diff --git a/SOURCES/Add-German-translation.patch b/SOURCES/Add-German-translation.patch new file mode 100644 index 0000000..2b385ac --- /dev/null +++ b/SOURCES/Add-German-translation.patch @@ -0,0 +1,9333 @@ +From b02f2560d4610b11738687a23a848b422a9e4083 Mon Sep 17 00:00:00 2001 +From: Chris Leick +Date: Wed, 6 Apr 2016 18:14:40 -0400 +Subject: [PATCH] Add German translation + +ticket: 8515 (new) +(cherry picked from commit 0c9a4d9734c29a77d3c7ac267e8e885a75f44b4f) +--- + src/po/Makefile.in | 2 +- + src/po/de.po | 9301 ++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 9302 insertions(+), 1 deletion(-) + create mode 100644 src/po/de.po + +diff --git a/src/po/Makefile.in b/src/po/Makefile.in +index fdaf872a1..6753447dc 100644 +--- a/src/po/Makefile.in ++++ b/src/po/Makefile.in +@@ -18,7 +18,7 @@ ETSRCS= $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.c \ + $(BUILDTOP)/lib/krb5/error_tables/kv5m_err.c \ + $(BUILDTOP)/lib/krb5/error_tables/krb524_err.c + # This is a placeholder until we have an actual translation. +-CATALOGS=en_US.mo ++CATALOGS=en_US.mo de.mo + + .SUFFIXES: .po .mo + .po.mo: +diff --git a/src/po/de.po b/src/po/de.po +new file mode 100644 +index 000000000..2144d7833 +--- /dev/null ++++ b/src/po/de.po +@@ -0,0 +1,9301 @@ ++# German translation of mit-krb5. ++# This file is distributed under the same license as the mit-krb5 package. ++# Copyright (C) 1985-2013 by the Massachusetts Institute of Technology. ++# Copyright (C) of this file 2014-2016 Chris Leick . ++# ++msgid "" ++msgstr "" ++"Project-Id-Version: mit-krb5 13.2\n" ++"Report-Msgid-Bugs-To: krbdev@mit.edu\n" ++"POT-Creation-Date: 2015-05-06 14:59-0400\n" ++"PO-Revision-Date: 2016-04-07 08:15+0200\n" ++"Last-Translator: Chris Leick \n" ++"Language-Team: German \n" ++"Language: de\n" ++"MIME-Version: 1.0\n" ++"Content-Type: text/plain; charset=UTF-8\n" ++"Content-Transfer-Encoding: 8bit\n" ++"Plural-Forms: nplurals=2; plural=n != 1;\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:62 ++#, c-format ++msgid "Usage: %s [-A] [-q] [-c cache_name]\n" ++msgstr "Aufruf: %s [-A] [-q] [-c Zwischenspeichername]\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:63 ++#, c-format ++msgid "\t-A destroy all credential caches in collection\n" ++msgstr "\t-A vernichtet alle Anmeldedatenzwischenspeicher in der Sammlung.\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:64 ++#, c-format ++msgid "\t-q quiet mode\n" ++msgstr "\t-q stiller Modus\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:65 ++#: ../../src/clients/kswitch/kswitch.c:45 ++#, c-format ++msgid "\t-c specify name of credentials cache\n" ++msgstr "\t-c gibt den Namen des Zwischenspeichers für Anmeldedaten an.\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:98 ++#: ../../src/clients/kinit/kinit.c:383 ../../src/clients/ksu/main.c:284 ++#, c-format ++msgid "Only one -c option allowed\n" ++msgstr "Nur eine »-c«-Option ist erlaubt.\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:105 ++#: ../../src/clients/kinit/kinit.c:412 ../../src/clients/klist/klist.c:182 ++#, c-format ++msgid "Kerberos 4 is no longer supported\n" ++msgstr "Kerberos 4 wird nicht mehr unterstützt.\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:126 ++#: ../../src/clients/klist/klist.c:253 ../../src/clients/ksu/main.c:131 ++#: ../../src/clients/ksu/main.c:137 ../../src/clients/kswitch/kswitch.c:97 ++#: ../../src/kadmin/ktutil/ktutil.c:52 ../../src/kdc/main.c:926 ++#: ../../src/slave/kprop.c:102 ../../src/slave/kpropd.c:1052 ++msgid "while initializing krb5" ++msgstr "beim Initialisieren von Krb5" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:133 ++msgid "while listing credential caches" ++msgstr "beim Auflisten der Anmeldedatenzwischenspeicher" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:140 ++msgid "composing ccache name" ++msgstr "Ccache-Name wird zusammengesetzt." ++ ++#: ../../src/clients/kdestroy/kdestroy.c:145 ++#, c-format ++msgid "while destroying cache %s" ++msgstr "beim Zerstören des Zwischenspeichers %s" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:157 ++#: ../../src/clients/kswitch/kswitch.c:104 ++#, c-format ++msgid "while resolving %s" ++msgstr "beim Auflösen von %s" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:163 ++#: ../../src/clients/kinit/kinit.c:501 ../../src/clients/klist/klist.c:460 ++msgid "while getting default ccache" ++msgstr "beim Holen des Standard-Ccaches" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:170 ../../src/clients/ksu/main.c:986 ++msgid "while destroying cache" ++msgstr "beim Zerstören des Zwischenspeichers" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:173 ++#, c-format ++msgid "Ticket cache NOT destroyed!\n" ++msgstr "Ticketzwischenspeicher NICHT vernichtet!\n" ++ ++#: ../../src/clients/kdestroy/kdestroy.c:175 ++#, c-format ++msgid "Ticket cache %cNOT%c destroyed!\n" ++msgstr "Ticketzwischenspeicher %cNICHT%c vernichtet!\n" ++ ++#: ../../src/clients/kinit/kinit.c:213 ++#, c-format ++msgid "\t-V verbose\n" ++msgstr "\t-V detaillierte Ausgabe\n" ++ ++#: ../../src/clients/kinit/kinit.c:214 ++#, c-format ++msgid "\t-l lifetime\n" ++msgstr "\t-l Lebensdauer\n" ++ ++#: ../../src/clients/kinit/kinit.c:215 ++#, c-format ++msgid "\t-s start time\n" ++msgstr "\t-s Startzeit\n" ++ ++#: ../../src/clients/kinit/kinit.c:216 ++#, c-format ++msgid "\t-r renewable lifetime\n" ++msgstr "\t-r verlängerbare Lebensdauer\n" ++ ++#: ../../src/clients/kinit/kinit.c:217 ++#, c-format ++msgid "\t-f forwardable\n" ++msgstr "\t-f weiterleitbar\n" ++ ++#: ../../src/clients/kinit/kinit.c:218 ++#, c-format ++msgid "\t-F not forwardable\n" ++msgstr "\t-F nicht weiterleitbar\n" ++ ++#: ../../src/clients/kinit/kinit.c:219 ++#, c-format ++msgid "\t-p proxiable\n" ++msgstr "\t-p Proxy nutzbar\n" ++ ++#: ../../src/clients/kinit/kinit.c:220 ++#, c-format ++msgid "\t-P not proxiable\n" ++msgstr "\t-P Proxy nicht nutzbar\n" ++ ++#: ../../src/clients/kinit/kinit.c:221 ++#, c-format ++msgid "\t-n anonymous\n" ++msgstr "\t-n anonym\n" ++ ++#: ../../src/clients/kinit/kinit.c:222 ++#, c-format ++msgid "\t-a include addresses\n" ++msgstr "\t-a bezieht Adressen ein.\n" ++ ++#: ../../src/clients/kinit/kinit.c:223 ++#, c-format ++msgid "\t-A do not include addresses\n" ++msgstr "\t-a bezieht Adressen nicht ein.\n" ++ ++#: ../../src/clients/kinit/kinit.c:224 ++#, c-format ++msgid "\t-v validate\n" ++msgstr "\t-v überprüft\n" ++ ++#: ../../src/clients/kinit/kinit.c:225 ++#, c-format ++msgid "\t-R renew\n" ++msgstr "\t-R erneuert\n" ++ ++#: ../../src/clients/kinit/kinit.c:226 ++#, c-format ++msgid "\t-C canonicalize\n" ++msgstr "\t-C bringt in Normalform\n" ++ ++#: ../../src/clients/kinit/kinit.c:227 ++#, c-format ++msgid "\t-E client is enterprise principal name\n" ++msgstr "\t-E Client ist der Principal-Name des Unternehmens\n" ++ ++#: ../../src/clients/kinit/kinit.c:228 ++#, c-format ++msgid "\t-k use keytab\n" ++msgstr "\t-k verwendet Schlüsseltabelle\n" ++ ++#: ../../src/clients/kinit/kinit.c:229 ++#, c-format ++msgid "\t-i use default client keytab (with -k)\n" ++msgstr "\t-i verwendet die Standardschlüsseltabelle des Clients (mit -k).\n" ++ ++#: ../../src/clients/kinit/kinit.c:230 ++#, c-format ++msgid "\t-t filename of keytab to use\n" ++msgstr "\t-t Dateiname der zu verwendenden Schlüsseltabelle\n" ++ ++#: ../../src/clients/kinit/kinit.c:231 ++#, c-format ++msgid "\t-c Kerberos 5 cache name\n" ++msgstr "\t-c Kerberos-5-Zwischenspeichername\n" ++ ++#: ../../src/clients/kinit/kinit.c:232 ++#, c-format ++msgid "\t-S service\n" ++msgstr "\t-S Dienst\n" ++ ++#: ../../src/clients/kinit/kinit.c:233 ++#, c-format ++msgid "\t-T armor credential cache\n" ++msgstr "\t-T gehärteter Anmeldedatenzwischenspeicher\n" ++ ++#: ../../src/clients/kinit/kinit.c:234 ++#, c-format ++msgid "\t-X [=]\n" ++msgstr "\t-X [=]\n" ++ ++#: ../../src/clients/kinit/kinit.c:301 ../../src/clients/kinit/kinit.c:309 ++#, c-format ++msgid "Bad lifetime value %s\n" ++msgstr "falscher Wert für die Lebensdauer %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:343 ++#, c-format ++msgid "Bad start time value %s\n" ++msgstr "falscher Wert für die Startzeit %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:362 ++#, c-format ++msgid "Only one -t option allowed.\n" ++msgstr "Nur eine -t-Option ist erlaubt.\n" ++ ++#: ../../src/clients/kinit/kinit.c:370 ++#, c-format ++msgid "Only one armor_ccache\n" ++msgstr "nur ein gehärteter Ccache\n" ++ ++#: ../../src/clients/kinit/kinit.c:391 ++#, c-format ++msgid "Only one -I option allowed\n" ++msgstr "Nur eine -I-Option ist erlaubt.\n" ++ ++#: ../../src/clients/kinit/kinit.c:401 ++msgid "while adding preauth option" ++msgstr "beim Hinzufügen der Option »preauth«" ++ ++#: ../../src/clients/kinit/kinit.c:425 ++#, c-format ++msgid "Only one of -f and -F allowed\n" ++msgstr "Nur eine der Optionen -f und -F ist erlaubt.\n" ++ ++#: ../../src/clients/kinit/kinit.c:430 ++#, c-format ++msgid "Only one of -p and -P allowed\n" ++msgstr "Nur eine der Optionen -p und -P ist erlaubt.\n" ++ ++#: ../../src/clients/kinit/kinit.c:435 ++#, c-format ++msgid "Only one of -a and -A allowed\n" ++msgstr "Nur eine der Optionen -a und -A ist erlaubt.\n" ++ ++#: ../../src/clients/kinit/kinit.c:440 ++#, c-format ++msgid "Only one of -t and -i allowed\n" ++msgstr "Nur eine der Optionen -t und-i ist erlaubt.\n" ++ ++#: ../../src/clients/kinit/kinit.c:447 ++#, c-format ++msgid "keytab specified, forcing -k\n" ++msgstr "Schlüsseltabelle angegeben, -k wird erzwungen\n" ++ ++#: ../../src/clients/kinit/kinit.c:451 ../../src/clients/klist/klist.c:221 ++#, c-format ++msgid "Extra arguments (starting with \"%s\").\n" ++msgstr "zusätzliche Argumente (beginnend mit »%s«)\n" ++ ++#: ../../src/clients/kinit/kinit.c:480 ++msgid "while initializing Kerberos 5 library" ++msgstr "beim Initialisieren der Kerberos-5-Bibliothek" ++ ++#: ../../src/clients/kinit/kinit.c:488 ../../src/clients/kinit/kinit.c:644 ++#, c-format ++msgid "resolving ccache %s" ++msgstr "Ccache %s wird ermittelt" ++ ++#: ../../src/clients/kinit/kinit.c:493 ++#, c-format ++msgid "Using specified cache: %s\n" ++msgstr "Angegebener Zwischenspeicher wird verwendet: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:515 ../../src/clients/kinit/kinit.c:595 ++#: ../../src/clients/kpasswd/kpasswd.c:28 ../../src/clients/ksu/main.c:238 ++#, c-format ++msgid "when parsing name %s" ++msgstr "wenn der Name %s ausgewertet wird" ++ ++#: ../../src/clients/kinit/kinit.c:523 ../../src/kadmin/dbutil/kdb5_util.c:307 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:391 ++#: ../../src/slave/kprop.c:203 ++msgid "while getting default realm" ++msgstr "beim Holen des Standard-Realms" ++ ++#: ../../src/clients/kinit/kinit.c:535 ++msgid "while building principal" ++msgstr "beim Erstellen des Principals" ++ ++#: ../../src/clients/kinit/kinit.c:543 ++msgid "When resolving the default client keytab" ++msgstr "beim Auflösen der Standardschlüsseltabelle des Clients" ++ ++#: ../../src/clients/kinit/kinit.c:550 ++msgid "When determining client principal name from keytab" ++msgstr "beim Bestimmen des Dienst-Principal-Namens anhand der Schlüsseltabelle" ++ ++#: ../../src/clients/kinit/kinit.c:559 ++msgid "when creating default server principal name" ++msgstr "wenn der Standard-Principal-Name des Servers erstellt wird" ++ ++#: ../../src/clients/kinit/kinit.c:566 ++#, c-format ++msgid "(principal %s)" ++msgstr "(Principal %s)" ++ ++#: ../../src/clients/kinit/kinit.c:569 ++msgid "for local services" ++msgstr "für lokale Dienste" ++ ++#: ../../src/clients/kinit/kinit.c:590 ../../src/clients/kpasswd/kpasswd.c:42 ++#, c-format ++msgid "Unable to identify user\n" ++msgstr "Benutzer kann nicht identifiziert werden\n" ++ ++#: ../../src/clients/kinit/kinit.c:605 ../../src/clients/kswitch/kswitch.c:116 ++#, c-format ++msgid "while searching for ccache for %s" ++msgstr "beim Suchen nach Ccache für %s" ++ ++#: ../../src/clients/kinit/kinit.c:611 ++#, c-format ++msgid "Using existing cache: %s\n" ++msgstr "Existierender Zwischenspeicher wird verwendet: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:620 ++msgid "while generating new ccache" ++msgstr "beim Erstellen von neuem Ccache" ++ ++#: ../../src/clients/kinit/kinit.c:624 ++#, c-format ++msgid "Using new cache: %s\n" ++msgstr "Neuer Zwischenspeicher wird verwendet: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:636 ++#, c-format ++msgid "Using default cache: %s\n" ++msgstr "Standardzwischenspeicher wird verwendet: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:649 ++#, c-format ++msgid "Using specified input cache: %s\n" ++msgstr "Angegebener Eingabezwischenspeicher wird verwendet: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:657 ../../src/clients/ksu/krb_auth_su.c:160 ++msgid "when unparsing name" ++msgstr "beim Rückgängigmachen der Auswertung des Namens" ++ ++#: ../../src/clients/kinit/kinit.c:661 ++#, c-format ++msgid "Using principal: %s\n" ++msgstr "verwendeter Principal: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:752 ++msgid "getting local addresses" ++msgstr "Lokale Adressen werden geholt." ++ ++#: ../../src/clients/kinit/kinit.c:771 ++#, c-format ++msgid "while setting up KDB keytab for realm %s" ++msgstr "beim Einrichten der KDB-Schlüsseltabelle für Realm %s" ++ ++#: ../../src/clients/kinit/kinit.c:780 ../../src/clients/kvno/kvno.c:201 ++#, c-format ++msgid "resolving keytab %s" ++msgstr "Schlüsseltabelle wird ermittelt: %s" ++ ++#: ../../src/clients/kinit/kinit.c:785 ++#, c-format ++msgid "Using keytab: %s\n" ++msgstr "Schlüsseltabelle wird verwendet: %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:789 ++msgid "resolving default client keytab" ++msgstr "Standardschlüsseltabelle des Clients wird ermittelt." ++ ++#: ../../src/clients/kinit/kinit.c:799 ++#, c-format ++msgid "while setting '%s'='%s'" ++msgstr "beim Setzen von »%s«=»%s«" ++ ++#: ../../src/clients/kinit/kinit.c:804 ++#, c-format ++msgid "PA Option %s = %s\n" ++msgstr "PA-Option %s = %s\n" ++ ++#: ../../src/clients/kinit/kinit.c:849 ++msgid "getting initial credentials" ++msgstr "Anfängliche Anmeldedaten werden geholt." ++ ++#: ../../src/clients/kinit/kinit.c:852 ++msgid "validating credentials" ++msgstr "Anmeldedaten werden geprüft." ++ ++#: ../../src/clients/kinit/kinit.c:855 ++msgid "renewing credentials" ++msgstr "Anmeldedaten werden erneuert." ++ ++#: ../../src/clients/kinit/kinit.c:860 ++#, c-format ++msgid "%s: Password incorrect while %s\n" ++msgstr "%s: Passwort bei %s falsch\n" ++ ++#: ../../src/clients/kinit/kinit.c:863 ++#, c-format ++msgid "while %s" ++msgstr "bei %s" ++ ++#: ../../src/clients/kinit/kinit.c:871 ../../src/slave/kprop.c:224 ++#, c-format ++msgid "when initializing cache %s" ++msgstr "beim Initialisieren des Zwischenspeichers %s" ++ ++#: ../../src/clients/kinit/kinit.c:876 ++#, c-format ++msgid "Initialized cache\n" ++msgstr "initialisierter Zwischenspeicher\n" ++ ++#: ../../src/clients/kinit/kinit.c:880 ++msgid "while storing credentials" ++msgstr "beim Speichern der Anmeldedaten" ++ ++#: ../../src/clients/kinit/kinit.c:884 ++#, c-format ++msgid "Stored credentials\n" ++msgstr "gespeicherte Anmeldedaten\n" ++ ++#: ../../src/clients/kinit/kinit.c:891 ++msgid "while switching to new ccache" ++msgstr "beim Wechsel zum neuen Ccache" ++ ++#: ../../src/clients/kinit/kinit.c:946 ++#, c-format ++msgid "Authenticated to Kerberos v5\n" ++msgstr "Authentifiziert für Kerberos v5\n" ++ ++#: ../../src/clients/klist/klist.c:91 ++#, c-format ++msgid "" ++"Usage: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] " ++"[name]\n" ++msgstr "" ++"Aufruf: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-" ++"K]] [Name]\n" ++ ++#: ../../src/clients/klist/klist.c:93 ++#, c-format ++msgid "\t-c specifies credentials cache\n" ++msgstr "\t-c gibt den Anmeldedatenzwischenspeicher an\n" ++ ++#: ../../src/clients/klist/klist.c:94 ++#, c-format ++msgid "\t-k specifies keytab\n" ++msgstr "\t-k gibt die Schlüsseltabelle an.\n" ++ ++#: ../../src/clients/klist/klist.c:95 ++#, c-format ++msgid "\t (Default is credentials cache)\n" ++msgstr "\t (Voreinstellung ist Anmeldedatenzwischenspeicher)\n" ++ ++#: ../../src/clients/klist/klist.c:96 ++#, c-format ++msgid "\t-i uses default client keytab if no name given\n" ++msgstr "" ++"\t-i verwendet die Standardschlüsseltabelle des Clients, falls kein Name " ++"angegeben wurde.\n" ++ ++#: ../../src/clients/klist/klist.c:97 ++#, c-format ++msgid "\t-l lists credential caches in collection\n" ++msgstr "\t-l listet gesammelte Anmeldedatenzwischenspeicher auf.\n" ++ ++#: ../../src/clients/klist/klist.c:98 ++#, c-format ++msgid "\t-A shows content of all credential caches\n" ++msgstr "\t-A zeigt den Inhalt aller Anmeldedatenzwischenspeicher an.\n" ++ ++#: ../../src/clients/klist/klist.c:99 ++#, c-format ++msgid "\t-e shows the encryption type\n" ++msgstr "\t-e zeigt den Verschlüsselungstyp.\n" ++ ++#: ../../src/clients/klist/klist.c:100 ++#, c-format ++msgid "\t-V shows the Kerberos version and exits\n" ++msgstr "\t-V zeigt die Kerberos-Version und wird beendet.\n" ++ ++#: ../../src/clients/klist/klist.c:101 ++#, c-format ++msgid "\toptions for credential caches:\n" ++msgstr "\tOptionen für Anmeldedatenzwischenspeicher:\n" ++ ++#: ../../src/clients/klist/klist.c:102 ++#, c-format ++msgid "\t\t-d shows the submitted authorization data types\n" ++msgstr "\t\t-d zeigt die übertragenen Autorisierungsdatentypen.\n" ++ ++#: ../../src/clients/klist/klist.c:104 ++#, c-format ++msgid "\t\t-f shows credentials flags\n" ++msgstr "t\t-f zeigt die Anmeldedatenschalter.\n" ++ ++#: ../../src/clients/klist/klist.c:105 ++#, c-format ++msgid "\t\t-s sets exit status based on valid tgt existence\n" ++msgstr "" ++"\t\t-s setzt den Exit-Status auf Basis der Existenz eines gültigen TGTs.\n" ++ ++#: ../../src/clients/klist/klist.c:107 ++#, c-format ++msgid "\t\t-a displays the address list\n" ++msgstr "\t\t-a zeigt die Adressliste.\n" ++ ++#: ../../src/clients/klist/klist.c:108 ++#, c-format ++msgid "\t\t\t-n do not reverse-resolve\n" ++msgstr "\t\t\t-n löst nicht rückwärts auf.\n" ++ ++#: ../../src/clients/klist/klist.c:109 ++#, c-format ++msgid "\toptions for keytabs:\n" ++msgstr "\tOptionen für Schlüsseltabellen:\n" ++ ++#: ../../src/clients/klist/klist.c:110 ++#, c-format ++msgid "\t\t-t shows keytab entry timestamps\n" ++msgstr "\t\t-t zeigt die Zeitstempel der Schlüsseltabelleneinträge.\n" ++ ++#: ../../src/clients/klist/klist.c:111 ++#, c-format ++msgid "\t\t-K shows keytab entry keys\n" ++msgstr "\t\t-K zeigt die Schlüssel der Schlüsseltabelleneinträge.