A Kerberos principal entry is represented by a kadm5_principal_ent_t. It contains a subset of the information stored in the master Kerberos database as well as the additional information maintained by the admin system. In the current version, the only additional information is the principal's policy and the aux_attributes flags.
The principal may or may not have a policy enforced on it. If the POLICY bit (see section 4.5) is set in aux_attributes, the policy field names the principal's policy. If the POLICY bit is not set in aux_attributes, no policy is enforced on the principal and the value of the policy field is undefined.
The fields of a kadm5_principal_ent_t are interpreted as follows.
Name | Value
KRB5_KDB_DISALLOW_POSTDATED | 0x00000001
KRB5_KDB_DISALLOW_FORWARDABLE | 0x00000002
KRB5_KDB_DISALLOW_TGT_BASED | 0x00000004
KRB5_KDB_DISALLOW_RENEWABLE | 0x00000008
KRB5_KDB_DISALLOW_PROXIABLE | 0x00000010
KRB5_KDB_DISALLOW_DUP_SKEY | 0x00000020
KRB5_KDB_DISALLOW_ALL_TIX | 0x00000040
KRB5_KDB_REQUIRES_PRE_AUTH | 0x00000080
KRB5_KDB_REQUIRES_HW_AUTH | 0x00000100
KRB5_KDB_REQUIRES_PWCHANGE | 0x00000200
KRB5_KDB_DISALLOW_SVR | 0x00001000
KRB5_KDB_PWCHANGE_SERVICE | 0x00002000
KRB5_KDB_SUPPORT_DESMD5 | 0x00004000
KRB5_KDB_NEW_PRINC | 0x00008000
#1 linked list. This field only exists in KADM5_API_VERSION_2.
#1 array. This field only exists in KADM5_API_VERSION_2.
    typedef struct _krb5_tl_data {
        struct _krb5_tl_data *tl_data_next;
        krb5_int16 tl_data_type;
        krb5_int16 tl_data_length;
        krb5_octet *tl_data_contents;
    } krb5_tl_data;

The KADM5 API only allows elements whose tl_data_type is greater than or equal to 256. Values less than 256 are reserved for internal use by the KADM5 or kdb system. They are filtered out of the list returned by kadm5_get_principal, and generate an error if given to kadm5_modify_principal.
The libkdb library defines the tagged data types KRB5_TL_LAST_PWD_CHANGE, KRB5_TL_MOD_PRINC, and KRB5_TL_KADM_DATA, all with values less than 256, which store the last password modification time, time and modifier of last principal modification, and administration system data. All of these entries are expected by the administration system and parsed out into fields of the kadm5_principal_ent_rec structure; as described above, they are not included in the tl_data list.
Tagged data elements with types greater than 256 are handled without interpretation by KADM5. Note that an application that calls kadm5_modify_principal with the KADM5_TL_DATA mask bit set is responsible for providing the complete tl_data list, which it necessarily must obtain from kadm5_get_principal. It is never possible for an application to construct a complete tl_data list from scratch.
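As an added example (not part of the KADM5 specification or the MIT code), the following applies the 256 boundary described above on the client side: a pre-check that mirrors the kadm5_modify_principal rejection rule, and a filter that mirrors what kadm5_get_principal does to the list. The krb5_int16/krb5_octet typedefs are local stand-ins for the krb5.h ones, and the sample list and its type values are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumption: local stand-ins for the krb5.h typedefs so this builds without
 * libkrb5 headers. The struct itself is the one given in the text. */
typedef int16_t krb5_int16;
typedef uint8_t krb5_octet;

typedef struct _krb5_tl_data {
    struct _krb5_tl_data *tl_data_next;
    krb5_int16 tl_data_type;
    krb5_int16 tl_data_length;
    krb5_octet *tl_data_contents;
} krb5_tl_data;

#define KADM5_TL_DATA_MIN_APP_TYPE 256 /* types below 256 are reserved for KADM5/kdb */

/* Hypothetical client-side check mirroring the kadm5_modify_principal rule:
 * returns the first reserved tl_data_type found, or -1 if the list is clean. */
int first_reserved_tl_type(const krb5_tl_data *list)
{
    for (; list != NULL; list = list->tl_data_next)
        if (list->tl_data_type < KADM5_TL_DATA_MIN_APP_TYPE)
            return list->tl_data_type;
    return -1;
}

/* Hypothetical filter mirroring kadm5_get_principal: unlinks every
 * reserved-type element in place, stores how many were dropped in *dropped,
 * and returns the (possibly new) list head. Storage is owned by the caller. */
krb5_tl_data *filter_reserved_tl_data(krb5_tl_data *head, int *dropped)
{
    krb5_tl_data **pp = &head;
    *dropped = 0;
    while (*pp != NULL) {
        if ((*pp)->tl_data_type < KADM5_TL_DATA_MIN_APP_TYPE) {
            *pp = (*pp)->tl_data_next;      /* unlink the reserved element */
            (*dropped)++;
        } else {
            pp = &(*pp)->tl_data_next;
        }
    }
    return head;
}

/* Constructed sample list: one reserved entry (type 3) sits between two
 * application entries (types 256 and 300). All values are made up. */
static krb5_octet payload[] = { 0xde, 0xad };
static krb5_tl_data sample[3] = {
    { &sample[1], 256, 2, payload },
    { &sample[2],   3, 2, payload },
    { NULL,       300, 2, payload },
};

krb5_tl_data *sample_list(void) { return &sample[0]; }
```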