

Principals, kadm5_principal_ent_t

A Kerberos principal entry is represented by a kadm5_principal_ent_t. It contains a subset of the information stored in the master Kerberos database as well as the additional information maintained by the admin system. In the current version, the only additional information is the principal's policy and the aux_attributes flags.

The principal may or may not have a policy enforced on it. If the POLICY bit (see section 4.5) is set in aux_attributes, the policy field names the principal's policy. If the POLICY bit is not set in aux_attributes, no policy is enforced on the principal and the value of the policy field is undefined.

Figure 1: Definition of kadm5_principal_ent_t (listing truncated in this rendering; the fields are enumerated below).

    typedef struct _kadm5_principal_ent_t {
        krb5_pr...
        ...a;
    } kadm5_principal_ent_rec, *kadm5_principal_ent_t;

The fields of a kadm5_principal_ent_t are interpreted as follows.

principal
The name of the principal; must conform to Kerberos naming specifications.

princ_expire_time
The expire time of the principal as a Kerberos timestamp. No Kerberos tickets will be issued for a principal after its expire time.

last_pwd_change
The time this principal's password was last changed, as a Kerberos timestamp.

pw_expiration
The expiration time of the principal's current password, as a Kerberos timestamp. Once this time has passed, no application service tickets are issued for the principal; the only tickets it can still obtain are for services whose attributes field has the KRB5_KDB_PWCHANGE_SERVICE bit set, i.e. password-changing services.

max_life
The maximum lifetime of any Kerberos ticket issued to this principal.

attributes
A bitfield of attributes for use by the KDC. The symbols and constant values are defined below; their interpretation appears in the libkdb functional specification.

    Name                             Value
    KRB5_KDB_DISALLOW_POSTDATED      0x00000001
    KRB5_KDB_DISALLOW_FORWARDABLE    0x00000002
    KRB5_KDB_DISALLOW_TGT_BASED      0x00000004
    KRB5_KDB_DISALLOW_RENEWABLE      0x00000008
    KRB5_KDB_DISALLOW_PROXIABLE      0x00000010
    KRB5_KDB_DISALLOW_DUP_SKEY       0x00000020
    KRB5_KDB_DISALLOW_ALL_TIX        0x00000040
    KRB5_KDB_REQUIRES_PRE_AUTH       0x00000080
    KRB5_KDB_REQUIRES_HW_AUTH        0x00000100
    KRB5_KDB_REQUIRES_PWCHANGE       0x00000200
    KRB5_KDB_DISALLOW_SVR            0x00001000
    KRB5_KDB_PWCHANGE_SERVICE        0x00002000
    KRB5_KDB_SUPPORT_DESMD5          0x00004000
    KRB5_KDB_NEW_PRINC               0x00008000

mod_name
The name of the Kerberos principal that most recently modified this principal.

mod_date
The time this principal was last modified, as a Kerberos timestamp.

kvno
The version of the principal's current key.

mkvno
The version of the Kerberos Master Key in effect when this principal's key was last changed. In KADM5_API_VERSION_2, this field is always zero.

policy
If the POLICY bit is set in aux_attributes, the name of the policy controlling this principal.

aux_attributes
A bitfield of flags for use by the administration system. Currently, the only valid flag is POLICY, and it indicates whether or not the principal has a policy enforced on it.

max_renewable_life
The maximum renewable lifetime of any Kerberos ticket issued to or for this principal. This field only exists in KADM5_API_VERSION_2.

last_success
The KDC time of the last successful AS_REQ. This is only updated if KRBCONF_KDC_MODIFIES_KDB is defined during compilation of the KDC. This field only exists in KADM5_API_VERSION_2.

last_failed
The KDC time of the last failed AS_REQ. This is only updated if KRBCONF_KDC_MODIFIES_KDB is defined during compilation of the KDC. This field only exists in KADM5_API_VERSION_2.

fail_auth_count
The number of consecutive failed AS_REQs. When this count reaches KRB5_MAX_FAIL_COUNT, the KRB5_KDB_DISALLOW_ALL_TIX attribute is set on the principal, locking it out of all ticket issuance. This is only updated if KRBCONF_KDC_MODIFIES_KDB is defined during compilation of the KDC. This field only exists in KADM5_API_VERSION_2.

n_tl_data
The number of elements in the tl_data linked list. This field only exists in KADM5_API_VERSION_2.

n_key_data
The number of elements in the key_data array. This field only exists in KADM5_API_VERSION_2.

tl_data
A linked list of tagged data. This list is a mechanism by which programs can store extended information in a principal entry, without having to modify the database API. Each element is of type krb5_tl_data:
typedef struct _krb5_tl_data {
    struct _krb5_tl_data* tl_data_next;      /* next element, or NULL at the end of the list */
    krb5_int16            tl_data_type;      /* tag; values below 256 are reserved (see below) */
    krb5_int16            tl_data_length;    /* number of octets in tl_data_contents */
    krb5_octet          * tl_data_contents;  /* opaque payload, interpreted by the tag's owner */
} krb5_tl_data;
The KADM5 API only allows elements whose tl_data_type is greater than or equal to 256. Values less than 256 are reserved for internal use by the KADM5 or kdb system. They are filtered out of the list returned by kadm5_get_principal, and generate an error if given to kadm5_modify_principal.

The libkdb library defines the tagged data types KRB5_TL_LAST_PWD_CHANGE, KRB5_TL_MOD_PRINC, and KRB5_TL_KADM_DATA, all with values less than 256, which store the last password modification time, the time and modifier of the last principal modification, and administration system data, respectively. All of these entries are expected by the administration system and parsed out into fields of the kadm5_principal_ent_rec structure; as described above, they are not included in the tl_data list.

Tagged data elements with types of 256 or greater are handled without interpretation by KADM5. Note that an application that calls kadm5_modify_principal with the KADM5_TL_DATA mask bit set is responsible for providing the complete tl_data list, which it necessarily must obtain from kadm5_get_principal. It is never possible for an application to construct a complete tl_data list from scratch.

key_data
An array of the principal's keys. The keys contained in this array are encrypted in the Kerberos master key. See section 4.4 for a discussion of the krb5_key_data structure.
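The attributes bitfield and the tl_data rules described above, worked through in C. This is an added example, not code from the KADM5 specification or the MIT Kerberos sources: it redeclares the krb5_flags, krb5_int16 and krb5_octet types and the KRB5_KDB_* constants locally so that it builds without the krb5 headers, the KRB5_KDB_* values are the ones tabulated above, the 256 threshold is the one the specification gives, and the value of KRB5_MAX_FAIL_COUNT (5) and the name KADM5_TL_DATA_MIN_TYPE are assumptions made for the example. tl_data_strip_reserved models what kadm5_get_principal does to the list before returning it; tl_data_check_for_modify models the check kadm5_modify_principal applies when KADM5_TL_DATA is in the mask.

```c
/* Added example, not part of the KADM5 specification or the MIT Kerberos
 * sources; stand-in definitions are used so no krb5/kadm5 headers are needed.
 * It models the KRB5_KDB_* attributes bitfield (with the fail_auth_count
 * lockout) and the tl_data rule that types below 256 are reserved. Flag values
 * are those tabulated above; KRB5_MAX_FAIL_COUNT and KADM5_TL_DATA_MIN_TYPE
 * are assumed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int32_t krb5_flags;
typedef int16_t krb5_int16;
typedef uint8_t krb5_octet;

/* X-macro so the constants and their printable names come from one list. */
#define KRB5_KDB_FLAG_LIST(X) \
    X(DISALLOW_POSTDATED, 0x00000001) X(DISALLOW_FORWARDABLE, 0x00000002) \
    X(DISALLOW_TGT_BASED, 0x00000004) X(DISALLOW_RENEWABLE, 0x00000008)   \
    X(DISALLOW_PROXIABLE, 0x00000010) X(DISALLOW_DUP_SKEY, 0x00000020)    \
    X(DISALLOW_ALL_TIX, 0x00000040)   X(REQUIRES_PRE_AUTH, 0x00000080)    \
    X(REQUIRES_HW_AUTH, 0x00000100)   X(REQUIRES_PWCHANGE, 0x00000200)    \
    X(DISALLOW_SVR, 0x00001000)       X(PWCHANGE_SERVICE, 0x00002000)     \
    X(SUPPORT_DESMD5, 0x00004000)     X(NEW_PRINC, 0x00008000)
#define AS_ENUM(n, v) KRB5_KDB_##n = v,
#define AS_NAME(n, v) { v, "KRB5_KDB_" #n },
enum { KRB5_KDB_FLAG_LIST(AS_ENUM) };
static const struct { krb5_flags bit; const char *name; } attr_names[] = {
    KRB5_KDB_FLAG_LIST(AS_NAME) };

#define KRB5_MAX_FAIL_COUNT    5    /* assumed: the spec does not give the value */
#define KADM5_TL_DATA_MIN_TYPE 256  /* threshold from the spec; the name is assumed */

/* Render set bits as "NAME|NAME"; unnamed bits are appended in hex so nothing is silently dropped. */
char *describe_attributes(krb5_flags attrs, char *buf, size_t len) {
    krb5_flags known = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof attr_names / sizeof attr_names[0]; i++) {
        if (!(attrs & attr_names[i].bit)) continue;
        snprintf(buf + strlen(buf), len - strlen(buf), "%s%s", *buf ? "|" : "", attr_names[i].name);
        known |= attr_names[i].bit;
    }
    if (attrs & ~known)
        snprintf(buf + strlen(buf), len - strlen(buf), "%s0x%08x", *buf ? "|" : "", (unsigned)(attrs & ~known));
    return buf;
}

/* One failed AS_REQ as described for fail_auth_count: count it and, once the
 * count reaches KRB5_MAX_FAIL_COUNT, set DISALLOW_ALL_TIX. Returns 1 only on
 * the call that locks the principal. */
int record_failed_as_req(krb5_flags *attributes, unsigned *fail_auth_count) {
    if (++*fail_auth_count < KRB5_MAX_FAIL_COUNT || (*attributes & KRB5_KDB_DISALLOW_ALL_TIX))
        return 0;
    *attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
    return 1;
}

typedef struct _krb5_tl_data {          /* as shown above */
    struct _krb5_tl_data *tl_data_next;
    krb5_int16 tl_data_type;
    krb5_int16 tl_data_length;
    krb5_octet *tl_data_contents;
} krb5_tl_data;

/* Prepend an element whose contents are a copy of the bytes of s (no NUL). */
krb5_tl_data *tl_data_push(krb5_tl_data *head, krb5_int16 type, const char *s) {
    size_t n = strlen(s);
    krb5_tl_data *e = malloc(sizeof *e);
    *e = (krb5_tl_data){ .tl_data_next = head, .tl_data_type = type,
                         .tl_data_length = (krb5_int16)n,
                         .tl_data_contents = memcpy(malloc(n), s, n) };
    return e;
}

/* What kadm5_get_principal does before returning the list: unlink and free
 * every reserved element (type < 256) and store the surviving count in
 * *n_tl_data, the count the caller later hands to kadm5_modify_principal. */
krb5_tl_data *tl_data_strip_reserved(krb5_tl_data *head, krb5_int16 *n_tl_data) {
    krb5_tl_data **pp = &head;
    *n_tl_data = 0;
    while (*pp) {
        krb5_tl_data *e = *pp;
        if (e->tl_data_type >= KADM5_TL_DATA_MIN_TYPE) {
            (*n_tl_data)++, pp = &e->tl_data_next;   /* keep application data */
        } else {
            *pp = e->tl_data_next;   /* unlink; pp now points at the successor */
            free(e->tl_data_contents);
            free(e);
        }
    }
    return head;
}

/* What kadm5_modify_principal checks when KADM5_TL_DATA is in the mask: any
 * reserved type is an error, and n_tl_data must match the list length. */
int tl_data_check_for_modify(const krb5_tl_data *head, krb5_int16 n_tl_data) {
    krb5_int16 n = 0;
    for (const krb5_tl_data *e = head; e; e = e->tl_data_next, n++)
        if (e->tl_data_type < KADM5_TL_DATA_MIN_TYPE) return -1;
    return n == n_tl_data ? 0 : -1;
}
```

A caller would build the list with tl_data_push, run tl_data_strip_reserved to get what kadm5_get_principal would hand back together with the matching n_tl_data, and only then pass that list and count to the modify path; the surviving elements belong to the caller (in the real API the entry returned by kadm5_get_principal is released with kadm5_free_principal_ent). The hex fallback in describe_attributes matters for audit tooling: an attribute bit this table does not name should be reported, not hidden.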


Autobuild 2009-09-05