2017 by Red Hat, Inc.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * * Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "k5-int.h"
-+#include "kdb.h"
-+#include
-+
-+static krb5_error_code
-+output_from_indicator(const char *const *auth_indicators,
-+ krb5_deltat *lifetime_out,
-+ krb5_deltat *renew_lifetime_out,
-+ const char **status)
-+{
-+ if (auth_indicators[0] == NULL) {
-+ *status = NULL;
-+ return 0;
-+ }
-+
-+ if (strcmp(auth_indicators[0], "ONE_HOUR") == 0) {
-+ *lifetime_out = 3600;
-+ *renew_lifetime_out = *lifetime_out * 2;
-+ return 0;
-+ } else if (strcmp(auth_indicators[0], "SEVEN_HOURS") == 0) {
-+ *lifetime_out = 7 * 3600;
-+ *renew_lifetime_out = *lifetime_out * 2;
-+ return 0;
-+ }
-+
-+ *status = "LOCAL_POLICY";
-+ return KRB5KDC_ERR_POLICY;
-+}
-+
-+static krb5_error_code
-+test_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
-+ const krb5_kdc_req *request, const krb5_db_entry *client,
-+ const krb5_db_entry *server, const char *const *auth_indicators,
-+ const char **status, krb5_deltat *lifetime_out,
-+ krb5_deltat *renew_lifetime_out)
-+{
-+ if (request->client != NULL && request->client->length >= 1 &&
-+ data_eq_string(request->client->data[0], "fail")) {
-+ *status = "LOCAL_POLICY";
-+ return KRB5KDC_ERR_POLICY;
-+ }
-+ return output_from_indicator(auth_indicators, lifetime_out,
-+ renew_lifetime_out, status);
-+}
-+
-+static krb5_error_code
-+test_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
-+ const krb5_kdc_req *request, const krb5_db_entry *server,
-+ const krb5_ticket *ticket, const char *const *auth_indicators,
-+ const char **status, krb5_deltat *lifetime_out,
-+ krb5_deltat *renew_lifetime_out)
-+{
-+ if (request->server != NULL && request->server->length >= 1 &&
-+ data_eq_string(request->server->data[0], "fail")) {
-+ *status = "LOCAL_POLICY";
-+ return KRB5KDC_ERR_POLICY;
-+ }
-+ return output_from_indicator(auth_indicators, lifetime_out,
-+ renew_lifetime_out, status);
-+}
-+
-+krb5_error_code
-+kdcpolicy_test_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable
vtable);
-+krb5_error_code
-+kdcpolicy_test_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable)
-+{
-+ krb5_kdcpolicy_vtable vt;
-+
-+ if (maj_ver != 1)
-+ return KRB5_PLUGIN_VER_NOTSUPP;
-+
-+ vt = (krb5_kdcpolicy_vtable)vtable;
-+ vt->name = "test";
-+ vt->check_as = test_check_as;
-+ vt->check_tgs = test_check_tgs;
-+ return 0;
-+}
-diff --git a/src/plugins/kdcpolicy/test/policy_test.exports b/src/plugins/kdcpolicy/test/policy_test.exports
-new file mode 100644
-index 000000000..9682ec74f
---- /dev/null
-+++ b/src/plugins/kdcpolicy/test/policy_test.exports
-@@ -0,0 +1 @@
-+kdcpolicy_test_initvt
-diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
-index 2b3112537..a2093108b 100644
---- a/src/tests/Makefile.in
-+++ b/src/tests/Makefile.in
-@@ -169,6 +169,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
- $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS)
-+ $(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS)
-
- clean:
- $(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest
-diff --git a/src/tests/t_kdcpolicy.py b/src/tests/t_kdcpolicy.py
-new file mode 100644
-index 000000000..6a745b959
---- /dev/null
-+++ b/src/tests/t_kdcpolicy.py
-@@ -0,0 +1,57 @@
-+#!/usr/bin/python
-+from k5test import *
-+from datetime import datetime
-+import re
-+
-+testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so')
-+testpolicy = os.path.join(buildtop, 'plugins', 'kdcpolicy', 'test',
-+ 'policy_test.so')
-+krb5_conf = {'plugins': {'kdcpreauth': {'module': 'test:' + testpreauth},
-+ 'clpreauth': {'module': 'test:' + testpreauth},
-+ 'kdcpolicy': {'module': 'test:' + testpolicy}}}
-+kdc_conf = {'realms': {'$realm': {'default_principal_flags': '+preauth',
-+ 'max_renewable_life': '1d'}}}
-+realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf)
-+
-+realm.run([kadminl,
'addprinc', '-pw', password('fail'), 'fail'])
-+
-+def verify_time(out, target_time):
-+ times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)
-+ times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times]
-+ while len(times) > 0:
-+ starttime = times.pop(0)
-+ endtime = times.pop(0)
-+ renewtime = times.pop(0)
-+
-+ if str(endtime - starttime) != target_time:
-+ fail('unexpected lifetime value')
-+ if str(renewtime - endtime) != target_time:
-+ fail('unexpected renewable value')
-+
-+rflags = ['-r', '1d', '-l', '12h']
-+
-+# Test AS+TGS success path.
-+realm.kinit(realm.user_princ, password('user'),
-+ rflags + ['-X', 'indicators=SEVEN_HOURS'])
-+realm.run([kvno, realm.host_princ])
-+realm.run(['./adata', realm.host_princ], expected_msg='+97: [SEVEN_HOURS]')
-+out = realm.run([klist, realm.ccache, '-e'])
-+verify_time(out, '7:00:00')
-+
-+# Test AS+TGS success path with different values.
-+realm.kinit(realm.user_princ, password('user'),
-+ rflags + ['-X', 'indicators=ONE_HOUR'])
-+realm.run([kvno, realm.host_princ])
-+realm.run(['./adata', realm.host_princ], expected_msg='+97: [ONE_HOUR]')
-+out = realm.run([klist, realm.ccache, '-e'])
-+verify_time(out, '1:00:00')
-+
-+# Test TGS failure path (using previous creds).
-+realm.run([kvno, 'fail@%s' % realm.realm], expected_code=1,
-+ expected_msg='KDC policy rejects request')
-+
-+# Test AS failure path.
-+realm.kinit('fail@%s' % realm.realm, password('fail'),
-+ expected_code=1, expected_msg='KDC policy rejects request')
-+
-+success('kdcpolicy tests')
diff --git a/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch b/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
deleted file mode 100644
index 94370dc..0000000
--- a/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 6ce3a9416ee73fee41d0190e3fd0fde0a097c774 Mon Sep 17 00:00:00 2001
-From: Matt Rogers
-Date: Fri, 9 Dec 2016 11:43:27 -0500
-Subject: [PATCH] Add PKINIT UPN tests to t_pkinit.py
-
-[ghudson@mit.edu: simplify and explain tests; add test for
-id-pkinit-san match against canonicalized client principal]
-
-ticket: 8528
-(cherry picked from commit d520fd3f032121b61b22681838af96ee505fe44d)
----
- src/tests/t_pkinit.py | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 57 insertions(+)
-
-diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
-index 526473b42..ac4d326b6 100755
---- a/src/tests/t_pkinit.py
-+++ b/src/tests/t_pkinit.py
-@@ -23,6 +23,9 @@ privkey_pem = os.path.join(certs, 'privkey.pem')
- privkey_enc_pem = os.path.join(certs, 'privkey-enc.pem')
- user_p12 = os.path.join(certs, 'user.p12')
- user_enc_p12 = os.path.join(certs, 'user-enc.p12')
-+user_upn_p12 = os.path.join(certs, 'user-upn.p12')
-+user_upn2_p12 = os.path.join(certs, 'user-upn2.p12')
-+user_upn3_p12 = os.path.join(certs, 'user-upn3.p12')
- path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
- path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
-
-@@ -36,6 +39,20 @@ pkinit_kdc_conf = {'realms': {'$realm': {
- restrictive_kdc_conf = {'realms': {'$realm': {
- 'restrict_anonymous_to_tgt': 'true' }}}
-
-+testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
-+ 'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
-+ 'user2': {'keys': 'aes128-cts', 'flags': '+preauth'}}
-+alias_kdc_conf = {'realms': {'$realm': {
-+ 'default_principal_flags': '+preauth',
-+ 'pkinit_eku_checking': 'none',
-+ 'pkinit_allow_upn': 'true',
-+ 'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem),
-+ 'database_module': 'test'}},
-+ 'dbmodules': {'test': {
-+ 'db_library': 'test',
-+ 'alias': {'user@krbtest.com': 'user'},
-+ 'princs': testprincs}}}
-+
- file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
- file_enc_identity =
'FILE:%s,%s' % (user_pem, privkey_enc_pem)
- dir_identity = 'DIR:%s' % path
-@@ -45,11 +62,51 @@ dir_file_identity = 'FILE:%s,%s' % (os.path.join(path, 'user.crt'),
- dir_file_enc_identity = 'FILE:%s,%s' % (os.path.join(path_enc, 'user.crt'),
- os.path.join(path_enc, 'user.key'))
- p12_identity = 'PKCS12:%s' % user_p12
-+p12_upn_identity = 'PKCS12:%s' % user_upn_p12
-+p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
-+p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
- p12_enc_identity = 'PKCS12:%s' % user_enc_p12
- p11_identity = 'PKCS11:soft-pkcs11.so'
- p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
- 'slotid=1:token=SoftToken (token)')
-
-+# Start a realm with the test kdb module for the following UPN SAN tests.
-+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=alias_kdc_conf,
-+ create_kdb=False)
-+realm.start_kdc()
-+
-+# Compatibility check: cert contains UPN "user", which matches the
-+# request principal user@KRBTEST.COM if parsed as a normal principal.
-+realm.kinit(realm.user_princ,
-+ flags=['-X', 'X509_user_identity=%s' % p12_upn2_identity])
-+
-+# Compatibility check: cert contains UPN "user@KRBTEST.COM", which matches
-+# the request principal user@KRBTEST.COM if parsed as a normal principal.
-+realm.kinit(realm.user_princ,
-+ flags=['-X', 'X509_user_identity=%s' % p12_upn3_identity])
-+
-+# Cert contains UPN "user@krbtest.com" which is aliased to the request
-+# principal.
-+realm.kinit(realm.user_princ,
-+ flags=['-X', 'X509_user_identity=%s' % p12_upn_identity])
-+
-+# Test an id-pkinit-san match to a post-canonical principal.
-+realm.kinit('user@krbtest.com',
-+ flags=['-E', '-X', 'X509_user_identity=%s' % p12_identity])
-+
-+# Test a UPN match to a post-canonical principal. (This only works
-+# for the cert with the UPN containing just "user", as we don't allow
-+# UPN reparsing when comparing to the canonicalized client principal.)
-+realm.kinit('user@krbtest.com',
-+ flags=['-E', '-X', 'X509_user_identity=%s' % p12_upn2_identity])
-+
-+# Test a mismatch.
-+out = realm.run([kinit, '-X', 'X509_user_identity=%s' % p12_upn2_identity,
-+ 'user2'], expected_code=1)
-+if 'kinit: Client name mismatch while getting initial credentials' not in out:
-+ fail('Wrong error for UPN SAN mismatch')
-+realm.stop()
-+
- realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
- get_creds=False)
-
diff --git a/Add-PKINIT-test-case-for-generic-client-cert.patch b/Add-PKINIT-test-case-for-generic-client-cert.patch
deleted file mode 100644
index e77dd5f..0000000
--- a/Add-PKINIT-test-case-for-generic-client-cert.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From e267849bcc3813989470c03565b22d25c71af91e Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Fri, 25 Aug 2017 12:39:14 -0400
-Subject: [PATCH] Add PKINIT test case for generic client cert
-
-In t_pkinit.py, add a test case where a client cert with no extensions
-is authorized via subject and issuer using a pkinit_cert_match string
-attribute.
-
-ticket: 8562
-(cherry picked from commit 8c5d50888aab554239fd51306e79c5213833c898)
-[rharwood@redhat.com: backport around dbmatch module]
----
- src/tests/t_pkinit.py | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
-index e943f4974..fa5c5199e 100755
---- a/src/tests/t_pkinit.py
-+++ b/src/tests/t_pkinit.py
-@@ -26,6 +26,7 @@ user_enc_p12 = os.path.join(certs, 'user-enc.p12')
- user_upn_p12 = os.path.join(certs, 'user-upn.p12')
- user_upn2_p12 = os.path.join(certs, 'user-upn2.p12')
- user_upn3_p12 = os.path.join(certs, 'user-upn3.p12')
-+generic_p12 = os.path.join(certs, 'generic.p12')
- path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
- path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
-
-@@ -65,6 +66,7 @@ p12_identity = 'PKCS12:%s' % user_p12
- p12_upn_identity = 'PKCS12:%s' % user_upn_p12
- p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
- p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
-+p12_generic_identity = 'PKCS12:%s' % generic_p12
- p12_enc_identity = 'PKCS12:%s' % user_enc_p12
- p11_identity = 'PKCS11:soft-pkcs11.so'
- p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
-@@ -284,6 +286,14 @@ realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity,
- realm.klist(realm.user_princ)
- realm.run([kvno, realm.host_princ])
-
-+# Authorize a client cert with no PKINIT extensions using subject and
-+# issuer. (Relies on EKU checking being turned off.)
-+rule = '&&CN=user$O=MIT,'
-+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
-+realm.kinit(realm.user_princ,
-+ flags=['-X', 'X509_user_identity=%s' % p12_generic_identity])
-+realm.klist(realm.user_princ)
-+
- if not have_soft_pkcs11:
- skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
-
diff --git a/Add-certauth-pluggable-interface.patch b/Add-certauth-pluggable-interface.patch
deleted file mode 100644
index a9adc3e..0000000
--- a/Add-certauth-pluggable-interface.patch
+++ /dev/null
@@ -1,1146 +0,0 @@ -From 43418f21de72060932661242126fe611b6b17d84 Mon Sep 17 00:00:00 2001 -From: Matt Rogers -Date: Tue, 28 Feb 2017 15:55:24 -0500 -Subject: [PATCH] Add certauth pluggable interface - -Add the header include/krb5/certauth_plugin.h, defining a pluggable -interface to control authorization of PKINIT client certificates. - -Add the "pkinit_san" and "pkinit_eku" builtin certauth modules and -related PKINIT crypto X.509 helper functions. Add authorize_cert() as -the entry function for certauth plugin module checks called in -pkinit_server_verify_padata(). Modify kdcpreauth_moddata to hold the -list of certauth module handles, and load the modules when the PKINIT -kdcpreauth server plugin is initialized. Change -crypto_retrieve_X509_sans() to return ENOENT when no SAN is found. - -Add test modules in plugins/certauth/test. Create t_certauth.py with -basic certauth tests. Add plugin interface documentation in -doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst. - -[ghudson@mit.edu: simplified code, edited docs] - -ticket: 8561 (new) -(cherry picked from commit b619ce84470519bea65470be3263cd85fba94f57) ---- - doc/admin/conf_files/krb5_conf.rst | 21 ++ - doc/plugindev/certauth.rst | 27 ++ - doc/plugindev/index.rst | 1 + - src/Makefile.in | 1 + - src/configure.in | 1 + - src/include/Makefile.in | 1 + - src/include/k5-int.h | 3 +- - src/include/krb5/certauth_plugin.h | 103 +++++++ - src/lib/krb5/krb/plugin.c | 3 +- - src/plugins/certauth/test/Makefile.in | 20 ++ - src/plugins/certauth/test/certauth_test.exports | 2 + - src/plugins/certauth/test/deps | 14 + - src/plugins/certauth/test/main.c | 209 +++++++++++++ - src/plugins/preauth/pkinit/pkinit_crypto.h | 4 + - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 30 ++ - src/plugins/preauth/pkinit/pkinit_srv.c | 335 ++++++++++++++++++--- - src/plugins/preauth/pkinit/pkinit_trace.h | 5 + - src/tests/Makefile.in | 1 + - src/tests/t_certauth.py | 47 +++ - 19 files changed, 786 insertions(+), 42 
deletions(-) - create mode 100644 doc/plugindev/certauth.rst - create mode 100644 src/include/krb5/certauth_plugin.h - create mode 100644 src/plugins/certauth/test/Makefile.in - create mode 100644 src/plugins/certauth/test/certauth_test.exports - create mode 100644 src/plugins/certauth/test/deps - create mode 100644 src/plugins/certauth/test/main.c - create mode 100644 src/tests/t_certauth.py - -diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index 02a935961..1d9bc9e34 100644 ---- a/doc/admin/conf_files/krb5_conf.rst -+++ b/doc/admin/conf_files/krb5_conf.rst -@@ -859,6 +859,27 @@ built-in modules exist for this interface: - This module authorizes a principal to a local account if the - principal name maps to the local account name. - -+.. _certauth: -+ -+certauth interface -+################## -+ -+The certauth section (introduced in release 1.16) controls modules for -+the certificate authorization interface, which determines whether a -+certificate is allowed to preauthenticate a user via PKINIT. The -+following built-in modules exist for this interface: -+ -+**pkinit_san** -+ This module authorizes the certificate if it contains a PKINIT -+ Subject Alternative Name for the requested client principal, or a -+ Microsoft UPN SAN matching the principal if **pkinit_allow_upn** -+ is set to true for the realm. -+ -+**pkinit_eku** -+ This module rejects the certificate if it does not contain an -+ Extended Key Usage attribute consistent with the -+ **pkinit_eku_checking** value for the realm. -+ - - PKINIT options - -------------- -diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst -new file mode 100644 -index 000000000..8a7f7c5eb ---- /dev/null -+++ b/doc/plugindev/certauth.rst -@@ -0,0 +1,27 @@ -+.. _certauth_plugin: -+ -+PKINIT certificate authorization interface (certauth) -+===================================================== -+ -+The certauth interface was first introduced in release 1.16. 
It -+allows customization of the X.509 certificate attribute requirements -+placed on certificates used by PKINIT enabled clients. For a detailed -+description of the certauth interface, see the header file -+```` -+ -+A certauth module implements the **authorize** method to determine -+whether a client's certificate is authorized to authenticate a client -+principal. **authorize** receives the DER-encoded certificate, the -+requested client principal, and a pointer to the client's -+krb5_db_entry (for modules that link against libkdb5). It returns the -+authorization status and optionally outputs a list of authentication -+indicator strings to be added to the ticket. A module must use its -+own internal or library-provided ASN.1 certificate decoder. -+ -+A module can optionally create and destroy module data with the -+**init** and **fini** methods. Module data objects last for the -+lifetime of the KDC process. -+ -+If a module allocates and returns a list of authentication indicators -+from **authorize**, it must also implement the **free_ind** method -+to free the list. -diff --git a/doc/plugindev/index.rst b/doc/plugindev/index.rst -index 3fb921778..67dbc2790 100644 ---- a/doc/plugindev/index.rst -+++ b/doc/plugindev/index.rst -@@ -31,5 +31,6 @@ Contents - profile.rst - gssapi.rst - internal.rst -+ certauth.rst - - .. 
TODO: GSSAPI mechanism plugins -diff --git a/src/Makefile.in b/src/Makefile.in -index 2ebf2fb4d..b0249778c 100644 ---- a/src/Makefile.in -+++ b/src/Makefile.in -@@ -17,6 +17,7 @@ SUBDIRS=util include lib \ - plugins/pwqual/test \ - plugins/authdata/greet_server \ - plugins/authdata/greet_client \ -+ plugins/certauth/test \ - plugins/kdb/db2 \ - @ldap_plugin_dir@ \ - plugins/kdb/test \ -diff --git a/src/configure.in b/src/configure.in -index acf3a458b..24f653f0d 100644 ---- a/src/configure.in -+++ b/src/configure.in -@@ -1451,6 +1451,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test - - kdc slave config-files build-tools man doc include - -+ plugins/certauth/test - plugins/hostrealm/test - plugins/localauth/test - plugins/kadm5_hook/test -diff --git a/src/include/Makefile.in b/src/include/Makefile.in -index f5b921833..0239338a1 100644 ---- a/src/include/Makefile.in -+++ b/src/include/Makefile.in -@@ -140,6 +140,7 @@ install-headers-unix install: krb5/krb5.h profile.h - $(INSTALL_DATA) $(srcdir)/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5.h - $(INSTALL_DATA) $(srcdir)/kdb.h $(DESTDIR)$(KRB5_INCDIR)$(S)kdb.h - $(INSTALL_DATA) krb5/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)krb5.h -+ $(INSTALL_DATA) $(srcdir)/krb5/certauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)certauth_plugin.h - $(INSTALL_DATA) $(srcdir)/krb5/ccselect_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)ccselect_plugin.h - $(INSTALL_DATA) $(srcdir)/krb5/clpreauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)clpreauth_plugin.h - $(INSTALL_DATA) $(srcdir)/krb5/hostrealm_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)hostrealm_plugin.h -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 173cb0264..cea644d0a 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -1156,7 +1156,8 @@ struct plugin_interface { - #define PLUGIN_INTERFACE_AUDIT 7 - #define PLUGIN_INTERFACE_TLS 8 - #define PLUGIN_INTERFACE_KDCAUTHDATA 9 --#define PLUGIN_NUM_INTERFACES 10 
-+#define PLUGIN_INTERFACE_CERTAUTH 10 -+#define PLUGIN_NUM_INTERFACES 11 - - /* Retrieve the plugin module of type interface_id and name modname, - * storing the result into module. */ -diff --git a/src/include/krb5/certauth_plugin.h b/src/include/krb5/certauth_plugin.h -new file mode 100644 -index 000000000..f22fc1e84 ---- /dev/null -+++ b/src/include/krb5/certauth_plugin.h -@@ -0,0 +1,103 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -+/* include/krb5/certauth_plugin.h - certauth plugin header. */ -+/* -+ * Copyright (C) 2017 by Red Hat, Inc. -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ */ -+ -+/* -+ * Certificate authorization plugin interface. The PKINIT server module uses -+ * this interface to check client certificate attributes after the certificate -+ * signature has been verified. -+ */ -+#ifndef KRB5_CERTAUTH_PLUGIN_H -+#define KRB5_CERTAUTH_PLUGIN_H -+ -+#include -+#include -+ -+/* Abstract module data type. */ -+typedef struct krb5_certauth_moddata_st *krb5_certauth_moddata; -+ -+typedef struct _krb5_db_entry_new krb5_db_entry; -+ -+/* -+ * Optional: Initialize module data. -+ */ -+typedef krb5_error_code -+(*krb5_certauth_init_fn)(krb5_context context, -+ krb5_certauth_moddata *moddata_out); -+ -+/* -+ * Optional: Clean up the module data. -+ */ -+typedef void -+(*krb5_certauth_fini_fn)(krb5_context context, krb5_certauth_moddata moddata); -+ -+/* -+ * Mandatory: -+ * Return 0 if the DER-encoded cert is authorized for PKINIT authentication by -+ * princ; otherwise return one of the following error codes: -+ * - KRB5KDC_ERR_CLIENT_NAME_MISMATCH - incorrect SAN value -+ * - KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE - incorrect EKU -+ * - KRB5KDC_ERR_CERTIFICATE_MISMATCH - other extension error -+ * - KRB5_PLUGIN_NO_HANDLE - the module has no opinion about cert -+ * -+ * - opts is used by built-in modules to receive internal data, and must be -+ * ignored by other modules. -+ * - db_entry receives the client principal database entry, and can be ignored -+ * by modules that do not link with libkdb5. -+ * - *authinds_out optionally returns a null-terminated list of authentication -+ * indicator strings upon KRB5_PLUGIN_NO_HANDLE or accepted authorization. -+ */ -+typedef krb5_error_code -+(*krb5_certauth_authorize_fn)(krb5_context context, -+ krb5_certauth_moddata moddata, -+ const uint8_t *cert, size_t cert_len, -+ krb5_const_principal princ, const void *opts, -+ const krb5_db_entry *db_entry, -+ char ***authinds_out); -+ -+/* -+ * Free indicators allocated by a module. Mandatory if authorize returns -+ * authentication indicators. 
-+ */ -+typedef void -+(*krb5_certauth_free_indicator_fn)(krb5_context context, -+ krb5_certauth_moddata moddata, -+ char **authinds); -+ -+typedef struct krb5_certauth_vtable_st { -+ char *name; -+ krb5_certauth_init_fn init; -+ krb5_certauth_fini_fn fini; -+ krb5_certauth_authorize_fn authorize; -+ krb5_certauth_free_indicator_fn free_ind; -+} *krb5_certauth_vtable; -+ -+#endif /* KRB5_CERTAUTH_PLUGIN_H */ -diff --git a/src/lib/krb5/krb/plugin.c b/src/lib/krb5/krb/plugin.c -index 7d64b7c7e..17dd6bd30 100644 ---- a/src/lib/krb5/krb/plugin.c -+++ b/src/lib/krb5/krb/plugin.c -@@ -57,7 +57,8 @@ const char *interface_names[] = { - "hostrealm", - "audit", - "tls", -- "kdcauthdata" -+ "kdcauthdata", -+ "certauth" - }; - - /* Return the context's interface structure for id, or NULL if invalid. */ -diff --git a/src/plugins/certauth/test/Makefile.in b/src/plugins/certauth/test/Makefile.in -new file mode 100644 -index 000000000..d3524084c ---- /dev/null -+++ b/src/plugins/certauth/test/Makefile.in -@@ -0,0 +1,20 @@ -+mydir=plugins$(S)certauth$(S)test -+BUILDTOP=$(REL)..$(S)..$(S).. -+ -+LIBBASE=certauth_test -+LIBMAJOR=0 -+LIBMINOR=0 -+RELDIR=../plugins/certauth/test -+SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS) -+SHLIB_EXPLIBS=$(KRB5_BASE_LIBS) -+ -+STLIBOBJS=main.o -+ -+SRCS=$(srcdir)/main.c -+ -+all-unix: all-libs -+install-unix: -+clean-unix:: clean-libs clean-libobjs -+ -+@libnover_frag@ -+@libobj_frag@ -diff --git a/src/plugins/certauth/test/certauth_test.exports b/src/plugins/certauth/test/certauth_test.exports -new file mode 100644 -index 000000000..1c8cd24e2 ---- /dev/null -+++ b/src/plugins/certauth/test/certauth_test.exports -@@ -0,0 +1,2 @@ -+certauth_test1_initvt -+certauth_test2_initvt -diff --git a/src/plugins/certauth/test/deps b/src/plugins/certauth/test/deps -new file mode 100644 -index 000000000..2974b3b57 ---- /dev/null -+++ b/src/plugins/certauth/test/deps -@@ -0,0 +1,14 @@ -+# -+# Generated makefile dependencies follow. 
-+# -+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ -+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ -+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ -+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ -+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ -+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ -+ $(top_srcdir)/include/krb5/certauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -+ main.c -diff --git a/src/plugins/certauth/test/main.c b/src/plugins/certauth/test/main.c -new file mode 100644 -index 000000000..7ef7377fb ---- /dev/null -+++ b/src/plugins/certauth/test/main.c -@@ -0,0 +1,209 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -+/* plugins/certauth/main.c - certauth plugin test modules. */ -+/* -+ * Copyright (C) 2017 by Red Hat, Inc. -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE -+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include -+#include "krb5/certauth_plugin.h" -+ -+struct krb5_certauth_moddata_st { -+ int initialized; -+}; -+ -+/* Test module 1 returns OK with an indicator. */ -+static krb5_error_code -+test1_authorize(krb5_context context, krb5_certauth_moddata moddata, -+ const uint8_t *cert, size_t cert_len, -+ krb5_const_principal princ, const void *opts, -+ const krb5_db_entry *db_entry, char ***authinds_out) -+{ -+ char **ais = NULL; -+ -+ ais = calloc(2, sizeof(*ais)); -+ assert(ais != NULL); -+ ais[0] = strdup("test1"); -+ assert(ais[0] != NULL); -+ *authinds_out = ais; -+ return KRB5_PLUGIN_NO_HANDLE; -+} -+ -+static void -+test_free_ind(krb5_context context, krb5_certauth_moddata moddata, -+ char **authinds) -+{ -+ size_t i; -+ -+ if (authinds == NULL) -+ return; -+ for (i = 0; authinds[i] != NULL; i++) -+ free(authinds[i]); -+ free(authinds); -+} -+ -+/* A basic moddata test. */ -+static krb5_error_code -+test2_init(krb5_context context, krb5_certauth_moddata *moddata_out) -+{ -+ krb5_certauth_moddata mod; -+ -+ mod = calloc(1, sizeof(*mod)); -+ assert(mod != NULL); -+ mod->initialized = 1; -+ *moddata_out = mod; -+ return 0; -+} -+ -+static void -+test2_fini(krb5_context context, krb5_certauth_moddata moddata) -+{ -+ free(moddata); -+} -+ -+/* Return true if cert appears to contain the CN name, based on a search of the -+ * DER encoding. 
*/ -+static krb5_boolean -+has_cn(krb5_context context, const uint8_t *cert, size_t cert_len, -+ const char *name) -+{ -+ krb5_boolean match = FALSE; -+ uint8_t name_len, cntag[5] = "\x06\x03\x55\x04\x03"; -+ const uint8_t *c; -+ struct k5buf buf; -+ size_t c_left; -+ -+ /* Construct a DER search string of the CN AttributeType encoding followed -+ * by a UTF8String encoding containing name as the AttributeValue. */ -+ k5_buf_init_dynamic(&buf); -+ k5_buf_add_len(&buf, cntag, sizeof(cntag)); -+ k5_buf_add(&buf, "\x0C"); -+ assert(strlen(name) < 128); -+ name_len = strlen(name); -+ k5_buf_add_len(&buf, &name_len, 1); -+ k5_buf_add_len(&buf, name, name_len); -+ assert(k5_buf_status(&buf) == 0); -+ -+ /* Check for the CN needle in the certificate haystack. */ -+ c_left = cert_len; -+ c = memchr(cert, *cntag, c_left); -+ while (c != NULL) { -+ c_left = cert_len - (c - cert); -+ if (buf.len > c_left) -+ break; -+ if (memcmp(c, buf.data, buf.len) == 0) { -+ match = TRUE; -+ break; -+ } -+ assert(c_left >= 1); -+ c = memchr(c + 1, *cntag, c_left - 1); -+ } -+ -+ k5_buf_free(&buf); -+ return match; -+} -+ -+/* -+ * Test module 2 returns OK if princ matches the CN part of the subject name, -+ * and returns indicators of the module name and princ. -+ */ -+static krb5_error_code -+test2_authorize(krb5_context context, krb5_certauth_moddata moddata, -+ const uint8_t *cert, size_t cert_len, -+ krb5_const_principal princ, const void *opts, -+ const krb5_db_entry *db_entry, char ***authinds_out) -+{ -+ krb5_error_code ret; -+ char *name = NULL, **ais = NULL; -+ -+ *authinds_out = NULL; -+ -+ assert(moddata != NULL && moddata->initialized); -+ -+ ret = krb5_unparse_name_flags(context, princ, -+ KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name); -+ if (ret) -+ goto cleanup; -+ -+ if (!has_cn(context, cert, cert_len, name)) { -+ ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH; -+ goto cleanup; -+ } -+ -+ /* Create an indicator list with the module name and CN. 
*/ -+ ais = calloc(3, sizeof(*ais)); -+ assert(ais != NULL); -+ ais[0] = strdup("test2"); -+ ais[1] = strdup(name); -+ assert(ais[0] != NULL && ais[1] != NULL); -+ *authinds_out = ais; -+ -+ ais = NULL; -+ -+cleanup: -+ krb5_free_unparsed_name(context, name); -+ return ret; -+} -+ -+krb5_error_code -+certauth_test1_initvt(krb5_context context, int maj_ver, int min_ver, -+ krb5_plugin_vtable vtable); -+krb5_error_code -+certauth_test1_initvt(krb5_context context, int maj_ver, int min_ver, -+ krb5_plugin_vtable vtable) -+{ -+ krb5_certauth_vtable vt; -+ -+ if (maj_ver != 1) -+ return KRB5_PLUGIN_VER_NOTSUPP; -+ vt = (krb5_certauth_vtable)vtable; -+ vt->name = "test1"; -+ vt->authorize = test1_authorize; -+ vt->free_ind = test_free_ind; -+ return 0; -+} -+ -+krb5_error_code -+certauth_test2_initvt(krb5_context context, int maj_ver, int min_ver, -+ krb5_plugin_vtable vtable); -+krb5_error_code -+certauth_test2_initvt(krb5_context context, int maj_ver, int min_ver, -+ krb5_plugin_vtable vtable) -+{ -+ krb5_certauth_vtable vt; -+ -+ if (maj_ver != 1) -+ return KRB5_PLUGIN_VER_NOTSUPP; -+ vt = (krb5_certauth_vtable)vtable; -+ vt->name = "test2"; -+ vt->authorize = test2_authorize; -+ vt->init = test2_init; -+ vt->fini = test2_fini; -+ vt->free_ind = test_free_ind; -+ return 0; -+} -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h -index b483affed..49b96b8ee 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto.h -+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h -@@ -664,4 +664,8 @@ extern const size_t krb5_pkinit_sha512_oid_len; - */ - extern krb5_data const * const supported_kdf_alg_ids[]; - -+krb5_error_code -+crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx, -+ uint8_t **der_out, size_t *der_len); -+ - #endif /* _PKINIT_CRYPTO_H */ -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 8def8c542..a5b010b26 100644 ---- 
a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -2137,6 +2137,7 @@ crypto_retrieve_X509_sans(krb5_context context, - - if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) { - pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__); -+ retval = ENOENT; - goto cleanup; - } - num_sans = sk_GENERAL_NAME_num(ialt); -@@ -6176,3 +6177,32 @@ crypto_get_deferred_ids(krb5_context context, - ret = (const pkinit_deferred_id *)deferred; - return ret; - } -+ -+/* Return the received certificate as DER-encoded data. */ -+krb5_error_code -+crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx, -+ uint8_t **der_out, size_t *der_len) -+{ -+ int len; -+ unsigned char *der, *p; -+ -+ *der_out = NULL; -+ *der_len = 0; -+ -+ if (reqctx->received_cert == NULL) -+ return EINVAL; -+ p = NULL; -+ len = i2d_X509(reqctx->received_cert, NULL); -+ if (len <= 0) -+ return EINVAL; -+ p = der = malloc(len); -+ if (p == NULL) -+ return ENOMEM; -+ if (i2d_X509(reqctx->received_cert, &p) <= 0) { -+ free(p); -+ return EINVAL; -+ } -+ *der_out = der; -+ *der_len = len; -+ return 0; -+} -diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c -index b5638a367..731d14eb8 100644 ---- a/src/plugins/preauth/pkinit/pkinit_srv.c -+++ b/src/plugins/preauth/pkinit/pkinit_srv.c -@@ -31,6 +31,25 @@ - - #include - #include "pkinit.h" -+#include "krb5/certauth_plugin.h" -+ -+/* Aliases used by the built-in certauth modules */ -+struct certauth_req_opts { -+ krb5_kdcpreauth_callbacks cb; -+ krb5_kdcpreauth_rock rock; -+ pkinit_kdc_context plgctx; -+ pkinit_kdc_req_context reqctx; -+}; -+ -+typedef struct certauth_module_handle_st { -+ struct krb5_certauth_vtable_st vt; -+ krb5_certauth_moddata moddata; -+} *certauth_handle; -+ -+struct krb5_kdcpreauth_moddata_st { -+ pkinit_kdc_context *realm_contexts; -+ certauth_handle *certauth_modules; -+}; - - static 
krb5_error_code - pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob); -@@ -51,6 +70,34 @@ pkinit_find_realm_context(krb5_context context, - krb5_kdcpreauth_moddata moddata, - krb5_principal princ); - -+static void -+free_realm_contexts(krb5_context context, pkinit_kdc_context *realm_contexts) -+{ -+ int i; -+ -+ if (realm_contexts == NULL) -+ return; -+ for (i = 0; realm_contexts[i] != NULL; i++) -+ pkinit_server_plugin_fini_realm(context, realm_contexts[i]); -+ pkiDebug("%s: freeing context at %p\n", __FUNCTION__, realm_contexts); -+ free(realm_contexts); -+} -+ -+static void -+free_certauth_handles(krb5_context context, certauth_handle *list) -+{ -+ int i; -+ -+ if (list == NULL) -+ return; -+ for (i = 0; list[i] != NULL; i++) { -+ if (list[i]->vt.fini != NULL) -+ list[i]->vt.fini(context, list[i]->moddata); -+ free(list[i]); -+ } -+ free(list); -+} -+ - static krb5_error_code - pkinit_create_edata(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, -@@ -123,7 +170,7 @@ verify_client_san(krb5_context context, - pkinit_kdc_req_context reqctx, - krb5_kdcpreauth_callbacks cb, - krb5_kdcpreauth_rock rock, -- krb5_principal client, -+ krb5_const_principal client, - int *valid_san) - { - krb5_error_code retval; -@@ -134,12 +181,15 @@ verify_client_san(krb5_context context, - char *client_string = NULL, *san_string; - #endif - -+ *valid_san = 0; - retval = crypto_retrieve_cert_sans(context, plgctx->cryptoctx, - reqctx->cryptoctx, plgctx->idctx, - &princs, - plgctx->opts->allow_upn ? &upns : NULL, - NULL); -- if (retval) { -+ if (retval == ENOENT) { -+ goto out; -+ } else if (retval) { - pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__); - retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH; - goto out; -@@ -273,6 +323,73 @@ out: - return retval; - } - -+ -+/* Run the received, verified certificate through certauth modules, to verify -+ * that it is authorized to authenticate as client. 
*/ -+static krb5_error_code -+authorize_cert(krb5_context context, certauth_handle *certauth_modules, -+ pkinit_kdc_context plgctx, pkinit_kdc_req_context reqctx, -+ krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, -+ krb5_principal client) -+{ -+ krb5_error_code ret; -+ certauth_handle h; -+ struct certauth_req_opts opts; -+ krb5_boolean accepted = FALSE; -+ uint8_t *cert; -+ size_t i, cert_len; -+ void *db_ent = NULL; -+ char **ais = NULL, **ai = NULL; -+ -+ /* Re-encode the received certificate into DER, which is extra work, but -+ * avoids creating an X.509 library dependency in the interface. */ -+ ret = crypto_encode_der_cert(context, reqctx->cryptoctx, &cert, &cert_len); -+ if (ret) -+ goto cleanup; -+ -+ /* Set options for the builtin module. */ -+ opts.plgctx = plgctx; -+ opts.reqctx = reqctx; -+ opts.cb = cb; -+ opts.rock = rock; -+ -+ db_ent = cb->client_entry(context, rock); -+ -+ /* -+ * Check the certificate against each certauth module. For the certificate -+ * to be authorized at least one module must return 0, and no module can an -+ * error code other than KRB5_PLUGIN_NO_HANDLE (pass). Add indicators from -+ * modules that return 0 or pass. -+ */ -+ ret = KRB5_PLUGIN_NO_HANDLE; -+ for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) { -+ h = certauth_modules[i]; -+ ret = h->vt.authorize(context, h->moddata, cert, cert_len, client, -+ &opts, db_ent, &ais); -+ if (ret == 0) -+ accepted = TRUE; -+ else if (ret != KRB5_PLUGIN_NO_HANDLE) -+ goto cleanup; -+ -+ if (ais != NULL) { -+ /* Assert authentication indicators from the module. */ -+ for (ai = ais; *ai != NULL; ai++) { -+ ret = cb->add_auth_indicator(context, rock, *ai); -+ if (ret) -+ goto cleanup; -+ } -+ h->vt.free_ind(context, h->moddata, ais); -+ ais = NULL; -+ } -+ } -+ -+ ret = accepted ? 
0 : KRB5KDC_ERR_CLIENT_NAME_MISMATCH; -+ -+cleanup: -+ free(cert); -+ return ret; -+} -+ - static void - pkinit_server_verify_padata(krb5_context context, - krb5_data *req_pkt, -@@ -295,7 +412,6 @@ pkinit_server_verify_padata(krb5_context context, - pkinit_kdc_req_context reqctx = NULL; - krb5_checksum cksum = {0, 0, 0, NULL}; - krb5_data *der_req = NULL; -- int valid_eku = 0, valid_san = 0; - krb5_data k5data; - int is_signed = 1; - krb5_pa_data **e_data = NULL; -@@ -388,27 +504,11 @@ pkinit_server_verify_padata(krb5_context context, - goto cleanup; - } - if (is_signed) { -- -- retval = verify_client_san(context, plgctx, reqctx, cb, rock, -- request->client, &valid_san); -- if (retval) -- goto cleanup; -- if (!valid_san) { -- pkiDebug("%s: did not find an acceptable SAN in user " -- "certificate\n", __FUNCTION__); -- retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH; -- goto cleanup; -- } -- retval = verify_client_eku(context, plgctx, reqctx, &valid_eku); -+ retval = authorize_cert(context, moddata->certauth_modules, plgctx, -+ reqctx, cb, rock, request->client); - if (retval) - goto cleanup; - -- if (!valid_eku) { -- pkiDebug("%s: did not find an acceptable EKU in user " -- "certificate\n", __FUNCTION__); -- retval = KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE; -- goto cleanup; -- } - } else { /* !is_signed */ - if (!krb5_principal_compare(context, request->client, - krb5_anonymous_principal())) { -@@ -1245,11 +1345,15 @@ pkinit_find_realm_context(krb5_context context, - krb5_principal princ) - { - int i; -- pkinit_kdc_context *realm_contexts = (pkinit_kdc_context *)moddata; -+ pkinit_kdc_context *realm_contexts; - - if (moddata == NULL) - return NULL; - -+ realm_contexts = moddata->realm_contexts; -+ if (realm_contexts == NULL) -+ return NULL; -+ - for (i = 0; realm_contexts[i] != NULL; i++) { - pkinit_kdc_context p = realm_contexts[i]; - -@@ -1331,6 +1435,155 @@ errout: - return retval; - } - -+static krb5_error_code -+pkinit_san_authorize(krb5_context context, 
krb5_certauth_moddata moddata, -+ const uint8_t *cert, size_t cert_len, -+ krb5_const_principal princ, const void *opts, -+ const krb5_db_entry *db_entry, char ***authinds_out) -+{ -+ krb5_error_code ret; -+ int valid_san; -+ const struct certauth_req_opts *req_opts = opts; -+ -+ *authinds_out = NULL; -+ -+ ret = verify_client_san(context, req_opts->plgctx, req_opts->reqctx, -+ req_opts->cb, req_opts->rock, princ, &valid_san); -+ if (ret == ENOENT) -+ return KRB5_PLUGIN_NO_HANDLE; -+ else if (ret) -+ return ret; -+ -+ if (!valid_san) { -+ pkiDebug("%s: did not find an acceptable SAN in user certificate\n", -+ __FUNCTION__); -+ return KRB5KDC_ERR_CLIENT_NAME_MISMATCH; -+ } -+ -+ return 0; -+} -+ -+static krb5_error_code -+pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata, -+ const uint8_t *cert, size_t cert_len, -+ krb5_const_principal princ, const void *opts, -+ const krb5_db_entry *db_entry, char ***authinds_out) -+{ -+ krb5_error_code ret; -+ int valid_eku; -+ const struct certauth_req_opts *req_opts = opts; -+ -+ *authinds_out = NULL; -+ -+ /* Verify the client EKU. 
*/
-+ ret = verify_client_eku(context, req_opts->plgctx, req_opts->reqctx,
-+ &valid_eku);
-+ if (ret)
-+ return ret;
-+
-+ if (!valid_eku) {
-+ pkiDebug("%s: did not find an acceptable EKU in user certificate\n",
-+ __FUNCTION__);
-+ return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
-+ }
-+
-+ return 0;
-+}
-+
-+static krb5_error_code
-+certauth_pkinit_san_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable)
-+{
-+ krb5_certauth_vtable vt;
-+
-+ if (maj_ver != 1)
-+ return KRB5_PLUGIN_VER_NOTSUPP;
-+ vt = (krb5_certauth_vtable)vtable;
-+ vt->name = "pkinit_san";
-+ vt->authorize = pkinit_san_authorize;
-+ return 0;
-+}
-+
-+static krb5_error_code
-+certauth_pkinit_eku_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable)
-+{
-+ krb5_certauth_vtable vt;
-+
-+ if (maj_ver != 1)
-+ return KRB5_PLUGIN_VER_NOTSUPP;
-+ vt = (krb5_certauth_vtable)vtable;
-+ vt->name = "pkinit_eku";
-+ vt->authorize = pkinit_eku_authorize;
-+ return 0;
-+}
-+
-+static krb5_error_code
-+load_certauth_plugins(krb5_context context, certauth_handle **handle_out)
-+{
-+ krb5_error_code ret;
-+ krb5_plugin_initvt_fn *modules = NULL, *mod;
-+ certauth_handle *list = NULL, h;
-+ size_t count;
-+
-+ /* Register the builtin modules. */
-+ ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH,
-+ "pkinit_san", certauth_pkinit_san_initvt);
-+ if (ret)
-+ goto cleanup;
-+
-+ ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH,
-+ "pkinit_eku", certauth_pkinit_eku_initvt);
-+ if (ret)
-+ goto cleanup;
-+
-+ ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CERTAUTH, &modules);
-+ if (ret)
-+ goto cleanup;
-+
-+ /* Allocate handle list. */
-+ for (count = 0; modules[count]; count++);
-+ list = k5calloc(count + 1, sizeof(*list), &ret);
-+ if (list == NULL)
-+ goto cleanup;
-+
-+ /* Initialize each module, ignoring ones that fail.
*/
-+ count = 0;
-+ for (mod = modules; *mod != NULL; mod++) {
-+ h = k5calloc(1, sizeof(*h), &ret);
-+ if (h == NULL)
-+ goto cleanup;
-+
-+ ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
-+ if (ret) {
-+ TRACE_CERTAUTH_VTINIT_FAIL(context, ret);
-+ free(h);
-+ continue;
-+ }
-+ h->moddata = NULL;
-+ if (h->vt.init != NULL) {
-+ ret = h->vt.init(context, &h->moddata);
-+ if (ret) {
-+ TRACE_CERTAUTH_INIT_FAIL(context, h->vt.name, ret);
-+ free(h);
-+ continue;
-+ }
-+ }
-+ list[count++] = h;
-+ list[count] = NULL;
-+ }
-+ list[count] = NULL;
-+
-+ ret = 0;
-+ *handle_out = list;
-+ list = NULL;
-+
-+cleanup:
-+ k5_plugin_free_modules(context, modules);
-+ free_certauth_handles(context, list);
-+ return ret;
-+}
-+
- static int
- pkinit_server_plugin_init(krb5_context context,
- krb5_kdcpreauth_moddata *moddata_out,
-@@ -1338,6 +1591,8 @@ pkinit_server_plugin_init(krb5_context context,
- {
- krb5_error_code retval = ENOMEM;
- pkinit_kdc_context plgctx, *realm_contexts = NULL;
-+ certauth_handle *certauth_modules = NULL;
-+ krb5_kdcpreauth_moddata moddata;
- size_t i, j;
- size_t numrealms;
-
-@@ -1368,16 +1623,22 @@ pkinit_server_plugin_init(krb5_context context,
- goto errout;
- }
-
-- *moddata_out = (krb5_kdcpreauth_moddata)realm_contexts;
-- retval = 0;
-- pkiDebug("%s: returning context at %p\n", __FUNCTION__, realm_contexts);
-+ retval = load_certauth_plugins(context, &certauth_modules);
-+ if (retval)
-+ goto errout;
-+
-+ moddata = k5calloc(1, sizeof(*moddata), &retval);
-+ if (moddata == NULL)
-+ goto errout;
-+ moddata->realm_contexts = realm_contexts;
-+ moddata->certauth_modules = certauth_modules;
-+ *moddata_out = moddata;
-+ pkiDebug("%s: returning context at %p\n", __FUNCTION__, moddata);
-+ return 0;
-
- errout:
-- if (retval) {
-- pkinit_server_plugin_fini(context,
-- (krb5_kdcpreauth_moddata)realm_contexts);
-- }
--
-+ free_realm_contexts(context, realm_contexts);
-+ free_certauth_handles(context, certauth_modules);
- return retval;
- }
-
-@@ -1405,17 +1666,11 @@ static void
- pkinit_server_plugin_fini(krb5_context context,
- krb5_kdcpreauth_moddata moddata)
- {
-- pkinit_kdc_context *realm_contexts = (pkinit_kdc_context *)moddata;
-- int i;
--
-- if (realm_contexts == NULL)
-+ if (moddata == NULL)
- return;
--
-- for (i = 0; realm_contexts[i] != NULL; i++) {
-- pkinit_server_plugin_fini_realm(context, realm_contexts[i]);
-- }
-- pkiDebug("%s: freeing context at %p\n", __FUNCTION__, realm_contexts);
-- free(realm_contexts);
-+ free_realm_contexts(context, moddata->realm_contexts);
-+ free_certauth_handles(context, moddata->certauth_modules);
-+ free(moddata);
- }
-
- static krb5_error_code
-diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
-index b3f5cbb20..458d0961e 100644
---- a/src/plugins/preauth/pkinit/pkinit_trace.h
-+++ b/src/plugins/preauth/pkinit/pkinit_trace.h
-@@ -91,4 +91,9 @@
- #define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \
- TRACE(c, "PKINIT OpenSSL error: {str}", msg)
-
-+#define TRACE_CERTAUTH_VTINIT_FAIL(c, ret) \
-+ TRACE(c, "certauth module failed to init vtable: {kerr}", ret)
-+#define TRACE_CERTAUTH_INIT_FAIL(c, name, ret) \
-+ TRACE(c, "certauth module {str} failed to init: {kerr}", name, ret)
-+
- #endif /* PKINIT_TRACE_H */
-diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
-index b55469146..0e93d6b59 100644
---- a/src/tests/Makefile.in
-+++ b/src/tests/Makefile.in
-@@ -167,6 +167,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
- $(RUNPYTEST) $(srcdir)/t_preauth.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
-+ $(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS)
-
- clean:
- $(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest
-diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py
-new file mode 100644
-index 000000000..e64a57b0d
---- /dev/null
-+++ b/src/tests/t_certauth.py
-@@ -0,0
+1,47 @@
-+#!/usr/bin/python
-+from k5test import *
-+
-+# Skip this test if pkinit wasn't built.
-+if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
-+ skip_rest('certauth tests', 'PKINIT module not built')
-+
-+certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
-+ca_pem = os.path.join(certs, 'ca.pem')
-+kdc_pem = os.path.join(certs, 'kdc.pem')
-+privkey_pem = os.path.join(certs, 'privkey.pem')
-+user_pem = os.path.join(certs, 'user.pem')
-+
-+modpath = os.path.join(buildtop, 'plugins', 'certauth', 'test',
-+ 'certauth_test.so')
-+pkinit_krb5_conf = {'realms': {'$realm': {
-+ 'pkinit_anchors': 'FILE:%s' % ca_pem}},
-+ 'plugins': {'certauth': {'module': ['test1:' + modpath,
-+ 'test2:' + modpath],
-+ 'enable_only': ['test1', 'test2']}}}
-+pkinit_kdc_conf = {'realms': {'$realm': {
-+ 'default_principal_flags': '+preauth',
-+ 'pkinit_eku_checking': 'none',
-+ 'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem),
-+ 'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}}
-+
-+file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
-+
-+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-+ get_creds=False)
-+
-+# Let the test module match user to CN=user, with indicators.
-+realm.kinit(realm.user_princ,
-+ flags=['-X', 'X509_user_identity=%s' % file_identity])
-+realm.klist(realm.user_princ)
-+realm.run([kvno, realm.host_princ])
-+realm.run(['./adata', realm.host_princ],
-+ expected_msg='+97: [test1, test2, user, indpkinit1, indpkinit2]')
-+
-+# Let the test module mismatch with user2 to CN=user.
-+realm.addprinc("user2@KRBTEST.COM")
-+out = realm.kinit("user2@KRBTEST.COM",
-+ flags=['-X', 'X509_user_identity=%s' % file_identity],
-+ expected_code=1,
-+ expected_msg='kinit: Certificate mismatch')
-+
-+success("certauth tests")
diff --git a/Add-hostname-based-ccselect-module.patch b/Add-hostname-based-ccselect-module.patch
deleted file mode 100644
index b56b8d3..0000000
--- a/Add-hostname-based-ccselect-module.patch
+++ /dev/null
@@ -1,293 +0,0 @@
-From 632575ab12fc5d6c9bdc83cb8200fb8f4f422b83 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Wed, 23 Aug 2017 17:25:17 -0400
-Subject: [PATCH] Add hostname-based ccselect module
-
-The hostname module selects the ccache whose realm is the longest
-parent domain tail of the uppercase server hostname.
-
-[ghudson@mit.edu: minor edits]
-
-ticket: 8613 (new)
-(cherry picked from commit a4ddc6cf576b4155e6b994307902567f26f752b2)
----
- doc/admin/conf_files/krb5_conf.rst | 4 +
- src/lib/krb5/ccache/Makefile.in | 3 +
- src/lib/krb5/ccache/cc-int.h | 4 +
- src/lib/krb5/ccache/ccselect.c | 5 ++
- src/lib/krb5/ccache/ccselect_hostname.c | 146 ++++++++++++++++++++++++++++++++
- src/tests/gssapi/t_ccselect.py | 9 ++
- 6 files changed, 171 insertions(+)
- create mode 100644 src/lib/krb5/ccache/ccselect_hostname.c
-
-diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
-index 1d9bc9e34..9c1ee94a4 100644
---- a/doc/admin/conf_files/krb5_conf.rst
-+++ b/doc/admin/conf_files/krb5_conf.rst
-@@ -745,6 +745,10 @@ disabled with the disable tag):
- Uses the service realm to guess an appropriate cache from the
- collection
-
-+**hostname**
-+ If the service principal is host-based, uses the service hostname
-+ to guess an appropriate cache from the collection
-+
- ..
_pwqual:
-
- pwqual interface
-diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in
-index 5ac870728..f84cf793e 100644
---- a/src/lib/krb5/ccache/Makefile.in
-+++ b/src/lib/krb5/ccache/Makefile.in
-@@ -34,6 +34,7 @@ STLIBOBJS= \
- ccdefops.o \
- ccmarshal.o \
- ccselect.o \
-+ ccselect_hostname.o \
- ccselect_k5identity.o \
- ccselect_realm.o \
- cc_dir.o \
-@@ -52,6 +53,7 @@ OBJS= $(OUTPRE)ccbase.$(OBJEXT) \
- $(OUTPRE)ccdefops.$(OBJEXT) \
- $(OUTPRE)ccmarshal.$(OBJEXT) \
- $(OUTPRE)ccselect.$(OBJEXT) \
-+ $(OUTPRE)ccselect_hostname.$(OBJEXT) \
- $(OUTPRE)ccselect_k5identity.$(OBJEXT) \
- $(OUTPRE)ccselect_realm.$(OBJEXT) \
- $(OUTPRE)cc_dir.$(OBJEXT) \
-@@ -70,6 +72,7 @@ SRCS= $(srcdir)/ccbase.c \
- $(srcdir)/ccdefops.c \
- $(srcdir)/ccmarshal.c \
- $(srcdir)/ccselect.c \
-+ $(srcdir)/ccselect_hostname.c \
- $(srcdir)/ccselect_k5identity.c \
- $(srcdir)/ccselect_realm.c \
- $(srcdir)/cc_dir.c \
-diff --git a/src/lib/krb5/ccache/cc-int.h b/src/lib/krb5/ccache/cc-int.h
-index ee9b5e0e9..d920367ce 100644
---- a/src/lib/krb5/ccache/cc-int.h
-+++ b/src/lib/krb5/ccache/cc-int.h
-@@ -123,6 +123,10 @@ k5_cccol_force_unlock(void);
- krb5_error_code
- krb5int_fcc_new_unique(krb5_context context, char *template, krb5_ccache *id);
-
-+krb5_error_code
-+ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable);
-+
- krb5_error_code
- ccselect_realm_initvt(krb5_context context, int maj_ver, int min_ver,
- krb5_plugin_vtable vtable);
-diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c
-index ee4b83a9b..393d39733 100644
---- a/src/lib/krb5/ccache/ccselect.c
-+++ b/src/lib/krb5/ccache/ccselect.c
-@@ -71,6 +71,11 @@ load_modules(krb5_context context)
- if (ret != 0)
- goto cleanup;
-
-+ ret = k5_plugin_register(context, PLUGIN_INTERFACE_CCSELECT, "hostname",
-+ ccselect_hostname_initvt);
-+ if (ret != 0)
-+ goto cleanup;
-+
- ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CCSELECT,
&modules);
- if (ret != 0)
- goto cleanup;
-diff --git a/src/lib/krb5/ccache/ccselect_hostname.c b/src/lib/krb5/ccache/ccselect_hostname.c
-new file mode 100644
-index 000000000..475cfabae
---- /dev/null
-+++ b/src/lib/krb5/ccache/ccselect_hostname.c
-@@ -0,0 +1,146 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/* lib/krb5/ccache/ccselect_hostname.c - hostname ccselect module */
-+/*
-+ * Copyright (C) 2017 by Red Hat, Inc.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * * Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "k5-int.h"
-+#include "cc-int.h"
-+#include
-+#include
-+
-+/* Swap a and b, using tmp as an intermediate.
*/
-+#define SWAP(a, b, tmp) \
-+ tmp = a; \
-+ a = b; \
-+ b = tmp;
-+
-+static krb5_error_code
-+hostname_init(krb5_context context, krb5_ccselect_moddata *data_out,
-+ int *priority_out)
-+{
-+ *data_out = NULL;
-+ *priority_out = KRB5_CCSELECT_PRIORITY_HEURISTIC;
-+ return 0;
-+}
-+
-+static krb5_error_code
-+hostname_choose(krb5_context context, krb5_ccselect_moddata data,
-+ krb5_principal server, krb5_ccache *ccache_out,
-+ krb5_principal *princ_out)
-+{
-+ krb5_error_code ret;
-+ char *p, *host = NULL;
-+ size_t hostlen;
-+ krb5_cccol_cursor col_cursor;
-+ krb5_ccache ccache, tmp_ccache, best_ccache = NULL;
-+ krb5_principal princ, tmp_princ, best_princ = NULL;
-+ krb5_data domain;
-+
-+ *ccache_out = NULL;
-+ *princ_out = NULL;
-+
-+ if (server->type != KRB5_NT_SRV_HST || server->length < 2)
-+ return KRB5_PLUGIN_NO_HANDLE;
-+
-+ /* Compute upper-case hostname. */
-+ hostlen = server->data[1].length;
-+ host = k5memdup0(server->data[1].data, hostlen, &ret);
-+ if (host == NULL)
-+ return ret;
-+ for (p = host; *p != '\0'; p++) {
-+ if (islower(*p))
-+ *p = toupper(*p);
-+ }
-+
-+ /* Scan the collection for a cache with a client principal whose realm is
-+ * the longest tail of the server hostname. */
-+ ret = krb5_cccol_cursor_new(context, &col_cursor);
-+ if (ret)
-+ goto done;
-+
-+ for (ret = krb5_cccol_cursor_next(context, col_cursor, &ccache);
-+ ret == 0 && ccache != NULL;
-+ ret = krb5_cccol_cursor_next(context, col_cursor, &ccache)) {
-+ ret = krb5_cc_get_principal(context, ccache, &princ);
-+ if (ret) {
-+ krb5_cc_close(context, ccache);
-+ break;
-+ }
-+
-+ /* Check for a longer match than we have. */
-+ domain = make_data(host, hostlen);
-+ while (best_princ == NULL ||
-+ best_princ->realm.length < domain.length) {
-+ if (data_eq(princ->realm, domain)) {
-+ SWAP(best_ccache, ccache, tmp_ccache);
-+ SWAP(best_princ, princ, tmp_princ);
-+ break;
-+ }
-+
-+ /* Try the next parent domain.
*/
-+ p = memchr(domain.data, '.', domain.length);
-+ if (p == NULL)
-+ break;
-+ domain = make_data(p + 1, hostlen - (p + 1 - host));
-+ }
-+
-+ if (ccache != NULL)
-+ krb5_cc_close(context, ccache);
-+ krb5_free_principal(context, princ);
-+ }
-+
-+ krb5_cccol_cursor_free(context, &col_cursor);
-+
-+ if (best_ccache != NULL) {
-+ *ccache_out = best_ccache;
-+ *princ_out = best_princ;
-+ } else {
-+ ret = KRB5_PLUGIN_NO_HANDLE;
-+ }
-+
-+done:
-+ free(host);
-+ return ret;
-+}
-+
-+krb5_error_code
-+ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable)
-+{
-+ krb5_ccselect_vtable vt;
-+
-+ if (maj_ver != 1)
-+ return KRB5_PLUGIN_VER_NOTSUPP;
-+ vt = (krb5_ccselect_vtable)vtable;
-+ vt->name = "hostname";
-+ vt->init = hostname_init;
-+ vt->choose = hostname_choose;
-+ return 0;
-+}
-diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
-index 668a2cc62..3503f9269 100755
---- a/src/tests/gssapi/t_ccselect.py
-+++ b/src/tests/gssapi/t_ccselect.py
-@@ -33,6 +33,7 @@ host1 = 'p:' + r1.host_princ
- host2 = 'p:' + r2.host_princ
- foo = 'foo.krbtest.com'
- foo2 = 'foo.krbtest2.com'
-+foobar = "foo.bar.krbtest.com"
-
- # These strings specify the target as a GSS name. The resulting
- # principal will have the host-based type, with the referral realm
-@@ -42,6 +43,7 @@ foo2 = 'foo.krbtest2.com'
- # single component.
- gssserver = 'h:host@' + foo
- gssserver2 = 'h:host@' + foo2
-+gssserver_bar = 'h:host@' + foobar
- gsslocal = 'h:host@localhost'
-
- # refserver specifies the target as a principal in the referral realm.
-@@ -77,10 +79,12 @@ r1.addprinc('host/localhost')
- r2.addprinc('host/localhost')
- r1.addprinc('host/' + foo)
- r2.addprinc('host/' + foo2)
-+r1.addprinc('host/' + foobar)
- r1.extract_keytab('host/localhost', r1.keytab)
- r2.extract_keytab('host/localhost', r2.keytab)
- r1.extract_keytab('host/' + foo, r1.keytab)
- r2.extract_keytab('host/' + foo2, r2.keytab)
-+r1.extract_keytab('host/' + foobar, r1.keytab)
-
- # Get tickets for one user in each realm (zaphod will be primary).
- r1.kinit(alice, password('alice'))
-@@ -128,6 +132,11 @@ output = r2.run(['./t_ccselect', gsslocal])
- if output != (zaphod + '\n'):
- fail('zaphod not chosen via default realm fallback')
-
-+# Check that realm ccselect fallback works correctly
-+r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
-+r2.kinit(zaphod, password('zaphod'))
-+r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
-+
- # Get a second cred in r1 (bob will be primary).
- r1.kinit(bob, password('bob'))
-
diff --git a/Add-k5test-expected_msg-expected_trace.patch b/Add-k5test-expected_msg-expected_trace.patch
deleted file mode 100644
index 16c1012..0000000
--- a/Add-k5test-expected_msg-expected_trace.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 9c6f61e30e11eca5c04daa3f0dce398602ef5801 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Tue, 17 Jan 2017 11:24:41 -0500
-Subject: [PATCH] Add k5test expected_msg, expected_trace
-
-In k5test.py, add the optional keyword argument "expected_msg" to
-methods that run commands, to make it easier to look for substrings in
-the command output. Add the optional keyword "expected_trace" to run
-the command with KRB5_TRACE enabled and look for an ordered series of
-substrings in the trace output.
-
-(cherry picked from commit 8bb5fce69a4aa6c3082fa7def66a93974e10e17a)
-[rharwood@redhat.com: Removed .gitignore change]
----
- src/config/post.in | 2 +-
- src/util/k5test.py | 37 ++++++++++++++++++++++++++++++++++---
- 2 files changed, 35 insertions(+), 4 deletions(-)
-
-diff --git a/src/config/post.in b/src/config/post.in
-index 7c7d86dc9..3643abad1 100644
---- a/src/config/post.in
-+++ b/src/config/post.in
-@@ -156,7 +156,7 @@ clean: clean-$(WHAT)
-
- clean-unix::
- $(RM) $(OBJS) $(DEPTARGETS_CLEAN) $(EXTRA_FILES)
-- $(RM) et-[ch]-*.et et-[ch]-*.[ch] testlog
-+ $(RM) et-[ch]-*.et et-[ch]-*.[ch] testlog testtrace
- -$(RM) -r testdir
-
- clean-windows::
-diff --git a/src/util/k5test.py b/src/util/k5test.py
-index c3d026377..4d30baf40 100644
---- a/src/util/k5test.py
-+++ b/src/util/k5test.py
-@@ -223,8 +223,11 @@ Scripts may use the following realm methods and attributes:
- command-line debugging options. Fail if the command does not return
- 0. Log the command output appropriately, and return it as a single
- multi-line string. Keyword arguments can contain input='string' to
-- send an input string to the command, and expected_code=N to expect a
-- return code other than 0.
-+ send an input string to the command, expected_code=N to expect a
-+ return code other than 0, expected_msg=MSG to expect a substring in
-+ the command output, and expected_trace=('a', 'b', ...)
to expect an
-+ ordered series of line substrings in the command's KRB5_TRACE
-+ output.
-
- * realm.kprop_port(): Returns a port number based on realm.portbase
- intended for use by kprop and kpropd.
-@@ -647,10 +650,31 @@ def _stop_or_shell(stop, shell, env, ind):
- subprocess.call(os.getenv('SHELL'), env=env)
-
-
--def _run_cmd(args, env, input=None, expected_code=0):
-+# Read tracefile and look for the expected strings in successive lines.
-+def _check_trace(tracefile, expected):
-+ output('*** Trace output for previous command:\n')
-+ i = 0
-+ with open(tracefile, 'r') as f:
-+ for line in f:
-+ output(line)
-+ if i < len(expected) and expected[i] in line:
-+ i += 1
-+ if i < len(expected):
-+ fail('Expected string not found in trace output: ' + expected[i])
-+
-+
-+def _run_cmd(args, env, input=None, expected_code=0, expected_msg=None,
-+ expected_trace=None):
- global null_input, _cmd_index, _last_cmd, _last_cmd_output, _debug
- global _stop_before, _stop_after, _shell_before, _shell_after
-
-+ if expected_trace is not None:
-+ tracefile = 'testtrace'
-+ if os.path.exists(tracefile):
-+ os.remove(tracefile)
-+ env = env.copy()
-+ env['KRB5_TRACE'] = tracefile
-+
- if (_match_cmdnum(_debug, _cmd_index)):
- return _debug_cmd(args, env, input)
-
-@@ -679,6 +703,13 @@ def _run_cmd(args, env, input=None, expected_code=0):
- # Check the return code and return the output.
- if code != expected_code:
- fail('%s failed with code %d.' % (args[0], code))
-+
-+ if expected_msg is not None and expected_msg not in outdata:
-+ fail('Expected string not found in command output: ' + expected_msg)
-+
-+ if expected_trace is not None:
-+ _check_trace(tracefile, expected_trace)
-+
- return outdata
-
-
diff --git a/Add-support-to-query-the-SSF-of-a-GSS-context.patch b/Add-support-to-query-the-SSF-of-a-GSS-context.patch
deleted file mode 100644
index 299b0a4..0000000
--- a/Add-support-to-query-the-SSF-of-a-GSS-context.patch
+++ /dev/null
@@ -1,419 +0,0 @@
-From a3408731e3d73f99028f20c3f33caa5a411b430c Mon Sep 17 00:00:00 2001
-From: Simo Sorce
-Date: Thu, 30 Mar 2017 11:27:09 -0400
-Subject: [PATCH] Add support to query the SSF of a GSS context
-
-Cyrus SASL provides a Security Strength Factor number to assess the
-relative "strength" of the negotiated mechanism, and applications
-sometimes make access control decisions based on it.
-
-Add a call that allows us to query the mechanism that established the
-GSS security context to ask what is the current SSF, based on the
-enctype of the session key.
-
-ticket: 8569 (new)
-(cherry picked from commit 7feb7da54c0321b5a3eeb6c3797846a3cf7eda28)
-[rharwood@redhat.com: hide GSS_KRB5_GET_CRED_IMPERSONATOR symbol]
----
- src/include/k5-int.h | 1 +
- src/lib/crypto/krb/crypto_int.h | 1 +
- src/lib/crypto/krb/enctype_util.c | 16 ++++++++++++++++
- src/lib/crypto/krb/etypes.c | 33 ++++++++++++++++++---------------
- src/lib/crypto/libk5crypto.exports | 1 +
- src/lib/gssapi/generic/gssapi_ext.h | 11 +++++++++++
- src/lib/gssapi/generic/gssapi_generic.c | 9 +++++++++
- src/lib/gssapi/krb5/gssapiP_krb5.h | 6 ++++++
- src/lib/gssapi/krb5/gssapi_krb5.c | 4 ++++
- src/lib/gssapi/krb5/inq_context.c | 27 +++++++++++++++++++++++++++
- src/lib/gssapi/libgssapi_krb5.exports | 1 +
- src/lib/gssapi32.def | 3 +++
- src/lib/krb5_32.def | 3 +++
- src/tests/gssapi/t_enctypes.c | 14 ++++++++++++++
- 14 files changed, 115 insertions(+), 15 deletions(-)
-
-diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index cea644d0a..06ca2b66d 100644
---- a/src/include/k5-int.h
-+++ b/src/include/k5-int.h
-@@ -2114,6 +2114,7 @@ krb5_get_tgs_ktypes(krb5_context, krb5_const_principal, krb5_enctype **);
- krb5_boolean krb5_is_permitted_enctype(krb5_context, krb5_enctype);
-
- krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype);
-+krb5_error_code k5_enctype_to_ssf(krb5_enctype enctype, unsigned int *ssf_out);
-
- krb5_error_code krb5_kdc_rep_decrypt_proc(krb5_context, const
krb5_keyblock *,
- krb5_const_pointer, krb5_kdc_rep *);
-diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
-index d75b49c69..e5099291e 100644
---- a/src/lib/crypto/krb/crypto_int.h
-+++ b/src/lib/crypto/krb/crypto_int.h
-@@ -111,6 +111,7 @@ struct krb5_keytypes {
- prf_func prf;
- krb5_cksumtype required_ctype;
- krb5_flags flags;
-+ unsigned int ssf;
- };
-
- #define ETYPE_WEAK 1
-diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c
-index 0ed74bd6e..b1b40e7ec 100644
---- a/src/lib/crypto/krb/enctype_util.c
-+++ b/src/lib/crypto/krb/enctype_util.c
-@@ -131,3 +131,19 @@ krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest,
- return ENOMEM;
- return 0;
- }
-+
-+/* The security of a mechanism cannot be summarized with a simple integer
-+ * value, but we provide a per-enctype value for Cyrus SASL's SSF. */
-+krb5_error_code
-+k5_enctype_to_ssf(krb5_enctype enctype, unsigned int *ssf_out)
-+{
-+ const struct krb5_keytypes *ktp;
-+
-+ *ssf_out = 0;
-+
-+ ktp = find_enctype(enctype);
-+ if (ktp == NULL)
-+ return EINVAL;
-+ *ssf_out = ktp->ssf;
-+ return 0;
-+}
-diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c
-index 0e5e977d4..53d4a5c79 100644
---- a/src/lib/crypto/krb/etypes.c
-+++ b/src/lib/crypto/krb/etypes.c
-@@ -42,7 +42,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_des_string_to_key, k5_rand2key_des,
- krb5int_des_prf,
- CKSUMTYPE_RSA_MD5_DES,
-- ETYPE_WEAK },
-+ ETYPE_WEAK, 56 },
- { ENCTYPE_DES_CBC_MD4,
- "des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4",
- &krb5int_enc_des, &krb5int_hash_md4,
-@@ -51,7 +51,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_des_string_to_key, k5_rand2key_des,
- krb5int_des_prf,
- CKSUMTYPE_RSA_MD4_DES,
-- ETYPE_WEAK },
-+ ETYPE_WEAK, 56 },
- { ENCTYPE_DES_CBC_MD5,
- "des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5",
- &krb5int_enc_des, &krb5int_hash_md5,
-@@ -60,7 +60,7 @@ const struct
krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_des_string_to_key, k5_rand2key_des,
- krb5int_des_prf,
- CKSUMTYPE_RSA_MD5_DES,
-- ETYPE_WEAK },
-+ ETYPE_WEAK, 56 },
- { ENCTYPE_DES_CBC_RAW,
- "des-cbc-raw", { 0 }, "DES cbc mode raw",
- &krb5int_enc_des, NULL,
-@@ -69,7 +69,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_des_string_to_key, k5_rand2key_des,
- krb5int_des_prf,
- 0,
-- ETYPE_WEAK },
-+ ETYPE_WEAK, 56 },
- { ENCTYPE_DES3_CBC_RAW,
- "des3-cbc-raw", { 0 }, "Triple DES cbc mode raw",
- &krb5int_enc_des3, NULL,
-@@ -78,7 +78,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_dk_string_to_key, k5_rand2key_des3,
- NULL, /*PRF*/
- 0,
-- ETYPE_WEAK },
-+ ETYPE_WEAK, 112 },
-
- { ENCTYPE_DES3_CBC_SHA1,
- "des3-cbc-sha1", { "des3-hmac-sha1", "des3-cbc-sha1-kd" },
-@@ -89,7 +89,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_dk_string_to_key, k5_rand2key_des3,
- krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_DES3,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 112 },
-
- { ENCTYPE_DES_HMAC_SHA1,
- "des-hmac-sha1", { 0 }, "DES with HMAC/sha1",
-@@ -99,7 +99,10 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_dk_string_to_key, k5_rand2key_des,
- NULL, /*PRF*/
- 0,
-- ETYPE_WEAK },
-+ ETYPE_WEAK, 56 },
-+
-+ /* rc4-hmac uses a 128-bit key, but due to weaknesses in the RC4 cipher, we
-+ * consider its strength degraded and assign it an SSF value of 64.
*/
- { ENCTYPE_ARCFOUR_HMAC,
- "arcfour-hmac", { "rc4-hmac", "arcfour-hmac-md5" },
- "ArcFour with HMAC/md5",
-@@ -110,7 +113,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
- k5_rand2key_direct, krb5int_arcfour_prf,
- CKSUMTYPE_HMAC_MD5_ARCFOUR,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 64 },
- { ENCTYPE_ARCFOUR_HMAC_EXP,
- "arcfour-hmac-exp", { "rc4-hmac-exp", "arcfour-hmac-md5-exp" },
- "Exportable ArcFour with HMAC/md5",
-@@ -121,7 +124,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
- k5_rand2key_direct, krb5int_arcfour_prf,
- CKSUMTYPE_HMAC_MD5_ARCFOUR,
-- ETYPE_WEAK
-+ ETYPE_WEAK, 40
- },
-
- { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-@@ -133,7 +136,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_aes_string_to_key, k5_rand2key_direct,
- krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_96_AES128,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 128 },
- { ENCTYPE_AES256_CTS_HMAC_SHA1_96,
- "aes256-cts-hmac-sha1-96", { "aes256-cts", "aes256-sha1" },
- "AES-256 CTS mode with 96-bit SHA-1 HMAC",
-@@ -143,7 +146,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_aes_string_to_key, k5_rand2key_direct,
- krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_96_AES256,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 256 },
-
- { ENCTYPE_CAMELLIA128_CTS_CMAC,
- "camellia128-cts-cmac", { "camellia128-cts" },
-@@ -155,7 +158,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_camellia_string_to_key, k5_rand2key_direct,
- krb5int_dk_cmac_prf,
- CKSUMTYPE_CMAC_CAMELLIA128,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 128 },
- { ENCTYPE_CAMELLIA256_CTS_CMAC,
- "camellia256-cts-cmac", { "camellia256-cts" },
- "Camellia-256 CTS mode with CMAC",
-@@ -166,7 +169,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_camellia_string_to_key, k5_rand2key_direct,
- krb5int_dk_cmac_prf,
- CKSUMTYPE_CMAC_CAMELLIA256,
-- 0 /*flags */ },
-+ 0 /*flags */,
256 },
-
- { ENCTYPE_AES128_CTS_HMAC_SHA256_128,
- "aes128-cts-hmac-sha256-128", { "aes128-sha2" },
-@@ -177,7 +180,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_aes2_string_to_key, k5_rand2key_direct,
- krb5int_aes2_prf,
- CKSUMTYPE_HMAC_SHA256_128_AES128,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 128 },
- { ENCTYPE_AES256_CTS_HMAC_SHA384_192,
- "aes256-cts-hmac-sha384-192", { "aes256-sha2" },
- "AES-256 CTS mode with 192-bit SHA-384 HMAC",
-@@ -187,7 +190,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_aes2_string_to_key, k5_rand2key_direct,
- krb5int_aes2_prf,
- CKSUMTYPE_HMAC_SHA384_192_AES256,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 256 },
- };
-
- const int krb5int_enctypes_length =
-diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports
-index 447e45644..82eb5f30c 100644
---- a/src/lib/crypto/libk5crypto.exports
-+++ b/src/lib/crypto/libk5crypto.exports
-@@ -108,3 +108,4 @@ krb5int_nfold
- k5_allow_weak_pbkdf2iter
- krb5_c_prfplus
- krb5_c_derive_prfplus
-+k5_enctype_to_ssf
-diff --git a/src/lib/gssapi/generic/gssapi_ext.h b/src/lib/gssapi/generic/gssapi_ext.h
-index 9ad44216d..9d3a7e736 100644
---- a/src/lib/gssapi/generic/gssapi_ext.h
-+++ b/src/lib/gssapi/generic/gssapi_ext.h
-@@ -575,4 +575,15 @@ gss_import_cred(
- }
- #endif
-
-+/*
-+ * When used with gss_inquire_sec_context_by_oid(), return a buffer set with
-+ * the first member containing an unsigned 32-bit integer in network byte
-+ * order. This is the Security Strength Factor (SSF) associated with the
-+ * secure channel established by the security context. NOTE: This value is
-+ * made available solely as an indication for use by APIs like Cyrus SASL that
-+ * classify the strength of a secure channel via this number. The strength of
-+ * a channel cannot necessarily be represented by a simple number.
-+ */
-+GSS_DLLIMP extern gss_OID GSS_C_SEC_CONTEXT_SASL_SSF;
-+
- #endif /* GSSAPI_EXT_H_ */
-diff --git a/src/lib/gssapi/generic/gssapi_generic.c b/src/lib/gssapi/generic/gssapi_generic.c
-index 5496aa335..fa144c2bf 100644
---- a/src/lib/gssapi/generic/gssapi_generic.c
-+++ b/src/lib/gssapi/generic/gssapi_generic.c
-@@ -157,6 +157,13 @@ static const gss_OID_desc const_oids[] = {
- {7, (void *)"\x2b\x06\x01\x05\x05\x0d\x19"},
- {7, (void *)"\x2b\x06\x01\x05\x05\x0d\x1a"},
- {7, (void *)"\x2b\x06\x01\x05\x05\x0d\x1b"},
-+
-+ /*
-+ * GSS_SEC_CONTEXT_SASL_SSF_OID 1.2.840.113554.1.2.2.5.15
-+ * iso(1) member-body(2) United States(840) mit(113554)
-+ * infosys(1) gssapi(2) krb5(2) krb5-gssapi-ext(5) sasl-ssf(15)
-+ */
-+ {11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f"},
- };
-
- /* Here are the constants which point to the static structure above.
-@@ -218,6 +225,8 @@ GSS_DLLIMP gss_const_OID GSS_C_MA_PFS = oids+33;
- GSS_DLLIMP gss_const_OID GSS_C_MA_COMPRESS = oids+34;
- GSS_DLLIMP gss_const_OID GSS_C_MA_CTX_TRANS = oids+35;
-
-+GSS_DLLIMP gss_OID GSS_C_SEC_CONTEXT_SASL_SSF = oids+36;
-+
- static gss_OID_set_desc gss_ma_known_attrs_desc = { 27, oids+9 };
- gss_OID_set gss_ma_known_attrs = &gss_ma_known_attrs_desc;
-
-diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
-index d7bdef7e2..ef030707e 100644
---- a/src/lib/gssapi/krb5/gssapiP_krb5.h
-+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
-@@ -1144,6 +1144,12 @@ gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *,
- const gss_OID,
- gss_buffer_set_t *);
-
-+#define GET_SEC_CONTEXT_SASL_SSF_OID_LENGTH 11
-+#define GET_SEC_CONTEXT_SASL_SSF_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f"
-+OM_uint32
-+gss_krb5int_sec_context_sasl_ssf(OM_uint32 *, const gss_ctx_id_t,
-+ const gss_OID, gss_buffer_set_t *);
-+
- #define GSS_KRB5_IMPORT_CRED_OID_LENGTH 11
- #define GSS_KRB5_IMPORT_CRED_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0d"
-
-diff --git
a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c -index 99092ccab..de4131980 100644 ---- a/src/lib/gssapi/krb5/gssapi_krb5.c -+++ b/src/lib/gssapi/krb5/gssapi_krb5.c -@@ -352,6 +352,10 @@ static struct { - { - {GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID}, - gss_krb5int_extract_authtime_from_sec_context -+ }, -+ { -+ {GET_SEC_CONTEXT_SASL_SSF_OID_LENGTH, GET_SEC_CONTEXT_SASL_SSF_OID}, -+ gss_krb5int_sec_context_sasl_ssf - } - }; - -diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c -index 9024b3c7e..d2e466e60 100644 ---- a/src/lib/gssapi/krb5/inq_context.c -+++ b/src/lib/gssapi/krb5/inq_context.c -@@ -310,3 +310,30 @@ gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *minor_status, - - return generic_gss_add_buffer_set_member(minor_status, &rep, data_set); - } -+ -+OM_uint32 -+gss_krb5int_sec_context_sasl_ssf(OM_uint32 *minor_status, -+ const gss_ctx_id_t context_handle, -+ const gss_OID desired_object, -+ gss_buffer_set_t *data_set) -+{ -+ krb5_gss_ctx_id_rec *ctx; -+ krb5_key key; -+ krb5_error_code code; -+ gss_buffer_desc ssfbuf; -+ unsigned int ssf; -+ uint8_t buf[4]; -+ -+ ctx = (krb5_gss_ctx_id_rec *)context_handle; -+ key = ctx->have_acceptor_subkey ? 
ctx->acceptor_subkey : ctx->subkey; -+ -+ code = k5_enctype_to_ssf(key->keyblock.enctype, &ssf); -+ if (code) -+ return GSS_S_FAILURE; -+ -+ store_32_be(ssf, buf); -+ ssfbuf.value = buf; -+ ssfbuf.length = sizeof(buf); -+ -+ return generic_gss_add_buffer_set_member(minor_status, &ssfbuf, data_set); -+} -diff --git a/src/lib/gssapi/libgssapi_krb5.exports b/src/lib/gssapi/libgssapi_krb5.exports -index 9facb3f42..936540e41 100644 ---- a/src/lib/gssapi/libgssapi_krb5.exports -+++ b/src/lib/gssapi/libgssapi_krb5.exports -@@ -37,6 +37,7 @@ GSS_C_MA_CBINDINGS - GSS_C_MA_PFS - GSS_C_MA_COMPRESS - GSS_C_MA_CTX_TRANS -+GSS_C_SEC_CONTEXT_SASL_SSF - gss_accept_sec_context - gss_acquire_cred - gss_acquire_cred_with_password -diff --git a/src/lib/gssapi32.def b/src/lib/gssapi32.def -index 362b9bce8..dff057754 100644 ---- a/src/lib/gssapi32.def -+++ b/src/lib/gssapi32.def -@@ -182,3 +182,6 @@ EXPORTS - gss_verify_mic_iov @146 - ; Added in 1.14 - GSS_KRB5_CRED_NO_CI_FLAGS_X @147 DATA -+; Added in 1.16 -+; GSS_KRB5_GET_CRED_IMPERSONATOR @148 DATA -+ GSS_C_SEC_CONTEXT_SASL_SSF @149 DATA -diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def -index e5b560dfc..f7b428e16 100644 ---- a/src/lib/krb5_32.def -+++ b/src/lib/krb5_32.def -@@ -470,3 +470,6 @@ EXPORTS - krb5_get_init_creds_opt_set_pac_request @435 - krb5int_trace @436 ; PRIVATE GSSAPI - krb5_expand_hostname @437 -+ -+; new in 1.16 -+ k5_enctype_to_ssf @438 ; PRIVATE GSSAPI -diff --git a/src/tests/gssapi/t_enctypes.c b/src/tests/gssapi/t_enctypes.c -index a2ad18f47..3fd31e2f8 100644 ---- a/src/tests/gssapi/t_enctypes.c -+++ b/src/tests/gssapi/t_enctypes.c -@@ -32,6 +32,7 @@ - - #include "k5-int.h" - #include "common.h" -+#include "gssapi_ext.h" - - /* - * This test program establishes contexts with the krb5 mech, the default -@@ -86,6 +87,9 @@ main(int argc, char *argv[]) - gss_krb5_lucid_context_v1_t *ilucid, *alucid; - gss_krb5_rfc1964_keydata_t *i1964, *a1964; - gss_krb5_cfx_keydata_t *icfx, *acfx; -+ gss_buffer_set_t bufset 
= GSS_C_NO_BUFFER_SET; -+ gss_OID ssf_oid = GSS_C_SEC_CONTEXT_SASL_SSF; -+ unsigned int ssf; - size_t count; - void *lptr; - int c; -@@ -139,6 +143,16 @@ main(int argc, char *argv[]) - establish_contexts(&mech_krb5, icred, acred, tname, flags, &ictx, &actx, - NULL, NULL, NULL); - -+ /* Query the SSF value and range-check the result. */ -+ major = gss_inquire_sec_context_by_oid(&minor, ictx, ssf_oid, &bufset); -+ check_gsserr("gss_inquire_sec_context_by_oid(ssf)", major, minor); -+ if (bufset->elements[0].length != 4) -+ errout("SSF buffer has unexpected length"); -+ ssf = load_32_be(bufset->elements[0].value); -+ if (ssf < 56 || ssf > 256) -+ errout("SSF value not within acceptable range (56-256)"); -+ (void)gss_release_buffer_set(&minor, &bufset); -+ - /* Export to lucid contexts. */ - major = gss_krb5_export_lucid_sec_context(&minor, &ictx, 1, &lptr); - check_gsserr("gss_export_lucid_sec_context(initiator)", major, minor); diff --git a/Add-test-case-for-PKINIT-DH-renegotiation.patch b/Add-test-case-for-PKINIT-DH-renegotiation.patch deleted file mode 100644 index 89d695d..0000000 --- a/Add-test-case-for-PKINIT-DH-renegotiation.patch +++ /dev/null 
@@ -1,45 +0,0 @@
-From 5faadd66bb278bcc1c618e199444e3012eeec215 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Wed, 11 Jan 2017 10:49:30 -0500
-Subject: [PATCH] Add test case for PKINIT DH renegotiation
-
-In t_pkinit.py, add a PKINIT test case where the KDC sends
-KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED and the client retries with the
-KDC's TD_DH_PARAMETERS value, using the clpreauth tryagain method.
-Use the trace log to verify that the renegotiation actually takes
-place.
-
-(cherry picked from commit 7ad7eb7fd591e6c789ea24b94eccbf74ee4d79f8)
----
- src/tests/t_pkinit.py | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
-index ac4d326b6..183977750 100755
---- a/src/tests/t_pkinit.py
-+++ b/src/tests/t_pkinit.py
-@@ -174,6 +174,24 @@ realm.kinit(realm.user_princ,
- '-X', 'flag_RSA_PROTOCOL=yes'])
- realm.klist(realm.user_princ)
-
-+# Test a DH parameter renegotiation by temporarily setting a 4096-bit
-+# minimum on the KDC.
-+tracefile = os.path.join(realm.testdir, 'trace')
-+minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
-+minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
-+realm.stop_kdc()
-+realm.start_kdc(env=minbits_env)
-+realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-X',
-+ 'X509_user_identity=' + file_identity, realm.user_princ])
-+with open(tracefile, 'r') as f:
-+ trace = f.read()
-+if ('Key parameters not accepted' not in trace or
-+ 'Preauth tryagain input types' not in trace or
-+ 'trying again with KDC-provided parameters' not in trace):
-+ fail('DH renegotiation steps not found in kinit trace log')
-+realm.stop_kdc()
-+realm.start_kdc()
-+
- # Run the basic test - PKINIT with FILE: identity, with a password on the key,
- # supplied by the prompter.
- # Expect failure if the responder does nothing, and we have no prompter.
diff --git a/Add-test-cert-generation-to-make-certs.sh.patch b/Add-test-cert-generation-to-make-certs.sh.patch
deleted file mode 100644
index eb7df73..0000000
--- a/Add-test-cert-generation-to-make-certs.sh.patch
+++ /dev/null
@@ -1,968 +0,0 @@ -From 5e3885e9d7c7cd2a19a291cdb1e54312ca7f7e1f Mon Sep 17 00:00:00 2001 -From: Matt Rogers -Date: Mon, 5 Dec 2016 12:22:45 -0500 -Subject: [PATCH] Add test cert generation to make-certs.sh - -Add additional test certificates for UPN matching. Run make-certs.sh -to regenerate certs. - -ticket: 8528 -(cherry picked from commit 5a1d0388ba2e4ec510ed715ce5fbc7f748941425) ---- - src/tests/dejagnu/pkinit-certs/ca.pem | 54 ++++++++++++------------ - src/tests/dejagnu/pkinit-certs/kdc.pem | 50 ++++++++++++---------- - src/tests/dejagnu/pkinit-certs/make-certs.sh | 53 ++++++++++++++++++++++- - src/tests/dejagnu/pkinit-certs/privkey-enc.pem | 52 +++++++++++------------ - src/tests/dejagnu/pkinit-certs/privkey.pem | 50 +++++++++++----------- - src/tests/dejagnu/pkinit-certs/user-enc.p12 | Bin 3029 -> 2837 bytes - src/tests/dejagnu/pkinit-certs/user-upn.p12 | Bin 0 -> 2829 bytes - src/tests/dejagnu/pkinit-certs/user-upn.pem | 28 +++++++++++++ - src/tests/dejagnu/pkinit-certs/user-upn2.p12 | Bin 0 -> 2813 bytes - src/tests/dejagnu/pkinit-certs/user-upn2.pem | 28 +++++++++++++ - src/tests/dejagnu/pkinit-certs/user-upn3.csr | 16 +++++++ - src/tests/dejagnu/pkinit-certs/user-upn3.p12 | Bin 0 -> 2829 bytes - src/tests/dejagnu/pkinit-certs/user-upn3.pem | 28 +++++++++++++ - src/tests/dejagnu/pkinit-certs/user.p12 | Bin 3104 -> 2837 bytes - src/tests/dejagnu/pkinit-certs/user.pem | 56 ++++++++++++------------- - 15 files changed, 283 insertions(+), 132 deletions(-) - create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn.p12 - create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn.pem - create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn2.p12 - create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn2.pem - create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.csr - create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.p12 - create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.pem - -diff --git 
a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/dejagnu/pkinit-certs/ca.pem -index 55fe02c92..44c917687 100644 ---- a/src/tests/dejagnu/pkinit-certs/ca.pem -+++ b/src/tests/dejagnu/pkinit-certs/ca.pem -@@ -1,29 +1,29 @@ - -----BEGIN CERTIFICATE----- --MIIE5TCCA82gAwIBAgIJANsFDWp1HgAaMA0GCSqGSIb3DQEBBQUAMIGnMQswCQYD --VQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJp --ZGdlMQwwCgYDVQQKEwNNSVQxKTAnBgNVBAsTIEluc2VjdXJlIFBraW5pdCBLZXJi --ZXJvcyB0ZXN0IENBMTMwMQYDVQQDFCpwa2luaXQgdGVzdCBzdWl0ZSBDQTsgZG8g --bm90IHVzZSBvdGhlcndpc2UwHhcNMTAwMTA2MTQ1MTI3WhcNMjMwOTE1MTQ1MTI3 --WjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNV --BAcTCUNhbWJyaWRnZTEMMAoGA1UEChMDTUlUMSkwJwYDVQQLEyBJbnNlY3VyZSBQ --a2luaXQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAxQqcGtpbml0IHRlc3Qgc3Vp --dGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlMIIBIjANBgkqhkiG9w0BAQEFAAOC --AQ8AMIIBCgKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmn --ZejPSKdNMyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6K --ueerevR3pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY7 --5NbXGIE488iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc --5dBSqBwVcjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOW --riIRmsqq81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABo4IBEDCCAQwwHQYDVR0O --BBYEFFn82RUKgTvkFn0cgwyCQpNeWCxYMIHcBgNVHSMEgdQwgdGAFFn82RUKgTvk --Fn0cgwyCQpNeWCxYoYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFz --c2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxKTAn --BgNVBAsTIEluc2VjdXJlIFBraW5pdCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQD --FCpwa2luaXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCCQDb --BQ1qdR4AGjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBVL2Q6Xubs --gm881cAy6esku17/BSTZur7hCLHTGof1ZKNcCXALjmwNYNC3tl6owqpX8CSdBdsD --Bw/Vs9p3mqnaVEoZc8uW8zS6LoAQbcqiYdQHdEXMh3ec8uvAfmdlQsIsm5Ux8q8L --NM6bKnUOqOFOHme+RC4FGOLb8JqnnuQdwyIZaUyQP6hXbw4zyDphfgo1ZlZn20xh --I555kPfAZKEi/d3WY0oN4k+sfCs9tWRNjmqZfKkH1OqRpjCFGG0b0vY77MFRMuPz --YtN2iD3plgla7KkUMljp9th/Z8Ok79uA1TNLYKzoBjlAX0vToxfa8rrSNo1dHFKT 
--e5Tj7+29DE4I -+MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx -+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz -+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug -+b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowgacxCzAJ -+BgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1i -+cmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtl -+cmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBk -+byBub3QgdXNlIG90aGVyd2lzZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -+ggEBANOWvXDyubZ/Kf8QYdPSRk/rsogzqS0rycNEJp/6rPpTS40UxGae5MyLHfmN -+l2mSevRoHSqhb7cfT6n9kR2kb3HB0qhhhecHey4sGwd+m7WMhBQgVtYaiWkuEQDC -+7/SWkRYzmYX8J41vrQulXU2/2pOQCmG4NKPsNo+vcKoT2SHl6qr3lflUaIG0wDu4 -+bFrWszkxcuSkU7SSXDf2xTTTJ8QftO6WQY3g0+dAhbjZFKxRO5uipxURez5EemVs -+Re86vXEILka85tiVS4maCn3l3FWMqcBHRFNa+/osTb0J/OmvvdQ3bzvscG7KDRtM -+bRUnpWClr5R+AbGVvKocj5I1+G0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBRrwMkO -+fMoN3ofjotSWjK0c27fYYjCB1AYDVR0jBIHMMIHJgBRrwMkOfMoN3ofjotSWjK0c -+27fYYqGBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0 -+dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoGA1UECgwDTUlUMSkwJwYDVQQLDCBJ -+bnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAwwqcGtpbml0 -+IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQE -+AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAN82zurZwM -+TugUG6b1symxXxOdDqwinwIlQjzXJ8mTRv31q+YwNdYvdWn1aex8v44qjFDjEP80 -+83y18CjjBHznwxsHll80QmFHjpy6xtRrUC/Ak7jfKnDiTKQYBdgmF4/UiVQu354e -+QI6jPMQlrWZXThlRuBjM55hs4tgRYeTgbd4VSZzVQXdm2ViZkg8SGqw0R2ZRnG91 -+dfXkhu/tTruguPAT3MQ2pTK/CoHHA4W2piQbBDqIl83fphRhYxyW/cCF2mvZZUhE -+AfWhgYDeTDxHKG3Jfmm+ujMo5HscgeUpJ7XjZdobNhkQjD1piyuGzFkUfo2XzA6m -+kMz4Jq4cnvpz - -----END CERTIFICATE----- -diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem b/src/tests/dejagnu/pkinit-certs/kdc.pem -index 5575ab579..8820ad447 100644 ---- a/src/tests/dejagnu/pkinit-certs/kdc.pem -+++ 
b/src/tests/dejagnu/pkinit-certs/kdc.pem -@@ -1,25 +1,29 @@ - -----BEGIN CERTIFICATE----- --MIIEMjCCAxqgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBpzELMAkGA1UEBhMCVVMx --FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG --A1UEChMDTUlUMSkwJwYDVQQLEyBJbnNlY3VyZSBQa2luaXQgS2VyYmVyb3MgdGVz --dCBDQTEzMDEGA1UEAxQqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug --b3RoZXJ3aXNlMB4XDTEwMDEwNjE0NTgwOFoXDTIzMDkxNTE0NTgwOFowSjELMAkG --A1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxFTATBgNVBAoTDEtSQlRF --U1QuQ09NIDEMMAoGA1UECxMDS0RDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB --CgKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmnZejPSKdN --MyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6KueerevR3 --pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY75NbXGIE4 --88iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc5dBSqBwV --cjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOWriIRmsqq --81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABo4HEMIHBMAkGA1UdEwQCMAAwCwYD --VR0PBAQDAgPoMBIGA1UdJQQLMAkGBysGAQUCAwUwHQYDVR0OBBYEFFn82RUKgTvk --Fn0cgwyCQpNeWCxYMB8GA1UdIwQYMBaAFFn82RUKgTvkFn0cgwyCQpNeWCxYMAkG --A1UdEgQCMAAwSAYDVR0RBEEwP6A9BgYrBgEFAgKgMzAxoA0bC0tSQlRFU1QuQ09N --oSAwHqADAgEBoRcwFRsGa3JidGd0GwtLUkJURVNULkNPTTANBgkqhkiG9w0BAQUF --AAOCAQEAP0byILHLWPyGlv/1HN34DfIpLdVkgGar2yceMtZ2v/7UjeA5PlZc8DFM --20bTq/vIN0eWDTPLI57e+MzQTMxs2UHsic4su0m5DG0cvQTsBXRK51CW/qUF+4n0 --qSEORULiDF6LNoo8akoLukNBhzBh+aqYt4aB46hhsmDmNZTDP1CXsNGHQI9/L52l --oqpUGx8tBpKIFos95PSajXrQn2u66rSMMi4aawitM2igurHPDMbC+XvEYMtXpOS5 --3PEzXEYiSV3TWLTzIE9ytswHeZyHCbp7XHx0LVZFxzqtIe4qmwJJOGhlbH21Izr4 --feF5h5e2ZrOVREY4cKkJmJhEwsqBVA== -+MIIE4TCCA8mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx -+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz -+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug -+b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSTELMAkG 
-+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF -+U1QuQ09NMQwwCgYDVQQDDANLREMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -+AoIBAQDTlr1w8rm2fyn/EGHT0kZP67KIM6ktK8nDRCaf+qz6U0uNFMRmnuTMix35 -+jZdpknr0aB0qoW+3H0+p/ZEdpG9xwdKoYYXnB3suLBsHfpu1jIQUIFbWGolpLhEA -+wu/0lpEWM5mF/CeNb60LpV1Nv9qTkAphuDSj7DaPr3CqE9kh5eqq95X5VGiBtMA7 -+uGxa1rM5MXLkpFO0klw39sU00yfEH7TulkGN4NPnQIW42RSsUTuboqcVEXs+RHpl -+bEXvOr1xCC5GvObYlUuJmgp95dxVjKnAR0RTWvv6LE29Cfzpr73UN2877HBuyg0b -+TG0VJ6Vgpa+UfgGxlbyqHI+SNfhtAgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUa8DJ -+DnzKDd6H46LUloytHNu32GIwgdQGA1UdIwSBzDCByYAUa8DJDnzKDd6H46LUloyt -+HNu32GKhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl -+dHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwg -+SW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5p -+dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIBATALBgNVHQ8E -+BAMCA+gwDAYDVR0TAQH/BAIwADBIBgNVHREEQTA/oD0GBisGAQUCAqAzMDGgDRsL -+S1JCVEVTVC5DT02hIDAeoAMCAQGhFzAVGwZrcmJ0Z3QbC0tSQlRFU1QuQ09NMBIG -+A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBABJpKRfoFxyOUp9i -+Z/fWql5anJuZElgBSbEC5sL2mMcmL/1vqkiYF3uF6/Z9g4X1LX4QDuvaXCJSdQ+b -+JpmhklSyFN+E/agxZtSim+AjTgYJ0y+jwNvX6kZQ8fW3VLNJZ+zbb4n4txfgSROn -+7ub+02mo4DYajyD9TE/qLzmVaiKLEKW0osjxX3fB1RN/d7zm//NDPsezzUzmKkgz -+u0ML7HGYUNY3+/SC4ShF/But1IoY3/I46lB6BMrIn9X6fsVKlipqrRFniUk0qDlJ -+fbKVB+MvGEFoqFNlMoGiufmDjnJl4PQZCVEmXO8wAVGeK8NpTBCjltAAsoVJVnjq -+AC5jSAM= - -----END CERTIFICATE----- -diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/dejagnu/pkinit-certs/make-certs.sh -index b82ef6f83..0f07709b0 100755 ---- a/src/tests/dejagnu/pkinit-certs/make-certs.sh -+++ b/src/tests/dejagnu/pkinit-certs/make-certs.sh -@@ -4,7 +4,9 @@ NAMETYPE=1 - KEYSIZE=2048 - DAYS=4000 - REALM=KRBTEST.COM -+LOWREALM=krbtest.com - KRB5_PRINCIPAL_SAN=1.3.6.1.5.2.2 -+KRB5_UPN_SAN=1.3.6.1.4.1.311.20.2.3 - PKINIT_KDC_EKU=1.3.6.1.5.2.3.5 - PKINIT_CLIENT_EKU=1.3.6.1.5.2.3.4 - TLS_SERVER_EKU=1.3.6.1.5.5.7.3.1 -@@ -85,6 +87,30 @@ keyUsage = 
nonRepudiation,digitalSignature,keyEncipherment,keyAgreement - basicConstraints = critical,CA:FALSE - subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_client - extendedKeyUsage = $CLIENT_EKU_LIST -+ -+[exts_upn_client] -+subjectKeyIdentifier = hash -+authorityKeyIdentifier = keyid:always,issuer:always -+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement -+basicConstraints = critical,CA:FALSE -+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$LOWREALM -+extendedKeyUsage = $CLIENT_EKU_LIST -+ -+[exts_upn2_client] -+subjectKeyIdentifier = hash -+authorityKeyIdentifier = keyid:always,issuer:always -+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement -+basicConstraints = critical,CA:FALSE -+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user -+extendedKeyUsage = $CLIENT_EKU_LIST -+ -+[exts_upn3_client] -+subjectKeyIdentifier = hash -+authorityKeyIdentifier = keyid:always,issuer:always -+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement -+basicConstraints = critical,CA:FALSE -+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$REALM -+extendedKeyUsage = $CLIENT_EKU_LIST - EOF - - # Generate a private key. -@@ -113,5 +139,30 @@ openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user.p12 \ - openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user-enc.p12 \ - -passout pass:encrypted - -+# Generate a client certificate and PKCS#12 bundles with a UPN SAN. 
-+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \ -+ -key privkey.pem -out user-upn.csr -+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn_client \ -+ -set_serial 4 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \ -+ -out user-upn.pem -in user-upn.csr -+openssl pkcs12 -export -in user-upn.pem -inkey privkey.pem -out user-upn.p12 \ -+ -passout pass: -+ -+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \ -+ -key privkey.pem -out user-upn2.csr -+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn2_client \ -+ -set_serial 5 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \ -+ -out user-upn2.pem -in user-upn2.csr -+openssl pkcs12 -export -in user-upn2.pem -inkey privkey.pem \ -+ -out user-upn2.p12 -passout pass: -+ -+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \ -+ -key privkey.pem -out user-upn3.csr -+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn3_client \ -+ -set_serial 6 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \ -+ -out user-upn3.pem -in user-upn3.csr -+openssl pkcs12 -export -in user-upn3.pem -inkey privkey.pem \ -+ -out user-upn3.p12 -passout pass: -+ - # Clean up. 
--rm -f openssl.cnf kdc.csr user.csr -+rm -f openssl.cnf kdc.csr user.csr user-upn.csr user-upn2.csr user-upn3.csr -diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem -index 9f7816f17..837fd0b01 100644 ---- a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem -+++ b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem -@@ -1,30 +1,30 @@ - -----BEGIN RSA PRIVATE KEY----- - Proc-Type: 4,ENCRYPTED --DEK-Info: DES-EDE3-CBC,91CA660D6286E453 -+DEK-Info: DES-EDE3-CBC,19FEC334A4D4391D - --DpJ5bo/AN37NcxTNv0Z4d5YomWqyryqYhuA43FlzWWKubld4Gp+owAv5BUd4VLx7 --Efq23ODfuiuh5zna/ZXnY+9m8RHS5AxDd2Kr1s/fVsn+m2Lw9qS69DLjxTjEuDLU --AwmVADqQUbvocZEt0Byn9oY4ku2lGOY/ax7tZ1WegLInnoCqT2xGC6TLw7Gwr3mX --z6xFB2Yv4PbvVU8y4V+ka0p5manxptYkrbAkC+vrC4LPUACdbonmpeXUxAfVV9hL --EMzY74IqY2QS1xFMhbLh2HunfjjC3HZ1wXMf1/LtLl1nnodiOk5o+MTLEHO+npaO --rJn2z3V/eQsr93M8/K5ONQcPAKZGOCmNpNQUj1UHnUHEubhpI+nqRYe3vqem5GaH --8gn+uc1/N6c/Bs037iSLWvkgk8mvHgH/26JobZ8qg9yYgVUl3AIVkkGwLGhE5+Kn --593/p4E5Mb6ttv3ZJ4f3Mz/1b84guhTENY67zxnQEGnpEjfRKoEN1vmHi6mIuWld --rrUCJ/x1Yvy2tN9eyuTNsGCcfvPeY22RrKgl7Wi0EIvBlLPKBQxqXOA7Mi9Acapd --+n5pW2Ka2FABSifZ36owa7SJEJ0GLMtdHmZPirolgIjOZVOMbSj2UuR/kXVZjZUM --LcRcVI1z8NgKF3RKs653HqkphcyRQMMQrL/A38t+v0zFA2P3HPoNWcD+BfKg0H37 --bHPjXdlvAD5yiFXKb1XN99utW5G/qCq5CdzAirm7drxR0bs4ZIV4SwTulvWLW644 --RYes8x7WKg3WUxtair++c1eTwTPhMLz/SxERYXxSUqpxJiRgYTQhwwbE22P6FCWT --H9pso5IMi6AJp35CGaYHi78NPLWVmrxgkkv2uBoDFd/iIQTac60aG/F86aozQD7V --DmHINEcsN3lVUmHinoNTcIfc5EZVEbLQIBhy3XI0UDxWuLnchVlU3ad1OKqknbbi --Ik3lmeLz07JFbpCcMk+xDlQsZYbxcRzyRh0NsWvHXuG77Hbcrnk3ndxT8wADsfOn --foXf1/R/gf7PDmte3nFlpEcJCHyeY1haIqgk4WsnUUKP56O75cGF1ylkaBrDPlLw --WaN2Li537ALo6TyB0jspdCzPqIRt8Gr4muoX0tqFjSfKaWmRb3Y7i6jbVrh8d6KV --xqLse0Vkaip4Lgf/VUWOTvlfHz9nLD0xR6OUPeQ3jxGdhLxmcYec1oRj1aVMlp6f --PyC6TN+NlPEtv6KWWB9OMc420DGOWllvS5+zsm7Ff7/5TkXlWmlhfhrkyQVy8NOe --/3ygPbpSfCFjJMwdbEX+ic/Qjk04f3CluP3FYiIG/Pd6ny6rclrhPHg08X6+sciU 
--Rj7QtoFpVsDvde2QO0depdoysAG1j1a+sas2lYNPG8hdzbPe20xIJCmF0fWfdxOy --BxxtKzpq46S8xKLfxAMvKrZNuZy5xhs3JMUjpxTIam7ZiQXd752LdzGx2s4CII6d --mkeQ/d32TDACAxyEK8es4Mcm3IoCAq/NjIU/ICwGDeOmfDUpsV2TMrg+aKMKcwUE --UK4bMXercw7Cs0C3o6mdCTFrTtsihHNTrbb7yyN83XK76niSc+LREbuJ8T0vp1Yh -+S6pSicLj30Jlnu2OnYM0eXCvwAHR3xMhhl2N0gheWUGkjicqTdW6ft1qCmGBre9b -+/aTSF1ajvFC+YQ/iABznWNmRNZKCzTK1dQ6P73p83uNqWt/cfe+pVYdeHw3u8NKA -+fscciBtxnHNaAs16GX5/j1XXRPb+zmUe18A+VFMRgctbaurk+KbxO8qVUkzt9NNa -+v5zHkXnaJf6ixL6zR3cOCJWPGy4GmGeFIytQos5Jgn23Pjn8BHAXf39GMs2n6g5V -+eE5RAGDeXqPv/tO1kN0/RSKDeIPvKW6REklXraRUle0PNN5g5l3umSkg4fkplusp -+nTsQCRWkqyVcMpxcf0wy7F2ZPOYIWDt1/pzAHC7y/fl0uCQPz0Qd1smwt0ABKcZv -+m9zaMq6lkKYnBOxPiYIlWVlQi3RLDiQyAWQz/nF0SKsE88SUlB83quySJsZsLKzk -+MR/C+ccSiHqMiDKVj5Ts1go+gbj8Vhlto8jH6ynQj6lrOIczyMmgUa0v0dFH3i3/ -+WL/8ydJ0otY67A8w5yH3hMzRChXQZlpTmH2dDhAv6EzKBi8eIiB0Em+laz5lDv6C -+SfNxZa1/+bSAvXr7LwllUu+Gzbu7MNLwfB2ieTqdFQGA659DjnMqyBGLFzni4Ir0 -+Hi6Uh6yQubTm07oqyUHAsChGFE4Efh4O0rCbKKPZuSVfimUZcE6JM9IjRC/0DIwr -+LZSYqsFgn44byrc62qV2JAE2ua+/4aHHI28hIZ3MDLwyYpCQL/FAUZtqZvni+zgw -+yoHLRDbdrqPps6P71T6Pw6OQzAYC7AL/FsZnLJK78nI+Yai0dpyv/QWiFSXoDEVN -+6vQoDv/VZbNIctr31OE4XyjIMiTpn3FPa3VSbKM4/h7SthjwEV2ONNfR8XQF+siz -+3NhOjEFrZ6UGHvT06wo/hp4CM7u580fNu5HvyCyIwkx9CZRLHvG6Vu0emlzDfQhE -+qxQs6L7IM8A46/LPSTtmEA8Rrn51YY9NChMdY6j3rLe4NLxxOCE6JYaGWVWBBawK -+k3y9z6L9gWRwxEfCgWIutDrYtmA2aj6y/vRS6LrotCNeN5qBx+TdRnh6uCqbi1T8 -+4rF20TVhNZ/l+pkH/ehY9OJ/zpwdbTq4FlE0wWQZB/vwbYP5CZKF+rU6IXnCZEjt -+Ak6Bka9mFm9Z/TvnKIRYiXELq32zOJAuEOQ576tkDX2rAuIQAfE9biX2qo0gbsJo -+1RIfXekRurD/HX54blv5mNqUV34gl+ngPpV5nNDy7RuTAdP77Mu7/ynaPfnM7nqu -+rECbZVv1HZSgTi+7G9SUjn4Bg36p4NiF0/dZ2W70byYIQvNPNqU1kyeSrZk/43te -+NwFgpoAKVbMD1rZ+0xM2YCFFKQZZMN1a5tn8/1TWPlPU28Tu3ZliGeWMdeKd4/MP -+vfH1pE58qVcyOngjLqGkk0L5A7WOAgu+vibKrxGxywwVLx/GfDFqnNr6H0buwXrk -+vuKBTo0r3pcbaZt3kaYBm0d3zznQI1O/pX+eGiNr/rI86j4KC+jUSoKi4BdUeuDN -+p1x6qyEK37kgVXiUyiEXO7e1arLBZMfFRTNKVsN5ewL441eCIgs5gA== - -----END RSA PRIVATE KEY----- -diff --git 
a/src/tests/dejagnu/pkinit-certs/privkey.pem b/src/tests/dejagnu/pkinit-certs/privkey.pem -index 1825dec4e..7e9beb09a 100644 ---- a/src/tests/dejagnu/pkinit-certs/privkey.pem -+++ b/src/tests/dejagnu/pkinit-certs/privkey.pem -@@ -1,27 +1,27 @@ - -----BEGIN RSA PRIVATE KEY----- --MIIEpQIBAAKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmn --ZejPSKdNMyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6K --ueerevR3pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY7 --5NbXGIE488iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc --5dBSqBwVcjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOW --riIRmsqq81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABAoIBAQCSMh5Tu9S2yUwM --dEZmZiGxhuf+anAZZAOjqT4QeLI/Fmu3yBNM7rq+p7JrAabyp6pOq46EsXXyWtWS --SB742wWUk2quGMNVQAj0TAJyhNgGstr+XJu8k8BBPnlycobhF0lP/oH+uQifl0KR --iSoWLjEG5JTOoXs/UAD6nQMBDDhv9TweEwSyIY9jq1J5Q3wVXm/Nr/FJ/8O53guJ --/TQeo6dtdx6x2+oxKkeWinfxmy2nSoEZd0eb3WUNPZswijO7QgSJolOo83VNqFcn --lj8hYT41zUM4chple8kGnuSV4ql4a1w/52dSTLKJbgukIqvxeDtKNost344eQqkS --Lwcc+NO5AoGBAM0bR8TmFlbP4RJAEOOilXTYgP6Ttd1r1mRXGi3DRPyv4EWGT7WW --MmBHsqU6Mqz+fcoD/AIy1BBdenhaYrrwyCSvitJpoHPjqzOJDX33wUcrnYeincQ3 --PVzpF41O45vTmm692DSJ8t/uR8DhGpCzf/kxuA9ixvdKgMPgBHYeb5zlAoGBAMSY --KZvgwbtlRR25CGaUgOCHtW76puaPcyxEeCbJEKkJO1vZDAf8vi1zXOM4e/gorKHm --349ZrBQfFCrvtZG//KvI12MpjBs0Z/ijSCwS4EkYJaSH+Hm+1ygLdArwWEFkNncL --qQ+Wme1OUoDiAAxRiBKUxUF/pAQqn7X+0MGa2th3AoGBAJ8kRaFu7XJaRUZF01Ts --d4571kqxDXFKFMUyGCvd0Q9G33rSZdJ9QYUW3HP7HgrAQ5WVVdnW2lgAT+BGMUjf --PkvIsKvmLQr+YX3RH1jX/W1dWBM/h64RNll6uj14Mn5bxv2Z68GIL5y0Y5QylMwl --mmwdubSmbb6+Xf6dOJj1sKBJAoGBAJwP0tAMHp6daL2Mmk+cSaZz9KJx1bYnYB1f --CSZ47IHTc0yZQ0S/7VR1ROKXf0njOA+aEBRi8ghTF5ZyDefyySixWdI9NByQgIzP --Sca7AVLlGVTAH4694VzHosngO59FZzsfhYh7XBwW1cW8Ip+kxWlCskgphFFOaNR3 --wM5AGMRHAoGAJELs9VYPRJd7h4dPUa2RqfVPlYkcMwvoLYykY0wE5mjoNaJkQbUr --W5aKhidh4h48fImt2rpB6OYSofYC4yu3VDEr/Kl2nSb8UPE5qEd1pvmdkHSxMNkh --M2diIqot6s2v20lE/6UCqLXonlquRK1MAlyfPw9yZHP9meCvlBsYZXc= 
-+MIIEowIBAAKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTE -+Zp7kzIsd+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW -+1hqJaS4RAMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV -++VRogbTAO7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6Kn -+FRF7PkR6ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91Ddv -+O+xwbsoNG0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABAoIBAH28SS0ygFvLq4gw -+EwJOJYxeswQvNuxp5gcMm6tbyqkjEHVxDtkwuSQ304M1ufF5o2lT6Wko7/sxNyT8 -+Utz7l2JRXL7E3U6R6ohgm1tTyHIVY3OWWCP5Nwjy4BXEwdVmGCfKWAP/+P0ajQmr -+pguK4/fmk9TIIzf6Kd4u0lOvYcu7AYfaBj9OSSF08IoE1EA9gY3Mh9k8C3d3JDhG -+hoJKwMAIX0PRyx6cvmpuAJyPf+19K0/SmzpbdNOHfIXZKtfYw3HxmebhhyCxqNsY -+opI2fpn8joasvfcXICBFRHreSu4nKc8ky6FkMIc5KZRiSP//N3oFM7ZLxciMjfgl -+bCYqST0CgYEA7xfrB4atDYApsmLk92uHnC2bOmJhncfAuLHh8M35fk09Jt6CMYPx -+Ydp4cKYzMemO5zzHxdMnlmISIWWtNbm/gR74KZwOmhFFEP2LE09hpAXRBfQvN5af -+RZwMZ9uyJU5ByecXbIt0cuNerl8sKJfG1S+/maD3dZvr78K4Jd6StTcCgYEA4ozu -+okBTEZ9h7lxdBBbZcO8i/eikPeKnCEBaSryf3K3Pr/k8Ssaa7MYOT9yD+iRwU/uV -+n13BA1I9PvdcWl6ewZdOYX4jCVCIsLs7ed4wfwLxGQMZIVHPZ59lRmVsZFO08g0D -+27U/rUZBpMHl+ppq/FfBjyyUSqayKjcBoFXx0XsCgYAOzQM+pwaldE6gfWDBNEXj -+1Crs1VRHqSr0BAcBmi6cs/laI6IZoJpbvWOBTbiTmWrAQ9H2HBkyRQXsTVgIoGQL -+gThJkyCQRwtoftmSK3LW7Yk//hrCLS/U5lEaSM5hYtPNxOF9VbCywAKHdtrL9IFZ -+hygsQXuwKyPS5tHxfjLExwKBgQC1D+Hg9vvtB67jLBqDHCfopJcYywgJFc5dP+Fp -+/dreKmPkxpMzSAul1Jy3owwvrVPBKz9nwSxzlRSx8Ex1RU4odt8D+CXUWfMFHH7q -+ZXPo7tb2II3DHXlf3fq5CnJYtLXXBiPhQriDqbTpErbVVPjQeOqPnRdfml6mcpPw -+KwA7ZQKBgFzqLmWqy7ZnZdbBo4CUUt6B12eaPCW6YNpOd53zHOphaiZLq4rEhpiZ -+S6JYQTEQYugr0yd6vxsVL2An58niRg1sM6gca9QqBlGMzaQoXaPx6OrLW2WoS5+I -+MmVTeh7yvdop+6gvR8Eoh4cI0HoiJw8oQOOneiXVnh7Izk+WjKXb - -----END RSA PRIVATE KEY----- -diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/dejagnu/pkinit-certs/user-enc.p12 -index 107480c6d2564a2e60655f29a9984f3009c35a11..049602939def4be1fa9164649b39a801f417e74e 100644 -GIT binary patch -delta 2772 -zcmV;_3M=*17nK%3FoFva0s#Xsf(q9L2`Yw2hW8Bt2LYgh3djV43dAsi3cxUe1$PDs 
-zDuzgg_YDCD2B3lkXfT2WWC8&IFoFeLkw6`P>Pk7sT{fZm0s;sCfPw`u+L;oVmwM*l -z^A^(IMG+~hWX?aEZU^((3=^fBlyN^uJ1HdaB~86Bo9}9N+iX!V%5OEvtt$|1s1*AD -zSi4_@qyJcutzz!=uO|*1J0QdyMXJ9F0W$DQND|#_%aKA}$m?*9_9e@K*B!h=TVo7= -zMU9jzfb7^C(2Aqpo+PWbs`#J#x*BuH0)VGjB2ly(^0MI0lF7=F#Hzw2C+INlA^N4t -zQGyERj6sz8uZ>M&)xR&um+swj;`PYIw7WY^-c-*m>8DZZQKge>x$dqy#H-~)PY_BM$dd~(Onw}(9&Z?axg}0Z9>TNk$HM5;@0zFIm*-gU`117jbMl3DK%BxZTfFoaazy+Y;K&KQb%|%j4SGGNq>fa9~oCG -zwgvwvlgWm}c<(Owow5C6%<-HJ+#%w}d^yDVJj@KHm7O$cj$%wmqlApelQKGFkb>xi -z&5HN+ZW~fbxGRW%c2vkasI|;g8|kowoTpi`2d$&gAo5M+Cd@-p1~P_!Ft-zz7TTx- -zY=&;!yAmC`w_4KM$YX)1Rw*cdk0678Q7lj?36`+_J(4VyW}Tq4w1Njv41vgs&>dhV -zSy#O>l4{FWV8Oa^*jM@TB-&IwhQ^?iss8sqxRaAy73MP_getDL=XHMi>x{`9P;^eT -zX;^D`Rv!PAqmjC4%L#g1dGlx5N06S76*wky6q4>VTfaR`SZQ6zOcRNJ98dY`dEmKb -z8P}CmkW^L=n%B9Q9|IB&cjOfV8D0G*n}j#+Ae+CPG+aZe8MXo -z`F_a6PkRdLk^jg~O|0#pR0Kh4XB=|!R$IMS=fhN%1ASSURF+C{e}%w%@G#U5K0jS@ -zdqcB9wUuTBoobzl&7kLhWRVF4i_>Aob7rR*b{%KZvHim+x9m@8H0mf6Z^St4G8&LB -zHpTy;XI)>%!4A7DU(WgFp<~_!rjA?yBX>`Ll2{j!#;LZ@Ra|%q6ljZ~oCLM58DO2B -z@@qKlVxyM%_wk^S+2B<;eEl8dI;C75!305v&lHVB%?{%@{fN_lh0Fz3+WhU-rc;Co -zt{pd|08cdwp(y#Ey%DO75wgIM9oZx%m;M@)w+q%#yhOTzM{|0epFFl2%V2B*^zdb# -zLtg+*Pk!JU6r=SE96Y=uWXqmonUaq_U~mhe|Nhs11z$eYsq5r6GvdUIkxPbSa^!JucJ6lunrI!~CYCBHpo`Zlp7W6T -z0R}mN*!=ieFoIWHCQy@x2^a~s%8cQE!@vue=@_6@v&v+9@(+s>=GA{t>n(JibIAkC -zc_Cl8#TZq+<+)Jkbg%{Bk2vlkN)*Sm?_sK9U|~dPYRfTytvvra%6Swxv_}$>R4{GC -z9dlx?of)+8u)G1`(17)Ar}|)emc*7pvv9xmdyDM`V^qSXB8PVe5W(w!XdCZ@{~c9? 
-z{EuW@x+Vd(`s-b0^6A;0gJC-K(fJr!jN58A+Ayo=k&&lfG4=NM^i(BMI}xs%5TYP@ -z=E+!co_#J#@ZGJ~+ZKh%5>wJ?OBEbcqJ!fd06JoCD0sTevnh -zeYb}GmToDBVSi|c4c)}Znmx{Cob!CF^iezCh?0>3o=y9wlV)5pdPtsk3Dd6eJ&_}N -z40Iz(KJ#BVeo_0Mf!({!#P6toUoXX?w!oM7*9BVb~ -zIG--Gt9ix_oY;+?D3Yc*H_^D|!+$CDRYbeE*wlZk3z1mJyVvza8MJTbTVp{-MR$_Vb -z85o1|GO+9}*jSN6x`o$u_GevO|A1oH2-B5JUOqY2dO1Y3xg@ket~W;HF3_p3ch;8H -zA@hF(dD6pT!-L$M?9BB<@nkRrBfLfUa>Ey?Cx^`yKl#cDagwcp@|}$uh#okmH=tsN4bb+PHefW|Pj%3Vy}fha7a_E$bOa?P -z8FJ-bADHzv$dO)+ZeJzqb&rWk^O*C_S+sv1mnye;2bKg{7eI^pmn(XQKdP_lspwTr -zX3jc1V2jk!Qr(x}g`1t1=n8G+uvgT$sxT}{=y0^ob%Mg>npS<}){)aAx0%V$_o=B_ -z=~`SOSZjK3Bu&8!eRoGV7E#C8aL^u2%VNxK3R0dVoI`UXs6b26vcD9$2c%&DT-1N@ -zOi+2^=KXfZ0E|fDhH@NjFZ=~oJ&x0Gl83}Xbq*W-14JW -z5Npb?m|k`Fk1*3yniB}lEEU`;O%s240Z(1|b?~}E?*rj9DBGvik&Ix=3%@9Wr{Jf? -zK$@qQgGUoLG|`FO53OK&_7?s^fNVpBgzWs{{x=M{I0$#)RqH^t? -z%~@S*78!xW^UhVCcK6>Y=Dv}9xW+urfVcc -zu>g#>iAxh_@0-L1`M|BMF|<{62P8z2r?f5+qTVJtpE~#aF(oh~1_>&LNQU0g$6*WuPSm -z)&=BgN#*52!DdM7rK>Tl7p9;qj%3GuXDxAAtu*4h -zC~9=k?MXWaO9t8Iz|oL*2?Un2l9AE|a$=h6Ph7myik>RjLzPAKR~3exF~gXi7EvqW -zE~9J)1$c|Nk0{8hA?+9+)H9)`@X_yoFgT(r4IA^^MTMj{Qg_G_Ecp5%>Z9~6aEq$I -zqZ#8v{eFLJh^yhFyaXX+Wj){=eEmUmy`7~T2J1-8fxBIne8Km2YT>L%0ByK93;aq*c}2&1oN%Xv@sK}hC3l=wcLZg~cO)e4BA -z9A-09@Eafd$`l!^yiLb`C@H8+r5iaEM;12amg^s3a2XC}sPdDEl<$~&v&Pt^O1_1E -zQLtxqpx7ZB63jv2o#cE0mya%atND;ON*P9$5}aRRDv>sZ{ey&Aj(@1u1CJ9R>^DKP -z^ixMkvsI@5PQIVZ3yi;x99d6)uZU8`4H|tVT|k0A07DTdxKdUroElL%G2hIaX>&z- -zGBw+$uCgJ}c49uynU1`N7tso{NI`B)cx`w%*LIVJ;lKpsWLl6f9RZbB1vefXcRoxN -zf`j3p2&6|(LpTdfF`pzIs5HmQw0{t!f-w%I3Vn3;v*=k3Q$aN;z%(z;Q~Gd!!I0h)kqAw}+m -z)+NTjby%K`)VatpY0W8Hew#n^$E=RUK7nr1>4 -z>iwtm%PM>6uO=PfP>m?)-Gb0cP_7gNctp${p3IyR4R=HRqM7Ltg{E|SIaOHhlurhABd(0~x?Wl|2L82IQ(SU$e^JtfBDf7?-BFe^(x+A2}Ar^U?gLKFd_=+-4d3FF@XI)g-zh -z-YtUJqo^N$Ly5y6L8u>qux4^IlnY>!6%dVBhAqwN2zEP8eon_hpqFqKTTU&#sK5}O -zR_G2^6daRk?y%axch8{tVp@I}&7l#{P0Os;!v}UV1h?=i&-X=pfo-qbS+T++W?ZX%Us-H|5<*D)EJXiAg3Bf>mv`pr~(2A00e>r$U;JEGF6`VoCJzVa0|EX 
-z?r-cm#ze}S%!%psUL4|O7o)w?aL6CUL2C;@kcy;3mXmu9k5552^YysVU|y}Dt4Tre -zPV>~Ox;FGPu3FhmY0ynI1FpBTH20$$M^SakV6_70&$J`Hks;hNehz)Le^GJSJ=_GN -zH*39XikMG#7>%AiDZORRkOLt30;%lzH4I}kR@``X%@4PRBKiA11Q+_vN>vOuEud{H -z&<_ysqjijW)wp?Ok%G6mho{!?zW9O6j+^7LBvOZo|k^lr?BV+&1Np*EvfVARsB<$IWpEwLanuBXis{e8Dk%c%<_`_Vrl+ -zeqkeQsAX_5vbkPxufliV&E|2DwZd -zb0a{R1$ot?e^yQpL#pUx?VWYRLnMsW%7--ugt4*a$I(}Hbu=0C{2_Z-8}s81q&aI9 -zJV$jFX1!0#)!Qr);z4f0ALns&37-$Ja!$6RBT&!xakOnxj9v0?HEOIy+(jna|HALOL6>+lrjgECvKHr!Gf67D>%p^v_`gSa$$4e+m*4;}Ckz#l?vNJZm2-dM=-bp!>L=k|AGKa`?vcIahAIZmTnuxhxl{YICp3 -zbH$qBcKtQZ8KAYVKc9+^HbatsPu{fE0zFaZHYW(`rDO+*{EDYApMIT5Q32n4CqAZ* -z3o$&+QaVdGHLs9Cc0+|GA=Q3D8!`&+u~`8Oe;^^E@Vz;0#P`PM6$qBdZ)?J)lMoT) -zz)rs=&q(e@F^-GlakAu9)f*&p!LhhDMXuDwQi)vur?~mo6w(T -M3X5P3IRXL*0PAOtl>h($ - -diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.p12 b/src/tests/dejagnu/pkinit-certs/user-upn.p12 -new file mode 100644 -index 0000000000000000000000000000000000000000..7a184f651e50d1443e5fe907b5a11455d69bc0d1 -GIT binary patch -literal 2829 -zcmV+o3-a_Zf(r=(0Ru3C3eN@!Duzgg_YDCD0ic2kzyyK{yfA_axG;hRZw3h}hDe6@ -z4FLxRpn?TpFoFeK0s#Opf(2Cu2`Yw2hW8Bt2LUh~1_~;MNQUKrWafC+r24#=H7D;`er=H*b_6X_JS?p@<Xs@2^$asn4KAS;Hr!s53%;M>!4_lI!jE@siDP@6({Y?SkW5h+LdIH$!` -z_-XqxelFC+82Tg$(YW7cLdVydSw%i;-Dj91iRUVJgL03EKjM>L^g{mUmKBVKsyAB4h;T<*EUp~k -z5rfW}jFu*r0k8Y^g;u6zO^A+%O_lMV@d%&03_Kg*X^^o_Uz{`U5MX67$xAr!e22Ui -zNAXN+;wkb+d}b~b&i1*3(p;Exz@ODQOofrIDJ4q$8bvI|QlJ^WxvF6?PHha;kGKy*Lw>`x5`pX#xOpU&t`! 
-z7)slT|4hs;jt~|+@{`;8_Mdj$GgX1D7bOQ^)Q}w75-Y#V2+pavIB(a*V$3IEP -zg?T;;_;l~R>6v}Ls7>PH|CSU4@((!&99d`8mJ4VP6tfU( -z4xw}bWH@+eq;9;I?L2T^2F%;7KMe9jrkMY5;~yqZdv|HCk0HHe6ELR7-?nEn3P5tpF1(5hLL=IZuz7bA2y^CwDO;azer* -z!C$qO=WhrA@3Sv;JL{~5A4{ohyNZWeqOYnSDSb7#hu$$uU(aKsIIcB?CZ9J;Z5$lu -z=Cjt}MYS&q`XV#P))k%qT34!b_#XJr>cQ`>q`i7hA!{`l0Mcf&{z`~2DbjCAeFaIZ -zsk<_2+ZB>2+Y`;uY#zb8doC4=Dl8MrvwAKUL`Q@5E -znq+%df~WK#qUD~jzbgmfQeAq_dvu$o@tNNmYJPp4oVJ2u0qBUy8Jxcoc2$6Hz}-~z -zxOwJtoxJUF&6R0oar=qp*4XgOz)zgalsD+2B(!V3Q|`x>a-lDmn?dh^U5F1;y2S0+ -zPRYG~!nEeag~ngC@l&LNQUM2ml0v1jyDvT%JrGqHcV|9L||!v`3Xn^r^f=@jKTTw|8IP`5&TRwiQNz -zuxF)@AE&AXjT8}6AiSS|MLo#|aBOswU;hdcU7DWCd`J>wJYfn542DWQmL+e#>?*H8 -zdH;kV9Zz*4#xxQrPTyNZM>hg4EpEgx#nP4#fobQPcfv18grG+nAHI;bL{ylamN8W@ -zKljh2Bb-jW^J?a^CKm+huNYxBjL<&hBZIF2SK -zVu{~Wpo9P=Pg;QoJ|*nw7DjGB4y_W^t4=uyCXy=!hMY3cGj*tx`I>011gj_pl(O=FX4%Pv8{?*qOk9 -ziMJ9kiDb%Rq~);boeQ_o6Gz>K3&BxCt+`@~nJAh%g!EqIPY9B0ewTqT;whOBDJtl59yda9Br}TXCfgC9#E~QjpuTlPa3D;Kuf{=3 -zeP!#*-6{&>E_LrM8`cuctXs|W@67%V=)pB@oy&Yus -z@2ph_mT_Bq{2J2QMk74-EEJMTAE*X9x#e!==1 -zfh0RBMQN77*2GhWj_q=-;Wz;n_ig?}US0W`OuQS?@DtZzW1f~nnyoPy(0Hx*GdchzpbQ0S0ir-J -zuHsr4irnU(ilPifZg3UpkOD}qmij*p0LDWB`u7D|00oR5NcER_L2r?C?;0s76-g9| -zoP$#^&~mk2OIS|=F_sMsnX8)@2#;-@M`*t=Bh1+Frmnm8t#fylmKL=Kk92~}LueGYkFoKdBM+&*L7DFr$HNMR#9xE?N?M^FnQZJ^OT}z~im)IwW1caxhYM;+?)l -z6FfS#9Zi+;8|~jLBE|RqTDAHS-Es(u*=ip2^4OkHCUs}hqma-3PAVfv2kYkUh7$_j -z2|o2WEq=(;OC)Sg0{2i&3wkEy+s&cco^Hy?ow{G9!#<1CX=U-w;l%M;QxsMc1X{6^ -z@6*5A?zKfo@cDpT+L%OfWgny?;`z+SIpl0Bg=fDrrRB=EaGDD+ODlERhx_l4t_MSA -zZ`6*wF0gJrmlz&9>PSWsZRGWzM9)1?B%hhQDZaPZz)@56+a=hTJ^Gd+X{KWGzD#mq -z-)pP0)q9px96kY?$-{@ArN#H3W~b5SQpD^r{( -zR2Aa>s|ul_3wCEtZPXyZ-^r|UbeSu}@3Tf;uCGgUPxvsJ_f8btP9L)4Gg}HiY);_2 -z+mOZkK=xZm%YI+y7HzaRSCY`jya)D=X|9p -z4i<_VEkh~=A|CY!+4#xR43GCR3n_n$#mB!Q*Caq98D{#S -zG2G6Qx>5L(CX1A+juY-*fdn6FiaFyDIVxdbcL^V(xEaKTCEGE?Eg-?Ir|*F}s^5!F -z?uPI=y0M>KgdCNtoMqO7WN&7|%urZN+YeMK2xf3r~lQ+GSa7%(FHQyBM;pW9P% -zaYm6(pg&99#xo>+!=(tb&Z%7-db}vcu*5eLkNkGZo 
-zzF*Fi3O>s*3bhY!SM}Vz^#%)mEr-e%Q@4;7yibf%Z7JO1P^k=rogOwEP53EasxnaeY|& -z@#_1`qn`I>sO}W|rUxMujvfdt)Pw>>jdIQ$6rBk!R?Dt3>HE(ioW+$zbs`si)M<^v -zD!WD8%JztN8Hd@%EZTZYNj~AzLgM)N-?t%C&ch~aytdUXOx4wsy9c5Nt&-Emq#f4- -zHl=P`cgVJINMbU#Kdm%;UPucqJ=;5x2HOrGV*FpO|#t8^HM1;b*9+* -z?Zrj8WYTa5?5X87{AmuhQ~{eUOrUJ)e#{c2RMvjrL*+(0axNW{6}k4rWO^+1h+8G`-UW2$QEGKUu2I^6J46a;(RUNp$Kxxh+7_@dXK -zD3E6J{uf}Muo{~}jVZQ{9-6OTAubq-@rVmDa-`b|`7@B!AeO10305~@Dr%6}iV8CQ -zX=X6;)T_SAFS7M$LiE@D+*=b7TUtKh#SiDT!#~CG=`dm~xS(|WMh2cwC -z9xApaX8)-#y$}a)r)<27$PL=Btmpkt47*NBvk8ah#FF41>VQUrT~(jsda)wttvb!- -zM+f8nK~3)SE8Uzv>G&lV4)_-4`%LMHreSl%ftOL3EVsbU&-o^)j+>LMjzQhwIHkzs -zj3_$2&5jM8($vnfB%~s(`|}Z1C!?xTVII!4JlFJ1^Re_w@F9G4mN$!!_KgcobwEi=6Y(|7ZRIDRJGT*_~94IW0yH%-kFs9feQJ1yJn96nt$lA -zzrxgdtPW^+9dj6s89v$x=KzGEryP`-O_BZ+GS2{l%GJ -z;Wg}AbQUBB4M?CzGy8Ssk9A|Hpi;6b7mn2$y?*zP>|QNHc|A(7fn(<1Cf>^n=D2i4 -zKzgEcD}!8bkWoA}X|O@i)yfYB<*)NprS!O-sZn>>{Fs%#IjfvVXcK`c!w>TZC_`)L -z+iDpL1H%ga{1M#fkH5W(UbJ6AdC5@ -zU_?h2EWjXR{7@lx`=c0sVEQ~^7P$v3nigDDUJKG8QvK%lSC^!oJ2OHT0o?DE{uPC?#3C(OA -zki6%DF9nBN!6h`eVtXs4W(A%(^dA#v!!&+b>kELYWpRq53rJne*K(ZpG~HB_^VCt? 
-zf}PYa%M7*9wP4L>v+TwLKvTK5;tbtW_0s`(G_#F47O@y)BStu}uBOf)QBy-Z*`=tIAm?i4u#!!!3KB7)I -z&S&h+XZ9MjAMs0e`O9!!0W;w!w{oKJ5c?VTVfMz1gdptZe|4k=ORxc1k(BTT-5~lg -z`SxY-DooVB&XB_ZCIRDzQB#oLrY9riA}0Z|8jeaL!SN1ZPMJZ5zHE}mPLR8nKq_{_ -NjEEGCzWl$H{1*d>HH`oO - -literal 0 -HcmV?d00001 - -diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.pem b/src/tests/dejagnu/pkinit-certs/user-upn2.pem -new file mode 100644 -index 000000000..3a5094c84 ---- /dev/null -+++ b/src/tests/dejagnu/pkinit-certs/user-upn2.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIEuTCCA6GgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx -+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz -+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug -+b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG -+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF -+U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -+CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd -++Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R -+AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA -+O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6 -+ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN -+G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBSjCCAUYwHQYDVR0OBBYEFGvA -+yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM -+rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz -+ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM -+IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu -+aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P -+BAQDAgPoMAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFqAUBgorBgEEAYI3FAIDoAYM -+BHVzZXIwEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0BAQsFAAOCAQEAElYM -+786mUr91z82s6QC0TwP380ze8yJQiaWifHYXiqIPay19M+QG91PvSm7LLZw+ersC 
-+gEl/mPKrC89XlAFp8b+hJnGq6t6YmeC7OI+FapEMxpxX/X8eqAOQLrGnoq7Pm9/8 -+QtWaKgo09i7rmyykKl3xSU1VktBsmlhNPPNh3x+N4bxea9OIbZonPdDtr5/Yt87/ -+6kBPsGgvUUoIxLw03OmLu8AmKAwJja0FWyu93uCUP4UZWLEGpUhSYC1uUCpAZDNy -+2AtPnxfGUDtvI9eMmyeXVGYXTfkfGZyvB3m9lyIj3VVmhbvr7qLAGQn00dbOHz16 -+r6w2aye0Me0GcU0grg== -+-----END CERTIFICATE----- -diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.csr b/src/tests/dejagnu/pkinit-certs/user-upn3.csr -new file mode 100644 -index 000000000..958c1e043 ---- /dev/null -+++ b/src/tests/dejagnu/pkinit-certs/user-upn3.csr -@@ -0,0 +1,16 @@ -+-----BEGIN CERTIFICATE REQUEST----- -+MIICjzCCAXcCAQAwSjELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0 -+dHMxFDASBgNVBAoMC0tSQlRFU1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkq -+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJ -+w0Qmn/qs+lNLjRTEZp7kzIsd+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7 -+LiwbB36btYyEFCBW1hqJaS4RAMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2 -+j69wqhPZIeXqqveV+VRogbTAO7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT -+50CFuNkUrFE7m6KnFRF7PkR6ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7 -++ixNvQn86a+91DdvO+xwbsoNG0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABoAAw -+DQYJKoZIhvcNAQELBQADggEBAEMxNp5md+jV5dFC1iSKh2CYl3P4g3UMQ9NjLcyq -+upjJmFiEGkEg/LpH4CoXI03BaD885S7akKPA1J/sG2YIrbl3TpjUJKZoJ8BjNT0L -+tYc+JIODZJEONR34Fh6/1uRU7UkRcJ8Crc83+ML+71O2SRZRJDEOS3tVbdzjEOTj -+HIed6Ia3cu0XeAvhoqRSjh8J0ufoIv3CRRCtRU8ChkmMD64p3kOTlORxWspAF8sm -+Xa53bWIpyuyz/vWwpWfr+fL+Q+BQ1TU39xvy+46AYuQIIKzK9vKZdCElQwFXZs26 -+f53OyZpFjcsT9jJAM54XUxLv5rE3fqZQiBhatPZa2ThHt08= -+-----END CERTIFICATE REQUEST----- -diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.p12 b/src/tests/dejagnu/pkinit-certs/user-upn3.p12 -new file mode 100644 -index 0000000000000000000000000000000000000000..a9d4780c47d33cd4d409d6ee657a7911381fe753 -GIT binary patch -literal 2829 -zcmV+o3-a_Zf(r=(0Ru3C3eN@!Duzgg_YDCD0ic2kzyyK{yfA_axG;hRZw3h}hDe6@ -z4FLxRpn?TpFoFeK0s#Opf(2Cu2`Yw2hW8Bt2LUh~1_~;MNQU4cR+h_S!1xwTJB>WLrfC_;4Q{WSMU*o- 
-zn@1qFp2kU-SDex#I*!6h8=!K8qv9pObzLDLmnzWdibwhCfJuy%lF%>17?*+`lBBJM -zmXpRI{I$vJ#9ra!;LI(a-Y;XQ;Lg(@=%$W%N@M`uG=dT?Us_5#Ydy@oR}Jqosz*ey -zVPGvYS6-Lg5~d9q+Kq_7hwvb*@x0}_hvi{GII8!JaJ+M3rIu;J>8y>3=gG`dH0^iR -z|2dL^4OS11LK|#C4SCTCdZoH|NY!h^jRkR_ZBdMalelZlJG~EQsb631B6Pems-P<2 -zy=ikP`PqC(+TZsM6awppC_f0Xl3g4K3t|VAQ*|@tqWP;7pCfxOI}DZ9(iJy)rS*nL -z8a}#DV!e3{QR4jj(Ty7a7d86H_%`o3)tY*5-w|QkembO|Ujs3}!86C73mgV0q^5iP -zuZU!CsXRr9j$1G307B=@uSo~fVS&hEIJ+>AH&cjQ2XBCfI;BM))U5*2LLkNN(0?0u`ndx|WU+*&cfWKL8;~Qf+dr$yMp*|3(UJ$X~0n_~&n<|bR -zOiCnb3@;b`fsYZW;zy3u!xk;pHehyodmHBK(b4`FY+RdV=I@k+phXazTua8A-KghY -zbHI;PA;HtNCqk1?WmxDfVMr;cPF-ev6fv2Fqj2|J6VMXUHxmH&PN -z7i%{(&ibQjorX+L&72F>74o;aDdTY|SfNampj*cW`)4?RC{QhRV~@au<4#(Y1RTbE -z+4)2+UV+lnFK&q(3AJu`R~b$_-o!)-dXZdz3uyEXkjR$GQ+@~Nrzj3Op78qsDTByr -z87^>(n=t}k--9Y2&($W_V$rpuB>QO?+3-dA-pr3g54LFhpSdbUZ|IdewW&nX@Id-7N;;8dTYiF$bj&+Vz -zp+$O4o`v}qtLqJumEjK!5TYC+&IxPxnPJ?qPwid3z%qigSZUd*O)r-j4oE29GsC=< -zw0myiDI9d*4E>t?xOcwEA~EKL0)VbEj&Uc^xro!On)Pjn$+w5R6#oT#|93jg*@V}Z -zk%j`((IQj&TOx`1Bp_153n75Eqw3)xRNoBq49xGry~PpA>RD@*p=h}-LFRPD=V~%O -zL!t(9?TCJvy{&-ipV)bfua3YR-|1T`d;?f_6b0}I+QRRVRCX;HVm@R2;PE+7K -z3Q|#cnBp2{Ho#|+7-NPyucnCX#eD8mEc6JWn6yVrPT1jqs)!%NzfUi>O@f`DTz7r- -zs6~@+cMQii)Zyfm5|I-1^j4{K7>B7|irNe8d;&TQyncnqec(ERvcvZ=HhwevKN)GU -zzDKIn4gl?ZdnRwvb(WT2#ZBk3!kjVDJEGu3Mj^N{FoFd^1_>&LNQU?&x>nfj%n^6>^V7CUp+ -zETM}jN%cj-MzspiSpQ6CYmqrq{b{-|Kj>-Fd1TKY;L3MOk&IO)fs00$bk5ZHGFaBf -zsRg6kCS^21bh?tWf1jQLIaT&uM>-1!L@?~)eWqce&iDF0qMSy`TNzT_)VB-&hdVeW -zjEeXb0i{%KpZeK!$PY01Wa=BLfB6xzk$J9wnQ+$8Q?cOhQWJ^oEshJdhCpbB9?+gW -z%#d0mHXCu4Kr$r>M+VFC+yRsa^lQ^YyqVejN5NolmXwl=j;AXtkvzSNzYdLcLS1M3v(LEqdCXAG^SL1Jy92cADy`hRveJZ&>9tO3Rq_n_U2brOPWo6XM -zre^&}huWluk$ -z+B?xm6(8=jJ-w!B_8@+OFo>mq_>DV#ryewM9%Z)!#3=XxhO#WL%G$~t4CS!5WVoB@ -z9IwU{Qb#y?ADZ8(K#I6quZz_TTCR&i8M?`ng1<++_9q(O>U=r;A$ep&O5PL~0ADX*&QcF)J*1tw=!Jp;oWW92 -zx_WL`bX!>KW=&X!8je^w5L8BljVzqd+B6(1iYw*+a2t*Og-{}@ahG~CSZjlKgN)_F -z_gX^4sG -z?|whq1p%Fu)%2@m@;098MdnS5un)e;6`RgFr)yc~xn2wcd|aAZWeZIH?b=2rqMuuF 
-zhM;R=1L3DiNIjP$4H_N4*lqU$eq7|>Ys3|ew5^EImFF1cx!T2jaX -zfyvmtstS0orV!Q7PL#g{*$ChxfS!0s;sCZ%;ud - -literal 0 -HcmV?d00001 - -diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.pem b/src/tests/dejagnu/pkinit-certs/user-upn3.pem -new file mode 100644 -index 000000000..ffedb0d1a ---- /dev/null -+++ b/src/tests/dejagnu/pkinit-certs/user-upn3.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIExTCCA62gAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx -+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz -+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug -+b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG -+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF -+U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -+CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd -++Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R -+AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA -+O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6 -+ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN -+G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFGvA -+yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM -+rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz -+ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM -+IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu -+aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P -+BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM -+EHVzZXJAS1JCVEVTVC5DT00wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B -+AQsFAAOCAQEARVeLPouequn86P3LgOZQ9LpP6IHpY2ZQwvNviiA8Zk0hsqFXnmwx -+wr3JtESim3EPuwQtJ3jXp0rxQB02r5r8sg21OjCeAB+vOz3IoF/y6WEYlz67LjMB -+XCB6Fuq80IHhVXWRi7w8dVI8xcADwIOh6fgzwbbk8qV2Lgn2Giivstp+76PnRtEn 
-+tavWlWW7bQlXkiROYh6u3Y8IvYYoIdlDsXQBFSRE80Rc2jR2XGKAz5CDEZNC7RAH -+Z7ON9HH6IRBOX1ijmXhBl/39QQ5t+ZYgKk8OJpL1RAZlJZtGMBwJtA1aGiAFvqTr -+aCREHZfn9NAFE/szItH7hxWJv9RISUXYmA== -+-----END CERTIFICATE----- -diff --git a/src/tests/dejagnu/pkinit-certs/user.p12 b/src/tests/dejagnu/pkinit-certs/user.p12 -index a7c2baddf67f5a8c6ad97b661f6ff285ecd5bf37..67c3fa2eb01c9fdd543af9172dc63a3955987ed6 100644 -GIT binary patch -delta 2825 -zcmV+k3-L2N;;rqK -zSyqcBB#a`vq%RJm?UQRey5syNN;I{A1gyVwKE~n@jbWz;r@|AM -zlt-Dw4#5`C3%OE;suP^fKAkmd<0stTrax4cKBYi#wmDyWkH@HTEzF9Vzb4z(Px-u%2--OA4DL`@vMDzJ%k+he$KUV+etb#R@X1p^xjIQ -zHHCI2jR$-F?jK09io?qm@M_cn8*o;ql~XNl6dFi83)IqmcEQ`VgCdb<6p=l&wDNBh -zCsi)gZ^pn!adN6tfqjU59L{WP9ZTwex*A&&TJq-rK^pl7CaosnYypN4z4}f_$-a57 -zM>j1uIhmSFRBBso?WIxHcvNXh7@BuA#OSnOJLPr!CPo6T$^vk}CF!iZW?)pB$=3O@ -zrfxe$v8EVwa|3H6ER9y+OaA^AN?sy_V(?K!suZGEvWScYsU%j8Tm223XbjYUAviV< -zjRVqXMw@vdf|o5^9wFcIr=5rw4>$56__Xd6#^Qsv`g(v1=Q8> -ziP0(7aSZ@G=xc!){8#vY(P0#=2i#b!H0mS*tnBJn+%XiU^}ohqA;4n6-qyM>pihFy -z4Eln#fQ^@qtxx1ua<5>n{y3?85=BH@b`Rk06z{b>dCNW6Oo&}cxMKGgz!y(Zd1EKXWX|R6D%;V -zO%}A{2XK=U6Q9)>4CCpjR7Bmj5tGi0`fNAAiyy6Buzq`yQ7=G@(jo4kz~uX3a|leQ -znPbFK-QrsSWjW`ZE0l0RbzoN$EaUA3xKZT3H)vpww4;H4Y~@Fxa(N5MMgT3L3esA& -z#khOUkdtQeZ?ujc@i|b{Az$o6ji1SvfQ2P4Fl9xj(j2fRfXM91NY?TZi@9G~Q>8u> -znUEbT327qTp=2E;8j!deS!wcJtNPg6~u?|e$Cn#?wg>Gy;!h%T#ZZm!|+sp>F-1wjT0Duzgg_YDCD0ic2fG6aGJ -zE--=xDlmctCI$;ChDe6@4FL=a0Ro_c1nw|`1nMx8x&{${n%1@_Wccvq0s;sC1cC&} -z(RN}-FcTn?seem_$6vscHBDugxnx8L|3Ew+b;;a<>LT@K6&!=f&;v{-fr9J4)RI5E -zj@&%tk43H}?45`sk;yf*U$h5Rp|)9F6Mbkixr+=hea8YdyXbvVtQsqNcpBZ -z#n8MiO94WErRUY&{G8aC13PpOJ~sOK8;S<+Ie>LKd{9|1T9WiB_c>(}FfnAf;L;jb -zfNB;hfdYtGs0rLO^TE8t4y7e>6bF8CPHU5uP4jz$Yy -zbL9m*YvAtA8!^vfrnnrj&CCGA^^&svs%|+8*DEE?lL`tj- -zf`rq7l(SqSOVc@gT!bIJH%*ulo^Rrq8vp}!YD=*9th0b|XC4K5kKCIJ#G)UbZN)Ww -zSw`3^C#o(f`hsxT+he6hh$}M~2Q87|(edYIB5yDLZ(%;MTpajfq_bj!59ytas5{aU -zjlC6r#g*`SaxR%zzqQ6BW|Q6?cyz1Bvuy6fjt!Bo`$oo^9;J^!3#!XmSiw9*5%*N^ 
-zQ`2(jBGPjpt%+*4Ds-K8@v?N$LVXpWSJgCCtdxP8Ct2+e*4j(IdxkRy@~{XUZ}X+DyjPW+V9xWn;~GLbJO}s4^x6; -z6$reQw$IdY>X?kq_FmyYA+B|x6euPPHyfqnqwIO~_)n2=R;F+z4p%BJLy`c@dS(2- -zx1Ora8m!D>l^j=a<4^I_s^luw>R2~vsr^$6814D=So0R^I>^3!lj4S1`0<`!x&sk^ -zT)bs;3pPzQTN^KA4O2TRv6Lezb#;s2(3`&1@Is%>(bImh$?j2Wv3z`eh8z^5Kqwnx -zB9UF+NI^$^U>1@@y>$c-eUN_iXYM_d)Cc@f!jXT6&#y70UI?FBobSP=?)}8^=fZC{ -zH4+W5iQxFbHcNUHQfmMqnc71wJlHjVLAuoFS6%YV)&L9jzQ8?M-MXaXY8IG+q)TT3^jVwS*gQ@y;alU9 -zYt%DyI=C1o@+PH7AHTADb^xm{o(C~q=^;j5^A1;iPuz%5H<;GtbhX9NhsDtNX{U+Rl2#B;cyXCk!hT~J7*4P9Lt -z?sqAVi^dY}SlRgxYg^JcHm7@k-95OD4H6){G!Nrf%MW&7s(zR_*{b+Ys$MBCm0-*&fN2d -zLo!o!O^GGE95nVk4@7S03xTA;N(*fPCX`P8`Xm>azWsS23xZYFbkS9REW0}sxCq_W -zZA!1X2X1Q9)%6x;w#V%=r3cQCtdG~JmCf2ML+=s$*YLOY&xjJu6R*W@*bAA>)DitD -zLn3);mi?f8-j`_w`MPBdP9y){Ok{43vm0hfd|)sc>x+EAS}`RsBL)d7hDe6@4FL%i -zF%|?Aa~UTT2sI*=Z7gOy+Pr~M|3OA6;4m>TAutIB1uG5%0vZJX1Qf564%Dx{fH@}( -by5{;I{o2EAUPuH8o2f}+U#knW0s;sCTvk7E - -delta 3072 -zcmV+b4FB_$7N8hFFoFym0s#Xsf(zmX2`Yw2hW8Bt2LYgh3)2LG3(qiu3(GKq244mV -zDuzgg_YDCD2B3llP%wf9OacJ_FoFg}kw6`P!$C#iY;oVd0s;sCfPw}X{k^@yX8+%9 -zwBJ}5flvw?@^UAz@E_15;f|7 -z%=`IEmu8Fm{;M@9J1*`p_pIcRPLK(+FMWn?4Ww%T0x^GtUpOaX{(}d=6zfxU*O_P_ -z;{8-Vz=+PJ*fq5Q5}1P|h8#+LByXQ+P>3e*vahmych~z9*bcGZU>fX`OHPSi?VqiC -zB=Rqvb+r)J90J&GI+Fao+TB6@Z9^%48aMh$*5ZZ;bg}FUG;4;3aF(v8Mc%?$$0qwd -zc3^N%>ETq(6vTI$`2w_1OaX?h#=Tof#*z5MeSw0*v$CMQcQ$S>moyee?d|Ygd -zOSrQGiK>X-ozcDa;*JHQLCC}?$LH>?!Yi#hRsnX1OX -z*EB3%Xa}bdITw;zI$pm5MeS#lApv12PFz^)>i>;Kq;rwfsX%C~f|;W&4uX`4^{hYr=Sv0%nHrgoVxp@+Oa2pz6_!d%FIr;pRDqUYfO{2<~UWQ(O#?)HAW1rbVG%r -zq9bBAoA9db8X#}@U%8%J7?%N|4`BO{Kf`A)Bo>s1w3U?&wtbya#nq(}in*aOqVWwL -z54v^FBkaQkJ{{9QU=Swu92Ip%GvLLOIDd7VZmIBi##hu?f(v78%UHjEu7or)#XQ(K -z6nwxUcCasL?i8)8F(v3tkFjU0@B||ae%?*I6IKzV$B;Xlklq^f`Sg6cXaqJHeeaB= -zR|Kl&E3F1db<1&_nuDc1V^iiCJ{=(AE^+aqY5NBcI$5;qni~17mHn5(Ds))Qj>(fB -z!cAhp`uQ=F+SOD%%+Ha38w{~j -zo9@HR2C2O8b?-H5VC5*x&5I%i_u7WWj~_7^J#l4mNU^ZX$|TykZ>kn^P>m*4do=8) -z-lvs7RD7|XX;o@sWC$=qUP|t9tI!D(6aWp9r+d%S@i=hsUzZGj4`0ajob3mf39g=O 
-z%sLUXQul@047pG(XAo^Bzg#aTGeIP9XG%lsySCBt^BD;L!P?o>8|72>-F%bY1Wq+- -zQ&co>uVf4#KdH09JZl->qdH!j&5obWpC252k*~RRm`++aA -zb)ix=M5o -zkDSS^SpDZ46j6?8FSSEt!hzU2{_KAgGG#C6JOuiZ$dBlrIHJI>a!|_ci}n~u6wfBn -z1&}v(3R~EJEM#g)ZxZO$;#Uy*l%8e6KIeQxo6!Ev!p)g^jmB_%6GXqkLS>=3J;!BiP~zMs^7_ZV@z2e~h;XLQo=1(w3< -zKSrEW)`6L0#?Y=Y^OVjAPol3~Y2-UA_>BjuU<55l@tHF|>M7Zh5YYg$$Med8J1xt2 -zLP*MiFoFeS1_>&LNQUQ6J*E3t0>aCid|=?nFOo@xF7nMEwFSqGFL=q6+5@%_ -zt-z3k=H;LP>M5^($OYSZJ{(r}tFwIj -zvW>%k6&+&B`~)0-Gg;CuKJ}d10CU^>UaG3Eag)cBnkgpw6c$vz5a->`qeYY{qOzjV -z$lM&d7YnfSl+TL;$Z%XYD8P&u6+OPseP8BbQ`Co+4qNH^w^HP@t~i7h`yya}!u<oz#o;ZUj=Hp -z(TV68ifC2(4C2=wv3r~1104(jA4cs9gd=F=kJAOeb?#j`oJ0bKe65FiHPEx{!4^2M -zz^<`>c3WJhEzhxX)l8^flHtnoU_1>9oCV*rdmGdTgN`7ewco2nZuA--|EL=EaG4Nn -zpF~eT3tG2-f{+uROTHXdk{V0)X{9@F4mpkfDP7mjH8Tej5p$_wAOlRUsVV8eC0hd` -zl4Cv#L%OnpO;^-jK=n`BoqWJ#I2zzYA;sz+Y;icw<{th3N}p#_Xrp8*rEd6NEX=4@Qp-i%c1jGY-l^{T#gMCnLtFM}iUj!H}kK_5;CTggujzqx``SqC!?Fq@kO^ab0Yk*7|TX+l3@A8Z-brb&{t -zZX^wVHoyg=NeF)1EnnZ8*NrQU!QHwFx6a1u4+j8i75XaX{V` -zTejP79{ii}hnRQ)sO)7qj>Pd@U}lVl&(b}Ag$oc4za4|Y2`)pu(3@Q{oocgpL9XPg -z&ARc&g{ZqR#9lsFPr=r@2fK*A|lb4n3k%R8?I#c2D -z;=TTZZ*j*ygj57wLl>LICIh&x-2VrAPjpHqNvA6BWcuW0J`V>k -zX2DR;M<%0M5rj)YL!vo}Lr8*yNjn|jEon4LP>F3;n-~NKB>zj8a%?p*fZm_SEdJB6 -zP-Yt1+4};5@fwomsJaS~^N?NR6BXot?2jw}Jgj_7AnKjnZoO5nIY`wuDf(}pQfmod -zE}t2${x!MEq*UT6S13ie-bH%m!2V*Ai?V#!PB*W9mXC+U>&7FB$YbjRT!@-#?o3x& -ziB>ytwV(g|m}&0NES6Y|(~D_kcv$pTt6{{O5=Tjd*U#!Tli@}SuFK6QcZ9`%x3jAa -z9wib(pG>woZhqj$pub -Date: Fri, 25 Aug 2017 12:33:33 -0400 -Subject: [PATCH] Add test cert with no extensions - -Add commands to make-certs.sh to generate a test client certificate -with no certificate extensions. Re-run make-certs.sh. 
- -ticket: 8562 -(cherry picked from commit 0d23835660ab131d244d395e4568969b5c0dc678) ---- - src/tests/dejagnu/pkinit-certs/ca.pem | 32 +++++++-------- - src/tests/dejagnu/pkinit-certs/generic.p12 | Bin 0 -> 2477 bytes - src/tests/dejagnu/pkinit-certs/generic.pem | 21 ++++++++++ - src/tests/dejagnu/pkinit-certs/kdc.pem | 32 +++++++-------- - src/tests/dejagnu/pkinit-certs/make-certs.sh | 9 +++++ - src/tests/dejagnu/pkinit-certs/privkey-enc.pem | 52 ++++++++++++------------- - src/tests/dejagnu/pkinit-certs/privkey.pem | 50 ++++++++++++------------ - src/tests/dejagnu/pkinit-certs/user-enc.p12 | Bin 2837 -> 2837 bytes - src/tests/dejagnu/pkinit-certs/user-upn.p12 | Bin 2829 -> 2829 bytes - src/tests/dejagnu/pkinit-certs/user-upn.pem | 30 +++++++------- - src/tests/dejagnu/pkinit-certs/user-upn2.p12 | Bin 2813 -> 2813 bytes - src/tests/dejagnu/pkinit-certs/user-upn2.pem | 32 +++++++-------- - src/tests/dejagnu/pkinit-certs/user-upn3.csr | 16 -------- - src/tests/dejagnu/pkinit-certs/user-upn3.p12 | Bin 2829 -> 2829 bytes - src/tests/dejagnu/pkinit-certs/user-upn3.pem | 30 +++++++------- - src/tests/dejagnu/pkinit-certs/user.p12 | Bin 2837 -> 2837 bytes - src/tests/dejagnu/pkinit-certs/user.pem | 30 +++++++------- - 17 files changed, 174 insertions(+), 160 deletions(-) - create mode 100644 src/tests/dejagnu/pkinit-certs/generic.p12 - create mode 100644 src/tests/dejagnu/pkinit-certs/generic.pem - delete mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.csr - -diff --git a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/dejagnu/pkinit-certs/ca.pem -index 44c917687..f7421ba02 100644 ---- a/src/tests/dejagnu/pkinit-certs/ca.pem -+++ b/src/tests/dejagnu/pkinit-certs/ca.pem -@@ -3,27 +3,27 @@ MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx - FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG - A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz - dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug 
--b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowgacxCzAJ -+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowgacxCzAJ - BgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1i - cmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtl - cmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBk - byBub3QgdXNlIG90aGVyd2lzZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC --ggEBANOWvXDyubZ/Kf8QYdPSRk/rsogzqS0rycNEJp/6rPpTS40UxGae5MyLHfmN --l2mSevRoHSqhb7cfT6n9kR2kb3HB0qhhhecHey4sGwd+m7WMhBQgVtYaiWkuEQDC --7/SWkRYzmYX8J41vrQulXU2/2pOQCmG4NKPsNo+vcKoT2SHl6qr3lflUaIG0wDu4 --bFrWszkxcuSkU7SSXDf2xTTTJ8QftO6WQY3g0+dAhbjZFKxRO5uipxURez5EemVs --Re86vXEILka85tiVS4maCn3l3FWMqcBHRFNa+/osTb0J/OmvvdQ3bzvscG7KDRtM --bRUnpWClr5R+AbGVvKocj5I1+G0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBRrwMkO --fMoN3ofjotSWjK0c27fYYjCB1AYDVR0jBIHMMIHJgBRrwMkOfMoN3ofjotSWjK0c --27fYYqGBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0 -+ggEBAL8HFT/+Uia/TcSFIJJd7Z7ZFvMOYLhEkCyqRhW1ggDp0xrIAoh/fyxq4qId -+S8f7Aurf39kzyS9NtDD2snKwfoLaZpunIXNLCujrlrqdhKsZdtl8aYLmjIhTLu4r -+rN5WZIRQULbkLiuqc6ZFOjOZxkR0NkC/CyfQTJO5a2TaMrweLswmY0k5KlAoevps -+h+LPXsLC66sqgYuWDD8c1Z9GlI8dW2abRPt+WUKskEgHqYJrCkjvPIZgS7UDAzpU -+OCXopDDr/qQ9dnAYzt98r/pCx621/2R4JttZbdsXQDbQaHhV69iJqACqZB0lLyKO -+Ka4Y2U5zy3++t6pd3oGlWCr96D0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBSvEuBX -+VNKtIomCkLcxpsKp9Ag9qzCB1AYDVR0jBIHMMIHJgBSvEuBXVNKtIomCkLcxpsKp -+9Ag9q6GBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0 - dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoGA1UECgwDTUlUMSkwJwYDVQQLDCBJ - bnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAwwqcGtpbml0 - IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQE --AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAN82zurZwM --TugUG6b1symxXxOdDqwinwIlQjzXJ8mTRv31q+YwNdYvdWn1aex8v44qjFDjEP80 --83y18CjjBHznwxsHll80QmFHjpy6xtRrUC/Ak7jfKnDiTKQYBdgmF4/UiVQu354e --QI6jPMQlrWZXThlRuBjM55hs4tgRYeTgbd4VSZzVQXdm2ViZkg8SGqw0R2ZRnG91 
--dfXkhu/tTruguPAT3MQ2pTK/CoHHA4W2piQbBDqIl83fphRhYxyW/cCF2mvZZUhE --AfWhgYDeTDxHKG3Jfmm+ujMo5HscgeUpJ7XjZdobNhkQjD1piyuGzFkUfo2XzA6m --kMz4Jq4cnvpz -+AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQArUoCjqxsY -+/m3nx/5BQSkBAL4T5RgWIX+L4y4GXloYYlafpw+SxRq0QffFm5fpCJBnMd21MbPl -+k/YA+oq0/76cKyQmJ6h/Wl4KHCKKMmvGuhCEXzmrevk/EJ8lJXNdPfbBueAuLeyU -+7X9tO8i9fJ59AZ9YWD9d//puOF+8xeHPxJIxHcR2jHpUOJPtm4yVu1LreHiJJTu4 -+Xotp9yMpJu/uJM3aBKVS5N/5JreraLj9N6N8nZ/7nEw9Dj1zzGHcHCcqtcxz1oOH -+Zbg5Jo8HhVhIHxKdKLvwEk60P+lkGFIE+IUmhWfcbbprTGs7VhxREwxaWyCapCOk -+qlhbJdEcjHr2 - -----END CERTIFICATE----- -diff --git a/src/tests/dejagnu/pkinit-certs/generic.p12 b/src/tests/dejagnu/pkinit-certs/generic.p12 -new file mode 100644 -index 0000000000000000000000000000000000000000..238baa56bc7b4ec4a4cd66861d9a54888ae6baf8 -GIT binary patch -literal 2477 -zcmV;e2~zejf(fYt0Ru3C32z1oDuzgg_YDCD0ic2jU<85*Trh$OSTKSF4+aS;hDe6@ -z4FLxRpn?PdFoFa80s#Opf&=vi2`Yw2hW8Bt2LUh~1_~;MNQU6Cwj5&?-ITdyp+x|XE-*3B|L8H?6tR9A4HUV -zXKXC4=L{;GYOU0TZ%YIlTM6d!F~cR^uf!*<@U_-l*QqJ>xt(al?+>_BvzoP^gL1N$ -z`F-->tkpYWJQUWTg*!blr__$E(F`vAa6$tp#&2s#wO{Z+x9Qj#E{tn`2{H -zg{vzUo0|{iV-+Q+#HBbV5=@9HX*$|bj>(CQqEHI)oQ(#V>5%ee;p0M7*Ncmla{Oaw`~Lk01PKR0)2+7#ypOR -zE<@*23b5&ny_nUSu&QRYf<9ZS$K+zIxKS{-TDjaw -zil6-nf!Sd?4znmK)|t(Kh;^hMN(xELd?H&?xwpdgxQuGz&lqkC*bt7YYcgZyhS`(_ -zV#Eei3)wjY67{AC<7Jdb$1DrskBFGeZl1_X_JSlij;_AeG&Ze&pK!02Uol4a -zAU3nTn}n!jf3MeflZTds*L87yad1DS(dZEx?R=EV`~wYbzuJ+gyipE3%clL}xH|uh -z*0lFO@p4PYUlRKizgu%`-6@}1$(>d}Hi|tilS_mz$63&pG)DTS?u#a3%DdCMr6nS= -zuqM$zP9u98I!aB)2ukr=BA^QLRczSH^0a)!b6RMWsc6m2lXG@=*;qxzKpg}Q;PWP$ -zSPdG{kzh|I5&?lP;`r@Y6C5-O-aNIi>snK{0uoVguzqbh?|wC|;ZdY*FoFd^1_>&L -zNQUi7=~UOR -zVu`0Rq`j%-S6Ff=&?TzqMFSM&gz}ICHc9bAOg}ADuoHHkw?kNR=9F1w*lYN{EG@Q( -z^&Z!5aJ#r-f4w{9{l_?xms3iieP1I%l~D*(t;Nk1aGOf}qn#GuBv85jI+6|9D>yt8 -z=`CiI1xSM|6#z}e8mUO30BVUlR!<3__7-RBW%t*-clA6mka`9Ep#J89G6;43;kLxp -z*-|yA&X1<^zP0+5jK3^7X7_8Ji!05N16zPQD?*Vmuu}Oqin+2p?#8~7bHAc6s#bFC 
-zBNktoPt|Xx$KKi92&|HGRDq~8=dk}B3c`50V14okG{eS4V-1zL#^Hl>} -zDnU~+pT_`PO~9}`Jv`1wS!fR(ZMPa4i`@TU5bt()(#ACb9{Y+&=*3 -z?16YQJcXXtc1SY}^F0^kPKKB2!~3O%n-3mC^{G$p0l|354kxz5D%&q&VtpxbBv{)* -zpMNnNpUwwe>D5nKequv57A`7WDkH{;SWnT$m6mFQM_4sCy6`Q6+R>fF3xV>`&)a%y -zB1l^2YMSpWB_)PDnwNbAr1q&CK9%#FU7a%regezQN#m#I@aB>MWA)qZGWrv>>pVj~&d(I8p??>w1k}$4P^X -zAWnN%6sS3RRKSDNfisfVQl0_dGxCM!+1Yl>tFQeHvTap~MEH7XV84MrcTfkph~OhN -z{o=b|+k%aoLEyQSSSCuJgEO`uIb&{+Z)uzyj^e7-ow^S5`Lr4TK3IX)>y>`8oiIWy -zH0hllKCxMqW=7K+*+}M2uMG#-iv4KGvA+{{p>ck6qZXw*_yoH?4r-2LxGhvU$-SJ& -z%}Cbjx7lK8OxbcYY6+T8eDcs^;Xvdw>6;}lnp8q -zOI2Bf

+yF}Y41&9t?C1#$YRn~NWY8C%6yHl*AOeW|@!q&2^AvuxK!KnnF`7+J)np -zj6bGtii!U}#abz=^y{$*-&7lSX?~Xs2w?6rihtbpW0dcnT=iZgshJw14vAdMlwyD6 -z|23bFWaw<;jHGdx+WL{QTwvP`6=BXmumW|@H&izw=M#i7|4o2kT^B@DwWN<09-mt* -zH_scbs?(Qg+gx};zbY90=8VD210!z1E&|~fxwzSLg-MMc62*ZwTWl5YDkMj->^Hv+ -zEh;f3Fe3&DDuzgg_YDCF6)_eB6ofmTa$1pK4AutIB1uG5% -r0vZJX1QbFHUUX|Bgz^@{lOae~ZgSk8C3^%24n#rsPDd1M0s;sCf8Be; - -literal 0 -HcmV?d00001 - -diff --git a/src/tests/dejagnu/pkinit-certs/generic.pem b/src/tests/dejagnu/pkinit-certs/generic.pem -new file mode 100644 -index 000000000..706c2f341 ---- /dev/null -+++ b/src/tests/dejagnu/pkinit-certs/generic.pem -@@ -0,0 +1,21 @@ -+-----BEGIN CERTIFICATE----- -+MIIDZjCCAk4CAQcwDQYJKoZIhvcNAQELBQAwgacxCzAJBgNVBAYTAlVTMRYwFAYD -+VQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoM -+A01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0Ex -+MzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVy -+d2lzZTAeFw0xNzA4MjUxODMyMTFaFw0yODA4MDcxODMyMTFaMEoxCzAJBgNVBAYT -+AlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNP -+TTENMAsGA1UEAwwEdXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -+AL8HFT/+Uia/TcSFIJJd7Z7ZFvMOYLhEkCyqRhW1ggDp0xrIAoh/fyxq4qIdS8f7 -+Aurf39kzyS9NtDD2snKwfoLaZpunIXNLCujrlrqdhKsZdtl8aYLmjIhTLu4rrN5W -+ZIRQULbkLiuqc6ZFOjOZxkR0NkC/CyfQTJO5a2TaMrweLswmY0k5KlAoevpsh+LP -+XsLC66sqgYuWDD8c1Z9GlI8dW2abRPt+WUKskEgHqYJrCkjvPIZgS7UDAzpUOCXo -+pDDr/qQ9dnAYzt98r/pCx621/2R4JttZbdsXQDbQaHhV69iJqACqZB0lLyKOKa4Y -+2U5zy3++t6pd3oGlWCr96D0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAniIG+xJ -+6rXbrH2kt40GE58fFzrIlzhG4VzncNnpFitvPEMzN0kMa5LBX5/zSYiMawQBQ7C0 -+FpCjz+n82VVW8iabCNoqUUNwOP7ZYmsoraHT9klSak/mLfAXOyOG3DUV9jntivnl -+HUIiDO7Pf6GnVVROio9psQEVOX1+W1uq9Vs79+F5GI/s0QR9dG0qXvdJ0h5UdVee -+8LVXQOi3cQKyBOwECwt0HA0pJwwcD6w9e8Y2NYTeOTamWGQVEV3NlcvtdSVuDJ8y -+lTke2YbEKyHdcsQ1vrDHtdyfEmJcgO5c9EL5ptYJB7Yv1QiwWJOhLdT13IBYvOtO -+ebOF6zAD73Bpkw== -+-----END CERTIFICATE----- -diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem 
b/src/tests/dejagnu/pkinit-certs/kdc.pem -index 8820ad447..4eb811deb 100644 ---- a/src/tests/dejagnu/pkinit-certs/kdc.pem -+++ b/src/tests/dejagnu/pkinit-certs/kdc.pem -@@ -3,27 +3,27 @@ MIIE4TCCA8mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx - FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG - A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz - dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug --b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSTELMAkG -+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowSTELMAkG - A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF - U1QuQ09NMQwwCgYDVQQDDANLREMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK --AoIBAQDTlr1w8rm2fyn/EGHT0kZP67KIM6ktK8nDRCaf+qz6U0uNFMRmnuTMix35 --jZdpknr0aB0qoW+3H0+p/ZEdpG9xwdKoYYXnB3suLBsHfpu1jIQUIFbWGolpLhEA --wu/0lpEWM5mF/CeNb60LpV1Nv9qTkAphuDSj7DaPr3CqE9kh5eqq95X5VGiBtMA7 --uGxa1rM5MXLkpFO0klw39sU00yfEH7TulkGN4NPnQIW42RSsUTuboqcVEXs+RHpl --bEXvOr1xCC5GvObYlUuJmgp95dxVjKnAR0RTWvv6LE29Cfzpr73UN2877HBuyg0b --TG0VJ6Vgpa+UfgGxlbyqHI+SNfhtAgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUa8DJ --DnzKDd6H46LUloytHNu32GIwgdQGA1UdIwSBzDCByYAUa8DJDnzKDd6H46LUloyt --HNu32GKhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl -+AoIBAQC/BxU//lImv03EhSCSXe2e2RbzDmC4RJAsqkYVtYIA6dMayAKIf38sauKi -+HUvH+wLq39/ZM8kvTbQw9rJysH6C2mabpyFzSwro65a6nYSrGXbZfGmC5oyIUy7u -+K6zeVmSEUFC25C4rqnOmRTozmcZEdDZAvwsn0EyTuWtk2jK8Hi7MJmNJOSpQKHr6 -+bIfiz17CwuurKoGLlgw/HNWfRpSPHVtmm0T7fllCrJBIB6mCawpI7zyGYEu1AwM6 -+VDgl6KQw6/6kPXZwGM7ffK/6Qsettf9keCbbWW3bF0A20Gh4VevYiagAqmQdJS8i -+jimuGNlOc8t/vreqXd6BpVgq/eg9AgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUrxLg -+V1TSrSKJgpC3MabCqfQIPaswgdQGA1UdIwSBzDCByYAUrxLgV1TSrSKJgpC3MabC -+qfQIPauhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl - dHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwg - SW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5p - dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIBATALBgNVHQ8E - 
BAMCA+gwDAYDVR0TAQH/BAIwADBIBgNVHREEQTA/oD0GBisGAQUCAqAzMDGgDRsL - S1JCVEVTVC5DT02hIDAeoAMCAQGhFzAVGwZrcmJ0Z3QbC0tSQlRFU1QuQ09NMBIG --A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBABJpKRfoFxyOUp9i --Z/fWql5anJuZElgBSbEC5sL2mMcmL/1vqkiYF3uF6/Z9g4X1LX4QDuvaXCJSdQ+b --JpmhklSyFN+E/agxZtSim+AjTgYJ0y+jwNvX6kZQ8fW3VLNJZ+zbb4n4txfgSROn --7ub+02mo4DYajyD9TE/qLzmVaiKLEKW0osjxX3fB1RN/d7zm//NDPsezzUzmKkgz --u0ML7HGYUNY3+/SC4ShF/But1IoY3/I46lB6BMrIn9X6fsVKlipqrRFniUk0qDlJ --fbKVB+MvGEFoqFNlMoGiufmDjnJl4PQZCVEmXO8wAVGeK8NpTBCjltAAsoVJVnjq --AC5jSAM= -+A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBAFMX7ZTpNPdzFwkE -+hrab7fSDeoG+mN0yorY8e5Evx6sE7pXOtHgHIjQY2Ys0lk2mhbsIKptL/R6jTxWR -+rbmU6jFNFeJgn5ba3NWdhlUiZ8WKe2knp6uc9ZDIK007XaKA4rRoHlJ3vHXoF+ga -+JFOYwRzCtAlmsOCQ0UetoC3Ju6Y6NhCXIE8f81dsh6RMADoQT0n/fcLY/JtbbLXK -+ANTIWHm0oSX9wvOU/yZkYGuwcPd91cc6Mea8f3J8D/OiatMZXc3719extmeR6Cv6 -+aba31kv9wtbxVuxkR7HhjlJhzhqfzfIp3tNREaIxPb/qKGWBOjwxGRqSUkdEqMvD -+GjaSlyc= - -----END CERTIFICATE----- -diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/dejagnu/pkinit-certs/make-certs.sh -index 0f07709b0..f77ac5813 100755 ---- a/src/tests/dejagnu/pkinit-certs/make-certs.sh -+++ b/src/tests/dejagnu/pkinit-certs/make-certs.sh -@@ -164,5 +164,14 @@ SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn3_client \ - openssl pkcs12 -export -in user-upn3.pem -inkey privkey.pem \ - -out user-upn3.p12 -passout pass: - -+# Generate a client certificate and PKCS#12 bundle with no PKINIT extensions. -+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \ -+ -key privkey.pem -out generic.csr -+SUBJECT=user openssl x509 -set_serial 7 -days $DAYS -req -CA ca.pem \ -+ -CAkey privkey.pem -out generic.pem -in generic.csr -+openssl pkcs12 -export -in generic.pem -inkey privkey.pem -out generic.p12 \ -+ -passout pass: -+ - # Clean up. 
- rm -f openssl.cnf kdc.csr user.csr user-upn.csr user-upn2.csr user-upn3.csr -+rm -f generic.csr -diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem -index 837fd0b01..ee35e5cdc 100644 ---- a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem -+++ b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem -@@ -1,30 +1,30 @@ - -----BEGIN RSA PRIVATE KEY----- - Proc-Type: 4,ENCRYPTED --DEK-Info: DES-EDE3-CBC,19FEC334A4D4391D -+DEK-Info: DES-EDE3-CBC,7DF54DB740F92845 - --S6pSicLj30Jlnu2OnYM0eXCvwAHR3xMhhl2N0gheWUGkjicqTdW6ft1qCmGBre9b --/aTSF1ajvFC+YQ/iABznWNmRNZKCzTK1dQ6P73p83uNqWt/cfe+pVYdeHw3u8NKA --fscciBtxnHNaAs16GX5/j1XXRPb+zmUe18A+VFMRgctbaurk+KbxO8qVUkzt9NNa --v5zHkXnaJf6ixL6zR3cOCJWPGy4GmGeFIytQos5Jgn23Pjn8BHAXf39GMs2n6g5V --eE5RAGDeXqPv/tO1kN0/RSKDeIPvKW6REklXraRUle0PNN5g5l3umSkg4fkplusp --nTsQCRWkqyVcMpxcf0wy7F2ZPOYIWDt1/pzAHC7y/fl0uCQPz0Qd1smwt0ABKcZv --m9zaMq6lkKYnBOxPiYIlWVlQi3RLDiQyAWQz/nF0SKsE88SUlB83quySJsZsLKzk --MR/C+ccSiHqMiDKVj5Ts1go+gbj8Vhlto8jH6ynQj6lrOIczyMmgUa0v0dFH3i3/ --WL/8ydJ0otY67A8w5yH3hMzRChXQZlpTmH2dDhAv6EzKBi8eIiB0Em+laz5lDv6C --SfNxZa1/+bSAvXr7LwllUu+Gzbu7MNLwfB2ieTqdFQGA659DjnMqyBGLFzni4Ir0 --Hi6Uh6yQubTm07oqyUHAsChGFE4Efh4O0rCbKKPZuSVfimUZcE6JM9IjRC/0DIwr --LZSYqsFgn44byrc62qV2JAE2ua+/4aHHI28hIZ3MDLwyYpCQL/FAUZtqZvni+zgw --yoHLRDbdrqPps6P71T6Pw6OQzAYC7AL/FsZnLJK78nI+Yai0dpyv/QWiFSXoDEVN --6vQoDv/VZbNIctr31OE4XyjIMiTpn3FPa3VSbKM4/h7SthjwEV2ONNfR8XQF+siz --3NhOjEFrZ6UGHvT06wo/hp4CM7u580fNu5HvyCyIwkx9CZRLHvG6Vu0emlzDfQhE --qxQs6L7IM8A46/LPSTtmEA8Rrn51YY9NChMdY6j3rLe4NLxxOCE6JYaGWVWBBawK --k3y9z6L9gWRwxEfCgWIutDrYtmA2aj6y/vRS6LrotCNeN5qBx+TdRnh6uCqbi1T8 --4rF20TVhNZ/l+pkH/ehY9OJ/zpwdbTq4FlE0wWQZB/vwbYP5CZKF+rU6IXnCZEjt --Ak6Bka9mFm9Z/TvnKIRYiXELq32zOJAuEOQ576tkDX2rAuIQAfE9biX2qo0gbsJo --1RIfXekRurD/HX54blv5mNqUV34gl+ngPpV5nNDy7RuTAdP77Mu7/ynaPfnM7nqu --rECbZVv1HZSgTi+7G9SUjn4Bg36p4NiF0/dZ2W70byYIQvNPNqU1kyeSrZk/43te --NwFgpoAKVbMD1rZ+0xM2YCFFKQZZMN1a5tn8/1TWPlPU28Tu3ZliGeWMdeKd4/MP 
--vfH1pE58qVcyOngjLqGkk0L5A7WOAgu+vibKrxGxywwVLx/GfDFqnNr6H0buwXrk --vuKBTo0r3pcbaZt3kaYBm0d3zznQI1O/pX+eGiNr/rI86j4KC+jUSoKi4BdUeuDN --p1x6qyEK37kgVXiUyiEXO7e1arLBZMfFRTNKVsN5ewL441eCIgs5gA== -+3I3F5dJkYmjX49YRQub+AzWPOJock699vQZV3oxcAabcZWtLVbQ75QBXXBPEtm3j -+LAqb3gRxfETHNHsSIEwGtN3rYre1UdKs3Bu9ROQNTvlbCwRdss3JA1kGhJu2o5bu -+hf5sjpfR+ivf2prJ4whfhb4+efCHE0Ll669V33D2kbPKX0VCokkRmxsIoVtHd2qu -+d1HM/EkjxrOy/GHZ+93mkSeWC4hz56VL5ApGOV4wHuphdvKy121mU0mjtQRKF2El -+N7DtM9/AIAkLPx5wxrTJXuELd+BBDPbRMwmvgqCX1m8sJLJT2fBzVKRKWexowp7T -+d3j9hT+kMiWCTgd4vJ+i/KPkK460Cy9PzFrzCtWut4jh6rZ+F9Tdp1g4Np0ygWAg -+q9tV4RC7ylW0DeseRTXTLuohngfu0h7mXuhutr1Xmq+SoRuhBllZyexV4jJMc1kZ -+2nv9RJ+h7mCAQbLSVvWCZpngfK2IcZhi4hfNiiQ/wqc6rE3eaBIR9E60kaCeBpWB -+rxZm4VHOrwJw0GsaCRLQez1F65Ulk4TA+7TYJWnW/MGrvBptuBamwxk28Ts6eOee -+RVwb/AdY4QBVJKKT+/e3Lfy409evmdTAA2N+tbYzALC1cH4ex4sO0BifaLmKo3t1 -+fC2FLna4P9F17bbjcS1lSWVJKodofUEt4H03X7LaMhwe+sLRuKBIoTH2nLPHLIYg -+B8NO1yFiJPFL0a8fi9kG8JJlCPkASQC5vcYg6BE40b7h7T4qw0HmkuH3i6TX6bsG -+nQlryJ2BfQM+IT3MTEh/T1iHPZcTwFLPF9HMnZ/ydL/nM2kElF6YfMClFvuDGULQ -+zmsvG4D/ndSisapJQeoevAwtCHybh8/3cy8CoAjBE9C1JlHOvP2+64rzvFVUAKfa -+z5aZQQJKcdXcKcM8u8PgEyCN5x5tBqWQjSHR904k25KRkePAh8SoiSDuNQPwtzbB -+RHesvkaSXuUaN7q1+oJzeQvzO8i79ud0Diu5y2KePrlB4HBSWCuWmvz9U+WvGBiw -+KpEUAp/YpkqB1as4IUBDNjV1Y77cyUZ+/8EkPgAvB9wltCCAyQ5xi1h70cDJdabj -+swabRD5JV1JLalFMDrOeOPZh1heaTNHXV8f7m8rMVeYVzVTM1JoQLlvKxcc3LVfN -+9RLn/vTN7Ox//+385UiozC/PAo/Cep6Z1Wz+cwsd62HH0LVimVt2mrmHRKY983cw -+U6cZyhvcTB5UOdJdhwbHfnxQipWRu//XRYY/yVdB6W2J4Gzh//adJfKOmHd8+cB+ -+y8Q1yZP3diTGkhyY9pkXS7Gv2Q9mcXlMJtoyb7rqBIL/osVTKdsZn7Cj6ZYB6ftF -++hKQKNs/bKXYs3PF09UOInfUf57pENSr1AQBQceAisAsr8znRYsFlpqZ5L8G6um7 -+XBneZ1RBj41wheB8g3kL6hj2UrXrE2rxDAw175a3BaxP/Wc2JgGcBWyJTVcZ35Ab -+f24UNlrfcJdgEFETEiy12WY2VaqJCSY3J6YSimHDbffX+ku8QgU1shZf9z8K1l1A -+OJQzbjlxPZT/k4cfw/Xi0rHdgWGcmL7tKLkTcrG/AixdEoI9KCSlQGSksI8CfFmj - -----END RSA PRIVATE KEY----- -diff --git a/src/tests/dejagnu/pkinit-certs/privkey.pem 
b/src/tests/dejagnu/pkinit-certs/privkey.pem -index 7e9beb09a..548e5a8d5 100644 ---- a/src/tests/dejagnu/pkinit-certs/privkey.pem -+++ b/src/tests/dejagnu/pkinit-certs/privkey.pem -@@ -1,27 +1,27 @@ - -----BEGIN RSA PRIVATE KEY----- --MIIEowIBAAKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTE --Zp7kzIsd+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW --1hqJaS4RAMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV --+VRogbTAO7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6Kn --FRF7PkR6ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91Ddv --O+xwbsoNG0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABAoIBAH28SS0ygFvLq4gw --EwJOJYxeswQvNuxp5gcMm6tbyqkjEHVxDtkwuSQ304M1ufF5o2lT6Wko7/sxNyT8 --Utz7l2JRXL7E3U6R6ohgm1tTyHIVY3OWWCP5Nwjy4BXEwdVmGCfKWAP/+P0ajQmr --pguK4/fmk9TIIzf6Kd4u0lOvYcu7AYfaBj9OSSF08IoE1EA9gY3Mh9k8C3d3JDhG --hoJKwMAIX0PRyx6cvmpuAJyPf+19K0/SmzpbdNOHfIXZKtfYw3HxmebhhyCxqNsY --opI2fpn8joasvfcXICBFRHreSu4nKc8ky6FkMIc5KZRiSP//N3oFM7ZLxciMjfgl --bCYqST0CgYEA7xfrB4atDYApsmLk92uHnC2bOmJhncfAuLHh8M35fk09Jt6CMYPx --Ydp4cKYzMemO5zzHxdMnlmISIWWtNbm/gR74KZwOmhFFEP2LE09hpAXRBfQvN5af --RZwMZ9uyJU5ByecXbIt0cuNerl8sKJfG1S+/maD3dZvr78K4Jd6StTcCgYEA4ozu --okBTEZ9h7lxdBBbZcO8i/eikPeKnCEBaSryf3K3Pr/k8Ssaa7MYOT9yD+iRwU/uV --n13BA1I9PvdcWl6ewZdOYX4jCVCIsLs7ed4wfwLxGQMZIVHPZ59lRmVsZFO08g0D --27U/rUZBpMHl+ppq/FfBjyyUSqayKjcBoFXx0XsCgYAOzQM+pwaldE6gfWDBNEXj --1Crs1VRHqSr0BAcBmi6cs/laI6IZoJpbvWOBTbiTmWrAQ9H2HBkyRQXsTVgIoGQL --gThJkyCQRwtoftmSK3LW7Yk//hrCLS/U5lEaSM5hYtPNxOF9VbCywAKHdtrL9IFZ --hygsQXuwKyPS5tHxfjLExwKBgQC1D+Hg9vvtB67jLBqDHCfopJcYywgJFc5dP+Fp --/dreKmPkxpMzSAul1Jy3owwvrVPBKz9nwSxzlRSx8Ex1RU4odt8D+CXUWfMFHH7q --ZXPo7tb2II3DHXlf3fq5CnJYtLXXBiPhQriDqbTpErbVVPjQeOqPnRdfml6mcpPw --KwA7ZQKBgFzqLmWqy7ZnZdbBo4CUUt6B12eaPCW6YNpOd53zHOphaiZLq4rEhpiZ --S6JYQTEQYugr0yd6vxsVL2An58niRg1sM6gca9QqBlGMzaQoXaPx6OrLW2WoS5+I --MmVTeh7yvdop+6gvR8Eoh4cI0HoiJw8oQOOneiXVnh7Izk+WjKXb -+MIIEpAIBAAKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgC 
-+iH9/LGrioh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22Xxp -+guaMiFMu7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZj -+STkqUCh6+myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88 -+hmBLtQMDOlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2Imo -+AKpkHSUvIo4prhjZTnPLf763ql3egaVYKv3oPQIDAQABAoIBAEe7ACa8d9qm4SvX -+FYkAjjakq/JuxrDKxhyPf6utMXjoVGXtDs50matzI1DekVMxlUHe+O5VfMkvc2cj -+a5SXY5n9KqRuGKhzWFBoDnxao7Of5zn5dqE5szGJksjKS6pdZHcutXBHtHKfGbgo -+rJctuf6AaNLdKfI0TFz4NjRznrN2NyFQGhXzPpq34Qm3Rg91hVlU3A8FYjE7ez6b -+vlJBsbKqnvzxEQMWTk0z0bWC79zE1ElH3Hpwfwb2cG7H4EXf0j6N5k2zODg7C45I -+xWtlES+OpZqdDH6mKFBQojU375j6rb2plZGkTA+qxX9GvG7GsF5aOM6Wkge7SUeT -+NUY2lB0CgYEA83u0TtxCMye1p+ykZwQdcEKR+l4aSjNsM2V2s8Zy4eZseR7f5fgZ -+71ggIpzK9pjT55OiYJOwsEkZAPB0gBgiEcqJgow52w3Hg8sUU5LBEahUpx3Qm64W -+64WNIOL9oVXYQu1S/yJ3iWPMQcH1xIlDtPPC1LH+yHyEOnGe4szIeccCgYEAyNkN -+K2JEbbfK7Wsh3/MOtx5KCkzJzFClTSQZ55IxRUf+myauljKt+kI99jYV6eoicAJv -+SMHQeYurLtSkhuyptAHUqo5xgH0HZ7cE7LV1nfam2p588Yg21nIId9XLDPK4AvCx -+Phz1oznaiGMu4jB7esozuW4FKxB1kRmUikM8bdsCgYEA23jMRLFhsr6+jclPP9SD -+vKck8mtUg0Hq7EEvSEk/UMTlTiA4bhC/P/FNtiVjBfkoOXvoR+mYwK6DLUeRm80l -+GKhaXySLGhtHllK91b9Y7NOwypqjaVD5M/9EATraqEy7DUjjITsuSNd+TF/LawbX -+0wpOum5fXNRwVEYKlCFHLA0CgYApr3LeSDzvkK/batrTAj1RoEW5sYpIj4xfYFjI -+CT2UpYagaPzfS5F0WX9GtJ8Dt4aCPN8f+KnuMCDNTXEAV+o45BBhfcLs6gY5bnDl -+OBw7NtAWm8JO1viatXwwcvz7qPysD4yZ2aTZxc4ndH5sj6dxKrpliAIml/nuraJ4 -+t8+49QKBgQCxJ7ZDlM9J0quVivSui5aoZ7iLEiu6GSZ5yF1HSNXY69OnqQK3UxMl -+aERCn/cKqtquJQK3v1IE6k6uAaoM7PXDVKqKSH0Z1Jpqciqjg+J/i7Vym6oCdjer -+6zt6P7Q13f9X9uUlZBnNrT9jk5WjR9pSpxAc0vU78VKa0lZMZ3bROg== - -----END RSA PRIVATE KEY----- -diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/dejagnu/pkinit-certs/user-enc.p12 -index 049602939def4be1fa9164649b39a801f417e74e..b2648ceaa04be6a560966a414a7bbc8ac022c20e 100644 -GIT binary patch -delta 2706 -zcmV;D3T^e37L^u|U4IAu_0R=Q$07m(2mpYB1u!tho?ixcuO0j=`>lGTs)`UgGm<_) -zpKPe)yNdVeYJWc`4 
-zF|P^R?oh5stR*_(MT+TZR4{&W9qoqi)f&pBxOiQbYZZ1lmQ#Pc4q?TD!0ns{qlu}U -zz(Odv2K+dfougnpE_VouJ0!M7bt6;%w@&*9{%SfiDrvUdRZW6CSckeD^E--2MzmZD -zliS3w_y8kT@PFwptW_3@*xAKJ7u%{U_HfDf9jg*K{X<$ZK~Z=^`bq{K)M1SMGVQ^? -zv#j3vs0HG{g~oN&R6FPVPVchC^z{P@wq`t};KFoH0iPJC$e?G@1S`jv>DCV8RB0 -zmIsXlD|}<)cCDUm$lZ#mt_Z{Bv{YU=x+YDXTvPmRZqmcS#sZMLcxp_X>UsXy*q9%5!2Sahq`0+O!z?}T -zi$jc*@c*4b82s)hz9gxO-sN=XmM&gwlz*+BOwds}(8bcfnOwG9>c4M41I>BdyIE6( -zXbn>T;bsx#*{293>WqA>Y^T8DHfefzJaoF~ZIQJHExS&`Tva3s7=r%MBNe?|IHadr -z3;)tG~fkk%kK$~?KlYIw23fnj%9teHJ@ZW*2W?&0_g?~!F -zv4KH{ocV+%s=kSCbfuiTU@S3?HSk;9`=V>fXAVPQ5yJ-A3VGtMn$hyJjBL>)Xat*f -zk>LDwCgwH<7MZbk%enw@_RMCIr@ki6QHeb;WK_J`RwaC8Mfd`O!Ox)RKq~fUu_iU>d?3o -z{a5i;hDvlYB>6O@o?_&bd+Lyi(>Q~@du=M6Hgdv6`ogLgF)jrfhJv2PHS&O?EAOq?#SMnKNcb&pBwlq5g^OegV?n;MEw^ee; -zNAm2zd3N1vCWnEDkE2q@f3WB!pgs=2pUxlBhb1$h(bH{Eh$P!rF3CGZuuACYydDn`l00e>r$h%Gmj<@&l(&Xw}Eidkz -zz@_D66&yL_Rt&B;1I)=kuf6ANgrS(5a+rcm&O0Um(1W@-qtpcTe1y@SR`1y2+!Bjk -zQw=o(lgh9Kq4o>zszLR*B2s9LY?-=8`IIV7);U#dMhstBw7oiDXdQhCe+i9pk0cnV -zMlgF0u95BdPI`jmlfO~!!}altl{kMJXBOyAE&JL=v<&Va3rMzRzEl_6c~VY?np>Zo -zc?iAu&Mt}Dt}KDnI_!(wF&W;btDeR~!+4GFOI$qsL2rSj&Nf1Z`%l4{qYJ4Qo$_}# -zJwxm6gK(!^XH`H3GDvYMf6ZXiHexfG^(D-Fhn88u;X368WggB2*>Np*Ni+Go9sUe9 -z{=o5{uwK>`NVcYMf4tOHNIsnqr!Hx^gA~eWZks4J^1j{2p{HG?g@>qFF8lS7+k^J`&{T!%j#_zl8OmX0^a|L_Hb^Bf&;C%^ -zDRf4UJIncVpMKi6e_ptRh8&L~a0c+OZyUh4xk_H*ZiVT9oPj~^=?cH{ -zvVq3YVa|#w$>d?3-K=B$mSiz|5L=0aU%z0r5=NXvy%;*bv}`8zSe%or`$-|90;plD -zBMc35ZSO>Cs2V+WJaJ0#L+Y2{w9jWYmI~V$Xh0U}91I|Pf1})&1-$>cf4IK3avbmhiO_QH -zUzb|*rY0bBQH(2Dz0^m5V`6s!4}lu+2Z4sL!Z;_w`zlgnxe2p>);eKXeRgPbE8hM) -zh`oOs<_8p$e;6ws?`vcLw-*IKpOB*Ser86?AiRqkbxtkcVjVI7;D@#G#Zz{htm%|t -z{IL@z9azcPs?vP_JN_heR0Dg%Z|rV#jIu&Cz<+D|zX&(+Uz{)Hp2UasosM?7e~B}} -z@Uc>9Lbj7eqH5pI{>XB6W3)`4gbWgDP6bb^t$0U;e~hQjWsuc=W%5osyn#COy+0Wn -zfXyb`UV#nIfFOyKcTxpXT4y|ytF%_1G!x9h^LdFL>`qCd-xJuFe=Cka?oHZzMvv?F -z4Tv$#KpEY*>=SF~eJrHN-&}^_T`nbeQ#*zvBRah$g$#AJtiay_Dr(%Vf`f5yT3Wx4 -zPw9EGe{U+zCREP#EnqfSUY`b6mlSFbnd$rpIUC2?Bx* 
-z&*ahaHlnLZq_)8PFZU&7S##TPwtTI){S}rL@XarlH4%tMe*>vZ$pfl61)r>6REt#6 -zA1Tmhn;*&xXn8IimR;1v;fwKcbLt}hCu@0Ke_$`LZOuZ5IpYkzdoDeo7LH_jdX(6n -zI8<+LlcXr9=#AM@2Sx-NbWd|hrC&4HEsn(_cD0F-dOu17hU<54gBG6YK=4`U_l4`A -zqM(8cTN||R5H++bkzne?q5MIh^^GwlFe3&DDuzgg_YDCF6)_eB6ccK}Vdj_r1JjB8 -zJcW?bd-abN6XY;4Fd;Ar1_dh)0|FWa00b00NU*E?J0(4Y+o=|f0;Fia+%K{O2)&NJ -M-JAb8(*gnr07yzcC;$Ke - -delta 2706 -zcmV;D3T^e37L^u|U4QCIImcZ#q51*>2mpYB1u)u~5}22I=HT-d(%(f9DXV18Kbvj` -z^Vtj&rJIy-KS(<%B=99oy)c{aYIfUfQ83DHHOZ|j5N)Uw`u|wFUxcIoSdpz_?)9%H -z4jelm#2iJczX|~|@JmP%-E7N|LSD%0aE|sR%YoM&yhB@K41Yz9lq-Pj*c;G_qu!n* -ztG256pZmHRbI1aKr&uCUv>WoW;LeiC%96yY!X+o@FzzAxrOHu)3g?VLl=`oYO=8u* -zFUXhf-E-pg$i=j~J5AnH&n@YvQR-2plWV!|u18vsOGavYQq$5K0c{Y)cD=>F@sB1~ -z#Ce~xs1%rGd4G(-!z|O%#O_xY2j{voND30(DGP7NkMXu3u$QVLc=J6%CHpuQKR%i~VGy#97gZKGgC -zQ)7)_hvF$URord*Z(4C$&;M+0oSafecrT1A>TOAXhJPO!S1Yy!|0t8mhQxU9F8H0X -z{bS7WoDJL|;>UbB#Q8kT45pQxG--}vOh}`IjL4HRI%JT7=!MOS_w{ZYQc1Wgh<|oe -z$UCUD%v2lcu!NkaS+WPMqtPJpP30!cLsAAZhJP@(6PFg+r~_<zPu>L)gER|-RptQ7t2T%-w$coS%U?y2ty)u$&%U58*x^dW7 -z`SK*%R6K^ppp&Wo_dd9jlUx<%Ga!U2uD9oPe){W-$sAC0PPA!QYj{>3|COVWx@pS^ -zdR%$)XWB=Qo{$wdCUX>$?lfD!Jxy3?UC2xmiGLhV`RaM#xn>#Hl~j;aRu7ujxtJdV -z5)OCd6$2Sv{U)1)H|`*tznwIA_Lu0xM(g7cYqXUD@0)zWD;@cM$iz>33hI&n$WKkI -z?VwZyL273la`IMNy;tYMRF(sMS(#LpN^yUMz!Pw$N2vcnTC~i=mtZwXPXpou2Y*IPGGimihPbppn_& -zRXBY89ppNtTpqy$L5I&2jYQ23<2e0@(|?7`1y3bhH4C9A`JcTJ -zs*Mq{z>yus8k4sR)=<1ex`9V?dYzvH0P5C26D4493!(r1*M9|H -zKGdn}RlVi8Q0R29 -z1>lc3?jlMQ$F%QZs$yVaL}+TuF@LQ*|2oQf6gad;5|UIfZNwdOVy>MTwDGXK0pZYq -z^=+s6V0xCsmO-;{zxI2J?FM61!lojJcLxx`>wst*?}YyyRfPPHWL&x?0k-< -z*`9-8I`q-`7+Q?mYB$<2tLTxDr(QAj_V@HuB~m*PuA2~|AbRG>SaP0yE=us-t=HQY -zg~<|Cdt7j{a8>OwxZuklbr=dfAs{AYygi_jsgM*00e>r$Ow~3k+rOeO>(s`grF?$ -zJG{bdqli57x@xMkpB3?9W>*jR4I((MPl$BvNhVhbw?_vgtkh{C4|j=)L!maakLdv;I? 
-zQAlp`ykIYDUK>4ac3hrzJuJgy{liWNPtKgmw!Von2J@L_?kwdzL -z*LC)1U0nZwV%P}Nl}uhfIo5hPM76mjv_P&mM&vHgsjqj|mewKje*}5b!(zjO+??#p -z^+fSxFa#sKMfh^V7pW(Q%@sfS$_a6jt%35LjT(p^IHot23x3e7QBt|q8Bx!}hMy)p -zjHIkywUCO1=vwR+a-j{-_L(+dG~7>h(22dhbKe&sw5W6hB_qBi~5%rNy$JlVt9!<+)%x(%&o+O+@b0ergOVP5w6uAeaVE|mzfALIEdE(~%cEj*Nx1l?I)xNe5I~CB-XG7RdT=};;vL@W}qgN1X%CMMTb@z`j(^Hxg -z2+k}O+$v2Ie|Z5?WpteEE^-jk3x*2kq -z{l#-|^i)J+)WGL>*FSJ+u}4ad5!NiRTj*bBOEz4N1ylP -z>^0wkW58HZsCHK&O*4YkvSMBQ2tO%OVIE`(y0uWHS!>4~{B#t&21e9&djORBw&Q`g -z2)Kc2)NTqH_|x#q1O6HWS5W|}5BOBUZ%Vo9Qw5NOKV&)yHS`wX9$DV8 -zZ6V?M9adFv7f3LmPCzozft%9ptIIDEtwklxf0b0u(0L&L4qp#ge@p=B*bmxjw(;PV -z;Cshn-XXPKyoA+FG;h}OQpsj+-)bhjhBs`0k|`c7DQ>1~Bt@|RjJJtP6KC(6#0L4m -zt*tS%Rdoj>M3SepE)k;MCOV%w_xv#>Fe3&DDuzgg_YDCF6)_eB6muCT6bLmUm2E6$ -zJled0QvX3lDc~?MFd;Ar1_dh)0|FWa00b0Mw6Ml6`rPp>w1kFoo;UO4PXV|D2xTCM -Meh!`itO5cE0QPz^F#rGn - -diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.p12 b/src/tests/dejagnu/pkinit-certs/user-upn.p12 -index 7a184f651e50d1443e5fe907b5a11455d69bc0d1..6daa5b378b83e9d4134ae48f8d1ebef715bf6cf5 100644 -GIT binary patch -delta 2698 -zcmV;53U&337L68=U4J7*Cd0h`aFqfA2mpYB1t^AZ29wx*eOgc}d`r>Q7K3iXfn7bI -z-h75b<#ho7#K*k@hvV0DY72cD-+GQbBx+_M+%n71zn -z#X29cB(NtFLejt8_}`1}u<)0Fa|N#PFrop1;9l4e3fW%nAm0812NzC2PWtG5Q-Le3SkbJQ8%$`CRQF5lvDMt^VA%Nf7 -z%gqA3e;};~*2a*2L2#V&7p#=9h0m8OkwZeltqP35E+5dzCHJJcdi2I@dxk4_kjEOT -zj0U8U0++mnH-9@Zh;5`5me2`GT}33BIrtwbrAtxQU_u1LtK|{6gpV~{xkE5ejT2ih -zN^~x-hZKe}PsA-74%;xY -z%1B^HDt0=soP3^{EKJ)&_b-pfV8cwL_(1dml;Sji;(r9YP~QfvMIR=;$|FM4HE^b6 -zOll6EI_7z*5>D_vgiic>K%ddTL?+VkF!(XYy-glao-W+_2?bN*!b-%g+(*LW1WU#4Df_kOw0G_-qaOq{v+SRpmK1m*tb3kPzLIGjVa^ -z2hUFOzaEpi%o&g2^lIMNwb&tG?#XFJz%l4U56fY`oz^klt?AK -zuXwGHf}vN7zq;z1mdw(fafua(ZnorQ`;=s@1b^+)-r`oP1|(c=7dWrTM*Y3X!S+-s -z6yvzsNy6{reSb#uzqXA*j?J{*SW(elo9x=4Tgvmk7340ZG;`lvBR3tL))izIU+caHn$AdqnrQly -ze+yjHVauRy-|J4u6<7{TTLNDLr4%Jx7=JHGUoO1>1Jcfv{I7f>&cx$XLd+C6{T;$@ -z!JSbO;_3Sm(&oAtwAZTwA;V25RbO9psZt* -zln}2yx+-4*YnuuI!9EkI82olCom|r^m3LOkVwF_AlZNQc;2PpCjjVZX)YexUPnw2 
-z_$_(XXS$6%xZjS13_#*rgWL;?J<7vhZ&suuk^}1zTKrxKS~8Q14u?oGg}H -zlv+EHsJHLYhdzk>*1*x?GypZ%k$)pPwmu21v!s;VGk^k+YzPtgAL>R8DmBl>#+JNk -z9u*4ll2JG9`v}C4*CP{?T!#_a+ScwglwY1hLX}2-)3S}nNh}9HZ+}fv%zwfwr^~k! -z=rp+UoO0)meUalXvhV<156HPdXB0C2j3K;I>+=s(Buy-477MAi_(gcw~VJ;|J3AUk`);%Zg&6=cfM%r$Q?RW!0hdBllOO0 -zTK$e}^K!@?la&QVe>VvCGU(Vo?g9b`00e>r$fO@bT)QV0_0B1+RtRaRQU!+^G+F8ByUATuiqPku)}3=nLROGQxsSbkkY- -zasCODE@NO&{NkW~>X(G9%rXzSV@mm{^~LPTEK*0Wm{&=#e~+kA6Ku&p0j~W>F>f{_ -zePAde#=SNS#X0&z^HzqJYAyDwxNt&TfKJc%3yAgfrUZA4_&$b8o8XaNZw=|8qY -zljvN6gHeh`L6q!)aIAW3M| -zku8zILVI$GTwtMdU?^96# -zg~=M+e>pl9)d2Z?X8#?o-z0==7jEP#m#A>bdA2062BlD8Lkw*A-P*PsR8T~|$qx;D -zg^_hvYQOo650pOQ9dBiuA#&WAk;Ae&G*Kp;Mz#)6aM7P|YSDn6RK -z2FMmd^WV`rg9qo0*gPnx{M#w}w_jIXLt?Htq?997K%)maV%KC#Lbt!#l8-tKoQ$GB -zXiH8|epkkQXRPYNxML#!2-7pL2YG28Kjpo|2b}kK?f)J1gPw({=3$W^com8c3Ye7dJ}RHz -z*vvJzwpsR6M44c_{jk~~Myb{^rc(sqe>x=O*QBRH4UGQB?z&_Bm@zH!#+>l)4pTGr -z&x}!IZ*t34iEdy8K1?hC686S+fvw2MM4b6|ovWo{VfySc*qk^hH|y;Ox->fB-fZW3 -z9P`l12ah8*RP-+LVYybf -z<$s@pM^MUhoQy-XmtfWe_GYFerm2qLg%H>?7HBLGv~=PBmQW8Ay#|QIkK#;jO;$81 -z;Ec&>RSgW` -zXj?}J-UUPY8f7(HIC6UZGfOfO72c@ABwq8tiZ0?s3(7$ -zxM}RzJuAa0`@+dpgSHC=ye;ze6=fI5jLQm5(4O@ywKR%B(SKp;94zpF34Epw$elea -z9!~P+oiqK>Q_>yAd4Fbui&Gbz+?SuIr3+{gn2}D)4zKA -zw6q+|xyzFg{C~CJXs@2^$asn4KAS;Hr!s53%;M>!4_lI!j -zE@siDP@6({Y?SkW5h+LdIH$!`_-XqxelFC+82Tg$EY9PMt$UIeu5 -zj=iT7iUSA-e*52|0Dc!;kRC(OF6vpH^HL(#b3Wr8xr5SNtP6{wfsN>aHEory -zZz-!@F_mMHzsyrd5SFu-?*f)-4@0fWC;9#&dw*SQ32o63t5Zm+f1C1bL*s$N7grel -z=O+Y!#o8f?VAUB9+;Hl3)PR91eu?p_GHL`ZzV(YKX%{M`k(!63Bb|Ob1gX^X;@_0swMf$S~y?O52J5Ow2Ei5EeZ0liT|CpLX3dRe|Y?h-)%* -z1Ahy_Q}w75-Y#V2+pavIB(a*V$3IEPg?T;;_;l~R>6v}Ls7>PH|CSU4@((!&99d`8mJ4VP6tfU(4xw}bWH@+eq;9;I?L2T^2F%;7KMe9jrkMY5 -z;~yqZdv|HCk0HHe6ELR7-?n0PnLebvx^Hl$-REUwC2Ty#$UDZRB}HY213#mttD}( -zBu{Oz+8I6(k)MzWxr$ksqyo=hI1ZhXWX&Y5JiN0mzSsk}t- -zJJ%SucVFN6AEIBj6-I!tXQhuHr>X^w6cJM(yq|zYJ;?@eY;==f{|XXanx4vhND^Z_ -zVG0NghDtq_C2zj$Dz8C#|AZkOPjw>3G!iII-&;gSHv%p#e{RGu#nP4#fobQPcfv18 -zgrG+nAHI;bL{ylamN8W@lZ^DQ(sR 
-zT%P@xq9c;o5?_9TBIsOs|hcX>KKPL9C6IfhyjT9og;C -zTTYklra)`+#hT@j5b!vTCMRNv-&CN403}aafd@V%?CBOpZa@yL63{b_VYz#)84%BP -zfYP3we-mmC228v;c=3=b_ySr8pLt+9&oCknyR!6tdU*&t03h4#MVDePO!=PdJKgTE -zaHJvVh#iv(yLboW+T3TYbSszMmU_pnlTuRonrN;Bt0)GPvhsgs*~x?(edh&W?F?mzlkD$J3Hfwl`moP6Hg%s+6VJf4+~1Rx+6eBhwZUl;!=3s8jgC!;aQf -zD9Z@?L2PX$Ghgizq~7d-QhTd>iMJ9kiDb%Rq~);boeQ_o6Gz>K3&BxCt+`@~nJAh% -zg!EqIPY9B0ewTqT;i1r~)!+l+G9oP%4++@@;Yo|$z -zMwTf3)yGj9S(sW_1-Kzi6+3#SgOCRWU*>*BPfO6cBnql?REk}m2!l~16V`K&3x=#~ -z05!gcR0QYhTv!?>tIt7C*)hIDp`l^Ge?{+>tH@RY7FrUffN~A>;tlE(3sD|7LUANB -zis>fX5un78BnY6sbwqF=OpLF_K}&sQ>&x9L3ga$y?=2hF63nby&Kn+_8fYj=Q%qs9^LzWtFszxdqjsR&mys<{B|EGHk9GANU8t_m0Fe?x$v -zpy|a!(Wp`ffAoA3^XaeEa(HpQ9c1?JtW^k>aa()*8q(TFBZbOowXt_)DRU3xiT^R= -z=F~RNdSDu1@)T$jO}aMmZ0Z-E9f!w814*M^g*;BUCL)C0s^{0*#IGyLz;78!^?dxg -zVlRVeg08jZ18}h9;65v{AH^?-f8aiTOIbeJluz**@tGI6G+BB)7Q~kN!AQ{g!qteM -zhqd!L(uO>k74-EEJMTAE*X9x#e!==1fh0RBMQN77*2GhWj_q=-;Wz;n_ig?}US0W` -zOuQS?@DtZzW1f~nnyoPEU4QEdRHRCfek}q52mpYB1sD{K_#Ii+3SG3sHqthXJUvY<=YDAc -z9#;0PWo-O>j);dWavz`vlnJdRTmaQEo(0cc+s7lXMT_ckx;wyC2|pOcNMhk2NQEoc -z(*6LSNK&b;J(RKHcLgS$UbyOpsCkh&(Z&4JM6@2PAel3A~|!xb3Th5gvs -z+2ZyxIT3B%aetn&kjA>&caGx0pjK-&f8Q_X>G1awp^&srIY7Je-gw)mNU&6nAKeV@ -zDUyEhZo?kDw^KqVPWeWk-%0aRE+Wjuc3X9h@7jFk@Bt8^KtvL9oxdA)#3I|;*|BOo -z->lHL_8Whhtz?3eZXiK#wkl>sh(V2h>Rg}a(k;J|xPRt2O2Tj<96swuA_=jT#@8zR -zTsY*e-_N+_<&h_dPb%s`G69d~tdf<}E{REDc=M2s^y7fW{0hfw^3IhGV>@v#&Kq3} -zhwf5UAn^i(2RW!~epxan!iiQi1q9E*i^;IyPET${O0wgRN(&2aaM8OE5y7A05(S7? 
-zsYqm-b$@CJke2fvwgCDwtGEZSH5p4N)(<4?9_pX)FmKp#;CJk)fx47Q!Ji=>(`gLt -zB9@RMXeL6z=WsaVZGDZy -zS;DhvL?nwM{iQ)K1<=B|aQg-X&IDSl$A~zKkYo -zhV&KKYp^vG$Xo#98^t%_%B6ouEDxE%5^=ljeyV}hvfWi+B(755(_^ -zyBq^D^D)}0ODnN{tCc;IJ~a0+z_Z4F{>vTLxtG7v-n?O6^jolP-ZweAlZ6FFe`>0B -zfhbF<9s&Xg00e>r$je4%i&omIruPaAML(chuA&9Npn@rycZovGBZ#}MmPoP7HFyS+ -z5YP1fO@E2>32IZ)3U7So39tUWihv|bt@|JD=G>W@vLbuh$`t2r-H%|(HA#7Z7W-_6 -zMx(NU&So_YHnXHr{(L?L$F@_~eG6X?q6S`WCfKOSVZ2DhB(;a-fB!!0 -zx12RrgaWp -zY5qyxizI4x;ougu@A$3NK6q`unhku}7(r*IjuEbk_W?J+^#5)TU`GEu5)6)&$OQdF -z;-goaN}BKgkRb>#!sPGo0~l6y6J_wWv)T|RQ;IHAJzqBid4iXawd)P0rV6^HMLnb$ -z)*C7%K6%-JP9aAHs48ype~zwJly9JZ$}NYKx-Mp9`1s6RNNL#vLto*^@?m;nGW+I= -zWrFX-+Ya8`rQ6nHMD*!7*jvVb6y)NbtGwi4TGa~%?hH{~D+F~WCg$qzYa5~Jg_L|t -zRR4#x%vZ6tegWzpK5qbxOZlsQw9ed@cuy1?5hFwQI5x`5k*FI1f3=Bo6N?70(6E=! -z)=e3F8h{}lF=#L0^Xd)rP>R2*=*YJFpRmnBBqPdF6~Em{>vK>4KYMxGKc(f49lQR* -zpC5e;d4$#Ea4PR55SyjScaGF=qC5ad8W_NCb&1?YgbKORkd^;He$u%fp+PlI)X|mz -zVstj3!6b2+*r!Dke}#limlzF>9>fdN{BmbrZ}WBUCLIQZ!JJo(?`OTRR|!iY(4U7e -z$^v2Fxgs0I5*}XGJhGl7%`WX>-$vfL?F|tI;2fAi`BD5;7Bd#Vy+Sw;PxmH*ra_J0uID$f8R;tP|Zy-aDWv?@#W%h -zgadvFj)f%M9Vnn?eUJrGfhc=2RDa9V -z>FxIlgkKyC(TX_6Co);|LM8Y_i725KU9m*^TC$^0OB)4Q@!qg|><#|?M~Ctb+P+hI -zkbMqX>Z6#Xe>34_&bOc2;_=J{oyk_Ny}nc=NryDiE!$)Q7+PK!i92EIEojc$?P96m -zc?iK(OD1K6|1g4R+r<@Y5|Jg!GwO8#LjQ})>Ni^dMDAw0p*0`d{zeV3zaLZ3oYpEw -zH%D+{4}P!wbSfTH=8xk$*K9Gx2wGly)4dY^K_bE!e@dLK94%Iux!tn5oCu>-ve@+_7Qen#! 
-zCcQI#e_G{j=hkznNe7#RtdAbEF26Pu?E0(v%|h1m<)!3M1d@Njft3yg;C}h;Dso!= -zfAFsv_<1EcnjXbW)|JR|FCL)ej`wM6w&%hWM}7Gk&X#(57o~9AdT@&Zbv}$YQU*8&0v05$6?i~s-t - -delta 2682 -zcmV-=3WfFk75x>EU4Nojn7^Afzuf`?2mpYB1sEA6cU;`CoS+7>CyWFQ$f+`W0i)xX -z1IMo8fFTH+Sz>3S>Uht|Eny;NP)?BG$3gXhG8NY)?NxVg6aGis7v1YDigSP`x?im@ -z`?Db1bRoQBgcP>Q+5v3SBB~AyAzr+=xrsL^J*kw{1hZ5%a+ -zHc2Xg8*)=q>SP@L@CC{#w>L^Z+J&6pnI}#Mq2P6X*Nyqox5QLoU(Jpxpoq&?#cuXc -zXJAXQt}I!EzNSb2ejUPkjluI$|4N3SNcUzZvV&GsmZuciaq~wn*p_S%?j(No_hj!&e-e>lt2Pg<@@fsC`72#frhb+0TlAJiVEMe+^V -zdV&&N)e5!qVh}cr=ge)HA7V6&5DHAbYHMo2Cwb?2_HFi@NgTia_2J9}>VmG;PF11h -zuX{^wYCwv%P3F#g(FX%|k23^bb3@-HU&VT%}IkJ8+A94z3vJox8pxZTm -zh96kU7&>62DbVf_jg>pF8CWC|H9xpweRbyo-+3m`BB;l^m|n5?F~-UAw2Eo|Upr51 -zfzm`i1<%YQFY4E;7^kKDXL(Z>fhax#kUom*Hj0_R>A-22fRZK89x=g|&JSE{W{2vI -z^w^gDgMa^gOhBw$Ca*O&b-vw=S;5yL^$nwu8i^;~ -zmVO3ig006aRom{J8v_Oh6k7nJM^oOvgO$e?LIcUe@rCtq|s3&RB^ -zp*ri|HnLH%?bY0wu{FJ?nTgs5ZEh;!_`)$2#t+ZJDuWwlGEIQ!^sZWqrL^=L`giqm -z34aFCQ+hfGDFnHl9}q8BCSMbhWO{0LhibaOL`8zaZw)#kDfpVL!WS$Bf|Wp#SGs8z -zuMxe^2$FU%zGSVpNVe46cBmbY6hqiGm#PP&EQ$kq_W{$pm06H0I%gFf)9CYmtx{e` -zCJomci2D?Z;c$t;*dS$k%-x!+$E95H>*!vWXOLFkcWfP(8vvqEm^ -zD7?NEyE=lGE=5{3&E1qK?Pq*of+X=YNRd~ny(2zVQ$<$apcRzL@uGb_@^{?HAb*II -z$&EQT=ZqVQpB3Q~c_g!iYNSeNLJIbf9LS;cn*N*`225y4pWcO>;8=j3zmG!aoO6zN -zSv~SZC)THX1T9jO_hUY0^=Dn#Xf}@Po+cTbq?@TM`@ji}ttmn2n;Sr4S<{d4l2a2) -zPS}ZZea)SIItKpy^!VN -z+N>iElo8@Mr$PrK`e)v)F{}y9KcSe}c^NmRCcg8to5T>| -z))WBs=1!|VB#mFx`T^_p+=Pn>y_{Zw#nr0X{?<`094{ph7>-~kbq@olS=kAbC8n;u -zqo--UqoV^)&Jq=A_HU}Cbbqn(f6FcUJe4TRe&a}TeVj?vOMT*nA50LwT!xaLWC~?z -zuR;Q1O*uQ+^mH=6@E2eV!vRW8xN1V^ -z7CvAHrt*6lqf)z5mkVEybFjWWrp|)?J*)@-OENCPO5D86?t`Ru9vD!^e;eouy|I2+ -z)$WnuN?<+4|2P~77T6MX&E~%*V{m1X=w~b<4D1y6!fa8v^q-RT@mT(ydAbR9tx)Mg -za`UP#n<^-&N3T@x%5`|IYt`Dh8FG&3*k>3@-f8ZRSjJBYOX+8{Vp2tFEQl+0M92wn~XpZ4n$&REI$O|!A -z|C&upTLIlp;Cd-QTpjF8zK+*zVNtRL8TaU#8gXF2dW4AnLSjby@N|0|VUWjIwuzP7 -z2xQObW)|z43v)#`5QOv~WpJ>Wxk#=te<$e*%Nh%31rZ;eP4F -zCW8>)15kbf%VdCj6aFwL?c2SQo#n52WiFgQTPjU)KxSQV{S``6ngGtn 
-z|Lk(B1|^3OZUXEj6IkMTS+tQbc2JMX@jaF0-Y)3F&iIGWY3c-<&L!MH-FQs?2>rCo -zW)YfJ#J06pbph*0FRV?dVRUI9mZe(rkQ(0v9mAEpe?l>lDrmYvy^Rh&^F$bAg9aFx -zb;PX}B%WHxJK8;Gcqh-`?*P;qO4xaQT}m-W6F`5&om0=1){V^dwH-A)3GtCm7iP)scf7`!^ -zpcfWDpn~znhuv+jW45rkqMPDQT}e67FE|w_ESX(LKd}_=1_wtRDk{{ei?VevL^v4)*gHc4wiT(y#HLe -z4qSa#+Lf4khNXr}4Pq3ujwKQ%=*c1>#@tMjIH6+JG=JUgo3n9hbV2@&`^09UzLsXx -z1Q0;yi%cyg>96()dg6wn_&qzl`iL-O?IPE57!Zi%GjLm9XfP6c3OXaDg?zmXl_m|- -zD#I>Xh}5fP8${o7N)c1RcdbKF?oNOY6SjNF1NxBu?Xn2B5^2_>uDznS=+!Ntgao5u -zB_17l5`Tuv-3}{<8W0>JB~ZN>!|UwyTJ;p$j>5;?5;Y$w%BzS>?M_-N=&9H^M5*5VIABRGi2Gd*F0<%A61E4i|HUz -zX!OLlQeM2}Z={{ENfa0g*iW|uy6#x-f>|U_zzmuM>X>mvJm2MZn#=zwdTlT-NTv)n -z$gq@JThWUCy5?f5nUaHNcqc>Wi{@iB-%8J0m(YS!7p$&;U$Mx~#YgsS#hfS;=L)-0 -z4}bqab$|EYJ#yJjn${s(M^^4b`Y9ZM%%!e@ka;J&=%N+5kQpuV&Y*NQ6%bqqrp?0c -zvkASQ^E5U0TOV~zI*%0#ts88^z*()E+lgg{*<{;CjX2|_kR5t`3b)2*_|u7AS)zCI -zddqMp*eroBDYq6%$yo$Y{G=>O3TL-|_kTW!!P_2$POnW{>xFSfio_MXs0ww-mo~hi -z=(rSEzL&BlLd#CsC*oqs6C~Fo+9Hg8?ck})d&Mf}w3xopmhhLVP`QjiQyjND61#m- -z@Ti!l54-Aa1EIxMwvv%1+o8lC5XZ?$KpMOoo;_Rth{0DdmNF=oifNM6@T>e -z7}*!D{OdLG!LDBZFZ#;gcf%2Gl4oOl6Fn~r8DNFFQ~AA?eY^)C|5Ly1pjk;wx&r6# -zDrVnH0^2DH(;P{I=T})*lyeFUa6%tU6RtX@SZ<2mTs?v7BL{(|rzuaK5kMkSf)x!P -zMII;x>mr$R@xPVtr{^r7my}%1}E!A}WmbofvFM -zcS!kljv8Z%(&&Qf>ru913`}dK`R}b6!=OYQ|L5CpY15F!mbW2qYdr|JUF9YL8WSuf -ze*bNr&bN?B+Q@E1=uUeEjhQSIS?`-Af4;LXKn5N-XLq6xc|f%_#M%w-*Pn9 -z0f3p>$dACQCD|ZcE0T;i&hLLDWC+>2e_q0`-xh{n0FH%33ag~TcZ@rg112tzut(cYLAtgLWrFG9P}7g>GqSjUx=*%5=Ei(wi;B#qD!D0DdHB=5ne3p -zz7X)28kw|s=IQ-C@X=`XBrP#XfrYOchw)SmxSL>Lf2fV;6VyWK+tGI0@;#9o`ML}b -z=Efu{JvtPd@rn|9u&5^X|3=^8Ur|_(J(G1WEIKJ0`^x9%VSj#?Nk6WwjXxRnu-6m( -zjd)VmBbBWvY@1~+Vw#!O<(3tv)oh)ricul3Rfwl%X8C3a+<33*fD-2-GI5{qDV75o -z>LqpWe?G2-@V5x^ez4WY)5DkL6ZxDB*vBE9%u;E|A>H(s6n}9bH&KQb#zdIBW7MnaIzRarxL@n!O)O -zK=8REHm-D)+!QbFDD>eFGqQGle!kP6e|@)JpgdCP;~7UeyK0@F3NK#SJ0IUT4CA() -zo39%1U#tTOc@;VYuXNuOe?N1eS){UjB$ovmaX=}kj~2dJIL}s}NbDPCos#k!q0k~& -z6(yK2z2-dNY(yJA%`mY1gCo4XY$|Rb{VRvx>}p2VB)BS18|crUeYiOaX8I5uf9e;5 
-z!Sp~;hom{dK*GcnV={{eZlquY3=K$u%N;dC3YcZ7Jwid9q$w720~h8_o0`rJ#+e>}#fXz~jOgIgpH5GUFmGfeNWtu%Y@mn$$D4=DMM -z<8V+G_ROuV$#I&3s%U2e{*tn{;XFo~vnDzTiDiOa;XL2_2q1G2#|Ib<`7((J_Ta?x -z6ma$u_FJom0HA=6G# -zp;0g~Fd;Ar1_dh)0|FWa00a~tK>i(z<@;kWV;*m?sLnLjiHbx72-=Fo1r5yv^#TG2 -E0EqGn4gdfE - -delta 2698 -zcmV;53U&337L68=U4OgPIH0Ma|Ih*g2mpYB1t^cgTby1_i4bV`ET($=&EQs+%VWU! -z7EL>iJi4Z78OaT9ubV}bGdi0`Ahw>yNtjoh(jz*K!b%&Ua)hJeCBb!FAt9G4(CLat -z`Rag4jFpnmFT)s@f*z8jt%jD9#v%N*$?L>k;p5=UEuP*lV}GdN&eI?0rjB?@WB}eY -zf)XxYT1q=>J -zymMlumTAK2tc{81$;?wU?RVDyIg)}6Ru7Is8*D-idC>`arMh=W)oa9!1#zHlQH+C= -zxNFQiy$@%pUw>ciB6Pems-P<2y=ikP`PqC(+TZsM6awppC_f0Xl3g4K3t|VAQ*|@t -zqWP;7pCfxOI}DZ9(iJy)rS*nL8a}#DV!e3{QR4jj(Ty7a7d86H_%`o3)tY*5-w|Qk -zembO|Ujs3}!86C73mgV0q^5iPuZU!CsXRr9j$1G30DnT~&96xZ(_w+gVmP}nkT+9^ -zTnBG}hdQN2AJnve+R?%pEbv=8E5(bzWG-#u#DzEycabv3EOTQ^KP}Xh8CNH%dMrC| -zl_ZZqKVqcBMJt^u$Fh!)FjVOw&dWSYUg?omm_rDHAOgriM49P$d0+1``GCJ!ZsQwc -zIeSn5N`Ij~5U5@dvEBjG{TiDpjvP!%Bx(#V7yW^c5vbxvj?}{zE!H+*c6xgo=IhbX -z{ugXqn`P$jl!c&05S&~~#+%)!=U#Kbk5wVT)3ql;lTT$>=q+JLDX30eW_%PenT4Zp -z_goXztU1Ch8>MHCoD|K5H4(V-ja(n=t}k--9Y2&($W_V$rpuB>QO?+3-dA -z-pr3g54LFhpSdbUZ -z|IdewW&nX@Id-7N;;8dTYiF$bj&+Vzp?^hsO`e7M7OU$Gla=8Q4G^LnBF+hG_nBeb -zu}|$?y}&Ypv{-4`sZB4J84gG&-!sF!m9%?q;wc<-;0*nm{J3|%$s#f4g#v)CGLCU4 -z(Yc7zteW+0h{?ByycGWhd;fPj&Dn(4myw17)6pVR`dcE2`6M7x!wVsRwxjCdAb(Wf -z4D$@k@4>yr5z6XWYn7pBxh_HGbj9atGCo7126F9)ewn?kfa;&vg>e{5+wgb3)|=NA -z`o8_Sx*VNIakI&`^qCUyxWkzJM}b~6qYN&iv+v+c(UQ5=%{ok(ekXq$lZ@xKgBHx0Tl@87a+hB943i -zFD%RA(jSI%C|Xca<$+=*lWL`yEop8}Q{X%bQc-xA;u>Z)z-N*eV}?4frikpteC|{% -z^a!Dtv`0%$*x`Vxh#$niPcOGkf}NjScYXD!MU!uL497Oq;pCJOkrMUvRzj(C7>B7| -zirNe8d;&TQyncnqec(ERvcvZ=HhwevKN)GUzDKIn4gl?ZdnRwvb(WT2#ZBk3!kjVD -zJEGu3Mj^N{la&QVe+@0G1;Pz3&jJDn00e>r$OX00Alr(atOG})P|bur1*6+0Wi&x_x{|YhpPm9aRrXy+e>w{XL@?~)eWqce&iDF0 -zqMSy`TNzT_)VB-&hdVeWjEeXb0i{%KpZeK!$PY01Wa=BLfB6xzk$J9wnQ+$8Q?cOh -zQWJ^oEshJdhCpbB9?+gW%#d0mHXCu4Kr$r>M+VFC+yRsa^lQ^YyqVejN5NolmXwl= -zj;AXtkvzSNf4>f%vSi6=NX>a2^%IT&;v29li&z4uXN8vz(uEM&T*Qo=&F?5rk#RQz 
-zC336+`bfFPsilPKn2a5|Np2S1s2;)B2v;glXVE<%O(u+#u~*}7ksKGB=)IwePkk!6 -zKOP3PmZY@6SqGV+fn{aX%cf@iNQisE!MeAT`8h7je{pcQ%DlZS83P&0<4$9^B?j!n -z0^s^wwN->E=~xLdD_)eKs$i$WQ?$&-S=N4)kY -z8sF-Ce>waid23??s6b(A4ogu;h++fH;y`eEvd@BSm#`s!Ry -z+6L`T@d*j+#(xh*)fPw%XJxi5_WgWEv1C&^jNYt_5ZCvbDlQ07M;HV(J|PE-03cDz -zI%m{>hShEl-wN=n~{2XZ{L*9dR&>p&O5P -zL~0ADX*&QcF)J*1tw=!e<$;FCS~Q>H`vQ6<^=_{tlE=R-j`1+-CyIrhMa^l@GsOkoi*b5gc{|O)u6y -z*Eybgfl##owFc|2DqiQ%>C%TLxKNZ2)Y8q^GKz)qUCCb^Y!~Ouk~utFj^%qDAD7$7 -z4|(O*(4Us`f{<2cXiaTtd7QygQM!6=e^+!{SnFm@Sce*pSUC_>Mud$loY2}d94m?| -z<^OOSjsAsDBC2thdNWvSgLi|B<-_+{K_gsBydMbNjR&C)NZ%Y(>Bs|d@Ni&G^NWGp&(#5%4Z5twBV>={4~8{UuyO)#6}%;xPIHyY{h_i55`b4<${ihODv=^X_GvM2$(ip)-{scMp=K6z4NT0 -zh9qH{M2vDnA%B4RMJV4L3g&uG{}^y>U@_^&s079+Uw;8UwQZawTn!vsnczNryXER< -z^4t|;quLw`bl;E|eEKmn>RrwfXq1zSpT$o-918IoaQn0K1Qcv~32@A!!Yk9d$5)cI -zy{aB^id7jlNY5I{?KJ6dEI`cwQ;~`h@bsE-*#wn1qLARY;aK^Be3VEOF^3YZC -z@z)+dYJm7<$cmm$-`oMA4%n3L(y&2%bYK#IC-~*C61&8wgQwA^>q1bHC}EtDjtVc1 -zELlaHTmHT=Yj$uxFYs(>usRFRqQvn&Y=h-QA_vyh{d+oN#SEVcRq3G;MW*B4{9l6v -zq4IfK2!A=Q^+R+st9#jqW4=?osK-Q)K4Hq5%bbPzj&C#dO##MJ7oXFI1vcvc70Jw{ -zEv_S72+LnOnU;)4y)s1`vlaV>-0o^K1+!777`l65f<`flFo5nDa<3{ccfhQZ2?{|o -z7c|F5o2|#B%7Rj;vzYt{Mut5sSc(Fb-e#e^-GBAX_{?R+=$MOl)HiG~U+;&08^mvP -zHNfv;+m0CZZAMc)NCYtA@^kdgq@Aok`CYuV8^FZ~W1mpM$Y|0UcYycv$Rw~Uk-pz- -z!Dy26%)YpIB<5W?r3BX^eu*^fEgSl~ReH*mqG<*`wedGDz+{; -zx4kLMqty}CrlV-aA&gVt>cAAtAE|kT{Gl>@GBfH-*I9Ut$$mL}Z;Gm~5u@3~UH3u; -zu*RcYkh532p}cjA>7*oslZ7OgH8tToL4TJC&l=yANqs|aNom00jp9FBDbRbjK3>*1 -z%t%A$fhz|l3Z2Gti}j5NxrXYzf=4jVC`TMPTZvUT-H%YSuYeGCOl)KMa1~`sWdLxxWOlH7Hp((U}SX!YNhgfJ)IPf=;Gx -zCA}LPUS!(0kh@$b!MG*{z^TG9-c9BlhSqSqv`*cklbr=df9nY*n}fvB!vX>b00e>r$RI81nSv?+Yi!SD63Wi? 
-zTpz5uAf~z86j38B#-LJmrSIOk*?dx5rdvPi*JcISr -z;GrMw4kJI_;L|8E8I7#QK@8J%06j|~QeRT5YPYz2e~m|0eC*+N -z;tTbW&k|>^&OYIQAQZ)=e!ZR$EefvbbEa%e@aTI~@iZEV&h?kl_iWbBu8gqL22EWO -z9%e@s!Ln9mn5gIkKyZEbno(BO|N92gh4zi>;+t!DB# -zUD*#wq%14Ws-EP3hBY-&Ihk~ywGtQqB8-6CEv895gq+Y?Ref!PVQoN$e}ep~l&{da -zqe>QuPg-wYhtPeEN!5YpIa21fnSW1kwM|Wu{MOd})a|@aJwy*geIt_-o -zf@_GTcauuKT26Cov}Jb>o;A$hT-*SD}c|OaKX(rQfx^MRmECJ-R!H{CDx2O -ztfI!lXTISDio|vGOxL+yF(#V^*FP|1>(VxK)_HV+LW+m+hM>6nHJtbPD8$YNAI`V} -zJxt8tv;~TeJ|us*$IFJ&gYiOXa5$hQD(6={4wTTv<(s?me|tUC1}n4%7sLR#^%2Z1 -z>wB$BQPVbOEZr-HbQu^qQZZDV0B=qKLSTk0OH6ViZg6t{x4jDwj>Q2g#8kQ3r>Eji -zoCHAsSfZI^gjaN%upLrFe;LL-L(-_It&su|RC&en#x}vk5N84OPL*8oFVPE6rr}-0qN*#i8!ZNM -z-lMCaJq9;t`UH;WVM3PeWlDBk&GJ8MW!kVJPop~_JfAJz8Tv~1W~R=A -zf#mg1W3o+d#@#T-2&}3LjtVGn(SoOHnQi>T=yg_;f6ZBqH!1J@yw>z^@>NitY+5GG -z$_K1gfo*y_T~t97XgHe91xGJb>0;+13X;T-03Pf6IfLg53{}XapD=~I*1UWMmfQ!D -z7Ze1;SJ|?3B4jg+a%x7qjgRh1J9NxeFNvzi*YlS;ci9S -z#DRe^Za5%?_JurFHR(9)uJQ)yN&4iz?H -zSw@t!Q))44>uN8OaX|V82359~wEHn7Fe3&DDuzgg_YDCF6)_eB6ccK}Vdj_r1JjB8 -zJcW?bd-abN6XY;4Fd;Ar1_dh)0|FWa00a~TEWhWcHtRjAj4t&h2$Cd#3qV%{2$+b8 -MPj+1S(*gnr0E_P~i~s-t - -delta 2706 -zcmV;D3T^e37L^u|U4L0@OZ+^lY6AiS2mpYB1u&$H6w%_X?Uh+pizOtCBDzx2lCMDmI_;E4nZypk7SId1QiiG% -zoX$R-HEZK1+~1}@RF*!aKybD>UweVLW#TM}CG=Kw((`3EMgCgE%Wh7i5_PDshVd9Oz|EjKxtnoLw`TW#&7 -zQPy}=X-XKHcQwT5v|u~sb^Inq0NJ4Lak7<6+3Ya}d< -zR^Uti{uWAJB7|b_QADZ~qF1trj0LGAR*qZ!4V-8U)PEs3HV=&h(r8ATc_D(AEnMV1 -zwuVIjs`^7H=|3CS`*aB@;CnPV&TlP!Yu&aLuDOS7Sg0Cqu0xGBQP5;o#gwP}e8{0B -z7jV-rq(ifyxm<=mq)wx^ScfIWLZ7^FtdIF5!b_#_SU{v)$6P6;3c{)K{n+@;OiiQ- -z)v(k`B7Y~QMMOz0exF+cpQ;~*F-}k8OW2c^cHxE_)brp6_t{vy8?fdPQ-ctCS#H(j -z$jQY05`;BJt5Y1_E&P`i?y7~+)+fF@I~p95YmggrA_kkXkLdVu+sQe~jV^LlG=Fp{ -zGMUwQ8FM7Kg20u!G&B)cCNQ!KA|~SY(%9(~dw)NYD5>AwQTYoOym#9ju3MlAj~yL! 
-z+9RAIsl?+#`6IQ~$`6sGmR#$qABV!__lx-g(mg2@c}g0+B+myWGZ@B1H-hdORvFBr11a5D -zD5mD8X#7lUgZJ09DQa34oE2MSOlRl*Pk;Loc@3DRHQ-tjjjDOpdmBQ1xk?t__INBb -zA2{y5_WewW14^G6WH^SY0hmJ8^Ng^zx=ZpuY7#VI+rLN#wJ0?Q;k^@dZ=X;S&RshD -zWP{?O$!sjtgM5;`y4Wj6`G$m`1OsXIXK)R(Jwf5Zy`3r9HV=gsO7Qi4jzaFFm49h7 -zfsyLIa}fYP4lU}*uw@gGo4t5v27iR`O@MAwyFq8%w;vNMFt1G(wBrYGlM@r4)ff!p -z>8Mmh-L?^v&W!qOH^7S@tzEEwdy!EuK#bBM?x4Wr`(bkkOsAP+#8TbjTL5J_=bS5) -za6olnR}(Db?FG0|ejvnzj -zP}Lz{>_d&8$(MkIB`z>!MW@mnuqJ@W?8->i@)3)j#DPAOs8q=yg6rJ-m=-Lk7xDaXe*1RV@>aTN~)U7 -zHjL@_ge{0Jt7~qq;qj^Jlbr=df11{|CuI2Wr$kBFUM=%p0lc|48g~wmO -zlQm6cm$_s_2>(DlA9cyxg6bmmW)&QR$peuE=vJIf2HTu-u#@{ -znFBj?5I#2g`5TG`?>T^VI($%BFj|uIDfc;L5->4jxZu(nSAc33NNkgSR!9J}GSx4y -z_4M@|c;BpN-D}R->!q&&aVy|TU2Cb!tnn_pGykac3R{dXLJEv0NPZVx+TTgAeJQji@`)5{g< -zcJZ=w(L#L{pjXv2RjibOnkQN957ydC_9_$?NmM?Po^Q&34Z7W?1h2;S>~cDOEpIB3e3RmaS@`juU%CSke_Xs}bPG03Hd`AnWDQe0 -zDzTI!DRp&=;Lw}C)$l@}&C%0-vB~aHYq5NMeTEzqqd+JdVj_`U-$+46eP9-nM7?zc -z5Pgt-^k?oplhg%4^}fJ8S>3v%<7ynPniiv_Z|t!~Z%up1%zf`A$#gTl -z|Itn@fJi}H(elXg%0X;2+!%;)-lR)s0rXj$+}J!$F5z3_l55m6b2_*fC-NqxNFTql -zdv*Y;FP;Z6UFji4Uh@uDeNWtoP&b(ZdpU59uCOvye<+Qgi5uA#^8lnW?w_X5a(Zcq -zqur4>A_O|0nJ|NBvfV)Jmkk!X>5(vIem$?G-`>87E-&XqHpVEiV;~i$OoPodAQ$zu -zHfA}RyWpW+OJ@WK!YX*SO<(GZEW~rTpl2eq>|IbuqzzqN8t!)~kBi0rn7;jaAq#?4)^yQTe=NH@6SxT7)@@3!xd(1))7AABX12%e -zGo=U4kgSi_sg=#zEko}S``7Td_RokC%@eQ1Z`cc&&D0V7DMKQ8X_oz -Date: Tue, 4 Apr 2017 16:54:56 -0400 -Subject: [PATCH] Add the client_name() kdcpreauth callback - -Add a kdcpreauth callback to returns the canonicalized client principal. 
-
-ticket: 8570 (new)
-(cherry picked from commit a84f39ec30f3deeda7836da6e8b3d8dcf7a045b1)
----
- src/include/krb5/kdcpreauth_plugin.h | 6 ++++++
- src/kdc/kdc_preauth.c | 9 ++++++++-
- 2 files changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
-index 92aa5a5a5..fa4436b83 100644
---- a/src/include/krb5/kdcpreauth_plugin.h
-+++ b/src/include/krb5/kdcpreauth_plugin.h
-@@ -232,6 +232,12 @@ typedef struct krb5_kdcpreauth_callbacks_st {
- krb5_kdcpreauth_rock rock,
- krb5_principal princ);
-
-+ /*
-+ * Get an alias to the client DB entry principal (possibly canonicalized).
-+ */
-+ krb5_principal (*client_name)(krb5_context context,
-+ krb5_kdcpreauth_rock rock);
-+
- /* End of version 4 kdcpreauth callbacks. */
-
- } *krb5_kdcpreauth_callbacks;
-diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
-index 0ce79c667..81d0b8cff 100644
---- a/src/kdc/kdc_preauth.c
-+++ b/src/kdc/kdc_preauth.c
-@@ -591,6 +591,12 @@ match_client(krb5_context context, krb5_kdcpreauth_rock rock,
- return match;
- }
-
-+static krb5_principal
-+client_name(krb5_context context, krb5_kdcpreauth_rock rock)
-+{
-+ return rock->client->princ;
-+}
-+
- static struct krb5_kdcpreauth_callbacks_st callbacks = {
- 4,
- max_time_skew,
-@@ -607,7 +613,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
- add_auth_indicator,
- get_cookie,
- set_cookie,
-- match_client
-+ match_client,
-+ client_name
- };
-
- static krb5_error_code
diff --git a/Add-timestamp-helper-functions.patch b/Add-timestamp-helper-functions.patch
deleted file mode 100644
index 54e7f59..0000000
--- a/Add-timestamp-helper-functions.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 9b50a75e97cbe9cc8c0a4e37158b56b58e966f25 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Sat, 22 Apr 2017 09:49:12 -0400
-Subject: [PATCH] Add timestamp helper functions
-
-Add k5-int.h helper functions to manipulate krb5_timestamp values,
-avoiding undefined behavior and treating negative timestamp values as
-times between 2038 and 2106. Add a doxygen comment for krb5_timestamp
-indicating how third-party code should use it safely.
-
-ticket: 8352
-(cherry picked from commit 58e9155060cd93b1a7557e37fbc9b077b76465c2)
----
- src/include/k5-int.h | 31 +++++++++++++++++++++++++++++++
- src/include/krb5/krb5.hin | 9 +++++++++
- 2 files changed, 40 insertions(+)
-
-diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index 06ca2b66d..82ee20760 100644
---- a/src/include/k5-int.h
-+++ b/src/include/k5-int.h
-@@ -2353,6 +2353,37 @@ k5memdup0(const void *in, size_t len, krb5_error_code *code)
- return ptr;
- }
-
-+/* Convert a krb5_timestamp to a time_t value, treating the negative range of
-+ * krb5_timestamp as times between 2038 and 2106 (if time_t is 64-bit). */
-+static inline time_t
-+ts2tt(krb5_timestamp timestamp)
-+{
-+ return (time_t)(uint32_t)timestamp;
-+}
-+
-+/* Return the delta between two timestamps (a - b) as a signed 32-bit value,
-+ * without relying on undefined behavior. */
-+static inline krb5_deltat
-+ts_delta(krb5_timestamp a, krb5_timestamp b)
-+{
-+ return (krb5_deltat)((uint32_t)a - (uint32_t)b);
-+}
-+
-+/* Increment a timestamp by a signed 32-bit interval, without relying on
-+ * undefined behavior. */
-+static inline krb5_timestamp
-+ts_incr(krb5_timestamp ts, krb5_deltat delta)
-+{
-+ return (krb5_timestamp)((uint32_t)ts + (uint32_t)delta);
-+}
-+
-+/* Return true if a comes after b. */
-+static inline krb5_boolean
-+ts_after(krb5_timestamp a, krb5_timestamp b)
-+{
-+ return (uint32_t)a > (uint32_t)b;
-+}
-+
- krb5_error_code KRB5_CALLCONV
- krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
- krb5_ccache ccache,
-diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index cf60d6c41..53ad85384 100644
---- a/src/include/krb5/krb5.hin
-+++ b/src/include/krb5/krb5.hin
-@@ -187,7 +187,16 @@ typedef krb5_int32 krb5_cryptotype;
-
- typedef krb5_int32 krb5_preauthtype; /* This may change, later on */
- typedef krb5_int32 krb5_flags;
-+
-+/**
-+ * Represents a timestamp in seconds since the POSIX epoch. This legacy type
-+ * is used frequently in the ABI, but cannot represent timestamps after 2038 as
-+ * a positive number. Code which uses this type should cast values of it to
-+ * uint32_t so that negative values are treated as timestamps between 2038 and
-+ * 2106 on platforms with 64-bit time_t.
-+ */
- typedef krb5_int32 krb5_timestamp;
-+
- typedef krb5_int32 krb5_deltat;
-
- /**
diff --git a/Add-timestamp-tests.patch b/Add-timestamp-tests.patch
deleted file mode 100644
index ac64115..0000000
--- a/Add-timestamp-tests.patch
+++ /dev/null
@@ -1,599 +0,0 @@ -From 3a06f6a3cfad62da6dd8878d3446003f8293c3ae Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Sat, 29 Apr 2017 17:30:36 -0400 -Subject: [PATCH] Add timestamp tests - -Add a test program for krb5int_validate_times() covering cases before -and across the y2038 boundary. Add a GSSAPI test program to exercise -lifetime queries, and tests using it in t_gssapi.py for ticket end -times after y2038. Add a new test script t_y2038.py which only runs -on platforms with 64-bit time_t to exercise end-user operations across -and after y2038. Add an LDAP test case to test storage of post-y2038 -timestamps. - -ticket: 8352 -(cherry picked from commit 8ca62e54e89e2fbd6a089e8ab20b4e374a486003) -[rharwood@redhat.com: prune gitignore] ---- - src/Makefile.in | 1 + - src/config/pre.in | 2 + - src/configure.in | 3 + - src/lib/krb5/krb/Makefile.in | 14 ++-- - src/lib/krb5/krb/t_valid_times.c | 109 ++++++++++++++++++++++++++++++ - src/tests/Makefile.in | 1 + - src/tests/gssapi/Makefile.in | 27 ++++---- - src/tests/gssapi/t_gssapi.py | 32 +++++++++ - src/tests/gssapi/t_lifetime.c | 140 +++++++++++++++++++++++++++++++++++++++ - src/tests/t_kdb.py | 7 ++ - src/tests/t_y2038.py | 75 +++++++++++++++++++++ - 11 files changed, 395 insertions(+), 16 deletions(-) - create mode 100644 src/lib/krb5/krb/t_valid_times.c - create mode 100644 src/tests/gssapi/t_lifetime.c - create mode 100644 src/tests/t_y2038.py - -diff --git a/src/Makefile.in b/src/Makefile.in -index b0249778c..ad8565056 100644 ---- a/src/Makefile.in -+++ b/src/Makefile.in -@@ -521,6 +521,7 @@ pyrunenv.vals: Makefile - done > $@ - echo "tls_impl = '$(TLS_IMPL)'" >> $@ - echo "have_sasl = '$(HAVE_SASL)'" >> $@ -+ echo "sizeof_time_t = $(SIZEOF_TIME_T)" >> $@ - - runenv.py: pyrunenv.vals - echo 'env = {}' > $@ -diff --git a/src/config/pre.in b/src/config/pre.in -index d961b5621..f23c07d9d 100644 ---- a/src/config/pre.in -+++ b/src/config/pre.in -@@ -452,6 +452,8 @@ HAVE_SASL = @HAVE_SASL@ - # Whether we have 
libresolv 1.1.5 for URI discovery tests - HAVE_RESOLV_WRAPPER = @HAVE_RESOLV_WRAPPER@ - -+SIZEOF_TIME_T = @SIZEOF_TIME_T@ -+ - # error table rules - # - ### /* these are invoked as $(...) foo.et, which works, but could be better */ -diff --git a/src/configure.in b/src/configure.in -index 24f653f0d..4ae2c07d5 100644 ---- a/src/configure.in -+++ b/src/configure.in -@@ -744,6 +744,9 @@ fi - - AC_HEADER_TIME - AC_CHECK_TYPE(time_t, long) -+AC_CHECK_SIZEOF(time_t) -+SIZEOF_TIME_T=$ac_cv_sizeof_time_t -+AC_SUBST(SIZEOF_TIME_T) - - # Determine where to put the replay cache. - -diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in -index 0fe02a95d..55f82b147 100644 ---- a/src/lib/krb5/krb/Makefile.in -+++ b/src/lib/krb5/krb/Makefile.in -@@ -364,6 +364,7 @@ SRCS= $(srcdir)/addr_comp.c \ - $(srcdir)/t_in_ccache.c \ - $(srcdir)/t_response_items.c \ - $(srcdir)/t_sname_match.c \ -+ $(srcdir)/t_valid_times.c \ - $(srcdir)/t_vfy_increds.c - - # Someday, when we have a "maintainer mode", do this right: -@@ -457,9 +458,12 @@ t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS) - t_sname_match: t_sname_match.o sname_match.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_sname_match.o sname_match.o $(KRB5_BASE_LIBS) - -+t_valid_times: t_valid_times.o valid_times.o $(KRB5_BASE_DEPLIBS) -+ $(CC_LINK) -o $@ t_valid_times.o valid_times.o $(KRB5_BASE_LIBS) -+ - TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \ -- t_in_ccache t_cc_config t_copy_context \ -- t_princ t_etypes t_vfy_increds t_response_items t_sname_match -+ t_in_ccache t_cc_config t_copy_context t_princ t_etypes t_vfy_increds \ -+ t_response_items t_sname_match t_valid_times - - check-unix: $(TEST_PROGS) - $(RUN_TEST_LOCAL_CONF) ./t_kerb \ -@@ -496,6 +500,7 @@ check-unix: $(TEST_PROGS) - $(RUN_TEST) ./t_response_items - $(RUN_TEST) ./t_copy_context - $(RUN_TEST) ./t_sname_match -+ $(RUN_TEST) ./t_valid_times - - check-pytests: t_expire_warn t_vfy_increds - 
$(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS) -@@ -522,8 +527,9 @@ clean: - $(OUTPRE)t_ad_fx_armor$(EXEEXT) $(OUTPRE)t_ad_fx_armor.$(OBJEXT) \ - $(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \ - $(OUTPRE)t_response_items$(EXEEXT) \ -- $(OUTPRE)t_response_items.$(OBJEXT) $(OUTPRE)t_sname_match$(EXEEXT) \ -- $(OUTPRE)t_sname_match.$(OBJEXT) \ -+ $(OUTPRE)t_response_items.$(OBJEXT) \ -+ $(OUTPRE)t_sname_match$(EXEEXT) $(OUTPRE)t_sname_match.$(OBJEXT) \ -+ $(OUTPRE)t_valid_times$(EXEEXT) $(OUTPRE)t_valid_times.$(OBJECT) \ - $(OUTPRE)t_parse_host_string$(EXEEXT) \ - $(OUTPRE)t_parse_host_string.$(OBJEXT) - -diff --git a/src/lib/krb5/krb/t_valid_times.c b/src/lib/krb5/krb/t_valid_times.c -new file mode 100644 -index 000000000..1b469ffc2 ---- /dev/null -+++ b/src/lib/krb5/krb/t_valid_times.c -@@ -0,0 +1,109 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -+/* lib/krb5/krb/t_valid_times.c - test program for krb5int_validate_times() */ -+/* -+ * Copyright (C) 2017 by the Massachusetts Institute of Technology. -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE -+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "k5-int.h" -+#include "int-proto.h" -+ -+#define BOUNDARY (uint32_t)INT32_MIN -+ -+int -+main() -+{ -+ krb5_error_code ret; -+ krb5_context context; -+ krb5_ticket_times times = { 0, 0, 0, 0 }; -+ -+ ret = krb5_init_context(&context); -+ assert(!ret); -+ -+ /* Current time is within authtime and end time. */ -+ ret = krb5_set_debugging_time(context, 1000, 0); -+ times.authtime = 500; -+ times.endtime = 1500; -+ ret = krb5int_validate_times(context, ×); -+ assert(!ret); -+ -+ /* Current time is before starttime, but within clock skew. */ -+ times.starttime = 1100; -+ ret = krb5int_validate_times(context, ×); -+ assert(!ret); -+ -+ /* Current time is before starttime by more than clock skew. */ -+ times.starttime = 1400; -+ ret = krb5int_validate_times(context, ×); -+ assert(ret == KRB5KRB_AP_ERR_TKT_NYV); -+ -+ /* Current time is after end time, but within clock skew. */ -+ times.starttime = 500; -+ times.endtime = 800; -+ ret = krb5int_validate_times(context, ×); -+ assert(!ret); -+ -+ /* Current time is after end time by more than clock skew. */ -+ times.endtime = 600; -+ ret = krb5int_validate_times(context, ×); -+ assert(ret == KRB5KRB_AP_ERR_TKT_EXPIRED); -+ -+ /* Current time is within starttime and endtime; current time and -+ * endtime are across y2038 boundary. 
*/ -+ ret = krb5_set_debugging_time(context, BOUNDARY - 100, 0); -+ assert(!ret); -+ times.starttime = BOUNDARY - 200; -+ times.endtime = BOUNDARY + 500; -+ ret = krb5int_validate_times(context, ×); -+ assert(!ret); -+ -+ /* Current time is before starttime, but by less than clock skew. */ -+ times.starttime = BOUNDARY + 100; -+ ret = krb5int_validate_times(context, ×); -+ assert(!ret); -+ -+ /* Current time is before starttime by more than clock skew. */ -+ times.starttime = BOUNDARY + 250; -+ ret = krb5int_validate_times(context, ×); -+ assert(ret == KRB5KRB_AP_ERR_TKT_NYV); -+ -+ /* Current time is after endtime, but by less than clock skew. */ -+ ret = krb5_set_debugging_time(context, BOUNDARY + 100, 0); -+ assert(!ret); -+ times.starttime = BOUNDARY - 1000; -+ times.endtime = BOUNDARY - 100; -+ ret = krb5int_validate_times(context, ×); -+ assert(!ret); -+ -+ /* Current time is after endtime by more than clock skew. */ -+ times.endtime = BOUNDARY - 300; -+ ret = krb5int_validate_times(context, ×); -+ assert(ret == KRB5KRB_AP_ERR_TKT_EXPIRED); -+ -+ return 0; -+} -diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in -index 0e93d6b59..2b3112537 100644 ---- a/src/tests/Makefile.in -+++ b/src/tests/Makefile.in -@@ -168,6 +168,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter - $(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS) -+ $(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS) - - clean: - $(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest -diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in -index 6c1464297..604f926de 100644 ---- a/src/tests/gssapi/Makefile.in -+++ b/src/tests/gssapi/Makefile.in -@@ -15,15 +15,16 @@ SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \ - $(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \ - $(srcdir)/t_invalid.c 
$(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \ - $(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \ -- $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c $(srcdir)/t_pcontok.c \ -- $(srcdir)/t_prf.c $(srcdir)/t_s4u.c $(srcdir)/t_s4u2proxy_krb5.c \ -- $(srcdir)/t_saslname.c $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c -+ $(srcdir)/t_lifetime.c $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c \ -+ $(srcdir)/t_pcontok.c $(srcdir)/t_prf.c $(srcdir)/t_s4u.c \ -+ $(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \ -+ $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c - - OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_ccselect.o t_ciflags.o \ - t_credstore.o t_enctypes.o t_err.o t_export_cred.o t_export_name.o \ - t_gssexts.o t_imp_cred.o t_imp_name.o t_invalid.o t_inq_cred.o \ -- t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_namingexts.o t_oid.o \ -- t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \ -+ t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_lifetime.o t_namingexts.o \ -+ t_oid.o t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \ - t_spnego.o t_srcattrs.o - - COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) -@@ -31,9 +32,9 @@ COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS) - - all: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore t_enctypes \ - t_err t_export_cred t_export_name t_gssexts t_imp_cred t_imp_name \ -- t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_namingexts \ -- t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego \ -- t_srcattrs -+ t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime \ -+ t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname \ -+ t_spnego t_srcattrs - - check-unix: t_oid - $(RUN_TEST) ./t_invalid -@@ -42,8 +43,8 @@ check-unix: t_oid - - check-pytests: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore \ - t_enctypes t_err t_export_cred t_export_name t_imp_cred t_inq_cred \ -- t_inq_ctx t_inq_mechs_name t_iov t_pcontok t_s4u t_s4u2proxy_krb5 \ -- t_spnego 
t_srcattrs -+ t_inq_ctx t_inq_mechs_name t_iov t_lifetime t_pcontok t_s4u \ -+ t_s4u2proxy_krb5 t_spnego t_srcattrs - $(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS) -@@ -88,6 +89,8 @@ t_inq_mechs_name: t_inq_mechs_name.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_inq_mechs_name.o $(COMMON_LIBS) - t_iov: t_iov.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_iov.o $(COMMON_LIBS) -+t_lifetime: t_lifetime.o $(COMMON_DEPS) -+ $(CC_LINK) -o $@ t_lifetime.o $(COMMON_LIBS) - t_namingexts: t_namingexts.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_namingexts.o $(COMMON_LIBS) - t_pcontok: t_pcontok.o $(COMMON_DEPS) -@@ -111,5 +114,5 @@ clean: - $(RM) ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore - $(RM) t_enctypes t_err t_export_cred t_export_name t_gssexts t_imp_cred - $(RM) t_imp_name t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov -- $(RM) t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 -- $(RM) t_saslname t_spnego t_srcattrs -+ $(RM) t_lifetime t_namingexts t_oid t_pcontok t_prf t_s4u -+ $(RM) t_s4u2proxy_krb5 t_saslname t_spnego t_srcattrs -diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py -index 397e58962..98c8df25c 100755 ---- a/src/tests/gssapi/t_gssapi.py -+++ b/src/tests/gssapi/t_gssapi.py -@@ -185,4 +185,36 @@ realm.run(['./t_ciflags', 'p:' + realm.host_princ]) - # contexts. - realm.run(['./t_inq_ctx', 'user', password('user'), 'p:%s' % realm.host_princ]) - -+# Test lifetime results, using a realm with a large maximum lifetime -+# so that we can test ticket end dates after y2038. There are no -+# time_t conversions involved, so we can run these tests on platforms -+# with 32-bit time_t. -+realm.stop() -+conf = {'realms': {'$realm': {'max_life': '9000d'}}} -+realm = K5Realm(kdc_conf=conf, get_creds=False) -+ -+# Check a lifetime string result against an expected number value (or None). 
-+# Allow some variance due to time elapsed during the tests. -+def check_lifetime(msg, val, expected): -+ if expected is None and val != 'indefinite': -+ fail('%s: expected indefinite, got %s' % (msg, val)) -+ if expected is not None and val == 'indefinite': -+ fail('%s: expected %d, got indefinite' % (msg, expected)) -+ if expected is not None and abs(int(val) - expected) > 100: -+ fail('%s: expected %d, got %s' % (msg, expected, val)) -+ -+realm.kinit(realm.user_princ, password('user'), flags=['-l', '8500d']) -+out = realm.run(['./t_lifetime', 'p:' + realm.host_princ, str(8000 * 86400)]) -+ln = out.split('\n') -+check_lifetime('icred gss_acquire_cred', ln[0], 8500 * 86400) -+check_lifetime('icred gss_inquire_cred', ln[1], 8500 * 86400) -+check_lifetime('acred gss_acquire_cred', ln[2], None) -+check_lifetime('acred gss_inquire_cred', ln[3], None) -+check_lifetime('ictx gss_init_sec_context', ln[4], 8000 * 86400) -+check_lifetime('ictx gss_inquire_context', ln[5], 8000 * 86400) -+check_lifetime('ictx gss_context_time', ln[6], 8000 * 86400) -+check_lifetime('actx gss_accept_sec_context', ln[7], 8000 * 86400 + 300) -+check_lifetime('actx gss_inquire_context', ln[8], 8000 * 86400 + 300) -+check_lifetime('actx gss_context_time', ln[9], 8000 * 86400 + 300) -+ - success('GSSAPI tests') -diff --git a/src/tests/gssapi/t_lifetime.c b/src/tests/gssapi/t_lifetime.c -new file mode 100644 -index 000000000..8dcf18621 ---- /dev/null -+++ b/src/tests/gssapi/t_lifetime.c -@@ -0,0 +1,140 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -+/* tests/gssapi/t_lifetime.c - display cred and context lifetimes */ -+/* -+ * Copyright (C) 2017 by the Massachusetts Institute of Technology. -+ * All rights reserved. 
-+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include -+#include -+#include -+#include "common.h" -+ -+/* -+ * Using the default credential, exercise the GSS functions which accept or -+ * produce lifetimes. 
Display the following results, one per line, as ASCII -+ * integers or the string "indefinite": -+ * -+ * initiator cred lifetime according to gss_acquire_cred() -+ * initiator cred lifetime according to gss_inquire_cred() -+ * acceptor cred lifetime according to gss_acquire_cred() -+ * acceptor cred lifetime according to gss_inquire_cred() -+ * initiator context lifetime according to gss_init_sec_context() -+ * initiator context lifetime according to gss_inquire_context() -+ * initiator context lifetime according to gss_context_time() -+ * acceptor context lifetime according to gss_init_sec_context() -+ * acceptor context lifetime according to gss_inquire_context() -+ * acceptor context lifetime according to gss_context_time() -+ */ -+ -+static void -+display_time(OM_uint32 tval) -+{ -+ if (tval == GSS_C_INDEFINITE) -+ puts("indefinite"); -+ else -+ printf("%u\n", (unsigned int)tval); -+} -+ -+int -+main(int argc, char *argv[]) -+{ -+ OM_uint32 minor, major; -+ gss_cred_id_t icred, acred; -+ gss_name_t tname; -+ gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT; -+ gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok = GSS_C_EMPTY_BUFFER; -+ OM_uint32 time_req = GSS_C_INDEFINITE, time_rec; -+ -+ if (argc < 2 || argc > 3) { -+ fprintf(stderr, "Usage: %s targetname [time_req]\n", argv[0]); -+ return 1; -+ } -+ tname = import_name(argv[1]); -+ if (argc >= 3) -+ time_req = atoll(argv[2]); -+ -+ /* Get initiator cred and display its lifetime according to -+ * gss_acquire_cred and gss_inquire_cred. 
*/ -+ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5, -+ GSS_C_INITIATE, &icred, NULL, &time_rec); -+ check_gsserr("gss_acquire_cred(initiate)", major, minor); -+ display_time(time_rec); -+ major = gss_inquire_cred(&minor, icred, NULL, &time_rec, NULL, NULL); -+ check_gsserr("gss_inquire_cred(initiate)", major, minor); -+ display_time(time_rec); -+ -+ /* Get acceptor cred and display its lifetime according to gss_acquire_cred -+ * and gss_inquire_cred. */ -+ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5, -+ GSS_C_ACCEPT, &acred, NULL, &time_rec); -+ check_gsserr("gss_acquire_cred(accept)", major, minor); -+ display_time(time_rec); -+ major = gss_inquire_cred(&minor, acred, NULL, &time_rec, NULL, NULL); -+ check_gsserr("gss_inquire_cred(accept)", major, minor); -+ display_time(time_rec); -+ -+ /* Make an initiator context and display its lifetime according to -+ * gss_init_sec_context, gss_inquire_context, and gss_context_time. */ -+ major = gss_init_sec_context(&minor, icred, &ictx, tname, &mech_krb5, 0, -+ time_req, GSS_C_NO_CHANNEL_BINDINGS, &atok, -+ NULL, &itok, NULL, &time_rec); -+ check_gsserr("gss_init_sec_context", major, minor); -+ assert(major == GSS_S_COMPLETE); -+ display_time(time_rec); -+ major = gss_inquire_context(&minor, ictx, NULL, NULL, &time_rec, NULL, -+ NULL, NULL, NULL); -+ check_gsserr("gss_inquire_context(initiate)", major, minor); -+ display_time(time_rec); -+ major = gss_context_time(&minor, ictx, &time_rec); -+ check_gsserr("gss_context_time(initiate)", major, minor); -+ display_time(time_rec); -+ -+ major = gss_accept_sec_context(&minor, &actx, acred, &itok, -+ GSS_C_NO_CHANNEL_BINDINGS, NULL, -+ NULL, &atok, NULL, &time_rec, NULL); -+ check_gsserr("gss_accept_sec_context", major, minor); -+ assert(major == GSS_S_COMPLETE); -+ display_time(time_rec); -+ major = gss_inquire_context(&minor, actx, NULL, NULL, &time_rec, NULL, -+ NULL, NULL, NULL); -+ 
check_gsserr("gss_inquire_context(accept)", major, minor); -+ display_time(time_rec); -+ major = gss_context_time(&minor, actx, &time_rec); -+ check_gsserr("gss_context_time(accept)", major, minor); -+ display_time(time_rec); -+ -+ (void)gss_release_buffer(&minor, &itok); -+ (void)gss_release_buffer(&minor, &atok); -+ (void)gss_release_name(&minor, &tname); -+ (void)gss_release_cred(&minor, &icred); -+ (void)gss_release_cred(&minor, &acred); -+ (void)gss_delete_sec_context(&minor, &ictx, NULL); -+ (void)gss_delete_sec_context(&minor, &actx, NULL); -+ return 0; -+} -diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py -index 44635b089..ffc043709 100755 ---- a/src/tests/t_kdb.py -+++ b/src/tests/t_kdb.py -@@ -414,6 +414,13 @@ realm.run([kadminl, 'addprinc', '-policy', 'keepoldpasspol', '-pw', 'aaaa', - for p in ('bbbb', 'cccc', 'aaaa'): - realm.run([kadminl, 'cpw', '-keepold', '-pw', p, 'keepoldpassprinc']) - -+if runenv.sizeof_time_t <= 4: -+ skipped('y2038 LDAP test', 'platform has 32-bit time_t') -+else: -+ # Test storage of timestamps after y2038. -+ realm.run([kadminl, 'modprinc', '-pwexpire', '2040-02-03', 'user']) -+ realm.run([kadminl, 'getprinc', 'user'], expected_msg=' 2040\n') -+ - realm.stop() - - # Briefly test dump and load. -diff --git a/src/tests/t_y2038.py b/src/tests/t_y2038.py -new file mode 100644 -index 000000000..02e946df4 ---- /dev/null -+++ b/src/tests/t_y2038.py -@@ -0,0 +1,75 @@ -+#!/usr/bin/python -+from k5test import * -+ -+# These tests will become much less important after the y2038 boundary -+# has elapsed, and may start exhibiting problems around the year 2075. -+ -+if runenv.sizeof_time_t <= 4: -+ skip_rest('y2038 timestamp tests', 'platform has 32-bit time_t') -+ -+# Start a KDC running roughly 21 years in the future, after the y2038 -+# boundary. Set long maximum lifetimes for later tests. 
-+conf = {'realms': {'$realm': {'max_life': '9000d', -+ 'max_renewable_life': '9000d'}}} -+realm = K5Realm(start_kdc=False, kdc_conf=conf) -+realm.start_kdc(['-T', '662256000']) -+ -+# kinit without preauth should succeed with clock skew correction, but -+# will result in an expired ticket, because we sent an absolute end -+# time and didn't get a chance to correct it.. -+realm.kinit(realm.user_princ, password('user')) -+realm.run([kvno, realm.host_princ], expected_code=1, -+ expected_msg='Ticket expired') -+ -+# kinit with preauth should succeed and result in a valid ticket, as -+# we get a chance to correct the end time based on the KDC time. Try -+# with encrypted timestamp and encrypted challenge. -+realm.run([kadminl, 'modprinc', '+requires_preauth', 'user']) -+realm.kinit(realm.user_princ, password('user')) -+realm.run([kvno, realm.host_princ]) -+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache]) -+realm.run([kvno, realm.host_princ]) -+ -+# Test that expiration warning works after y2038, by setting a -+# password expiration time ten minutes after the KDC time. -+realm.run([kadminl, 'modprinc', '-pwexpire', '662256600 seconds', 'user']) -+out = realm.kinit(realm.user_princ, password('user')) -+if 'will expire in less than one hour' not in out: -+ fail('password expiration message') -+year = int(out.split()[-1]) -+if year < 2038 or year > 9999: -+ fail('password expiration year') -+ -+realm.stop_kdc() -+realm.start_kdc() -+realm.start_kadmind() -+realm.prep_kadmin() -+ -+# Test getdate parsing of absolute timestamps after 2038 and -+# marshalling over the kadmin protocol. The local time zone will -+# affect the display time by a little bit, so just look for the year. 
-+realm.run_kadmin(['modprinc', '-pwexpire', '2040-02-03', realm.host_princ]) -+realm.run_kadmin(['getprinc', realm.host_princ], expected_msg=' 2040\n') -+ -+# Get a ticket whose lifetime crosses the y2038 boundary and -+# range-check the expiration year as reported by klist. -+realm.kinit(realm.user_princ, password('user'), -+ flags=['-l', '8000d', '-r', '8500d']) -+realm.run([kvno, realm.host_princ]) -+out = realm.run([klist]) -+if int(out.split('\n')[4].split()[2].split('/')[2]) < 39: -+ fail('unexpected tgt expiration year') -+if int(out.split('\n')[5].split()[2].split('/')[2]) < 40: -+ fail('unexpected tgt rtill year') -+if int(out.split('\n')[6].split()[2].split('/')[2]) < 39: -+ fail('unexpected service ticket expiration year') -+if int(out.split('\n')[7].split()[2].split('/')[2]) < 40: -+ fail('unexpected service ticket rtill year') -+realm.kinit(realm.user_princ, None, ['-R']) -+out = realm.run([klist]) -+if int(out.split('\n')[4].split()[2].split('/')[2]) < 39: -+ fail('unexpected renewed tgt expiration year') -+if int(out.split('\n')[5].split()[2].split('/')[2]) < 40: -+ fail('unexpected renewed tgt rtill year') -+ -+success('y2038 tests') diff --git a/Add-y2038-documentation.patch b/Add-y2038-documentation.patch deleted file mode 100644 index 693a1fb..0000000 --- a/Add-y2038-documentation.patch +++ /dev/null 
@@ -1,59 +0,0 @@
-From 69ca5ff168f24792924b3cab0a9f27ada3eb4c4b Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Thu, 4 May 2017 17:03:35 -0400
-Subject: [PATCH] Add y2038 documentation
-
-ticket: 8352
-(cherry picked from commit 85d64c43dbf7a7faa56a1999494cdfa49e8bd2c9)
----
- doc/appdev/index.rst | 1 +
- doc/appdev/y2038.rst | 28 ++++++++++++++++++++++++++++
- 2 files changed, 29 insertions(+)
- create mode 100644 doc/appdev/y2038.rst
-
-diff --git a/doc/appdev/index.rst b/doc/appdev/index.rst
-index 3d62045ca..961bb1e9e 100644
----- a/doc/appdev/index.rst
-+++ b/doc/appdev/index.rst
-@@ -5,6 +5,7 @@ For application developers
- :maxdepth: 1
-
- gssapi.rst
-+ y2038.rst
- h5l_mit_apidiff.rst
- init_creds.rst
- princ_handle.rst
-diff --git a/doc/appdev/y2038.rst b/doc/appdev/y2038.rst
-new file mode 100644
-index 000000000..bc4122dad
----- /dev/null
-+++ b/doc/appdev/y2038.rst
-@@ -0,0 +1,28 @@
-+Year 2038 considerations for uses of krb5_timestamp
-+===================================================
-+
-+POSIX time values, which measure the number of seconds since January 1
-+1970, will exceed the maximum value representable in a signed 32-bit
-+integer in January 2038. This documentation describes considerations
-+for consumers of the MIT krb5 libraries.
-+
-+Applications or libraries which use libkrb5 and consume the timestamps
-+included in credentials or other structures make use of the
-+:c:type:`krb5_timestamp` type. For historical reasons, krb5_timestamp
-+is a signed 32-bit integer, even on platforms where a larger type is
-+natively used to represent time values. To behave properly for time
-+values after January 2038, calling code should cast krb5_timestamp
-+values to uint32_t, and then to time_t::
-+
-+ (time_t)(uint32_t)timestamp
-+
-+Used in this way, krb5_timestamp values can represent time values up
-+until February 2106, provided that the platform uses a 64-bit or
-+larger time_t type. This usage will also remain safe if a later
-+version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit
-+integer.
-+
-+The GSSAPI only uses representations of time intervals, not absolute
-+times. Callers of the GSSAPI should require no changes to behave
-+correctly after January 2038, provided that they use MIT krb5 release
-+1.16 or later.
diff --git a/Build-with-Werror-implicit-int-where-supported.patch b/Build-with-Werror-implicit-int-where-supported.patch
deleted file mode 100644
index 30e3ba8..0000000
--- a/Build-with-Werror-implicit-int-where-supported.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 5f2ea38f7ecd60184e510558bdb551d0153432e0 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Thu, 10 Nov 2016 13:20:49 -0500
-Subject: [PATCH] Build with -Werror-implicit-int where supported
-
-(cherry picked from commit 873d864230c9c64c65ff12a24199bac3adf3bc2f)
----
- src/aclocal.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index 2bfb99496..da1d6d8b4 100644
----- a/src/aclocal.m4
-+++ b/src/aclocal.m4
-@@ -529,7 +529,7 @@ if test "$GCC" = yes ; then
- TRY_WARN_CC_FLAG(-Wno-format-zero-length)
- # Other flags here may not be supported on some versions of
- # gcc that people want to use.
-- for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof error=uninitialized error=pointer-arith error=int-conversion error=incompatible-pointer-types error=discarded-qualifiers ; do
-+ for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof error=uninitialized error=pointer-arith error=int-conversion error=incompatible-pointer-types error=discarded-qualifiers error=implicit-int ; do
- TRY_WARN_CC_FLAG(-W$flag)
- done
- # old-style-definition? generates many, many warnings
diff --git a/Convert-some-pkiDebug-messages-to-TRACE-macros.patch b/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
deleted file mode 100644
index e9e27df..0000000
--- a/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
+++ /dev/null
@@ -1,422 +0,0 @@ -From 686fa6476eb759532d566794fa8d430774d44cf7 Mon Sep 17 00:00:00 2001 -From: Matt Rogers -Date: Wed, 29 Mar 2017 10:35:13 -0400 -Subject: [PATCH] Convert some pkiDebug messages to TRACE macros - -ticket: 8568 (new) -(cherry picked from commit 9852862a83952a94300adfafa3e333f43396ec33) ---- - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 46 ++++++--------- - src/plugins/preauth/pkinit/pkinit_identity.c | 3 - - src/plugins/preauth/pkinit/pkinit_matching.c | 1 + - src/plugins/preauth/pkinit/pkinit_srv.c | 24 ++++---- - src/plugins/preauth/pkinit/pkinit_trace.h | 68 +++++++++++++++++++++- - 5 files changed, 97 insertions(+), 45 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 90c30dbf5..70e230ec2 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -2320,7 +2320,6 @@ crypto_check_cert_eku(krb5_context context, - - X509_NAME_oneline(X509_get_subject_name(reqctx->received_cert), - buf, sizeof(buf)); -- pkiDebug("%s: looking for EKUs in cert = %s\n", __FUNCTION__, buf); - - if ((i = X509_get_ext_by_NID(reqctx->received_cert, - NID_ext_key_usage, -1)) >= 0) { -@@ -2354,7 +2353,6 @@ crypto_check_cert_eku(krb5_context context, - - if (found_eku) { - ASN1_BIT_STRING *usage = NULL; -- pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__); - - /* check that digitalSignature KeyUsage is present */ - X509_check_ca(reqctx->received_cert); -@@ -2363,12 +2361,10 @@ crypto_check_cert_eku(krb5_context context, - - if (!ku_reject(reqctx->received_cert, - X509v3_KU_DIGITAL_SIGNATURE)) { -- pkiDebug("%s: found digitalSignature KU\n", -- __FUNCTION__); -+ TRACE_PKINIT_EKU(context); - *valid_eku = 1; - } else -- pkiDebug("%s: didn't find digitalSignature KU\n", -- __FUNCTION__); -+ TRACE_PKINIT_EKU_NO_KU(context); - } - ASN1_BIT_STRING_free(usage); - } -@@ -4317,8 +4313,7 
@@ pkinit_get_certs_pkcs12(krb5_context context, - - fp = fopen(idopts->cert_filename, "rb"); - if (fp == NULL) { -- pkiDebug("Failed to open PKCS12 file '%s', error %d\n", -- idopts->cert_filename, errno); -+ TRACE_PKINIT_PKCS_OPEN_FAIL(context, idopts->cert_filename, errno); - goto cleanup; - } - set_cloexec_file(fp); -@@ -4326,8 +4321,7 @@ pkinit_get_certs_pkcs12(krb5_context context, - p12 = d2i_PKCS12_fp(fp, NULL); - fclose(fp); - if (p12 == NULL) { -- pkiDebug("Failed to decode PKCS12 file '%s' contents\n", -- idopts->cert_filename); -+ TRACE_PKINIT_PKCS_DECODE_FAIL(context, idopts->cert_filename); - goto cleanup; - } - /* -@@ -4345,7 +4339,7 @@ pkinit_get_certs_pkcs12(krb5_context context, - char *p12name = reassemble_pkcs12_name(idopts->cert_filename); - const char *tmp; - -- pkiDebug("Initial PKCS12_parse with no password failed\n"); -+ TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(context); - - if (id_cryptoctx->defer_id_prompt) { - /* Supply the identity name to be passed to the responder. 
*/ -@@ -4386,14 +4380,14 @@ pkinit_get_certs_pkcs12(krb5_context context, - NULL, NULL, 1, &kprompt); - k5int_set_prompt_types(context, 0); - if (r) { -- pkiDebug("Failed to prompt for PKCS12 password"); -+ TRACE_PKINIT_PKCS_PROMPT_FAIL(context); - goto cleanup; - } - } - - ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL); - if (ret == 0) { -- pkiDebug("Second PKCS12_parse with password failed\n"); -+ TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(context); - goto cleanup; - } - } -@@ -4516,8 +4510,7 @@ pkinit_get_certs_fs(krb5_context context, - } - - if (idopts->key_filename == NULL) { -- pkiDebug("%s: failed to get user's private key location\n", -- __FUNCTION__); -+ TRACE_PKINIT_NO_PRIVKEY(context); - goto cleanup; - } - -@@ -4545,8 +4538,7 @@ pkinit_get_certs_dir(krb5_context context, - char *dirname, *suf; - - if (idopts->cert_filename == NULL) { -- pkiDebug("%s: failed to get user's certificate directory location\n", -- __FUNCTION__); -+ TRACE_PKINIT_NO_CERT(context); - return ENOENT; - } - -@@ -4590,8 +4582,7 @@ pkinit_get_certs_dir(krb5_context context, - retval = pkinit_load_fs_cert_and_key(context, id_cryptoctx, - certname, keyname, i); - if (retval == 0) { -- pkiDebug("%s: Successfully loaded cert (and key) for %s\n", -- __FUNCTION__, dentry->d_name); -+ TRACE_PKINIT_LOADED_CERT(context, dentry->d_name); - i++; - } - else -@@ -4599,8 +4590,7 @@ pkinit_get_certs_dir(krb5_context context, - } - - if (!id_cryptoctx->defer_id_prompt && i == 0) { -- pkiDebug("%s: No cert/key pairs found in directory '%s'\n", -- __FUNCTION__, idopts->cert_filename); -+ TRACE_PKINIT_NO_CERT_AND_KEY(context, idopts->cert_filename); - retval = ENOENT; - goto cleanup; - } -@@ -5370,9 +5360,7 @@ crypto_cert_select_default(krb5_context context, - goto errout; - } - if (cert_count != 1) { -- pkiDebug("%s: ERROR: There are %d certs to choose from, " -- "but there must be exactly one.\n", -- __FUNCTION__, cert_count); -+ TRACE_PKINIT_NO_DEFAULT_CERT(context, cert_count); - retval = EINVAL; - 
goto errout; - } -@@ -5520,7 +5508,7 @@ load_cas_and_crls(krb5_context context, - switch(catype) { - case CATYPE_ANCHORS: - if (sk_X509_num(ca_certs) == 0) { -- pkiDebug("no anchors in file, %s\n", filename); -+ TRACE_PKINIT_NO_CA_ANCHOR(context, filename); - if (id_cryptoctx->trustedCAs == NULL) - sk_X509_free(ca_certs); - } else { -@@ -5530,7 +5518,7 @@ load_cas_and_crls(krb5_context context, - break; - case CATYPE_INTERMEDIATES: - if (sk_X509_num(ca_certs) == 0) { -- pkiDebug("no intermediates in file, %s\n", filename); -+ TRACE_PKINIT_NO_CA_INTERMEDIATE(context, filename); - if (id_cryptoctx->intermediateCAs == NULL) - sk_X509_free(ca_certs); - } else { -@@ -5540,7 +5528,7 @@ load_cas_and_crls(krb5_context context, - break; - case CATYPE_CRLS: - if (sk_X509_CRL_num(ca_crls) == 0) { -- pkiDebug("no crls in file, %s\n", filename); -+ TRACE_PKINIT_NO_CRL(context, filename); - if (id_cryptoctx->revoked == NULL) - sk_X509_CRL_free(ca_crls); - } else { -@@ -5626,14 +5614,14 @@ crypto_load_cas_and_crls(krb5_context context, - int catype, - char *id) - { -- pkiDebug("%s: called with idtype %s and catype %s\n", -- __FUNCTION__, idtype2string(idtype), catype2string(catype)); - switch (idtype) { - case IDTYPE_FILE: -+ TRACE_PKINIT_LOAD_FROM_FILE(context); - return load_cas_and_crls(context, plg_cryptoctx, req_cryptoctx, - id_cryptoctx, catype, id); - break; - case IDTYPE_DIR: -+ TRACE_PKINIT_LOAD_FROM_DIR(context); - return load_cas_and_crls_dir(context, plg_cryptoctx, req_cryptoctx, - id_cryptoctx, catype, id); - break; -diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c -index a897efa25..737552e85 100644 ---- a/src/plugins/preauth/pkinit/pkinit_identity.c -+++ b/src/plugins/preauth/pkinit/pkinit_identity.c -@@ -608,7 +608,6 @@ pkinit_identity_prompt(krb5_context context, - retval = pkinit_cert_matching(context, plg_cryptoctx, - req_cryptoctx, id_cryptoctx, princ); - if (retval) { -- pkiDebug("%s: No matching 
certificate found\n", __FUNCTION__); - crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, - id_cryptoctx); - goto errout; -@@ -621,8 +620,6 @@ pkinit_identity_prompt(krb5_context context, - retval = crypto_cert_select_default(context, plg_cryptoctx, - req_cryptoctx, id_cryptoctx); - if (retval) { -- pkiDebug("%s: Failed while selecting default certificate\n", -- __FUNCTION__); - crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, - id_cryptoctx); - goto errout; -diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c -index a50c50c8d..cad4c2b9a 100644 ---- a/src/plugins/preauth/pkinit/pkinit_matching.c -+++ b/src/plugins/preauth/pkinit/pkinit_matching.c -@@ -812,6 +812,7 @@ pkinit_cert_matching(krb5_context context, - goto cleanup; - } - } else { -+ TRACE_PKINIT_NO_MATCHING_CERT(context); - retval = ENOENT; /* XXX */ - goto cleanup; - } -diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c -index 32ca122f2..9c6e96c9e 100644 ---- a/src/plugins/preauth/pkinit/pkinit_srv.c -+++ b/src/plugins/preauth/pkinit/pkinit_srv.c -@@ -188,6 +188,7 @@ verify_client_san(krb5_context context, - plgctx->opts->allow_upn ? 
&upns : NULL, - NULL); - if (retval == ENOENT) { -+ TRACE_PKINIT_SERVER_NO_SAN(context); - goto out; - } else if (retval) { - pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__); -@@ -224,7 +225,7 @@ verify_client_san(krb5_context context, - krb5_free_unparsed_name(context, san_string); - #endif - if (cb->match_client(context, rock, princs[i])) { -- pkiDebug("%s: pkinit san match found\n", __FUNCTION__); -+ TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(context); - *valid_san = 1; - retval = 0; - goto out; -@@ -252,7 +253,7 @@ verify_client_san(krb5_context context, - krb5_free_unparsed_name(context, san_string); - #endif - if (cb->match_client(context, rock, upns[i])) { -- pkiDebug("%s: upn san match found\n", __FUNCTION__); -+ TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(context); - *valid_san = 1; - retval = 0; - goto out; -@@ -300,7 +301,7 @@ verify_client_eku(krb5_context context, - *eku_accepted = 0; - - if (plgctx->opts->require_eku == 0) { -- pkiDebug("%s: configuration requests no EKU checking\n", __FUNCTION__); -+ TRACE_PKINIT_SERVER_EKU_SKIP(context); - *eku_accepted = 1; - retval = 0; - goto out; -@@ -364,6 +365,7 @@ authorize_cert(krb5_context context, certauth_handle *certauth_modules, - ret = KRB5_PLUGIN_NO_HANDLE; - for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) { - h = certauth_modules[i]; -+ TRACE_PKINIT_SERVER_CERT_AUTH(context, h->vt.name); - ret = h->vt.authorize(context, h->moddata, cert, cert_len, client, - &opts, db_ent, &ais); - if (ret == 0) -@@ -449,7 +451,7 @@ pkinit_server_verify_padata(krb5_context context, - - switch ((int)data->pa_type) { - case KRB5_PADATA_PK_AS_REQ: -- pkiDebug("processing KRB5_PADATA_PK_AS_REQ\n"); -+ TRACE_PKINIT_SERVER_PADATA_VERIFY(context); - retval = k5int_decode_krb5_pa_pk_as_req(&k5data, &reqp); - if (retval) { - pkiDebug("decode_krb5_pa_pk_as_req failed\n"); -@@ -472,7 +474,7 @@ pkinit_server_verify_padata(krb5_context context, - break; - case KRB5_PADATA_PK_AS_REP_OLD: - 
case KRB5_PADATA_PK_AS_REQ_OLD: -- pkiDebug("processing KRB5_PADATA_PK_AS_REQ_OLD\n"); -+ TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(context); - retval = k5int_decode_krb5_pa_pk_as_req_draft9(&k5data, &reqp9); - if (retval) { - pkiDebug("decode_krb5_pa_pk_as_req_draft9 failed\n"); -@@ -500,7 +502,7 @@ pkinit_server_verify_padata(krb5_context context, - goto cleanup; - } - if (retval) { -- pkiDebug("pkcs7_signeddata_verify failed\n"); -+ TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(context); - goto cleanup; - } - if (is_signed) { -@@ -830,7 +832,7 @@ pkinit_server_return_padata(krb5_context context, - return ENOENT; - } - -- pkiDebug("pkinit_return_padata: entered!\n"); -+ TRACE_PKINIT_SERVER_RETURN_PADATA(context); - reqctx = (pkinit_kdc_req_context)modreq; - - if (encrypting_key->contents) { -@@ -1463,8 +1465,7 @@ pkinit_san_authorize(krb5_context context, krb5_certauth_moddata moddata, - return ret; - - if (!valid_san) { -- pkiDebug("%s: did not find an acceptable SAN in user certificate\n", -- __FUNCTION__); -+ TRACE_PKINIT_SERVER_SAN_REJECT(context); - return KRB5KDC_ERR_CLIENT_NAME_MISMATCH; - } - -@@ -1490,8 +1491,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata, - return ret; - - if (!valid_eku) { -- pkiDebug("%s: did not find an acceptable EKU in user certificate\n", -- __FUNCTION__); -+ TRACE_PKINIT_SERVER_EKU_REJECT(context); - return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE; - } - -@@ -1617,7 +1617,7 @@ pkinit_server_plugin_init(krb5_context context, - return ENOMEM; - - for (i = 0, j = 0; i < numrealms; i++) { -- pkiDebug("%s: processing realm '%s'\n", __FUNCTION__, realmnames[i]); -+ TRACE_PKINIT_SERVER_INIT_REALM(context, realmnames[i]); - retval = pkinit_server_plugin_init_realm(context, realmnames[i], &plgctx); - if (retval == 0 && plgctx != NULL) - realm_contexts[j++] = plgctx; -diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h -index 458d0961e..6abe28c0c 100644 ---- 
a/src/plugins/preauth/pkinit/pkinit_trace.h -+++ b/src/plugins/preauth/pkinit/pkinit_trace.h -@@ -52,7 +52,7 @@ - #define TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(c, expected, received) \ - TRACE(c, "PKINIT client checksum mismatch: expected {cksum}, " \ - "received {cksum}", expected, received) --#define TRACE_PKINIT_CLIENT_REP_DH(c) \ -+#define TRACE_PKINIT_CLIENT_REP_DH(c) \ - TRACE(c, "PKINIT client verified DH reply") - #define TRACE_PKINIT_CLIENT_REP_DH_FAIL(c) \ - TRACE(c, "PKINIT client could not verify DH reply") -@@ -91,6 +91,72 @@ - #define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \ - TRACE(c, "PKINIT OpenSSL error: {str}", msg) - -+#define TRACE_PKINIT_SERVER_CERT_AUTH(c, modname) \ -+ TRACE(c, "PKINIT server authorizing cert with module {str}", \ -+ modname) -+#define TRACE_PKINIT_SERVER_EKU_REJECT(c) \ -+ TRACE(c, "PKINIT server found no acceptable EKU in client cert") -+#define TRACE_PKINIT_SERVER_EKU_SKIP(c) \ -+ TRACE(c, "PKINIT server skipping EKU check due to configuration") -+#define TRACE_PKINIT_SERVER_INIT_REALM(c, realm) \ -+ TRACE(c, "PKINIT server initializing realm {str}", realm) -+#define TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(c) \ -+ TRACE(c, "PKINIT server found a matching UPN SAN in client cert") -+#define TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(c) \ -+ TRACE(c, "PKINIT server found a matching SAN in client cert") -+#define TRACE_PKINIT_SERVER_NO_SAN(c) \ -+ TRACE(c, "PKINIT server found no SAN in client cert") -+#define TRACE_PKINIT_SERVER_PADATA_VERIFY(c) \ -+ TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ") -+#define TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(c) \ -+ TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ_OLD") -+#define TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(c) \ -+ TRACE(c, "PKINIT server failed to verify PA data") -+#define TRACE_PKINIT_SERVER_RETURN_PADATA(c) \ -+ TRACE(c, "PKINIT server returning PA data") -+#define TRACE_PKINIT_SERVER_SAN_REJECT(c) \ -+ TRACE(c, "PKINIT server found no acceptable SAN in client 
cert") -+ -+#define TRACE_PKINIT_EKU(c) \ -+ TRACE(c, "PKINIT found acceptable EKU and digitalSignature KU") -+#define TRACE_PKINIT_EKU_NO_KU(c) \ -+ TRACE(c, "PKINIT found acceptable EKU but no digitalSignature KU") -+#define TRACE_PKINIT_LOADED_CERT(c, name) \ -+ TRACE(c, "PKINIT loaded cert and key for {str}", name) -+#define TRACE_PKINIT_LOAD_FROM_FILE(c) \ -+ TRACE(c, "PKINIT loading CA certs and CRLs from FILE") -+#define TRACE_PKINIT_LOAD_FROM_DIR(c) \ -+ TRACE(c, "PKINIT loading CA certs and CRLs from DIR") -+#define TRACE_PKINIT_NO_CA_ANCHOR(c, file) \ -+ TRACE(c, "PKINIT no anchor CA in file {str}", file) -+#define TRACE_PKINIT_NO_CA_INTERMEDIATE(c, file) \ -+ TRACE(c, "PKINIT no intermediate CA in file {str}", file) -+#define TRACE_PKINIT_NO_CERT(c) \ -+ TRACE(c, "PKINIT no certificate provided") -+#define TRACE_PKINIT_NO_CERT_AND_KEY(c, dirname) \ -+ TRACE(c, "PKINIT no cert and key pair found in directory {str}", \ -+ dirname) -+#define TRACE_PKINIT_NO_CRL(c, file) \ -+ TRACE(c, "PKINIT no CRL in file {str}", file) -+#define TRACE_PKINIT_NO_DEFAULT_CERT(c, count) \ -+ TRACE(c, "PKINIT error: There are {int} certs, but there must " \ -+ "be exactly one.", count) -+#define TRACE_PKINIT_NO_MATCHING_CERT(c) \ -+ TRACE(c, "PKINIT no matching certificate found") -+#define TRACE_PKINIT_NO_PRIVKEY(c) \ -+ TRACE(c, "PKINIT no private key provided") -+#define TRACE_PKINIT_PKCS_DECODE_FAIL(c, name) \ -+ TRACE(c, "PKINIT failed to decode PKCS12 file {str} contents", name) -+#define TRACE_PKINIT_PKCS_OPEN_FAIL(c, name, err) \ -+ TRACE(c, "PKINIT failed to open PKCS12 file {str}: err {errno}", \ -+ name, err) -+#define TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(c) \ -+ TRACE(c, "PKINIT initial PKCS12_parse with no password failed") -+#define TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(c) \ -+ TRACE(c, "PKINIT second PKCS12_parse with password failed") -+#define TRACE_PKINIT_PKCS_PROMPT_FAIL(c) \ -+ TRACE(c, "PKINIT failed to prompt for PKCS12 password") -+ - #define 
TRACE_CERTAUTH_VTINIT_FAIL(c, ret) \ - TRACE(c, "certauth module failed to init vtable: {kerr}", ret) - #define TRACE_CERTAUTH_INIT_FAIL(c, name, ret) \ diff --git a/Correct-error-handling-bug-in-prior-commit.patch b/Correct-error-handling-bug-in-prior-commit.patch deleted file mode 100644 index 6878e8c..0000000 --- a/Correct-error-handling-bug-in-prior-commit.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 08d995aaf48e75c174525ae0b47e12c3170b3f5f Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 23 Mar 2017 13:42:55 -0400 -Subject: [PATCH] Correct error handling bug in prior commit - -In crypto_encode_der_cert(), if the second i2d_X509() invocation -fails, make sure to free the allocated pointer and not the -possibly-modified alias. - -ticket: 8561 -(cherry picked from commit 7fdaef7c3280c86b5df25ae061fb04cc56d8620c) ---- - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index a5b010b26..90c30dbf5 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -6196,10 +6196,10 @@ crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx, - if (len <= 0) - return EINVAL; - p = der = malloc(len); -- if (p == NULL) -+ if (der == NULL) - return ENOMEM; - if (i2d_X509(reqctx->received_cert, &p) <= 0) { -- free(p); -+ free(der); - return EINVAL; - } - *der_out = der; diff --git a/Deindent-crypto_retrieve_X509_sans.patch b/Deindent-crypto_retrieve_X509_sans.patch deleted file mode 100644 index 9262e7d..0000000 --- a/Deindent-crypto_retrieve_X509_sans.patch +++ /dev/null 
@@ -1,263 +0,0 @@ -From d5462c96c9918ffa7d3f05de310c5aed34181941 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Wed, 4 Jan 2017 11:33:57 -0500 -Subject: [PATCH] Deindent crypto_retrieve_X509_sans() - -Fix some long lines in crypto_retrieve_X509_sans() by returning early -if X509_get_ext_by_NID() returns a negative result. Also ensure that -return parameters are always initialized. - -(cherry picked from commit c6b772523db9d7791ee1c56eb512c4626556a4e7) ---- - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 224 +++++++++++---------- - 1 file changed, 114 insertions(+), 110 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index bc6e7662e..8def8c542 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -2101,11 +2101,21 @@ crypto_retrieve_X509_sans(krb5_context context, - { - krb5_error_code retval = EINVAL; - char buf[DN_BUF_LEN]; -- int p = 0, u = 0, d = 0, l; -+ int p = 0, u = 0, d = 0, ret = 0, l; - krb5_principal *princs = NULL; - krb5_principal *upns = NULL; - unsigned char **dnss = NULL; -- unsigned int i, num_found = 0; -+ unsigned int i, num_found = 0, num_sans = 0; -+ X509_EXTENSION *ext = NULL; -+ GENERAL_NAMES *ialt = NULL; -+ GENERAL_NAME *gen = NULL; -+ -+ if (princs_ret != NULL) -+ *princs_ret = NULL; -+ if (upn_ret != NULL) -+ *upn_ret = NULL; -+ if (dns_ret != NULL) -+ *dns_ret = NULL; - - if (princs_ret == NULL && upn_ret == NULL && dns_ret == NULL) { - pkiDebug("%s: nowhere to return any values!\n", __FUNCTION__); -@@ -2121,118 +2131,112 @@ crypto_retrieve_X509_sans(krb5_context context, - buf, sizeof(buf)); - pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf); - -- if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) { -- X509_EXTENSION *ext = NULL; -- GENERAL_NAMES *ialt = NULL; -- GENERAL_NAME *gen = NULL; -- int ret = 0; -- unsigned int num_sans = 0; 
-+ l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1); -+ if (l < 0) -+ return 0; - -- if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) { -- pkiDebug("%s: found no subject alt name extensions\n", -- __FUNCTION__); -+ if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) { -+ pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__); -+ goto cleanup; -+ } -+ num_sans = sk_GENERAL_NAME_num(ialt); -+ -+ pkiDebug("%s: found %d subject alt name extension(s)\n", __FUNCTION__, -+ num_sans); -+ -+ /* OK, we're likely returning something. Allocate return values */ -+ if (princs_ret != NULL) { -+ princs = calloc(num_sans + 1, sizeof(krb5_principal)); -+ if (princs == NULL) { -+ retval = ENOMEM; - goto cleanup; - } -- num_sans = sk_GENERAL_NAME_num(ialt); -- -- pkiDebug("%s: found %d subject alt name extension(s)\n", -- __FUNCTION__, num_sans); -- -- /* OK, we're likely returning something. Allocate return values */ -- if (princs_ret != NULL) { -- princs = calloc(num_sans + 1, sizeof(krb5_principal)); -- if (princs == NULL) { -- retval = ENOMEM; -- goto cleanup; -- } -- } -- if (upn_ret != NULL) { -- upns = calloc(num_sans + 1, sizeof(krb5_principal)); -- if (upns == NULL) { -- retval = ENOMEM; -- goto cleanup; -- } -- } -- if (dns_ret != NULL) { -- dnss = calloc(num_sans + 1, sizeof(*dnss)); -- if (dnss == NULL) { -- retval = ENOMEM; -- goto cleanup; -- } -- } -- -- for (i = 0; i < num_sans; i++) { -- krb5_data name = { 0, 0, NULL }; -- -- gen = sk_GENERAL_NAME_value(ialt, i); -- switch (gen->type) { -- case GEN_OTHERNAME: -- name.length = gen->d.otherName->value->value.sequence->length; -- name.data = (char *)gen->d.otherName->value->value.sequence->data; -- if (princs != NULL -- && OBJ_cmp(plgctx->id_pkinit_san, -- gen->d.otherName->type_id) == 0) { --#ifdef DEBUG_ASN1 -- print_buffer_bin((unsigned char *)name.data, name.length, -- "/tmp/pkinit_san"); --#endif -- ret = k5int_decode_krb5_principal_name(&name, &princs[p]); 
-- if (ret) { -- pkiDebug("%s: failed decoding pkinit san value\n", -- __FUNCTION__); -- } else { -- p++; -- num_found++; -- } -- } else if (upns != NULL -- && OBJ_cmp(plgctx->id_ms_san_upn, -- gen->d.otherName->type_id) == 0) { -- /* Prevent abuse of embedded null characters. */ -- if (memchr(name.data, '\0', name.length)) -- break; -- ret = krb5_parse_name_flags(context, name.data, -- KRB5_PRINCIPAL_PARSE_ENTERPRISE, -- &upns[u]); -- if (ret) { -- pkiDebug("%s: failed parsing ms-upn san value\n", -- __FUNCTION__); -- } else { -- u++; -- num_found++; -- } -- } else { -- pkiDebug("%s: unrecognized othername oid in SAN\n", -- __FUNCTION__); -- continue; -- } -- -- break; -- case GEN_DNS: -- if (dnss != NULL) { -- /* Prevent abuse of embedded null characters. */ -- if (memchr(gen->d.dNSName->data, '\0', -- gen->d.dNSName->length)) -- break; -- pkiDebug("%s: found dns name = %s\n", -- __FUNCTION__, gen->d.dNSName->data); -- dnss[d] = (unsigned char *) -- strdup((char *)gen->d.dNSName->data); -- if (dnss[d] == NULL) { -- pkiDebug("%s: failed to duplicate dns name\n", -- __FUNCTION__); -- } else { -- d++; -- num_found++; -- } -- } -- break; -- default: -- pkiDebug("%s: SAN type = %d expecting %d\n", -- __FUNCTION__, gen->type, GEN_OTHERNAME); -- } -- } -- sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free); - } -+ if (upn_ret != NULL) { -+ upns = calloc(num_sans + 1, sizeof(krb5_principal)); -+ if (upns == NULL) { -+ retval = ENOMEM; -+ goto cleanup; -+ } -+ } -+ if (dns_ret != NULL) { -+ dnss = calloc(num_sans + 1, sizeof(*dnss)); -+ if (dnss == NULL) { -+ retval = ENOMEM; -+ goto cleanup; -+ } -+ } -+ -+ for (i = 0; i < num_sans; i++) { -+ krb5_data name = { 0, 0, NULL }; -+ -+ gen = sk_GENERAL_NAME_value(ialt, i); -+ switch (gen->type) { -+ case GEN_OTHERNAME: -+ name.length = gen->d.otherName->value->value.sequence->length; -+ name.data = (char *)gen->d.otherName->value->value.sequence->data; -+ if (princs != NULL && -+ OBJ_cmp(plgctx->id_pkinit_san, -+ 
gen->d.otherName->type_id) == 0) { -+#ifdef DEBUG_ASN1 -+ print_buffer_bin((unsigned char *)name.data, name.length, -+ "/tmp/pkinit_san"); -+#endif -+ ret = k5int_decode_krb5_principal_name(&name, &princs[p]); -+ if (ret) { -+ pkiDebug("%s: failed decoding pkinit san value\n", -+ __FUNCTION__); -+ } else { -+ p++; -+ num_found++; -+ } -+ } else if (upns != NULL && -+ OBJ_cmp(plgctx->id_ms_san_upn, -+ gen->d.otherName->type_id) == 0) { -+ /* Prevent abuse of embedded null characters. */ -+ if (memchr(name.data, '\0', name.length)) -+ break; -+ ret = krb5_parse_name_flags(context, name.data, -+ KRB5_PRINCIPAL_PARSE_ENTERPRISE, -+ &upns[u]); -+ if (ret) { -+ pkiDebug("%s: failed parsing ms-upn san value\n", -+ __FUNCTION__); -+ } else { -+ u++; -+ num_found++; -+ } -+ } else { -+ pkiDebug("%s: unrecognized othername oid in SAN\n", -+ __FUNCTION__); -+ continue; -+ } -+ -+ break; -+ case GEN_DNS: -+ if (dnss != NULL) { -+ /* Prevent abuse of embedded null characters. */ -+ if (memchr(gen->d.dNSName->data, '\0', gen->d.dNSName->length)) -+ break; -+ pkiDebug("%s: found dns name = %s\n", __FUNCTION__, -+ gen->d.dNSName->data); -+ dnss[d] = (unsigned char *) -+ strdup((char *)gen->d.dNSName->data); -+ if (dnss[d] == NULL) { -+ pkiDebug("%s: failed to duplicate dns name\n", -+ __FUNCTION__); -+ } else { -+ d++; -+ num_found++; -+ } -+ } -+ break; -+ default: -+ pkiDebug("%s: SAN type = %d expecting %d\n", __FUNCTION__, -+ gen->type, GEN_OTHERNAME); -+ } -+ } -+ sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free); - - retval = 0; - if (princs) diff --git a/Fix-bugs-in-kdcpolicy-commit.patch b/Fix-bugs-in-kdcpolicy-commit.patch deleted file mode 100644 index c4c50a1..0000000 --- a/Fix-bugs-in-kdcpolicy-commit.patch +++ /dev/null 
@@ -1,130 +0,0 @@ -From c8c704cdaaa15a0908024f0917344048c0df5940 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Sat, 19 Aug 2017 19:09:24 -0400 -Subject: [PATCH] Fix bugs in kdcpolicy commit - -Commit d0969f6a8170344031ef58fd2a161190f1edfb96 added tests using -"klist ccachname -e", which does not work with a POSIX-conformant -getopt() implementation such as the one in Solaris. Fix -t_kdcpolicy.py to use "klist -e ccachename" instead. - -The tests could fail if the clock second rolled over between kinit and -kvno. Divide service ticket maximum lifetimes by 2 in the test module -to correctly exercise TGS policy restrictions and ensure that service -tickets are not constrained by the TGT end time. - -Also use the correct trace macro when a kdcpolicy module declines to -initialize (my mistake when revising the commit, noted by rharwood). - -ticket: 8606 -(cherry picked from commit 09acbd91efc6df54e1572285ffc94c6acb3a9113) ---- - src/kdc/policy.c | 2 +- - src/plugins/kdcpolicy/test/main.c | 10 +++++----- - src/tests/t_kdcpolicy.py | 13 +++++++++---- - 3 files changed, 15 insertions(+), 10 deletions(-) - -diff --git a/src/kdc/policy.c b/src/kdc/policy.c -index e49644e06..26c16f97c 100644 ---- a/src/kdc/policy.c -+++ b/src/kdc/policy.c -@@ -222,7 +222,7 @@ load_kdcpolicy_plugins(krb5_context context) - if (h->vt.init != NULL) { - ret = h->vt.init(context, &h->moddata); - if (ret == KRB5_PLUGIN_NO_HANDLE) { -- TRACE_KADM5_AUTH_INIT_SKIP(context, h->vt.name); -+ TRACE_KDCPOLICY_INIT_SKIP(context, h->vt.name); - free(h); - continue; - } -diff --git a/src/plugins/kdcpolicy/test/main.c b/src/plugins/kdcpolicy/test/main.c -index eb8fde053..86c808958 100644 ---- a/src/plugins/kdcpolicy/test/main.c -+++ b/src/plugins/kdcpolicy/test/main.c -@@ -35,7 +35,7 @@ - #include - - static krb5_error_code --output_from_indicator(const char *const *auth_indicators, -+output_from_indicator(const char *const *auth_indicators, int divisor, - krb5_deltat *lifetime_out, - krb5_deltat 
*renew_lifetime_out, - const char **status) -@@ -46,11 +46,11 @@ output_from_indicator(const char *const *auth_indicators, - } - - if (strcmp(auth_indicators[0], "ONE_HOUR") == 0) { -- *lifetime_out = 3600; -+ *lifetime_out = 3600 / divisor; - *renew_lifetime_out = *lifetime_out * 2; - return 0; - } else if (strcmp(auth_indicators[0], "SEVEN_HOURS") == 0) { -- *lifetime_out = 7 * 3600; -+ *lifetime_out = 7 * 3600 / divisor; - *renew_lifetime_out = *lifetime_out * 2; - return 0; - } -@@ -71,7 +71,7 @@ test_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata, - *status = "LOCAL_POLICY"; - return KRB5KDC_ERR_POLICY; - } -- return output_from_indicator(auth_indicators, lifetime_out, -+ return output_from_indicator(auth_indicators, 1, lifetime_out, - renew_lifetime_out, status); - } - -@@ -87,7 +87,7 @@ test_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata, - *status = "LOCAL_POLICY"; - return KRB5KDC_ERR_POLICY; - } -- return output_from_indicator(auth_indicators, lifetime_out, -+ return output_from_indicator(auth_indicators, 2, lifetime_out, - renew_lifetime_out, status); - } - -diff --git a/src/tests/t_kdcpolicy.py b/src/tests/t_kdcpolicy.py -index 6a745b959..b5d308461 100644 ---- a/src/tests/t_kdcpolicy.py -+++ b/src/tests/t_kdcpolicy.py -@@ -18,16 +18,21 @@ realm.run([kadminl, 'addprinc', '-pw', password('fail'), 'fail']) - def verify_time(out, target_time): - times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out) - times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times] -+ divisor = 1 - while len(times) > 0: - starttime = times.pop(0) - endtime = times.pop(0) - renewtime = times.pop(0) - -- if str(endtime - starttime) != target_time: -+ if str((endtime - starttime) * divisor) != target_time: - fail('unexpected lifetime value') -- if str(renewtime - endtime) != target_time: -+ if str((renewtime - endtime) * divisor) != target_time: - fail('unexpected renewable value') - -+ # Service tickets should have half the lifetime of 
initial -+ # tickets. -+ divisor = 2 -+ - rflags = ['-r', '1d', '-l', '12h'] - - # Test AS+TGS success path. -@@ -35,7 +40,7 @@ realm.kinit(realm.user_princ, password('user'), - rflags + ['-X', 'indicators=SEVEN_HOURS']) - realm.run([kvno, realm.host_princ]) - realm.run(['./adata', realm.host_princ], expected_msg='+97: [SEVEN_HOURS]') --out = realm.run([klist, realm.ccache, '-e']) -+out = realm.run([klist, '-e', realm.ccache]) - verify_time(out, '7:00:00') - - # Test AS+TGS success path with different values. -@@ -43,7 +48,7 @@ realm.kinit(realm.user_princ, password('user'), - rflags + ['-X', 'indicators=ONE_HOUR']) - realm.run([kvno, realm.host_princ]) - realm.run(['./adata', realm.host_princ], expected_msg='+97: [ONE_HOUR]') --out = realm.run([klist, realm.ccache, '-e']) -+out = realm.run([klist, '-e', realm.ccache]) - verify_time(out, '1:00:00') - - # Test TGS failure path (using previous creds). diff --git a/Fix-certauth-built-in-module-returns.patch b/Fix-certauth-built-in-module-returns.patch deleted file mode 100644 index 1c927d5..0000000 --- a/Fix-certauth-built-in-module-returns.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -From 0d93e336e2cb8319bfd3e0fa096e5ee8ea3bbbbf Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 24 Aug 2017 11:11:46 -0400 -Subject: [PATCH] Fix certauth built-in module returns - -The PKINIT certauth eku module should never authoritatively authorize -a certificate, because an extended key usage does not establish a -relationship between the certificate and any specific user; it only -establishes that the certificate was created for PKINIT client -authentication. Therefore, pkinit_eku_authorize() should return -KRB5_PLUGIN_NO_HANDLE on success, not 0. - -The certauth san module should pass if it does not find any SANs of -the types it can match against; the presence of other types of SANs -should not cause it to explicitly deny a certificate. Check for an -empty result from crypto_retrieve_cert_sans() in verify_client_san(), -instead of returning ENOENT from crypto_retrieve_cert_sans() when -there are no SANs at all. - -ticket: 8561 -(cherry picked from commit 07243f85a760fb37f0622d7ff0177db3f19ab025) ---- - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 39 ++++++++++------------ - src/plugins/preauth/pkinit/pkinit_srv.c | 14 +++++--- - 2 files changed, 27 insertions(+), 26 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 70e230ec2..7fa2efd21 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -2137,7 +2137,6 @@ crypto_retrieve_X509_sans(krb5_context context, - - if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) { - pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__); -- retval = ENOENT; - goto cleanup; - } - num_sans = sk_GENERAL_NAME_num(ialt); -@@ -2240,31 +2239,29 @@ crypto_retrieve_X509_sans(krb5_context context, - sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free); - - retval = 0; -- if (princs) -+ if (princs != NULL && *princs != 
NULL) { - *princs_ret = princs; -- if (upns) -+ princs = NULL; -+ } -+ if (upns != NULL && *upns != NULL) { - *upn_ret = upns; -- if (dnss) -+ upns = NULL; -+ } -+ if (dnss != NULL && *dnss != NULL) { - *dns_ret = dnss; -+ dnss = NULL; -+ } - - cleanup: -- if (retval) { -- if (princs != NULL) { -- for (i = 0; princs[i] != NULL; i++) -- krb5_free_principal(context, princs[i]); -- free(princs); -- } -- if (upns != NULL) { -- for (i = 0; upns[i] != NULL; i++) -- krb5_free_principal(context, upns[i]); -- free(upns); -- } -- if (dnss != NULL) { -- for (i = 0; dnss[i] != NULL; i++) -- free(dnss[i]); -- free(dnss); -- } -- } -+ for (i = 0; princs != NULL && princs[i] != NULL; i++) -+ krb5_free_principal(context, princs[i]); -+ free(princs); -+ for (i = 0; upns != NULL && upns[i] != NULL; i++) -+ krb5_free_principal(context, upns[i]); -+ free(upns); -+ for (i = 0; dnss != NULL && dnss[i] != NULL; i++) -+ free(dnss[i]); -+ free(dnss); - return retval; - } - -diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c -index 9c6e96c9e..8e77606f8 100644 ---- a/src/plugins/preauth/pkinit/pkinit_srv.c -+++ b/src/plugins/preauth/pkinit/pkinit_srv.c -@@ -187,14 +187,18 @@ verify_client_san(krb5_context context, - &princs, - plgctx->opts->allow_upn ? 
&upns : NULL, - NULL); -- if (retval == ENOENT) { -- TRACE_PKINIT_SERVER_NO_SAN(context); -- goto out; -- } else if (retval) { -+ if (retval) { - pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__); - retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH; - goto out; - } -+ -+ if (princs == NULL && upns == NULL) { -+ TRACE_PKINIT_SERVER_NO_SAN(context); -+ retval = ENOENT; -+ goto out; -+ } -+ - /* XXX Verify this is consistent with client side XXX */ - #if 0 - retval = call_san_checking_plugins(context, plgctx, reqctx, princs, -@@ -1495,7 +1499,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata, - return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE; - } - -- return 0; -+ return KRB5_PLUGIN_NO_HANDLE; - } - - static krb5_error_code diff --git a/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch b/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch deleted file mode 100644 index a8a53cf..0000000 --- a/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch +++ /dev/null 
@@ -1,58 +0,0 @@
-From e2d34698687c00504b83e1c0deb56dc6232bef42 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Mon, 24 Apr 2017 02:02:36 -0400
-Subject: [PATCH] Fix in_clock_skew() and use it in AS client code
-
-Add a context parameter to the in_clock_skew() macro so that it isn't
-implicitly relying on a local variable. Use it in
-get_in_tkt.c:verify_as_reply().
-
-(cherry picked from commit 28a07a6461bb443b7fa75cc5cb859ad0db4cbb5a)
----
- src/lib/krb5/krb/gc_via_tkt.c | 2 +-
- src/lib/krb5/krb/get_in_tkt.c | 4 ++--
- src/lib/krb5/krb/int-proto.h | 3 ++-
- 3 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
-index 4c0a1a461..c85d8b8d8 100644
---- a/src/lib/krb5/krb/gc_via_tkt.c
-+++ b/src/lib/krb5/krb/gc_via_tkt.c
-@@ -305,7 +305,7 @@ krb5int_process_tgs_reply(krb5_context context,
- goto cleanup;
-
- if (!in_cred->times.starttime &&
-- !in_clock_skew(dec_rep->enc_part2->times.starttime,
-+ !in_clock_skew(context, dec_rep->enc_part2->times.starttime,
- timestamp)) {
- retval = KRB5_KDCREP_SKEW;
- goto cleanup;
-diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
-index 54badbbc3..a058f5bd7 100644
---- a/src/lib/krb5/krb/get_in_tkt.c
-+++ b/src/lib/krb5/krb/get_in_tkt.c
-@@ -287,8 +287,8 @@ verify_as_reply(krb5_context context,
- return retval;
- } else {
- if ((request->from == 0) &&
-- (labs(as_reply->enc_part2->times.starttime - time_now)
-- > context->clockskew))
-+ !in_clock_skew(context, as_reply->enc_part2->times.starttime,
-+ time_now))
- return (KRB5_KDCREP_SKEW);
- }
- return 0;
-diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
-index 6da74858e..44eca359f 100644
---- a/src/lib/krb5/krb/int-proto.h
-+++ b/src/lib/krb5/krb/int-proto.h
-@@ -83,7 +83,8 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
- krb5_creds *in_creds, krb5_creds *mcreds,
- krb5_flags *fields);
-
--#define in_clock_skew(date, now)
(labs((date)-(now)) < context->clockskew)
-+#define in_clock_skew(context, date, now) \
-+ (labs((date) - (now)) < (context)->clockskew)
-
- #define IS_TGS_PRINC(p) ((p)->length == 2 && \
- data_eq_string((p)->data[0], KRB5_TGS_NAME))
diff --git a/Fix-more-time-manipulations-for-y2038.patch b/Fix-more-time-manipulations-for-y2038.patch
deleted file mode 100644
index a57a64c..0000000
--- a/Fix-more-time-manipulations-for-y2038.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 7b28a408650c58d0ea98fddab5034642af32fdaf Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Wed, 17 May 2017 14:52:09 -0400
-Subject: [PATCH] Fix more time manipulations for y2038
-
-Use timestamp helper functions to ensure that more operations are safe
-after y2038, and display the current timestamp as unsigned in
-krb5int_trace().
-
-ticket: 8352
-(cherry picked from commit a60db180211a383bd382afe729e9309acb8dcf53)
----
- src/kadmin/server/misc.c | 2 +-
- src/kdc/dispatch.c | 2 +-
- src/lib/krb5/os/c_ustime.c | 8 ++++----
- src/lib/krb5/os/trace.c | 2 +-
- 4 files changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
-index 27a6376af..a75b65a26 100644
---- a/src/kadmin/server/misc.c
-+++ b/src/kadmin/server/misc.c
-@@ -184,7 +184,7 @@ check_min_life(void *server_handle, krb5_principal principal,
- (void) kadm5_free_principal_ent(handle->lhandle, &princ);
- return (ret == KADM5_UNK_POLICY) ? 0 : ret;
- }
-- if((now - princ.last_pwd_change) < pol.pw_min_life &&
-+ if(ts_delta(now, princ.last_pwd_change) < pol.pw_min_life &&
- !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- if (msg_ret != NULL) {
- time_t until;
-diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
-index 3a169ebc7..16a35d2be 100644
---- a/src/kdc/dispatch.c
-+++ b/src/kdc/dispatch.c
-@@ -104,7 +104,7 @@ reseed_random(krb5_context kdc_err_context)
- if (last_os_random == 0)
- last_os_random = now;
- /* Grab random data from OS every hour*/
-- if (now-last_os_random >= 60 * 60) {
-+ if (ts_delta(now, last_os_random) >= 60 * 60) {
- krb5_c_random_os_entropy(kdc_err_context, 0, NULL);
- last_os_random = now;
- }
-diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
-index 871d72183..68fb381f4 100644
---- a/src/lib/krb5/os/c_ustime.c
-+++ b/src/lib/krb5/os/c_ustime.c
-@@ -102,17 +102,17 @@ krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds)
- putting now.sec in the past.
But don't just use '<' because we
- need to properly handle the case where the administrator intentionally
- adjusted time backwards. */
-- if ((now.sec == last_time.sec-1) ||
-- ((now.sec == last_time.sec) && (now.usec <= last_time.usec))) {
-+ if (now.sec == ts_incr(last_time.sec, -1) ||
-+ (now.sec == last_time.sec && !ts_after(last_time.usec, now.usec))) {
- /* Correct 'now' to be exactly one microsecond later than 'last_time'.
- Note that _because_ we perform this hack, 'now' may be _earlier_
- than 'last_time', even though the system time is monotonically
- increasing. */
-
- now.sec = last_time.sec;
-- now.usec = ++last_time.usec;
-+ now.usec = ts_incr(last_time.usec, 1);
- if (now.usec >= 1000000) {
-- ++now.sec;
-+ now.sec = ts_incr(now.sec, 1);
- now.usec = 0;
- }
- }
-diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
-index a19246128..74c315c90 100644
---- a/src/lib/krb5/os/trace.c
-+++ b/src/lib/krb5/os/trace.c
-@@ -350,7 +350,7 @@ krb5int_trace(krb5_context context, const char *fmt, ...)
- goto cleanup;
- if (krb5_crypto_us_timeofday(&sec, &usec) != 0)
- goto cleanup;
-- if (asprintf(&msg, "[%d] %d.%d: %s\n", (int) getpid(), (int) sec,
-+ if (asprintf(&msg, "[%d] %u.%d: %s\n", (int) getpid(), (unsigned int) sec,
- (int) usec, str) < 0)
- goto cleanup;
- info.message = msg;
diff --git a/Improve-PKINIT-UPN-SAN-matching.patch b/Improve-PKINIT-UPN-SAN-matching.patch
deleted file mode 100644
index 26b27f1..0000000
--- a/Improve-PKINIT-UPN-SAN-matching.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From 03265620488b84238c31170356b5f41c80f0e9d9 Mon Sep 17 00:00:00 2001
-From: Matt Rogers
-Date: Mon, 5 Dec 2016 12:17:59 -0500
-Subject: [PATCH] Improve PKINIT UPN SAN matching
-
-Add the match_client() kdcpreauth callback and use it in
-verify_client_san(). match_client() preserves the direct UPN to
-request principal comparison and adds a direct comparison to the
-client principal, falling back to an alias DB search and comparison
-against the client principal. Change crypto_retreive_X509_sans() to
-parse UPN values as enterprise principals.
-
-[ghudson@mit.edu: use match_client for both kinds of SANs]
-
-ticket: 8528 (new)
-(cherry picked from commit 46ff765e1fb8cbec2bb602b43311269e695dbedc)
----
- src/include/krb5/kdcpreauth_plugin.h | 13 ++++++++++
- src/kdc/kdc_preauth.c | 28 ++++++++++++++++++++--
- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 +++-
- src/plugins/preauth/pkinit/pkinit_srv.c | 10 ++++----
- 4 files changed, 48 insertions(+), 7 deletions(-)
-
-diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
-index f455effae..92aa5a5a5 100644
---- a/src/include/krb5/kdcpreauth_plugin.h
-+++ b/src/include/krb5/kdcpreauth_plugin.h
-@@ -221,6 +221,19 @@ typedef struct krb5_kdcpreauth_callbacks_st {
-
- /* End of version 3 kdcpreauth callbacks. */
-
-+ /*
-+ * Return true if princ matches the principal named in the request or the
-+ * client principal (possibly canonicalized). If princ does not match,
-+ * attempt a database lookup of princ with aliases allowed and compare the
-+ * result to the client principal, returning true if it matches.
-+ * Otherwise, return false.
-+ */
-+ krb5_boolean (*match_client)(krb5_context context,
-+ krb5_kdcpreauth_rock rock,
-+ krb5_principal princ);
-+
-+ /* End of version 4 kdcpreauth callbacks. */
-+
- } *krb5_kdcpreauth_callbacks;
-
- /* Optional: preauth plugin initialization function.
*/
-diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
-index 605fcb7ad..0ce79c667 100644
---- a/src/kdc/kdc_preauth.c
-+++ b/src/kdc/kdc_preauth.c
-@@ -568,8 +568,31 @@ set_cookie(krb5_context context, krb5_kdcpreauth_rock rock,
- return kdc_fast_set_cookie(rock->rstate, pa_type, data);
- }
-
-+static krb5_boolean
-+match_client(krb5_context context, krb5_kdcpreauth_rock rock,
-+ krb5_principal princ)
-+{
-+ krb5_db_entry *ent;
-+ krb5_boolean match = FALSE;
-+ krb5_principal req_client = rock->request->client;
-+ krb5_principal client = rock->client->princ;
-+
-+ /* Check for a direct match against the request principal or
-+ * the post-canon client principal. */
-+ if (krb5_principal_compare_flags(context, princ, req_client,
-+ KRB5_PRINCIPAL_COMPARE_ENTERPRISE) ||
-+ krb5_principal_compare(context, princ, client))
-+ return TRUE;
-+
-+ if (krb5_db_get_principal(context, princ, KRB5_KDB_FLAG_ALIAS_OK, &ent))
-+ return FALSE;
-+ match = krb5_principal_compare(context, ent->princ, client);
-+ krb5_db_free_principal(context, ent);
-+ return match;
-+}
-+
- static struct krb5_kdcpreauth_callbacks_st callbacks = {
-- 3,
-+ 4,
- max_time_skew,
- client_keys,
- free_keys,
-@@ -583,7 +606,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
- client_keyblock,
- add_auth_indicator,
- get_cookie,
-- set_cookie
-+ set_cookie,
-+ match_client
- };
-
- static krb5_error_code
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 74fffbf32..bc6e7662e 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -2190,7 +2190,9 @@ crypto_retrieve_X509_sans(krb5_context context,
- /* Prevent abuse of embedded null characters.
*/
- if (memchr(name.data, '\0', name.length))
- break;
-- ret = krb5_parse_name(context, name.data, &upns[u]);
-+ ret = krb5_parse_name_flags(context, name.data,
-+ KRB5_PRINCIPAL_PARSE_ENTERPRISE,
-+ &upns[u]);
- if (ret) {
- pkiDebug("%s: failed parsing ms-upn san value\n",
- __FUNCTION__);
-diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
-index 295be25e1..b5638a367 100644
---- a/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -121,6 +121,8 @@ static krb5_error_code
- verify_client_san(krb5_context context,
- pkinit_kdc_context plgctx,
- pkinit_kdc_req_context reqctx,
-+ krb5_kdcpreauth_callbacks cb,
-+ krb5_kdcpreauth_rock rock,
- krb5_principal client,
- int *valid_san)
- {
-@@ -171,7 +173,7 @@ verify_client_san(krb5_context context,
- __FUNCTION__, client_string, san_string);
- krb5_free_unparsed_name(context, san_string);
- #endif
-- if (krb5_principal_compare(context, princs[i], client)) {
-+ if (cb->match_client(context, rock, princs[i])) {
- pkiDebug("%s: pkinit san match found\n", __FUNCTION__);
- *valid_san = 1;
- retval = 0;
-@@ -199,7 +201,7 @@ verify_client_san(krb5_context context,
- __FUNCTION__, client_string, san_string);
- krb5_free_unparsed_name(context, san_string);
- #endif
-- if (krb5_principal_compare(context, upns[i], client)) {
-+ if (cb->match_client(context, rock, upns[i])) {
- pkiDebug("%s: upn san match found\n", __FUNCTION__);
- *valid_san = 1;
- retval = 0;
-@@ -387,8 +389,8 @@ pkinit_server_verify_padata(krb5_context context,
- }
- if (is_signed) {
-
-- retval = verify_client_san(context, plgctx, reqctx, request->client,
-- &valid_san);
-+ retval = verify_client_san(context, plgctx, reqctx, cb, rock,
-+ request->client, &valid_san);
- if (retval)
- goto cleanup;
- if (!valid_san) {
diff --git a/Make-timestamp-manipulations-y2038-safe.patch b/Make-timestamp-manipulations-y2038-safe.patch
deleted file mode 100644
index 26bff26..0000000
--- a/Make-timestamp-manipulations-y2038-safe.patch
+++ /dev/null
@@ -1,1844 +0,0 @@
-From ac30f4753f157dafe93df2941a216fde591fcb69 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Sat, 22 Apr 2017 12:52:17 -0400
-Subject: [PATCH] Make timestamp manipulations y2038-safe
-
-Wherever we manipulate krb5_timestamp values using arithmetic,
-comparison operations, or conversion to time_t, use the new helper
-functions in k5-int.h to ensure that the operations work after y2038
-and do not exhibit undefined behavior. (Relying on
-implementation-defined conversion to signed values is okay as we test
-that in configure.in.)
-
-In printf format strings, use %u instead of signed types. When
-exporting creds with k5_json_array_fmt(), use a long long so that
-timestamps after y2038 aren't marshalled as negative numbers. When
-parsing timestamps in test programs, use atoll() instead of atol() so
-that positive timestamps after y2038 can be used as input.
-
-In ksu and klist, make printtime() take a krb5_timestamp parameter to
-avoid an unnecessary conversion to time_t and back.
-
-As Leash does not use k5-int.h, use time_t values internally and
-safely convert from libkrb5 timestamp values.
-
-ticket: 8352
-(cherry picked from commit a9cbbf0899f270fbb14f63ffbed1b6d542333641)
----
- src/clients/kinit/kinit.c | 2 +-
- src/clients/klist/klist.c | 20 ++++-------
- src/clients/ksu/ccache.c | 20 +++--------
- src/clients/ksu/ksu.h | 2 +-
- src/kadmin/cli/getdate.y | 2 +-
- src/kadmin/cli/kadmin.c | 5 ++-
- src/kadmin/dbutil/dump.c | 27 ++++++++-------
- src/kadmin/dbutil/kdb5_mkey.c | 6 ++--
- src/kadmin/dbutil/tabdump.c | 2 +-
- src/kadmin/testing/util/tcl_kadm5.c | 12 +++----
- src/kdc/do_as_req.c | 2 +-
- src/kdc/do_tgs_req.c | 6 ++--
- src/kdc/extern.c | 4 ++-
- src/kdc/fast_util.c | 4 +--
- src/kdc/kdc_log.c | 14 ++++----
- src/kdc/kdc_util.c | 20 +++++------
- src/kdc/kdc_util.h | 2 ++
- src/kdc/replay.c | 2 +-
- src/kdc/tgs_policy.c | 7 ++--
- src/lib/gssapi/krb5/accept_sec_context.c | 8 +++--
- src/lib/gssapi/krb5/acquire_cred.c | 13 ++++---
- src/lib/gssapi/krb5/context_time.c | 2 +-
- src/lib/gssapi/krb5/export_cred.c | 5 +--
- src/lib/gssapi/krb5/iakerb.c | 4 +--
- src/lib/gssapi/krb5/init_sec_context.c | 9 ++---
- src/lib/gssapi/krb5/inq_context.c | 2 +-
- src/lib/gssapi/krb5/inq_cred.c | 5 +--
- src/lib/gssapi/krb5/s4u_gss_glue.c | 2 +-
- src/lib/kadm5/chpass_util.c | 8 ++---
- src/lib/kadm5/srv/server_acl.c | 5 +--
- src/lib/kadm5/srv/svr_principal.c | 12 +++----
- src/lib/kdb/kdb5.c | 2 +-
- src/lib/krb5/asn.1/asn1_k_encode.c | 3 +-
- src/lib/krb5/ccache/cc_keyring.c | 14 ++++----
- src/lib/krb5/ccache/cc_memory.c | 4 +--
- src/lib/krb5/ccache/cc_retr.c | 4 +--
- src/lib/krb5/ccache/ccapi/stdcc_util.c | 40 +++++++++++-----------
- src/lib/krb5/ccache/cccursor.c | 2 +-
- src/lib/krb5/keytab/kt_file.c | 6 ++--
- src/lib/krb5/krb/gc_via_tkt.c | 7 ++--
- src/lib/krb5/krb/get_creds.c | 2 +-
- src/lib/krb5/krb/get_in_tkt.c | 38 ++++++--------------
- src/lib/krb5/krb/gic_pwd.c | 4 +--
- src/lib/krb5/krb/int-proto.h | 2 +-
- src/lib/krb5/krb/pac.c | 2 +-
- src/lib/krb5/krb/str_conv.c | 4 +--
- src/lib/krb5/krb/t_kerb.c | 12 ++-----
-
src/lib/krb5/krb/valid_times.c | 4 +--
- src/lib/krb5/krb/vfy_increds.c | 2 +-
- src/lib/krb5/os/timeofday.c | 2 +-
- src/lib/krb5/os/toffset.c | 2 +-
- src/lib/krb5/os/ustime.c | 6 ++--
- src/lib/krb5/rcache/rc_dfl.c | 3 +-
- src/lib/krb5/rcache/t_replay.c | 8 ++---
- src/plugins/kdb/db2/lockout.c | 8 ++---
- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 2 +-
- src/plugins/kdb/ldap/libkdb_ldap/lockout.c | 8 ++---
- src/windows/cns/tktlist.c | 10 +++---
- src/windows/include/leashwin.h | 12 +++----
- src/windows/leash/KrbListTickets.cpp | 12 +++----
- src/windows/leash/LeashView.cpp | 22 ++++++------
- src/windows/leashdll/lshfunc.c | 2 +-
- src/windows/ms2mit/ms2mit.c | 2 +-
- 63 files changed, 230 insertions(+), 255 deletions(-)
-
-diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
-index f1cd1b73d..50065e32e 100644
---- a/src/clients/kinit/kinit.c
-+++ b/src/clients/kinit/kinit.c
-@@ -318,7 +318,7 @@ parse_options(argc, argv, opts)
- fprintf(stderr, _("Bad start time value %s\n"), optarg);
- errflg++;
- } else {
-- opts->starttime = abs_starttime - time(0);
-+ opts->starttime = ts_delta(abs_starttime, time(NULL));
- }
- }
- break;
-diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
-index ba19788a2..ffeecc394 100644
---- a/src/clients/klist/klist.c
-+++ b/src/clients/klist/klist.c
-@@ -72,7 +72,7 @@ void do_ccache_name (char *);
- int show_ccache (krb5_ccache);
- int check_ccache (krb5_ccache);
- void do_keytab (char *);
--void printtime (time_t);
-+void printtime (krb5_timestamp);
- void one_addr (krb5_address *);
- void fillit (FILE *, unsigned int, int);
-
-@@ -538,10 +538,10 @@ check_ccache(krb5_ccache cache)
- while (!(ret = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) {
- if (is_local_tgt(creds.server, &princ->realm)) {
- found_tgt = TRUE;
-- if (creds.times.endtime > now)
-+ if (ts_after(creds.times.endtime, now))
- found_current_tgt = TRUE;
- } else if (!krb5_is_config_principal(kcontext, creds.server) &&
--
creds.times.endtime > now) {
-+ ts_after(creds.times.endtime, now)) {
- found_current_cred = TRUE;
- }
- krb5_free_cred_contents(kcontext, &creds);
-@@ -623,19 +623,13 @@ flags_string(cred)
- }
-
- void
--printtime(tv)
-- time_t tv;
-+printtime(krb5_timestamp ts)
- {
-- char timestring[BUFSIZ];
-- char fill;
-+ char timestring[BUFSIZ], fill = ' ';
-
-- fill = ' ';
-- if (!krb5_timestamp_to_sfstring((krb5_timestamp) tv,
-- timestring,
-- timestamp_width+1,
-- &fill)) {
-+ if (!krb5_timestamp_to_sfstring(ts, timestring, timestamp_width + 1,
-+ &fill))
- printf("%s", timestring);
-- }
- }
-
- static void
-diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
-index a0736f2da..236313b7b 100644
---- a/src/clients/ksu/ccache.c
-+++ b/src/clients/ksu/ccache.c
-@@ -278,11 +278,11 @@ krb5_error_code krb5_check_exp(context, tkt_time)
- context->clockskew);
-
- fprintf(stderr,"krb5_check_exp: currenttime - endtime %d \n",
-- (currenttime - tkt_time.endtime ));
-+ ts_delta(currenttime, tkt_time.endtime));
-
- }
-
-- if (currenttime - tkt_time.endtime > context->clockskew){
-+ if (ts_delta(currenttime, tkt_time.endtime) > context->clockskew) {
- retval = KRB5KRB_AP_ERR_TKT_EXPIRED ;
- return retval;
- }
-@@ -323,21 +323,11 @@ char *flags_string(cred)
- return(buf);
- }
-
--void printtime(tv)
-- time_t tv;
-+void printtime(krb5_timestamp ts)
- {
-- char fmtbuf[18];
-- char fill;
-- krb5_timestamp tstamp;
-+ char fmtbuf[18], fill = ' ';
-
-- /* XXXX ASSUMES sizeof(krb5_timestamp) >= sizeof(time_t) */
-- (void) localtime((time_t *)&tv);
-- tstamp = tv;
-- fill = ' ';
-- if (!krb5_timestamp_to_sfstring(tstamp,
-- fmtbuf,
-- sizeof(fmtbuf),
-- &fill))
-+ if (!krb5_timestamp_to_sfstring(ts, fmtbuf, sizeof(fmtbuf), &fill))
- printf("%s", fmtbuf);
- }
-
-diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
-index ee8e9d6a0..3bf0bd438 100644
---- a/src/clients/ksu/ksu.h
-+++ b/src/clients/ksu/ksu.h
-@@ -150,7 +150,7 @@ extern krb5_boolean krb5_find_princ_in_cred_list
-
extern krb5_error_code krb5_find_princ_in_cache
- (krb5_context, krb5_ccache, krb5_principal, krb5_boolean *);
-
--extern void printtime (time_t);
-+extern void printtime (krb5_timestamp);
-
- /* authorization.c */
- extern krb5_boolean fowner (FILE *, uid_t);
-diff --git a/src/kadmin/cli/getdate.y b/src/kadmin/cli/getdate.y
-index 4f0c56f7e..0a19c5648 100644
---- a/src/kadmin/cli/getdate.y
-+++ b/src/kadmin/cli/getdate.y
-@@ -118,7 +118,7 @@ static int getdate_yyerror (char *);
-
-
- #define EPOCH 1970
--#define EPOCH_END 2038 /* assumes 32 bits */
-+#define EPOCH_END 2106 /* assumes unsigned 32-bit range */
- #define HOUR(x) ((time_t)(x) * 60)
- #define SECSPERDAY (24L * 60L * 60L)
-
-diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
-index c53c677a8..aee5c83b9 100644
---- a/src/kadmin/cli/kadmin.c
-+++ b/src/kadmin/cli/kadmin.c
-@@ -31,8 +31,7 @@
- * library */
-
- /* for "_" macro */
--#include "k5-platform.h"
--#include
-+#include "k5-int.h"
- #include
- #include
- #include
-@@ -144,8 +143,8 @@ strdate(krb5_timestamp when)
- {
- struct tm *tm;
- static char out[40];
-+ time_t lcltim = ts2tt(when);
-
-- time_t lcltim = when;
- tm = localtime(&lcltim);
- strftime(out, sizeof(out), "%a %b %d %H:%M:%S %Z %Y", tm);
- return out;
-diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
-index cad53cfbf..a6fc4ea77 100644
---- a/src/kadmin/dbutil/dump.c
-+++ b/src/kadmin/dbutil/dump.c
-@@ -379,11 +379,12 @@ k5beta7_common(krb5_context context, krb5_db_entry *entry,
- fprintf(fp, "princ\t%d\t%lu\t%d\t%d\t%d\t%s\t", (int)entry->len,
- (unsigned long)strlen(name), counter, (int)entry->n_key_data,
- (int)entry->e_length, name);
-- fprintf(fp, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d", entry->attributes,
-- entry->max_life, entry->max_renewable_life, entry->expiration,
-- entry->pw_expiration,
-- omit_nra ? 0 : entry->last_success,
-- omit_nra ?
0 : entry->last_failed,
-+ fprintf(fp, "%d\t%d\t%d\t%u\t%u\t%u\t%u\t%d", entry->attributes,
-+ entry->max_life, entry->max_renewable_life,
-+ (unsigned int)entry->expiration,
-+ (unsigned int)entry->pw_expiration,
-+ (unsigned int)(omit_nra ? 0 : entry->last_success),
-+ (unsigned int)(omit_nra ? 0 : entry->last_failed),
- omit_nra ? 0 : entry->fail_auth_count);
-
- /* Write out tagged data. */
-@@ -717,7 +718,7 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
- {
- int retval, nread, i, j;
- krb5_db_entry *dbentry;
-- int t1, t2, t3, t4, t5, t6, t7;
-+ int t1, t2, t3, t4;
- unsigned int u1, u2, u3, u4, u5;
- char *name = NULL;
- krb5_key_data *kp = NULL, *kd;
-@@ -773,8 +774,8 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
- }
-
- /* Get the fixed principal attributes */
-- nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t",
-- &t1, &t2, &t3, &t4, &t5, &t6, &t7, &u1);
-+ nread = fscanf(filep, "%d\t%d\t%d\t%u\t%u\t%d\t%d\t%d\t",
-+ &t1, &t2, &t3, &u1, &u2, &u3, &u4, &u5);
- if (nread != 8) {
- load_err(fname, *linenop, _("cannot read principal attributes"));
- goto fail;
-@@ -782,11 +783,11 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
- dbentry->attributes = t1;
- dbentry->max_life = t2;
- dbentry->max_renewable_life = t3;
-- dbentry->expiration = t4;
-- dbentry->pw_expiration = t5;
-- dbentry->last_success = t6;
-- dbentry->last_failed = t7;
-- dbentry->fail_auth_count = u1;
-+ dbentry->expiration = u1;
-+ dbentry->pw_expiration = u2;
-+ dbentry->last_success = u3;
-+ dbentry->last_failed = u4;
-+ dbentry->fail_auth_count = u5;
- dbentry->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
- KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
- KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS |
-diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
-index 7df8cbc83..2efe3176e 100644
---- a/src/kadmin/dbutil/kdb5_mkey.c
-+++ b/src/kadmin/dbutil/kdb5_mkey.c
-@@
-44,8 +44,8 @@ static char *strdate(krb5_timestamp when)
- {
- struct tm *tm;
- static char out[40];
-+ time_t lcltim = ts2tt(when);
-
-- time_t lcltim = when;
- tm = localtime(&lcltim);
- strftime(out, sizeof(out), "%a %b %d %H:%M:%S %Z %Y", tm);
- return out;
-@@ -481,7 +481,7 @@ kdb5_use_mkey(int argc, char *argv[])
- cur_actkvno != NULL;
- prev_actkvno = cur_actkvno, cur_actkvno = cur_actkvno->next) {
-
-- if (new_actkvno->act_time < cur_actkvno->act_time) {
-+ if (ts_after(cur_actkvno->act_time, new_actkvno->act_time)) {
- if (prev_actkvno) {
- prev_actkvno->next = new_actkvno;
- new_actkvno->next = cur_actkvno;
-@@ -499,7 +499,7 @@ kdb5_use_mkey(int argc, char *argv[])
- }
- }
-
-- if (actkvno_list->act_time > now) {
-+ if (ts_after(actkvno_list->act_time, now)) {
- com_err(progname, EINVAL,
- _("there must be one master key currently active"));
- exit_status++;
-diff --git a/src/kadmin/dbutil/tabdump.c b/src/kadmin/dbutil/tabdump.c
-index 69a3482ec..fb36b060a 100644
---- a/src/kadmin/dbutil/tabdump.c
-+++ b/src/kadmin/dbutil/tabdump.c
-@@ -148,7 +148,7 @@ write_date_iso(struct rec_args *args, krb5_timestamp when)
- struct tm *tm = NULL;
- struct rechandle *h = args->rh;
-
-- t = when;
-+ t = ts2tt(when);
- tm = gmtime(&t);
- if (tm == NULL) {
- errno = EINVAL;
-diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c
-index a4997c60c..9dde579ef 100644
---- a/src/kadmin/testing/util/tcl_kadm5.c
-+++ b/src/kadmin/testing/util/tcl_kadm5.c
-@@ -697,13 +697,13 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ,
- } else
- Tcl_DStringAppendElement(str, "null");
-
-- sprintf(buf, "%d", princ->princ_expire_time);
-+ sprintf(buf, "%u", (unsigned int)princ->princ_expire_time);
- Tcl_DStringAppendElement(str, buf);
-
-- sprintf(buf, "%d", princ->last_pwd_change);
-+ sprintf(buf, "%u", (unsigned int)princ->last_pwd_change);
- Tcl_DStringAppendElement(str, buf);
-
-- sprintf(buf, "%d", princ->pw_expiration);
-+
sprintf(buf, "%u", (unsigned int)princ->pw_expiration);
- Tcl_DStringAppendElement(str, buf);
-
- sprintf(buf, "%d", princ->max_life);
-@@ -722,7 +722,7 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ,
- } else
- Tcl_DStringAppendElement(str, "null");
-
-- sprintf(buf, "%d", princ->mod_date);
-+ sprintf(buf, "%u", (unsigned int)princ->mod_date);
- Tcl_DStringAppendElement(str, buf);
-
- if (mask & KADM5_ATTRIBUTES) {
-@@ -758,10 +758,10 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ,
- sprintf(buf, "%d", princ->max_renewable_life);
- Tcl_DStringAppendElement(str, buf);
-
-- sprintf(buf, "%d", princ->last_success);
-+ sprintf(buf, "%u", (unsigned int)princ->last_success);
- Tcl_DStringAppendElement(str, buf);
-
-- sprintf(buf, "%d", princ->last_failed);
-+ sprintf(buf, "%u", (unsigned int)princ->last_failed);
- Tcl_DStringAppendElement(str, buf);
-
- sprintf(buf, "%d", princ->fail_auth_count);
-diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
-index a4bf91b1b..f85da6da6 100644
---- a/src/kdc/do_as_req.c
-+++ b/src/kdc/do_as_req.c
-@@ -87,7 +87,7 @@ get_key_exp(krb5_db_entry *entry)
- return entry->pw_expiration;
- if (entry->pw_expiration == 0)
- return entry->expiration;
-- return min(entry->expiration, entry->pw_expiration);
-+ return ts_min(entry->expiration, entry->pw_expiration);
- }
-
- /*
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index 339259fd1..ac5864603 100644
---- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -500,12 +500,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
-
- old_starttime = enc_tkt_reply.times.starttime ?
- enc_tkt_reply.times.starttime : enc_tkt_reply.times.authtime;
-- old_life = enc_tkt_reply.times.endtime - old_starttime;
-+ old_life = ts_delta(enc_tkt_reply.times.endtime, old_starttime);
-
- enc_tkt_reply.times.starttime = kdc_time;
- enc_tkt_reply.times.endtime =
-- min(header_ticket->enc_part2->times.renew_till,
-- kdc_time + old_life);
-+ ts_min(header_ticket->enc_part2->times.renew_till,
-+ ts_incr(kdc_time, old_life));
- } else {
- /* not a renew request */
- enc_tkt_reply.times.starttime = kdc_time;
-diff --git a/src/kdc/extern.c b/src/kdc/extern.c
-index fe627494b..84b5c6ad5 100644
---- a/src/kdc/extern.c
-+++ b/src/kdc/extern.c
-@@ -37,6 +37,8 @@
- kdc_realm_t **kdc_realmlist = (kdc_realm_t **) NULL;
- int kdc_numrealms = 0;
- krb5_data empty_string = {0, 0, ""};
--krb5_timestamp kdc_infinity = KRB5_INT32_MAX; /* XXX */
- krb5_keyblock psr_key;
- krb5_int32 max_dgram_reply_size = MAX_DGRAM_SIZE;
-+
-+/* With ts_after(), this is the largest timestamp value. */
-+krb5_timestamp kdc_infinity = -1;
-diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
-index 9df940219..e05107ef3 100644
---- a/src/kdc/fast_util.c
-+++ b/src/kdc/fast_util.c
-@@ -607,7 +607,7 @@ kdc_fast_read_cookie(krb5_context context, struct kdc_request_state *state,
- ret = krb5_timeofday(context, &now);
- if (ret)
- goto cleanup;
-- if (now - COOKIE_LIFETIME > cookie->time) {
-+ if (ts2tt(now) > cookie->time + COOKIE_LIFETIME) {
- /* Don't accept the cookie contents. Only return an error if the
- * cookie is relevant to the request.
*/
- if (is_relevant(cookie->data, req->padata))
-@@ -700,7 +700,7 @@ kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state,
- ret = krb5_timeofday(context, &now);
- if (ret)
- goto cleanup;
-- cookie.time = now;
-+ cookie.time = ts2tt(now);
- cookie.data = contents;
- ret = encode_krb5_secure_cookie(&cookie, &der_cookie);
- if (ret)
-diff --git a/src/kdc/kdc_log.c b/src/kdc/kdc_log.c
-index 94a2a1c87..c044a3553 100644
---- a/src/kdc/kdc_log.c
-+++ b/src/kdc/kdc_log.c
-@@ -79,9 +79,9 @@ log_as_req(krb5_context context, const krb5_fulladdr *from,
- /* success */
- char rep_etypestr[128];
- rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply);
-- krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %d, %s, "
-+ krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %u, %s, "
- "%s for %s"),
-- ktypestr, fromstring, authtime,
-+ ktypestr, fromstring, (unsigned int)authtime,
- rep_etypestr, cname2, sname2);
- } else {
- /* fail */
-@@ -156,10 +156,10 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
- name (useful), and doesn't log ktypestr (probably not
- important). */
- if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) {
-- krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %d, %s%s "
-+ krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %u, %s%s "
- "%s for %s%s%s"),
-- ktypestr, fromstring, status, authtime, rep_etypestr,
-- !errcode ? "," : "", logcname, logsname,
-+ ktypestr, fromstring, status, (unsigned int)authtime,
-+ rep_etypestr, !errcode ? "," : "", logcname, logsname,
- errcode ? ", " : "", errcode ?
emsg : "");
- if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION))
- krb5_klog_syslog(LOG_INFO,
-@@ -171,9 +171,9 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
- logaltcname);
-
- } else
-- krb5_klog_syslog(LOG_INFO, _("TGS_REQ %s: %s: authtime %d, %s for %s, "
-+ krb5_klog_syslog(LOG_INFO, _("TGS_REQ %s: %s: authtime %u, %s for %s, "
- "2nd tkt client %s"),
-- fromstring, status, authtime,
-+ fromstring, status, (unsigned int)authtime,
- logcname, logsname, logaltcname);
-
- /* OpenSolaris: audit_krb5kdc_tgs_req(...) or
-diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index 30c501c67..b710aefe4 100644
---- a/src/kdc/kdc_util.c
-+++ b/src/kdc/kdc_util.c
-@@ -654,7 +654,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
- }
-
- /* The client must not be expired */
-- if (client.expiration && client.expiration < kdc_time) {
-+ if (client.expiration && ts_after(kdc_time, client.expiration)) {
- *status = "CLIENT EXPIRED";
- if (vague_errors)
- return(KRB_ERR_GENERIC);
-@@ -664,7 +664,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
-
- /* The client's password must not be expired, unless the server is
- a KRB5_KDC_PWCHANGE_SERVICE.
*/
-- if (client.pw_expiration && client.pw_expiration < kdc_time &&
-+ if (client.pw_expiration && ts_after(kdc_time, client.pw_expiration) &&
- !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
- *status = "CLIENT KEY EXPIRED";
- if (vague_errors)
-@@ -674,7 +674,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
- }
-
- /* The server must not be expired */
-- if (server.expiration && server.expiration < kdc_time) {
-+ if (server.expiration && ts_after(kdc_time, server.expiration)) {
- *status = "SERVICE EXPIRED";
- return(KDC_ERR_SERVICE_EXP);
- }
-@@ -1771,9 +1771,9 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,
- if (till == 0)
- till = kdc_infinity;
-
-- until = min(till, endtime);
-+ until = ts_min(till, endtime);
-
-- life = until - starttime;
-+ life = ts_delta(until, starttime);
-
- if (client != NULL && client->max_life != 0)
- life = min(life, client->max_life);
-@@ -1782,7 +1782,7 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,
- if (kdc_active_realm->realm_maxlife != 0)
- life = min(life, kdc_active_realm->realm_maxlife);
-
-- *out_endtime = starttime + life;
-+ *out_endtime = ts_incr(starttime, life);
- }
-
- /*
-@@ -1812,22 +1812,22 @@ kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request,
- if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE))
- rtime = request->rtime ? request->rtime : kdc_infinity;
- else if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
-- tkt->times.endtime < request->till)
-+ ts_after(request->till, tkt->times.endtime))
- rtime = request->till;
- else
- return;
-
- /* Truncate it to the allowable renewable time.
*/
- if (tgt != NULL)
-- rtime = min(rtime, tgt->times.renew_till);
-+ rtime = ts_min(rtime, tgt->times.renew_till);
- max_rlife = min(server->max_renewable_life, realm->realm_maxrlife);
- if (client != NULL)
- max_rlife = min(max_rlife, client->max_renewable_life);
-- rtime = min(rtime, tkt->times.starttime + max_rlife);
-+ rtime = ts_min(rtime, ts_incr(tkt->times.starttime, max_rlife));
-
- /* Make the ticket renewable if the truncated requested time is larger than
- * the ticket end time. */
-- if (rtime > tkt->times.endtime) {
-+ if (ts_after(rtime, tkt->times.endtime)) {
- setflag(tkt->flags, TKT_FLG_RENEWABLE);
- tkt->times.renew_till = rtime;
- }
-diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
-index bcf05fc27..672f94380 100644
---- a/src/kdc/kdc_util.h
-+++ b/src/kdc/kdc_util.h
-@@ -452,6 +452,8 @@ struct krb5_kdcpreauth_rock_st {
- #define max(a, b) ((a) > (b) ? (a) : (b))
- #endif
-
-+#define ts_min(a, b) (ts_after(a, b) ? (b) : (a))
-+
- #define ADDRTYPE2FAMILY(X) \
- ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1)
-
-diff --git a/src/kdc/replay.c b/src/kdc/replay.c
-index 8da7ac19a..fab39cf88 100644
---- a/src/kdc/replay.c
-+++ b/src/kdc/replay.c
-@@ -61,7 +61,7 @@ static size_t total_size = 0;
- static krb5_ui_4 seed;
-
- #define STALE_TIME (2*60) /* two minutes */
--#define STALE(ptr, now) (abs((ptr)->timein - (now)) >= STALE_TIME)
-+#define STALE(ptr, now) (labs(ts_delta((ptr)->timein, now)) >= STALE_TIME)
-
- /* Return x rotated to the left by r bits.
*/
- static inline krb5_ui_4
-diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
-index a30cacc66..d0f25d1b7 100644
---- a/src/kdc/tgs_policy.c
-+++ b/src/kdc/tgs_policy.c
-@@ -186,7 +186,7 @@ static int
- check_tgs_svc_time(krb5_kdc_req *req, krb5_db_entry server, krb5_ticket *tkt,
- krb5_timestamp kdc_time, const char **status)
- {
-- if (server.expiration && server.expiration < kdc_time) {
-+ if (server.expiration && ts_after(kdc_time, server.expiration)) {
- *status = "SERVICE EXPIRED";
- return KDC_ERR_SERVICE_EXP;
- }
-@@ -222,7 +222,7 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,
- KDC time. */
- if (req->kdc_options & KDC_OPT_VALIDATE) {
- starttime = times->starttime ? times->starttime : times->authtime;
-- if (starttime > kdc_time) {
-+ if (ts_after(starttime, kdc_time)) {
- *status = "NOT_YET_VALID";
- return KRB_AP_ERR_TKT_NYV;
- }
-@@ -231,7 +231,8 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,
- * Check the renew_till time. The endtime was already
- * been checked in the initial authentication check.
- */
-- if ((req->kdc_options & KDC_OPT_RENEW) && times->renew_till < kdc_time) {
-+ if ((req->kdc_options & KDC_OPT_RENEW) &&
-+ ts_after(kdc_time, times->renew_till)) {
- *status = "TKT_EXPIRED";
- return KRB_AP_ERR_TKT_EXPIRED;
- }
-diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
-index 580d08cbf..06967aa27 100644
---- a/src/lib/gssapi/krb5/accept_sec_context.c
-+++ b/src/lib/gssapi/krb5/accept_sec_context.c
-@@ -351,8 +351,10 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
- if (mech_type)
- *mech_type = ctx->mech_used;
-
-- if (time_rec)
-- *time_rec = ctx->krb_times.endtime + ctx->k5_context->clockskew - now;
-+ if (time_rec) {
-+ *time_rec = ts_delta(ctx->krb_times.endtime, now) +
-+ ctx->k5_context->clockskew;
-+ }
-
- /* Never return GSS_C_DELEG_FLAG since we don't support DCE credential
- * delegation yet.
*/
-@@ -1146,7 +1148,7 @@ kg_accept_krb5(minor_status, context_handle,
- /* Add the maximum allowable clock skew as a grace period for context
- * expiration, just as we do for the ticket. */
- if (time_rec)
-- *time_rec = ctx->krb_times.endtime + context->clockskew - now;
-+ *time_rec = ts_delta(ctx->krb_times.endtime, now) + context->clockskew;
-
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
-diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
-index 03ee25ec1..362ba9d86 100644
---- a/src/lib/gssapi/krb5/acquire_cred.c
-+++ b/src/lib/gssapi/krb5/acquire_cred.c
-@@ -550,7 +550,7 @@ set_refresh_time(krb5_context context, krb5_ccache ccache,
- char buf[128];
- krb5_data d;
-
-- snprintf(buf, sizeof(buf), "%ld", (long)refresh_time);
-+ snprintf(buf, sizeof(buf), "%u", (unsigned int)ts2tt(refresh_time));
- d = string2data(buf);
- (void)krb5_cc_set_config(context, ccache, NULL, KRB5_CC_CONF_REFRESH_TIME,
- &d);
-@@ -566,8 +566,9 @@ kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)
-
- if (krb5_timeofday(context, &now))
- return FALSE;
-- if (cred->refresh_time != 0 && now >= cred->refresh_time) {
-- set_refresh_time(context, cred->ccache, cred->refresh_time + 30);
-+ if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) {
-+ set_refresh_time(context, cred->ccache,
-+ ts_incr(cred->refresh_time, 30));
- return TRUE;
- }
- return FALSE;
-@@ -586,7 +587,8 @@ kg_cred_set_initial_refresh(krb5_context context, krb5_gss_cred_id_rec *cred,
- return;
-
- /* Make a note to refresh these when they are halfway to expired.
*/
-- refresh = times->starttime + (times->endtime - times->starttime) / 2;
-+ refresh = ts_incr(times->starttime,
-+ ts_delta(times->endtime, times->starttime) / 2);
- set_refresh_time(context, cred->ccache, refresh);
- }
-
-@@ -848,7 +850,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
- GSS_C_NO_NAME);
- if (GSS_ERROR(ret))
- goto error_out;
-- *time_rec = (cred->expire > now) ? (cred->expire - now) : 0;
-+ *time_rec = ts_after(cred->expire, now) ?
-+ ts_delta(cred->expire, now) : 0;
- k5_mutex_unlock(&cred->lock);
- }
- }
-diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c
-index 450593288..1fdb5a16f 100644
---- a/src/lib/gssapi/krb5/context_time.c
-+++ b/src/lib/gssapi/krb5/context_time.c
-@@ -51,7 +51,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)
- return(GSS_S_FAILURE);
- }
-
-- lifetime = ctx->krb_times.endtime - now;
-+ lifetime = ts_delta(ctx->krb_times.endtime, now);
- if (!ctx->initiate)
- lifetime += ctx->k5_context->clockskew;
- if (lifetime <= 0) {
-diff --git a/src/lib/gssapi/krb5/export_cred.c b/src/lib/gssapi/krb5/export_cred.c
-index 652b2604b..8054e4a77 100644
---- a/src/lib/gssapi/krb5/export_cred.c
-+++ b/src/lib/gssapi/krb5/export_cred.c
-@@ -410,10 +410,11 @@ json_kgcred(krb5_context context, krb5_gss_cred_id_t cred,
- if (ret)
- goto cleanup;
-
-- ret = k5_json_array_fmt(&array, "ivvbbvvvvbiivs", cred->usage, name, imp,
-+ ret = k5_json_array_fmt(&array, "ivvbbvvvvbLLvs", cred->usage, name, imp,
- cred->default_identity, cred->iakerb_mech, keytab,
- rcache, ccache, ckeytab, cred->have_tgt,
-- cred->expire, cred->refresh_time, etypes,
-+ (long long)ts2tt(cred->expire),
-+ (long long)ts2tt(cred->refresh_time), etypes,
- cred->password);
- if (ret)
- goto cleanup;
-diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
-index 2dc4d0c1a..bb1072fe4 100644
---- a/src/lib/gssapi/krb5/iakerb.c
-+++ b/src/lib/gssapi/krb5/iakerb.c
-@@ -494,7 +494,7 @@
iakerb_tkt_creds_ctx(iakerb_ctx_id_t ctx,
- if (code != 0)
- goto cleanup;
-
-- creds.times.endtime = now + time_req;
-+ creds.times.endtime = ts_incr(now, time_req);
- }
-
- if (cred->name->ad_context != NULL) {
-@@ -669,7 +669,7 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx,
- if (code != 0)
- goto cleanup;
-
-- in_creds.times.endtime = now + time_req;
-+ in_creds.times.endtime = ts_incr(now, time_req);
- }
-
- /* Make an AS request if we have no creds or it's time to refresh them. */
-diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
-index 2a7467f54..1be1b5878 100644
---- a/src/lib/gssapi/krb5/init_sec_context.c
-+++ b/src/lib/gssapi/krb5/init_sec_context.c
-@@ -214,7 +214,8 @@ static krb5_error_code get_credentials(context, cred, server, now,
- * boundaries) because accept_sec_context code is also similarly
- * non-forgiving.
- */
-- if (!krb5_gss_dbg_client_expcreds && result_creds->times.endtime < now) {
-+ if (!krb5_gss_dbg_client_expcreds &&
-+ ts_after(now, result_creds->times.endtime)) {
- code = KRB5KRB_AP_ERR_TKT_EXPIRED;
- goto cleanup;
- }
-@@ -573,7 +574,7 @@ kg_new_connection(
- if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
- ctx->krb_times.endtime = 0;
- } else {
-- ctx->krb_times.endtime = now + time_req;
-+ ctx->krb_times.endtime = ts_incr(now, time_req);
- }
-
- if ((code = kg_duplicate_name(context, cred->name, &ctx->here)))
-@@ -657,7 +658,7 @@ kg_new_connection(
- if (time_rec) {
- if ((code = krb5_timeofday(context, &now)))
- goto cleanup;
-- *time_rec = ctx->krb_times.endtime - now;
-+ *time_rec = ts_delta(ctx->krb_times.endtime, now);
- }
-
- /* set the other returns */
-@@ -871,7 +872,7 @@ mutual_auth(
- if (time_rec) {
- if ((code = krb5_timeofday(context, &now)))
- goto fail;
-- *time_rec = ctx->krb_times.endtime - now;
-+ *time_rec = ts_delta(ctx->krb_times.endtime, now);
- }
-
- if (ret_flags)
-diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
-index
d2e466e60..cac024da1 100644
---- a/src/lib/gssapi/krb5/inq_context.c
-+++ b/src/lib/gssapi/krb5/inq_context.c
-@@ -120,7 +120,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
-
- /* Add the maximum allowable clock skew as a grace period for context
- * expiration, just as we do for the ticket during authentication. */
-- lifetime = ctx->krb_times.endtime - now;
-+ lifetime = ts_delta(ctx->krb_times.endtime, now);
- if (!ctx->initiate)
- lifetime += context->clockskew;
- if (lifetime < 0)
-diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
-index 4e35a0563..e662ae53a 100644
---- a/src/lib/gssapi/krb5/inq_cred.c
-+++ b/src/lib/gssapi/krb5/inq_cred.c
-@@ -130,8 +130,9 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
- goto fail;
- }
-
-- if (cred->expire > 0) {
-- if ((lifetime = cred->expire - now) < 0)
-+ if (cred->expire != 0) {
-+ lifetime = ts_delta(cred->expire, now);
-+ if (lifetime < 0)
- lifetime = 0;
- }
- else
-diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
-index ff1c310bc..10848c1df 100644
---- a/src/lib/gssapi/krb5/s4u_gss_glue.c
-+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
-@@ -284,7 +284,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
- if (code != 0)
- goto cleanup;
-
-- *time_rec = cred->expire - now;
-+ *time_rec = ts_delta(cred->expire, now);
- }
-
- major_status = GSS_S_COMPLETE;
-diff --git a/src/lib/kadm5/chpass_util.c b/src/lib/kadm5/chpass_util.c
-index 408b0eb31..1680a5504 100644
---- a/src/lib/kadm5/chpass_util.c
-+++ b/src/lib/kadm5/chpass_util.c
-@@ -4,15 +4,11 @@
- */
-
-
--#include "autoconf.h"
--#include
--#include
--#include
-+#include "k5-int.h"
-
- #include
- #include "admin_internal.h"
-
--#include
-
- #define string_text error_message
-
-@@ -218,7 +214,7 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
- time_t until;
- char *time_string, *ptr;
-
-- until = princ_ent.last_pwd_change +
policy_ent.pw_min_life;
-+ until = ts_incr(princ_ent.last_pwd_change, policy_ent.pw_min_life);
-
- time_string = ctime(&until);
- if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
-diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
-index 3c2844d14..c4bb16dc7 100644
---- a/src/lib/kadm5/srv/server_acl.c
-+++ b/src/lib/kadm5/srv/server_acl.c
-@@ -408,13 +408,14 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
- }
- if (rp->mask & KADM5_PRINC_EXPIRE_TIME) {
- if (!(*maskp & KADM5_PRINC_EXPIRE_TIME)
-- || (recp->princ_expire_time > (now + rp->princ_lifetime)))
-+ || ts_after(recp->princ_expire_time,
-+ ts_incr(now, rp->princ_lifetime)))
- recp->princ_expire_time = now + rp->princ_lifetime;
- *maskp |= KADM5_PRINC_EXPIRE_TIME;
- }
- if (rp->mask & KADM5_PW_EXPIRATION) {
- if (!(*maskp & KADM5_PW_EXPIRATION)
-- || (recp->pw_expiration > (now + rp->pw_lifetime)))
-+ || ts_after(recp->pw_expiration, ts_incr(now, rp->pw_lifetime)))
- recp->pw_expiration = now + rp->pw_lifetime;
- *maskp |= KADM5_PW_EXPIRATION;
- }
-diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
-index 8f4da0e52..137e1fb64 100644
---- a/src/lib/kadm5/srv/svr_principal.c
-+++ b/src/lib/kadm5/srv/svr_principal.c
-@@ -400,7 +400,7 @@ kadm5_create_principal_3(void *server_handle,
- kdb->pw_expiration = 0;
- if (have_polent) {
- if(polent.pw_max_life)
-- kdb->pw_expiration = now + polent.pw_max_life;
-+ kdb->pw_expiration = ts_incr(now, polent.pw_max_life);
- else
- kdb->pw_expiration = 0;
- }
-@@ -612,7 +612,7 @@ kadm5_modify_principal(void *server_handle,
- &(kdb->pw_expiration));
- if (ret)
- goto done;
-- kdb->pw_expiration += pol.pw_max_life;
-+ kdb->pw_expiration = ts_incr(kdb->pw_expiration, pol.pw_max_life);
- } else {
- kdb->pw_expiration = 0;
- }
-@@ -1445,7 +1445,7 @@ kadm5_chpass_principal_3(void *server_handle,
- }
-
- if (pol.pw_max_life)
-- kdb->pw_expiration = now + pol.pw_max_life;
-+ kdb->pw_expiration =
ts_incr(now, pol.pw_max_life);
- else
- kdb->pw_expiration = 0;
- } else {
-@@ -1624,7 +1624,7 @@ kadm5_randkey_principal_3(void *server_handle,
- #endif
-
- if (pol.pw_max_life)
-- kdb->pw_expiration = now + pol.pw_max_life;
-+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
- else
- kdb->pw_expiration = 0;
- } else {
-@@ -1774,7 +1774,7 @@ kadm5_setv4key_principal(void *server_handle,
- #endif
-
- if (pol.pw_max_life)
-- kdb->pw_expiration = now + pol.pw_max_life;
-+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
- else
- kdb->pw_expiration = 0;
- } else {
-@@ -2027,7 +2027,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
- }
- if (have_pol) {
- if (pol.pw_max_life)
-- kdb->pw_expiration = now + pol.pw_max_life;
-+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
- else
- kdb->pw_expiration = 0;
- } else {
-diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
-index 690725765..07392572e 100644
---- a/src/lib/kdb/kdb5.c
-+++ b/src/lib/kdb/kdb5.c
-@@ -1297,7 +1297,7 @@ find_actkvno(krb5_actkvno_node *list, krb5_timestamp now)
- * are in the future, we will return the first node; if all are in the
- * past, we will return the last node.
- */
-- while (list->next != NULL && list->next->act_time <= now)
-+ while (list->next != NULL && !ts_after(list->next->act_time, now))
- list = list->next;
- return list->act_kvno;
- }
-diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
-index a827ca608..889460989 100644
---- a/src/lib/krb5/asn.1/asn1_k_encode.c
-+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
-@@ -158,8 +158,7 @@ static asn1_error_code
- encode_kerberos_time(asn1buf *buf, const void *p, taginfo *rettag,
- size_t *len_out)
- {
-- /* Range checking for time_t vs krb5_timestamp?
*/
-- time_t val = *(krb5_timestamp *)p;
-+ time_t val = ts2tt(*(krb5_timestamp *)p);
- rettag->asn1class = UNIVERSAL;
- rettag->construction = PRIMITIVE;
- rettag->tagnum = ASN1_GENERALTIME;
-diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
-index 4fe3f0d6f..fba710b1b 100644
---- a/src/lib/krb5/ccache/cc_keyring.c
-+++ b/src/lib/krb5/ccache/cc_keyring.c
-@@ -751,7 +751,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id)
- for (;;) {
- if (krcc_next_cred(context, id, &cursor, &creds) != 0)
- break;
-- if (creds.times.endtime > endtime)
-+ if (ts_after(creds.times.endtime, endtime))
- endtime = creds.times.endtime;
- krb5_free_cred_contents(context, &creds);
- }
-@@ -765,7 +765,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id)
-
- /* Setting the timeout to zero would reset the timeout, so we set it to one
- * second instead if creds are already expired. */
-- timeout = (endtime > now) ? endtime - now : 1;
-+ timeout = ts_after(endtime, now) ? ts_delta(endtime, now) : 1;
- (void)keyctl_set_timeout(data->cache_id, timeout);
- }
-
-@@ -1316,8 +1316,10 @@ krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
- if (ret)
- goto errout;
-
-- if (creds->times.endtime > now)
-- (void)keyctl_set_timeout(cred_key, creds->times.endtime - now);
-+ if (ts_after(creds->times.endtime, now)) {
-+ (void)keyctl_set_timeout(cred_key,
-+ ts_delta(creds->times.endtime, now));
-+ }
-
- update_keyring_expiration(context, id);
-
-@@ -1680,8 +1682,8 @@ static void
- krcc_update_change_time(krcc_data *data)
- {
- krb5_timestamp now_time = time(NULL);
-- data->changetime = (data->changetime >= now_time) ?
-- data->changetime + 1 : now_time;
-+ data->changetime = ts_after(now_time, data->changetime) ?
-+ now_time : ts_incr(data->changetime, 1);
- }
-
- /*
-diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c
-index 0354575c5..c5425eb3a 100644
---- a/src/lib/krb5/ccache/cc_memory.c
-+++ b/src/lib/krb5/ccache/cc_memory.c
-@@ -720,8 +720,8 @@ static void
- update_mcc_change_time(krb5_mcc_data *d)
- {
- krb5_timestamp now_time = time(NULL);
-- d->changetime = (d->changetime >= now_time) ?
-- d->changetime + 1 : now_time;
-+ d->changetime = ts_after(now_time, d->changetime) ?
-+ now_time : ts_incr(d->changetime, 1);
- }
-
- static krb5_error_code KRB5_CALLCONV
-diff --git a/src/lib/krb5/ccache/cc_retr.c b/src/lib/krb5/ccache/cc_retr.c
-index 1314d24bd..1a32e00c8 100644
---- a/src/lib/krb5/ccache/cc_retr.c
-+++ b/src/lib/krb5/ccache/cc_retr.c
-@@ -46,11 +46,11 @@ static krb5_boolean
- times_match(const krb5_ticket_times *t1, const krb5_ticket_times *t2)
- {
- if (t1->renew_till) {
-- if (t1->renew_till > t2->renew_till)
-+ if (ts_after(t1->renew_till, t2->renew_till))
- return FALSE; /* this one expires too late */
- }
- if (t1->endtime) {
-- if (t1->endtime > t2->endtime)
-+ if (ts_after(t1->endtime, t2->endtime))
- return FALSE; /* this one expires too late */
- }
- /* only care about expiration on a times_match */
-diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.c b/src/lib/krb5/ccache/ccapi/stdcc_util.c
-index 9f44af3d0..6092ee432 100644
---- a/src/lib/krb5/ccache/ccapi/stdcc_util.c
-+++ b/src/lib/krb5/ccache/ccapi/stdcc_util.c
-@@ -16,8 +16,8 @@
- #include
- #endif
-
-+#include "k5-int.h"
- #include "stdcc_util.h"
--#include "krb5.h"
- #ifdef _WIN32 /* it's part of krb5.h everywhere else */
- #include "kv5m_err.h"
- #endif
-@@ -321,10 +321,10 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context,
- keyblock_contents = NULL;
-
- /* copy times */
-- out_creds->times.authtime = cv5->authtime + offset_seconds;
-- out_creds->times.starttime = cv5->starttime + offset_seconds;
-- out_creds->times.endtime = cv5->endtime +
offset_seconds;
-- out_creds->times.renew_till = cv5->renew_till + offset_seconds;
-+ out_creds->times.authtime = ts_incr(cv5->authtime, offset_seconds);
-+ out_creds->times.starttime = ts_incr(cv5->starttime, offset_seconds);
-+ out_creds->times.endtime = ts_incr(cv5->endtime, offset_seconds);
-+ out_creds->times.renew_till = ts_incr(cv5->renew_till, offset_seconds);
- out_creds->is_skey = cv5->is_skey;
- out_creds->ticket_flags = cv5->ticket_flags;
-
-@@ -451,11 +451,11 @@ copy_krb5_creds_to_cc_cred_union (krb5_context in_context,
- cv5->keyblock.data = keyblock_data;
- keyblock_data = NULL;
-
-- cv5->authtime = in_creds->times.authtime - offset_seconds;
-- cv5->starttime = in_creds->times.starttime - offset_seconds;
-- cv5->endtime = in_creds->times.endtime - offset_seconds;
-- cv5->renew_till = in_creds->times.renew_till - offset_seconds;
-- cv5->is_skey = in_creds->is_skey;
-+ cv5->authtime = ts_incr(in_creds->times.authtime, -offset_seconds);
-+ cv5->starttime = ts_incr(in_creds->times.starttime, -offset_seconds);
-+ cv5->endtime = ts_incr(in_creds->times.endtime, -offset_seconds);
-+ cv5->renew_till = ts_incr(in_creds->times.renew_till, -offset_seconds);
-+ cv5->is_skey = in_creds->is_skey;
- cv5->ticket_flags = in_creds->ticket_flags;
-
- if (in_creds->ticket.data) {
-@@ -732,10 +732,10 @@ void dupCCtoK5(krb5_context context, cc_creds *src, krb5_creds *dest)
- err = krb5_get_time_offsets(context, &offset_seconds, &offset_microseconds);
- if (err) return;
- #endif
-- dest->times.authtime = src->authtime + offset_seconds;
-- dest->times.starttime = src->starttime + offset_seconds;
-- dest->times.endtime = src->endtime + offset_seconds;
-- dest->times.renew_till = src->renew_till + offset_seconds;
-+ dest->times.authtime = ts_incr(src->authtime, offset_seconds);
-+ dest->times.starttime = ts_incr(src->starttime, offset_seconds);
-+ dest->times.endtime = ts_incr(src->endtime, offset_seconds);
-+ dest->times.renew_till = ts_incr(src->renew_till, offset_seconds);
- dest->is_skey = src->is_skey;
- dest->ticket_flags = src->ticket_flags;
-
-@@ -804,10 +804,10 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu)
- err = krb5_get_time_offsets(context, &offset_seconds, &offset_microseconds);
- if (err) return;
- #endif
-- c->authtime = creds->times.authtime - offset_seconds;
-- c->starttime = creds->times.starttime - offset_seconds;
-- c->endtime = creds->times.endtime - offset_seconds;
-- c->renew_till = creds->times.renew_till - offset_seconds;
-+ c->authtime = ts_incr(creds->times.authtime, -offset_seconds);
-+ c->starttime = ts_incr(creds->times.starttime, -offset_seconds);
-+ c->endtime = ts_incr(creds->times.endtime, -offset_seconds);
-+ c->renew_till = ts_incr(creds->times.renew_till, -offset_seconds);
- c->is_skey = creds->is_skey;
- c->ticket_flags = creds->ticket_flags;
-
-@@ -925,11 +925,11 @@ times_match(t1, t2)
- register const krb5_ticket_times *t2;
- {
- if (t1->renew_till) {
-- if (t1->renew_till > t2->renew_till)
-+ if (ts_after(t1->renew_till, t2->renew_till))
- return FALSE; /* this one expires too late */
- }
- if (t1->endtime) {
-- if (t1->endtime > t2->endtime)
-+ if (ts_after(t1->endtime, t2->endtime))
- return FALSE; /* this one expires too late */
- }
- /* only care about expiration on a times_match */
-diff --git a/src/lib/krb5/ccache/cccursor.c b/src/lib/krb5/ccache/cccursor.c
-index c31a3f5f0..e631f2051 100644
---- a/src/lib/krb5/ccache/cccursor.c
-+++ b/src/lib/krb5/ccache/cccursor.c
-@@ -159,7 +159,7 @@ krb5_cccol_last_change_time(krb5_context context,
- ret = krb5_cccol_cursor_next(context, c, &ccache);
- if (ccache) {
- ret = krb5_cc_last_change_time(context, ccache, &last_time);
-- if (!ret && last_time > max_change_time) {
-+ if (!ret && ts_after(last_time, max_change_time)) {
- max_change_time = last_time;
- }
- ret = 0;
-diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
-index 674d88bab..76efb71c6 100644
---- a/src/lib/krb5/keytab/kt_file.c
-+++
b/src/lib/krb5/keytab/kt_file.c
-@@ -264,9 +264,11 @@ more_recent(const krb5_keytab_entry *k1, const krb5_keytab_entry *k2)
- * limitations (8-bit kvno storage), pre-1.14 kadmin protocol limitations
- * (8-bit kvno marshalling), or KDB limitations (16-bit kvno storage).
- */
-- if (k1->timestamp >= k2->timestamp && k1->vno < 128 && k2->vno > 240)
-+ if (!ts_after(k2->timestamp, k1->timestamp) &&
-+ k1->vno < 128 && k2->vno > 240)
- return TRUE;
-- if (k1->timestamp <= k2->timestamp && k1->vno > 240 && k2->vno < 128)
-+ if (!ts_after(k1->timestamp, k2->timestamp) &&
-+ k1->vno > 240 && k2->vno < 128)
- return FALSE;
-
- /* Otherwise do a simple version comparison. */
-diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
-index c85d8b8d8..cf1ea361f 100644
---- a/src/lib/krb5/krb/gc_via_tkt.c
-+++ b/src/lib/krb5/krb/gc_via_tkt.c
-@@ -287,18 +287,19 @@ krb5int_process_tgs_reply(krb5_context context,
- retval = KRB5_KDCREP_MODIFIED;
-
- if ((in_cred->times.endtime != 0) &&
-- (dec_rep->enc_part2->times.endtime > in_cred->times.endtime))
-+ ts_after(dec_rep->enc_part2->times.endtime, in_cred->times.endtime))
- retval = KRB5_KDCREP_MODIFIED;
-
- if ((kdcoptions & KDC_OPT_RENEWABLE) &&
- (in_cred->times.renew_till != 0) &&
-- (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till))
-+ ts_after(dec_rep->enc_part2->times.renew_till,
-+ in_cred->times.renew_till))
- retval = KRB5_KDCREP_MODIFIED;
-
- if ((kdcoptions & KDC_OPT_RENEWABLE_OK) &&
- (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
- (in_cred->times.endtime != 0) &&
-- (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime))
-+ ts_after(dec_rep->enc_part2->times.renew_till, in_cred->times.endtime))
- retval = KRB5_KDCREP_MODIFIED;
-
- if (retval != 0)
-diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
-index 110abeb2b..be5b2d18c 100644
---- a/src/lib/krb5/krb/get_creds.c
-+++ b/src/lib/krb5/krb/get_creds.c
-@@ -816,7 +816,7 @@
get_cached_local_tgt(krb5_context context, krb5_tkt_creds_context ctx,
- return code;
-
- /* Check if the TGT is expired before bothering the KDC with it. */
-- if (now > tgt->times.endtime) {
-+ if (ts_after(now, tgt->times.endtime)) {
- krb5_free_creds(context, tgt);
- return KRB5KRB_AP_ERR_TKT_EXPIRED;
- }
-diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
-index a058f5bd7..40aba1905 100644
---- a/src/lib/krb5/krb/get_in_tkt.c
-+++ b/src/lib/krb5/krb/get_in_tkt.c
-@@ -39,24 +39,6 @@ static krb5_error_code sort_krb5_padata_sequence(krb5_context context,
- krb5_data *realm,
- krb5_pa_data **padata);
-
--/*
-- * This function performs 32 bit bounded addition so we can generate
-- * lifetimes without overflowing krb5_int32
-- */
--static krb5_int32
--krb5int_addint32 (krb5_int32 x, krb5_int32 y)
--{
-- if ((x > 0) && (y > (KRB5_INT32_MAX - x))) {
-- /* sum will be be greater than KRB5_INT32_MAX */
-- return KRB5_INT32_MAX;
-- } else if ((x < 0) && (y < (KRB5_INT32_MIN - x))) {
-- /* sum will be less than KRB5_INT32_MIN */
-- return KRB5_INT32_MIN;
-- }
--
-- return x + y;
--}
--
- /*
- * Decrypt the AS reply in ctx, populating ctx->reply->enc_part2.
If
- * strengthen_key is not null, combine it with the reply key as specified in
-@@ -267,21 +249,21 @@ verify_as_reply(krb5_context context,
- (request->from != 0) &&
- (request->from != as_reply->enc_part2->times.starttime))
- || ((request->till != 0) &&
-- (as_reply->enc_part2->times.endtime > request->till))
-+ ts_after(as_reply->enc_part2->times.endtime, request->till))
- || ((request->kdc_options & KDC_OPT_RENEWABLE) &&
- (request->rtime != 0) &&
-- (as_reply->enc_part2->times.renew_till > request->rtime))
-+ ts_after(as_reply->enc_part2->times.renew_till, request->rtime))
- || ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
- !(request->kdc_options & KDC_OPT_RENEWABLE) &&
- (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
- (request->till != 0) &&
-- (as_reply->enc_part2->times.renew_till > request->till))
-+ ts_after(as_reply->enc_part2->times.renew_till, request->till))
- ) {
- return KRB5_KDCREP_MODIFIED;
- }
-
- if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) {
-- time_offset = as_reply->enc_part2->times.authtime - time_now;
-+ time_offset = ts_delta(as_reply->enc_part2->times.authtime, time_now);
- retval = krb5_set_time_offsets(context, time_offset, 0);
- if (retval)
- return retval;
-@@ -790,15 +772,15 @@ set_request_times(krb5_context context, krb5_init_creds_context ctx)
- return code;
-
- /* Omit request start time unless the caller explicitly asked for one. */
-- from = krb5int_addint32(now, ctx->start_time);
-+ from = ts_incr(now, ctx->start_time);
- if (ctx->start_time != 0)
- ctx->request->from = from;
-
-- ctx->request->till = krb5int_addint32(from, ctx->tkt_life);
-+ ctx->request->till = ts_incr(from, ctx->tkt_life);
-
- if (ctx->renew_life > 0) {
- /* Don't ask for a smaller renewable time than the lifetime.
*/
-- ctx->request->rtime = krb5int_addint32(from, ctx->renew_life);
-+ ctx->request->rtime = ts_incr(from, ctx->renew_life);
- if (ctx->request->rtime < ctx->request->till)
- ctx->request->rtime = ctx->request->till;
- ctx->request->kdc_options &= ~KDC_OPT_RENEWABLE_OK;
-@@ -1438,7 +1420,7 @@ note_req_timestamp(krb5_context context, krb5_init_creds_context ctx,
-
- if (k5_time_with_offset(0, 0, &now, &usec) != 0)
- return;
-- ctx->pa_offset = kdc_time - now;
-+ ctx->pa_offset = ts_delta(kdc_time, now);
- ctx->pa_offset_usec = kdc_usec - usec;
- ctx->pa_offset_state = (ctx->fast_state->armor_key != NULL) ?
- AUTH_OFFSET : UNAUTH_OFFSET;
-@@ -1807,6 +1789,7 @@ k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
- {
- int i;
- krb5_int32 starttime;
-+ krb5_deltat lifetime;
- krb5_get_init_creds_opt *opt;
- krb5_error_code retval;
-
-@@ -1838,7 +1821,8 @@ k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
- if (retval)
- goto cleanup;
- if (creds->times.starttime) starttime = creds->times.starttime;
-- krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime);
-+ lifetime = ts_delta(creds->times.endtime, starttime);
-+ krb5_get_init_creds_opt_set_tkt_life(opt, lifetime);
- }
- *out = opt;
- return 0;
-diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
-index 6f3a29f2c..3565a7c4c 100644
---- a/src/lib/krb5/krb/gic_pwd.c
-+++ b/src/lib/krb5/krb/gic_pwd.c
-@@ -211,7 +211,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
- if (ret != 0)
- return;
- if (!is_last_req &&
-- (pw_exp < now || (pw_exp - now) > 7 * 24 * 60 * 60))
-+ (ts_after(now, pw_exp) || ts_delta(pw_exp, now) > 7 * 24 * 60 * 60))
- return;
-
- if (!prompter)
-@@ -221,7 +221,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
- if (ret != 0)
- return;
-
-- delta = pw_exp - now;
-+ delta = ts_delta(pw_exp, now);
- if (delta < 3600) {
- snprintf(banner, sizeof(banner),
- _("Warning:
Your password will expire in less than one hour "
-diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
-index 44eca359f..48bd9f8f7 100644
---- a/src/lib/krb5/krb/int-proto.h
-+++ b/src/lib/krb5/krb/int-proto.h
-@@ -84,7 +84,7 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
- krb5_flags *fields);
-
- #define in_clock_skew(context, date, now) \
-- (labs((date) - (now)) < (context)->clockskew)
-+ (labs(ts_delta(date, now)) < (context)->clockskew)
-
- #define IS_TGS_PRINC(p) ((p)->length == 2 && \
- data_eq_string((p)->data[0], KRB5_TGS_NAME))
-diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
-index 9098927b5..c70585a9e 100644
---- a/src/lib/krb5/krb/pac.c
-+++ b/src/lib/krb5/krb/pac.c
-@@ -378,7 +378,7 @@ k5_time_to_seconds_since_1970(int64_t ntTime, krb5_timestamp *elapsedSeconds)
-
- abstime = ntTime > 0 ? ntTime - NT_TIME_EPOCH : -ntTime;
-
-- if (abstime > KRB5_INT32_MAX)
-+ if (abstime > UINT32_MAX)
- return ERANGE;
-
- *elapsedSeconds = abstime;
-diff --git a/src/lib/krb5/krb/str_conv.c b/src/lib/krb5/krb/str_conv.c
-index 3ab7eacac..f0a2ae20b 100644
---- a/src/lib/krb5/krb/str_conv.c
-+++ b/src/lib/krb5/krb/str_conv.c
-@@ -207,7 +207,7 @@ krb5_error_code KRB5_CALLCONV
- krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen)
- {
- size_t ret;
-- time_t timestamp2 = timestamp;
-+ time_t timestamp2 = ts2tt(timestamp);
- struct tm tmbuf;
- const char *fmt = "%c"; /* This is to get around gcc -Wall warning that
- the year returned might be two digits */
-@@ -229,7 +229,7 @@ krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, size_t buflen
- struct tm *tmp;
- size_t i;
- size_t ndone;
-- time_t timestamp2 = timestamp;
-+ time_t timestamp2 = ts2tt(timestamp);
- struct tm tmbuf;
-
- static const char * const sftime_format_table[] = {
-diff --git a/src/lib/krb5/krb/t_kerb.c b/src/lib/krb5/krb/t_kerb.c
-index 60cfb5b15..74ac14d9a 100644
---- a/src/lib/krb5/krb/t_kerb.c
-+++ b/src/lib/krb5/krb/t_kerb.c
-@@ -5,16 +5,8 @@
- */
-
- #include "autoconf.h"
--#include "krb5.h"
--#include
--#include
--#include
--#include
-+#include "k5-int.h"
- #include
--#include
--#include
--#include
--#include
-
- #include "com_err.h"
-
-@@ -37,7 +29,7 @@ test_string_to_timestamp(krb5_context ctx, char *ktime)
- com_err("krb5_string_to_timestamp", retval, 0);
- return;
- }
-- t = (time_t) timestamp;
-+ t = ts2tt(timestamp);
- printf("Parsed time was %s", ctime(&t));
- }
-
-diff --git a/src/lib/krb5/krb/valid_times.c b/src/lib/krb5/krb/valid_times.c
-index d63122183..9e509b2dd 100644
---- a/src/lib/krb5/krb/valid_times.c
-+++ b/src/lib/krb5/krb/valid_times.c
-@@ -47,10 +47,10 @@ krb5int_validate_times(krb5_context context, krb5_ticket_times *times)
- else
- starttime = times->authtime;
-
-- if (starttime - currenttime > context->clockskew)
-+ if (ts_delta(starttime, currenttime) > context->clockskew)
- return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */
-
-- if ((currenttime - times->endtime) > context->clockskew)
-+ if (ts_delta(currenttime, times->endtime) > context->clockskew)
- return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
-
- return 0;
-diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
-index 9786d63b5..b4878ba38 100644
---- a/src/lib/krb5/krb/vfy_increds.c
-+++ b/src/lib/krb5/krb/vfy_increds.c
-@@ -120,7 +120,7 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server,
- ret = krb5_timeofday(context, &in_creds.times.endtime);
- if (ret)
- goto cleanup;
-- in_creds.times.endtime += 5*60;
-+ in_creds.times.endtime = ts_incr(in_creds.times.endtime, 5 * 60);
- ret = krb5_get_credentials(context, 0, ccache, &in_creds, &out_creds);
- if (ret)
- goto cleanup;
-diff --git a/src/lib/krb5/os/timeofday.c b/src/lib/krb5/os/timeofday.c
-index fddb12142..887f24c22 100644
---- a/src/lib/krb5/os/timeofday.c
-+++ b/src/lib/krb5/os/timeofday.c
-@@ -60,7 +60,7 @@ krb5_check_clockskew(krb5_context
context, krb5_timestamp date) - retval = krb5_timeofday(context, ¤ttime); - if (retval) - return retval; -- if (!(labs((date)-currenttime) < context->clockskew)) -+ if (labs(ts_delta(date, currenttime)) >= context->clockskew) - return KRB5KRB_AP_ERR_SKEW; - - return 0; -diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c -index 456193a41..37bc69f49 100644 ---- a/src/lib/krb5/os/toffset.c -+++ b/src/lib/krb5/os/toffset.c -@@ -47,7 +47,7 @@ krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 micr - if (retval) - return retval; - -- os_ctx->time_offset = seconds - sec; -+ os_ctx->time_offset = ts_delta(seconds, sec); - os_ctx->usec_offset = (microseconds > -1) ? microseconds - usec : 0; - - os_ctx->os_flags = ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) | -diff --git a/src/lib/krb5/os/ustime.c b/src/lib/krb5/os/ustime.c -index 056357683..1c1b571eb 100644 ---- a/src/lib/krb5/os/ustime.c -+++ b/src/lib/krb5/os/ustime.c -@@ -49,13 +49,13 @@ k5_time_with_offset(krb5_timestamp offset, krb5_int32 offset_usec, - usec += offset_usec; - if (usec > 1000000) { - usec -= 1000000; -- sec++; -+ sec = ts_incr(sec, 1); - } - if (usec < 0) { - usec += 1000000; -- sec--; -+ sec = ts_incr(sec, -1); - } -- sec += offset; -+ sec = ts_incr(sec, offset); - - *time_out = sec; - *usec_out = usec; -diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c -index c0f12ed9d..6b043844d 100644 ---- a/src/lib/krb5/rcache/rc_dfl.c -+++ b/src/lib/krb5/rcache/rc_dfl.c -@@ -97,8 +97,7 @@ alive(krb5_int32 mytime, krb5_donot_replay *new1, krb5_deltat t) - { - if (mytime == 0) - return CMP_HOHUM; /* who cares? 
*/ -- /* I hope we don't have to worry about overflow */ -- if (new1->ctime + t < mytime) -+ if (ts_after(mytime, ts_incr(new1->ctime, t))) - return CMP_EXPIRED; - return CMP_HOHUM; - } -diff --git a/src/lib/krb5/rcache/t_replay.c b/src/lib/krb5/rcache/t_replay.c -index db273ec2f..b99cdf1ab 100644 ---- a/src/lib/krb5/rcache/t_replay.c -+++ b/src/lib/krb5/rcache/t_replay.c -@@ -110,7 +110,7 @@ store(krb5_context ctx, char *rcspec, char *client, char *server, char *msg, - krb5_donot_replay rep; - krb5_data d; - -- if (now_timestamp > 0) -+ if (now_timestamp != 0) - krb5_set_debugging_time(ctx, now_timestamp, now_usec); - if ((retval = krb5_rc_resolve_full(ctx, &rc, rcspec))) - goto cleanup; -@@ -221,13 +221,13 @@ main(int argc, char **argv) - msg = (**argv) ? *argv : NULL; - argc--; argv++; - if (!argc) usage(progname); -- timestamp = (krb5_timestamp) atol(*argv); -+ timestamp = (krb5_timestamp) atoll(*argv); - argc--; argv++; - if (!argc) usage(progname); - usec = (krb5_int32) atol(*argv); - argc--; argv++; - if (!argc) usage(progname); -- now_timestamp = (krb5_timestamp) atol(*argv); -+ now_timestamp = (krb5_timestamp) atoll(*argv); - argc--; argv++; - if (!argc) usage(progname); - now_usec = (krb5_int32) atol(*argv); -@@ -249,7 +249,7 @@ main(int argc, char **argv) - rcspec = *argv; - argc--; argv++; - if (!argc) usage(progname); -- now_timestamp = (krb5_timestamp) atol(*argv); -+ now_timestamp = (krb5_timestamp) atoll(*argv); - argc--; argv++; - if (!argc) usage(progname); - now_usec = (krb5_int32) atol(*argv); -diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c -index 7d151b55b..3a4f41821 100644 ---- a/src/plugins/kdb/db2/lockout.c -+++ b/src/plugins/kdb/db2/lockout.c -@@ -100,7 +100,7 @@ locked_check_p(krb5_context context, - - /* If the entry was unlocked since the last failure, it's not locked. 
*/ - if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 && -- entry->last_failed <= unlock_time) -+ !ts_after(entry->last_failed, unlock_time)) - return FALSE; - - if (max_fail == 0 || entry->fail_auth_count < max_fail) -@@ -109,7 +109,7 @@ locked_check_p(krb5_context context, - if (lockout_duration == 0) - return TRUE; /* principal permanently locked */ - -- return (stamp < entry->last_failed + lockout_duration); -+ return ts_after(ts_incr(entry->last_failed, lockout_duration), stamp); - } - - krb5_error_code -@@ -200,13 +200,13 @@ krb5_db2_lockout_audit(krb5_context context, - status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) { - if (krb5_dbe_lookup_last_admin_unlock(context, entry, - &unlock_time) == 0 && -- entry->last_failed <= unlock_time) { -+ !ts_after(entry->last_failed, unlock_time)) { - /* Reset fail_auth_count after administrative unlock. */ - entry->fail_auth_count = 0; - } - - if (failcnt_interval != 0 && -- stamp > entry->last_failed + failcnt_interval) { -+ ts_after(stamp, ts_incr(entry->last_failed, failcnt_interval))) { - /* Reset fail_auth_count after failcnt_interval. 
*/ - entry->fail_auth_count = 0; - } -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index 7ba53f959..88a170495 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -1734,7 +1734,7 @@ getstringtime(krb5_timestamp epochtime) - { - struct tm tme; - char *strtime=NULL; -- time_t posixtime = epochtime; -+ time_t posixtime = ts2tt(epochtime); - - strtime = calloc (50, 1); - if (strtime == NULL) -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c -index 0fc56c2fe..1088ecc5a 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c -@@ -93,7 +93,7 @@ locked_check_p(krb5_context context, - - /* If the entry was unlocked since the last failure, it's not locked. */ - if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 && -- entry->last_failed <= unlock_time) -+ !ts_after(entry->last_failed, unlock_time)) - return FALSE; - - if (max_fail == 0 || entry->fail_auth_count < max_fail) -@@ -102,7 +102,7 @@ locked_check_p(krb5_context context, - if (lockout_duration == 0) - return TRUE; /* principal permanently locked */ - -- return (stamp < entry->last_failed + lockout_duration); -+ return ts_after(ts_incr(entry->last_failed, lockout_duration), stamp); - } - - krb5_error_code -@@ -196,14 +196,14 @@ krb5_ldap_lockout_audit(krb5_context context, - status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) { - if (krb5_dbe_lookup_last_admin_unlock(context, entry, - &unlock_time) == 0 && -- entry->last_failed <= unlock_time) { -+ !ts_after(entry->last_failed, unlock_time)) { - /* Reset fail_auth_count after administrative unlock. 
*/ - entry->fail_auth_count = 0; - entry->mask |= KADM5_FAIL_AUTH_COUNT; - } - - if (failcnt_interval != 0 && -- stamp > entry->last_failed + failcnt_interval) { -+ ts_after(stamp, ts_incr(entry->last_failed, failcnt_interval))) { - /* Reset fail_auth_count after failcnt_interval */ - entry->fail_auth_count = 0; - entry->mask |= KADM5_FAIL_AUTH_COUNT; -diff --git a/src/windows/cns/tktlist.c b/src/windows/cns/tktlist.c -index f2805f5cd..26e699fae 100644 ---- a/src/windows/cns/tktlist.c -+++ b/src/windows/cns/tktlist.c -@@ -35,6 +35,8 @@ - #include "cns.h" - #include "tktlist.h" - -+#define ts2tt(t) (time_t)(uint32_t)(t) -+ - /* - * Ticket information for a list line - */ -@@ -167,10 +169,10 @@ ticket_init_list (HWND hwnd) - - ncred++; - strcpy (buf, " "); -- strncat(buf, short_date (c.times.starttime - kwin_get_epoch()), -+ strncat(buf, short_date(ts2tt(c.times.starttime) - kwin_get_epoch()), - sizeof(buf) - 1 - strlen(buf)); - strncat(buf, " ", sizeof(buf) - 1 - strlen(buf)); -- strncat(buf, short_date (c.times.endtime - kwin_get_epoch()), -+ strncat(buf, short_date(ts2tt(c.times.endtime) - kwin_get_epoch()), - sizeof(buf) - 1 - strlen(buf)); - strncat(buf, " ", sizeof(buf) - 1 - strlen(buf)); - -@@ -192,8 +194,8 @@ ticket_init_list (HWND hwnd) - return -1; - - lpinfo->ticket = TRUE; -- lpinfo->issue_time = c.times.starttime - kwin_get_epoch(); -- lpinfo->lifetime = c.times.endtime - c.times.starttime; -+ lpinfo->issue_time = ts2tt(c.times.starttime) - kwin_get_epoch(); -+ lpinfo->lifetime = ts2tt(c.times.endtime) - c.times.starttime; - strcpy(lpinfo->buf, buf); - - rc = ListBox_AddItemData(hwnd, lpinfo); -diff --git a/src/windows/include/leashwin.h b/src/windows/include/leashwin.h -index 9577365a7..325dce2e9 100644 ---- a/src/windows/include/leashwin.h -+++ b/src/windows/include/leashwin.h -@@ -111,9 +111,9 @@ struct TicketList { - TicketList *next; - char *service; - char *encTypes; -- krb5_timestamp issued; -- krb5_timestamp valid_until; -- krb5_timestamp 
renew_until; -+ time_t issued; -+ time_t valid_until; -+ time_t renew_until; - unsigned long flags; - }; - -@@ -124,9 +124,9 @@ struct TICKETINFO { - char *ccache_name; - TicketList *ticket_list; - int btickets; /* Do we have tickets? */ -- long issued; /* The issue time */ -- long valid_until; /* */ -- long renew_until; /* The Renew time (k5 only) */ -+ time_t issued; /* The issue time */ -+ time_t valid_until; /* */ -+ time_t renew_until; /* The Renew time (k5 only) */ - unsigned long flags; - }; - -diff --git a/src/windows/leash/KrbListTickets.cpp b/src/windows/leash/KrbListTickets.cpp -index beab0ea11..5dd37b05a 100644 ---- a/src/windows/leash/KrbListTickets.cpp -+++ b/src/windows/leash/KrbListTickets.cpp -@@ -92,10 +92,10 @@ etype_string(krb5_enctype enctype) - static void - CredToTicketInfo(krb5_creds KRBv5Credentials, TICKETINFO *ticketinfo) - { -- ticketinfo->issued = KRBv5Credentials.times.starttime; -- ticketinfo->valid_until = KRBv5Credentials.times.endtime; -+ ticketinfo->issued = (DWORD)KRBv5Credentials.times.starttime; -+ ticketinfo->valid_until = (DWORD)KRBv5Credentials.times.endtime; - ticketinfo->renew_until = KRBv5Credentials.ticket_flags & TKT_FLG_RENEWABLE ? 
-- KRBv5Credentials.times.renew_till : 0; -+ (DWORD)KRBv5Credentials.times.renew_till : (DWORD)0; - _tzset(); - if ( ticketinfo->valid_until - time(0) <= 0L ) - ticketinfo->btickets = EXPD_TICKETS; -@@ -137,10 +137,10 @@ CredToTicketList(krb5_context ctx, krb5_creds KRBv5Credentials, - functionName = "calloc()"; - goto cleanup; - } -- list->issued = KRBv5Credentials.times.starttime; -- list->valid_until = KRBv5Credentials.times.endtime; -+ list->issued = (DWORD)KRBv5Credentials.times.starttime; -+ list->valid_until = (DWORD)KRBv5Credentials.times.endtime; - if (KRBv5Credentials.ticket_flags & TKT_FLG_RENEWABLE) -- list->renew_until = KRBv5Credentials.times.renew_till; -+ list->renew_until = (DWORD)KRBv5Credentials.times.renew_till; - else - list->renew_until = 0; - -diff --git a/src/windows/leash/LeashView.cpp b/src/windows/leash/LeashView.cpp -index ef2a5a3e0..253ae3f06 100644 ---- a/src/windows/leash/LeashView.cpp -+++ b/src/windows/leash/LeashView.cpp -@@ -229,22 +229,22 @@ static HFONT CreateBoldItalicFont(HFONT font) - - bool change_icon_size = true; - --void krb5TimestampToFileTime(krb5_timestamp t, LPFILETIME pft) -+void TimestampToFileTime(time_t t, LPFILETIME pft) - { - // Note that LONGLONG is a 64-bit value -- LONGLONG ll; -+ ULONGLONG ll; - -- ll = Int32x32To64(t, 10000000) + 116444736000000000; -+ ll = UInt32x32To64((DWORD)t, 10000000) + 116444736000000000; - pft->dwLowDateTime = (DWORD)ll; - pft->dwHighDateTime = ll >> 32; - } - - // allocate outstr --void krb5TimestampToLocalizedString(krb5_timestamp t, LPTSTR *outStr) -+void TimestampToLocalizedString(time_t t, LPTSTR *outStr) - { - FILETIME ft, lft; - SYSTEMTIME st; -- krb5TimestampToFileTime(t, &ft); -+ TimestampToFileTime(t, &ft); - FileTimeToLocalFileTime(&ft, &lft); - FileTimeToSystemTime(&lft, &st); - TCHAR timeFormat[80]; // 80 is max required for LOCALE_STIMEFORMAT -@@ -1125,9 +1125,9 @@ void CLeashView::AddDisplayItem(CListCtrl &list, - CCacheDisplayData *elem, - int iItem, - char 
*principal, -- long issued, -- long valid_until, -- long renew_until, -+ time_t issued, -+ time_t valid_until, -+ time_t renew_until, - char *encTypes, - unsigned long flags, - char *ccache_name) -@@ -1145,7 +1145,7 @@ void CLeashView::AddDisplayItem(CListCtrl &list, - if (issued == 0) { - list.SetItemText(iItem, iSubItem++, "Unknown"); - } else { -- krb5TimestampToLocalizedString(issued, &localTimeStr); -+ TimestampToLocalizedString(issued, &localTimeStr); - list.SetItemText(iItem, iSubItem++, localTimeStr); - } - } -@@ -1155,7 +1155,7 @@ void CLeashView::AddDisplayItem(CListCtrl &list, - } else if (valid_until < now) { - list.SetItemText(iItem, iSubItem++, "Expired"); - } else if (renew_until) { -- krb5TimestampToLocalizedString(renew_until, &localTimeStr); -+ TimestampToLocalizedString(renew_until, &localTimeStr); - DurationToString(renew_until - now, &durationStr); - if (localTimeStr && durationStr) { - _snprintf(tempStr, MAX_DURATION_STR, "%s %s", localTimeStr, durationStr); -@@ -1172,7 +1172,7 @@ void CLeashView::AddDisplayItem(CListCtrl &list, - } else if (valid_until < now) { - list.SetItemText(iItem, iSubItem++, "Expired"); - } else { -- krb5TimestampToLocalizedString(valid_until, &localTimeStr); -+ TimestampToLocalizedString(valid_until, &localTimeStr); - DurationToString(valid_until - now, &durationStr); - if (localTimeStr && durationStr) { - _snprintf(tempStr, MAX_DURATION_STR, "%s %s", localTimeStr, durationStr); -diff --git a/src/windows/leashdll/lshfunc.c b/src/windows/leashdll/lshfunc.c -index 0f76cc334..8dafb7bed 100644 ---- a/src/windows/leashdll/lshfunc.c -+++ b/src/windows/leashdll/lshfunc.c -@@ -2898,7 +2898,7 @@ static BOOL cc_have_tickets(krb5_context ctx, krb5_ccache cache) - _tzset(); - while (!(code = pkrb5_cc_next_cred(ctx, cache, &cur, &creds))) { - if ((!pkrb5_is_config_principal(ctx, creds.server)) && -- (creds.times.endtime - time(0) > 0)) -+ ((time_t)(DWORD)creds.times.endtime - time(0) > 0)) - have_tickets = TRUE; - - 
pkrb5_free_cred_contents(ctx, &creds);
-diff --git a/src/windows/ms2mit/ms2mit.c b/src/windows/ms2mit/ms2mit.c
-index c3325034a..2b4373cc1 100644
---- a/src/windows/ms2mit/ms2mit.c
-+++ b/src/windows/ms2mit/ms2mit.c
-@@ -74,7 +74,7 @@ cc_has_tickets(krb5_context kcontext, krb5_ccache ccache, int *has_tickets)
- break;
-
- if (!krb5_is_config_principal(kcontext, creds.server) &&
-- creds.times.endtime > now)
-+ ts_after(creds.times.endtime, now))
- *has_tickets = 1;
-
- krb5_free_cred_contents(kcontext, &creds);
diff --git a/Remove-incomplete-PKINIT-OCSP-support.patch b/Remove-incomplete-PKINIT-OCSP-support.patch
deleted file mode 100644
index 2f40965..0000000
--- a/Remove-incomplete-PKINIT-OCSP-support.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 466d09c9b2c456d663672cb6d5f661ef86e8536e Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Mon, 31 Jul 2017 16:03:41 -0400
-Subject: [PATCH] Remove incomplete PKINIT OCSP support
-
-pkinit_kdc_ocsp is non-functional in the PKINIT OpenSSL crypto
-implementation, so remove most traces of it, including its man page
-entry. If it is present in kdc.conf, error out of PKINIT
-initialization instead of silently ignoring the realm entirely.
-
-ticket: 8603 (new)
-(cherry picked from commit 3ff426b9048a8024e5c175256c63cd0ad0572320)
----
- doc/admin/conf_files/kdc_conf.rst | 3 ---
- src/man/kdc.conf.man | 3 ---
- src/plugins/preauth/pkinit/pkinit.h | 2 +-
- src/plugins/preauth/pkinit/pkinit_identity.c | 11 -----------
- src/plugins/preauth/pkinit/pkinit_srv.c | 12 ++++++++++--
- 5 files changed, 11 insertions(+), 20 deletions(-)
-
-diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
-index 4e54f7e1d..d00e7926c 100644
---- a/doc/admin/conf_files/kdc_conf.rst
-+++ b/doc/admin/conf_files/kdc_conf.rst
-@@ -765,9 +765,6 @@ For information about the syntax of some of these options, see
- pkinit is used to authenticate. This option may be specified
- multiple times. (New in release 1.14.)
-
--**pkinit_kdc_ocsp**
-- Specifies the location of the KDC's OCSP.
--
- **pkinit_pool**
- Specifies the location of intermediate certificates which may be
- used by the KDC to complete the trust chain between a client's
-diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
-index d207ebd7f..c47da0117 100644
---- a/src/man/kdc.conf.man
-+++ b/src/man/kdc.conf.man
-@@ -886,9 +886,6 @@ Specifies an authentication indicator to include in the ticket if
- pkinit is used to authenticate. This option may be specified
- multiple times. (New in release 1.14.)
- .TP
--.B \fBpkinit_kdc_ocsp\fP
--Specifies the location of the KDC\(aqs OCSP.
--.TP
- .B \fBpkinit_pool\fP
- Specifies the location of intermediate certificates which may be
- used by the KDC to complete the trust chain between a client\(aqs
-diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
-index 876db94c3..a49f3078e 100644
---- a/src/plugins/preauth/pkinit/pkinit.h
-+++ b/src/plugins/preauth/pkinit/pkinit.h
-@@ -73,6 +73,7 @@
- #define KRB5_CONF_PKINIT_IDENTITIES "pkinit_identities"
- #define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity"
- #define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname"
-+/* pkinit_kdc_ocsp has been removed */
- #define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp"
- #define KRB5_CONF_PKINIT_POOL "pkinit_pool"
- #define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking"
-@@ -173,7 +174,6 @@ typedef struct _pkinit_identity_opts {
- char **anchors;
- char **intermediates;
- char **crls;
-- char *ocsp;
- int idtype;
- char *cert_filename;
- char *key_filename;
-diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
-index 177a2cad8..a897efa25 100644
---- a/src/plugins/preauth/pkinit/pkinit_identity.c
-+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
-@@ -125,7 +125,6 @@ pkinit_init_identity_opts(pkinit_identity_opts **idopts)
- opts->anchors = NULL;
- opts->intermediates = NULL;
- opts->crls = NULL;
-- opts->ocsp = NULL;
-
- opts->cert_filename = NULL;
- opts->key_filename = NULL;
-@@ -174,12 +173,6 @@ pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
- if (retval)
- goto cleanup;
-
-- if (src_opts->ocsp != NULL) {
-- newopts->ocsp = strdup(src_opts->ocsp);
-- if (newopts->ocsp == NULL)
-- goto cleanup;
-- }
--
- if (src_opts->cert_filename != NULL) {
- newopts->cert_filename = strdup(src_opts->cert_filename);
- if (newopts->cert_filename == NULL)
-@@ -674,10 +667,6 @@ pkinit_identity_prompt(krb5_context context,
- if (retval)
- goto errout;
- }
-- if (idopts->ocsp != NULL) {
-- retval = ENOTSUP;
-- goto
errout; -- } - - errout: - return retval; -diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c -index 731d14eb8..32ca122f2 100644 ---- a/src/plugins/preauth/pkinit/pkinit_srv.c -+++ b/src/plugins/preauth/pkinit/pkinit_srv.c -@@ -1252,7 +1252,7 @@ static krb5_error_code - pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx) - { - krb5_error_code retval; -- char *eku_string = NULL; -+ char *eku_string = NULL, *ocsp_check = NULL; - - pkiDebug("%s: entered for realm %s\n", __FUNCTION__, plgctx->realmname); - retval = pkinit_kdcdefault_string(context, plgctx->realmname, -@@ -1287,7 +1287,15 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx) - - pkinit_kdcdefault_string(context, plgctx->realmname, - KRB5_CONF_PKINIT_KDC_OCSP, -- &plgctx->idopts->ocsp); -+ &ocsp_check); -+ if (ocsp_check != NULL) { -+ free(ocsp_check); -+ retval = ENOTSUP; -+ krb5_set_error_message(context, retval, -+ _("OCSP is not supported: (realm: %s)"), -+ plgctx->realmname); -+ goto errout; -+ } - - pkinit_kdcdefault_integer(context, plgctx->realmname, - KRB5_CONF_PKINIT_DH_MIN_BITS, diff --git a/Use-GSSAPI-fallback-skiptest.patch b/Use-GSSAPI-fallback-skiptest.patch index 118df5a..14beb76 100644 --- a/Use-GSSAPI-fallback-skiptest.patch +++ b/Use-GSSAPI-fallback-skiptest.patch @@ -1,4 +1,4 @@ -From 6d0b40b26e7fea1cd394618c1ab6d5e366bbc069 Mon Sep 17 00:00:00 2001 +From 697f19c5bfd4470c167d35c7af43c82a32660b82 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Wed, 1 Mar 2017 17:46:22 -0500 Subject: [PATCH] Use GSSAPI fallback skiptest diff --git a/Use-expected_msg-in-test-scripts.patch b/Use-expected_msg-in-test-scripts.patch deleted file mode 100644 index d4dc83e..0000000 --- a/Use-expected_msg-in-test-scripts.patch +++ /dev/null 
@@ -1,2584 +0,0 @@
-From 24ac588502b1731a7fd2629804f8d9ed1668297e Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Wed, 18 Jan 2017 11:22:58 -0500
-Subject: [PATCH] Use expected_msg in test scripts
-
-(cherry picked from commit d406afa363554097ac48646a29249c04f498c88e)
----
- src/appl/gss-sample/t_gss_sample.py | 18 ++-
- src/appl/user_user/t_user2user.py | 6 +-
- src/kdc/t_emptytgt.py | 5 +-
- src/lib/krb5/krb/t_expire_warn.py | 13 +-
- src/tests/gssapi/t_authind.py | 5 +-
- src/tests/gssapi/t_ccselect.py | 10 +-
- src/tests/gssapi/t_client_keytab.py | 60 +++------
- src/tests/gssapi/t_enctypes.py | 4 +-
- src/tests/gssapi/t_export_cred.py | 4 +-
- src/tests/gssapi/t_gssapi.py | 97 +++++---------
- src/tests/gssapi/t_s4u.py | 21 ++-
- src/tests/t_audit.py | 11 +-
- src/tests/t_authdata.py | 58 +++-----
- src/tests/t_ccache.py | 38 ++----
- src/tests/t_crossrealm.py | 14 +-
- src/tests/t_dump.py | 31 ++---
- src/tests/t_general.py | 12 +-
- src/tests/t_hostrealm.py | 5 +-
- src/tests/t_iprop.py | 103 ++++++---------
- src/tests/t_kadm5_hook.py | 10 +-
- src/tests/t_kadmin_acl.py | 254 ++++++++++++++----------------------
- src/tests/t_kadmin_parsing.py | 30 ++---
- src/tests/t_kdb.py | 127 +++++++-----------
- src/tests/t_kdb_locking.py | 5 +-
- src/tests/t_keydata.py | 16 +--
- src/tests/t_keyrollover.py | 16 +--
- src/tests/t_keytab.py | 50 +++----
- src/tests/t_kprop.py | 13 +-
- src/tests/t_localauth.py | 5 +-
- src/tests/t_mkey.py | 45 +++----
- src/tests/t_otp.py | 10 +-
- src/tests/t_pkinit.py | 27 ++--
- src/tests/t_policy.py | 101 +++++---------
- src/tests/t_preauth.py | 14 +-
- src/tests/t_pwqual.py | 25 ++--
- src/tests/t_referral.py | 10 +-
- src/tests/t_renew.py | 5 +-
- src/tests/t_salt.py | 12 +-
- src/tests/t_skew.py | 22 ++--
- src/tests/t_stringattr.py | 4 +-
- 40 files changed, 475 insertions(+), 841 deletions(-)
-
-diff --git a/src/appl/gss-sample/t_gss_sample.py b/src/appl/gss-sample/t_gss_sample.py
-index 8a6b0304f..0299e4590 100755
----
a/src/appl/gss-sample/t_gss_sample.py -+++ b/src/appl/gss-sample/t_gss_sample.py -@@ -31,22 +31,20 @@ gss_server = os.path.join(appdir, 'gss-server') - # Run a gss-server process and a gss-client process, with additional - # gss-client flags given by options and additional gss-server flags - # given by server_options. Return the output of gss-client. --def run_client_server(realm, options, server_options, expected_code=0): -+def run_client_server(realm, options, server_options, **kwargs): - portstr = str(realm.server_port()) - server_args = [gss_server, '-export', '-port', portstr] - server_args += server_options + ['host'] - server = realm.start_server(server_args, 'starting...') -- out = realm.run([gss_client, '-port', portstr] + options + -- [hostname, 'host', 'testmsg'], expected_code=expected_code) -+ realm.run([gss_client, '-port', portstr] + options + -+ [hostname, 'host', 'testmsg'], **kwargs) - stop_daemon(server) -- return out - - # Run a gss-server and gss-client process, and verify that gss-client - # displayed the expected output for a successful negotiation. - def server_client_test(realm, options, server_options): -- out = run_client_server(realm, options, server_options) -- if 'Signature verified.' not in out: -- fail('Expected message not seen in gss-client output') -+ run_client_server(realm, options, server_options, -+ expected_msg='Signature verified.') - - # Make up a filename to hold user's initial credentials. - def ccache_savefile(realm): -@@ -81,10 +79,10 @@ def pw_test(realm, options, server_options=[]): - # IAKERB, gss_aqcuire_cred_with_password() otherwise). 
- def wrong_pw_test(realm, options, server_options=[], iakerb=False): - options = options + ['-user', realm.user_princ, '-pass', 'wrongpw'] -- out = run_client_server(realm, options, server_options, expected_code=1) - failed_op = 'initializing context' if iakerb else 'acquiring creds' -- if 'GSS-API error ' + failed_op not in out: -- fail('Expected error not seen in gss-client output') -+ msg = 'GSS-API error ' + failed_op -+ run_client_server(realm, options, server_options, expected_code=1, -+ expected_msg=msg) - - # Perform a test of the server and client with initial credentials - # obtained with the client keytab -diff --git a/src/appl/user_user/t_user2user.py b/src/appl/user_user/t_user2user.py -index 8bdef8e07..2a7d03f8d 100755 ---- a/src/appl/user_user/t_user2user.py -+++ b/src/appl/user_user/t_user2user.py -@@ -10,9 +10,9 @@ for realm in multipass_realms(): - else: - srv_output = realm.start_server(['./uuserver', '9999'], 'Server started') - -- output = realm.run(['./uuclient', hostname, 'testing message', '9999']) -- if 'uu-client: server says \"Hello, other end of connection.\"' not in output: -- fail('Message not echoed back.') -+ msg = 'uu-client: server says "Hello, other end of connection."' -+ realm.run(['./uuclient', hostname, 'testing message', '9999'], -+ expected_msg=msg) - - - success('User-2-user test programs') -diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py -index 8f7717a01..2d0432e33 100755 ---- a/src/kdc/t_emptytgt.py -+++ b/src/kdc/t_emptytgt.py -@@ -2,7 +2,6 @@ - from k5test import * - - realm = K5Realm(create_host=False) --output = realm.run([kvno, 'krbtgt/'], expected_code=1) --if 'not found in Kerberos database' not in output: -- fail('TGT lookup for empty realm failed in unexpected way') -+realm.run([kvno, 'krbtgt/'], expected_code=1, -+ expected_msg='not found in Kerberos database') - success('Empty tgt lookup.') -diff --git a/src/lib/krb5/krb/t_expire_warn.py b/src/lib/krb5/krb/t_expire_warn.py -index 
e021379ab..aed39e399 100755 ---- a/src/lib/krb5/krb/t_expire_warn.py -+++ b/src/lib/krb5/krb/t_expire_warn.py -@@ -39,15 +39,10 @@ realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '3 days', 'days']) - output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '0']) - if output: - fail('Unexpected output for noexpire') --output = realm.run(['./t_expire_warn', 'minutes', 'pass', '0']) --if ' less than one hour on ' not in output: -- fail('Expected warning not seen for minutes') --output = realm.run(['./t_expire_warn', 'hours', 'pass', '0']) --if ' hours on ' not in output: -- fail('Expected warning not seen for hours') --output = realm.run(['./t_expire_warn', 'days', 'pass', '0']) --if ' days on ' not in output: -- fail('Expected warning not seen for days') -+realm.run(['./t_expire_warn', 'minutes', 'pass', '0'], -+ expected_msg=' less than one hour on ') -+realm.run(['./t_expire_warn', 'hours', 'pass', '0'], expected_msg=' hours on ') -+realm.run(['./t_expire_warn', 'days', 'pass', '0'], expected_msg=' days on ') - - # Check for expected expire callback behavior. 
These tests are - # carefully agnostic about whether the KDC supports last_req fields, -diff --git a/src/tests/gssapi/t_authind.py b/src/tests/gssapi/t_authind.py -index 316bc4093..dfd0a9a04 100644 ---- a/src/tests/gssapi/t_authind.py -+++ b/src/tests/gssapi/t_authind.py -@@ -24,9 +24,8 @@ if ('Attribute auth-indicators Authenticated Complete') not in out: - if '73757065727374726f6e67' not in out: - fail('Expected auth indicator not seen in name attributes') - --out = realm.run(['./t_srcattrs', 'p:service/2'], expected_code=1) --if 'gss_init_sec_context: KDC policy rejects request' not in out: -- fail('Expected error message not seen for indicator mismatch') -+msg = 'gss_init_sec_context: KDC policy rejects request' -+realm.run(['./t_srcattrs', 'p:service/2'], expected_code=1, expected_msg=msg) - - realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=one two']) - out = realm.run(['./t_srcattrs', 'p:service/2']) -diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py -index 6be6b4ec0..1ea614d30 100755 ---- a/src/tests/gssapi/t_ccselect.py -+++ b/src/tests/gssapi/t_ccselect.py -@@ -45,9 +45,8 @@ refserver = 'p:host/' + hostname + '@' - - # Verify that we can't get initiator creds with no credentials in the - # collection. --output = r1.run(['./t_ccselect', host1, '-'], expected_code=1) --if 'No Kerberos credentials available' not in output: -- fail('Expected error not seen in output when no credentials available') -+r1.run(['./t_ccselect', host1, '-'], expected_code=1, -+ expected_msg='No Kerberos credentials available') - - # Make a directory collection and use it for client commands in both realms. 
- ccdir = os.path.join(r1.testdir, 'cc') -@@ -117,8 +116,7 @@ if output != (zaphod + '\n'): - output = r1.run(['./t_ccselect', refserver]) - if output != (bob + '\n'): - fail('bob not chosen via primary cache when no .k5identity line matches.') --output = r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1) --if 'Can\'t find client principal noprinc' not in output: -- fail('Expected error not seen when k5identity selects bad principal.') -+r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1, -+ expected_msg="Can't find client principal noprinc") - - success('GSSAPI credential selection tests') -diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py -index 4c8747a50..2da87f45b 100755 ---- a/src/tests/gssapi/t_client_keytab.py -+++ b/src/tests/gssapi/t_client_keytab.py -@@ -15,9 +15,7 @@ realm.extract_keytab(realm.user_princ, realm.client_keytab) - realm.extract_keytab(bob, realm.client_keytab) - - # Test 1: no name/cache specified, pick first principal from client keytab --out = realm.run(['./t_ccselect', phost]) --if realm.user_princ not in out: -- fail('Authenticated as wrong principal') -+realm.run(['./t_ccselect', phost], expected_msg=realm.user_princ) - realm.run([kdestroy]) - - # Test 2: no name/cache specified, pick principal from k5identity -@@ -25,36 +23,27 @@ k5idname = os.path.join(realm.testdir, '.k5identity') - k5id = open(k5idname, 'w') - k5id.write('%s service=host host=%s\n' % (bob, hostname)) - k5id.close() --out = realm.run(['./t_ccselect', gssserver]) --if bob not in out: -- fail('Authenticated as wrong principal') -+realm.run(['./t_ccselect', gssserver], expected_msg=bob) - os.remove(k5idname) - realm.run([kdestroy]) - - # Test 3: no name/cache specified, default ccache has name but no creds - realm.run(['./ccinit', realm.ccache, bob]) --out = realm.run(['./t_ccselect', phost]) --if bob not in out: -- fail('Authenticated as wrong principal') -+realm.run(['./t_ccselect', phost], 
expected_msg=bob) - # Leave tickets for next test. - - # Test 4: name specified, non-collectable default cache doesn't match --out = realm.run(['./t_ccselect', phost, puser], expected_code=1) --if 'Principal in credential cache does not match desired name' not in out: -- fail('Expected error not seen') -+msg = 'Principal in credential cache does not match desired name' -+realm.run(['./t_ccselect', phost, puser], expected_code=1, expected_msg=msg) - realm.run([kdestroy]) - - # Test 5: name specified, nonexistent default cache --out = realm.run(['./t_ccselect', phost, pbob]) --if bob not in out: -- fail('Authenticated as wrong principal') -+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) - # Leave tickets for next test. - - # Test 6: name specified, matches default cache, time to refresh - realm.run(['./ccrefresh', realm.ccache, '1']) --out = realm.run(['./t_ccselect', phost, pbob]) --if bob not in out: -- fail('Authenticated as wrong principal') -+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) - out = realm.run(['./ccrefresh', realm.ccache]) - if int(out) < 1000: - fail('Credentials apparently not refreshed') -@@ -67,9 +56,8 @@ realm.run([kdestroy]) - - # Test 8: ccache specified with name but no creds; name not in client keytab - realm.run(['./ccinit', realm.ccache, realm.host_princ]) --out = realm.run(['./t_imp_cred', phost], expected_code=1) --if 'Credential cache is empty' not in out: -- fail('Expected error not seen') -+realm.run(['./t_imp_cred', phost], expected_code=1, -+ expected_msg='Credential cache is empty') - realm.run([kdestroy]) - - # Test 9: ccache specified with name but no creds; name in client keytab -@@ -104,16 +92,12 @@ realm.env['KRB5CCNAME'] = ccname - # Test 12: name specified, matching cache in collection with no creds - bobcache = os.path.join(ccdir, 'tktbob') - realm.run(['./ccinit', bobcache, bob]) --out = realm.run(['./t_ccselect', phost, pbob]) --if bob not in out: -- fail('Authenticated as wrong principal') 
-+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
- # Leave tickets for next test.
-
- # Test 13: name specified, matching cache in collection, time to refresh
- realm.run(['./ccrefresh', bobcache, '1'])
--out = realm.run(['./t_ccselect', phost, pbob])
--if bob not in out:
-- fail('Authenticated as wrong principal')
-+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
- out = realm.run(['./ccrefresh', bobcache])
- if int(out) < 1000:
- fail('Credentials apparently not refreshed')
-@@ -121,22 +105,15 @@ realm.run([kdestroy, '-A'])
-
- # Test 14: name specified, collection has default for different principal
- realm.kinit(realm.user_princ, password('user'))
--out = realm.run(['./t_ccselect', phost, pbob])
--if bob not in out:
-- fail('Authenticated as wrong principal')
--out = realm.run([klist])
--if 'Default principal: %s\n' % realm.user_princ not in out:
-- fail('Default cache overwritten by acquire_cred')
-+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
-+msg = 'Default principal: %s\n' % realm.user_princ
-+realm.run([klist], expected_msg=msg)
- realm.run([kdestroy, '-A'])
-
- # Test 15: name specified, collection has no default cache
--out = realm.run(['./t_ccselect', phost, pbob])
--if bob not in out:
-- fail('Authenticated as wrong principal')
-+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
- # Make sure the tickets we acquired didn't become the default
--out = realm.run([klist], expected_code=1)
--if 'No credentials cache found' not in out:
-- fail('Expected error not seen')
-+realm.run([klist], expected_code=1, expected_msg='No credentials cache found')
- realm.run([kdestroy, '-A'])
-
- # Test 16: default client keytab cannot be resolved, but valid
-@@ -145,8 +122,7 @@ conf = {'libdefaults': {'default_client_keytab_name': '%{'}}
- bad_cktname = realm.special_env('bad_cktname', False, krb5_conf=conf)
- del bad_cktname['KRB5_CLIENT_KTNAME']
- realm.kinit(realm.user_princ, password('user'))
--out =
realm.run(['./t_ccselect', phost], env=bad_cktname)
--if realm.user_princ not in out:
-- fail('Expected principal not seen for bad client keytab name')
-+realm.run(['./t_ccselect', phost], env=bad_cktname,
-+ expected_msg=realm.user_princ)
-
- success('Client keytab tests')
-diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
-index 862f22989..f513db2b5 100755
---- a/src/tests/gssapi/t_enctypes.py
-+++ b/src/tests/gssapi/t_enctypes.py
-@@ -58,9 +58,7 @@ def test(msg, ienc, aenc, tktenc='', tktsession='', proto='', isubkey='',
- # and check that it fails with the expected error message.
- def test_err(msg, ienc, aenc, expected_err):
- shutil.copyfile(os.path.join(realm.testdir, 'save'), realm.ccache)
-- out = realm.run(cmdline(ienc, aenc), expected_code=1)
-- if expected_err not in out:
-- fail(msg)
-+ realm.run(cmdline(ienc, aenc), expected_code=1, expected_msg=expected_err)
-
-
- # By default, all of the key enctypes should be aes256.
-diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py
-index 698835928..b98962788 100755
---- a/src/tests/gssapi/t_export_cred.py
-+++ b/src/tests/gssapi/t_export_cred.py
-@@ -23,9 +23,7 @@ def ccache_restore(realm):
- def check(realm, args):
- ccache_restore(realm)
- realm.run(['./t_export_cred'] + args)
-- output = realm.run([klist, '-f'])
-- if 'Flags: Ff' not in output:
-- fail('Forwarded tickets not found in ccache after t_export_cred')
-+ realm.run([klist, '-f'], expected_msg='Flags: Ff')
-
- # Check a given set of arguments with no specified mech and with krb5
- # and SPNEGO as the specified mech.
-diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
-index e23c936d7..397e58962 100755
---- a/src/tests/gssapi/t_gssapi.py
-+++ b/src/tests/gssapi/t_gssapi.py
-@@ -28,57 +28,40 @@ realm.run([kadminl, 'renprinc', 'service1/abraham', 'service1/andrew'])
-
- # Test with no acceptor name, including client/keytab principal
- # mismatch (non-fatal) and missing keytab entry (fatal).
--output = realm.run(['./t_accname', 'p:service1/andrew'])
--if 'service1/abraham' not in output:
-- fail('Expected service1/abraham in t_accname output')
--output = realm.run(['./t_accname', 'p:service1/barack'])
--if 'service1/barack' not in output:
-- fail('Expected service1/barack in t_accname output')
--output = realm.run(['./t_accname', 'p:service2/calvin'])
--if 'service2/calvin' not in output:
-- fail('Expected service1/barack in t_accname output')
--output = realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1)
--if ' not found in keytab' not in output:
-- fail('Expected error message not seen in t_accname output')
-+realm.run(['./t_accname', 'p:service1/andrew'],
-+ expected_msg='service1/abraham')
-+realm.run(['./t_accname', 'p:service1/barack'], expected_msg='service1/barack')
-+realm.run(['./t_accname', 'p:service2/calvin'], expected_msg='service2/calvin')
-+realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1,
-+ expected_msg=' not found in keytab')
-
- # Test with acceptor name containing service only, including
- # client/keytab hostname mismatch (non-fatal) and service name
- # mismatch (fatal).
--output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service1'])
--if 'service1/abraham' not in output:
-- fail('Expected service1/abraham in t_accname output')
--output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'],
-- expected_code=1)
--if ' not found in keytab' not in output:
-- fail('Expected error message not seen in t_accname output')
--output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'])
--if 'service2/calvin' not in output:
-- fail('Expected service2/calvin in t_accname output')
--output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'],
-- expected_code=1)
--if ' found in keytab but does not match server principal' not in output:
-- fail('Expected error message not seen in t_accname output')
-+realm.run(['./t_accname', 'p:service1/andrew', 'h:service1'],
-+ expected_msg='service1/abraham')
-+realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'], expected_code=1,
-+ expected_msg=' not found in keytab')
-+realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'],
-+ expected_msg='service2/calvin')
-+realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], expected_code=1,
-+ expected_msg=' found in keytab but does not match server principal')
-
- # Test with acceptor name containing service and host. Use the
- # client's un-canonicalized hostname as acceptor input to mirror what
- # many servers do.
--output = realm.run(['./t_accname', 'p:' + realm.host_princ,
-- 'h:host@%s' % socket.gethostname()])
--if realm.host_princ not in output:
-- fail('Expected %s in t_accname output' % realm.host_princ)
--output = realm.run(['./t_accname', 'p:host/-nomatch-',
-- 'h:host@%s' % socket.gethostname()],
-- expected_code=1)
--if ' not found in keytab' not in output:
-- fail('Expected error message not seen in t_accname output')
-+realm.run(['./t_accname', 'p:' + realm.host_princ,
-+ 'h:host@%s' % socket.gethostname()], expected_msg=realm.host_princ)
-+realm.run(['./t_accname', 'p:host/-nomatch-',
-+ 'h:host@%s' % socket.gethostname()], expected_code=1,
-+ expected_msg=' not found in keytab')
-
- # Test krb5_gss_import_cred.
- realm.run(['./t_imp_cred', 'p:service1/barack'])
- realm.run(['./t_imp_cred', 'p:service1/barack', 'service1/barack'])
- realm.run(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham'])
--output = realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1)
--if ' not found in keytab' not in output:
-- fail('Expected error message not seen in t_imp_cred output')
-+realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1,
-+ expected_msg=' not found in keytab')
-
- # Test credential store extension.
- tmpccname = 'FILE:' + os.path.join(realm.testdir, 'def_cache')
-@@ -116,10 +99,8 @@ ignore_conf = {'libdefaults': {'ignore_acceptor_hostname': 'true'}}
- realm = K5Realm(krb5_conf=ignore_conf)
- realm.run([kadminl, 'addprinc', '-randkey', 'host/-nomatch-'])
- realm.run([kadminl, 'xst', 'host/-nomatch-'])
--output = realm.run(['./t_accname', 'p:host/-nomatch-',
-- 'h:host@%s' % socket.gethostname()])
--if 'host/-nomatch-' not in output:
-- fail('Expected host/-nomatch- in t_accname output')
-+realm.run(['./t_accname', 'p:host/-nomatch-',
-+ 'h:host@%s' % socket.gethostname()], expected_msg='host/-nomatch-')
-
- realm.stop()
-
-@@ -141,41 +122,25 @@ r3.stop()
- realm = K5Realm()
-
- # Test deferred resolution of the default ccache for initiator creds.
--output = realm.run(['./t_inq_cred'])
--if realm.user_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.user_princ)
--output = realm.run(['./t_inq_cred', '-k'])
--if realm.user_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.user_princ)
--output = realm.run(['./t_inq_cred', '-s'])
--if realm.user_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.user_princ)
-+realm.run(['./t_inq_cred'], expected_msg=realm.user_princ)
-+realm.run(['./t_inq_cred', '-k'], expected_msg=realm.user_princ)
-+realm.run(['./t_inq_cred', '-s'], expected_msg=realm.user_princ)
-
- # Test picking a name from the keytab for acceptor creds.
--output = realm.run(['./t_inq_cred', '-a'])
--if realm.host_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.host_princ)
--output = realm.run(['./t_inq_cred', '-k', '-a'])
--if realm.host_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.host_princ)
--output = realm.run(['./t_inq_cred', '-s', '-a'])
--if realm.host_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.host_princ)
-+realm.run(['./t_inq_cred', '-a'], expected_msg=realm.host_princ)
-+realm.run(['./t_inq_cred', '-k', '-a'], expected_msg=realm.host_princ)
-+realm.run(['./t_inq_cred', '-s', '-a'], expected_msg=realm.host_princ)
-
- # Test client keytab initiation (non-deferred) with a specified name.
- realm.extract_keytab(realm.user_princ, realm.client_keytab)
- os.remove(realm.ccache)
--output = realm.run(['./t_inq_cred', '-k'])
--if realm.user_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.user_princ)
-+realm.run(['./t_inq_cred', '-k'], expected_msg=realm.user_princ)
-
- # Test deferred client keytab initiation and GSS_C_BOTH cred usage.
- os.remove(realm.client_keytab)
- os.remove(realm.ccache)
- shutil.copyfile(realm.keytab, realm.client_keytab)
--output = realm.run(['./t_inq_cred', '-k', '-b'])
--if realm.host_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.host_princ)
-+realm.run(['./t_inq_cred', '-k', '-b'], expected_msg=realm.host_princ)
-
- # Test gss_export_name behavior.
- out = realm.run(['./t_export_name', 'u:x'])
-diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
-index 7366e3915..e4cd68469 100755
---- a/src/tests/gssapi/t_s4u.py
-+++ b/src/tests/gssapi/t_s4u.py
-@@ -42,10 +42,8 @@ if ('auth1: ' + realm.user_princ not in output or
- # result in no delegated credential being created by
- # accept_sec_context.
- realm.kinit(realm.user_princ, password('user'), ['-c', usercache])
--output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1,
-- pservice1, pservice2])
--if 'no credential delegated' not in output:
-- fail('krb5 -> no delegated cred')
-+realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1,
-+ pservice1, pservice2], expected_msg='no credential delegated')
-
- # Try S4U2Self. Ask for an S4U2Proxy step; this won't happen because
- # service/1 isn't allowed to get a forwardable S4U2Self ticket.
-@@ -61,17 +59,15 @@ if ('Warning: no delegated cred handle' not in output or
- # Correct that problem and try again. As above, the S4U2Proxy step
- # won't actually succeed since we don't support that in DB2.
- realm.run([kadminl, 'modprinc', '+ok_to_auth_as_delegate', service1])
--output = realm.run(['./t_s4u', puser, pservice2], expected_code=1)
--if 'NOT_ALLOWED_TO_DELEGATE' not in output:
-- fail('s4u2self')
-+realm.run(['./t_s4u', puser, pservice2], expected_code=1,
-+ expected_msg='NOT_ALLOWED_TO_DELEGATE')
-
- # Again with SPNEGO. This uses SPNEGO for the initial authentication,
- # but still uses krb5 for S4U2Proxy--the delegated cred is returned as
- # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred
- # directly rather than saving and reacquiring it.
--output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)
--if 'NOT_ALLOWED_TO_DELEGATE' not in output:
-- fail('s4u2self')
-+realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1,
-+ expected_msg='NOT_ALLOWED_TO_DELEGATE')
-
- realm.stop()
-
-@@ -148,9 +144,8 @@ realm.stop()
- # fail, but we can check that the right server principal was used.
- r1, r2 = cross_realms(2, create_user=False)
- r1.run([kinit, '-k', r1.host_princ])
--out = r1.run(['./t_s4u', 'p:' + r2.host_princ], expected_code=1)
--if 'Server not found in Kerberos database' not in out:
-- fail('cross-realm s4u2self (t_s4u output)')
-+r1.run(['./t_s4u', 'p:' + r2.host_princ], expected_code=1,
-+ expected_msg='Server not found in Kerberos database')
- r1.stop()
- r2.stop()
- with open(os.path.join(r2.testdir, 'kdc.log')) as f:
-diff --git a/src/tests/t_audit.py b/src/tests/t_audit.py
-index 69c9251e0..00e96bfea 100755
---- a/src/tests/t_audit.py
-+++ b/src/tests/t_audit.py
-@@ -14,18 +14,15 @@ realm.run([kvno, 'target'])
-
- # Make S4U2Self and S4U2Proxy requests so they will be audited. The
- # S4U2Proxy request is expected to fail.
--out = realm.run([kvno, '-k', realm.keytab, '-U', 'user', '-P', 'target'],
-- expected_code=1)
--if 'NOT_ALLOWED_TO_DELEGATE' not in out:
-- fail('Unexpected error for S4U2Proxy')
-+realm.run([kvno, '-k', realm.keytab, '-U', 'user', '-P', 'target'],
-+ expected_code=1, expected_msg='NOT_ALLOWED_TO_DELEGATE')
-
- # Make a U2U request so it will be audited.
- uuserver = os.path.join(buildtop, 'appl', 'user_user', 'uuserver')
- uuclient = os.path.join(buildtop, 'appl', 'user_user', 'uuclient')
- port_arg = str(realm.server_port())
- realm.start_server([uuserver, port_arg], 'Server started')
--output = realm.run([uuclient, hostname, 'testing message', port_arg])
--if 'Hello' not in output:
-- fail('U2U request failed unexpectedly')
-+realm.run([uuclient, hostname, 'testing message', port_arg],
-+ expected_msg='Hello')
-
- success('Audit tests')
-diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
-index 33525022b..dd92b338f 100644
---- a/src/tests/t_authdata.py
-+++ b/src/tests/t_authdata.py
-@@ -24,10 +24,8 @@ if ' -5: test1' not in out or '?-6: test2' not in out:
- if 'fake' in out:
- fail('KDC-only authdata not filtered for request with authdata')
-
--out = realm.run(['./adata', realm.host_princ, '!-1', 'mandatoryforkdc'],
-- expected_code=1)
--if 'KDC policy rejects request' not in out:
-- fail('Wrong error seen for mandatory-for-kdc failure')
-+realm.run(['./adata', realm.host_princ, '!-1', 'mandatoryforkdc'],
-+ expected_code=1, expected_msg='KDC policy rejects request')
-
- # The no_auth_data_required server flag should suppress SIGNTICKET,
- # but not module or request authdata.
-@@ -98,45 +96,32 @@ realm2.extract_keytab('krbtgt/LOCAL', realm.keytab)
- # AS request to local-realm service
- realm.kinit(realm.user_princ, password('user'),
- ['-X', 'indicators=indcl', '-r', '2d', '-S', realm.host_princ])
--out = realm.run(['./adata', realm.host_princ])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator not seen for AS req to service')
-+realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
-
- # Ticket modification request
- realm.kinit(realm.user_princ, None, ['-R', '-S', realm.host_princ])
--out = realm.run(['./adata', realm.host_princ])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator not seen for ticket modification request')
-+realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
-
- # AS request to cross TGT
- realm.kinit(realm.user_princ, password('user'),
- ['-X', 'indicators=indcl', '-S', 'krbtgt/FOREIGN'])
--out = realm.run(['./adata', 'krbtgt/FOREIGN'])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator not seen for AS req to cross-realm TGT')
-+realm.run(['./adata', 'krbtgt/FOREIGN'], expected_msg='+97: [indcl]')
-
- # Multiple indicators
- realm.kinit(realm.user_princ, password('user'),
- ['-X', 'indicators=indcl indcl2 indcl3'])
--out = realm.run(['./adata', realm.krbtgt_princ])
--if '+97: [indcl, indcl2, indcl3]' not in out:
-- fail('multiple auth-indicators not seen for normal AS req')
-+realm.run(['./adata', realm.krbtgt_princ],
-+ expected_msg='+97: [indcl, indcl2, indcl3]')
-
- # AS request to local TGT (resulting creds are used for TGS tests)
- realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=indcl'])
--out = realm.run(['./adata', realm.krbtgt_princ])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator not seen for normal AS req')
-+realm.run(['./adata', realm.krbtgt_princ], expected_msg='+97: [indcl]')
-
- # Local TGS request for local realm service
--out = realm.run(['./adata', realm.host_princ])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator
not seen for local TGS req')
-+realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
-
- # Local TGS request for cross TGT service
--out = realm.run(['./adata', 'krbtgt/FOREIGN'])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator not seen for TGS req to cross-realm TGT')
-+realm.run(['./adata', 'krbtgt/FOREIGN'], expected_msg='+97: [indcl]')
-
- # We don't yet have support for passing auth indicators across realms,
- # so just verify that indicators don't survive cross-realm requests.
-@@ -152,16 +137,13 @@ if '97:' in out:
-
- # Test that the CAMMAC signature still works during a krbtgt rollover.
- realm.run([kadminl, 'cpw', '-randkey', '-keepold', realm.krbtgt_princ])
--out = realm.run(['./adata', realm.host_princ])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator not seen for local TGS req after krbtgt rotation')
-+realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
-
- # Test indicator enforcement.
- realm.addprinc('restricted')
- realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'superstrong'])
--out = realm.run([kvno, 'restricted'], expected_code=1)
--if 'KDC policy rejects request' not in out:
-- fail('expected error not seen for auth indicator enforcement')
-+realm.run([kvno, 'restricted'], expected_code=1,
-+ expected_msg='KDC policy rejects request')
- realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'indcl'])
- realm.run([kvno, 'restricted'])
- realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=ind1 ind2'])
-@@ -222,13 +204,11 @@ if '+97: [indcl]' not in out or '[inds1]' in out:
- # Test that KDB module authdata is included in an AS request, by
- # default or with an explicit PAC request.
- realm.kinit(realm.user_princ, None, ['-k'])
--out = realm.run(['./adata', realm.krbtgt_princ])
--if '-456: db-authdata-test' not in out:
-- fail('DB authdata not seen in default AS request')
-+realm.run(['./adata', realm.krbtgt_princ],
-+ expected_msg='-456: db-authdata-test')
- realm.kinit(realm.user_princ, None, ['-k', '--request-pac'])
--out = realm.run(['./adata', realm.krbtgt_princ])
--if '-456: db-authdata-test' not in out:
-- fail('DB authdata not seen with --request-pac')
-+realm.run(['./adata', realm.krbtgt_princ],
-+ expected_msg='-456: db-authdata-test')
-
- # Test that KDB module authdata is suppressed in an AS request by a
- # negative PAC request.
-@@ -238,9 +218,7 @@ if '-456: db-authdata-test' in out:
- fail('DB authdata not suppressed by --no-request-pac')
-
- # Test that KDB authdata is included in a TGS request by default.
--out = realm.run(['./adata', 'service/1'])
--if '-456: db-authdata-test' not in out:
-- fail('DB authdata not seen in TGS request')
-+realm.run(['./adata', 'service/1'], expected_msg='-456: db-authdata-test')
-
- # Test that KDB authdata is suppressed in a TGS request by the
- # +no_auth_data_required flag.
-diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py
-index 47d963130..2dcd19102 100755
---- a/src/tests/t_ccache.py
-+++ b/src/tests/t_ccache.py
-@@ -35,15 +35,11 @@ if not test_keyring:
-
- # Test kdestroy and klist of a non-existent ccache.
- realm.run([kdestroy])
--output = realm.run([klist], expected_code=1)
--if 'No credentials cache found' not in output:
-- fail('Expected error message not seen in klist output')
-+realm.run([klist], expected_code=1, expected_msg='No credentials cache found')
-
- # Test kinit with an inaccessible ccache.
--out = realm.run([kinit, '-c', 'testdir/xx/yy', realm.user_princ],
-- input=(password('user') + '\n'), expected_code=1)
--if 'Failed to store credentials' not in out:
-- fail('Expected error message not seen in kinit output')
-+realm.kinit(realm.user_princ, password('user'), flags=['-c', 'testdir/xx/yy'],
-+ expected_code=1, expected_msg='Failed to store credentials')
-
- # Test klist -s with a single ccache.
- realm.run([klist, '-s'], expected_code=1)
-@@ -65,9 +61,7 @@ def collection_test(realm, ccname):
-
- realm.run([klist, '-A', '-s'], expected_code=1)
- realm.kinit('alice', password('alice'))
-- output = realm.run([klist])
-- if 'Default principal: alice@' not in output:
-- fail('Initial kinit failed to get credentials for alice.')
-+ realm.run([klist], expected_msg='Default principal: alice@')
- realm.run([klist, '-A', '-s'])
- realm.run([kdestroy])
- output = realm.run([klist], expected_code=1)
-@@ -130,25 +124,20 @@ if test_keyring:
- realm.env['KRB5CCNAME'] = 'KEYRING:' + cname
- realm.run([kdestroy, '-A'])
- realm.kinit(realm.user_princ, password('user'))
-- out = realm.run([klist, '-l'])
-- if 'KEYRING:legacy:' + cname + ':' + cname not in out:
-- fail('Wrong initial primary name in keyring legacy collection')
-+ msg = 'KEYRING:legacy:' + cname + ':' + cname
-+ realm.run([klist, '-l'], expected_msg=msg)
- # Make sure this cache is linked to the session keyring.
- id = realm.run([keyctl, 'search', '@s', 'keyring', cname])
-- out = realm.run([keyctl, 'list', id.strip()])
-- if 'user: __krb5_princ__' not in out:
-- fail('Legacy cache not linked into session keyring')
-+ realm.run([keyctl, 'list', id.strip()],
-+ expected_msg='user: __krb5_princ__')
- # Remove the collection keyring. When the collection is
- # reinitialized, the legacy cache should reappear inside it
- # automatically as the primary cache.
- cleanup_keyring('@s', col_ringname)
-- out = realm.run([klist])
-- if realm.user_princ not in out:
-- fail('Cannot see legacy cache after removing collection')
-+ realm.run([klist], expected_msg=realm.user_princ)
- coll_id = realm.run([keyctl, 'search', '@s', 'keyring', '_krb_' + cname])
-- out = realm.run([keyctl, 'list', coll_id.strip()])
-- if (id.strip() + ':') not in out:
-- fail('Legacy cache did not reappear in collection after klist')
-+ msg = id.strip() + ':'
-+ realm.run([keyctl, 'list', coll_id.strip()], expected_msg=msg)
- # Destroy the cache and check that it is unlinked from the session keyring.
- realm.run([kdestroy])
- realm.run([keyctl, 'search', '@s', 'keyring', cname], expected_code=1)
-@@ -160,8 +149,7 @@ conf = {'libdefaults': {'default_ccache_name': 'testdir/%{null}abc%{uid}'}}
- realm = K5Realm(krb5_conf=conf, create_kdb=False)
- del realm.env['KRB5CCNAME']
- uidstr = str(os.getuid())
--out = realm.run([klist], expected_code=1)
--if 'testdir/abc%s' % uidstr not in out:
-- fail('Wrong ccache in klist')
-+msg = 'testdir/abc%s' % uidstr
-+realm.run([klist], expected_code=1, expected_msg=msg)
-
- success('Credential cache tests')
-diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py
-index 0d967b8a5..1fa48793a 100755
---- a/src/tests/t_crossrealm.py
-+++ b/src/tests/t_crossrealm.py
-@@ -25,9 +25,7 @@
- from k5test import *
-
- def test_kvno(r, princ, test, env=None):
-- output = r.run([kvno, princ], env=env)
-- if princ not in output:
-- fail('%s: principal %s not in kvno output' % (test, princ))
-+ r.run([kvno, princ], env=env, expected_msg=princ)
-
-
- def stop(*realms):
-@@ -85,9 +83,8 @@ capaths = {'capaths': {'A': {'C': 'B'}}}
- r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
- args=({'realm': 'A', 'krb5_conf': capaths},
- {'realm': 'B'}, {'realm': 'C'}))
--output = r1.run([kvno, r3.host_princ], expected_code=1)
--if 'KDC policy rejects request' not in output:
-- fail('transited 1: Expected error message not in output')
-+r1.run([kvno, r3.host_princ], expected_code=1,
-+ expected_msg='KDC policy rejects request')
- stop(r1, r2, r3)
-
- # Test a different kind of transited error. The KDC for D does not
-@@ -99,9 +96,8 @@ r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
- {'realm': 'B', 'krb5_conf': capaths},
- {'realm': 'C', 'krb5_conf': capaths},
- {'realm': 'D'}))
--output = r1.run([kvno, r4.host_princ], expected_code=1)
--if 'Illegal cross-realm ticket' not in output:
-- fail('transited 2: Expected error message not in output')
-+r1.run([kvno, r4.host_princ], expected_code=1,
-+ expected_msg='Illegal cross-realm ticket')
- stop(r1, r2, r3, r4)
-
- success('Cross-realm tests')
-diff --git a/src/tests/t_dump.py b/src/tests/t_dump.py
-index 5d3a43762..8a9462bd8 100755
---- a/src/tests/t_dump.py
-+++ b/src/tests/t_dump.py
-@@ -36,12 +36,10 @@ if 'Expiration date: [never]' not in out or 'MKey: vno 1' not in out:
- out = realm.run([kadminl, 'getpols'])
- if 'fred\n' not in out or 'barney\n' not in out:
- fail('Missing policy after load')
--out = realm.run([kadminl, 'getpol', 'compat'])
--if 'Number of old keys kept: 5' not in out:
-- fail('Policy (1.8 format) has wrong value after load')
--out = realm.run([kadminl, 'getpol', 'barney'])
--if 'Number of old keys kept: 1' not in out:
-- fail('Policy has wrong value after load')
-+realm.run([kadminl, 'getpol', 'compat'],
-+ expected_msg='Number of old keys kept: 5')
-+realm.run([kadminl, 'getpol', 'barney'],
-+ expected_msg='Number of old keys kept: 1')
-
- # Dump/load again, and make sure everything is still there.
- realm.run([kdb5_util, 'dump', dumpfile])
-@@ -81,15 +79,10 @@ dump_compare(realm, ['-ov'], srcdump_ov)
- def load_dump_check_compare(realm, opt, srcfile):
- realm.run([kdb5_util, 'destroy', '-f'])
- realm.run([kdb5_util, 'load'] + opt + [srcfile])
-- out = realm.run([kadminl, 'getprincs'])
-- if 'user@' not in out:
-- fail('Loaded dumpfile missing user principal')
-- out = realm.run([kadminl, 'getprinc', 'nokeys'])
-- if 'Number of keys: 0' not in out:
-- fail('Loading dumpfile did not process zero-key principal')
-- out = realm.run([kadminl, 'getpols'])
-- if 'testpol' not in out:
-- fail('Loaded dumpfile missing test policy')
-+ realm.run([kadminl, 'getprincs'], expected_msg='user@')
-+ realm.run([kadminl, 'getprinc', 'nokeys'],
-+ expected_msg='Number of keys: 0')
-+ realm.run([kadminl, 'getpols'], expected_msg='testpol')
- dump_compare(realm, opt, srcfile)
-
- # Load each format of dump, check it, re-dump it, and compare.
-@@ -99,12 +92,8 @@ load_dump_check_compare(realm, ['-b7'], srcdump_b7)
-
- # Loading the last (-b7 format) dump won't have loaded the
- # per-principal kadm data. Load that incrementally with -ov.
--out = realm.run([kadminl, 'getprinc', 'user'])
--if 'Policy: [none]' not in out:
-- fail('Loaded b7 dump unexpectedly contains user policy reference')
-+realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: [none]')
- realm.run([kdb5_util, 'load', '-update', '-ov', srcdump_ov])
--out = realm.run([kadminl, 'getprinc', 'user'])
--if 'Policy: testpol' not in out:
-- fail('Loading ov dump did not add user policy reference')
-+realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: testpol')
-
- success('Dump/load tests')
-diff --git a/src/tests/t_general.py b/src/tests/t_general.py
-index 16bf6c5e3..6621b7230 100755
---- a/src/tests/t_general.py
-+++ b/src/tests/t_general.py
-@@ -3,10 +3,9 @@ from k5test import *
-
- for realm in multipass_realms(create_host=False):
- # Check that kinit fails appropriately with the wrong password.
-- output = realm.run([kinit, realm.user_princ], input='wrong\n',
-- expected_code=1)
-- if 'Password incorrect while getting initial credentials' not in output:
-- fail('Expected error message not seen in kinit output')
-+ msg = 'Password incorrect while getting initial credentials'
-+ realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
-+ expected_msg=msg)
-
- # Check that we can kinit as a different principal.
- realm.kinit(realm.admin_princ, password('admin'))
-@@ -42,9 +41,8 @@ realm.run(['./responder', '-r', 'password=%s' % password('user'),
- # Test that WRONG_REALM responses aren't treated as referrals unless
- # they contain a crealm field pointing to a different realm.
- # (Regression test for #8060.)
--out = realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1)
--if 'not found in Kerberos database' not in out:
-- fail('Expected error message not seen in kinit -C output')
-+realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1,
-+ expected_msg='not found in Kerberos database')
-
- # Spot-check KRB5_TRACE output
- expected_trace = ('Sending initial UDP request',
-diff --git a/src/tests/t_hostrealm.py b/src/tests/t_hostrealm.py
-index 76b282d2a..224c067ef 100755
---- a/src/tests/t_hostrealm.py
-+++ b/src/tests/t_hostrealm.py
-@@ -20,9 +20,8 @@ def test(realm, args, expected_realms, msg, env=None):
- fail(msg)
-
- def test_error(realm, args, expected_error, msg, env=None):
-- out = realm.run(['./hrealm'] + args, env=env, expected_code=1)
-- if expected_error not in out:
-- fail(msg)
-+ realm.run(['./hrealm'] + args, env=env, expected_code=1,
-+ expected_msg=expected_error)
-
- def testh(realm, host, expected_realms, msg, env=None):
- test(realm, ['-h', host], expected_realms, msg, env=env)
-diff --git a/src/tests/t_iprop.py b/src/tests/t_iprop.py
-index e64fdd279..8e23cd5de 100755
---- a/src/tests/t_iprop.py
-+++ b/src/tests/t_iprop.py
-@@ -214,9 +214,8 @@ check_ulog(7, 1, 7, [None, pr1, pr3, pr2, pr2, pr2, pr2])
-
kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 6, 7)
- check_ulog(2, 6, 7, [None, pr2], slave1)
--out = realm.run([kadminl, 'getprinc', pr2], env=slave1)
--if 'Attributes: DISALLOW_ALL_TIX' not in out:
-- fail('slave1 does not have modification from master')
-+realm.run([kadminl, 'getprinc', pr2], env=slave1,
-+ expected_msg='Attributes: DISALLOW_ALL_TIX')
-
- # Start kadmind -proponly for slave1. (Use the slave1m environment
- # which defines iprop_port to $port8.)
-@@ -245,15 +244,13 @@ check_ulog(8, 1, 8, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 7, 8)
- check_ulog(3, 6, 8, [None, pr2, pr1], slave1)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
--if 'Maximum ticket life: 0 days 00:20:00' not in out:
-- fail('slave1 does not have modification from master')
-+realm.run([kadminl, 'getprinc', pr1], env=slave1,
-+ expected_msg='Maximum ticket life: 0 days 00:20:00')
- kpropd3.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd3, False, 7, 8)
- check_ulog(2, 7, 8, [None, pr1], slave3)
--out = realm.run([kadminl, '-r', realm.realm, 'getprinc', pr1], env=slave3)
--if 'Maximum ticket life: 0 days 00:20:00' not in out:
-- fail('slave3 does not have modification from slave1')
-+realm.run([kadminl, '-r', realm.realm, 'getprinc', pr1], env=slave3,
-+ expected_msg='Maximum ticket life: 0 days 00:20:00')
- stop_daemon(kpropd3)
-
- # Test dissimilar default_realm and domain_realm map settings (no -r realm).
-@@ -287,15 +284,13 @@ check_ulog(9, 1, 9, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr1])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 8, 9)
- check_ulog(4, 6, 9, [None, pr2, pr1, pr1], slave1)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
--if 'Maximum renewable life: 0 days 22:00:00\n' not in out:
-- fail('slave1 does not have modification from master')
-+realm.run([kadminl, 'getprinc', pr1], env=slave1,
-+ expected_msg='Maximum renewable life: 0 days 22:00:00\n')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 8, 9)
- check_ulog(3, 7, 9, [None, pr1, pr1], slave2)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave2)
--if 'Maximum renewable life: 0 days 22:00:00\n' not in out:
-- fail('slave2 does not have modification from slave1')
-+realm.run([kadminl, 'getprinc', pr1], env=slave2,
-+ expected_msg='Maximum renewable life: 0 days 22:00:00\n')
-
- # Reset the ulog on slave1 to force a full resync from master. The
- # resync will use the old dump file and then propagate changes.
-@@ -317,15 +312,11 @@ check_ulog(10, 1, 10, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr1, pr2])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 9, 10)
- check_ulog(5, 6, 10, [None, pr2, pr1, pr1, pr2], slave1)
--out = realm.run([kadminl, 'getprinc', pr2], env=slave1)
--if 'Attributes:\n' not in out:
-- fail('slave1 does not have modification from master')
-+realm.run([kadminl, 'getprinc', pr2], env=slave1, expected_msg='Attributes:\n')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 9, 10)
- check_ulog(4, 7, 10, [None, pr1, pr1, pr2], slave2)
--out = realm.run([kadminl, 'getprinc', pr2], env=slave2)
--if 'Attributes:\n' not in out:
-- fail('slave2 does not have modification from slave1')
-+realm.run([kadminl, 'getprinc', pr2], env=slave2, expected_msg='Attributes:\n')
-
- # Create a policy and check that it propagates via full resync.
- realm.run([kadminl, 'addpol', '-minclasses', '2', 'testpol'])
-@@ -333,15 +324,13 @@ check_ulog(1, 1, 1, [None])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, True, 10, 1)
- check_ulog(1, 1, 1, [None], slave1)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
--if 'Minimum number of password character classes: 2' not in out:
-- fail('slave1 does not have policy from master')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave1,
-+ expected_msg='Minimum number of password character classes: 2')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, True, 10, 1)
- check_ulog(1, 1, 1, [None], slave2)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
--if 'Minimum number of password character classes: 2' not in out:
-- fail('slave2 does not have policy from slave1')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave2,
-+ expected_msg='Minimum number of password character classes: 2')
-
- # Modify the policy and test that it also propagates via full resync.
- realm.run([kadminl, 'modpol', '-minlength', '17', 'testpol'])
-@@ -349,15 +338,13 @@ check_ulog(1, 1, 1, [None])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, True, 1, 1)
- check_ulog(1, 1, 1, [None], slave1)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
--if 'Minimum password length: 17' not in out:
-- fail('slave1 does not have policy change from master')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave1,
-+ expected_msg='Minimum password length: 17')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, True, 1, 1)
- check_ulog(1, 1, 1, [None], slave2)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
--if 'Minimum password length: 17' not in out:
-- fail('slave2 does not have policy change from slave1')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave2,
-+ expected_msg='Minimum password length: 17')
-
- # Delete the policy and test that it propagates via full resync.
- realm.run([kadminl, 'delpol', 'testpol'])
-@@ -365,15 +352,13 @@ check_ulog(1, 1, 1, [None])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, True, 1, 1)
- check_ulog(1, 1, 1, [None], slave1)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1, expected_code=1)
--if 'Policy does not exist' not in out:
-- fail('slave1 did not get policy deletion from master')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave1, expected_code=1,
-+ expected_msg='Policy does not exist')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, True, 1, 1)
- check_ulog(1, 1, 1, [None], slave2)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1)
--if 'Policy does not exist' not in out:
-- fail('slave2 did not get policy deletion from slave1')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1,
-+ expected_msg='Policy does not exist')
-
- # Modify a principal on the master and test that it propagates incrementally.
- realm.run([kadminl, 'modprinc', '-maxlife', '10 minutes', pr1])
-@@ -381,15 +366,13 @@ check_ulog(2, 1, 2, [None, pr1])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 1, 2)
- check_ulog(2, 1, 2, [None, pr1], slave1)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
--if 'Maximum ticket life: 0 days 00:10:00' not in out:
-- fail('slave1 does not have modification from master')
-+realm.run([kadminl, 'getprinc', pr1], env=slave1,
-+ expected_msg='Maximum ticket life: 0 days 00:10:00')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 1, 2)
- check_ulog(2, 1, 2, [None, pr1], slave2)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave2)
--if 'Maximum ticket life: 0 days 00:10:00' not in out:
-- fail('slave2 does not have modification from slave1')
-+realm.run([kadminl, 'getprinc', pr1], env=slave2,
-+ expected_msg='Maximum ticket life: 0 days 00:10:00')
-
- # Delete a principal and test that it propagates incrementally.
- realm.run([kadminl, 'delprinc', pr3])
-@@ -397,15 +380,13 @@ check_ulog(3, 1, 3, [None, pr1, pr3])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 2, 3)
- check_ulog(3, 1, 3, [None, pr1, pr3], slave1)
--out = realm.run([kadminl, 'getprinc', pr3], env=slave1, expected_code=1)
--if 'Principal does not exist' not in out:
-- fail('slave1 does not have principal deletion from master')
-+realm.run([kadminl, 'getprinc', pr3], env=slave1, expected_code=1,
-+ expected_msg='Principal does not exist')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 2, 3)
- check_ulog(3, 1, 3, [None, pr1, pr3], slave2)
--out = realm.run([kadminl, 'getprinc', pr3], env=slave2, expected_code=1)
--if 'Principal does not exist' not in out:
-- fail('slave2 does not have principal deletion from slave1')
-+realm.run([kadminl, 'getprinc', pr3], env=slave2, expected_code=1,
-+ expected_msg='Principal does not exist')
-
- # Rename a principal and test that it propagates incrementally.
- renpr = "quacked@" + realm.realm
-@@ -414,16 +395,14 @@ check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 3, 6)
- check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr], slave1)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave1, expected_code=1)
--if 'Principal does not exist' not in out:
-- fail('slave1 does not have principal deletion from master')
-+realm.run([kadminl, 'getprinc', pr1], env=slave1, expected_code=1,
-+ expected_msg='Principal does not exist')
- realm.run([kadminl, 'getprinc', renpr], env=slave1)
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 3, 6)
- check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr], slave2)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave2, expected_code=1)
--if 'Principal does not exist' not in out:
-- fail('slave2 does not have principal deletion from master')
-+realm.run([kadminl, 'getprinc', pr1], env=slave2, expected_code=1,
-+ expected_msg='Principal does not exist')
- realm.run([kadminl, 'getprinc', renpr], env=slave2)
-
- pr1 = renpr
-@@ -455,9 +434,8 @@ out = realm.run_kpropd_once(slave1, ['-d'])
- if 'Got incremental updates (sno=2 ' not in out:
- fail('Expected full dump and synchronized from kpropd -t')
- check_ulog(2, 1, 2, [None, pr1], slave1)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
--if 'Maximum ticket life: 0 days 00:05:00' not in out:
-- fail('slave1 does not have modification from master after kpropd -t')
-+realm.run([kadminl, 'getprinc', pr1], env=slave1,
-+ expected_msg='Maximum ticket life: 0 days 00:05:00')
-
- # Propagate a policy change via full resync.
- realm.run([kadminl, 'addpol', '-minclasses', '3', 'testpol'])
-@@ -467,8 +445,7 @@ if ('Full propagation transfer finished' not in out or
- 'KDC is synchronized' not in out):
- fail('Expected full dump and synchronized from kpropd -t')
- check_ulog(1, 1, 1, [None], slave1)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
--if 'Minimum number of password character classes: 3' not in out:
-- fail('slave1 does not have policy from master after kpropd -t')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave1,
-+ expected_msg='Minimum number of password character classes: 3')
-
- success('iprop tests')
-diff --git a/src/tests/t_kadm5_hook.py b/src/tests/t_kadm5_hook.py
-index 708e328b0..c1c8c9419 100755
---- a/src/tests/t_kadm5_hook.py
-+++ b/src/tests/t_kadm5_hook.py
-@@ -7,12 +7,10 @@ plugin = os.path.join(buildtop, "plugins", "kadm5_hook", "test",
- hook_krb5_conf = {'plugins': {'kadm5_hook': { 'module': 'test:' + plugin}}}
-
- realm = K5Realm(krb5_conf=hook_krb5_conf, create_user=False, create_host=False)
--output = realm.run([kadminl, 'addprinc', '-randkey', 'test'])
--if "create: stage precommit" not in output:
-- fail('kadm5_hook test output not found')
-+realm.run([kadminl, 'addprinc', '-randkey', 'test'],
-+ expected_msg='create: stage precommit')
-
--output = realm.run([kadminl, 'renprinc', 'test', 'test2'])
--if "rename: stage precommit" not in output:
-- fail('kadm5_hook test output not found')
-+realm.run([kadminl, 'renprinc', 'test', 'test2'],
-+ expected_msg='rename: stage precommit')
-
- success('kadm5_hook')
-diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
-index 188929a76..bbbbae99e 100755
---- a/src/tests/t_kadmin_acl.py
-+++ b/src/tests/t_kadmin_acl.py
-@@ -87,27 +87,24 @@ for pw in (['-pw', 'newpw'], ['-randkey']):
- args = pw + ks
- kadmin_as(all_changepw, ['cpw'] + args + ['unselected'])
- kadmin_as(some_changepw, ['cpw'] + args + ['selected'])
-- out = kadmin_as(none, ['cpw'] + args + ['selected'], expected_code=1)
-- if 'Operation requires ``change-password\'\' privilege' not in out:
-- fail('cpw failure (no perms)')
-- out = kadmin_as(some_changepw, ['cpw'] + args + ['unselected'],
-- expected_code=1)
-- if 'Operation requires ``change-password\'\' privilege' not in out:
-- fail('cpw failure (target)')
-- out = kadmin_as(none, ['cpw'] + args + ['none'])
-+ msg = "Operation requires ``change-password'' privilege"
-+ kadmin_as(none, ['cpw'] + args + ['selected'], expected_code=1,
-+ expected_msg=msg)
-+ kadmin_as(some_changepw, ['cpw'] + args + ['unselected'],
-+ expected_code=1, expected_msg=msg)
-+ kadmin_as(none, ['cpw'] + args + ['none'])
- realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none'])
-- out = kadmin_as(none, ['cpw'] + args + ['none'], expected_code=1)
-- if 'Current password\'s minimum life has not expired' not in out:
-- fail('cpw failure (minimum life)')
-+ msg = "Current password's minimum life has not expired"
-+ kadmin_as(none, ['cpw'] + args + ['none'], expected_code=1,
-+ expected_msg=msg)
- realm.run([kadminl, 'modprinc', '-clearpolicy', 'none'])
- realm.run([kadminl, 'delprinc', 'selected'])
- realm.run([kadminl, 'delprinc', 'unselected'])
-
- kadmin_as(all_add, ['addpol', 'policy'])
- realm.run([kadminl, 'delpol', 'policy'])
--out = kadmin_as(none, ['addpol', 'policy'], expected_code=1)
--if 'Operation requires ``add\'\' privilege' not in out:
-- fail('addpol failure (no perms)')
-+kadmin_as(none, ['addpol', 'policy'], expected_code=1,
-+ expected_msg="Operation requires ``add'' privilege")
-
- # addprinc can generate two different RPC calls depending on options.
- for ks in ([], ['-e', 'aes256-cts']):
-@@ -117,89 +114,62 @@ for ks in ([], ['-e', 'aes256-cts']):
- kadmin_as(some_add, ['addprinc'] + args + ['selected'])
- realm.run([kadminl, 'delprinc', 'selected'])
- kadmin_as(restricted_add, ['addprinc'] + args + ['unselected'])
-- out = realm.run([kadminl, 'getprinc', 'unselected'])
-- if 'REQUIRES_PRE_AUTH' not in out:
-- fail('addprinc success (restrictions) -- restriction check')
-+ realm.run([kadminl, 'getprinc', 'unselected'],
-+ expected_msg='REQUIRES_PRE_AUTH')
- realm.run([kadminl, 'delprinc', 'unselected'])
-- out = kadmin_as(none, ['addprinc'] + args + ['selected'], expected_code=1)
-- if 'Operation requires ``add\'\' privilege' not in out:
-- fail('addprinc failure (no perms)')
-- out = kadmin_as(some_add, ['addprinc'] + args + ['unselected'],
-- expected_code=1)
-- if 'Operation requires ``add\'\' privilege' not in out:
-- fail('addprinc failure (target)')
-+ kadmin_as(none, ['addprinc'] + args + ['selected'], expected_code=1,
-+ expected_msg="Operation requires ``add'' privilege")
-+ kadmin_as(some_add, ['addprinc'] + args + ['unselected'], expected_code=1,
-+ expected_msg="Operation requires ``add'' privilege")
-
- realm.addprinc('unselected', 'pw')
- kadmin_as(all_delete, ['delprinc', 'unselected'])
- realm.addprinc('selected', 'pw')
- kadmin_as(some_delete, ['delprinc', 'selected'])
- realm.addprinc('unselected', 'pw')
--out = kadmin_as(none, ['delprinc', 'unselected'], expected_code=1)
--if 'Operation requires ``delete\'\' privilege' not in out:
-- fail('delprinc failure (no perms)')
--out = kadmin_as(some_delete, ['delprinc', 'unselected'], expected_code=1)
--if 'Operation requires ``delete\'\' privilege' not in out:
-- fail('delprinc failure (no target)')
-+kadmin_as(none, ['delprinc', 'unselected'], expected_code=1,
-+ expected_msg="Operation requires ``delete'' privilege")
-+kadmin_as(some_delete, ['delprinc', 'unselected'], expected_code=1,
-+ expected_msg="Operation requires ``delete'' privilege")
- realm.run([kadminl, 'delprinc', 'unselected'])
-
--out = kadmin_as(all_inquire, ['getpol', 'minlife'])
--if 'Policy: minlife' not in out:
-- fail('getpol success (acl)')
--out = kadmin_as(none, ['getpol', 'minlife'], expected_code=1)
--if 'Operation requires ``get\'\' privilege' not in out:
-- fail('getpol failure (no perms)')
-+kadmin_as(all_inquire, ['getpol', 'minlife'], expected_msg='Policy: minlife')
-+kadmin_as(none, ['getpol', 'minlife'], expected_code=1,
-+ expected_msg="Operation requires ``get'' privilege")
- realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none'])
--out = kadmin_as(none, ['getpol', 'minlife'])
--if 'Policy: minlife' not in out:
-- fail('getpol success (self policy exemption)')
-+kadmin_as(none, ['getpol', 'minlife'], expected_msg='Policy: minlife')
- realm.run([kadminl, 'modprinc', '-clearpolicy', 'none'])
-
- realm.addprinc('selected', 'pw')
- realm.addprinc('unselected', 'pw')
--out = kadmin_as(all_inquire, ['getprinc', 'unselected'])
--if 'Principal: unselected@KRBTEST.COM' not in out:
-- fail('getprinc success (acl)')
--out = kadmin_as(some_inquire, ['getprinc', 'selected'])
--if 'Principal: selected@KRBTEST.COM' not in out:
-- fail('getprinc success (target)')
--out = kadmin_as(none, ['getprinc', 'selected'], expected_code=1)
--if 'Operation requires ``get\'\' privilege' not in out:
-- fail('getprinc failure (no perms)')
--out = kadmin_as(some_inquire, ['getprinc', 'unselected'], expected_code=1)
--if 'Operation requires ``get\'\' privilege' not in out:
-- fail('getprinc failure (target)')
--out = kadmin_as(none, ['getprinc', 'none'])
--if 'Principal: none@KRBTEST.COM' not in out:
-- fail('getprinc success (self exemption)')
-+kadmin_as(all_inquire, ['getprinc', 'unselected'],
-+ expected_msg='Principal: unselected@KRBTEST.COM')
-+kadmin_as(some_inquire, ['getprinc', 'selected'],
-+ expected_msg='Principal: selected@KRBTEST.COM')
-+kadmin_as(none, ['getprinc', 'selected'], expected_code=1,
-+ expected_msg="Operation requires ``get'' privilege")
-+kadmin_as(some_inquire, ['getprinc', 'unselected'], expected_code=1,
-+ expected_msg="Operation requires ``get'' privilege")
-+kadmin_as(none, ['getprinc', 'none'],
-+ expected_msg='Principal: none@KRBTEST.COM')
- realm.run([kadminl, 'delprinc', 'selected'])
- realm.run([kadminl, 'delprinc', 'unselected'])
-
--out = kadmin_as(all_list, ['listprincs'])
--if 'K/M@KRBTEST.COM' not in out:
-- fail('listprincs success (acl)')
--out = kadmin_as(none, ['listprincs'], expected_code=1)
--if 'Operation requires ``list\'\' privilege' not in out:
-- fail('listprincs failure (no perms)')
-+kadmin_as(all_list, ['listprincs'], expected_msg='K/M@KRBTEST.COM')
-+kadmin_as(none, ['listprincs'], expected_code=1,
-+ expected_msg="Operation requires ``list'' privilege")
-
- realm.addprinc('selected', 'pw')
- realm.addprinc('unselected', 'pw')
- realm.run([kadminl, 'setstr', 'selected', 'key', 'value'])
- realm.run([kadminl, 'setstr', 'unselected', 'key', 'value'])
--out = kadmin_as(all_inquire, ['getstrs', 'unselected'])
--if 'key: value' not in out:
-- fail('getstrs success (acl)')
--out = kadmin_as(some_inquire, ['getstrs', 'selected'])
--if 'key: value' not in out:
-- fail('getstrs success (target)')
--out = kadmin_as(none, ['getstrs', 'selected'], expected_code=1)
--if 'Operation requires ``get\'\' privilege' not in out:
-- fail('getstrs failure (no perms)')
--out = kadmin_as(some_inquire, ['getstrs', 'unselected'], expected_code=1)
--if 'Operation requires ``get\'\' privilege' not in out:
-- fail('getstrs failure (target)')
--out = kadmin_as(none, ['getstrs', 'none'])
--if '(No string attributes.)' not in out:
-- fail('getstrs success (self exemption)')
-+kadmin_as(all_inquire, ['getstrs', 'unselected'], expected_msg='key: value')
-+kadmin_as(some_inquire, ['getstrs', 'selected'], expected_msg='key: value')
-+kadmin_as(none, ['getstrs', 'selected'], expected_code=1,
-+ expected_msg="Operation requires ``get'' privilege")
-+kadmin_as(some_inquire, ['getstrs', 'unselected'], expected_code=1,
-+ expected_msg="Operation requires ``get'' privilege")
-+kadmin_as(none, ['getstrs', 'none'], expected_msg='(No string attributes.)')
- realm.run([kadminl, 'delprinc', 'selected'])
- realm.run([kadminl, 'delprinc', 'unselected'])
-
-@@ -207,27 +177,21 @@ out = kadmin_as(all_modify, ['modpol', '-maxlife', '1 hour', 'policy'],
- expected_code=1)
- if 'Operation requires' in out:
- fail('modpol success (acl)')
--out = kadmin_as(none, ['modpol', '-maxlife', '1 hour', 'policy'],
-- expected_code=1)
--if 'Operation requires ``modify\'\' privilege' not in out:
-- fail('modpol failure (no perms)')
-+kadmin_as(none, ['modpol', '-maxlife', '1 hour', 'policy'], expected_code=1,
-+ expected_msg="Operation requires ``modify'' privilege")
-
- realm.addprinc('selected', 'pw')
- realm.addprinc('unselected', 'pw')
- kadmin_as(all_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'])
- kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'selected'])
- kadmin_as(restricted_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'])
--out = realm.run([kadminl, 'getprinc', 'unselected'])
--if 'REQUIRES_PRE_AUTH' not in out:
-- fail('addprinc success (restrictions) -- restriction check')
--out = kadmin_as(all_inquire, ['modprinc', '-maxlife', '1 hour', 'selected'],
-- expected_code=1)
--if 'Operation requires ``modify\'\' privilege' not in out:
-- fail('addprinc failure (no perms)')
--out = kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'],
-- expected_code=1)
--if 'Operation requires' not in out:
-- fail('modprinc failure (target)')
-+realm.run([kadminl, 'getprinc', 'unselected'],
-+ expected_msg='REQUIRES_PRE_AUTH')
-+kadmin_as(all_inquire, ['modprinc', '-maxlife', '1 hour', 'selected'],
-+ expected_code=1,
-+ expected_msg="Operation requires ``modify'' privilege")
-+kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'],
-+ expected_code=1, expected_msg='Operation requires')
- realm.run([kadminl, 'delprinc', 'selected'])
- realm.run([kadminl, 'delprinc', 'unselected'])
-
-@@ -235,12 +199,10 @@ realm.addprinc('selected', 'pw')
- realm.addprinc('unselected', 'pw')
- kadmin_as(all_modify, ['purgekeys', 'unselected'])
- kadmin_as(some_modify, ['purgekeys', 'selected'])
--out = kadmin_as(none, ['purgekeys', 'selected'], expected_code=1)
--if 'Operation requires ``modify\'\' privilege' not in out:
-- fail('purgekeys failure (no perms)')
--out = kadmin_as(some_modify, ['purgekeys', 'unselected'], expected_code=1)
--if 'Operation requires ``modify\'\' privilege' not in out:
-- fail('purgekeys failure (target)')
-+kadmin_as(none, ['purgekeys', 'selected'], expected_code=1,
-+ expected_msg="Operation requires ``modify'' privilege")
-+kadmin_as(some_modify, ['purgekeys', 'unselected'], expected_code=1,
-+ expected_msg="Operation requires ``modify'' privilege")
- kadmin_as(none, ['purgekeys', 'none'])
- realm.run([kadminl, 'delprinc', 'selected'])
- realm.run([kadminl, 'delprinc', 'unselected'])
-@@ -250,36 +212,27 @@ kadmin_as(all_rename, ['renprinc', 'from', 'to'])
- realm.run([kadminl, 'renprinc', 'to', 'from'])
- kadmin_as(some_rename, ['renprinc', 'from', 'to'])
- realm.run([kadminl, 'renprinc', 'to', 'from'])
--out = kadmin_as(all_add, ['renprinc', 'from', 'to'], expected_code=1)
--if 'Operation requires ``delete\'\' privilege' not in out:
-- fail('renprinc failure (no delete perms)')
--out = kadmin_as(all_delete, ['renprinc', 'from', 'to'], expected_code=1)
--if 'Operation requires ``add\'\' privilege' not in out:
-- fail('renprinc failure (no add perms)')
--out = kadmin_as(some_rename, ['renprinc', 'from', 'notto'], expected_code=1)
--if 'Operation requires ``add\'\' privilege' not in out:
-- fail('renprinc failure (new target)')
-+kadmin_as(all_add, ['renprinc', 'from', 'to'], expected_code=1,
-+ expected_msg="Operation requires ``delete'' privilege")
-+kadmin_as(all_delete, ['renprinc', 'from', 'to'], expected_code=1,
-+ expected_msg="Operation requires ``add'' privilege")
-+kadmin_as(some_rename, ['renprinc', 'from', 'notto'], expected_code=1,
-+ expected_msg="Operation requires ``add'' privilege")
- realm.run([kadminl, 'renprinc', 'from', 'notfrom'])
--out = kadmin_as(some_rename, ['renprinc', 'notfrom', 'to'], expected_code=1)
--if 'Operation requires ``delete\'\' privilege' not in out:
-- fail('renprinc failure (old target)')
--out = kadmin_as(restricted_rename, ['renprinc', 'notfrom', 'to'],
-- expected_code=1)
--if 'Operation requires ``add\'\' privilege' not in out:
-- fail('renprinc failure (restrictions)')
-+kadmin_as(some_rename, ['renprinc', 'notfrom', 'to'], expected_code=1,
-+ expected_msg="Operation requires ``delete'' privilege")
-+kadmin_as(restricted_rename, ['renprinc', 'notfrom', 'to'], expected_code=1,
-+ expected_msg="Operation requires ``add'' privilege")
- realm.run([kadminl, 'delprinc', 'notfrom'])
-
- realm.addprinc('selected', 'pw')
- realm.addprinc('unselected', 'pw')
- kadmin_as(all_modify, ['setstr', 'unselected', 'key', 'value'])
- kadmin_as(some_modify, ['setstr', 'selected', 'key', 'value'])
--out = kadmin_as(none, ['setstr', 'selected', 'key', 'value'], expected_code=1)
--if 'Operation requires ``modify\'\' privilege' not in out:
-- fail('addprinc failure (no perms)')
--out = kadmin_as(some_modify, ['setstr', 'unselected', 'key', 'value'],
-- expected_code=1)
--if 'Operation requires' not in out:
-- fail('modprinc failure (target)')
-+kadmin_as(none, ['setstr', 'selected', 'key', 'value'], expected_code=1,
-+ expected_msg="Operation requires ``modify'' privilege")
-+kadmin_as(some_modify, ['setstr', 'unselected', 'key', 'value'],
-+ expected_code=1, expected_msg='Operation requires')
- realm.run([kadminl, 'delprinc', 'selected'])
- realm.run([kadminl, 'delprinc', 'unselected'])
-
-@@ -287,28 +240,21 @@ kadmin_as(admin, ['addprinc', '-pw', 'pw', 'anytarget'])
- realm.run([kadminl, 'delprinc', 'anytarget'])
- kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card'])
- realm.run([kadminl, 'delprinc', 'wild/card'])
--out = kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card/extra'],
-- expected_code=1)
--if 'Operation requires' not in out:
-- fail('addprinc failure (target wildcard extra component)')
-+kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card/extra'],
-+ expected_code=1, expected_msg='Operation requires')
- realm.addprinc('admin/user', 'pw')
- kadmin_as(admin, ['delprinc', 'admin/user'])
--out = kadmin_as(admin, ['delprinc', 'none'], expected_code=1)
--if 'Operation requires' not in out:
-- fail('delprinc failure (wildcard backreferences not matched)')
-+kadmin_as(admin, ['delprinc', 'none'], expected_code=1,
-+ expected_msg='Operation requires')
- realm.addprinc('four/one/three', 'pw')
- kadmin_as(onetwothreefour, ['delprinc', 'four/one/three'])
-
- kadmin_as(restrictions, ['addprinc', '-pw', 'pw', 'type1'])
--out = realm.run([kadminl, 'getprinc', 'type1'])
--if 'Policy: minlife' not in out:
-- fail('restriction (policy)')
-+realm.run([kadminl, 'getprinc', 'type1'], expected_msg='Policy: minlife')
- realm.run([kadminl, 'delprinc', 'type1'])
- kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-policy', 'minlife',
- 'type2'])
--out = realm.run([kadminl, 'getprinc', 'type2'])
--if 'Policy: [none]' not in out:
-- fail('restriction (clearpolicy)')
-+realm.run([kadminl, 'getprinc', 'type2'], expected_msg='Policy: [none]')
- realm.run([kadminl, 'delprinc', 'type2'])
- kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxlife', '1 minute',
- 'type3'])
-@@ -319,40 +265,32 @@ if ('Maximum ticket life: 0 days 00:01:00' not in out or
- realm.run([kadminl, 'delprinc', 'type3'])
- kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxrenewlife', '1 day',
- 'type3'])
--out = realm.run([kadminl, 'getprinc', 'type3'])
--if 'Maximum renewable life: 0 days 02:00:00' not in out:
-- fail('restriction (maxrenewlife high)')
-+realm.run([kadminl, 'getprinc', 'type3'],
-+ expected_msg='Maximum renewable life: 0 days 02:00:00')
-
- realm.run([kadminl, 'addprinc', '-pw', 'pw', 'extractkeys'])
--out = kadmin_as(all_wildcard, ['ktadd', '-norandkey', 'extractkeys'],
-- expected_code=1)
--if 'Operation requires ``extract-keys\'\' privilege' not in out:
-- fail('extractkeys failure (all_wildcard)')
-+kadmin_as(all_wildcard, ['ktadd', '-norandkey', 'extractkeys'],
-+ expected_code=1,
-+ expected_msg="Operation requires ``extract-keys'' privilege")
- kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
- realm.kinit('extractkeys', flags=['-k'])
- os.remove(realm.keytab)
-
- kadmin_as(all_modify, ['modprinc', '+lockdown_keys', 'extractkeys'])
--out = kadmin_as(all_changepw, ['cpw', '-pw', 'newpw', 'extractkeys'],
-- expected_code=1)
--if 'Operation requires ``change-password\'\' privilege' not in out:
-- fail('extractkeys failure (all_changepw)')
-+kadmin_as(all_changepw, ['cpw', '-pw', 'newpw', 'extractkeys'],
-+ expected_code=1,
-+ expected_msg="Operation requires ``change-password'' privilege")
- kadmin_as(all_changepw, ['cpw', '-randkey', 'extractkeys'])
--out = kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'],
-- expected_code=1)
--if 'Operation requires ``extract-keys\'\' privilege' not in out:
-- fail('extractkeys failure (all_extract)')
--out = kadmin_as(all_delete, ['delprinc', 'extractkeys'], expected_code=1)
--if 'Operation requires ``delete\'\' privilege' not in out:
-- fail('extractkeys failure (all_delete)')
--out = kadmin_as(all_rename, ['renprinc', 'extractkeys', 'renamedprinc'],
-- expected_code=1)
--if 'Operation requires ``delete\'\' privilege' not in out:
-- fail('extractkeys failure (all_rename)')
--out = kadmin_as(all_modify, ['modprinc', '-lockdown_keys', 'extractkeys'],
-- expected_code=1)
--if 'Operation requires ``modify\'\' privilege' not in out:
-- fail('extractkeys failure (all_modify)')
-+kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'], expected_code=1,
-+ expected_msg="Operation requires ``extract-keys'' privilege")
-+kadmin_as(all_delete, ['delprinc', 'extractkeys'], expected_code=1,
-+ expected_msg="Operation requires ``delete'' privilege")
-+kadmin_as(all_rename, ['renprinc', 'extractkeys', 'renamedprinc'],
-+ expected_code=1,
-+ expected_msg="Operation requires ``delete'' privilege")
-+kadmin_as(all_modify, ['modprinc', '-lockdown_keys', 'extractkeys'],
-+ expected_code=1,
-+ expected_msg="Operation requires ``modify'' privilege")
- realm.run([kadminl, 'modprinc', '-lockdown_keys', 'extractkeys'])
- kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
- realm.kinit('extractkeys', flags=['-k'])
-diff --git a/src/tests/t_kadmin_parsing.py b/src/tests/t_kadmin_parsing.py
-index 92d72d2b0..8de387c64 100644
---- a/src/tests/t_kadmin_parsing.py
-+++ b/src/tests/t_kadmin_parsing.py
-@@ -57,33 +57,27 @@ realm = K5Realm(create_host=False, get_creds=False)
- realm.run([kadminl, 'addpol', 'pol'])
- for instr, outstr in intervals:
- realm.run([kadminl, 'modprinc', '-maxlife', instr, realm.user_princ])
-- out = realm.run([kadminl, 'getprinc', realm.user_princ])
-- if 'Maximum ticket life: ' + outstr + '\n' not in out:
-- fail('princ maxlife: ' + instr)
-+ msg = 'Maximum ticket life: ' + outstr + '\n'
-+ realm.run([kadminl, 'getprinc', realm.user_princ], expected_msg=msg)
-
- realm.run([kadminl, 'modprinc', '-maxrenewlife', instr, realm.user_princ])
-- out = realm.run([kadminl, 'getprinc', realm.user_princ])
-- if 'Maximum renewable life: ' + outstr + '\n' not in out:
-- fail('princ maxrenewlife: ' + instr)
-+ msg = 'Maximum renewable life: ' + outstr + '\n'
-+ realm.run([kadminl, 'getprinc', realm.user_princ], expected_msg=msg)
-
- realm.run([kadminl, 'modpol', '-maxlife', instr, 'pol'])
-- out = realm.run([kadminl, 'getpol', 'pol'])
-- if 'Maximum password life: ' + outstr + '\n' not in out:
-- fail('pol maxlife: ' + instr)
-+ msg = 'Maximum password life: ' + outstr + '\n'
-+ realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
-
- realm.run([kadminl, 'modpol', '-minlife', instr, 'pol'])
-- out = realm.run([kadminl, 'getpol', 'pol'])
-- if 'Minimum password life: ' + outstr + '\n' not in out:
-- fail('pol maxlife: ' + instr)
-+ msg = 'Minimum password life: ' + outstr + '\n'
-+ realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
-
- realm.run([kadminl, 'modpol', '-failurecountinterval', instr, 'pol'])
-- out = realm.run([kadminl, 'getpol', 'pol'])
-- if 'Password failure count reset interval: ' + outstr + '\n' not in out:
-- fail('pol maxlife: ' + instr)
-+ msg = 'Password failure count reset interval: ' + outstr + '\n'
-+ realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
-
- realm.run([kadminl, 'modpol', '-lockoutduration', instr, 'pol'])
-- out = realm.run([kadminl, 'getpol', 'pol'])
-- if 'Password lockout duration: ' + outstr + '\n' not in out:
-- fail('pol maxlife: ' + instr)
-+ msg = 'Password lockout duration: ' + outstr + '\n'
-+ realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
-
- success('kadmin command parsing tests')
-diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
-index 185225afa..44635b089 100755
---- a/src/tests/t_kdb.py
-+++ b/src/tests/t_kdb.py
-@@ -167,47 +167,31 @@ if out != 'KRBTEST.COM\n':
- # because we're sticking a krbPrincipalAux objectclass onto a subtree
- # krbContainer, but it works and it avoids having to load core.schema
- # in the test LDAP server.
--out = realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
-- expected_code=1)
--if 'DN is out of the realm subtree' not in out:
-- fail('Unexpected kadmin.local output for out-of-realm dn')
-+realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
-+ expected_code=1, expected_msg='DN is out of the realm subtree')
- realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1'])
--out = realm.run([kadminl, 'getprinc', 'princ1'])
--if 'Principal: princ1' not in out:
-- fail('Unexpected kadmin.local output after creating princ1')
--out = realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5',
-- 'again'], expected_code=1)
--if 'ldap object is already kerberized' not in out:
-- fail('Unexpected kadmin.local output trying to re-kerberize DN')
-+realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1')
-+realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'],
-+ expected_code=1, expected_msg='ldap object is already kerberized')
- # Check that we can't set linkdn on a non-standalone object.
--out = realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t1,cn=krb5', 'princ1'],
-- expected_code=1)
--if 'link information can not be set' not in out:
-- fail('Unexpected kadmin.local output trying to set linkdn on princ1')
-+realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t1,cn=krb5', 'princ1'],
-+ expected_code=1, expected_msg='link information can not be set')
-
- # Create a principal with a specified linkdn.
--out = realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=krb5', 'princ2'],
-- expected_code=1)
--if 'DN is out of the realm subtree' not in out:
-- fail('Unexpected kadmin.local output for out-of-realm linkdn')
-+realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=krb5', 'princ2'],
-+ expected_code=1, expected_msg='DN is out of the realm subtree')
- realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=t1,cn=krb5', 'princ2'])
- # Check that we can't reset linkdn.
--out = realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t2,cn=krb5', 'princ2'],
-- expected_code=1)
--if 'kerberos principal is already linked' not in out:
-- fail('Unexpected kadmin.local output for re-specified linkdn')
-+realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t2,cn=krb5', 'princ2'],
-+ expected_code=1, expected_msg='kerberos principal is already linked')
-
- # Create a principal with a specified containerdn.
--out = realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5',
-- 'princ3'], expected_code=1)
--if 'DN is out of the realm subtree' not in out:
-- fail('Unexpected kadmin.local output for out-of-realm containerdn')
-+realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5', 'princ3'],
-+ expected_code=1, expected_msg='DN is out of the realm subtree')
- realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=t1,cn=krb5',
- 'princ3'])
--out = realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5',
-- 'princ3'], expected_code=1)
--if 'containerdn option not supported' not in out:
-- fail('Unexpected kadmin.local output trying to reset containerdn')
-+realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'],
-+ expected_code=1, expected_msg='containerdn option not supported')
-
- # Create and modify a ticket policy.
- kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour',
-@@ -255,9 +239,8 @@ if out:
- kldaputil(['create_policy', 'tktpol2'])
-
- # Try to create a password policy conflicting with a ticket policy.
--out = realm.run([kadminl, 'addpol', 'tktpol2'], expected_code=1)
--if 'Already exists while creating policy "tktpol2"' not in out:
-- fail('Expected error not seen in kadmin.local output')
-+realm.run([kadminl, 'addpol', 'tktpol2'], expected_code=1,
-+ expected_msg='Already exists while creating policy "tktpol2"')
-
- # Try to create a ticket policy conflicting with a password policy.
- realm.run([kadminl, 'addpol', 'pwpol'])
-@@ -266,16 +249,13 @@ if 'Already exists while creating policy object' not in out:
- fail('Expected error not seen in kdb5_ldap_util output')
-
- # Try to use a password policy as a ticket policy.
--out = realm.run([kadminl, 'modprinc', '-x', 'tktpolicy=pwpol', 'princ4'],
-- expected_code=1)
--if 'Object class violation' not in out:
-- fail('Expected error not seem in kadmin.local output')
-+realm.run([kadminl, 'modprinc', '-x', 'tktpolicy=pwpol', 'princ4'],
-+ expected_code=1, expected_msg='Object class violation')
-
- # Use a ticket policy as a password policy (CVE-2014-5353). This
- # works with a warning; use kadmin.local -q so the warning is shown.
--out = realm.run([kadminl, '-q', 'modprinc -policy tktpol2 princ4'])
--if 'WARNING: policy "tktpol2" does not exist' not in out:
-- fail('Expected error not seen in kadmin.local output')
-+realm.run([kadminl, '-q', 'modprinc -policy tktpol2 princ4'],
-+ expected_msg='WARNING: policy "tktpol2" does not exist')
-
- # Do some basic tests with a KDC against the LDAP module, exercising the
- # db_args processing code.
-@@ -298,9 +278,8 @@ if 'krbPrincipalAuthInd: otp' not in out:
- if 'krbPrincipalAuthInd: radius' not in out:
- fail('Expected krbPrincipalAuthInd value not in output')
-
--out = realm.run([kadminl, 'getstrs', 'authind'])
--if 'require_auth: otp radius' not in out:
-- fail('Expected auth indicators value not in output')
-+realm.run([kadminl, 'getstrs', 'authind'],
-+ expected_msg='require_auth: otp radius')
-
- # Test service principal aliases.
- realm.addprinc('canon', password('canon'))
-@@ -311,12 +290,10 @@ ldap_modify('dn: krbPrincipalName=canon@KRBTEST.COM,cn=t1,cn=krb5\n'
- '-\n'
- 'add: krbCanonicalName\n'
- 'krbCanonicalName: canon@KRBTEST.COM\n')
--out = realm.run([kadminl, 'getprinc', 'alias'])
--if 'Principal: canon@KRBTEST.COM\n' not in out:
-- fail('Could not fetch canon through alias')
--out = realm.run([kadminl, 'getprinc', 'canon'])
--if 'Principal: canon@KRBTEST.COM\n' not in out:
-- fail('Could not fetch canon through canon')
-+realm.run([kadminl, 'getprinc', 'alias'],
-+ expected_msg='Principal: canon@KRBTEST.COM\n')
-+realm.run([kadminl, 'getprinc', 'canon'],
-+ expected_msg='Principal: canon@KRBTEST.COM\n')
- realm.run([kvno, 'alias'])
- realm.run([kvno, 'canon'])
- out = realm.run([klist])
-@@ -334,9 +311,8 @@ ldap_modify('dn: krbPrincipalName=krbtgt/KRBTEST.COM@KRBTEST.COM,'
- '-\n'
- 'add: krbCanonicalName\n'
- 'krbCanonicalName: krbtgt/KRBTEST.COM@KRBTEST.COM\n')
--out = realm.run([kadminl, 'getprinc', 'tgtalias'])
--if 'Principal: krbtgt/KRBTEST.COM@KRBTEST.COM' not in out:
-- fail('Could not fetch krbtgt through tgtalias')
-+realm.run([kadminl, 'getprinc', 'tgtalias'],
-+ expected_msg='Principal: krbtgt/KRBTEST.COM@KRBTEST.COM')
- realm.kinit(realm.user_princ, password('user'))
- realm.run([kvno, 'tgtalias'])
- realm.klist(realm.user_princ, 'tgtalias@KRBTEST.COM')
-@@ -352,9 +328,8 @@ realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
-
- # Test client principal aliases, with and without preauth.
- realm.kinit('canon', password('canon'))
--out = realm.kinit('alias', password('canon'), expected_code=1)
--if 'not found in Kerberos database' not in out:
-- fail('Wrong error message for kinit to alias without -C flag')
-+realm.kinit('alias', password('canon'), expected_code=1,
-+ expected_msg='not found in Kerberos database')
- realm.kinit('alias', password('canon'), ['-C'])
- realm.run([kvno, 'alias'])
- realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
-@@ -413,31 +388,24 @@ realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts,aes128-cts',
- 'kvnoprinc'])
- realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
- 'aes256-cts,aes128-cts', 'kvnoprinc'])
--out = realm.run([kadminl, 'getprinc', 'kvnoprinc'])
--if 'Number of keys: 4' not in out:
-- fail('After cpw -keepold, wrong number of keys')
-+realm.run([kadminl, 'getprinc', 'kvnoprinc'], expected_msg='Number of keys: 4')
- realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
- 'aes256-cts,aes128-cts', 'kvnoprinc'])
--out = realm.run([kadminl, 'getprinc', 'kvnoprinc'])
--if 'Number of keys: 6' not in out:
-- fail('After cpw -keepold, wrong number of keys')
-+realm.run([kadminl, 'getprinc', 'kvnoprinc'], expected_msg='Number of keys: 6')
-
- # Regression test for #8041 (NULL dereference on keyless principals).
- realm.run([kadminl, 'addprinc', '-nokey', 'keylessprinc'])
--out = realm.run([kadminl, 'getprinc', 'keylessprinc'])
--if 'Number of keys: 0' not in out:
-- fail('Failed to create a principal with no keys')
-+realm.run([kadminl, 'getprinc', 'keylessprinc'],
-+ expected_msg='Number of keys: 0')
- realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts,aes128-cts',
- 'keylessprinc'])
- realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
- 'aes256-cts,aes128-cts', 'keylessprinc'])
--out = realm.run([kadminl, 'getprinc', 'keylessprinc'])
--if 'Number of keys: 4' not in out:
-- fail('Failed to add keys to keylessprinc')
-+realm.run([kadminl, 'getprinc', 'keylessprinc'],
-+ expected_msg='Number of keys: 4')
- realm.run([kadminl, 'purgekeys', '-all', 'keylessprinc'])
--out = realm.run([kadminl, 'getprinc', 'keylessprinc'])
--if 'Number of keys: 0' not in out:
-- fail('After purgekeys -all, keys remain')
-+realm.run([kadminl, 'getprinc', 'keylessprinc'],
-+ expected_msg='Number of keys: 0')
-
- # Test for 8354 (old password history entries when -keepold is used)
- realm.run([kadminl, 'addpol', '-history', '2', 'keepoldpasspol'])
-@@ -451,9 +419,8 @@ realm.stop()
- # Briefly test dump and load.
- dumpfile = os.path.join(realm.testdir, 'dump')
- realm.run([kdb5_util, 'dump', dumpfile])
--out = realm.run([kdb5_util, 'load', dumpfile], expected_code=1)
--if 'KDB module requires -update argument' not in out:
-- fail('Unexpected error from kdb5_util load without -update')
-+realm.run([kdb5_util, 'load', dumpfile], expected_code=1,
-+ expected_msg='KDB module requires -update argument')
- realm.run([kdb5_util, 'load', '-update', dumpfile])
-
- # Destroy the realm.
-@@ -501,14 +468,10 @@ realm.addprinc(realm.user_princ, password('user'))
- realm.kinit(realm.user_princ, password('user'))
- realm.stop()
- # Exercise DB options, which should cause binding to fail.
--out = realm.run([kadminl, '-x', 'sasl_authcid=ab', 'getprinc', 'user'],
-- expected_code=1)
--if 'Cannot bind to LDAP server' not in out:
-- fail('Expected error not seen in kadmin.local output')
--out = realm.run([kadminl, '-x', 'bindpwd=wrong', 'getprinc', 'user'],
-- expected_code=1)
--if 'Cannot bind to LDAP server' not in out:
-- fail('Expected error not seen in kadmin.local output')
-+realm.run([kadminl, '-x', 'sasl_authcid=ab', 'getprinc', 'user'],
-+ expected_code=1, expected_msg='Cannot bind to LDAP server')
-+realm.run([kadminl, '-x', 'bindpwd=wrong', 'getprinc', 'user'],
-+ expected_code=1, expected_msg='Cannot bind to LDAP server')
- realm.run([kdb5_ldap_util, 'destroy', '-f'])
-
- # We could still use tests to exercise:
-diff --git a/src/tests/t_kdb_locking.py b/src/tests/t_kdb_locking.py
-index e8d86e09b..aac0a220f 100755
---- a/src/tests/t_kdb_locking.py
-+++ b/src/tests/t_kdb_locking.py
-@@ -21,9 +21,8 @@ if not os.path.exists(kadm5_lock):
- fail('kadm5 lock file not created: ' + kadm5_lock)
- os.unlink(kadm5_lock)
-
--output = realm.kinit(p, p, [], expected_code=1)
--if 'A service is not available' not in output:
-- fail('krb5kdc should have returned service not available error')
-+realm.kinit(p, p, [], expected_code=1,
-+ expected_msg='A service is not available')
-
- f = open(kadm5_lock, 'w')
- f.close()
-diff --git a/src/tests/t_keydata.py b/src/tests/t_keydata.py
-index 686e543bd..5c04a8523 100755
---- a/src/tests/t_keydata.py
-+++ b/src/tests/t_keydata.py
-@@ -5,27 +5,19 @@ realm = K5Realm(create_user=False, create_host=False)
-
- # Create a principal with no keys.
- realm.run([kadminl, 'addprinc', '-nokey', 'user'])
--out = realm.run([kadminl, 'getprinc', 'user'])
--if 'Number of keys: 0' not in out:
-- fail('getprinc (addprinc -nokey)')
-+realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0')
-
- # Change its password and check the resulting kvno.
- realm.run([kadminl, 'cpw', '-pw', 'password', 'user'])
--out = realm.run([kadminl, 'getprinc', 'user'])
--if 'vno 1' not in out:
-- fail('getprinc (cpw -pw)')
-+realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1')
-
- # Delete all of its keys.
- realm.run([kadminl, 'purgekeys', '-all', 'user'])
--out = realm.run([kadminl, 'getprinc', 'user'])
--if 'Number of keys: 0' not in out:
-- fail('getprinc (purgekeys)')
-+realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0')
-
- # Randomize its keys and check the resulting kvno.
- realm.run([kadminl, 'cpw', '-randkey', 'user'])
--out = realm.run([kadminl, 'getprinc', 'user'])
--if 'vno 1' not in out:
-- fail('getprinc (cpw -randkey)')
-+realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1')
-
- # Return true if patype appears to have been received in a hint list
- # from a KDC error message, based on the trace file fname.
-diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
-index 35d0b61b8..bfd38914b 100755
---- a/src/tests/t_keyrollover.py
-+++ b/src/tests/t_keyrollover.py
-@@ -23,25 +23,17 @@ realm.run([kvno, princ1])
- realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
- # Make sure an old TGT fails after purging old TGS key.
- realm.run([kvno, princ2], expected_code=1)
--output = realm.run([klist, '-e'])
--
--expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
-+msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
- (realm.realm, realm.realm)
--
--if expected not in output:
-- fail('keyrollover: expected TGS enctype not found')
-+realm.run([klist, '-e'], expected_msg=msg)
-
- # Check that new key actually works.
- realm.kinit(realm.user_princ, password('user'))
- realm.run([kvno, realm.host_princ])
--output = realm.run([klist, '-e'])
--
--expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
-+msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
- 'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \
- (realm.realm, realm.realm)
--
--if expected not in output:
-- fail('keyrollover: expected TGS enctype not found after change')
-+realm.run([klist, '-e'], expected_msg=msg)
-
- # Test that the KDC only accepts the first enctype for a kvno, for a
- # local-realm TGS request. To set this up, we abuse an edge-case
-diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
-index a06e6c296..a48740ba5 100755
---- a/src/tests/t_keytab.py
-+++ b/src/tests/t_keytab.py
-@@ -14,9 +14,8 @@ realm.run([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' %
- realm.kinit(realm.host_princ, flags=['-k', '-t', pkeytab])
-
- # Test kinit with no keys for client in keytab.
--output = realm.kinit(realm.user_princ, flags=['-k'], expected_code=1)
--if 'no suitable keys' not in output:
-- fail('Expected error not seen in kinit output')
-+realm.kinit(realm.user_princ, flags=['-k'], expected_code=1,
-+ expected_msg='no suitable keys')
-
- # Test kinit and klist with client keytab defaults.
- realm.extract_keytab(realm.user_princ, realm.client_keytab);
-@@ -31,14 +30,12 @@ if realm.client_keytab not in out or realm.user_princ not in out:
-
- # Test implicit request for keytab (-i or -t without -k)
- realm.run([kdestroy])
--output = realm.kinit(realm.host_princ, flags=['-t', realm.keytab])
--if 'keytab specified, forcing -k' not in output:
-- fail('Expected output not seen from kinit -t keytab')
-+realm.kinit(realm.host_princ, flags=['-t', realm.keytab],
-+ expected_msg='keytab specified, forcing -k')
- realm.klist(realm.host_princ)
- realm.run([kdestroy])
--output = realm.kinit(realm.user_princ, flags=['-i'])
--if 'keytab specified, forcing -k' not in output:
-- fail('Expected output not seen from kinit -i')
-+realm.kinit(realm.user_princ, flags=['-i'],
-+ expected_msg='keytab specified, forcing -k')
- realm.klist(realm.user_princ)
-
- # Test extracting keys with multiple key versions present.
-@@ -70,12 +67,10 @@ def test_key_rotate(realm, princ, expected_kvno):
- realm.run_kadmin(['ktadd', '-k', realm.keytab, princ])
- realm.run([kadminl, 'ktrem', princ, 'old'])
- realm.kinit(princ, flags=['-k'])
-- out = realm.run([klist, '-k'])
-- if ('%d %s' % (expected_kvno, princ)) not in out:
-- fail('kvno %d not listed in keytab' % expected_kvno)
-- out = realm.run_kadmin(['getprinc', princ])
-- if ('Key: vno %d,' % expected_kvno) not in out:
-- fail('vno %d not seen in getprinc output' % expected_kvno)
-+ msg = '%d %s' % (expected_kvno, princ)
-+ out = realm.run([klist, '-k'], expected_msg=msg)
-+ msg = 'Key: vno %d,' % expected_kvno
-+ out = realm.run_kadmin(['getprinc', princ], expected_msg=msg)
-
- princ = 'foo/bar@%s' % realm.realm
- realm.addprinc(princ)
-@@ -109,9 +104,8 @@ f = open(realm.keytab, 'w')
- f.write('\x05\x02\x00\x00\x00' + chr(len(record)))
- f.write(record)
- f.close()
--out = realm.run([klist, '-k'])
--if (' 2 %s' % realm.user_princ) not in out:
-- fail('Expected entry not seen in klist -k output')
-+msg = ' 2 %s' % realm.user_princ
-+out = realm.run([klist, '-k'], expected_msg=msg)
-
- # Make sure zero-fill isn't treated as a 32-bit kvno.
- f = open(realm.keytab, 'w')
-@@ -119,9 +113,8 @@ f.write('\x05\x02\x00\x00\x00' + chr(len(record) + 4))
- f.write(record)
- f.write('\x00\x00\x00\x00')
- f.close()
--out = realm.run([klist, '-k'])
--if (' 2 %s' % realm.user_princ) not in out:
-- fail('Expected entry not seen in klist -k output')
-+msg = ' 2 %s' % realm.user_princ
-+out = realm.run([klist, '-k'], expected_msg=msg)
-
- # Make sure a hand-crafted 32-bit kvno is recognized.
- f = open(realm.keytab, 'w')
-@@ -129,9 +122,8 @@ f.write('\x05\x02\x00\x00\x00' + chr(len(record) + 4))
- f.write(record)
- f.write('\x00\x00\x00\x03')
- f.close()
--out = realm.run([klist, '-k'])
--if (' 3 %s' % realm.user_princ) not in out:
-- fail('Expected entry not seen in klist -k output')
-+msg = ' 3 %s' % realm.user_princ
-+out = realm.run([klist, '-k'], expected_msg=msg)
-
- # Test parameter expansion in profile variables
- realm.stop()
-@@ -142,11 +134,9 @@ realm = K5Realm(krb5_conf=conf, create_kdb=False)
- del realm.env['KRB5_KTNAME']
- del realm.env['KRB5_CLIENT_KTNAME']
- uidstr = str(os.getuid())
--out = realm.run([klist, '-k'], expected_code=1)
--if 'FILE:testdir/abc%s' % uidstr not in out:
-- fail('Wrong keytab in klist -k output')
--out = realm.run([klist, '-ki'], expected_code=1)
--if 'FILE:testdir/xyz%s' % uidstr not in out:
-- fail('Wrong keytab in klist -ki output')
-+msg = 'FILE:testdir/abc%s' % uidstr
-+out = realm.run([klist, '-k'], expected_code=1, expected_msg=msg)
-+msg = 'FILE:testdir/xyz%s' % uidstr
-+out = realm.run([klist, '-ki'], expected_code=1, expected_msg=msg)
-
- success('Keytab-related tests')
-diff --git a/src/tests/t_kprop.py b/src/tests/t_kprop.py
-index 02cdfeec2..39169675d 100755
---- a/src/tests/t_kprop.py
-+++ b/src/tests/t_kprop.py
-@@ -43,9 +43,7 @@ for realm in multipass_realms(create_user=False):
- realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname])
- check_output(kpropd)
-
-- out = realm.run([kadminl, 'listprincs'], slave)
-- if 'wakawaka' not in out:
-- fail('Slave does not have all principals from master')
-+ realm.run([kadminl, 'listprincs'], slave, expected_msg='wakawaka')
-
- # default_realm tests follow.
- # default_realm and domain_realm different than realm.realm (test -r argument).
-@@ -79,9 +77,8 @@ realm.run([kdb5_util, 'dump', dumpfile])
- realm.run([kprop, '-r', realm.realm, '-f', dumpfile, '-P',
- str(realm.kprop_port()), hostname])
- check_output(kpropd)
--out = realm.run([kadminl, '-r', realm.realm, 'listprincs'], slave2)
--if 'wakawaka' not in out:
-- fail('Slave does not have all principals from master')
-+realm.run([kadminl, '-r', realm.realm, 'listprincs'], slave2,
-+ expected_msg='wakawaka')
-
- stop_daemon(kpropd)
-
-@@ -90,8 +87,6 @@ kpropd = realm.start_kpropd(slave3, ['-d'])
- realm.run([kdb5_util, 'dump', dumpfile])
- realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname])
- check_output(kpropd)
--out = realm.run([kadminl, 'listprincs'], slave3)
--if 'wakawaka' not in out:
-- fail('Slave does not have all principals from master')
-+realm.run([kadminl, 'listprincs'], slave3, expected_msg='wakawaka')
-
- success('kprop tests')
-diff --git a/src/tests/t_localauth.py b/src/tests/t_localauth.py
-index 4590485ac..aa625d038 100755
---- a/src/tests/t_localauth.py
-+++ b/src/tests/t_localauth.py
-@@ -14,9 +14,8 @@ def test_an2ln(env, aname, result, msg):
- fail(msg)
-
- def test_an2ln_err(env, aname, err, msg):
-- out = realm.run(['./localauth', aname], env=env, expected_code=1)
-- if err not in out:
-- fail(msg)
-+ realm.run(['./localauth', aname], env=env, expected_code=1,
-+ expected_msg=err)
-
- def test_userok(env, aname, lname, ok, msg):
- out = realm.run(['./localauth', aname, lname], env=env)
-diff --git a/src/tests/t_mkey.py b/src/tests/t_mkey.py
-index c53b71b45..615cd91ca 100755
---- a/src/tests/t_mkey.py
-+++ b/src/tests/t_mkey.py
-@@ -92,9 +92,8 @@ def
check_stash(*expected):
-
- # Verify that the user principal has the expected mkvno.
- def check_mkvno(princ, expected_mkvno):
-- out = realm.run([kadminl, 'getprinc', princ])
-- if ('MKey: vno %d\n' % expected_mkvno) not in out:
-- fail('Unexpected mkvno in user DB entry')
-+ msg = 'MKey: vno %d\n' % expected_mkvno
-+ realm.run([kadminl, 'getprinc', princ], expected_msg=msg)
-
-
- # Change the password using either kadmin.local or kadmin, then check
-@@ -160,9 +159,8 @@ check_mkvno(realm.user_princ, 1)
- collisionfile = os.path.join(realm.testdir, 'stash_tmp')
- f = open(collisionfile, 'w')
- f.close()
--output = realm.run([kdb5_util, 'stash'], expected_code=1)
--if 'Temporary stash file already exists' not in output:
-- fail('Did not detect temp stash file collision')
-+realm.run([kdb5_util, 'stash'], expected_code=1,
-+ expected_msg='Temporary stash file already exists')
- os.unlink(collisionfile)
-
- # Add a new master key with no options. Verify that:
-@@ -179,9 +177,8 @@ change_password_check_mkvno(True, realm.user_princ, 'abcd', 1)
- change_password_check_mkvno(False, realm.user_princ, 'user', 1)
-
- # Verify that use_mkey won't make all master keys inactive.
--out = realm.run([kdb5_util, 'use_mkey', '1', 'now+1day'], expected_code=1)
--if 'there must be one master key currently active' not in out:
-- fail('Unexpected error from use_mkey making all mkeys inactive')
-+realm.run([kdb5_util, 'use_mkey', '1', 'now+1day'], expected_code=1,
-+ expected_msg='there must be one master key currently active')
- check_mkey_list((2, defetype, False, False), (1, defetype, True, True))
-
- # Make the new master key active. Verify that:
-@@ -194,9 +191,8 @@ change_password_check_mkvno(True, realm.user_princ, 'abcd', 2)
- change_password_check_mkvno(False, realm.user_princ, 'user', 2)
-
- # Check purge_mkeys behavior with both master keys still in use.
--out = realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'])
--if 'All keys in use, nothing purged.'
not in out:
-- fail('Unexpected output from purge_mkeys with both mkeys in use')
-+realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'],
-+ expected_msg='All keys in use, nothing purged.')
-
- # Do an update_princ_encryption dry run and for real. Verify that:
- # 1. The target master key is 2 (the active mkvno).
-@@ -226,9 +222,8 @@ update_princ_encryption(False, 2, nprincs - 1, 0)
- check_mkvno(realm.user_princ, 2)
-
- # Test the safety check for purging with an outdated stash file.
--out = realm.run([kdb5_util, 'purge_mkeys', '-f'], expected_code=1)
--if 'stash file needs updating' not in out:
-- fail('Unexpected error from purge_mkeys safety check')
-+realm.run([kdb5_util, 'purge_mkeys', '-f'], expected_code=1,
-+ expected_msg='stash file needs updating')
-
- # Update the master stash file and check it. Save a copy of the old
- # one for a later test.
-@@ -253,18 +248,15 @@ check_mkey_list((2, defetype, True, True))
- check_master_dbent(2, (2, defetype))
- os.rename(stash_file, stash_file + '.save')
- os.rename(stash_file + '.old', stash_file)
--out = realm.run([kadminl, 'getprinc', 'user'], expected_code=1)
--if 'Unable to decrypt latest master key' not in out:
-- fail('Unexpected error from kadmin.local with old stash file')
-+realm.run([kadminl, 'getprinc', 'user'], expected_code=1,
-+ expected_msg='Unable to decrypt latest master key')
- os.rename(stash_file + '.save', stash_file)
- realm.run([kdb5_util, 'stash'])
- check_stash((2, defetype))
--out = realm.run([kdb5_util, 'use_mkey', '1'], expected_code=1)
--if '1 is an invalid KVNO value' not in out:
-- fail('Unexpected error from use_mkey with invalid kvno')
--out = realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'])
--if 'There is only one master key which can not be purged.'
not in out:
-- fail('Unexpected output from purge_mkeys with one mkey')
-+realm.run([kdb5_util, 'use_mkey', '1'], expected_code=1,
-+ expected_msg='1 is an invalid KVNO value')
-+realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'],
-+ expected_msg='There is only one master key which can not be purged.')
-
- # Add a third master key with a specified enctype. Verify that:
- # 1. The new master key receives the correct number.
-@@ -331,8 +323,7 @@ check_mkey_list((2, defetype, True, True), (1, des3, True, False))
- # Regression test for #8395. Purge the master key and verify that a
- # master key fetch does not segfault.
- realm.run([kadminl, 'purgekeys', '-all', 'K/M'])
--out = realm.run([kadminl, 'getprinc', realm.user_princ], expected_code=1)
--if 'Cannot find master key record in database' not in out:
-- fail('Unexpected output from failed master key fetch')
-+realm.run([kadminl, 'getprinc', realm.user_princ], expected_code=1,
-+ expected_msg='Cannot find master key record in database')
-
- success('Master key rollover tests')
-diff --git a/src/tests/t_otp.py b/src/tests/t_otp.py
-index f098374f9..9b18ff94b 100755
---- a/src/tests/t_otp.py
-+++ b/src/tests/t_otp.py
-@@ -199,9 +199,8 @@ realm.run([kadminl, 'setstr', realm.user_princ, 'otp', otpconfig('udp')])
- realm.kinit(realm.user_princ, 'accept', flags=flags)
- verify(daemon, queue, True, realm.user_princ.split('@')[0], 'accept')
- realm.extract_keytab(realm.krbtgt_princ, realm.keytab)
--out = realm.run(['./adata', realm.krbtgt_princ])
--if '+97: [indotp1, indotp2]' not in out:
-- fail('auth indicators not seen in OTP ticket')
-+realm.run(['./adata', realm.krbtgt_princ],
-+ expected_msg='+97: [indotp1, indotp2]')
-
- # Repeat with an indicators override in the string attribute.
- daemon = UDPRadiusDaemon(args=(server_addr, secret_file, 'accept', queue))
-@@ -212,9 +211,8 @@ realm.run([kadminl, 'setstr', realm.user_princ, 'otp', oconf])
- realm.kinit(realm.user_princ, 'accept', flags=flags)
- verify(daemon, queue, True, realm.user_princ.split('@')[0], 'accept')
- realm.extract_keytab(realm.krbtgt_princ, realm.keytab)
--out = realm.run(['./adata', realm.krbtgt_princ])
--if '+97: [indtok1, indtok2]' not in out:
-- fail('auth indicators not seen in OTP ticket')
-+realm.run(['./adata', realm.krbtgt_princ],
-+ expected_msg='+97: [indtok1, indtok2]')
-
- # Detect upstream pyrad bug
- # https://github.com/wichert/pyrad/pull/18
-diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
-index f56141564..e943f4974 100755
---- a/src/tests/t_pkinit.py
-+++ b/src/tests/t_pkinit.py
-@@ -101,10 +101,9 @@ realm.kinit('user@krbtest.com',
- flags=['-E', '-X', 'X509_user_identity=%s' % p12_upn2_identity])
-
- # Test a mismatch.
--out = realm.run([kinit, '-X', 'X509_user_identity=%s' % p12_upn2_identity,
-- 'user2'], expected_code=1)
--if 'kinit: Client name mismatch while getting initial credentials' not in out:
-- fail('Wrong error for UPN SAN mismatch')
-+msg = 'kinit: Client name mismatch while getting initial credentials'
-+realm.run([kinit, '-X', 'X509_user_identity=%s' % p12_upn2_identity, 'user2'],
-+ expected_code=1, expected_msg=msg)
- realm.stop()
-
- realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-@@ -118,9 +117,8 @@ realm.klist(realm.user_princ)
- realm.run([kvno, realm.host_princ])
-
- # Test anonymous PKINIT.
--out = realm.kinit('@%s' % realm.realm, flags=['-n'], expected_code=1)
--if 'not found in Kerberos database' not in out:
-- fail('Wrong error for anonymous PKINIT without anonymous enabled')
-+realm.kinit('@%s' % realm.realm, flags=['-n'], expected_code=1,
-+ expected_msg='not found in Kerberos database')
- realm.addprinc('WELLKNOWN/ANONYMOUS')
- realm.kinit('@%s' % realm.realm, flags=['-n'])
- realm.klist('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS')
-@@ -135,9 +133,8 @@ f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *')
- f.close()
- realm.start_kadmind()
- realm.run([kadmin, '-n', 'addprinc', '-pw', 'test', 'testadd'])
--out = realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1)
--if "Operation requires ``get'' privilege" not in out:
-- fail('Anonymous kadmin has too much privilege')
-+realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1,
-+ expected_msg="Operation requires ``get'' privilege")
- realm.stop_kadmind()
-
- # Test with anonymous restricted; FAST should work but kvno should fail.
-@@ -146,9 +143,8 @@ realm.stop_kdc()
- realm.start_kdc(env=r_env)
- realm.kinit('@%s' % realm.realm, flags=['-n'])
- realm.kinit('@%s' % realm.realm, flags=['-n', '-T', realm.ccache])
--out = realm.run([kvno, realm.host_princ], expected_code=1)
--if 'KDC policy rejects request' not in out:
-- fail('Wrong error for restricted anonymous PKINIT')
-+realm.run([kvno, realm.host_princ], expected_code=1,
-+ expected_msg='KDC policy rejects request')
-
- # Regression test for #8458: S4U2Self requests crash the KDC if
- # anonymous is restricted.
-@@ -200,9 +196,8 @@ realm.kinit(realm.user_princ,
- password='encrypted')
- realm.klist(realm.user_princ)
- realm.run([kvno, realm.host_princ])
--out = realm.run(['./adata', realm.host_princ])
--if '+97: [indpkinit1, indpkinit2]' not in out:
-- fail('auth indicators not seen in PKINIT ticket')
-+realm.run(['./adata', realm.host_princ],
-+ expected_msg='+97: [indpkinit1, indpkinit2]')
-
- # Run the basic test - PKINIT with FILE: identity, with a password on the key,
- # supplied by the responder.
-diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py
-index bfec96a93..26c4e466e 100755
---- a/src/tests/t_policy.py
-+++ b/src/tests/t_policy.py
-@@ -7,35 +7,27 @@ realm = K5Realm(create_host=False, start_kadmind=True)
- # Test password quality enforcement.
- realm.run([kadminl, 'addpol', '-minlength', '6', '-minclasses', '2', 'pwpol'])
- realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'pwpol', 'pwuser'])
--out = realm.run([kadminl, 'cpw', '-pw', 'sh0rt', 'pwuser'], expected_code=1)
--if 'Password is too short' not in out:
-- fail('short password')
--out = realm.run([kadminl, 'cpw', '-pw', 'longenough', 'pwuser'],
-- expected_code=1)
--if 'Password does not contain enough character classes' not in out:
-- fail('insufficient character classes')
-+realm.run([kadminl, 'cpw', '-pw', 'sh0rt', 'pwuser'], expected_code=1,
-+ expected_msg='Password is too short')
-+realm.run([kadminl, 'cpw', '-pw', 'longenough', 'pwuser'], expected_code=1,
-+ expected_msg='Password does not contain enough character classes')
- realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
-
- # Test some password history enforcement. Even with no history value,
- # the current password should be denied.
--out = realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'],
-- expected_code=1)
--if 'Cannot reuse password' not in out:
-- fail('reuse of current password')
-+realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], expected_code=1,
-+ expected_msg='Cannot reuse password')
- realm.run([kadminl, 'modpol', '-history', '2', 'pwpol'])
- realm.run([kadminl, 'cpw', '-pw', 'an0therpw', 'pwuser'])
--out = realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'],
-- expected_code=1)
--if 'Cannot reuse password' not in out:
-- fail('reuse of old password')
-+realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], expected_code=1,
-+ expected_msg='Cannot reuse password')
- realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
- realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
-
- # Test references to nonexistent policies.
- realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'newpol', 'newuser'])
--out = realm.run([kadminl, 'getprinc', 'newuser'])
--if 'Policy: newpol [does not exist]\n' not in out:
-- fail('getprinc output for principal referencing nonexistent policy')
-+realm.run([kadminl, 'getprinc', 'newuser'],
-+ expected_msg='Policy: newpol [does not exist]\n')
- realm.run([kadminl, 'modprinc', '-policy', 'newpol', 'pwuser'])
- # pwuser should allow reuse of the current password since newpol doesn't exist.
- realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
-@@ -45,29 +37,20 @@ realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword', 'cpw', '-pw',
-
- # Create newpol and verify that it is enforced.
- realm.run([kadminl, 'addpol', '-minlength', '3', 'newpol'])
--out = realm.run([kadminl, 'getprinc', 'pwuser'])
--if 'Policy: newpol\n' not in out:
-- fail('getprinc after creating policy (pwuser)')
--out = realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'], expected_code=1)
--if 'Password is too short' not in out:
-- fail('short password after creating policy (pwuser)')
--out = realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'],
-- expected_code=1)
--if 'Cannot reuse password' not in out:
-- fail('reuse of current password after creating policy')
-+realm.run([kadminl, 'getprinc', 'pwuser'], expected_msg='Policy: newpol\n')
-+realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'], expected_code=1,
-+ expected_msg='Password is too short')
-+realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'], expected_code=1,
-+ expected_msg='Cannot reuse password')
-
--out = realm.run([kadminl, 'getprinc', 'newuser'])
--if 'Policy: newpol\n' not in out:
-- fail('getprinc after creating policy (newuser)')
--out = realm.run([kadminl, 'cpw', '-pw', 'aa', 'newuser'], expected_code=1)
--if 'Password is too short' not in out:
-- fail('short password after creating policy (newuser)')
-+realm.run([kadminl, 'getprinc', 'newuser'], expected_msg='Policy: newpol\n')
-+realm.run([kadminl, 'cpw', '-pw', 'aa', 'newuser'], expected_code=1,
-+ expected_msg='Password is too short')
-
- # Delete the policy and verify that it is no longer enforced.
- realm.run([kadminl, 'delpol', 'newpol'])
--out = realm.run([kadminl, 'getpol', 'newpol'], expected_code=1)
--if 'Policy does not exist' not in out:
-- fail('deletion of referenced policy')
-+realm.run([kadminl, 'getpol', 'newpol'], expected_code=1,
-+ expected_msg='Policy does not exist')
- realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'])
-
- # Test basic password lockout support.
-@@ -78,18 +61,14 @@ realm.run([kadminl, 'modprinc', '+requires_preauth', '-policy', 'lockout',
- 'user'])
-
- # kinit twice with the wrong password.
--output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
--if 'Password incorrect while getting initial credentials' not in output:
-- fail('Expected error message not seen in kinit output')
--output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
--if 'Password incorrect while getting initial credentials' not in output:
-- fail('Expected error message not seen in kinit output')
-+realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
-+ expected_msg='Password incorrect while getting initial credentials')
-+realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
-+ expected_msg='Password incorrect while getting initial credentials')
-
- # Now the account should be locked out.
--output = realm.run([kinit, realm.user_princ], expected_code=1)
--if 'Client\'s credentials have been revoked while getting initial credentials' \
-- not in output:
-- fail('Expected lockout error message not seen in kinit output')
-+m = 'Client\'s credentials have been revoked while getting initial credentials'
-+realm.run([kinit, realm.user_princ], expected_code=1, expected_msg=m)
-
- # Check that modprinc -unlock allows a further attempt.
- realm.run([kadminl, 'modprinc', '-unlock', 'user'])
-@@ -113,10 +92,8 @@ realm.run([kadminl, 'cpw', '-pw', 'pw2', 'user'])
- # Swap the keys, simulating older kadmin having chosen the second entry.
- realm.run(['./hist', 'swap'])
- # Make sure we can read the history entry.
--out = realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'],
-- expected_code=1)
--if 'Cannot reuse password' not in out:
-- fail('Expected error not seen in output')
-+realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'], expected_code=1,
-+ expected_msg='Cannot reuse password')
-
- # Test key/salt constraints.
-
-@@ -142,9 +119,8 @@ realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', 'server'])
-
- # Test modpol.
- realm.run([kadminl, 'modpol', '-allowedkeysalts', 'aes256-cts,rc4-hmac', 'ak'])
--out = realm.run([kadminl, 'getpol', 'ak'])
--if not 'Allowed key/salt types: aes256-cts,rc4-hmac' in out:
-- fail('getpol does not implement allowedkeysalts?')
-+realm.run([kadminl, 'getpol', 'ak'],
-+ expected_msg='Allowed key/salt types: aes256-cts,rc4-hmac')
-
- # Test subsets and full set.
- realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac', 'server'])
-@@ -153,19 +129,14 @@ realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts,rc4-hmac', 'server'])
- realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes256-cts', 'server'])
-
- # Check that the order we got is the one from the policy.
--out = realm.run([kadminl, 'getprinc', '-terse', 'server'])
--if not '2\t1\t6\t18\t0\t1\t6\t23\t0' in out:
-- fail('allowed_keysalts policy did not preserve order')
-+realm.run([kadminl, 'getprinc', '-terse', 'server'],
-+ expected_msg='2\t1\t6\t18\t0\t1\t6\t23\t0')
-
- # Test partially intersecting sets.
--out = realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes128-cts',
-- 'server'], expected_code=1)
--if not 'Invalid key/salt tuples' in out:
-- fail('allowed_keysalts policy not applied properly')
--out = realm.run([kadminl, 'cpw', '-randkey', '-e',
-- 'rc4-hmac,aes256-cts,aes128-cts', 'server'], expected_code=1)
--if not 'Invalid key/salt tuples' in out:
-- fail('allowed_keysalts policy not applied properly')
-+realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes128-cts', 'server'],
-+ expected_code=1, expected_msg='Invalid key/salt tuples')
-+realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes256-cts,aes128-cts',
-+ 'server'], expected_code=1, expected_msg='Invalid key/salt tuples')
-
- # Test reset of allowedkeysalts.
- realm.run([kadminl, 'modpol', '-allowedkeysalts', '-', 'ak'])
-diff --git a/src/tests/t_preauth.py b/src/tests/t_preauth.py
-index 0ef8bbca4..1823a797d 100644
---- a/src/tests/t_preauth.py
-+++ b/src/tests/t_preauth.py
-@@ -10,18 +10,12 @@ realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
- realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ])
- realm.run([kadminl, 'setstr', realm.user_princ, 'teststring', 'testval'])
- realm.run([kadminl, 'addprinc', '-nokey', '+requires_preauth', 'nokeyuser'])
--out = realm.run([kinit, realm.user_princ], input=password('user')+'\n')
--if 'testval' not in out:
-- fail('Decrypted string attribute not in kinit output')
--out = realm.run([kinit, 'nokeyuser'], input=password('user')+'\n',
-- expected_code=1)
--if 'no key' not in out:
-- fail('Expected "no key" message not in kinit output')
-+realm.kinit(realm.user_princ, password('user'), expected_msg='testval')
-+realm.kinit('nokeyuser', password('user'), expected_code=1,
-+ expected_msg='no key')
-
- # Exercise KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and secure cookies.
- realm.run([kadminl, 'setstr', realm.user_princ, '2rt', 'secondtrip'])
--out = realm.run([kinit, realm.user_princ], input=password('user')+'\n')
--if '2rt: secondtrip' not in out:
-- fail('multi round-trip cookie test')
-+realm.kinit(realm.user_princ, password('user'), expected_msg='2rt: secondtrip')
-
- success('Pre-authentication framework tests')
-diff --git a/src/tests/t_pwqual.py b/src/tests/t_pwqual.py
-index 0d1d387d8..011110bd1 100755
---- a/src/tests/t_pwqual.py
-+++ b/src/tests/t_pwqual.py
-@@ -18,29 +18,24 @@ f.close()
- realm.run([kadminl, 'addpol', 'pol'])
-
- # The built-in "empty" module rejects empty passwords even without a policy.
--out = realm.run([kadminl, 'addprinc', '-pw', '', 'p1'], expected_code=1)
--if 'Empty passwords are not allowed' not in out:
-- fail('Expected error not seen for empty password')
-+realm.run([kadminl, 'addprinc', '-pw', '', 'p1'], expected_code=1,
-+ expected_msg='Empty passwords are not allowed')
-
- # The built-in "dict" module rejects dictionary words, but only with a policy.
- realm.run([kadminl, 'addprinc', '-pw', 'birds', 'p2'])
--out = realm.run([kadminl, 'addprinc', '-pw', 'birds', '-policy', 'pol', 'p3'],
-- expected_code=1)
--if 'Password is in the password dictionary' not in out:
-- fail('Expected error not seen from dictionary password')
-+realm.run([kadminl, 'addprinc', '-pw', 'birds', '-policy', 'pol', 'p3'],
-+ expected_code=1,
-+ expected_msg='Password is in the password dictionary')
-
- # The built-in "princ" module rejects principal components, only with a policy.
- realm.run([kadminl, 'addprinc', '-pw', 'p4', 'p4'])
--out = realm.run([kadminl, 'addprinc', '-pw', 'p5', '-policy', 'pol', 'p5'],
-- expected_code=1)
--if 'Password may not match principal name' not in out:
-- fail('Expected error not seen from principal component')
-+realm.run([kadminl, 'addprinc', '-pw', 'p5', '-policy', 'pol', 'p5'],
-+ expected_code=1,
-+ expected_msg='Password may not match principal name')
-
- # The dynamic "combo" module rejects pairs of dictionary words.
--out = realm.run([kadminl, 'addprinc', '-pw', 'birdsoranges', 'p6'],
-- expected_code=1)
--if 'Password may not be a pair of dictionary words' not in out:
-- fail('Expected error not seen from combo module')
-+realm.run([kadminl, 'addprinc', '-pw', 'birdsoranges', 'p6'], expected_code=1,
-+ expected_msg='Password may not be a pair of dictionary words')
-
- # These plugin ordering tests aren't specifically related to the
- # password quality interface, but are convenient to put here.
-diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
-index 559fbd5f7..9765116aa 100755
---- a/src/tests/t_referral.py
-+++ b/src/tests/t_referral.py
-@@ -23,9 +23,8 @@ def testref(realm, nametype):
- # Get credentials and check that we get an error, not a referral.
- def testfail(realm, nametype):
- shutil.copyfile(savefile, realm.ccache)
-- out = realm.run(['./gcred', nametype, 'a/x.d'], expected_code=1)
-- if 'not found in Kerberos database' not in out:
-- fail('unexpected error')
-+ realm.run(['./gcred', nametype, 'a/x.d'], expected_code=1,
-+ expected_msg='not found in Kerberos database')
-
- # Create a modified KDC environment and restart the KDC.
- def restart_kdc(realm, kdc_conf):
-@@ -116,9 +115,8 @@ r1, r2 = cross_realms(2, xtgts=(),
- create_host=False)
- r2.addprinc('abc\@XYZ', 'pw')
- r1.start_kdc()
--out = r1.kinit('user', expected_code=1)
--if 'not found in Kerberos database' not in out:
-- fail('Expected error not seen for referral without canonicalize flag')
-+r1.kinit('user', expected_code=1,
-+ expected_msg='not found in Kerberos database')
- r1.kinit('user', password('user'), ['-C'])
- r1.klist('user@KRBTEST2.COM', 'krbtgt/KRBTEST2.COM')
- r1.kinit('abc@XYZ', 'pw', ['-E'])
-diff --git a/src/tests/t_renew.py b/src/tests/t_renew.py
-index a5f0d4bc1..106c8ecd3 100755
---- a/src/tests/t_renew.py
-+++ b/src/tests/t_renew.py
-@@ -32,9 +32,8 @@ realm.run([kvno, realm.user_princ])
-
- # Make sure we can't renew non-renewable tickets.
- test('non-renewable', '1h', '1h', False)
--out = realm.kinit(realm.user_princ, flags=['-R'], expected_code=1)
--if "KDC can't fulfill requested option" not in out:
-- fail('expected error not seen renewing non-renewable ticket')
-+realm.kinit(realm.user_princ, flags=['-R'], expected_code=1,
-+ expected_msg="KDC can't fulfill requested option")
-
- # Test that -allow_renewable on the client principal works.
- realm.run([kadminl, 'modprinc', '-allow_renewable', 'user'])
-diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py
-index e923c92d1..ddb1905ed 100755
---- a/src/tests/t_salt.py
-+++ b/src/tests/t_salt.py
-@@ -62,13 +62,11 @@ for ks in dup_kstypes:
- # fails.
- def test_reject_afs3(realm, etype):
- query = 'ank -e ' + etype + ':afs3 -pw password princ1'
-- out = realm.run([kadminl, 'ank', '-e', etype + ':afs3', '-pw', 'password',
-- 'princ1'], expected_code=1)
-- if 'Invalid key generation parameters from KDC' not in out:
-- fail('Allowed afs3 salt for ' + etype)
-- out = realm.run([kadminl, 'getprinc', 'princ1'], expected_code=1)
-- if 'Principal does not exist' not in out:
-- fail('Created principal with afs3 salt and enctype ' + etype)
-+ realm.run([kadminl, 'ank', '-e', etype + ':afs3', '-pw', 'password',
-+ 'princ1'], expected_code=1,
-+ expected_msg='Invalid key generation parameters from KDC')
-+ realm.run([kadminl, 'getprinc', 'princ1'], expected_code=1,
-+ expected_msg='Principal does not exist')
-
- # Verify that the afs3 salt is rejected for arcfour and pbkdf2 enctypes.
- # We do not currently do any verification on the key-generation parameters
-diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py
-index b72971070..f2ae06695 100755
---- a/src/tests/t_skew.py
-+++ b/src/tests/t_skew.py
-@@ -37,22 +37,16 @@ realm.kinit(realm.user_princ, password('user'),
-
- # kinit should detect too much skew in the KDC response. kinit with
- # FAST should fail from the KDC since the armor AP-REQ won't be valid.
--out = realm.kinit(realm.user_princ, password('user'), expected_code=1) --if 'Clock skew too great in KDC reply' not in out: -- fail('Expected error message not seen in kinit skew case') --out = realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], -- expected_code=1) --if 'Clock skew too great while' not in out: -- fail('Expected error message not seen in kinit FAST skew case') -+realm.kinit(realm.user_princ, password('user'), expected_code=1, -+ expected_msg='Clock skew too great in KDC reply') -+realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], expected_code=1, -+ expected_msg='Clock skew too great while') - - # kinit (with preauth) should fail from the KDC, with or without FAST. - realm.run([kadminl, 'modprinc', '+requires_preauth', 'user']) --out = realm.kinit(realm.user_princ, password('user'), expected_code=1) --if 'Clock skew too great while' not in out: -- fail('Expected error message not seen in kinit skew case (preauth)') --out = realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], -- expected_code=1) --if 'Clock skew too great while' not in out: -- fail('Expected error message not seen in kinit FAST skew case (preauth)') -+realm.kinit(realm.user_princ, password('user'), expected_code=1, -+ expected_msg='Clock skew too great while') -+realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], expected_code=1, -+ expected_msg='Clock skew too great while') - - success('Clock skew tests') -diff --git a/src/tests/t_stringattr.py b/src/tests/t_stringattr.py -index 281c8726f..5672a0f20 100755 ---- a/src/tests/t_stringattr.py -+++ b/src/tests/t_stringattr.py -@@ -28,9 +28,7 @@ realm = K5Realm(start_kadmind=True, create_host=False, get_creds=False) - - realm.prep_kadmin() - --out = realm.run_kadmin(['getstrs', 'user']) --if '(No string attributes.)' not in out: -- fail('Empty attribute query') -+realm.run_kadmin(['getstrs', 'user'], expected_msg='(No string attributes.)') - - realm.run_kadmin(['setstr', 'user', 'attr1', 
'value1']) - realm.run_kadmin(['setstr', 'user', 'attr2', 'value2']) diff --git a/Use-expected_trace-in-test-scripts.patch b/Use-expected_trace-in-test-scripts.patch deleted file mode 100644 index 74516ea..0000000 --- a/Use-expected_trace-in-test-scripts.patch +++ /dev/null 
@@ -1,75 +0,0 @@
-From 35a00879008457d21ccc6e623835976a21f5000b Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Tue, 17 Jan 2017 11:25:22 -0500
-Subject: [PATCH] Use expected_trace in test scripts
-
-(cherry picked from commit 7b7e5d964e5d020fdda3fb9843d9b8cf8b29a6f8)
----
- src/tests/t_general.py | 24 ++++++++----------------
- src/tests/t_pkinit.py | 15 ++++++---------
- 2 files changed, 14 insertions(+), 25 deletions(-)
-
-diff --git a/src/tests/t_general.py b/src/tests/t_general.py
-index 6d523fe45..16bf6c5e3 100755
---- a/src/tests/t_general.py
-+++ b/src/tests/t_general.py
-@@ -47,21 +47,13 @@ if 'not found in Kerberos database' not in out:
- fail('Expected error message not seen in kinit -C output')
-
- # Spot-check KRB5_TRACE output
--tracefile = os.path.join(realm.testdir, 'trace')
--realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, realm.user_princ],
-- input=(password('user') + "\n"))
--f = open(tracefile, 'r')
--trace = f.read()
--f.close()
--expected = ('Sending initial UDP request',
-- 'Received answer',
-- 'Selected etype info',
-- 'AS key obtained',
-- 'Decrypted AS reply',
-- 'FAST negotiation: available',
-- 'Storing user@KRBTEST.COM')
--for e in expected:
-- if e not in trace:
-- fail('Expected output not in kinit trace log')
-+expected_trace = ('Sending initial UDP request',
-+ 'Received answer',
-+ 'Selected etype info',
-+ 'AS key obtained',
-+ 'Decrypted AS reply',
-+ 'FAST negotiation: available',
-+ 'Storing user@KRBTEST.COM')
-+realm.kinit(realm.user_princ, password('user'), expected_trace=expected_trace)
-
- success('FAST kinit, trace logging')
-diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
-index 183977750..f56141564 100755
---- a/src/tests/t_pkinit.py
-+++ b/src/tests/t_pkinit.py
-@@ -176,19 +176,16 @@ realm.klist(realm.user_princ)
-
- # Test a DH parameter renegotiation by temporarily setting a 4096-bit
- # minimum on the KDC.
--tracefile = os.path.join(realm.testdir, 'trace')
- minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
- minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
- realm.stop_kdc()
- realm.start_kdc(env=minbits_env)
--realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-X',
-- 'X509_user_identity=' + file_identity, realm.user_princ])
--with open(tracefile, 'r') as f:
-- trace = f.read()
--if ('Key parameters not accepted' not in trace or
-- 'Preauth tryagain input types' not in trace or
-- 'trying again with KDC-provided parameters' not in trace):
-- fail('DH renegotiation steps not found in kinit trace log')
-+expected_trace = ('Key parameters not accepted',
-+ 'Preauth tryagain input types',
-+ 'trying again with KDC-provided parameters')
-+realm.kinit(realm.user_princ,
-+ flags=['-X', 'X509_user_identity=%s' % file_identity],
-+ expected_trace=expected_trace)
- realm.stop_kdc()
- realm.start_kdc()
-
diff --git a/Use-fallback-realm-for-GSSAPI-ccache-selection.patch b/Use-fallback-realm-for-GSSAPI-ccache-selection.patch
deleted file mode 100644
index bc0591a..0000000
--- a/Use-fallback-realm-for-GSSAPI-ccache-selection.patch
+++ /dev/null
@@ -1,185 +0,0 @@ -From feee4c633a7db348ef99f1f0c99a5c2e6cb70f92 Mon Sep 17 00:00:00 2001 -From: Matt Rogers -Date: Fri, 10 Feb 2017 12:53:42 -0500 -Subject: [PATCH] Use fallback realm for GSSAPI ccache selection - -In krb5_cc_select(), if the server principal has an empty realm, use -krb5_get_fallback_host_realm() and set the server realm to the first -fallback found. This helps with the selection of a non-default ccache -when there is no [domain_realms] configuration for the server domain. -Modify t_ccselect.py tests to account for fallback behavior. - -ticket: 8549 (new) -(cherry picked from commit 234b64bd6139d5b75dadd5abbd5bef5a162e298a) ---- - src/lib/krb5/ccache/ccselect.c | 37 ++++++++++++++++++++++++++----- - src/tests/gssapi/t_ccselect.py | 50 +++++++++++++++++++++++++++++++++--------- - 2 files changed, 72 insertions(+), 15 deletions(-) - -diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c -index 2f3071a27..ee4b83a9b 100644 ---- a/src/lib/krb5/ccache/ccselect.c -+++ b/src/lib/krb5/ccache/ccselect.c -@@ -132,6 +132,8 @@ krb5_cc_select(krb5_context context, krb5_principal server, - struct ccselect_module_handle **hp, *h; - krb5_ccache cache; - krb5_principal princ; -+ krb5_principal srvcp = NULL; -+ char **fbrealms = NULL; - - *cache_out = NULL; - *princ_out = NULL; -@@ -139,7 +141,27 @@ krb5_cc_select(krb5_context context, krb5_principal server, - if (context->ccselect_handles == NULL) { - ret = load_modules(context); - if (ret) -- return ret; -+ goto cleanup; -+ } -+ -+ /* Try to use the fallback host realm for the server if there is no -+ * authoritative realm. */ -+ if (krb5_is_referral_realm(&server->realm) && -+ server->type == KRB5_NT_SRV_HST && server->length == 2) { -+ ret = krb5_get_fallback_host_realm(context, &server->data[1], -+ &fbrealms); -+ if (ret) -+ goto cleanup; -+ -+ /* Make a copy with the first fallback realm. 
*/ -+ ret = krb5_copy_principal(context, server, &srvcp); -+ if (ret) -+ goto cleanup; -+ ret = krb5_set_principal_realm(context, srvcp, fbrealms[0]); -+ if (ret) -+ goto cleanup; -+ -+ server = srvcp; - } - - /* Consult authoritative modules first, then heuristic ones. */ -@@ -155,20 +177,25 @@ krb5_cc_select(krb5_context context, krb5_principal server, - princ); - *cache_out = cache; - *princ_out = princ; -- return 0; -+ goto cleanup; - } else if (ret == KRB5_CC_NOTFOUND) { - TRACE_CCSELECT_MODNOTFOUND(context, h->vt.name, server, princ); - *princ_out = princ; -- return ret; -+ goto cleanup; - } else if (ret != KRB5_PLUGIN_NO_HANDLE) { - TRACE_CCSELECT_MODFAIL(context, h->vt.name, ret, server); -- return ret; -+ goto cleanup; - } - } - } - - TRACE_CCSELECT_NOTFOUND(context, server); -- return KRB5_CC_NOTFOUND; -+ ret = KRB5_CC_NOTFOUND; -+ -+cleanup: -+ krb5_free_principal(context, srvcp); -+ krb5_free_host_realm(context, fbrealms); -+ return ret; - } - - void -diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py -index 1ea614d30..668a2cc62 100755 ---- a/src/tests/gssapi/t_ccselect.py -+++ b/src/tests/gssapi/t_ccselect.py -@@ -31,12 +31,18 @@ r2 = K5Realm(create_user=False, realm='KRBTEST2.COM', portbase=62000, - - host1 = 'p:' + r1.host_princ - host2 = 'p:' + r2.host_princ -+foo = 'foo.krbtest.com' -+foo2 = 'foo.krbtest2.com' - --# gsserver specifies the target as a GSS name. The resulting --# principal will have the host-based type, but the realm won't be --# known before the client cache is selected (since k5test realms have --# no domain-realm mapping by default). --gssserver = 'h:host@' + hostname -+# These strings specify the target as a GSS name. The resulting -+# principal will have the host-based type, with the referral realm -+# (since k5test realms have no domain-realm mapping by default). 
-+# krb5_cc_select() will use the fallback realm, which is either the -+# uppercased parent domain, or the default realm if the hostname is a -+# single component. -+gssserver = 'h:host@' + foo -+gssserver2 = 'h:host@' + foo2 -+gsslocal = 'h:host@localhost' - - # refserver specifies the target as a principal in the referral realm. - # The principal won't be treated as a host principal by the -@@ -66,6 +72,16 @@ r1.addprinc(alice, password('alice')) - r1.addprinc(bob, password('bob')) - r2.addprinc(zaphod, password('zaphod')) - -+# Create host principals and keytabs for fallback realm tests. -+r1.addprinc('host/localhost') -+r2.addprinc('host/localhost') -+r1.addprinc('host/' + foo) -+r2.addprinc('host/' + foo2) -+r1.extract_keytab('host/localhost', r1.keytab) -+r2.extract_keytab('host/localhost', r2.keytab) -+r1.extract_keytab('host/' + foo, r1.keytab) -+r2.extract_keytab('host/' + foo2, r2.keytab) -+ - # Get tickets for one user in each realm (zaphod will be primary). - r1.kinit(alice, password('alice')) - r2.kinit(zaphod, password('zaphod')) -@@ -93,10 +109,24 @@ if output != (zaphod + '\n'): - fail('zaphod not chosen as default initiator name for server in r1') - - # Check that primary cache is used if server realm is unknown. --output = r2.run(['./t_ccselect', gssserver]) -+output = r2.run(['./t_ccselect', refserver]) - if output != (zaphod + '\n'): - fail('zaphod not chosen via primary cache for unknown server realm') --r1.run(['./t_ccselect', gssserver], expected_code=1) -+r1.run(['./t_ccselect', gssserver2], expected_code=1) -+# Check ccache selection using a fallback realm. -+output = r1.run(['./t_ccselect', gssserver]) -+if output != (alice + '\n'): -+ fail('alice not chosen via parent domain fallback') -+output = r2.run(['./t_ccselect', gssserver2]) -+if output != (zaphod + '\n'): -+ fail('zaphod not chosen via parent domain fallback') -+# Check ccache selection using a fallback realm (default realm). 
-+output = r1.run(['./t_ccselect', gsslocal]) -+if output != (alice + '\n'): -+ fail('alice not chosen via default realm fallback') -+output = r2.run(['./t_ccselect', gsslocal]) -+if output != (zaphod + '\n'): -+ fail('zaphod not chosen via default realm fallback') - - # Get a second cred in r1 (bob will be primary). - r1.kinit(bob, password('bob')) -@@ -104,19 +134,19 @@ r1.kinit(bob, password('bob')) - # Try some cache selections using .k5identity. - k5id = open(os.path.join(r1.testdir, '.k5identity'), 'w') - k5id.write('%s realm=%s\n' % (alice, r1.realm)) --k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname)) -+k5id.write('%s service=ho*t host=localhost\n' % zaphod) - k5id.write('noprinc service=bogus') - k5id.close() - output = r1.run(['./t_ccselect', host1]) - if output != (alice + '\n'): - fail('alice not chosen via .k5identity realm line.') --output = r2.run(['./t_ccselect', gssserver]) -+output = r2.run(['./t_ccselect', gsslocal]) - if output != (zaphod + '\n'): - fail('zaphod not chosen via .k5identity service/host line.') - output = r1.run(['./t_ccselect', refserver]) - if output != (bob + '\n'): - fail('bob not chosen via primary cache when no .k5identity line matches.') --r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1, -+r1.run(['./t_ccselect', 'h:bogus@' + foo2], expected_code=1, - expected_msg="Can't find client principal noprinc") - - success('GSSAPI credential selection tests') diff --git a/Use-krb5_timestamp-where-appropriate.patch b/Use-krb5_timestamp-where-appropriate.patch deleted file mode 100644 index c5b4c25..0000000 --- a/Use-krb5_timestamp-where-appropriate.patch +++ /dev/null 
@@ -1,327 +0,0 @@ -From 0ae9141d53a8d9fe048542f89d17760990bd5bc4 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Wed, 17 May 2017 15:14:15 -0400 -Subject: [PATCH] Use krb5_timestamp where appropriate - -Where krb5_int32 is used to hold the number of seconds since the -epoch, use krb5_timestamp instead. - -(cherry picked from commit ae25f6ec5558140a546db34fea389412d81c0631) ---- - src/clients/klist/klist.c | 2 +- - src/include/k5-int.h | 2 +- - src/kadmin/server/misc.c | 2 +- - src/kdc/dispatch.c | 4 ++-- - src/lib/kadm5/srv/server_acl.c | 2 +- - src/lib/kadm5/srv/server_kdb.c | 2 +- - src/lib/kadm5/srv/svr_principal.c | 10 +++++----- - src/lib/krb5/krb/gen_save_subkey.c | 3 ++- - src/lib/krb5/krb/get_in_tkt.c | 2 +- - src/lib/krb5/krb/init_ctx.c | 3 ++- - src/lib/krb5/os/c_ustime.c | 7 +++++-- - src/lib/krb5/os/toffset.c | 3 ++- - src/lib/krb5/os/trace.c | 3 ++- - src/lib/krb5/os/ustime.c | 3 ++- - src/lib/krb5/rcache/rc_dfl.c | 10 +++++----- - src/tests/create/kdb5_mkdums.c | 2 +- - 16 files changed, 34 insertions(+), 26 deletions(-) - -diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c -index ffeecc394..4334415be 100644 ---- a/src/clients/klist/klist.c -+++ b/src/clients/klist/klist.c -@@ -56,7 +56,7 @@ int show_adtype = 0, show_all = 0, list_all = 0, use_client_keytab = 0; - int show_config = 0; - char *defname; - char *progname; --krb5_int32 now; -+krb5_timestamp now; - unsigned int timestamp_width; - - krb5_context kcontext; -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 82ee20760..ed9c7bf75 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -721,7 +721,7 @@ krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context, - const krb5_keyblock *from, - krb5_keyblock *to); - --krb5_error_code krb5_crypto_us_timeofday(krb5_int32 *, krb5_int32 *); -+krb5_error_code krb5_crypto_us_timeofday(krb5_timestamp *, krb5_int32 *); - - /* - * End "los-proto.h" -diff --git a/src/kadmin/server/misc.c 
b/src/kadmin/server/misc.c -index a75b65a26..ba672d714 100644 ---- a/src/kadmin/server/misc.c -+++ b/src/kadmin/server/misc.c -@@ -159,7 +159,7 @@ kadm5_ret_t - check_min_life(void *server_handle, krb5_principal principal, - char *msg_ret, unsigned int msg_len) - { -- krb5_int32 now; -+ krb5_timestamp now; - kadm5_ret_t ret; - kadm5_policy_ent_rec pol; - kadm5_principal_ent_rec princ; -diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c -index 16a35d2be..4ecc23481 100644 ---- a/src/kdc/dispatch.c -+++ b/src/kdc/dispatch.c -@@ -94,8 +94,8 @@ static void - reseed_random(krb5_context kdc_err_context) - { - krb5_error_code retval; -- krb5_int32 now, now_usec; -- krb5_int32 usec_difference; -+ krb5_timestamp now; -+ krb5_int32 now_usec, usec_difference; - krb5_data data; - - retval = krb5_crypto_us_timeofday(&now, &now_usec); -diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c -index c4bb16dc7..679fc7c41 100644 ---- a/src/lib/kadm5/srv/server_acl.c -+++ b/src/lib/kadm5/srv/server_acl.c -@@ -375,7 +375,7 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp) - restriction_t *rp; - { - krb5_error_code code; -- krb5_int32 now; -+ krb5_timestamp now; - - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n", -diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c -index 612553ba3..f4b8aef2b 100644 ---- a/src/lib/kadm5/srv/server_kdb.c -+++ b/src/lib/kadm5/srv/server_kdb.c -@@ -365,7 +365,7 @@ kdb_put_entry(kadm5_server_handle_t handle, - krb5_db_entry *kdb, osa_princ_ent_rec *adb) - { - krb5_error_code ret; -- krb5_int32 now; -+ krb5_timestamp now; - XDR xdrs; - krb5_tl_data tl_data; - -diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c -index 137e1fb64..89f34482b 100644 ---- a/src/lib/kadm5/srv/svr_principal.c -+++ b/src/lib/kadm5/srv/svr_principal.c -@@ -296,7 +296,7 @@ kadm5_create_principal_3(void *server_handle, - 
osa_princ_ent_rec adb; - kadm5_policy_ent_rec polent; - krb5_boolean have_polent = FALSE; -- krb5_int32 now; -+ krb5_timestamp now; - krb5_tl_data *tl_data_tail; - unsigned int ret; - kadm5_server_handle_t handle = server_handle; -@@ -1322,7 +1322,7 @@ kadm5_chpass_principal_3(void *server_handle, - int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, - char *password) - { -- krb5_int32 now; -+ krb5_timestamp now; - kadm5_policy_ent_rec pol; - osa_princ_ent_rec adb; - krb5_db_entry *kdb; -@@ -1544,7 +1544,7 @@ kadm5_randkey_principal_3(void *server_handle, - { - krb5_db_entry *kdb; - osa_princ_ent_rec adb; -- krb5_int32 now; -+ krb5_timestamp now; - kadm5_policy_ent_rec pol; - int ret, last_pwd, n_new_keys; - krb5_boolean have_pol = FALSE; -@@ -1686,7 +1686,7 @@ kadm5_setv4key_principal(void *server_handle, - { - krb5_db_entry *kdb; - osa_princ_ent_rec adb; -- krb5_int32 now; -+ krb5_timestamp now; - kadm5_policy_ent_rec pol; - krb5_keysalt keysalt; - int i, kvno, ret; -@@ -1891,7 +1891,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal, - { - krb5_db_entry *kdb; - osa_princ_ent_rec adb; -- krb5_int32 now; -+ krb5_timestamp now; - kadm5_policy_ent_rec pol; - krb5_key_data *new_key_data = NULL; - int i, j, ret, n_new_key_data = 0; -diff --git a/src/lib/krb5/krb/gen_save_subkey.c b/src/lib/krb5/krb/gen_save_subkey.c -index 61f36aa36..bc2c46d30 100644 ---- a/src/lib/krb5/krb/gen_save_subkey.c -+++ b/src/lib/krb5/krb/gen_save_subkey.c -@@ -38,7 +38,8 @@ k5_generate_and_save_subkey(krb5_context context, - to guarantee randomness, but to make it less likely that multiple - sessions could pick the same subkey. 
*/ - struct { -- krb5_int32 sec, usec; -+ krb5_timestamp sec; -+ krb5_int32 usec; - } rnd_data; - krb5_data d; - krb5_error_code retval; -diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c -index 40aba1905..7178bd87b 100644 ---- a/src/lib/krb5/krb/get_in_tkt.c -+++ b/src/lib/krb5/krb/get_in_tkt.c -@@ -1788,7 +1788,7 @@ k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out, - krb5_creds *creds) - { - int i; -- krb5_int32 starttime; -+ krb5_timestamp starttime; - krb5_deltat lifetime; - krb5_get_init_creds_opt *opt; - krb5_error_code retval; -diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c -index cf226fdba..4246c5dd2 100644 ---- a/src/lib/krb5/krb/init_ctx.c -+++ b/src/lib/krb5/krb/init_ctx.c -@@ -139,7 +139,8 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, - krb5_context ctx = 0; - krb5_error_code retval; - struct { -- krb5_int32 now, now_usec; -+ krb5_timestamp now; -+ krb5_int32 now_usec; - long pid; - } seed_data; - krb5_data seed; -diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c -index 68fb381f4..f69f2ea4c 100644 ---- a/src/lib/krb5/os/c_ustime.c -+++ b/src/lib/krb5/os/c_ustime.c -@@ -29,7 +29,10 @@ - - k5_mutex_t krb5int_us_time_mutex = K5_MUTEX_PARTIAL_INITIALIZER; - --struct time_now { krb5_int32 sec, usec; }; -+struct time_now { -+ krb5_timestamp sec; -+ krb5_int32 usec; -+}; - - #if defined(_WIN32) - -@@ -73,7 +76,7 @@ get_time_now(struct time_now *n) - static struct time_now last_time; - - krb5_error_code --krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds) -+krb5_crypto_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds) - { - struct time_now now; - krb5_error_code err; -diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c -index 37bc69f49..4bbcdde52 100644 ---- a/src/lib/krb5/os/toffset.c -+++ b/src/lib/krb5/os/toffset.c -@@ -40,7 +40,8 @@ krb5_error_code KRB5_CALLCONV - krb5_set_real_time(krb5_context 
context, krb5_timestamp seconds, krb5_int32 microseconds) - { - krb5_os_context os_ctx = &context->os_context; -- krb5_int32 sec, usec; -+ krb5_timestamp sec; -+ krb5_int32 usec; - krb5_error_code retval; - - retval = krb5_crypto_us_timeofday(&sec, &usec); -diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c -index 74c315c90..8750b7650 100644 ---- a/src/lib/krb5/os/trace.c -+++ b/src/lib/krb5/os/trace.c -@@ -340,7 +340,8 @@ krb5int_trace(krb5_context context, const char *fmt, ...) - va_list ap; - krb5_trace_info info; - char *str = NULL, *msg = NULL; -- krb5_int32 sec, usec; -+ krb5_timestamp sec; -+ krb5_int32 usec; - - if (context == NULL || context->trace_callback == NULL) - return; -diff --git a/src/lib/krb5/os/ustime.c b/src/lib/krb5/os/ustime.c -index 1c1b571eb..a80fdf68c 100644 ---- a/src/lib/krb5/os/ustime.c -+++ b/src/lib/krb5/os/ustime.c -@@ -40,7 +40,8 @@ krb5_error_code - k5_time_with_offset(krb5_timestamp offset, krb5_int32 offset_usec, - krb5_timestamp *time_out, krb5_int32 *usec_out) - { -- krb5_int32 sec, usec; -+ krb5_timestamp sec; -+ krb5_int32 usec; - krb5_error_code retval; - - retval = krb5_crypto_us_timeofday(&sec, &usec); -diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c -index 6b043844d..41ebf94da 100644 ---- a/src/lib/krb5/rcache/rc_dfl.c -+++ b/src/lib/krb5/rcache/rc_dfl.c -@@ -93,7 +93,7 @@ cmp(krb5_donot_replay *old, krb5_donot_replay *new1, krb5_deltat t) - } - - static int --alive(krb5_int32 mytime, krb5_donot_replay *new1, krb5_deltat t) -+alive(krb5_timestamp mytime, krb5_donot_replay *new1, krb5_deltat t) - { - if (mytime == 0) - return CMP_HOHUM; /* who cares? 
*/ -@@ -129,7 +129,7 @@ struct authlist - - static int - rc_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep, -- krb5_int32 now, krb5_boolean fromfile) -+ krb5_timestamp now, krb5_boolean fromfile) - { - struct dfl_data *t = (struct dfl_data *)id->data; - unsigned int rephash; -@@ -536,7 +536,7 @@ krb5_rc_dfl_recover_locked(krb5_context context, krb5_rcache id) - krb5_error_code retval; - long max_size; - int expired_entries = 0; -- krb5_int32 now; -+ krb5_timestamp now; - - if ((retval = krb5_rc_io_open(context, &t->d, t->name))) { - return retval; -@@ -706,7 +706,7 @@ krb5_rc_dfl_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep) - { - krb5_error_code ret; - struct dfl_data *t; -- krb5_int32 now; -+ krb5_timestamp now; - - ret = krb5_timeofday(context, &now); - if (ret) -@@ -762,7 +762,7 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) - struct authlist **qt; - struct authlist *r; - struct authlist *rt; -- krb5_int32 now; -+ krb5_timestamp now; - - if (krb5_timestamp(context, &now)) - now = 0; -diff --git a/src/tests/create/kdb5_mkdums.c b/src/tests/create/kdb5_mkdums.c -index 622f549f9..7c0666601 100644 ---- a/src/tests/create/kdb5_mkdums.c -+++ b/src/tests/create/kdb5_mkdums.c -@@ -247,7 +247,7 @@ add_princ(context, str_newprinc) - - { - /* Add mod princ to db entry */ -- krb5_int32 now; -+ krb5_timestamp now; - - retval = krb5_timeofday(context, &now); - if (retval) { diff --git a/Use-the-canonical-client-principal-name-for-OTP.patch b/Use-the-canonical-client-principal-name-for-OTP.patch deleted file mode 100644 index c96aeb5..0000000 --- a/Use-the-canonical-client-principal-name-for-OTP.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 7998de0b9ccd0c8813159cc3f1d49fe107e3e0ba Mon Sep 17 00:00:00 2001 -From: Matt Rogers -Date: Wed, 5 Apr 2017 16:48:55 -0400 -Subject: [PATCH] Use the canonical client principal name for OTP - -In the OTP module, when constructing the RADIUS request, use the -canonicalized client principal (using the new client_name kdcpreauth -callback) instead of the request client principal. - -ticket: 8571 (new) ---- - src/plugins/preauth/otp/main.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c -index 2649e9a90..a1b681682 100644 ---- a/src/plugins/preauth/otp/main.c -+++ b/src/plugins/preauth/otp/main.c -@@ -331,7 +331,8 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, - - /* Send the request. */ - otp_state_verify((otp_state *)moddata, cb->event_context(context, rock), -- request->client, config, req, on_response, rs); -+ cb->client_name(context, rock), config, req, on_response, -+ rs); - cb->free_string(context, rock, config); - - k5_free_pa_otp_req(context, req); diff --git a/krb5-1.11-kpasswdtest.patch b/krb5-1.11-kpasswdtest.patch index e68fb05..92f3dab 100644 --- a/krb5-1.11-kpasswdtest.patch +++ b/krb5-1.11-kpasswdtest.patch @@ -1,4 +1,4 @@ -From fb8f32ebdf3293d8a6bdb9478fe1f902a399ba7a Mon Sep 17 00:00:00 2001 +From 3e94cf1accf2b33bd0c8cf54eb58b4777f411cc6 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:52:01 -0400 Subject: [PATCH] krb5-1.11-kpasswdtest.patch diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch index ad93b8a..9c4cf0e 100644 --- a/krb5-1.11-run_user_0.patch +++ b/krb5-1.11-run_user_0.patch @@ -1,4 +1,4 @@ -From 9c45f66fbc6afb472589dbeb5166f46ad266d319 Mon Sep 17 00:00:00 2001 +From 9e7e92ae1dcd242044f2dfe3b89926ddddb6a221 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:57 -0400 Subject: [PATCH] krb5-1.11-run_user_0.patch 
diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch index c5bc2e5..0b8ec6f 100644 --- a/krb5-1.12-api.patch +++ b/krb5-1.12-api.patch @@ -1,4 +1,4 @@ -From 107a2b8728f1b76feb16df9201919444482e3981 Mon Sep 17 00:00:00 2001 +From 9a6cfaaecd1a37e74dba285decd03bb4a3382f9a Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:47:00 -0400 Subject: [PATCH] krb5-1.12-api.patch diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch index 7f92b1d..43178b9 100644 --- a/krb5-1.12-ksu-path.patch +++ b/krb5-1.12-ksu-path.patch @@ -1,4 +1,4 @@ -From 93b86d94b871aed49b14d7fc1a2a9f23c16cbe0f Mon Sep 17 00:00:00 2001 +From 7b3bdbc0ca882325291caad391c4d328f174a614 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:32:09 -0400 Subject: [PATCH] krb5-1.12-ksu-path.patch diff --git a/krb5-1.12-ktany.patch b/krb5-1.12-ktany.patch index a941082..24135fd 100644 --- a/krb5-1.12-ktany.patch +++ b/krb5-1.12-ktany.patch @@ -1,4 +1,4 @@ -From efee9f8598ba84f2be0983fc1d07a9a72d0ff1b7 Mon Sep 17 00:00:00 2001 +From 1ede8564105568182e3cf6f273ab820453e2f025 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:33:53 -0400 Subject: [PATCH] krb5-1.12-ktany.patch diff --git a/krb5-1.12.1-pam.patch b/krb5-1.12.1-pam.patch index 5372fb4..c56606f 100644 --- a/krb5-1.12.1-pam.patch +++ b/krb5-1.12.1-pam.patch @@ -1,4 +1,4 @@ -From e0924e10dd431a898c9c95faa04b51edbe59c5ef Mon Sep 17 00:00:00 2001 +From 385194db1a08c1b923f9eb75e9602b56720fd50e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:29:58 -0400 Subject: [PATCH] krb5-1.12.1-pam.patch @@ -28,10 +28,10 @@ changes we're proposing for how it handles cache collections. create mode 100644 src/clients/ksu/pam.h diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 9c46da4b5..508e5fe90 100644 +index d6d1279c3..5c9c13e5f 100644 --- a/src/aclocal.m4 
+++ b/src/aclocal.m4 -@@ -1675,3 +1675,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[ +@@ -1696,3 +1696,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[ ])) ])dnl dnl @@ -141,7 +141,7 @@ index b2fcbf240..5755bb58a 100644 clean: $(RM) ksu diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c -index 28342c2d7..cab0c1806 100644 +index 7ff676ca7..c6321c01b 100644 --- a/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c @@ -26,6 +26,7 @@ @@ -756,10 +756,10 @@ index 000000000..0ab76569c +void appl_pam_cleanup(void); +#endif diff --git a/src/configure.in b/src/configure.in -index 037c9f316..daabd12c8 100644 +index 10f45eb12..7288a71ec 100644 --- a/src/configure.in +++ b/src/configure.in -@@ -1336,6 +1336,8 @@ AC_SUBST([VERTO_VERSION]) +@@ -1306,6 +1306,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch index 9b0178c..47716dc 100644 --- a/krb5-1.13-dirsrv-accountlock.patch +++ b/krb5-1.13-dirsrv-accountlock.patch @@ -1,4 +1,4 @@ -From f2df0b75dfbc9796bf8e1477f4661dfb7cdcf8d4 Mon Sep 17 00:00:00 2001 +From 850689009f9aeddc0b63051a3e2883d02b05387e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:47:44 -0400 Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch @@ -12,10 +12,10 @@ original version filed as RT#5891. 3 files changed, 29 insertions(+) diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index f5667c35f..2bfb99496 100644 +index 5eeaa2d8a..1fd243094 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 -@@ -1656,6 +1656,15 @@ if test "$with_ldap" = yes; then +@@ -1677,6 +1677,15 @@ if test "$with_ldap" = yes; then AC_MSG_NOTICE(enabling OpenLDAP database backend module support) OPENLDAP_PLUGIN=yes fi @@ -32,10 +32,10 @@ index f5667c35f..2bfb99496 100644 dnl dnl If libkeyutils exists (on Linux) include it and use keyring ccache 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -index 32efc4f54..af8b2db7b 100644 +index 5b9d1e9fa..4e7270065 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -@@ -1674,6 +1674,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, +@@ -1652,6 +1652,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data); if (ret) goto cleanup; diff --git a/krb5-1.15-beta1-buildconf.patch b/krb5-1.15-beta1-buildconf.patch index 276c254..b0024ec 100644 --- a/krb5-1.15-beta1-buildconf.patch +++ b/krb5-1.15-beta1-buildconf.patch @@ -1,4 +1,4 @@ -From ae5bb11c0f06fdf92f51d237e94c1d410c59aa04 Mon Sep 17 00:00:00 2001 +From 285eaffa69e9c2ff7f0adf017d192b5e7afb7002 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:45:26 -0400 Subject: [PATCH] krb5-1.15-beta1-buildconf.patch @@ -33,7 +33,7 @@ index c17cb5eb5..1891dea99 100755 lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 diff --git a/src/config/pre.in b/src/config/pre.in -index fcea229bd..d961b5621 100644 +index d4714d29a..03f5c8890 100644 --- a/src/config/pre.in +++ b/src/config/pre.in @@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP) diff --git a/krb5-1.15.1-selinux-label.patch b/krb5-1.15.1-selinux-label.patch index 2590f8e..475f74d 100644 --- a/krb5-1.15.1-selinux-label.patch +++ b/krb5-1.15.1-selinux-label.patch @@ -1,4 +1,4 @@ -From aaf74b66a51cbda90ba40f73eb8def9b192ab262 Mon Sep 17 00:00:00 2001 +From d38588a165302d915eb6b4da0c2755601547bcd1 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:30:53 -0400 Subject: [PATCH] krb5-1.15.1-selinux-label.patch @@ -66,7 +66,7 @@ which we used earlier, is some improvement. create mode 100644 src/util/support/selinux.c 
diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 508e5fe90..607859f17 100644 +index 5c9c13e5f..6257dba40 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag) @@ -77,7 +77,7 @@ index 508e5fe90..607859f17 100644 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1742,3 +1743,51 @@ AC_SUBST(PAM_LIBS) +@@ -1763,3 +1764,51 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl @@ -151,7 +151,7 @@ index f6184da3f..c17cb5eb5 100755 echo $lib_flags diff --git a/src/config/pre.in b/src/config/pre.in -index e0626320c..fcea229bd 100644 +index 3f267eb1f..d4714d29a 100644 --- a/src/config/pre.in +++ b/src/config/pre.in @@ -177,6 +177,7 @@ LD = $(PURE) @LD@ @@ -170,12 +170,12 @@ index e0626320c..fcea229bd 100644 +KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) - # needs fixing if ever used on Mac OS X! + # needs fixing if ever used on macOS! diff --git a/src/configure.in b/src/configure.in -index daabd12c8..acf3a458b 100644 +index 7288a71ec..2b6d5baa7 100644 --- a/src/configure.in +++ b/src/configure.in -@@ -1338,6 +1338,8 @@ AC_PATH_PROG(GROFF, groff) +@@ -1308,6 +1308,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM @@ -185,7 +185,7 @@ index daabd12c8..acf3a458b 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 64991738a..173cb0264 100644 +index e1b1cb040..9378ae047 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -128,6 +128,7 @@ typedef unsigned char u_char; @@ -235,7 +235,7 @@ index 000000000..dfaaa847c +#endif +#endif diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index ac22f4c55..cf60d6c41 100644 +index c86e78274..e81bb0a6d 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -87,6 +87,12 @@ 
@@ -252,7 +252,7 @@ index ac22f4c55..cf60d6c41 100644 #include diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c -index f7889bd23..cad53cfbf 100644 +index aca136f0b..22e926ae4 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) @@ -287,10 +287,10 @@ index f7889bd23..cad53cfbf 100644 com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); exit_status++; diff --git a/src/kdc/main.c b/src/kdc/main.c -index ebc852bba..a4dffb29a 100644 +index f2226da25..ccac3a759 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c -@@ -872,7 +872,7 @@ write_pid_file(const char *path) +@@ -873,7 +873,7 @@ write_pid_file(const char *path) FILE *file; unsigned long pid; @@ -385,10 +385,10 @@ index bba64e516..73f0fe62d 100644 _("Credential cache directory %s does not exist"), dirname); diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c -index 6a42f267d..674d88bab 100644 +index 091f2c43f..ecc97ee2f 100644 --- a/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c -@@ -1022,14 +1022,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) +@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) KTCHECKLOCK(id); errno = 0; @@ -406,10 +406,10 @@ index 6a42f267d..674d88bab 100644 goto report_errno; writevno = 1; diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c -index 83c8d4db8..a19246128 100644 +index e97ce5fe5..779f184cb 100644 --- a/src/lib/krb5/os/trace.c +++ b/src/lib/krb5/os/trace.c -@@ -397,7 +397,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) +@@ -398,7 +398,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) fd = malloc(sizeof(*fd)); if (fd == NULL) return ENOMEM; @@ -419,10 +419,10 @@ index 83c8d4db8..a19246128 100644 free(fd); return errno; 
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c -index c4d2c744d..c0f12ed9d 100644 +index 1e0cb22c9..f5e93b1ab 100644 --- a/src/lib/krb5/rcache/rc_dfl.c +++ b/src/lib/krb5/rcache/rc_dfl.c -@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) +@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) krb5_error_code retval = 0; krb5_rcache tmp; krb5_deltat lifespan = t->lifespan; /* save original lifespan */ @@ -432,7 +432,7 @@ index c4d2c744d..c0f12ed9d 100644 if (! t->recovering) { name = t->name; -@@ -815,7 +818,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) +@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) retval = krb5_rc_resolve(context, tmp, 0); if (retval) goto cleanup; @@ -464,7 +464,7 @@ index 7db30a33b..2b9d01921 100644 * maybe someone took away write permission so we could only * get shared locks? diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c -index 4c4036eb4..d90bdeaba 100644 +index d23587a59..e2825650b 100644 --- a/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c @@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) @@ -500,7 +500,7 @@ index 2977b17f3..d5809a5a9 100644 } else { diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c -index 76f5d4709..1fa8b8389 100644 +index 862dbb164..686a960c9 100644 --- a/src/plugins/kdb/db2/libdb2/hash/hash.c +++ b/src/plugins/kdb/db2/libdb2/hash/hash.c @@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95"; @@ -511,7 +511,7 @@ index 76f5d4709..1fa8b8389 100644 #include "db-int.h" #include "hash.h" #include "page.h" -@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags) +@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags) new_table = 1; } if (file) { 
@@ -580,10 +580,10 @@ index 022156a5e..3d6994c67 100644 if (newfile == NULL) { com_err(me, errno, _("Error creating file %s"), tmp_file); diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c -index 056c31a42..b78c3d9e5 100644 +index d621f108f..99676cc97 100644 --- a/src/slave/kpropd.c +++ b/src/slave/kpropd.c -@@ -464,6 +464,9 @@ doit(int fd) +@@ -488,6 +488,9 @@ doit(int fd) krb5_enctype etype; int database_fd; char host[INET6_ADDRSTRLEN + 1]; @@ -593,7 +593,7 @@ index 056c31a42..b78c3d9e5 100644 signal_wrapper(SIGALRM, alarm_handler); alarm(params.iprop_resync_timeout); -@@ -520,9 +523,15 @@ doit(int fd) +@@ -543,9 +546,15 @@ doit(int fd) free(name); exit(1); } @@ -631,7 +631,7 @@ index 907c119bb..0f5462aea 100644 retval = errno; if (retval == 0) diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in -index 6239e4176..17bcd2a67 100644 +index 0bf0b7a87..58ac2e333 100644 --- a/src/util/support/Makefile.in +++ b/src/util/support/Makefile.in @@ -69,6 +69,7 @@ IPC_SYMS= \ @@ -642,7 +642,7 @@ index 6239e4176..17bcd2a67 100644 init-addrinfo.o \ plugins.o \ errors.o \ -@@ -148,7 +149,7 @@ SRCS=\ +@@ -149,7 +150,7 @@ SRCS=\ SHLIB_EXPDEPS = # Add -lm if dumping thread stats, for sqrt. diff --git a/krb5-1.3.1-dns.patch b/krb5-1.3.1-dns.patch index 766226f..c50f1df 100644 --- a/krb5-1.3.1-dns.patch +++ b/krb5-1.3.1-dns.patch @@ -1,4 +1,4 @@ -From 1b95f8a488d1e70bf7698c8b49412306a1b8aba0 Mon Sep 17 00:00:00 2001 +From 4bc124bfff119d436eeb1af7b9d5726e17284d67 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:46:21 -0400 Subject: [PATCH] krb5-1.3.1-dns.patch @@ -9,10 +9,10 @@ We want to be able to use --with-netlib and --enable-dns at the same time. 1 file changed, 1 insertion(+) diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 607859f17..f5667c35f 100644 +index 6257dba40..5eeaa2d8a 100644 --- a/src/aclocal.m4 
+++ b/src/aclocal.m4 -@@ -703,6 +703,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library), +@@ -726,6 +726,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library), LIBS="$LIBS $withval" AC_MSG_RESULT("netlib will use \'$withval\'") fi diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch index d3d0080..57a8b32 100644 --- a/krb5-1.9-debuginfo.patch +++ b/krb5-1.9-debuginfo.patch @@ -1,4 +1,4 @@ -From e1d7fcf9713fe322ad5740045650dac86427e6ae Mon Sep 17 00:00:00 2001 +From 82f8b63ae3955423456adf15790c10eb1145ec52 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] krb5-1.9-debuginfo.patch diff --git a/krb5.spec b/krb5.spec index df62457..53c3d25 100644 --- a/krb5.spec +++ b/krb5.spec @@ -9,21 +9,21 @@ %global configured_default_ccache_name KEYRING:persistent:%%{uid} # leave empty or set to e.g., -beta2 -%global prerelease %{nil} +%global prerelease -beta1 # Should be in form 5.0, 6.1, etc. %global kdbversion 6.1 Summary: The Kerberos network authentication system Name: krb5 -Version: 1.15.2 -# for prerelease, should be e.g., 0.3.beta2% { ?dist } (without spaces) -Release: 2%{?dist} +Version: 1.16 +# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) +Release: 0.beta1.1%{?dist} # lookaside-cached sources; two downloads and a build artifact -Source0: https://web.mit.edu/kerberos/dist/krb5/1.15/krb5-%{version}%{prerelease}.tar.gz +Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz # rharwood has trust path to signing key and verifies on check-in -Source1: https://web.mit.edu/kerberos/dist/krb5/1.15/krb5-%{version}%{prerelease}.tar.gz.asc +Source1: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz.asc # This source is generated during the build because it is documentation. # To override this behavior (e.g., new upstream version), do: # tar cfT krb5-1.15.2-pdfs.tar /dev/null 
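Review bot: As far as this hunk shows, the build never checks the detached signature listed as `Source1`; the comment above it says the packager verifies the tarball by hand at check-in, so later builds rest only on the lookaside checksums. Since the sources move to a new upstream prerelease here, consider carrying the upstream signing keyring as an extra source and verifying in `%prep`, e.g. `%{gpgverify --keyring='%{SOURCEn}' --signature='%{SOURCE1}' --data='%{SOURCE0}'}` with `BuildRequires: gnupg2` (`SOURCEn` is a placeholder for the keyring's source number). `%prep` is outside this hunk, so confirm that no such check already exists. Separately, the new comment's example `0.% {prerelease}.1` would expand with the leading hyphen of `-beta1`, which a Release tag cannot contain; the `Release:` line itself correctly spells out `0.beta1.1`, so the comment should show that form.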
@@ -60,38 +60,7 @@ Patch33: krb5-1.13-dirsrv-accountlock.patch Patch34: krb5-1.9-debuginfo.patch Patch35: krb5-1.11-run_user_0.patch Patch36: krb5-1.11-kpasswdtest.patch -Patch37: Build-with-Werror-implicit-int-where-supported.patch -Patch38: Add-PKINIT-UPN-tests-to-t_pkinit.py.patch -Patch39: Add-test-case-for-PKINIT-DH-renegotiation.patch -Patch40: Use-expected_trace-in-test-scripts.patch -Patch41: Use-expected_msg-in-test-scripts.patch -Patch42: Use-fallback-realm-for-GSSAPI-ccache-selection.patch Patch43: Use-GSSAPI-fallback-skiptest.patch -Patch44: Improve-PKINIT-UPN-SAN-matching.patch -Patch45: Add-test-cert-generation-to-make-certs.sh.patch -Patch46: Deindent-crypto_retrieve_X509_sans.patch -Patch47: Add-the-client_name-kdcpreauth-callback.patch -Patch48: Use-the-canonical-client-principal-name-for-OTP.patch -Patch49: Add-certauth-pluggable-interface.patch -Patch50: Correct-error-handling-bug-in-prior-commit.patch -Patch51: Add-k5test-expected_msg-expected_trace.patch -Patch53: Add-support-to-query-the-SSF-of-a-GSS-context.patch -Patch55: Remove-incomplete-PKINIT-OCSP-support.patch -Patch57: Fix-in_clock_skew-and-use-it-in-AS-client-code.patch -Patch58: Add-timestamp-helper-functions.patch -Patch59: Make-timestamp-manipulations-y2038-safe.patch -Patch60: Add-timestamp-tests.patch -Patch61: Add-y2038-documentation.patch -Patch62: Fix-more-time-manipulations-for-y2038.patch -Patch63: Use-krb5_timestamp-where-appropriate.patch -Patch64: Add-KDC-policy-pluggable-interface.patch -Patch65: Fix-bugs-in-kdcpolicy-commit.patch -Patch66: Convert-some-pkiDebug-messages-to-TRACE-macros.patch -Patch67: Fix-certauth-built-in-module-returns.patch -Patch68: Add-test-cert-with-no-extensions.patch -Patch69: Add-PKINIT-test-case-for-generic-client-cert.patch -Patch70: Add-hostname-based-ccselect-module.patch -Patch71: Add-German-translation.patch License: MIT URL: http://web.mit.edu/kerberos/www/ 
@@ -381,7 +350,7 @@ for pdf in admin appdev basic build plugindev user ; do test -s build-pdf/$pdf.pdf || make -C build-pdf done # new krb5-%{version}-pdf -tar -cf "krb5-%{version}-pdfs.tar.new" build-pdf/*.pdf +tar -cf "krb5-%{version}%{prerelease}-pdfs.tar.new" build-pdf/*.pdf # We need to cut off any access to locally-running nameservers, too. %{__cc} -fPIC -shared -o noport.so -Wall -Wextra $RPM_SOURCE_DIR/noport.c @@ -745,6 +714,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Thu Oct 05 2017 Robbie Harwood - 1.16-0.beta1.1 +- New upstream prerelease (1.16-beta1) + * Thu Sep 28 2017 Robbie Harwood - 1.15.2-2 - Add German translation diff --git a/sources b/sources index a72430d..d5f6442 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (krb5-1.15.2-pdfs.tar) = 5875efde7ed88dcccd6f624a5252c5c70844fe94015ce4acfdf7f6ccabf52c86965c5a661b161c73e37b46e51aa5e9ea19602ab32e8b50682ecb0a450f0553b6 -SHA512 (krb5-1.15.2.tar.gz) = e5814bb66384b13637c37918df694c6b9933c29c2d952da0ed0dcd2e623b269060b4c16b6c02162039dadebdab99ff1085e37e7621ae4748dafb036424e612c2 -SHA512 (krb5-1.15.2.tar.gz.asc) = 37cee442de29229fa821539c3f1724eb4d37fa9ce5eee644869a7311c8fe10218dac36da3a5297d45168d8fb1ad64dbd614f10d3384d54e4070e56e7fe8a1e63 +SHA512 (krb5-1.16-beta1-pdfs.tar) = 79329b7978101723a5c9f55773ac69bd1986c716e6d8b4cd42cbf17a8e85cd49f13b376e0b4b0ccca485b5a5a79d6bce8ace0c22df79b6f0a47a74c387f83ffd +SHA512 (krb5-1.16-beta1.tar.gz) = 68dba5212d2dd28ed0bc4961931af8d291bcdf2805baa4e930b0218f7749dc1e4dfe696aacca0529787f274b99fe5a8297f3e13877f724ee983483b399daf2c9 +SHA512 (krb5-1.16-beta1.tar.gz.asc) = 342272496897b4a4452d73186b7d19bbc3155e38fe39e0e852e03ce4757a3284baefbb1c49653e53d36e96ab587a7acb718e14c8281ccca85cb0de4c7d0b730e
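Review bot: The comment on the line above the changed `tar -cf` still reads `# new krb5-%{version}-pdf`, although the archive name now includes `%{prerelease}`; it should follow the new name, e.g. `# new krb5-%{version}%{prerelease}-pdfs.tar`. The override instruction kept as context in the first krb5.spec hunk (`tar cfT krb5-1.15.2-pdfs.tar /dev/null`) is stale in the same way, and an empty archive created under that name would presumably not match the file the spec and `sources` now expect. The surrounding script section starts outside this hunk.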