Document client keytab usage

Document-client-keytab-usage.patch

@@ -0,0 +1,62 @@
+From 90a4102f334ce0c655492de9248c3c60ffbd0449 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 16 Mar 2020 18:14:30 -0400
+Subject: [PATCH] Document client keytab usage
+
+ticket: 8886 (new)
+tags: pullup
+target_version: 1.18-next
+
+(cherry picked from commit 366c64897d55c86cdc616d2d1cf4617ff8a07a99)
+---
+ doc/admin/appl_servers.rst | 37 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+diff --git a/doc/admin/appl_servers.rst b/doc/admin/appl_servers.rst
+index fee49f027..5232db9af 100644
+--- a/doc/admin/appl_servers.rst
++++ b/doc/admin/appl_servers.rst
+@@ -60,6 +60,43 @@ To remove a principal from an existing keytab, use the kadmin
+    :end-before: _ktremove_end:
+ 
+ 
++Using a keytab to acquire client credentials
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++While keytabs are ordinarily used to accept credentials from clients,
++they can also be used to acquire initial credentials, allowing one
++service to authenticate to another.
++
++To manually obtain credentials using a keytab, use the :ref:`kinit(1)`
++**-k** option, together with the **-t** option if the keytab is not in
++the default location.
++
++Beginning with release 1.11, GSSAPI applications can be configured to
++automatically obtain initial credentials from a keytab as needed.  The
++recommended configuration is as follows:
++
++#. Create a keytab containing a single entry for the desired client
++   identity.
++
++#. Place the keytab in a location readable by the service, and set the
++   **KRB5_CLIENT_KTNAME** environment variable to its filename.
++   Alternatively, use the **default_client_keytab_name** profile
++   variable in :ref:`libdefaults`, or use the default location of
++   |ckeytab|.
++
++#. Set **KRB5CCNAME** to a filename writable by the service, which
++   will not be used for any other purpose.  Do not manually obtain
++   credentials at this location.  (Another credential cache type
++   besides **FILE** can be used if desired, as long the cache will not
++   conflict with another use.  A **MEMORY** cache can be used if the
++   service runs as a long-lived process.  See :ref:`ccache_definition`
++   for details.)
++
++#. Start the service.  When it authenticates using GSSAPI, it will
++   automatically obtain credentials from the client keytab into the
++   specified credential cache, and refresh them before they expire.
++
++
+ Clock Skew
+ ----------
+ 

krb5.spec

@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 5%{?dist}
+Release: 6%{?dist}
 
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -54,6 +54,7 @@ Patch8: Fix-AS-REQ-checking-of-KDB-modified-indicators.patch
 Patch9: Allow-certauth-modules-to-set-hw-authent-flag.patch
 Patch10: Allow-deletion-of-require_auth-with-LDAP-KDB.patch
 Patch11: Refresh-manually-acquired-creds-from-client-keytab.patch
+Patch12: Document-client-keytab-usage.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -627,6 +628,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Tue Mar 17 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-6
+- Document client keytab usage
+
 * Tue Mar 03 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-5
 - Refresh manually acquired creds from client keytab