\n" ++ ++#: ../../src/clients/klist/klist.c:230 ++#, c-format ++msgid "%s version %s\n" ++msgstr "%s Version %s\n" ++ ++#: ../../src/clients/klist/klist.c:282 ++msgid "while getting default client keytab" ++msgstr "beim Holen der Standardschlüsseltabelle des Clients" ++ ++#: ../../src/clients/klist/klist.c:287 ++msgid "while getting default keytab" ++msgstr "beim Holen der Standardschlüsseltabelle" ++ ++#: ../../src/clients/klist/klist.c:292 ../../src/kadmin/cli/keytab.c:108 ++#, c-format ++msgid "while resolving keytab %s" ++msgstr "beim Ermitteln der Schlüsseltabelle %s" ++ ++#: ../../src/clients/klist/klist.c:298 ../../src/kadmin/cli/keytab.c:92 ++msgid "while getting keytab name" ++msgstr "beim Holen des Schlüsseltabellennamens" ++ ++#: ../../src/clients/klist/klist.c:305 ../../src/kadmin/cli/keytab.c:399 ++msgid "while starting keytab scan" ++msgstr "beim Start des Schlüsseltabellen-Scans" ++ ++#: ../../src/clients/klist/klist.c:326 ../../src/clients/klist/klist.c:500 ++#: ../../src/clients/ksu/ccache.c:465 ../../src/kadmin/dbutil/dump.c:550 ++msgid "while unparsing principal name" ++msgstr "beim Rückgängigmachen des Auswertens des Principal-Namens" ++ ++#: ../../src/clients/klist/klist.c:350 ../../src/kadmin/cli/keytab.c:443 ++msgid "while scanning keytab" ++msgstr "beim Scannen der Schlüsseltabelle" ++ ++#: ../../src/clients/klist/klist.c:354 ../../src/kadmin/cli/keytab.c:448 ++msgid "while ending keytab scan" ++msgstr "beim Beenden des Schlüsseltabellen-Scans" ++ ++#: ../../src/clients/klist/klist.c:371 ../../src/clients/klist/klist.c:434 ++msgid "while listing ccache collection" ++msgstr "beim Aufführen der Ccache-Sammlung" ++ ++#: ../../src/clients/klist/klist.c:411 ++msgid "(Expired)" ++msgstr "(abgelaufen)" ++ ++#: ../../src/clients/klist/klist.c:466 ++#, c-format ++msgid "while resolving ccache %s" ++msgstr "beim Ermitteln des Ccaches %s" ++ ++#: ../../src/clients/klist/klist.c:504 ++#, c-format ++msgid "" ++"Ticket cache: %s:%s\n" ++"Default principal: %s\n" ++"\n" ++msgstr "" ++"Ticketzwischenspeicher: %s:%s\n" ++"Standard-Principal: %s\n" ++"\n" ++ ++#: ../../src/clients/klist/klist.c:518 ++msgid "while starting to retrieve tickets" ++msgstr "während das Abfragen der Tickets beginnt" ++ ++#: ../../src/clients/klist/klist.c:539 ++msgid "while finishing ticket retrieval" ++msgstr "während das Abfragem der Tickets endet" ++ ++#: ../../src/clients/klist/klist.c:545 ++msgid "while closing ccache" ++msgstr "beim Schließen des Ccaches" ++ ++#: ../../src/clients/klist/klist.c:555 ++msgid "while retrieving a ticket" ++msgstr "beim Abfragen eines Tickets" ++ ++#: ../../src/clients/klist/klist.c:667 ../../src/clients/ksu/ccache.c:450 ++#: ../../src/slave/kpropd.c:1225 ../../src/slave/kpropd.c:1285 ++msgid "while unparsing client name" ++msgstr "beim Rückgängigmachen des Auswertens des Client-Namens" ++ ++#: ../../src/clients/klist/klist.c:672 ../../src/clients/ksu/ccache.c:455 ++#: ../../src/slave/kprop.c:240 ++msgid "while unparsing server name" ++msgstr "beim Rückgängigmachen des Auswertens des Server-Namens" ++ ++#: ../../src/clients/klist/klist.c:701 ../../src/clients/ksu/ccache.c:480 ++#, c-format ++msgid "\tfor client %s" ++msgstr "\tfür Client %s" ++ ++#: ../../src/clients/klist/klist.c:713 ../../src/clients/ksu/ccache.c:489 ++msgid "renew until " ++msgstr "erneuern bis " ++ ++#: ../../src/clients/klist/klist.c:730 ../../src/clients/ksu/ccache.c:499 ++#, c-format ++msgid "Flags: %s" ++msgstr "Schalter: %s" ++ ++#: ../../src/clients/klist/klist.c:749 ++#, c-format ++msgid "Etype (skey, tkt): %s, " ++msgstr "Etype (Skey, TKT): %s, " ++ ++#: ../../src/clients/klist/klist.c:766 ++#, c-format ++msgid "AD types: " ++msgstr "AD-Typen" ++ ++#: ../../src/clients/klist/klist.c:783 ++#, c-format ++msgid "\tAddresses: (none)\n" ++msgstr "\tAdressen: (keine)\n" ++ ++#: ../../src/clients/klist/klist.c:785 ++#, c-format ++msgid "\tAddresses: " ++msgstr "\tAdressen: " ++ ++#: ../../src/clients/klist/klist.c:818 ++#, c-format ++msgid "broken address (type %d length %d)" ++msgstr "kaputte Adresse (Typ %d Länge %d)" ++ ++#: ../../src/clients/klist/klist.c:838 ++#, c-format ++msgid "unknown addrtype %d" ++msgstr "unbekannter »addrtype« %d" ++ ++#: ../../src/clients/klist/klist.c:847 ++#, c-format ++msgid "unprintable address (type %d, error %d %s)" ++msgstr "nicht druckbare Adresse (Typ %d Fehler %d %s)" ++ ++#: ../../src/clients/kpasswd/kpasswd.c:12 ../../src/lib/krb5/krb/gic_pwd.c:396 ++msgid "Enter new password" ++msgstr "Geben Sie ein neues Passwort ein." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:13 ../../src/lib/krb5/krb/gic_pwd.c:404 ++msgid "Enter it again" ++msgstr "Geben Sie es erneut ein." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:33 ++#, c-format ++msgid "Unable to identify user from password file\n" ++msgstr "" ++"Der Benutzer kann nicht anhand der Passwortdatei identifiziert werden.\n" ++ ++#: ../../src/clients/kpasswd/kpasswd.c:65 ++#, c-format ++msgid "usage: %s [principal]\n" ++msgstr "Aufruf: %s [Principal]\n" ++ ++#: ../../src/clients/kpasswd/kpasswd.c:73 ++msgid "initializing kerberos library" ++msgstr "Kerberos-Bibliothek wird initialisiert." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:77 ++msgid "allocating krb5_get_init_creds_opt" ++msgstr "krb5_get_init_creds_opt wird reserviert." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:92 ++msgid "opening default ccache" ++msgstr "Standard-Ccache wird geöffnet." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:97 ++msgid "getting principal from ccache" ++msgstr "Principal wird vom Ccache geholt." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:104 ++msgid "while setting FAST ccache" ++msgstr "beim Setzen des FAST-Ccaches" ++ ++#: ../../src/clients/kpasswd/kpasswd.c:111 ++msgid "closing ccache" ++msgstr "Ccache wird geschlossen." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:118 ++msgid "parsing client name" ++msgstr "Client-Name wird ausgewertet." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:135 ++msgid "Password incorrect while getting initial ticket" ++msgstr "Passwort beim Holen des anfänglichen Tickets falsch" ++ ++#: ../../src/clients/kpasswd/kpasswd.c:137 ++msgid "getting initial ticket" ++msgstr "Anfängliches Ticket wird geholt." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:144 ++msgid "while reading password" ++msgstr "beim Lesen des Passworts" ++ ++#: ../../src/clients/kpasswd/kpasswd.c:152 ++msgid "changing password" ++msgstr "Passwort wird geändert." ++ ++#: ../../src/clients/kpasswd/kpasswd.c:174 ++#: ../lib/kadm5/chpass_util_strings.c:30 ++#, c-format ++msgid "Password changed.\n" ++msgstr "Passwort geändert\n" ++ ++#: ../../src/clients/ksu/authorization.c:369 ++#, c-format ++msgid "" ++"Error: bad entry - %s in %s file, must be either full path or just the cmd " ++"name\n" ++msgstr "" ++"Fehler: falscher Eintrag – %s in Datei %s muss entweder ein vollständiger " ++"Pfad oder nur ein Befehlsname sein.\n" ++ ++#: ../../src/clients/ksu/authorization.c:377 ++#, c-format ++msgid "" ++"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH " ++"must be defined \n" ++msgstr "" ++"Fehler: falscher Eintrag – %s in Datei %s. Da %s nur ein Befehlsname ist, " ++"muss CMD_PATH definiert sein.\n" ++ ++#: ../../src/clients/ksu/authorization.c:392 ++#, c-format ++msgid "Error: bad entry - %s in %s file, CMD_PATH contains no paths \n" ++msgstr "" ++"Fehler: falscher Eintrag – %s in Datei %s. CMD_PATH enthält keine Pfade.\n" ++ ++#: ../../src/clients/ksu/authorization.c:401 ++#, c-format ++msgid "Error: bad path %s in CMD_PATH for %s must start with '/' \n" ++msgstr "Fehler: falscher Pfad %s in CMD_PATH für %s muss mit »/« beginnen\n" ++ ++#: ../../src/clients/ksu/authorization.c:517 ++msgid "Error: not found -> " ++msgstr "Fehler: nicht gefunden -> " ++ ++#: ../../src/clients/ksu/authorization.c:723 ++#, c-format ++msgid "home directory name `%s' too long, can't search for .k5login\n" ++msgstr "" ++"Name des Home-Verzeichnisses »%s« ist zu lang, Suche nach .k5login nicht " ++"möglich\n" ++ ++#: ../../src/clients/ksu/ccache.c:368 ++#, c-format ++msgid "home directory path for %s too long\n" ++msgstr "Home-Verzeichnispfad für %s zu lang\n" ++ ++#: ../../src/clients/ksu/ccache.c:461 ++msgid "while retrieving principal name" ++msgstr "beim Abfragen des Principal-Namens" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:57 ++#: ../../src/clients/ksu/krb_auth_su.c:62 ../../src/slave/kprop.c:247 ++msgid "while copying client principal" ++msgstr "beim Kopieren des Client-Principals" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:69 ++msgid "while creating tgt for local realm" ++msgstr "beim Erstellen des TGTs für lokalen Realm" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:84 ++msgid "while retrieving creds from cache" ++msgstr "beim Abfragen der Anmeldedaten aus dem Zwischenspeicher" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:95 ++msgid "while switching to target uid" ++msgstr "beim Umschalten auf die Ziel-UID" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:100 ++#, c-format ++msgid "" ++"WARNING: Your password may be exposed if you enter it here and are logged \n" ++msgstr "" ++"WARNUNG: Ihr Passwort könnte offengelegt werden, falls Sie es hier eingeben " ++"und\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:102 ++#, c-format ++msgid " in remotely using an unsecure (non-encrypted) channel. \n" ++msgstr "" ++" in der Ferne mittels eines unsicheren (unverschlüsselten) Kanals\n" ++" angemeldet sind.\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:114 ../../src/clients/ksu/main.c:464 ++msgid "while reclaiming root uid" ++msgstr "beim erneuten Beanspruchen der Root-UID" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:121 ++#, c-format ++msgid "does not have any appropriate tickets in the cache.\n" ++msgstr "hat keine geeigneten Tickets im Zwischenspeicher.\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:133 ++msgid "while verifying ticket for server" ++msgstr "beim Prüfen des Tickets für Server" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:167 ++msgid "while getting time of day" ++msgstr "beim Holen der Tageszeit" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:171 ++#, c-format ++msgid "Kerberos password for %s: " ++msgstr "Kerberos-Passwort für %s: " ++ ++#: ../../src/clients/ksu/krb_auth_su.c:175 ++#, c-format ++msgid "principal name %s too long for internal buffer space\n" ++msgstr "Principal-Name %s für den internen Pufferbereich zu groß\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:184 ++#, c-format ++msgid "while reading password for '%s'\n" ++msgstr "beim Lesen des Passworts für »%s«\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:191 ++#, c-format ++msgid "No password given\n" ++msgstr "kein Passwort angegeben\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:204 ++#, c-format ++msgid "%s: Password incorrect\n" ++msgstr "%s: Passwort falsch\n" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:206 ++msgid "while getting initial credentials" ++msgstr "beim Holen der Anfangsanmeldedaten" ++ ++#: ../../src/clients/ksu/krb_auth_su.c:226 ++#: ../../src/clients/ksu/krb_auth_su.c:240 ++#, c-format ++msgid " %s while unparsing name\n" ++msgstr "%s beim Rückgängigmachen der Namensauswertung\n" ++ ++#: ../../src/clients/ksu/main.c:68 ++#, c-format ++msgid "" ++"Usage: %s [target user] [-n principal] [-c source cachename] [-k] [-D] [-r " ++"time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a " ++"[args... ] ]\n" ++msgstr "" ++"Aufruf: %s [Zielbenutzer] [-n Principal] [-c Quellenzwischenspeichername] [-" ++"k] [-D] [-r Zeit] [-pf] [-l Lebensdauer] [-zZ] [-q] [-e Befehl [Argumente " ++"…] ] [-a [Argumente …] ]\n" ++ ++#: ../../src/clients/ksu/main.c:147 ++msgid "" ++"program name too long - quitting to avoid triggering system logging bugs" ++msgstr "" ++"Programmname zu lang – wird beendet, um das Auslösen von " ++"Systemprotokollierungsfehlern zu vermeiden" ++ ++#: ../../src/clients/ksu/main.c:173 ++msgid "while allocating memory" ++msgstr "bei Reservieren von Speicher" ++ ++#: ../../src/clients/ksu/main.c:186 ++msgid "while setting euid to source user" ++msgstr "beim Setzen der EUID auf dem Quellbenutzer" ++ ++#: ../../src/clients/ksu/main.c:196 ../../src/clients/ksu/main.c:231 ++#, c-format ++msgid "Bad lifetime value (%s hours?)\n" ++msgstr "falscher Wert für Lebensdauer (%s Stunden?)\n" ++ ++#: ../../src/clients/ksu/main.c:208 ../../src/clients/ksu/main.c:292 ++msgid "when gathering parameters" ++msgstr "beim Zusammenstellen der Parameter" ++ ++#: ../../src/clients/ksu/main.c:251 ++#, c-format ++msgid "-z option is mutually exclusive with -Z.\n" ++msgstr "Die Optionen -z und -Z schließen sich gegenseitig aus.\n" ++ ++#: ../../src/clients/ksu/main.c:259 ++#, c-format ++msgid "-Z option is mutually exclusive with -z.\n" ++msgstr "Die Optionen -Z und -z schließen sich gegenseitig aus.\n" ++ ++#: ../../src/clients/ksu/main.c:272 ++#, c-format ++msgid "while looking for credentials cache %s" ++msgstr "beim Suchen nach dem Anmeldedatenzwischenspeicher %s" ++ ++#: ../../src/clients/ksu/main.c:278 ++#, c-format ++msgid "malformed credential cache name %s\n" ++msgstr "falsch gebildeter Anmeldedatenzwischenspeichername %s\n" ++ ++# ksu ist eine Kerberos-Variante von su ++#: ../../src/clients/ksu/main.c:336 ++#, c-format ++msgid "ksu: who are you?\n" ++msgstr "ksu: Wer sind Sie?\n" ++ ++#: ../../src/clients/ksu/main.c:340 ++#, c-format ++msgid "Your uid doesn't match your passwd entry?!\n" ++msgstr "Ihre UID passt nicht zu Ihrem Passworteintrag.\n" ++ ++#: ../../src/clients/ksu/main.c:355 ++#, c-format ++msgid "ksu: unknown login %s\n" ++msgstr "ksu: unbekannter Anmeldename %s\n" ++ ++#: ../../src/clients/ksu/main.c:375 ++msgid "while getting source cache" ++msgstr "beim Holen des Quellenzwischenspeichers" ++ ++#: ../../src/clients/ksu/main.c:381 ../../src/clients/kvno/kvno.c:194 ++msgid "while opening ccache" ++msgstr "beim Öffnen des Ccaches" ++ ++#: ../../src/clients/ksu/main.c:389 ++msgid "while selecting the best principal" ++msgstr "beim Auswählen des besten Principals" ++ ++#: ../../src/clients/ksu/main.c:397 ++msgid "while returning to source uid after finding best principal" ++msgstr "" ++"bei der Rückkehr zur Quell-UID, nachdem der beste Principal gefunden wurde" ++ ++#: ../../src/clients/ksu/main.c:417 ++#, c-format ++msgid "account %s: authorization failed\n" ++msgstr "Konto %s: Autorisierung fehlgeschlagen\n" ++ ++#: ../../src/clients/ksu/main.c:442 ++msgid "while parsing temporary name" ++msgstr "beim Auswertens des temporären Namens" ++ ++#: ../../src/clients/ksu/main.c:447 ++msgid "while creating temporary cache" ++msgstr "bei Erstellen des temporären Zwischenspeichers" ++ ++#: ../../src/clients/ksu/main.c:453 ../../src/clients/ksu/main.c:693 ++#, c-format ++msgid "while copying cache %s to %s" ++msgstr "beim Kopieren des Zwischenspeichers %s nach %s" ++ ++#: ../../src/clients/ksu/main.c:471 ++#, c-format ++msgid "" ++"WARNING: Your password may be exposed if you enter it here and are logged\n" ++msgstr "" ++"WARNUNG: Ihr Passwort könnte offengelegt werden, falls Sie es hier eingeben " ++"und\n" ++ ++#: ../../src/clients/ksu/main.c:473 ++#, c-format ++msgid " in remotely using an unsecure (non-encrypted) channel.\n" ++msgstr "" ++" in der Ferne über einen unsicheren (unverschlüsselten) Kanal " ++"angemeldet\n" ++"sind.\n" ++ ++#: ../../src/clients/ksu/main.c:479 ++#, c-format ++msgid "Goodbye\n" ++msgstr "Auf Wiedersehen\n" ++ ++#: ../../src/clients/ksu/main.c:483 ++#, c-format ++msgid "Could not get a tgt for " ++msgstr "Es konnte kein TGT geholt werden für " ++ ++#: ../../src/clients/ksu/main.c:505 ++#, c-format ++msgid "Authentication failed.\n" ++msgstr "Authentifizierung fehlgeschlagen.\n" ++ ++#: ../../src/clients/ksu/main.c:513 ++msgid "When unparsing name" ++msgstr "beim Rückgängigmachen der Namensauswertung" ++ ++#: ../../src/clients/ksu/main.c:517 ++#, c-format ++msgid "Authenticated %s\n" ++msgstr "Authentifiziert %s\n" ++ ++#: ../../src/clients/ksu/main.c:524 ++msgid "while switching to target for authorization check" ++msgstr "beim Wechsel des Ziels der Autorisierungsprüfung" ++ ++#: ../../src/clients/ksu/main.c:531 ++msgid "while checking authorization" ++msgstr "beim Prüfen der Autorisierung" ++ ++#: ../../src/clients/ksu/main.c:537 ++msgid "while switching back from target after authorization check" ++msgstr "beim Zurückwechsel vom Ziel nach der Autorisierungsprüfung" ++ ++#: ../../src/clients/ksu/main.c:544 ++#, c-format ++msgid "Account %s: authorization for %s for execution of\n" ++msgstr "Konto %s: Autorisierung für %s zum Ausführen von\n" ++ ++#: ../../src/clients/ksu/main.c:546 ++#, c-format ++msgid " %s successful\n" ++msgstr " %s erfolgreich\n" ++ ++#: ../../src/clients/ksu/main.c:552 ++#, c-format ++msgid "Account %s: authorization for %s successful\n" ++msgstr "Konto %s: Autorisierung für %s erfolgreich\n" ++ ++#: ../../src/clients/ksu/main.c:564 ++#, c-format ++msgid "Account %s: authorization for %s for execution of %s failed\n" ++msgstr "Konto %s: Autorisierung für %s zum Ausführen von %s fehlgeschlagen\n" ++ ++#: ../../src/clients/ksu/main.c:572 ++#, c-format ++msgid "Account %s: authorization of %s failed\n" ++msgstr "Konto %s: Autorisierung von %s fehlgeschlagen\n" ++ ++#: ../../src/clients/ksu/main.c:587 ++msgid "while calling cc_filter" ++msgstr "beim Aufruf von »cc_filter«" ++ ++#: ../../src/clients/ksu/main.c:595 ++msgid "while erasing target cache" ++msgstr "bei Löschen des Zielzwischenspeichers" ++ ++#: ../../src/clients/ksu/main.c:615 ++#, c-format ++msgid "ksu: permission denied (shell).\n" ++msgstr "ksu: Zugriff verweigert (Shell)\n" ++ ++#: ../../src/clients/ksu/main.c:624 ++#, c-format ++msgid "ksu: couldn't set environment variable USER\n" ++msgstr "ksu: Umgebungsvariable USER kann nicht gesetzt werden\n" ++ ++#: ../../src/clients/ksu/main.c:630 ++#, c-format ++msgid "ksu: couldn't set environment variable HOME\n" ++msgstr "ksu: Umgebungsvariable HOME kann nicht gesetzt werden\n" ++ ++#: ../../src/clients/ksu/main.c:635 ++#, c-format ++msgid "ksu: couldn't set environment variable SHELL\n" ++msgstr "ksu: Umgebungsvariable SHELL kann nicht gesetzt werden\n" ++ ++#: ../../src/clients/ksu/main.c:646 ++#, c-format ++msgid "ksu: initgroups failed.\n" ++msgstr "ksu: »initgroups« fehlgeschlagen\n" ++ ++#: ../../src/clients/ksu/main.c:651 ++#, c-format ++msgid "Leaving uid as %s (%ld)\n" ++msgstr "UID bleibt %s (%ld)\n" ++ ++#: ../../src/clients/ksu/main.c:654 ++#, c-format ++msgid "Changing uid to %s (%ld)\n" ++msgstr "UID wird zu %s (%ld) geändert\n" ++ ++#: ../../src/clients/ksu/main.c:680 ++msgid "while getting name of target ccache" ++msgstr "beim Holen des Ziel-Ccache-Namens" ++ ++#: ../../src/clients/ksu/main.c:700 ++#, c-format ++msgid "%s does not have correct permissions for %s, %s aborted" ++msgstr "%s hat nicht die korrekten Rechte für %s, %s wird abgebrochen." ++ ++#: ../../src/clients/ksu/main.c:721 ++#, c-format ++msgid "Internal error: command %s did not get resolved\n" ++msgstr "Interner Fehler: Befehl %s wurde nicht aufgelöst\n" ++ ++#: ../../src/clients/ksu/main.c:738 ../../src/clients/ksu/main.c:774 ++#, c-format ++msgid "while trying to execv %s" ++msgstr "beim Versuch von »execv %s«" ++ ++#: ../../src/clients/ksu/main.c:764 ++msgid "while calling waitpid" ++msgstr "beim Aufruf von »waitpid«" ++ ++#: ../../src/clients/ksu/main.c:769 ++msgid "while trying to fork." ++msgstr "beim Versuch zu verzweigen." ++ ++#: ../../src/clients/ksu/main.c:791 ++msgid "while reading cache name from ccache" ++msgstr "beim Lesen des Zwischenspeichernamens aus dem Ccache" ++ ++#: ../../src/clients/ksu/main.c:797 ++#, c-format ++msgid "ksu: couldn't set environment variable %s\n" ++msgstr "ksu: Umgebungsvariable %s kann nicht gesetzt werden\n" ++ ++#: ../../src/clients/ksu/main.c:820 ++#, c-format ++msgid "while clearing the value of %s" ++msgstr "beim Leeren des Werts von %s" ++ ++#: ../../src/clients/ksu/main.c:828 ++msgid "while resetting target ccache name" ++msgstr "beim Zurücksetzen des Ziel-Ccache-Namens" ++ ++#: ../../src/clients/ksu/main.c:842 ++msgid "while determining target ccache name" ++msgstr "beim Bestimmen des Ziel-Ccache-Namens" ++ ++#: ../../src/clients/ksu/main.c:881 ++msgid "while generating part of the target ccache name" ++msgstr "beim Erzeugen eines Teils des Ziel-Ccache-Namens" ++ ++#: ../../src/clients/ksu/main.c:887 ++msgid "while allocating memory for the target ccache name" ++msgstr "beim Reservieren von Speicher für den Ziel-Ccache-Namen" ++ ++#: ../../src/clients/ksu/main.c:906 ++msgid "while creating new target ccache" ++msgstr "bei Erstellen von neuem Ziel-Ccache" ++ ++#: ../../src/clients/ksu/main.c:912 ++msgid "while initializing target cache" ++msgstr "beim Initialisieren des Zielzwischenspeichers" ++ ++#: ../../src/clients/ksu/main.c:952 ++#, c-format ++msgid "terminal name %s too long\n" ++msgstr "Terminal-Name %s ist zu lang.\n" ++ ++#: ../../src/clients/ksu/main.c:980 ++msgid "while changing to target uid for destroying ccache" ++msgstr "beim Ändern der Ziel-UID für das Zerstören von Ccache" ++ ++#: ../../src/clients/kswitch/kswitch.c:44 ++#, c-format ++msgid "Usage: %s {-c cache_name | -p principal}\n" ++msgstr "Aufruf: %s {-c Zwischenspeichername | -p Principal}\n" ++ ++#: ../../src/clients/kswitch/kswitch.c:46 ++#, c-format ++msgid "\t-p specify name of principal\n" ++msgstr "\t-p gibt den Namen des Principals an.\n" ++ ++#: ../../src/clients/kswitch/kswitch.c:69 ++#, c-format ++msgid "Only one -c or -p option allowed\n" ++msgstr "Nur eine der Optionen -c oder -p ist erlaubt.\n" ++ ++#: ../../src/clients/kswitch/kswitch.c:88 ++#, c-format ++msgid "One of -c or -p must be specified\n" ++msgstr "Entweder -c oder -p muss angegeben werden.\n" ++ ++#: ../../src/clients/kswitch/kswitch.c:110 ../../src/clients/kvno/kvno.c:211 ++#: ../../src/clients/kvno/kvno.c:245 ../../src/kadmin/cli/keytab.c:350 ++#: ../../src/kadmin/dbutil/kdb5_util.c:576 ++#, c-format ++msgid "while parsing principal name %s" ++msgstr "beim Auswerten des Principal-Namens %s" ++ ++#: ../../src/clients/kswitch/kswitch.c:124 ++msgid "while switching to credential cache" ++msgstr "beim Wechsel auf den Anmeldedatenzwischenspeicher" ++ ++#: ../../src/clients/kvno/kvno.c:46 ++#, c-format ++msgid "usage: %s [-C] [-u] [-c ccache] [-e etype]\n" ++msgstr "Aufruf: %s [-C] [-u] [-c Ccache] [-e Etype]\n" ++ ++#: ../../src/clients/kvno/kvno.c:47 ++#, c-format ++msgid "\t[-k keytab] [-S sname] [-U for_user [-P]]\n" ++msgstr "\t[-k Schlüsseltabelle] [-S Sname] [-U für_Benutzer [-P]]\n" ++ ++#: ../../src/clients/kvno/kvno.c:48 ++#, c-format ++msgid "\tservice1 service2 ...\n" ++msgstr "\tDienst1 Dienst2 …\n" ++ ++#: ../../src/clients/kvno/kvno.c:103 ../../src/clients/kvno/kvno.c:111 ++#, c-format ++msgid "Options -u and -S are mutually exclusive\n" ++msgstr "Die Optionen -u und -S schließen sich gegenseitig aus.\n" ++ ++#: ../../src/clients/kvno/kvno.c:126 ++#, c-format ++msgid "Option -P (constrained delegation) requires keytab to be specified\n" ++msgstr "" ++"Die Option -P (eingeschränkte Abtretung) erfordert zur Angabe eine " ++"Schlüsseltabelle.\n" ++ ++#: ../../src/clients/kvno/kvno.c:130 ++#, c-format ++msgid "" ++"Option -P (constrained delegation) requires option -U (protocol transition)\n" ++msgstr "" ++"Die Option -P (eingeschränkte Abtretung) erfordert die Option -U " ++"(Protokollübergang)\n" ++ ++#: ../../src/clients/kvno/kvno.c:175 ../../src/kadmin/cli/kadmin.c:280 ++msgid "while initializing krb5 library" ++msgstr "beim Initialisieren der Krb5-Bibliothek" ++ ++#: ../../src/clients/kvno/kvno.c:182 ++msgid "while converting etype" ++msgstr "bei der Etype-Umwandlung" ++ ++#: ../../src/clients/kvno/kvno.c:218 ++msgid "while getting client principal name" ++msgstr "beim Holen des Client-Principal-Namens" ++ ++#: ../../src/clients/kvno/kvno.c:256 ++#, c-format ++msgid "while formatting parsed principal name for '%s'" ++msgstr "beim Formatieren des ausgewerteten Principal-Namens für »%s«" ++ ++#: ../../src/clients/kvno/kvno.c:267 ++msgid "client and server principal names must match" ++msgstr "Die Principal-Namen von Client und Server müssen übereinstimmen." ++ ++#: ../../src/clients/kvno/kvno.c:284 ++#, c-format ++msgid "while getting credentials for %s" ++msgstr "beim Holen der Anmeldedaten für %s" ++ ++#: ../../src/clients/kvno/kvno.c:291 ++#, c-format ++msgid "while decoding ticket for %s" ++msgstr "beim Dekodieren des Tickets für %s" ++ ++#: ../../src/clients/kvno/kvno.c:302 ++#, c-format ++msgid "while decrypting ticket for %s" ++msgstr "beim Entschlüsseln des Tickets für %s" ++ ++#: ../../src/clients/kvno/kvno.c:306 ++#, c-format ++msgid "%s: kvno = %d, keytab entry valid\n" ++msgstr "%s: KVNO = %d, Schlüsseltabelleneintrag gültig\n" ++ ++#: ../../src/clients/kvno/kvno.c:324 ++#, c-format ++msgid "%s: constrained delegation failed" ++msgstr "%s: eingeschränkte Abtretung fehlgeschlagen" ++ ++#: ../../src/clients/kvno/kvno.c:330 ++#, c-format ++msgid "%s: kvno = %d\n" ++msgstr "%s: KVNO = %d\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:118 ++#, c-format ++msgid "" ++"Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n" ++"\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]|[-n]\n" ++"\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n" ++"where,\n" ++"\t[-x db_args]* - any number of database specific arguments.\n" ++"\t\t\tLook at each database documentation for supported arguments\n" ++msgstr "" ++"Aufruf: %s [-r Realm] [-p Principal] [-q Abfrage] [clnt|lokale Argumente]\n" ++"\tclnt Argumente: [-s Admin-Server[:Port]] [[-c Ccache]|\n" ++"\t[-k [-t Schlüsseltabelle]]]|[-n] lokale Argumente: [-x DB-Argumente]*\n" ++"\t[-d Datenbankname] [-e \"enc:Salt …\"] [-m]\n" ++"wobei\n" ++"\t[-x DB-Argumente]* - eine beliebige Anzahl datenbankspezifischer " ++"Argumente\n" ++"\tist. Die unterstützten Argumente finden Sie in den jeweiligen " ++"\tDatenbankdokumentationen\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:292 ../../src/kadmin/cli/kadmin.c:333 ++#, c-format ++msgid "%s: Cannot initialize. Not enough memory\n" ++msgstr "%s: Zu wenig Speicher zum Initialisieren\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:353 ../../src/kadmin/cli/kadmin.c:804 ++#: ../../src/kadmin/cli/kadmin.c:1084 ../../src/kadmin/cli/kadmin.c:1634 ++#: ../../src/kadmin/cli/keytab.c:159 ../../src/kadmin/dbutil/kdb5_util.c:591 ++#, c-format ++msgid "while parsing keysalts %s" ++msgstr "beim Auswerten der Schlüssel-Salts %s" ++ ++#: ../../src/kadmin/cli/kadmin.c:376 ++#, c-format ++msgid "%s: unable to get default realm\n" ++msgstr "%s: Standard-Realm kann nicht geholt werden\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:396 ++msgid "while opening default credentials cache" ++msgstr "beim Öffnen des Standardanmeldedatenzwischenspeichers" ++ ++#: ../../src/kadmin/cli/kadmin.c:402 ++#, c-format ++msgid "while opening credentials cache %s" ++msgstr "beim Öffnen des Anmeldedatenzwischenspeichers %s" ++ ++#: ../../src/kadmin/cli/kadmin.c:424 ../../src/kadmin/cli/kadmin.c:479 ++#: ../../src/kadmin/cli/kadmin.c:487 ../../src/kadmin/cli/kadmin.c:494 ++#, c-format ++msgid "%s: out of memory\n" ++msgstr "%s: Speicherplatz reicht nicht aus\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:433 ../../src/kadmin/cli/kadmin.c:448 ++#: ../../src/slave/kpropd.c:681 ++msgid "while canonicalizing principal name" ++msgstr "während der Principal-Name in die normale Form gebracht wird" ++ ++#: ../../src/kadmin/cli/kadmin.c:442 ++msgid "creating host service principal" ++msgstr "Principal des Rechnerdienstes wird erstellt" ++ ++#: ../../src/kadmin/cli/kadmin.c:455 ++#, c-format ++msgid "%s: unable to canonicalize principal\n" ++msgstr "%s: Principal kann nicht in die normale Form gebracht werden\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:499 ++#, c-format ++msgid "%s: unable to figure out a principal name\n" ++msgstr "%s: Es kann kein Principal-Name herausgefunden werden.\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:507 ++msgid "while setting up logging" ++msgstr "beim Einrichten der Protokollierung" ++ ++#: ../../src/kadmin/cli/kadmin.c:516 ++#, c-format ++msgid "Authenticating as principal %s with existing credentials.\n" ++msgstr "Authentifizierung als Principal %s mit existierenden Anmeldedaten\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:522 ++#, c-format ++msgid "Authenticating as principal %s with password; anonymous requested.\n" ++msgstr "" ++"Authentifizierung als Principal %s mit Passwort; Anonymität erwünscht\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:529 ++#, c-format ++msgid "Authenticating as principal %s with keytab %s.\n" ++msgstr "Authentifizierung als Principal %s mit Schlüsseltabelle %s\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:532 ++#, c-format ++msgid "Authenticating as principal %s with default keytab.\n" ++msgstr "Authentifizierung als Principal %s mit Standardschlüsseltabelle\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:538 ++#, c-format ++msgid "Authenticating as principal %s with password.\n" ++msgstr "Authentifizierung als Principal %s mit Passwort\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:546 ../../src/slave/kpropd.c:728 ++#, c-format ++msgid "while initializing %s interface" ++msgstr "beim Initialisieren der Schnittstelle %s" ++ ++#: ../../src/kadmin/cli/kadmin.c:560 ++#, c-format ++msgid "while closing ccache %s" ++msgstr "beim Schließen von Ccache %s" ++ ++#: ../../src/kadmin/cli/kadmin.c:566 ++msgid "while mapping update log" ++msgstr "beim Abbilden des Aktualisierungsprotokolls" ++ ++#: ../../src/kadmin/cli/kadmin.c:581 ++msgid "while unlocking locked database" ++msgstr "beim Entsperren der Datenbank" ++ ++#: ../../src/kadmin/cli/kadmin.c:590 ++msgid "Administration credentials NOT DESTROYED.\n" ++msgstr "Verwaltungsanmeldedaten NICHT VERNICHTET\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:639 ++#, c-format ++msgid "usage: delete_principal [-force] principal\n" ++msgstr "Aufruf: delete_principal [-force] Principal\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:644 ../../src/kadmin/cli/kadmin.c:819 ++msgid "while parsing principal name" ++msgstr "beim Auswerten des Principal-Namens" ++ ++#: ../../src/kadmin/cli/kadmin.c:650 ../../src/kadmin/cli/kadmin.c:825 ++#: ../../src/kadmin/cli/kadmin.c:1217 ../../src/kadmin/cli/kadmin.c:1339 ++#: ../../src/kadmin/cli/kadmin.c:1409 ../../src/kadmin/cli/kadmin.c:1858 ++#: ../../src/kadmin/cli/kadmin.c:1902 ../../src/kadmin/cli/kadmin.c:1948 ++#: ../../src/kadmin/cli/kadmin.c:1988 ++msgid "while canonicalizing principal" ++msgstr "während der Principal in die normale Form gebracht wird" ++ ++#: ../../src/kadmin/cli/kadmin.c:654 ++#, c-format ++msgid "Are you sure you want to delete the principal \"%s\"? (yes/no): " ++msgstr "" ++"Sind Sie sicher, dass Sie den Principal »%s« löschen möchten? (yes/no): " ++ ++#: ../../src/kadmin/cli/kadmin.c:658 ++#, c-format ++msgid "Principal \"%s\" not deleted\n" ++msgstr "Principal »%s« nicht gelöscht\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:665 ++#, c-format ++msgid "while deleting principal \"%s\"" ++msgstr "beim Löschen von Principal »%s«" ++ ++#: ../../src/kadmin/cli/kadmin.c:668 ++#, c-format ++msgid "Principal \"%s\" deleted.\n" ++msgstr "Principal »%s« gelöscht\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:669 ++#, c-format ++msgid "" ++"Make sure that you have removed this principal from all ACLs before " ++"reusing.\n" ++msgstr "" ++"Stellen Sie sicher, dass Sie diesen Principal aus allen ACLs entfernt haben, " ++"bevor Sie ihn erneut benutzen.\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:686 ++#, c-format ++msgid "usage: rename_principal [-force] old_principal new_principal\n" ++msgstr "Aufruf: rename_principal [-force] alter_Principal neuer_Principal\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:693 ++msgid "while parsing old principal name" ++msgstr "beim Auswerten des alten Principal-Namens" ++ ++#: ../../src/kadmin/cli/kadmin.c:699 ++msgid "while parsing new principal name" ++msgstr "beim Auswerten des neuen Principal-Namens" ++ ++#: ../../src/kadmin/cli/kadmin.c:705 ++msgid "while canonicalizing old principal" ++msgstr "während der alte Principal in die normale Form gebracht wird" ++ ++#: ../../src/kadmin/cli/kadmin.c:711 ++msgid "while canonicalizing new principal" ++msgstr "während der neue Principal in die normale Form gebracht wird" ++ ++#: ../../src/kadmin/cli/kadmin.c:715 ++#, c-format ++msgid "" ++"Are you sure you want to rename the principal \"%s\" to \"%s\"? (yes/no): " ++msgstr "" ++"Sind Sie sicher, dass Sie den Principal »%s« in »%s« umbenennen möchten? " ++"(yes/no): " ++ ++#: ../../src/kadmin/cli/kadmin.c:719 ++#, c-format ++msgid "Principal \"%s\" not renamed\n" ++msgstr "Principal »%s« wurde nicht umbenannt.\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:726 ++#, c-format ++msgid "while renaming principal \"%s\" to \"%s\"" ++msgstr "beim Umbenennen von Principal »%s« in »%s«" ++ ++#: ../../src/kadmin/cli/kadmin.c:730 ++#, c-format ++msgid "Principal \"%s\" renamed to \"%s\".\n" ++msgstr "Principal »%s« wurde in »%s« umbenannt.\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:731 ++#, c-format ++msgid "" ++"Make sure that you have removed the old principal from all ACLs before " ++"reusing.\n" ++msgstr "" ++"Stellen Sie sicher, dass Sie den alten Principal aus allen ACLs entfernt " ++"haben, bevor Sie ihn erneut benutzen.\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:746 ++#, c-format ++msgid "" ++"usage: change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] " ++"principal\n" ++msgstr "" ++"Aufruf: change_password [-randkey] [-keepold] [-e Schlüssel-Salt-Liste] [-pw " ++"Passwort] Principal\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:772 ++msgid "change_password: missing db argument" ++msgstr "change_password: fehlendes Datenbankargument" ++ ++#: ../../src/kadmin/cli/kadmin.c:778 ++#, c-format ++msgid "change_password: Not enough memory\n" ++msgstr "change_password: zu wenig Speicher\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:786 ++msgid "change_password: missing password arg" ++msgstr "change_password: fehlendes Passwortargument" ++ ++#: ../../src/kadmin/cli/kadmin.c:797 ++msgid "change_password: missing keysaltlist arg" ++msgstr "change_password: fehlendes Schlüssel-Salt-Listenargument" ++ ++#: ../../src/kadmin/cli/kadmin.c:813 ++msgid "missing principal name" ++msgstr "fehlender Principal-Name" ++ ++#: ../../src/kadmin/cli/kadmin.c:837 ../../src/kadmin/cli/kadmin.c:874 ++#, c-format ++msgid "while changing password for \"%s\"." ++msgstr "beim Ändern des Passworts von »%s«." ++ ++#: ../../src/kadmin/cli/kadmin.c:840 ../../src/kadmin/cli/kadmin.c:877 ++#, c-format ++msgid "Password for \"%s\" changed.\n" ++msgstr "Passwort von »%s« geändert\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:846 ../../src/kadmin/cli/kadmin.c:1290 ++#, c-format ++msgid "while randomizing key for \"%s\"." ++msgstr "beim Erzeugen eines zufälligen Schlüssels für »%s«." ++ ++#: ../../src/kadmin/cli/kadmin.c:849 ++#, c-format ++msgid "Key for \"%s\" randomized.\n" ++msgstr "Es wurde ein zufälliger Schlüssel für %s erzeugt\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:854 ../../src/kadmin/cli/kadmin.c:1250 ++#, c-format ++msgid "Enter password for principal \"%s\"" ++msgstr "Geben Sie das Passwort für Principal »%s« ein." ++ ++#: ../../src/kadmin/cli/kadmin.c:856 ../../src/kadmin/cli/kadmin.c:1252 ++#, c-format ++msgid "Re-enter password for principal \"%s\"" ++msgstr "Geben Sie das Passwort für Principal »%s« erneut ein." ++ ++#: ../../src/kadmin/cli/kadmin.c:861 ../../src/kadmin/cli/kadmin.c:1256 ++#, c-format ++msgid "while reading password for \"%s\"." ++msgstr "beim Lesen des Passworts von »%s«." ++ ++#: ../../src/kadmin/cli/kadmin.c:915 ++#, c-format ++msgid "Not enough memory\n" ++msgstr "Speicher reicht nicht aus\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:945 ../../src/kadmin/dbutil/kdb5_util.c:623 ++msgid "while getting time" ++msgstr "beim Holen der Zeit" ++ ++#: ../../src/kadmin/cli/kadmin.c:994 ../../src/kadmin/cli/kadmin.c:1007 ++#: ../../src/kadmin/cli/kadmin.c:1020 ../../src/kadmin/cli/kadmin.c:1033 ++#: ../../src/kadmin/cli/kadmin.c:1546 ../../src/kadmin/cli/kadmin.c:1558 ++#: ../../src/kadmin/cli/kadmin.c:1601 ../../src/kadmin/cli/kadmin.c:1618 ++#, c-format ++msgid "Invalid date specification \"%s\".\n" ++msgstr "ungültige Datumsangabe »%s«\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1118 ../../src/kadmin/cli/kadmin.c:1333 ++#: ../../src/kadmin/cli/kadmin.c:1404 ../../src/kadmin/cli/kadmin.c:1852 ++#: ../../src/kadmin/cli/kadmin.c:1896 ../../src/kadmin/cli/kadmin.c:1942 ++#: ../../src/kadmin/cli/kadmin.c:1982 ++msgid "while parsing principal" ++msgstr "beim Auswerten des Principals" ++ ++#: ../../src/kadmin/cli/kadmin.c:1127 ++#, c-format ++msgid "usage: add_principal [options] principal\n" ++msgstr "Aufruf: add_principal [Optionen] Principal\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1128 ../../src/kadmin/cli/kadmin.c:1155 ++#: ../../src/kadmin/cli/kadmin.c:1657 ++#, c-format ++msgid "\toptions are:\n" ++msgstr "\tEs gibt folgende Optionen:\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1130 ++#, c-format ++msgid "" ++"\t\t[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire " ++"pwexpdate] [-maxlife maxtixlife]\n" ++"\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n" ++"\t\t[-pw password] [-maxrenewlife maxrenewlife]\n" ++"\t\t[-e keysaltlist]\n" ++"\t\t[{+|-}attribute]\n" ++msgstr "" ++"\t\t[-randkey|-nokey] [-x DB-Principal-Argumente]* [-expire Ablaufdatum] [-" ++"pwexpire Passwortablaufdatum] [-maxlife maximale_Ticketlebensdauer]\n" ++"\t\t[-kvno KVNO] [-policy Richtlinie] [-clearpolicy]\n" ++"\t\t[-pw Passwort] [-maxrenewlife maximale_Dauer_bis_zum_Erneuern]\n" ++"\t\t[-e Schlüssel-Salt-Liste]\n" ++"\t\t[{+|-}Attribut]\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1136 ++#, c-format ++msgid "\tattributes are:\n" ++msgstr "\tEs gibt folgende Attribute:\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1138 ../../src/kadmin/cli/kadmin.c:1164 ++#, c-format ++msgid "" ++"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n" ++"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n" ++"\t\trequires_hwauth needchange allow_svr password_changing_service\n" ++"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" ++"\n" ++"where,\n" ++"\t[-x db_princ_args]* - any number of database specific arguments.\n" ++"\t\t\tLook at each database documentation for supported arguments\n" ++msgstr "" ++"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n" ++"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n" ++"\t\trequires_hwauth needchange allow_svr password_changing_service\n" ++"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" ++"\n" ++"wobei\n" ++"\t[-x DB-Principal-Argumente]* - eine beliebige Zahl\n" ++"\tdatenbankspezifischer Argumente ist.\n" ++"\t\t\tDie unterstützten Argumente finden Sie in der jeweiligen\n" ++"Datenbankdokumentation.\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1154 ++#, c-format ++msgid "usage: modify_principal [options] principal\n" ++msgstr "Aufruf: modify_principal [Optionen] Principal\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1157 ++#, c-format ++msgid "" ++"\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife " ++"maxtixlife]\n" ++"\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n" ++"\t\t[-maxrenewlife maxrenewlife] [-unlock] [{+|-}attribute]\n" ++msgstr "" ++"\t\t[-x DB-Principal-Argumente]* [-expire Ablaufdatum] [-pwexpire " ++"Passwortablaufdatum] [-maxlife maximale_Ticketlebensdauer]\n" ++"\t\t[-kvno KVNO] [-policy Richtlinie] [-clearpolicy]\n" ++"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern] [-unlock] [{+|-}" ++"Attribut]\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1224 ../../src/kadmin/cli/kadmin.c:1362 ++#, c-format ++msgid "WARNING: policy \"%s\" does not exist\n" ++msgstr "WARNUNG: Richtlinie »%s« existiert nicht.\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1230 ++#, c-format ++msgid "NOTICE: no policy specified for %s; assigning \"default\"\n" ++msgstr "" ++"HINWEIS: Für %s wurde keine Richtlinie angegeben, es wird »default« " ++"zugewiesen\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1235 ++#, c-format ++msgid "WARNING: no policy specified for %s; defaulting to no policy\n" ++msgstr "" ++"WARNUNG: Für %s wurde keine Richtlinie angegeben, es wird die Vorgabe " ++"»keine\n" ++"Richtlinie« verwandt.\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1276 ++#, c-format ++msgid "Admin server does not support -nokey while creating \"%s\"\n" ++msgstr "" ++"Der Administrationsrechner unterstützt beim Erstellen von »%s« kein -nokey\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1298 ++#, c-format ++msgid "while clearing DISALLOW_ALL_TIX for \"%s\"." ++msgstr "beim Löschen von DISALLOW_ALL_TIX für »%s«." ++ ++#: ../../src/kadmin/cli/kadmin.c:1345 ++#, c-format ++msgid "while getting \"%s\"." ++msgstr "beim Holen von »%s«." ++ ++#: ../../src/kadmin/cli/kadmin.c:1371 ++#, c-format ++msgid "while modifying \"%s\"." ++msgstr "beim Ändern von »%s«." ++ ++#: ../../src/kadmin/cli/kadmin.c:1375 ++#, c-format ++msgid "Principal \"%s\" modified.\n" ++msgstr "Principal »%s« wurde geändert.\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1396 ++#, c-format ++msgid "usage: get_principal [-terse] principal\n" ++msgstr "Aufruf: get_principal [-terse] Principal\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1415 ++#, c-format ++msgid "while retrieving \"%s\"." ++msgstr "beim Abfragen von »%s«." ++ ++#: ../../src/kadmin/cli/kadmin.c:1420 ../../src/kadmin/cli/kadmin.c:1425 ++msgid "while unparsing principal" ++msgstr "beim Rückgängigmachen der Auswertung des Principals" ++ ++#: ../../src/kadmin/cli/kadmin.c:1429 ++#, c-format ++msgid "Principal: %s\n" ++msgstr "Principal: %s\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1430 ++#, c-format ++msgid "Expiration date: %s\n" ++msgstr "Ablaufdatum: %s\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1431 ../../src/kadmin/cli/kadmin.c:1433 ++#: ../../src/kadmin/cli/kadmin.c:1444 ++msgid "[never]" ++msgstr "[niemals]" ++ ++#: ../../src/kadmin/cli/kadmin.c:1432 ++#, c-format ++msgid "Last password change: %s\n" ++msgstr "Letzte Passwortänderung: %s\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1434 ++#, c-format ++msgid "Password expiration date: %s\n" ++msgstr "Passwortablaufdatum: %s\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1436 ../../src/kadmin/cli/kadmin.c:1478 ++msgid "[none]" ++msgstr "[keins]" ++ ++#: ../../src/kadmin/cli/kadmin.c:1437 ++#, c-format ++msgid "Maximum ticket life: %s\n" ++msgstr "maximale Ticketlebensdauer: %s\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1438 ++#, c-format ++msgid "Maximum renewable life: %s\n" ++msgstr "maximale verlängerbare Lebensdauer: %s\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1440 ++#, c-format ++msgid "Last modified: %s (%s)\n" ++msgstr "zuletzt geändert: %s (%s)\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1442 ++#, c-format ++msgid "Last successful authentication: %s\n" ++msgstr "letzte erfolgreiche Authentifizierung: %s\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1448 ++#, c-format ++msgid "Failed password attempts: %d\n" ++msgstr "Fehlgeschlagene Anmeldeversuche: %d\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1450 ++#, c-format ++msgid "Number of keys: %d\n" ++msgstr "Anzahl der Schlüssel: %d\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1457 ++#, c-format ++msgid "" ++msgstr "" ++ ++#: ../../src/kadmin/cli/kadmin.c:1464 ++#, c-format ++msgid "" ++msgstr "" ++ ++#: ../../src/kadmin/cli/kadmin.c:1470 ++#, c-format ++msgid "MKey: vno %d\n" ++msgstr "MKey: vno %d\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1472 ++#, c-format ++msgid "Attributes:" ++msgstr "Attribute:" ++ ++#: ../../src/kadmin/cli/kadmin.c:1480 ++msgid " [does not exist]" ++msgstr " [existiert nicht]" ++ ++#: ../../src/kadmin/cli/kadmin.c:1481 ++#, c-format ++msgid "Policy: %s%s\n" ++msgstr "Richtlinie: %s%s\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1517 ++#, c-format ++msgid "usage: get_principals [expression]\n" ++msgstr "Aufruf: get_principals [Ausdruck]\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1522 ../../src/kadmin/cli/kadmin.c:1794 ++msgid "while retrieving list." ++msgstr "beim Abfragen der Liste." ++ ++#: ../../src/kadmin/cli/kadmin.c:1647 ++#, c-format ++msgid "%s: parser lost count!\n" ++msgstr "%s: Auswertungsprogramm verlor Anzahl!\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1656 ++#, c-format ++msgid "usage; %s [options] policy\n" ++msgstr "Aufruf: %s [Optionen] Richtlinie\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1659 ++#, c-format ++msgid "" ++"\t\t[-maxlife time] [-minlife time] [-minlength length]\n" ++"\t\t[-minclasses number] [-history number]\n" ++"\t\t[-maxfailure number] [-failurecountinterval time]\n" ++"\t\t[-allowedkeysalts keysalts]\n" ++msgstr "" ++"\t\t[-maxlife Zeit] [-minlife Zeit] [-minlength Länge]\n" ++"\t\t[-minclasses Anzahl] [-history Nummer]\n" ++"\t\t[-maxfailure Anzahl] [-failurecountinterval Zeit]\n" ++"\t\t[-allowedkeysalts Schlüssel-Salts]\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1663 ++#, c-format ++msgid "\t\t[-lockoutduration time]\n" ++msgstr "\t\t[-lockoutduration Dauer]\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1682 ++#, c-format ++msgid "while creating policy \"%s\"." ++msgstr "beim Erstellen der Richtlinie »%s«" ++ ++#: ../../src/kadmin/cli/kadmin.c:1703 ++#, c-format ++msgid "while modifying policy \"%s\"." ++msgstr "beim Ändern der Richtlinie »%s«" ++ ++#: ../../src/kadmin/cli/kadmin.c:1715 ++#, c-format ++msgid "usage: delete_policy [-force] policy\n" ++msgstr "Aufruf: delete_policy [-force] Richtlinie\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1719 ++#, c-format ++msgid "Are you sure you want to delete the policy \"%s\"? (yes/no): " ++msgstr "" ++"Sind Sie sicher, dass Sie die Richtlinie »%s« löschen möchten? (yes/no): " ++ ++#: ../../src/kadmin/cli/kadmin.c:1723 ++#, c-format ++msgid "Policy \"%s\" not deleted.\n" ++msgstr "Richtlinie »%s« nicht gelöscht\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1729 ++#, c-format ++msgid "while deleting policy \"%s\"" ++msgstr "bei Löschen der Richtlinie »%s«" ++ ++#: ../../src/kadmin/cli/kadmin.c:1741 ++#, c-format ++msgid "usage: get_policy [-terse] policy\n" ++msgstr "Aufruf: get_policy [-terse] Richtlinie\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1746 ++#, c-format ++msgid "while retrieving policy \"%s\"." ++msgstr "beim Abfragen der Richtlinie »%s«." ++ ++#: ../../src/kadmin/cli/kadmin.c:1751 ++#, c-format ++msgid "Policy: %s\n" ++msgstr "Richtlinie: »%s«\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1752 ++#, c-format ++msgid "Maximum password life: %ld\n" ++msgstr "maximale Passwortlebensdauer: %ld\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1753 ++#, c-format ++msgid "Minimum password life: %ld\n" ++msgstr "minimale Passwortlebensdauer: %ld\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1754 ++#, c-format ++msgid "Minimum password length: %ld\n" ++msgstr "minimale Passwortlänge: %ld\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1755 ++#, c-format ++msgid "Minimum number of password character classes: %ld\n" ++msgstr "minimale Anzahl von Passwortzeichenklassen: %ld\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1757 ++#, c-format ++msgid "Number of old keys kept: %ld\n" ++msgstr "Anzahl aufbewahrter alter Schlüssel: %ld\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1758 ++#, c-format ++msgid "Maximum password failures before lockout: %lu\n" ++msgstr "maximale Anzahl falscher Passworteingaben vor dem Sperren: %lu\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1760 ++#, c-format ++msgid "Password failure count reset interval: %s\n" ++msgstr "Rücksetzintervall für zu viele falsch eingebene Passwörter: %s\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1762 ++#, c-format ++msgid "Password lockout duration: %s\n" ++msgstr "Passwortsperrdauer: %s\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1765 ++#, c-format ++msgid "Allowed key/salt types: %s\n" ++msgstr "erlaubte Schlüssel-/Salt-Typen: %s\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1789 ++#, c-format ++msgid "usage: get_policies [expression]\n" ++msgstr "Aufruf: get_policies [Ausdruck]\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1811 ++#, c-format ++msgid "usage: get_privs\n" ++msgstr "Aufruf: get_privs\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1816 ++msgid "while retrieving privileges" ++msgstr "beim Abfragen von Rechten" ++ ++#: ../../src/kadmin/cli/kadmin.c:1819 ++#, c-format ++msgid "current privileges:" ++msgstr "aktuelle Rechte:" ++ ++#: ../../src/kadmin/cli/kadmin.c:1845 ++#, c-format ++msgid "usage: purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal\n" ++msgstr "" ++"Aufruf: purgekeys [-all|-keepkvno älteste_KVNO_die_behalten_wird] Principal\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1865 ++#, c-format ++msgid "while purging keys for principal \"%s\"" ++msgstr "beim vollständigen Löschen der Schlüssel für Principal »%s«" ++ ++#: ../../src/kadmin/cli/kadmin.c:1870 ++#, c-format ++msgid "All keys for principal \"%s\" removed.\n" ++msgstr "Alle Schlüssel für Principal »%s« wurden entfernt.\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1872 ++#, c-format ++msgid "Old keys for principal \"%s\" purged.\n" ++msgstr "Alte Schlüssel für Principal »%s« wurden entfernt.\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1889 ++#, c-format ++msgid "usage: get_strings principal\n" ++msgstr "Aufruf: get_strings Principal\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1909 ++#, c-format ++msgid "while getting attributes for principal \"%s\"" ++msgstr "beim Holen von Attributen für Principal »%s«" ++ ++#: ../../src/kadmin/cli/kadmin.c:1914 ++#, c-format ++msgid "(No string attributes.)\n" ++msgstr "(keine Zeichenkettenattribute)\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1933 ++#, c-format ++msgid "usage: set_string principal key value\n" ++msgstr "Aufruf: set_string Principal Schlüssel Wert\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1955 ++#, c-format ++msgid "while setting attribute on principal \"%s\"" ++msgstr "beim Setzen eines Attributes für Principal »%s«" ++ ++#: ../../src/kadmin/cli/kadmin.c:1959 ++#, c-format ++msgid "Attribute set for principal \"%s\".\n" ++msgstr "Attribute für Principal »%s« wurden gesetzt.\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1974 ++#, c-format ++msgid "usage: del_string principal key\n" ++msgstr "Aufruf: del_string Principal Schlüssel\n" ++ ++#: ../../src/kadmin/cli/kadmin.c:1995 ++#, c-format ++msgid "while deleting attribute from principal \"%s\"" ++msgstr "beim Löschen eines Attributs von Principal »%s«" ++ ++#: ../../src/kadmin/cli/kadmin.c:1999 ++#, c-format ++msgid "Attribute removed from principal \"%s\".\n" ++msgstr "Attribut von Principal »%s« wurde gelöscht.\n" ++ ++#: ../../src/kadmin/cli/keytab.c:56 ++#, c-format ++msgid "" ++"Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] " ++"[principal | -glob princ-exp] [...]\n" ++msgstr "" ++"Aufruf: ktadd [-k[eytab] Schlüsseltabelle] [-q] [-e Schlüssel-Salt-Liste] [-" ++"norandkey] [Principal | -glob Principal-Ausdruck] […]\n" ++ ++#: ../../src/kadmin/cli/keytab.c:59 ++#, c-format ++msgid "" ++"Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob " ++"princ-exp] [...]\n" ++msgstr "" ++"Aufruf: ktadd [-k[eytab] Schlüsseltabelle] [-q] [-e Schlüssel-Salt-Liste] " ++"[Principal | -glob Principal-Ausdruck] […]\n" ++ ++#: ../../src/kadmin/cli/keytab.c:67 ++#, c-format ++msgid "" ++"Usage: ktremove [-k[eytab] keytab] [-q] principal [kvno|\"all\"|\"old\"]\n" ++msgstr "" ++"Aufruf: ktremove [-k[eytab] Schlüsseltabelle] [-q] Principal " ++"[kvno|»all«|»old«]\n" ++ ++#: ../../src/kadmin/cli/keytab.c:81 ../../src/kadmin/cli/keytab.c:102 ++msgid "while creating keytab name" ++msgstr "beim Erstellen des Schlüsseltabellennamens" ++ ++#: ../../src/kadmin/cli/keytab.c:86 ++msgid "while opening default keytab" ++msgstr "beim Öffnen der Standardschlüsseltabelle" ++ ++#: ../../src/kadmin/cli/keytab.c:147 ++#, c-format ++msgid "-norandkey option only valid for kadmin.local\n" ++msgstr "Die Option »-norandkey« ist nur für »kadmin.local« gültig.\n" ++ ++#: ../../src/kadmin/cli/keytab.c:176 ++#, c-format ++msgid "cannot specify keysaltlist when not changing key\n" ++msgstr "" ++"Schlüssel-Salt-Liste kann nicht angegeben werden, wenn der Schlüssel nicht " ++"geändert wird\n" ++ ++#: ../../src/kadmin/cli/keytab.c:192 ++#, c-format ++msgid "while expanding expression \"%s\"." ++msgstr "beim Expandieren des Ausdrucks »%s«." ++ ++#: ../../src/kadmin/cli/keytab.c:211 ../../src/kadmin/cli/keytab.c:251 ++msgid "while closing keytab" ++msgstr "beim Schließen der Schlüsseltabelle" ++ ++#: ../../src/kadmin/cli/keytab.c:275 ++#, c-format ++msgid "while parsing -add principal name %s" ++msgstr "beim Auswerten von »-add Principal-Name %s«" ++ ++#: ../../src/kadmin/cli/keytab.c:289 ++#, c-format ++msgid "%s: Principal %s does not exist.\n" ++msgstr "%s: Principal %s existiert nicht.\n" ++ ++#: ../../src/kadmin/cli/keytab.c:292 ++#, c-format ++msgid "while changing %s's key" ++msgstr "beim Ändern des Schlüssels von %s" ++ ++#: ../../src/kadmin/cli/keytab.c:299 ++msgid "while retrieving principal" ++msgstr "beim Abfragen des Principals" ++ ++#: ../../src/kadmin/cli/keytab.c:311 ++msgid "while adding key to keytab" ++msgstr "beim Hinzufügen des Schlüssels zur Schlüsseltabelle" ++ ++#: ../../src/kadmin/cli/keytab.c:317 ++#, c-format ++msgid "" ++"Entry for principal %s with kvno %d, encryption type %s added to keytab %s.\n" ++msgstr "" ++"Der Eintrag für Principal %s mit KVNO %d und Verschlüsselungstyp %s wurde " ++"der Schlüsseltabelle %s hinzugefügt.\n" ++ ++#: ../../src/kadmin/cli/keytab.c:326 ++msgid "while freeing principal entry" ++msgstr "beim Freigeben des Principal-Eintrags" ++ ++#: ../../src/kadmin/cli/keytab.c:373 ++#, c-format ++msgid "%s: Keytab %s does not exist.\n" ++msgstr "%s: Schlüsseltabelle %s existiert nicht.\n" ++ ++#: ../../src/kadmin/cli/keytab.c:377 ++#, c-format ++msgid "%s: No entry for principal %s exists in keytab %s\n" ++msgstr "" ++"%s: Für Principal %s existiert kein Eintrag in der Schlüsseltabelle %s.\n" ++ ++#: ../../src/kadmin/cli/keytab.c:381 ++#, c-format ++msgid "%s: No entry for principal %s with kvno %d exists in keytab %s\n" ++msgstr "" ++"%s: Für den Principal %s mit der KVNO %d existiert kein Eintrag in der " ++"Schlüsseltabelle %s.\n" ++ ++#: ../../src/kadmin/cli/keytab.c:387 ++msgid "while retrieving highest kvno from keytab" ++msgstr "beim Abfragen der höchsten KVNO der Schlüsseltabelle" ++ ++#: ../../src/kadmin/cli/keytab.c:420 ++msgid "while temporarily ending keytab scan" ++msgstr "beim Unterbrechen des Schlüsseltabellen-Scans" ++ ++#: ../../src/kadmin/cli/keytab.c:425 ++msgid "while deleting entry from keytab" ++msgstr "beim Löschen eines Eintrags aus der Schlüsseltabelle" ++ ++#: ../../src/kadmin/cli/keytab.c:430 ++msgid "while restarting keytab scan" ++msgstr "bei der Wiederaufnahme des Schlüsseltabellen-Scans" ++ ++#: ../../src/kadmin/cli/keytab.c:436 ++#, c-format ++msgid "Entry for principal %s with kvno %d removed from keytab %s.\n" ++msgstr "" ++"Der Eintrag für Principal %s mit KVNO %d wurde aus der Schlüsseltabelle %s " ++"entfernt.\n" ++ ++#: ../../src/kadmin/cli/keytab.c:458 ++#, c-format ++msgid "%s: There is only one entry for principal %s in keytab %s\n" ++msgstr "" ++"%s: Es gibt nur einen Eintrag für Principal %s in der Schlüsseltabelle %s.\n" ++ ++#: ../../src/kadmin/cli/ss_wrapper.c:49 ../../src/kadmin/ktutil/ktutil.c:58 ++msgid "creating invocation" ++msgstr "Aufruf wird erstellt" ++ ++#: ../../src/kadmin/dbutil/dump.c:165 ++msgid "while allocating temporary filename dump" ++msgstr "beim Reservieren des temporären Dateinamenspeicherauszugs" ++ ++#: ../../src/kadmin/dbutil/dump.c:176 ++msgid "while renaming dump file into place" ++msgstr "während das Umbenennen der Auszugsdateien Gestalt annimmt" ++ ++#: ../../src/kadmin/dbutil/dump.c:192 ++msgid "while allocating dump_ok filename" ++msgstr "beim Reservieren des »dump_ok«-Dateinamens" ++ ++#: ../../src/kadmin/dbutil/dump.c:199 ++#, c-format ++msgid "while creating 'ok' file, '%s'" ++msgstr "beim Erstellen der Datei »ok«, »%s«" ++ ++#: ../../src/kadmin/dbutil/dump.c:206 ++#, c-format ++msgid "while locking 'ok' file, '%s'" ++msgstr "beim Sperren der Datei »ok«, »%s«" ++ ++#: ../../src/kadmin/dbutil/dump.c:248 ../../src/kadmin/dbutil/dump.c:277 ++#, c-format ++msgid "%s: regular expression error: %s\n" ++msgstr "%s: Fehler im regulären Ausdruck: %s\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:260 ++#, c-format ++msgid "%s: regular expression match error: %s\n" ++msgstr "%s: Fehler beim Abgleich mit regulärem Ausdruck: %s\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:361 ++#, c-format ++msgid "%s: tagged data list inconsistency for %s (counted %d, stored %d)\n" ++msgstr "" ++"%s: Unstimmigkeit in der markierten Datenliste für %s (%d gezählt, %d " ++"gespeichert)\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:519 ++#, c-format ++msgid "" ++"Warning! Multiple DES-CBC-CRC keys for principal %s; skipping duplicates.\n" ++msgstr "" ++"Warnung! Mehrere DES-CBC-CRC-Schlüssel für Principal %s, Duplikate werden " ++"übersprungen.\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:530 ++#, c-format ++msgid "" ++"Warning! No DES-CBC-CRC key for principal %s, cannot generate OV-compatible " ++"record; skipping\n" ++msgstr "" ++"Warnung! Kein DES-CBC-CRC-Schlüssel für Principal %s, es kann kein OV-" ++"kompatibler Datensatz erzeugt werden, wird übersprungen\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:558 ++#, c-format ++msgid "while converting %s to new master key" ++msgstr "beim Umwandeln von %s in den neuen Hauptschlüssel" ++ ++#: ../../src/kadmin/dbutil/dump.c:579 ++#, c-format ++msgid "%s(%d): %s\n" ++msgstr "%s(%d): %s\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:622 ++#, c-format ++msgid "%s(%d): ignoring trash at end of line: " ++msgstr "%s(%d): Müll am Zeilenende wird ignoriert: " ++ ++#: ../../src/kadmin/dbutil/dump.c:685 ++msgid "cannot read tagged data type and length" ++msgstr "Markierter Datentyp und Länge können nicht gelesen werden." ++ ++#: ../../src/kadmin/dbutil/dump.c:692 ++msgid "cannot read tagged data contents" ++msgstr "Inhalt der markierten Daten kann nicht gelesen werden." ++ ++#: ../../src/kadmin/dbutil/dump.c:726 ++msgid "cannot match size tokens" ++msgstr "Größenmerkmale können nicht zugeordnet werden." ++ ++#: ../../src/kadmin/dbutil/dump.c:755 ++msgid "cannot read name string" ++msgstr "Namenszeichenkette kann nicht gelesen werden." ++ ++#: ../../src/kadmin/dbutil/dump.c:760 ++#, c-format ++msgid "while parsing name %s" ++msgstr "beim Auswerten des Namens %s" ++ ++#: ../../src/kadmin/dbutil/dump.c:768 ++msgid "cannot read principal attributes" ++msgstr "Principal-Attribute können nicht gelesen werden." ++ ++#: ../../src/kadmin/dbutil/dump.c:821 ++msgid "cannot read key size and version" ++msgstr "Schlüssellänge und -version können nicht gelesen werden." ++ ++#: ../../src/kadmin/dbutil/dump.c:832 ++msgid "cannot read key type and length" ++msgstr "Schlüsseltyp und -länge können nicht gelesen werden." ++ ++#: ../../src/kadmin/dbutil/dump.c:838 ++msgid "cannot read key data" ++msgstr "Schlüsseldaten können nicht gelesen werden." ++ ++#: ../../src/kadmin/dbutil/dump.c:848 ++msgid "cannot read extra data" ++msgstr "Zusätzliche Daten können nicht gelesen werden." ++ ++#: ../../src/kadmin/dbutil/dump.c:857 ++#, c-format ++msgid "while storing %s" ++msgstr "beim Speichern von %s" ++ ++#: ../../src/kadmin/dbutil/dump.c:896 ../../src/kadmin/dbutil/dump.c:935 ++#: ../../src/kadmin/dbutil/dump.c:981 ++#, c-format ++msgid "cannot parse policy (%d read)\n" ++msgstr "Richtlinie kann nicht ausgewertet werden (%d gelesen)\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:904 ../../src/kadmin/dbutil/dump.c:943 ++#: ../../src/kadmin/dbutil/dump.c:1001 ++msgid "while creating policy" ++msgstr "beim Erstellen der Richtlinie" ++ ++#: ../../src/kadmin/dbutil/dump.c:908 ++#, c-format ++msgid "created policy %s\n" ++msgstr "erstellte Richtlinie %s\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:1038 ++#, c-format ++msgid "unknown record type \"%s\"\n" ++msgstr "unbekannter Datensatztyp »%s«\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:1167 ++#, c-format ++msgid "%s: Unknown iprop dump version %d\n" ++msgstr "%s: unbekannte Iprop-Auszugsversion %d\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:1270 ../../src/kadmin/dbutil/dump.c:1498 ++#, c-format ++msgid "Iprop not enabled\n" ++msgstr "Iprop nicht aktiviert\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:1308 ++msgid "Conditional dump is an undocumented option for use only for iprop dumps" ++msgstr "" ++"Bedingter Auszug ist eine nicht dokumentierte Option, die nur für Iprop-" ++"Auszüge benutzt wird." ++ ++#: ../../src/kadmin/dbutil/dump.c:1321 ++msgid "Database not currently opened!" ++msgstr "Die Datenbank ist zur Zeit nicht geöffnet!" ++ ++#: ../../src/kadmin/dbutil/dump.c:1335 ++#: ../../src/kadmin/dbutil/kdb5_stash.c:116 ++#: ../../src/kadmin/dbutil/kdb5_util.c:479 ++msgid "while reading master key" ++msgstr "beim Lesen des Hauptschlüssels" ++ ++#: ../../src/kadmin/dbutil/dump.c:1341 ++msgid "while verifying master key" ++msgstr "beim Prüfen des Hauptschlüssels" ++ ++#: ../../src/kadmin/dbutil/dump.c:1360 ../../src/kadmin/dbutil/dump.c:1370 ++msgid "while reading new master key" ++msgstr "beim Lesen des neuen Hauptschlüssels" ++ ++#: ../../src/kadmin/dbutil/dump.c:1364 ++#, c-format ++msgid "Please enter new master key....\n" ++msgstr "Bitte geben Sie den neuen Hauptschlüssel ein …\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:1388 ++#, c-format ++msgid "while opening %s for writing" ++msgstr "beim Öffnen von %s zum Schreiben" ++ ++#: ../../src/kadmin/dbutil/dump.c:1403 ++msgid "while reading update log header" ++msgstr "beim Lesen der Aktualisierungsprotokollkopfzeilen" ++ ++#: ../../src/kadmin/dbutil/dump.c:1418 ../../src/kadmin/dbutil/dump.c:1425 ++#, c-format ++msgid "performing %s dump" ++msgstr "Auszug von %s wird durchgeführt" ++ ++#: ../../src/kadmin/dbutil/dump.c:1455 ++#, c-format ++msgid "%s: error processing line %d of %s\n" ++msgstr "%s: Fehler beim Verarbeiten von Zeile %d von %s\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:1507 ++msgid "while parsing options" ++msgstr "beim Auswerten der Optionen" ++ ++#: ../../src/kadmin/dbutil/dump.c:1522 ++#, c-format ++msgid "while opening %s" ++msgstr "beim Öffnen von %s" ++ ++#: ../../src/kadmin/dbutil/dump.c:1527 ../../src/kadmin/dbutil/dump.c:1626 ++msgid "standard input" ++msgstr "Standardeingabe" ++ ++#: ../../src/kadmin/dbutil/dump.c:1532 ++#, c-format ++msgid "%s: can't read dump header in %s\n" ++msgstr "%s: Kopfzeilen des Auszugs in %s können nicht gelesen werden.\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:1540 ../../src/kadmin/dbutil/dump.c:1557 ++#, c-format ++msgid "%s: dump header bad in %s\n" ++msgstr "%s: falsche Kopfzeilen des Auszugs in %s\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:1566 ++#, c-format ++msgid "Could not open iprop ulog\n" ++msgstr "Iprop-Ulog kann nicht geöffnet werden.\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:1571 ++#, c-format ++msgid "%s: dump version %s can only be loaded with the -update flag\n" ++msgstr "" ++"%s: Die Auszugsversion %s kann nur mit dem Schalter -update geladen werden.\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:1580 ../../src/kadmin/dbutil/dump.c:1585 ++msgid "computing parameters for database" ++msgstr "Parameter für die Datenbank werden berechnet." ++ ++#: ../../src/kadmin/dbutil/dump.c:1591 ++msgid "while creating database" ++msgstr "beim Erstellen der Datenbank" ++ ++#: ../../src/kadmin/dbutil/dump.c:1600 ++msgid "while opening database" ++msgstr "beim Öffnen der Datenbank" ++ ++#: ../../src/kadmin/dbutil/dump.c:1610 ++msgid "while permanently locking database" ++msgstr "beim dauerhaften Sperren der Datenbank" ++ ++#: ../../src/kadmin/dbutil/dump.c:1628 ++#, c-format ++msgid "%s: %s restore failed\n" ++msgstr "%s: Wiederherstellen von %s fehlgeschlagen\n" ++ ++#: ../../src/kadmin/dbutil/dump.c:1633 ++msgid "while unlocking database" ++msgstr "beim Aufheben der Datenbanksperre" ++ ++#: ../../src/kadmin/dbutil/dump.c:1643 ../../src/kadmin/dbutil/dump.c:1662 ++msgid "while reinitializing update log" ++msgstr "beim erneuten Initialisieren des Aktualisierungsprotokolls" ++ ++#: ../../src/kadmin/dbutil/dump.c:1653 ++msgid "while making newly loaded database live" ++msgstr "beim Aktivieren der neu geladenen Datenbank" ++ ++#: ../../src/kadmin/dbutil/dump.c:1669 ++msgid "while writing update log header" ++msgstr "beim Schreiben der Aktualisierungsprotokollkopfzeilen" ++ ++#: ../../src/kadmin/dbutil/dump.c:1683 ++#, c-format ++msgid "while deleting bad database %s" ++msgstr "beim Löschen der falschen Datenbank %s" ++ ++#: ../../src/kadmin/dbutil/kadm5_create.c:84 ++msgid "while looking up the Kerberos configuration" ++msgstr "beim Nachschlagen der Kerberos-Konfiguration" ++ ++#: ../../src/kadmin/dbutil/kadm5_create.c:111 ++msgid "while initializing the Kerberos admin interface" ++msgstr "beim Initialisieren der Kerberos-Administrationsoberfläche" ++ ++#: ../../src/kadmin/dbutil/kadm5_create.c:169 ++#, c-format ++msgid "getaddrinfo(%s): Cannot determine canonical hostname.\n" ++msgstr "" ++"getaddrinfo(%s): Die Normalform des Rechnernamens kann nicht bestimmt " ++"werden.\n" ++ ++#: ../../src/kadmin/dbutil/kadm5_create.c:190 ++#: ../../src/kadmin/dbutil/kadm5_create.c:196 ++#, c-format ++msgid "Out of memory\n" ++msgstr "Speicherplatz reicht nicht aus.\n" ++ ++#: ../../src/kadmin/dbutil/kadm5_create.c:270 ++msgid "while appending realm to principal" ++msgstr "beim Anhängen des Realms an den Principal" ++ ++#: ../../src/kadmin/dbutil/kadm5_create.c:275 ++msgid "while parsing admin principal name" ++msgstr "beim Auswerten des Principal-Namens des Administrators" ++ ++#: ../../src/kadmin/dbutil/kadm5_create.c:286 ++#, c-format ++msgid "while creating principal %s" ++msgstr "beim Erstellen des Principals %s" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:175 ++#: ../../src/kadmin/dbutil/kdb5_util.c:241 ++#: ../../src/kadmin/dbutil/kdb5_util.c:248 ++msgid "while parsing command arguments\n" ++msgstr "beim Auswerten der Befehlsargumente\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:198 ++#, c-format ++msgid "Loading random data\n" ++msgstr "Zufällige Daten werden geladen.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:201 ++msgid "Loading random data" ++msgstr "Zufällige Daten werden geladen." ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:211 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:242 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:435 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:591 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1149 ++#: ../../src/kadmin/dbutil/kdb5_util.c:423 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:606 ++msgid "while setting up master key name" ++msgstr "beim Einrichten des Hauptschlüsselnamens" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:222 ++#, c-format ++msgid "" ++"Initializing database '%s' for realm '%s',\n" ++"master key name '%s'\n" ++msgstr "" ++"Datenbank »%s« für Realm »%s« wird initialisiert,\n" ++"Hauptschlüsselname »%s«\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:227 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:516 ++#, c-format ++msgid "You will be prompted for the database Master Password.\n" ++msgstr "Sie werden nach dem Master-Passwort der Datenbank gefragt.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:228 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:260 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:517 ++#, c-format ++msgid "It is important that you NOT FORGET this password.\n" ++msgstr "Es ist wichtig, dass Sie dieses Passwort NICHT VERGESSEN.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:234 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:266 ++msgid "while creating new master key" ++msgstr "beim Erstellen des neuen Hauptschlüssels" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:242 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:527 ++msgid "while reading master key from keyboard" ++msgstr "beim Lesen des Hauptschlüssels von der Tastatur" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:252 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:285 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:618 ++msgid "while calculating master key salt" ++msgstr "beim Berechnen des Hauptschlüssel-Salts" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:260 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:294 ++#: ../../src/kadmin/dbutil/kdb5_util.c:465 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:630 ++msgid "while transforming master key from password" ++msgstr "beim Umwandeln des Hauptschlüssels vom Passwort" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:270 ++msgid "while initializing random key generator" ++msgstr "beim Initialisieren des Zufallsschlüsselgenerators" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:275 ++#, c-format ++msgid "while creating database '%s'" ++msgstr "beim Erstellen der Datenbank »%s«" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:293 ++msgid "while creating update log" ++msgstr "beim Erstellen des Aktualisierungsprotokolls" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:304 ++msgid "while initializing update log" ++msgstr "beim Initialisieren des Aktualisierungsprotokolls" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:320 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:642 ++msgid "while adding entries to the database" ++msgstr "beim Hinzufügen von Einträgen in die Datenbank" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:348 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:339 ++#: ../../src/kadmin/dbutil/kdb5_stash.c:133 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:667 ++msgid "while storing key" ++msgstr "beim Speichern des Schlüssels" ++ ++#: ../../src/kadmin/dbutil/kdb5_create.c:349 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:340 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:668 ++#, c-format ++msgid "Warning: couldn't stash master key.\n" ++msgstr "Warnung: Hauptschlüssel kann nicht gelagert werden.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_destroy.c:57 ++msgid "while initializing krb5_context" ++msgstr "beim Initialisieren von »krb5_context«" ++ ++#: ../../src/kadmin/dbutil/kdb5_destroy.c:63 ++#: ../../src/kadmin/dbutil/kdb5_util.c:259 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:291 ++msgid "while setting default realm name" ++msgstr "beim Einstellen des Standard-Realm-Namens" ++ ++#: ../../src/kadmin/dbutil/kdb5_destroy.c:83 ++#, c-format ++msgid "Deleting KDC database stored in '%s', are you sure?\n" ++msgstr "" ++"Die in »%s« gespeicherte KDC-Datenbank wird gelöscht. Sind Sie sicher?\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_destroy.c:85 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1166 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:360 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1482 ++#, c-format ++msgid "(type 'yes' to confirm)? " ++msgstr "(Geben Sie als Bestätigung »yes« ein)? " ++ ++#: ../../src/kadmin/dbutil/kdb5_destroy.c:92 ++#, c-format ++msgid "OK, deleting database '%s'...\n" ++msgstr "OK, Datenbank »%s« wird gelöscht …\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_destroy.c:97 ++#, c-format ++msgid "deleting database '%s'" ++msgstr "Datenbank »%s« wird gelöscht." ++ ++#: ../../src/kadmin/dbutil/kdb5_destroy.c:106 ++#, c-format ++msgid "** Database '%s' destroyed.\n" ++msgstr "** Datenbank »%s« vernichtet\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:218 ++#, c-format ++msgid "%s is an invalid enctype" ++msgstr "%s ist ein ungültiger Verschlüsselungstyp" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:250 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:443 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:599 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:986 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1157 ++#, c-format ++msgid "while getting master key principal %s" ++msgstr "beim Holen des Hauptschlüssels von Principal %s" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:256 ++#, c-format ++msgid "Creating new master key for master key principal '%s'\n" ++msgstr "" ++"Es wird ein neuer Hauptschlüssel für den Hauptschlüssel-Principal »%s« " ++"erstellt.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:259 ++#, c-format ++msgid "You will be prompted for a new database Master Password.\n" ++msgstr "Sie werden nach einem neuen Datenbank-Master-Passwort gefragt.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:275 ++msgid "while reading new master key from keyboard" ++msgstr "beim Lesen des neuen Hauptschlüssels von der Tastatur" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:304 ++msgid "adding new master key to master principal" ++msgstr "dem Haupt-Principal wird ein neuer Hauptschlüssel hinzugefügt" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:310 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:402 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:843 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1356 ++msgid "while getting current time" ++msgstr "beim Holen der aktuellen Zeit" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:317 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:544 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1363 ++msgid "while updating the master key principal modification time" ++msgstr "beim Aktulisieren der Änderungszeit des Hauptschlüssel-Principals" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:325 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:553 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1374 ++msgid "while adding master key entry to the database" ++msgstr "beim Hinzufügen des Hauptschlüsseleintrags zur Datenbank" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:383 ++msgid "0 is an invalid KVNO value" ++msgstr "0 ist kein gültiger KVNO-Wert" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:394 ++#, c-format ++msgid "%d is an invalid KVNO value" ++msgstr "%d ist kein gültiger KVNO-Wert" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:410 ++#, c-format ++msgid "could not parse date-time string '%s'" ++msgstr "»date-time«-Zeichenkette »%s« konnte nicht ausgewertet werden" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:452 ++msgid "while looking up active version of master key" ++msgstr "beim Nachschlagen der aktiven Version des Hauptschlüssels" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:491 ++msgid "while adding new master key" ++msgstr "beim Hinzufügen eines neuen Hauptschlüssels" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:529 ++msgid "there must be one master key currently active" ++msgstr "ein Hauptschlüssel muss derzeit aktiv sein" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:537 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1342 ++msgid "while updating actkvno data for master principal entry" ++msgstr "beim Aktualisieren der Actkvno-Daten für den Haupt-Principal-Eintrag" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:581 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:948 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1116 ++msgid "master keylist not initialized" ++msgstr "Hauptschlüsselliste ist nicht initialisiert" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:607 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:994 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1254 ++msgid "while looking up active kvno list" ++msgstr "beim Nachschlagen der Liste aktiver KVNOs" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:615 ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1002 ++msgid "while looking up active master key" ++msgstr "beim Nachschlagen des aktiven Hauptschlüssels" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:627 ++msgid "while getting enctype description" ++msgstr "beim Holen des Verschlüsselungsbeschreibung" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:644 ++#, c-format ++msgid "KVNO: %d, Enctype: %s, Active on: %s *\n" ++msgstr "KVNO: %d, Verschlüsselungstyp: %s, aktiviert auf: %s *\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:649 ++#, c-format ++msgid "KVNO: %d, Enctype: %s, Active on: %s\n" ++msgstr "KVNO: %d, Verschlüsselungstyp: %s, aktiviert auf: %s\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:653 ++#, c-format ++msgid "KVNO: %d, Enctype: %s, No activate time set\n" ++msgstr "KVNO: %d, Verschlüsselungstyp: %s, keine Aktivierungszeit gesetzt\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:658 ++msgid "asprintf could not allocate enough memory to hold output" ++msgstr "" ++"Asprintf konnte nicht genug Speicher reservieren, um die Ausgabe " ++"bereitzuhalten" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:793 ++msgid "getting string representation of principal name" ++msgstr "Principal-Name wird im Klartext geholt" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:817 ++#, c-format ++msgid "determining master key used for principal '%s'" ++msgstr "Hauptschlüssel, der für Principal »%s« benutzt wird, wird bestimmt" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:823 ++#, c-format ++msgid "would skip: %s\n" ++msgstr "würde übersprungen: %s\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:825 ++#, c-format ++msgid "skipping: %s\n" ++msgstr "wird übersprungen: %s\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:831 ++#, c-format ++msgid "would update: %s\n" ++msgstr "würde aktualisiert: %s\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:835 ++#, c-format ++msgid "updating: %s\n" ++msgstr "wird aktualisiert: %s\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:839 ++#, c-format ++msgid "error re-encrypting key for principal '%s'" ++msgstr "Fehler beim erneuten Verschlüsseln des Schlüssels für Principal »%s«" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:850 ++#, c-format ++msgid "while updating principal '%s' modification time" ++msgstr "beim Aktualisieren der Änderungszeit von Principal »%s«" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:857 ++#, c-format ++msgid "while updating principal '%s' key data in the database" ++msgstr "" ++"beim Aktualisieren der Schlüsseldaten von Principal »%s« in der Datenbank" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:889 ++#, c-format ++msgid "" ++"\n" ++"(type 'yes' to confirm)? " ++msgstr "" ++"\n" ++"(Geben Sie als Bestätigung »yes« ein) " ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:942 ++msgid "while formatting master principal name" ++msgstr "beim Formatieren des Haupt-Principal-Namens" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:959 ++#, c-format ++msgid "converting glob pattern '%s' to regular expression" ++msgstr "Platzhalter »%s« wird in einen regulären Ausdruck umgewandelt" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:977 ++#, c-format ++msgid "error compiling converted regexp '%s'" ++msgstr "Fehler beim Kompilieren des umgewandelten regulären Ausdrucks »%s«" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1010 ++#, c-format ++msgid "Re-encrypt all keys not using master key vno %u?" ++msgstr "" ++"Sollen alle Schlüssel neu verschlüsselt werden, die nicht die Hauptschlüssel-" ++"VNO %u verwenden?" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1012 ++#, c-format ++msgid "OK, doing nothing.\n" ++msgstr "Ok, es wird nichts getan.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1018 ++#, c-format ++msgid "Principals whose keys WOULD BE re-encrypted to master key vno %u:\n" ++msgstr "" ++"Principals, deren Schlüssel mit dem Hauptschlüssel VNO %u neu verschlüsselt " ++"WÜRDEN:\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1021 ++#, c-format ++msgid "" ++"Principals whose keys are being re-encrypted to master key vno %u if " ++"necessary:\n" ++msgstr "" ++"Principals, deren Schlüssel mit dem Hauptschlüssel VNO %u neu verschlüsselt " ++"werden, falls nötig:\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1037 ++msgid "trying to process principal database" ++msgstr "es wird versucht, die Principal-Datenbank zu verarbeiten" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1042 ++#, c-format ++msgid "%u principals processed: %u would be updated, %u already current\n" ++msgstr "" ++"%u Principals verarbeitet: %u würden aktualisiert, %u bereits aktuell\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1046 ++#, c-format ++msgid "%u principals processed: %u updated, %u already current\n" ++msgstr "%u Principals verarbeitet: %u aktualisiert, %u bereits aktuell\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1164 ++#, c-format ++msgid "" ++"Will purge all unused master keys stored in the '%s' principal, are you " ++"sure?\n" ++msgstr "" ++"Sind Sie sicher, dass alle nicht verwendeten Hauptschlüssel, die für " ++"Principal »%s« gespeichert sind, vollständig entfernt werden sollen?\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1175 ++#, c-format ++msgid "OK, purging unused master keys from '%s'...\n" ++msgstr "" ++"Ok, die nicht verwendeten Hauptschlüssel von »%s« werden vollständig " ++"entfernt …\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1183 ++#, c-format ++msgid "There is only one master key which can not be purged.\n" ++msgstr "" ++"Es gibt nur einen einzigen Hauptschlüssel, der nicht vollständig entfernt " ++"werden kann.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1192 ++msgid "while allocating args.kvnos" ++msgstr "beim Reservieren von »args.kvnos«" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1208 ++msgid "while finding master keys in use" ++msgstr "bei der Suche nach den gerade verwendeten Hauptschlüsseln" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1217 ++#, c-format ++msgid "Would purge the following master key(s) from %s:\n" ++msgstr "" ++"Der/Die folgende(n) Hauptschlüssel würden/würde von %s vollständig " ++"entfernt:\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1220 ++#, c-format ++msgid "Purging the following master key(s) from %s:\n" ++msgstr "" ++"Der/Die folgende(n) Hauptschlüssel werden/wird von %s vollständig entfernt:\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1232 ++msgid "master key stash file needs updating, command aborting" ++msgstr "" ++"Ablagedatei des Hauptschlüssels erfordert Aktualisierung, Befehl abgebrochen" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1238 ++#, c-format ++msgid "KVNO: %d\n" ++msgstr "KVNO: %d\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1243 ++#, c-format ++msgid "All keys in use, nothing purged.\n" ++msgstr "Alle Schlüssel sind in Gebrauch, keiner wurde vollständig entfernt.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1248 ++#, c-format ++msgid "%d key(s) would be purged.\n" ++msgstr "%d Schlüssel würde(n) vollständig entfernt.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1261 ++msgid "while looking up mkey aux data list" ++msgstr "beim Nachschlagen der Mkey-Aux-Datenliste" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1269 ++msgid "while allocating key_data" ++msgstr "beim Reservieren von »key_data«" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1350 ++msgid "while updating mkey_aux data for master principal entry" ++msgstr "beim Aktualisieren der Mkey-Aux-Daten für den Haupt-Principal-Eintrag" ++ ++#: ../../src/kadmin/dbutil/kdb5_mkey.c:1378 ++#, c-format ++msgid "%d key(s) purged.\n" ++msgstr "%d Schlüssel vollständig entfernt\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_stash.c:97 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:538 ++#, c-format ++msgid "while setting up enctype %d" ++msgstr "beim Einrichten des Verschlüsselungstyps %d" ++ ++#: ../../src/kadmin/dbutil/kdb5_stash.c:123 ++msgid "while getting master key list" ++msgstr "beim Holen der Hauptschlüsselliste" ++ ++#: ../../src/kadmin/dbutil/kdb5_stash.c:127 ++#, c-format ++msgid "Using existing stashed keys to update stash file.\n" ++msgstr "" ++"Zur Aktualisierung der Ablagedatei werden existierende gelagert Schlüssel " ++"verwendet.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:80 ++#, c-format ++msgid "" ++"Usage: kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M " ++"mkeyname]\n" ++"\t [-kv mkeyVNO] [-sf stashfilename] [-m] cmd [cmd_options]\n" ++"\tcreate [-s]\n" ++"\tdestroy [-f]\n" ++"\tstash [-f keyfile]\n" ++"\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n" ++"\t [-mkey_convert] [-new_mkey_file mkey_file]\n" ++"\t [-rev] [-recurse] [filename [princs...]]\n" ++"\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] filename\n" ++"\tark [-e etype_list] principal\n" ++"\tadd_mkey [-e etype] [-s]\n" ++"\tuse_mkey kvno [time]\n" ++"\tlist_mkeys\n" ++msgstr "" ++"Aufruf: kdb5_util [-x Datenbankargumente]* [-r Realm] [-d Datenbankname] [-k " ++"Mkeytype] [-M Mkeyname]\n" ++"\t [-kv MkeyVNO] [-sf Ablagedateiname] [-m] Befehl [Befehlsoptionen]\n" ++"\tcreate [-s]\n" ++"\tdestroy [-f]\n" ++"\tstash [-f Schlüsseldatei]\n" ++"\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n" ++"\t [-mkey_convert] [-new_mkey_file mkey-Datei]\n" ++"\t [-rev] [-recurse] [Dateiname [Principals …]]\n" ++"\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] Dateiname\n" ++"\tark [-e Etype-Liste] Principal\n" ++"\tadd_mkey [-e Etype] [-s]\n" ++"\tuse_mkey kvno [Zeit]\n" ++"\tlist_mkeys\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:98 ++#, c-format ++msgid "" ++"\tupdate_princ_encryption [-f] [-n] [-v] [princ-pattern]\n" ++"\tpurge_mkeys [-f] [-n] [-v]\n" ++"\n" ++"where,\n" ++"\t[-x db_args]* - any number of database specific arguments.\n" ++"\t\t\tLook at each database documentation for supported arguments\n" ++msgstr "" ++"\tupdate_princ_encryption [-f] [-n] [-v] [Principal-Muster]\n" ++"\tpurge_mkeys [-f] [-n] [-v]\n" ++"\n" ++"dabei sind\n" ++"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer " ++"Argumente.\n" ++"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation " ++"der jeweiligen Datenbank.\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:211 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:260 ++msgid "while initializing Kerberos code" ++msgstr "beim Initialisieren von Kerberos-Code" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:217 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:267 ++msgid "while creating sub-command arguments" ++msgstr "beim Erstellen von Unterbefehlsargumenten" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:235 ++msgid "while parsing command arguments" ++msgstr "beim Auswerten von Befehlsargumenten" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:264 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:298 ++#, c-format ++msgid ": %s is an invalid enctype" ++msgstr ": %s ist kein gültiger Verschlüsselungstyp" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:272 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:307 ++#, c-format ++msgid ": %s is an invalid mkeyVNO" ++msgstr ": %s ist kein gültiger MkeyVNO" ++ ++# FIXME s/retreiving/retrieving/ ++#: ../../src/kadmin/dbutil/kdb5_util.c:317 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:431 ++msgid "while retreiving configuration parameters" ++msgstr "beim Abfragen der Konfigurationsparameter" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:368 ++msgid "Too few arguments" ++msgstr "zu wenige Argumente" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:369 ++#, c-format ++msgid "Usage: %s dbpathname realmname" ++msgstr "Aufruf: %s Datenbankpfadname Realm-Name" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:375 ++msgid "while closing previous database" ++msgstr "beim Schließen der vorherigen Datenbank" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:412 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:877 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1497 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:564 ++msgid "while initializing database" ++msgstr "beim Initialisieren der Datenbank" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:429 ++msgid "while retrieving master entry" ++msgstr "beim Abfragen des Haupteintrags" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:448 ++msgid "while calculated master key salt" ++msgstr "beim Berechnen des Hauptschlüssel-Salts" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:480 ++msgid "Warning: proceeding without master key" ++msgstr "Warnung: Es wird ohne Hauptschlüssel fortgefahren" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:498 ++msgid "while seeding random number generator" ++msgstr "beim Erzeugen des Startwerts des Zufallszahlengenerators" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:508 ++#, c-format ++msgid "%s: Could not map log\n" ++msgstr "%s: Protokolldatei konnte nicht abgebildet werden\n" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:535 ++msgid "while closing database" ++msgstr "beim Schließen der Datenbank" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:582 ++#, c-format ++msgid "while fetching principal %s" ++msgstr "beim Abrufen von Principal %s" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:605 ++msgid "while finding mkey" ++msgstr "beim Suchen nach Mkey" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:630 ++msgid "while setting changetime" ++msgstr "beim Setzen der Änderungszeit der Datei" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:638 ++#, c-format ++msgid "while saving principal %s" ++msgstr "beim Speichern von Principal %s" ++ ++#: ../../src/kadmin/dbutil/kdb5_util.c:642 ++#, c-format ++msgid "%s changed\n" ++msgstr "%s geändert\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:73 ++#, c-format ++msgid "%s: invalid arguments\n" ++msgstr "%s: ungültige Argumente\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:78 ++msgid "while freeing ktlist" ++msgstr "beim Freigeben von »ktlist«" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:89 ++#, c-format ++msgid "%s: must specify keytab to read\n" ++msgstr "" ++"%s: Die Schlüsseltabelle, die gelesen werden soll, muss angegeben werden.\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:94 ++#, c-format ++msgid "while reading keytab \"%s\"" ++msgstr "beim Lesen der Schlüsseltabelle »%s«" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:104 ++#, c-format ++msgid "%s: must specify the srvtab to read\n" ++msgstr "%s: Die zu lesende Dienstschlüsseltabelle muss angegeben werden.\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:109 ++#, c-format ++msgid "while reading srvtab \"%s\"" ++msgstr "beim Lesen der Dienstschlüsseltabelle »%s«" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:119 ++#, c-format ++msgid "%s: must specify keytab to write\n" ++msgstr "%s: Die zu schreibende Schlüsseltabelle muss angegeben werden.\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:124 ++#, c-format ++msgid "while writing keytab \"%s\"" ++msgstr "beim Schreiben der Schlüsseltabelle »%s«" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:131 ++#, c-format ++msgid "%s: writing srvtabs is no longer supported\n" ++msgstr "" ++"%s: Schreiben der Dienstschlüsseltabelle wird nicht länger unterstützt\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:169 ++#, c-format ++msgid "usage: %s (-key | -password) -p principal -k kvno -e enctype\n" ++msgstr "" ++"Aufruf: %s (-key | -password) -p Principal -k KVNO -e Verschlüsselungstyp\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:176 ++msgid "while adding new entry" ++msgstr "beim Hinzufügen eines neuen Eintrags" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:186 ++#, c-format ++msgid "%s: must specify entry to delete\n" ++msgstr "%s: zu löschender Eintrag muss angegeben werden\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:191 ++#, c-format ++msgid "while deleting entry %d" ++msgstr "beim Löschen von Eintrag %d" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:219 ++#, c-format ++msgid "%s: usage: %s [-t] [-k] [-e]\n" ++msgstr "%s: Aufruf: %s [-t] [-k] [-e]\n" ++ ++#: ../../src/kadmin/ktutil/ktutil.c:259 ++msgid "While converting enctype to string" ++msgstr "beim Umwandeln des Verschlüsselungstyps in eine Zeichenkette" ++ ++#: ../../src/kadmin/ktutil/ktutil_funcs.c:162 ++#, c-format ++msgid "Password for %.1000s" ++msgstr "Passwort für %.1000s" ++ ++#: ../../src/kadmin/ktutil/ktutil_funcs.c:179 ++#, c-format ++msgid "Key for %s (hex): " ++msgstr "Schlüssel für %s (hexadezimal): " ++ ++#: ../../src/kadmin/ktutil/ktutil_funcs.c:191 ++#, c-format ++msgid "addent: Error reading key.\n" ++msgstr "addent: Fehler beim Lesen des Schlüssels\n" ++ ++#: ../../src/kadmin/ktutil/ktutil_funcs.c:206 ++#, c-format ++msgid "addent: Illegal character in key.\n" ++msgstr "addent: unerlaubtes Zeichen im Schlüssel\n" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:48 ++#, c-format ++msgid "Unauthorized request: %s, client=%s, service=%s, addr=%s" ++msgstr "unberechtigte Anfrage: %s, Client=%s, Dienst=%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:49 ++#: ../../src/kadmin/server/ipropd_svc.c:212 ++#, c-format ++msgid "Request: %s, %s, %s, client=%s, service=%s, addr=%s" ++msgstr "Anfrage: %s, %s, %s, Client=%s, Dienst=%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:146 ++#: ../../src/kadmin/server/ipropd_svc.c:271 ++#, c-format ++msgid "%s: server handle is NULL" ++msgstr "%s: Server-Identifikator ist NULL" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:156 ++#: ../../src/kadmin/server/ipropd_svc.c:284 ++#, c-format ++msgid "%s: setup_gss_names failed" ++msgstr "%s: setup_gss_names fehlgeschlagen" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:166 ++#: ../../src/kadmin/server/ipropd_svc.c:295 ++#, c-format ++msgid "%s: out of memory recording principal names" ++msgstr "%s: Speicher reicht nicht zur Aufzeichnung der Principal-Namen aus" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:195 ++#, c-format ++msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=%lu" ++msgstr "%s; eingehende Seriennummer=%lu; ausgehende Seriennummer=%lu" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:201 ++#, c-format ++msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=N/A" ++msgstr "%s; eingehende Seriennummer=%lu; ausgehende Seriennummer=N/A" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:320 ++#, c-format ++msgid "%s: getclhoststr failed" ++msgstr "%s: getclhoststr fehlgeschlagen" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:342 ++#, c-format ++msgid "%s: cannot construct kdb5 util dump string too long; out of memory" ++msgstr "" ++"Ausgabenzeichenkette des KDB5-Hilfswerkzeugs nicht konstruierbar, da zu " ++"lang; Speicher reicht nicht aus.%s: Die Ausgabezeichenkette des KDB5-" ++"Hilfswerkzeugs kann nicht erstellt werden, weil sie zu lang ist. Der " ++"Speicherplatz reicht nicht aus." ++ ++#: ../../src/kadmin/server/ipropd_svc.c:362 ++#, c-format ++msgid "%s: fork failed: %s" ++msgstr "%s: Verzweigen fehlgeschlagen: %s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:374 ++#, c-format ++msgid "%s: popen failed: %s" ++msgstr "%s: popen fehlgeschlagen: %s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:388 ++#, c-format ++msgid "%s: pclose(popen) failed: %s" ++msgstr "%s: pclose(popen) fehlgeschlagen: %s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:405 ++#, c-format ++msgid "%s: exec failed: %s" ++msgstr "%s: exec fehlgeschlagen: %s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:421 ++#, c-format ++msgid "Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s" ++msgstr "" ++"Anfrage: %s, hervorgebrachter Neusynchronisationsprozess %d, Client=%s, " ++"Dienst=%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:485 ++#: ../../src/kadmin/server/kadm_rpc_svc.c:275 ++#, c-format ++msgid "check_rpcsec_auth: failed inquire_context, stat=%u" ++msgstr "check_rpcsec_auth: inquire_context fehlgeschlagen, Stat=%u" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:515 ++#: ../../src/kadmin/server/kadm_rpc_svc.c:304 ++#, c-format ++msgid "bad service principal %.*s%s" ++msgstr "falscher Dienst-Principal %.*s%s" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:538 ++#, c-format ++msgid "authentication attempt failed: %s, RPC authentication flavor %d" ++msgstr "" ++"Authentifizierungsversuche gescheitert: %s, PRC-Authentifizierungsvariante %d" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:572 ++#, c-format ++msgid "RPC unknown request: %d (%s)" ++msgstr "unbekannte PRC-Anfrage: %d (%s)" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:580 ++#, c-format ++msgid "RPC svc_getargs failed (%s)" ++msgstr "RPC-»svc_getargs« fehlgeschlagen (%s)" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:590 ++#, c-format ++msgid "RPC svc_sendreply failed (%s)" ++msgstr "RPC-»svc_sendreply« fehlgeschlagen (%s)" ++ ++#: ../../src/kadmin/server/ipropd_svc.c:596 ++#, c-format ++msgid "RPC svc_freeargs failed (%s)" ++msgstr "RPC-»svc_freeargs« fehlgeschlagen (%s)" ++ ++#: ../../src/kadmin/server/kadm_rpc_svc.c:325 ++#, c-format ++msgid "gss_to_krb5_name: failed display_name status %d" ++msgstr "gss_to_krb5_name: display_name fehlgeschlagen, Status %d" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:86 ++#, c-format ++msgid "" ++"Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] [-port port-number]\n" ++"\t\t[-proponly] [-p path-to-kdb5_util] [-F dump-file]\n" ++"\t\t[-K path-to-kprop] [-P pid_file]\n" ++"\n" ++"where,\n" ++"\t[-x db_args]* - any number of database specific arguments.\n" ++"\t\t\tLook at each database documentation for supported arguments\n" ++msgstr "" ++"Aufruf: kadmind [-x Datenbankargumente]* [-r Realm] [-m] [-nofork]\n" ++"\t\t[-port Portummer] [-p Pfad_zum_KDB5-Hilfswerkzeug] [-F Auszugsdatei]\n" ++"\t\t[-K Pfad_zu_Kprop] [-P PID-Datei]\n" ++"\n" ++"dabei sind\n" ++"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer " ++"Argumente.\n" ++"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation " ++"der jeweiligen Datenbank.\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:111 ++#, c-format ++msgid "%s: %s while %s, aborting\n" ++msgstr "%s: %s bei %s, wird abgebrochen\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:113 ++#, c-format ++msgid "%s while %s, aborting\n" ++msgstr "%s bei %s, wird abgebrochen\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:115 ++#, c-format ++msgid "%s: %s, aborting\n" ++msgstr "%s: %s, wird abgebrochen\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:116 ++#, c-format ++msgid "%s, aborting" ++msgstr "%s, wird abgebrochen" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:282 ++#, c-format ++msgid "" ++"WARNING! Forged/garbled request: %s, claimed client = %.*s%s, server = %.*s" ++"%s, addr = %s" ++msgstr "" ++"WARNUNG! Gefälschte/verstümmelte Anfrage: %s, geforderter Client = %.*s%s, " ++"Server = %.*s%s, Adresse = %s" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:288 ++#, c-format ++msgid "" ++"WARNING! Forged/garbled request: %d, claimed client = %.*s%s, server = %.*s" ++"%s, addr = %s" ++msgstr "" ++"WARNUNG! Gefälschte/verstümmelte Anfrage: %d, Client = %.*s%s, Server = " ++"%.*s%s, Adresse = %s" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:302 ++#, c-format ++msgid "Miscellaneous RPC error: %s, %s" ++msgstr "sonstiger PRC-Fehler: %s, %s" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:318 ++#, c-format ++msgid "%s Cannot decode status %d" ++msgstr "%s: Status %d kann nicht dekodiert werden" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:336 ++#, c-format ++msgid "Authentication attempt failed: %s, GSS-API error strings are:" ++msgstr "Authentifizierungsversuch fehlgeschlagen: %s, GSS-API-Fehlermeldungen:" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:341 ++msgid " GSS-API error strings complete." ++msgstr " GSS-API-Fehlermeldungen vollständig" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:378 ++#, c-format ++msgid "%s: cannot initialize. Not enough memory\n" ++msgstr "%s: kann nicht initialisiert werden: Speicher reicht nicht aus.\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:445 ++#, c-format ++msgid "%s: %s while initializing context, aborting\n" ++msgstr "%s: %s beim Initialisieren des Kontextes, wird abgebrochen\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:456 ++msgid "initializing" ++msgstr "wird initialisiert" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:460 ++msgid "getting config parameters" ++msgstr "beim Holen der Konfigurationsparameter" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:462 ++msgid "Missing required realm configuration" ++msgstr "erforderliche Realm-Konfiguration fehlt" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:464 ++msgid "Missing required ACL file configuration" ++msgstr "erforderliche ACL-Dateikonfiguration fehlt" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:468 ++msgid "initializing network" ++msgstr "Netzwerk wird initialisiert" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:473 ++msgid "Cannot build GSSAPI auth names" ++msgstr "GSS-API-Authentifizierungsnamen können nicht gebildet werden." ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:477 ++msgid "Cannot set up KDB keytab" ++msgstr "Die KDB-Schlüsseltabelle kann nicht eingerichtet werden." ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:480 ++msgid "Cannot set GSSAPI authentication names" ++msgstr "GSS-API-Authentifizierungsnamen können nicht gesetzt werden." ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:497 ++msgid "Cannot initialize GSSAPI service name" ++msgstr "GSSAPI-Dienstname kann nicht initialisiert werden" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:501 ++msgid "initializing ACL file" ++msgstr "ACL-Datei wird initialisiert" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:504 ++msgid "spawning daemon process" ++msgstr "Daemon-Prozess wird erzeugt" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:508 ++msgid "creating PID file" ++msgstr "PID-Datei wird erstellt" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:511 ++msgid "Seeding random number generator" ++msgstr "Startwert des Zufallszahlengenerators wird erzeugt" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:514 ++msgid "getting random seed" ++msgstr "Zufallsstartwert wird geholt" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:521 ++msgid "mapping update log" ++msgstr "Aktualisierungsprotokoll wird abgebildet" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:525 ++#, c-format ++msgid "%s: create IPROP svc (PROG=%d, VERS=%d)\n" ++msgstr "%s: IPROP-Dienst wird erstellt (PROG=%d, VERS=%d)\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:530 ++msgid "starting" ++msgstr "startet" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:532 ../../src/kdc/main.c:1061 ++#, c-format ++msgid "%s: starting...\n" ++msgstr "%s: startet …\n" ++ ++#: ../../src/kadmin/server/ovsec_kadmd.c:535 ++msgid "finished, exiting" ++msgstr "fertig, wird beendet" ++ ++#: ../../src/kadmin/server/schpw.c:282 ++#, c-format ++msgid "setpw request from %s by %.*s%s for %.*s%s: %s" ++msgstr "»setpw«-Anfrage von %s durch %.*s%s für %.*s%s: %s" ++ ++#: ../../src/kadmin/server/schpw.c:287 ++#, c-format ++msgid "chpw request from %s for %.*s%s: %s" ++msgstr "»chpw«-Anfrage von %s für %.*s%s: %s" ++ ++#: ../../src/kadmin/server/schpw.c:464 ++#, c-format ++msgid "chpw: Couldn't open admin keytab %s" ++msgstr "chpw«: Administratorschlüsseltabelle %s konnte nicht geöffnet werden" ++ ++#: ../../src/kadmin/server/server_stubs.c:293 ++#, c-format ++msgid "" ++"Unauthorized request: %s, %.*s%s, client=%.*s%s, service=%.*s%s, addr=%s" ++msgstr "" ++"Unauthorisierte Anfrage: %s, %.*s%s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/server_stubs.c:314 ++#: ../../src/kadmin/server/server_stubs.c:649 ++#: ../../src/kadmin/server/server_stubs.c:1792 ++msgid "success" ++msgstr "erfolgreich" ++ ++#: ../../src/kadmin/server/server_stubs.c:324 ++#, c-format ++msgid "Request: %s, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s" ++msgstr "Anfrage: %s, %.*s%s, %s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/server_stubs.c:628 ++#, c-format ++msgid "" ++"Unauthorized request: kadm5_rename_principal, %.*s%s to %.*s%s, client=%.*s" ++"%s, service=%.*s%s, addr=%s" ++msgstr "" ++"Unauthorisierte Anfrage: kadm5_rename_principal, %.*s%s bis %.*s%s, Client=" ++"%.*s%s, Dienst=%.*s%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/server_stubs.c:644 ++#, c-format ++msgid "" ++"Request: kadm5_rename_principal, %.*s%s to %.*s%s, %s, client=%.*s%s, " ++"service=%.*s%s, addr=%s" ++msgstr "" ++"Anfrage: kadm5_rename_principal, %.*s%s bis %.*s%s, %s, Client=%.*s%s, " ++"Dienst=%.*s%s, Adresse=%s" ++ ++#: ../../src/kadmin/server/server_stubs.c:1788 ++#, c-format ++msgid "" ++"Request: kadm5_init, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s, " ++"vers=%d, flavor=%d" ++msgstr "" ++"Anfrage: kadm5_init, %.*s%s, %s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s, " ++"Version=%d, Variante=%d" ++ ++#: ../../src/kdc/do_as_req.c:273 ++#, c-format ++msgid "AS_REQ : handle_authdata (%d)" ++msgstr "AS_REQ: handle_authdata (%d)" ++ ++#: ../../src/kdc/do_tgs_req.c:593 ++#, c-format ++msgid "TGS_REQ : handle_authdata (%d)" ++msgstr "TGS_REQ: handle_authdata (%d)" ++ ++#: ../../src/kdc/do_tgs_req.c:655 ++msgid "not checking transit path" ++msgstr "Übergangspfad wird nicht geprüft" ++ ++#: ../../src/kdc/fast_util.c:62 ++#, c-format ++msgid "%s while handling ap-request armor" ++msgstr "%s bei der Handhabung des »ap-request«-Schutzes" ++ ++#: ../../src/kdc/fast_util.c:71 ++msgid "ap-request armor for something other than the local TGS" ++msgstr "»ap-request«-Schutz für etwas anderes als den lokalen TGS" ++ ++#: ../../src/kdc/fast_util.c:80 ++msgid "ap-request armor without subkey" ++msgstr "»ap-request«-Schutz ohne Unterschlüssel" ++ ++#: ../../src/kdc/fast_util.c:162 ++msgid "Ap-request armor not permitted with TGS" ++msgstr "»ap-request«-Schutz nicht mit TGS gestattet" ++ ++#: ../../src/kdc/fast_util.c:169 ++#, c-format ++msgid "Unknown FAST armor type %d" ++msgstr "unbekanntet FAST-Schutztyp %d" ++ ++#: ../../src/kdc/fast_util.c:183 ++msgid "No armor key but FAST armored request present" ++msgstr "Es gibt keinen Schutzschlüssel aber eine FAST-geschützte Anfrage" ++ ++#: ../../src/kdc/fast_util.c:219 ++msgid "FAST req_checksum invalid; request modified" ++msgstr "FAST-»req_checksum« ungültig; Anfrage geändert" ++ ++#: ../../src/kdc/fast_util.c:225 ++msgid "Unkeyed checksum used in fast_req" ++msgstr "in fast_req wurde eine Prüfsumme ohne Schlüssel benutzt" ++ ++#: ../../src/kdc/kdc_audit.c:110 ++#, c-format ++msgid "audit plugin %s failed to open. error=%i" ++msgstr "Öffnen der Audit-Erweiterung %s fehlgeschlagen. Fehler=%i" ++ ++#: ../../src/kdc/kdc_authdata.c:292 ../../src/kdc/kdc_authdata.c:328 ++#, c-format ++msgid "authdata %s failed to initialize: %s" ++msgstr "Initialisieren von »authdata« %s fehlgeschlagen: %s" ++ ++#: ../../src/kdc/kdc_authdata.c:779 ++#, c-format ++msgid "authdata (%s) handling failure: %s" ++msgstr "Handhabung von »authdata« %s fehlgeschlagen: %s" ++ ++#: ../../src/kdc/kdc_log.c:82 ++#, c-format ++msgid "AS_REQ (%s) %s: ISSUE: authtime %d, %s, %s for %s" ++msgstr "AS_REQ (%s) %s: PROBLEM: Authentifizierungszeit %d, %s, %s für %s" ++ ++#: ../../src/kdc/kdc_log.c:88 ++#, c-format ++msgid "AS_REQ (%s) %s: %s: %s for %s%s%s" ++msgstr "AS_REQ (%s) %s: %s: %s für %s%s%s" ++ ++#: ../../src/kdc/kdc_log.c:159 ++#, c-format ++msgid "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s" ++msgstr "TGS_REQ (%s) %s: %s: Authentifizierungszeit %d, %s%s %s für %s%s%s" ++ ++#: ../../src/kdc/kdc_log.c:166 ++#, c-format ++msgid "... PROTOCOL-TRANSITION s4u-client=%s" ++msgstr "… PROTOKOLLÜBERGANG s4u-client=%s" ++ ++#: ../../src/kdc/kdc_log.c:170 ++#, c-format ++msgid "... CONSTRAINED-DELEGATION s4u-client=%s" ++msgstr "… EINHESCHRÄNKTE DELEGIERUNG s4u-client=%s" ++ ++#: ../../src/kdc/kdc_log.c:174 ++#, c-format ++msgid "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s" ++msgstr "TGS_REQ %s: %s: Authentifizierungszeit %d, %s für %s, 2. TKT-Client %s" ++ ++#: ../../src/kdc/kdc_log.c:208 ++#, c-format ++msgid "bad realm transit path from '%s' to '%s' via '%.*s%s'" ++msgstr "falscher Realm-Übergangspfad von »%s« zu »%s« über »%.*s%s«" ++ ++#: ../../src/kdc/kdc_log.c:214 ++#, c-format ++msgid "unexpected error checking transit from '%s' to '%s' via '%.*s%s': %s" ++msgstr "" ++"unerwarteter Fehler bei der Prüfung des Übergangs von »%s« zu »%s« über »%.*s" ++"%s«: %s" ++ ++#: ../../src/kdc/kdc_log.c:232 ++msgid "TGS_REQ: issuing alternate TGT" ++msgstr "TGS_REQ: alternativer TGT wird erstellt" ++ ++#: ../../src/kdc/kdc_log.c:235 ++#, c-format ++msgid "TGS_REQ: issuing TGT %s" ++msgstr "TGS_REQ: TGT %s wird erstellt" ++ ++#: ../../src/kdc/kdc_preauth.c:328 ++#, c-format ++msgid "preauth %s failed to initialize: %s" ++msgstr "Initialisieren von »preauth« %s fehlgeschlagen: %s" ++ ++#: ../../src/kdc/kdc_preauth.c:339 ++#, c-format ++msgid "preauth %s failed to setup loop: %s" ++msgstr "Einrichten der Schleife von »preauth« %s fehlgeschlagen: %s" ++ ++#: ../../src/kdc/kdc_preauth.c:760 ++#, c-format ++msgid "%spreauth required but hint list is empty" ++msgstr "%spreauth benötigt, aber Hinweisliste ist leer" ++ ++#: ../../src/kdc/kdc_preauth_ec.c:75 ++msgid "Encrypted Challenge used outside of FAST tunnel" ++msgstr "verschlüsselte Aufforderung wurde außerhalb des FAST-Tunnels verwendet" ++ ++#: ../../src/kdc/kdc_preauth_ec.c:110 ++msgid "Incorrect password in encrypted challenge" ++msgstr "falsches Passwort in verschlüsselter Aufforderung" ++ ++#: ../../src/kdc/kdc_util.c:236 ++msgid "TGS_REQ: SESSION KEY or MUTUAL" ++msgstr "TGS_REQ: SITZUNGSSCHLÜSSEL oder BEIDERSEITIG" ++ ++#: ../../src/kdc/kdc_util.c:314 ++msgid "PROCESS_TGS: failed lineage check" ++msgstr "PROCESS_TGS: Abstammungsprüfung fehlgeschlagen" ++ ++#: ../../src/kdc/kdc_util.c:468 ++#, c-format ++msgid "TGS_REQ: UNKNOWN SERVER: server='%s'" ++msgstr "TGS_REQ: UNBEKANNTER SERVER: Server=»%s«" ++ ++#: ../../src/kdc/main.c:231 ++#, c-format ++msgid "while getting context for realm %s" ++msgstr "beim Holen des Kontextes für Realm %s" ++ ++#: ../../src/kdc/main.c:329 ++#, c-format ++msgid "while setting default realm to %s" ++msgstr "beim Setzen des Standard-Realms auf %s" ++ ++#: ../../src/kdc/main.c:337 ++#, c-format ++msgid "while initializing database for realm %s" ++msgstr "beim Initialisieren der Datenbank für Realm %s" ++ ++#: ../../src/kdc/main.c:346 ++#, c-format ++msgid "while setting up master key name %s for realm %s" ++msgstr "beim Einrichten des Hauptschlüsselnamens %s für Realm %s" ++ ++#: ../../src/kdc/main.c:359 ++#, c-format ++msgid "while fetching master key %s for realm %s" ++msgstr "beim Abholen des Hauptschlüssels %s für Realm %s" ++ ++#: ../../src/kdc/main.c:367 ++#, c-format ++msgid "while fetching master keys list for realm %s" ++msgstr "beim Abholen der Hauptschlüsselliste für Realm %s" ++ ++#: ../../src/kdc/main.c:376 ++#, c-format ++msgid "while resolving kdb keytab for realm %s" ++msgstr "beim Ermitteln der KDB-Schlüsseltabelle für Realm %s" ++ ++#: ../../src/kdc/main.c:385 ++#, c-format ++msgid "while building TGS name for realm %s" ++msgstr "beim Bilden des TGS-Namens für Realm %s" ++ ++#: ../../src/kdc/main.c:503 ++#, c-format ++msgid "creating %d worker processes" ++msgstr "%d Arbeitsprozesse werden erzeugt" ++ ++#: ../../src/kdc/main.c:513 ++msgid "Unable to reinitialize main loop" ++msgstr "Hauptschleife konnte nicht neu initialisiert werden" ++ ++#: ../../src/kdc/main.c:518 ++#, c-format ++msgid "Unable to initialize signal handlers in pid %d" ++msgstr "" ++"Signalbehandlungsprogramme in PID %d konnten nicht initialisiert werden" ++ ++#: ../../src/kdc/main.c:548 ++#, c-format ++msgid "worker %ld exited with status %d" ++msgstr "Arbeitsprozess %ld endete mit Status %d" ++ ++#: ../../src/kdc/main.c:572 ++#, c-format ++msgid "signal %d received in supervisor" ++msgstr "Überwachungsprogramm empfing Signal %d" ++ ++#: ../../src/kdc/main.c:591 ++#, c-format ++msgid "" ++"usage: %s [-x db_args]* [-d dbpathname] [-r dbrealmname]\n" ++"\t\t[-R replaycachename] [-m] [-k masterenctype]\n" ++"\t\t[-M masterkeyname] [-p port] [-P pid_file]\n" ++"\t\t[-n] [-w numworkers] [/]\n" ++"\n" ++"where,\n" ++"\t[-x db_args]* - Any number of database specific arguments.\n" ++"\t\t\tLook at each database module documentation for \t\t\tsupported " ++"arguments\n" ++msgstr "" ++"Aufruf: %s [-x Datenbankargumente]* [-d Datenbankpfadname]\n" ++"\t\t[-r Datenbank-Realm-Name] [-m] [-k Hauptverschlüsselungstyp]\n" ++"\t\t[-M Hauptschlüsselname] [-p Port] [-P PID-Datei]\n" ++"\t\t[-n] [-w Arbeitsprozessanzahl] [/]\n" ++"\n" ++"dabei sind\n" ++"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer " ++"Argumente.\n" ++"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation " ++"der jeweiligen Datenbank.\n" ++ ++#: ../../src/kdc/main.c:653 ../../src/kdc/main.c:660 ../../src/kdc/main.c:774 ++#, c-format ++msgid " KDC cannot initialize. Not enough memory\n" ++msgstr "KDC kann nicht initialisiert werden. Speicher reicht nicht aus\n" ++ ++#: ../../src/kdc/main.c:679 ../../src/kdc/main.c:722 ../../src/kdc/main.c:733 ++#, c-format ++msgid "%s: KDC cannot initialize. Not enough memory\n" ++msgstr "%s: KDC kann nicht initialisiert werden. Speicher reicht nicht aus\n" ++ ++#: ../../src/kdc/main.c:699 ../../src/kdc/main.c:816 ++#, c-format ++msgid "%s: cannot initialize realm %s - see log file for details\n" ++msgstr "" ++"%s: Realm %s kann nicht initialisiert werden - Einzelheiten finden Sie in " ++"der Protokolldatei\n" ++ ++#: ../../src/kdc/main.c:710 ++#, c-format ++msgid "%s: cannot initialize realm %s. Not enough memory\n" ++msgstr "" ++"%s: Realm %s kann nicht initialisiert werden. Speicher reicht nicht aus\n" ++ ++#: ../../src/kdc/main.c:761 ++#, c-format ++msgid "invalid enctype %s" ++msgstr "ungültiger Verschlüsselungstyp %s" ++ ++#: ../../src/kdc/main.c:804 ++msgid "while attempting to retrieve default realm" ++msgstr "beim Versuch, den Standard-Realm abzufragen" ++ ++#: ../../src/kdc/main.c:806 ++#, c-format ++msgid "%s: %s, attempting to retrieve default realm\n" ++msgstr "%s: %s, es wird versucht, den Standard-Realm abzufragen\n" ++ ++#: ../../src/kdc/main.c:912 ++#, c-format ++msgid "%s: cannot get memory for realm list\n" ++msgstr "%s: Speicher für die Realm-Liste kann nicht erlangt werden\n" ++ ++# http://www.oreilly.de/german/freebooks/linuxdrive2ger/getcache.html ++#: ../../src/kdc/main.c:947 ++msgid "while initializing lookaside cache" ++msgstr "beim Initialisieren des Lookaside-Zwischenspeichers" ++ ++#: ../../src/kdc/main.c:955 ++msgid "while creating main loop" ++msgstr "beim Erzeugen der Hauptschleife" ++ ++# SAM=Security Accounts Manager ++#: ../../src/kdc/main.c:965 ++msgid "while initializing SAM" ++msgstr "beim Initialisieren des SAMs" ++ ++#: ../../src/kdc/main.c:1011 ++msgid "while initializing routing socket" ++msgstr "beim Initialisieren des Routing-Sockets" ++ ++#: ../../src/kdc/main.c:1017 ++msgid "while initializing signal handlers" ++msgstr "beim Initialisieren des Signalbehandlungsprogramms" ++ ++#: ../../src/kdc/main.c:1024 ++msgid "while initializing network" ++msgstr "beim Initialisieren des Netzwerks" ++ ++#: ../../src/kdc/main.c:1029 ++msgid "while detaching from tty" ++msgstr "beim Lösen vom Terminal" ++ ++#: ../../src/kdc/main.c:1036 ++msgid "while creating PID file" ++msgstr "beim Erstellen der PID-Datei" ++ ++#: ../../src/kdc/main.c:1045 ++msgid "creating worker processes" ++msgstr "Arbeitsprozesse werden erzeugt" ++ ++#: ../../src/kdc/main.c:1055 ++msgid "while loading audit plugin module(s)" ++msgstr "beim Laden des/der Auditerweiterungsmoduls/Auditerweiterungsmodule" ++ ++#: ../../src/kdc/main.c:1059 ++msgid "commencing operation" ++msgstr "Aktion wird begonnen" ++ ++#: ../../src/kdc/main.c:1067 ++msgid "shutting down" ++msgstr "wird heruntergefahren" ++ ++#: ../../src/lib/apputils/net-server.c:258 ++msgid "Got signal to request exit" ++msgstr "Signal zur Anfrage des Beendens empfangen" ++ ++#: ../../src/lib/apputils/net-server.c:272 ++msgid "Got signal to reset" ++msgstr "Signal zum Zurücksetzen empfangen" ++ ++#: ../../src/lib/apputils/net-server.c:429 ++#, c-format ++msgid "closing down fd %d" ++msgstr "Dateideskriptor %d wird geschlossen" ++ ++#: ../../src/lib/apputils/net-server.c:443 ++#, c-format ++msgid "descriptor %d closed but still in svc_fdset" ++msgstr "Deskriptor %d geschlossen, aber immer noch in »svc_fdset«" ++ ++#: ../../src/lib/apputils/net-server.c:469 ++msgid "cannot create io event" ++msgstr "E/A-Ereignis kann nicht erzeugt werden" ++ ++#: ../../src/lib/apputils/net-server.c:475 ++msgid "cannot save event" ++msgstr "Ereignis kann nicht gesichert werden" ++ ++#: ../../src/lib/apputils/net-server.c:495 ++#, c-format ++msgid "file descriptor number %d too high" ++msgstr "Dateideskriptornummer %d zu hoch" ++ ++#: ../../src/lib/apputils/net-server.c:503 ++msgid "cannot allocate storage for connection info" ++msgstr "Speicher für Verbindungsinformation kann nicht reserviert werden" ++ ++#: ../../src/lib/apputils/net-server.c:562 ++#, c-format ++msgid "Cannot create TCP server socket on %s" ++msgstr "Auf %s kann kein TCP-Server-Socket erstellt werden." ++ ++#: ../../src/lib/apputils/net-server.c:571 ++#, c-format ++msgid "TCP socket fd number %d (for %s) too high" ++msgstr "TCP-Socket-Deskriptornummer %d (für %s) zu hoch" ++ ++#: ../../src/lib/apputils/net-server.c:579 ++#, c-format ++msgid "Cannot enable SO_REUSEADDR on fd %d" ++msgstr "SO_REUSEADDR kann nicht für Dateideskriptor %d aktiviert werden" ++ ++#: ../../src/lib/apputils/net-server.c:586 ++#, c-format ++msgid "setsockopt(%d,IPV6_V6ONLY,1) failed" ++msgstr "setsockopt(%d,IPV6_V6ONLY,1) fehlgeschlagen" ++ ++#: ../../src/lib/apputils/net-server.c:588 ++#, c-format ++msgid "setsockopt(%d,IPV6_V6ONLY,1) worked" ++msgstr "setsockopt(%d,IPV6_V6ONLY,1) funktioniert" ++ ++#: ../../src/lib/apputils/net-server.c:591 ++msgid "no IPV6_V6ONLY socket option support" ++msgstr "keine Socket-Option für IPV6_V6ONLY unterstützt" ++ ++#: ../../src/lib/apputils/net-server.c:597 ++#, c-format ++msgid "Cannot bind server socket on %s" ++msgstr "Server-Socket kann nicht an %s gebunden werden" ++ ++#: ../../src/lib/apputils/net-server.c:624 ++#, c-format ++msgid "Cannot create RPC service: %s; continuing" ++msgstr "RPC-Dienst kann nicht erstellt werden: %s; es wird fortgefahren" ++ ++#: ../../src/lib/apputils/net-server.c:633 ++#, c-format ++msgid "Cannot register RPC service: %s; continuing" ++msgstr "RPC-Dienst kann nicht registriert werden: %s; es wird fortgefahren" ++ ++#: ../../src/lib/apputils/net-server.c:682 ++#, c-format ++msgid "Cannot listen on TCP server socket on %s" ++msgstr "" ++"Auf dem TCP-Server-Socket kann nicht auf eine Verbindung gewartet werden auf " ++"%s." ++ ++#: ../../src/lib/apputils/net-server.c:688 ++#, c-format ++msgid "cannot set listening tcp socket on %s non-blocking" ++msgstr "" ++"Das auf eine Verbindung wartende TCP-Socket kann nicht auf nicht-" ++"blockierendes %s gesetzt werden." ++ ++#: ../../src/lib/apputils/net-server.c:695 ++#, c-format ++msgid "disabling SO_LINGER on TCP socket on %s" ++msgstr "SO_LINGER auf dem TCP-Socket auf %s wird deaktiviert" ++ ++#: ../../src/lib/apputils/net-server.c:743 ++#: ../../src/lib/apputils/net-server.c:752 ++#, c-format ++msgid "listening on fd %d: tcp %s" ++msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: TCP %s" ++ ++#: ../../src/lib/apputils/net-server.c:757 ++msgid "assuming IPv6 socket accepts IPv4" ++msgstr "es wird davon ausgegangen, dass das IPv6-Socket IPv4 akzeptiert" ++ ++#: ../../src/lib/apputils/net-server.c:791 ++#: ../../src/lib/apputils/net-server.c:804 ++#, c-format ++msgid "listening on fd %d: rpc %s" ++msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: RPC %s" ++ ++#: ../../src/lib/apputils/net-server.c:883 ++#, c-format ++msgid "Cannot request packet info for udp socket address %s port %d" ++msgstr "" ++"Paketinformation für UDP-Socket-Adresse %s, Port %d, kann nicht abgefragt " ++"werden" ++ ++#: ../../src/lib/apputils/net-server.c:889 ++#, c-format ++msgid "listening on fd %d: udp %s%s" ++msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: UDP %s%s" ++ ++#: ../../src/lib/apputils/net-server.c:918 ++msgid "Failed to reconfigure network, exiting" ++msgstr "Neukonfiguration des Netzwerks fehlgeschlagen, wird beendet" ++ ++#: ../../src/lib/apputils/net-server.c:979 ++#, c-format ++msgid "" ++"unhandled routing message type %d, will reconfigure just for the fun of it" ++msgstr "" ++"nicht behandelter Routing-Meldungstyp %d, es wird es nur zum Spaß neu " ++"konfiguriert" ++ ++#: ../../src/lib/apputils/net-server.c:1013 ++#, c-format ++msgid "short read (%d/%d) from routing socket" ++msgstr "ungenügende Daten (%d/%d) vom Routing-Socket gelesen" ++ ++#: ../../src/lib/apputils/net-server.c:1023 ++#, c-format ++msgid "read %d from routing socket but msglen is %d" ++msgstr "%d vom Routing-Socket gelesen, Nachrichtenlänge ist jedoch %d" ++ ++#: ../../src/lib/apputils/net-server.c:1055 ++#, c-format ++msgid "couldn't set up routing socket: %s" ++msgstr "Routing-Socket konnte nicht eingerichtet werden: %s" ++ ++#: ../../src/lib/apputils/net-server.c:1058 ++#, c-format ++msgid "routing socket is fd %d" ++msgstr "Das Routing-Socket hat den Dateideskriptor %d." ++ ++#: ../../src/lib/apputils/net-server.c:1084 ++msgid "setting up network..." ++msgstr "Netzwerk wird eingerichtet …" ++ ++#: ../../src/lib/apputils/net-server.c:1101 ++#, c-format ++msgid "set up %d sockets" ++msgstr "%d Sockets werden eingerichtet" ++ ++#: ../../src/lib/apputils/net-server.c:1103 ++msgid "no sockets set up?" ++msgstr "keine Sockets eingerichtet?" ++ ++#: ../../src/lib/apputils/net-server.c:1351 ++#: ../../src/lib/apputils/net-server.c:1405 ++msgid "while dispatching (udp)" ++msgstr "beim Versenden (UDP)" ++ ++#: ../../src/lib/apputils/net-server.c:1380 ++#, c-format ++msgid "while sending reply to %s/%s from %s" ++msgstr "beim Senden der Antwort zu %s/%s von %s" ++ ++#: ../../src/lib/apputils/net-server.c:1385 ++#, c-format ++msgid "short reply write %d vs %d\n" ++msgstr "ungenügende Ausgabe der Antwort %d gegenüber %d\n" ++ ++#: ../../src/lib/apputils/net-server.c:1430 ++msgid "while receiving from network" ++msgstr "beim Empfangen vom Netzwerk" ++ ++#: ../../src/lib/apputils/net-server.c:1446 ++#, c-format ++msgid "pktinfo says local addr is %s" ++msgstr "Pktinfo sagt, die lokale Adresse sei %s" ++ ++#: ../../src/lib/apputils/net-server.c:1479 ++msgid "too many connections" ++msgstr "zu viele Verbindungen" ++ ++#: ../../src/lib/apputils/net-server.c:1502 ++#, c-format ++msgid "dropping %s fd %d from %s" ++msgstr "%s Dateideskriptor %d von %s wird verworfen" ++ ++#: ../../src/lib/apputils/net-server.c:1580 ++#, c-format ++msgid "allocating buffer for new TCP session from %s" ++msgstr "Puffer für neue TCP-Sitzung von %s wird reserviert" ++ ++#: ../../src/lib/apputils/net-server.c:1610 ++msgid "while dispatching (tcp)" ++msgstr "beim Versenden (TCP)" ++ ++#: ../../src/lib/apputils/net-server.c:1642 ++msgid "error allocating tcp dispatch private!" ++msgstr "Fehler beim Reservieren zum nicht öffentlichen TCP-Versand!" ++ ++#: ../../src/lib/apputils/net-server.c:1689 ++#, c-format ++msgid "TCP client %s wants %lu bytes, cap is %lu" ++msgstr "TCP-Client %s will %lu Byte, Cap ist %lu" ++ ++#: ../../src/lib/apputils/net-server.c:1697 ++#, c-format ++msgid "error constructing KRB_ERR_FIELD_TOOLONG error! %s" ++msgstr "Fehler beim Erzeugen des KRB_ERR_FIELD_TOOLONG-Fehlers! %s" ++ ++#: ../../src/lib/apputils/net-server.c:1876 ++#, c-format ++msgid "accepted RPC connection on socket %d from %s" ++msgstr "akzeptierte PRC-Verbindung auf Socket %d von %s" ++ ++# pseudo random function ++#: ../../src/lib/crypto/krb/cf2.c:114 ++#, c-format ++msgid "Enctype %d has no PRF" ++msgstr "Verschlüsselungstyp %d hat keine PRF" ++ ++#: ../../src/lib/crypto/krb/prng_fortuna.c:428 ++msgid "Random number generator could not be seeded" ++msgstr "Zufallszahlengenerator konnte kein Startwert zugewiesen werden" ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:43 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:165 ++msgid "A required input parameter could not be read" ++msgstr "Ein benötigter Eingabeparameter konnte nicht gelesen werden." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:44 ++msgid "A required input parameter could not be written" ++msgstr "Ein benötigter Eingabeparameter konnte nicht geschrieben werden." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:45 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:175 ++msgid "A parameter was malformed" ++msgstr "Ein Parameter hatte eine falsche Form" ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:48 ++msgid "calling error" ++msgstr "Aufruffehler" ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:59 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:195 ++msgid "An unsupported mechanism was requested" ++msgstr "Ein nicht unterstützter Mechanismus wurde angefordert." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:60 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:199 ++msgid "An invalid name was supplied" ++msgstr "Ein ungültiger Name wurde übergeben." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:61 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:203 ++msgid "A supplied name was of an unsupported type" ++msgstr "Ein übergebener Name hatte einen nicht unterstützten Typ." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:62 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:208 ++msgid "Incorrect channel bindings were supplied" ++msgstr "Falsche Kanalbindungen wurden übergeben." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:63 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:179 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:274 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:334 ++msgid "An invalid status code was supplied" ++msgstr "Ein ungültiger Statuscode wurde übergeben." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:64 ++msgid "A token had an invalid signature" ++msgstr "Ein Merkmal hatte eine ungültige Signatur." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:65 ++msgid "No credentials were supplied" ++msgstr "Es wurden keine Anmeldedaten übergeben." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:66 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:223 ++msgid "No context has been established" ++msgstr "Es wurde keine Kontext etabliert." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:67 ++msgid "A token was invalid" ++msgstr "Ein Merkmal war ungültig." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:68 ++msgid "A credential was invalid" ++msgstr "Eine der Anmeldedaten war ungültig." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:69 ++msgid "The referenced credentials have expired" ++msgstr "Die referenzierten Anmeldedaten sind abgelaufen." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:70 ++msgid "The context has expired" ++msgstr "Der Kontext ist abgelaufen." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:71 ++msgid "Miscellaneous failure" ++msgstr "sonstiger Fehlschlag" ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:72 ++msgid "The quality-of-protection requested could not be provided" ++msgstr "" ++"Die angeforderte Qualität des Schutzes konnte nicht bereitgestellt werden." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:73 ++msgid "The operation is forbidden by the local security policy" ++msgstr "Die Aktion wird durch die lokale Sicherheitsrichtinie verboten." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:74 ++msgid "The operation or option is not available" ++msgstr "Die Aktion oder Option ist nicht verfügbar." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:77 ++msgid "routine error" ++msgstr "Fehler in einer Routine" ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:89 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:311 ++msgid "The routine must be called again to complete its function" ++msgstr "" ++"Die Routine muss erneut aufgerufen werden, um ihre Funktion zu " ++"vervollständigen." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:90 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:316 ++msgid "The token was a duplicate of an earlier token" ++msgstr "Das Merkmal war ein Zweitexemplar eines früheren Merkmals." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:91 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:321 ++msgid "The token's validity period has expired" ++msgstr "Die Gültigkeitsperiode des Merkmals ist abgelaufen." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:92 ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:325 ++msgid "A later token has already been processed" ++msgstr "Es wurde bereits ein neueres Merkmal verarbeitet." ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:95 ++msgid "supplementary info code" ++msgstr "zusätzlicher Informationscode" ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:106 ++#: ../lib/krb5/error_tables/krb5_err.c:23 ++msgid "No error" ++msgstr "kein Fehler" ++ ++#: ../../src/lib/gssapi/generic/disp_major_status.c:107 ++#, c-format ++msgid "Unknown %s (field = %d)" ++msgstr "%s unbekannt (Feld = %d)" ++ ++#: ../../src/lib/gssapi/krb5/acquire_cred.c:165 ++#, c-format ++msgid "No key table entry found matching %s" ++msgstr "Es wurde kein zu %s passender Schlüsseltabelleneintrag gefunden." ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:161 ++msgid "The routine completed successfully" ++msgstr "Die Routine wurde erfolgreich abgeschlossen" ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:170 ++msgid "A required output parameter could not be written" ++msgstr "Ein erforderlicher Ausgabeparameter konnte nicht geschrieben werden." ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:212 ++msgid "A token had an invalid Message Integrity Check (MIC)" ++msgstr "" ++"Ein Merkmal hatte eine ungültige Meldungsintegritätsprüfung (Message " ++"Integrity Check/MIC)." ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:217 ++msgid "" ++"No credentials were supplied, or the credentials were unavailable or " ++"inaccessible" ++msgstr "" ++"Es wurden keine Anmeldedaten übergeben oder die Anmeldedaten waren nicht " ++"verfügbar bzw. ein Zugriff darauf nicht möglich." ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:227 ++msgid "Invalid token was supplied" ++msgstr "Es wurde ein ungültiges Token übergeben." ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:231 ++msgid "Invalid credential was supplied" ++msgstr "ungültige Anmeldedaten wurden übergeben" ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:235 ++msgid "The referenced credential has expired" ++msgstr "Die referenzierten Anmeldedaten sind abgelaufen." ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:239 ++msgid "The referenced context has expired" ++msgstr "Der referenzierte Kontext ist abgelaufen." ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:243 ++msgid "Unspecified GSS failure. Minor code may provide more information" ++msgstr "" ++"nicht spezifizierter GSS-Fehlschlag. Möglicherweise stellt der " ++"untergeordnete Code weitere Informationen bereit." ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:248 ++msgid "The quality-of-protection (QOP) requested could not be provided" ++msgstr "" ++"Die Qualität des Schutzes (quality-of-protection/QOP) konnte nicht " ++"bereitgestellt werden." ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:253 ++msgid "The operation is forbidden by local security policy" ++msgstr "Die Aktion wird durch die lokale Sicherheitsrichtinie verboten." ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:258 ++msgid "The operation or option is not available or unsupported" ++msgstr "" ++"Die Aktion oder Option ist nicht verfügbar oder wird nicht unterstützt." ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:263 ++msgid "The requested credential element already exists" ++msgstr "Das angeforderte Anmeldedatenelement existiert bereits." ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:268 ++msgid "The provided name was not mechanism specific (MN)" ++msgstr "Der bereitgestellte Name war nicht mechanismusspezifisch (MN)." ++ ++#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:329 ++msgid "An expected per-message token was not received" ++msgstr "Ein erwartetes nachrichtenspezifisches Token wurde nicht empfangen." ++ ++#: ../../src/lib/gssapi/spnego/spnego_mech.c:1860 ++msgid "SPNEGO cannot find mechanisms to negotiate" ++msgstr "SPNEGO kann keine Mechanismen zum Aushandeln finden." ++ ++#: ../../src/lib/gssapi/spnego/spnego_mech.c:1865 ++msgid "SPNEGO failed to acquire creds" ++msgstr "SPNEGO ist beim Beschaffen von Anmeldedaten gescheitert" ++ ++#: ../../src/lib/gssapi/spnego/spnego_mech.c:1870 ++msgid "SPNEGO acceptor did not select a mechanism" ++msgstr "SPNEGO-Abnehmer hat keinen Mechanismus ausgewählt" ++ ++#: ../../src/lib/gssapi/spnego/spnego_mech.c:1875 ++msgid "SPNEGO failed to negotiate a mechanism" ++msgstr "SPNEGO ist beim Aushandeln eines Mechanismus gescheitert." ++ ++#: ../../src/lib/gssapi/spnego/spnego_mech.c:1880 ++msgid "SPNEGO acceptor did not return a valid token" ++msgstr "SPNEGO-Abnehmer hat kein gültiges Token zurückgeliefert" ++ ++#: ../../src/lib/kadm5/alt_prof.c:854 ++#, c-format ++msgid "Cannot resolve address of admin server \"%s\" for realm \"%s\"" ++msgstr "" ++"Adresse des Admin-Servers »%s« für Realm »%s« kann nicht ermittelt werden" ++ ++#: ../../src/lib/kadm5/logger.c:56 ++#, c-format ++msgid "%s: cannot parse <%s>\n" ++msgstr "%s: <%s> kann nicht ausgewertet werden\n" ++ ++#: ../../src/lib/kadm5/logger.c:57 ++#, c-format ++msgid "%s: warning - logging entry syntax error\n" ++msgstr "%s: Warnung – Syntaxfehler bei Protokolleintrag\n" ++ ++#: ../../src/lib/kadm5/logger.c:58 ++#, c-format ++msgid "%s: error writing to %s\n" ++msgstr "%s: Fehler beim Schreiben auf %s\n" ++ ++#: ../../src/lib/kadm5/logger.c:59 ++#, c-format ++msgid "%s: error writing to %s device\n" ++msgstr "%s: Fehler beim Schreiben auf Gerät %s\n" ++ ++#: ../../src/lib/kadm5/logger.c:61 ++msgid "EMERGENCY" ++msgstr "NOTFALL" ++ ++#: ../../src/lib/kadm5/logger.c:62 ++msgid "ALERT" ++msgstr "ALARM" ++ ++#: ../../src/lib/kadm5/logger.c:63 ++msgid "CRITICAL" ++msgstr "KRITISCH" ++ ++#: ../../src/lib/kadm5/logger.c:64 ++msgid "Error" ++msgstr "Fehler" ++ ++#: ../../src/lib/kadm5/logger.c:65 ++msgid "Warning" ++msgstr "Warnung" ++ ++#: ../../src/lib/kadm5/logger.c:66 ++msgid "Notice" ++msgstr "Hinweis" ++ ++#: ../../src/lib/kadm5/logger.c:67 ++msgid "info" ++msgstr "Information" ++ ++#: ../../src/lib/kadm5/logger.c:68 ++msgid "debug" ++msgstr "Fehlersuchmeldung" ++ ++#: ../../src/lib/kadm5/logger.c:967 ++#, c-format ++msgid "Couldn't open log file %s: %s\n" ++msgstr "Protokolldatei %s konnte nicht geöffnet werden: %s\n" ++ ++#: ../../src/lib/kadm5/srv/kadm5_hook.c:119 ++#, c-format ++msgid "kadm5_hook %s failed postcommit %s: %s" ++msgstr "»kadm5_hook« %s ist beim Nach-Commit %s gescheitert: %s" ++ ++#: ../../src/lib/kadm5/srv/pwqual_dict.c:106 ++msgid "No dictionary file specified, continuing without one." ++msgstr "keine Wörterbuchdatei angegeben, es wird ohne fortgefahren" ++ ++#: ../../src/lib/kadm5/srv/pwqual_dict.c:113 ++#, c-format ++msgid "WARNING! Cannot find dictionary file %s, continuing without one." ++msgstr "" ++"WARNUNG! Wörterbuchdatei %s kann nicht gefunden werden, es wird ohne " ++"fortgefahren" ++ ++#: ../../src/lib/kadm5/srv/pwqual_empty.c:42 ++msgid "Empty passwords are not allowed" ++msgstr "Leere Passwörter sind nicht erlaubt." ++ ++#: ../../src/lib/kadm5/srv/pwqual_hesiod.c:114 ++msgid "Password may not match user information." ++msgstr "Das Passwort darf keinen Anwenderdaten entsprechen." ++ ++#: ../../src/lib/kadm5/srv/pwqual_princ.c:54 ++msgid "Password may not match principal name" ++msgstr "Das Passwort darf nicht mit dem Principal-Namen übereinstimmen." ++ ++#: ../../src/lib/kadm5/srv/server_acl.c:89 ++#, c-format ++msgid "%s: line %d too long, truncated" ++msgstr "%s: Zeile %d zu lang, wurde gekürzt" ++ ++#: ../../src/lib/kadm5/srv/server_acl.c:90 ++#, c-format ++msgid "Unrecognized ACL operation '%c' in %s" ++msgstr "unbekannte ACL-Aktion »%c« in %s" ++ ++#: ../../src/lib/kadm5/srv/server_acl.c:92 ++#, c-format ++msgid "%s: syntax error at line %d <%10s...>" ++msgstr "%s: Syntaxfehler in Zeile %d <%10s …>" ++ ++#: ../../src/lib/kadm5/srv/server_acl.c:94 ++#, c-format ++msgid "%s while opening ACL file %s" ++msgstr "%s beim Öffnen der ACL-Datei %s" ++ ++#: ../../src/lib/kadm5/srv/server_acl.c:353 ++#, c-format ++msgid "%s: invalid restrictions: %s" ++msgstr "%s: ungültige Beschränkung: %s" ++ ++#: ../../src/lib/kadm5/srv/server_kdb.c:192 ++msgid "History entry contains no key data" ++msgstr "Chronikeintrag enthält keine Schlüsseldaten" ++ ++#: ../../src/lib/kadm5/srv/server_misc.c:128 ++#, c-format ++msgid "password quality module %s rejected password for %s: %s" ++msgstr "" ++"Das Modul %s für Passwortqualität hat das Passwort für %s abgelehnt: %s" ++ ++#: ../../src/lib/kadm5/str_conv.c:80 ++msgid "Not Postdateable" ++msgstr "nicht vordatierbar" ++ ++#: ../../src/lib/kadm5/str_conv.c:81 ++msgid "Not Forwardable" ++msgstr "nicht weiterleitbar" ++ ++#: ../../src/lib/kadm5/str_conv.c:82 ++msgid "No TGT-based requests" ++msgstr "keine TGT-basierten Anfragen" ++ ++#: ../../src/lib/kadm5/str_conv.c:83 ++msgid "Not renewable" ++msgstr "nicht erneuerbar" ++ ++#: ../../src/lib/kadm5/str_conv.c:84 ++msgid "Not proxiable" ++msgstr "Proxy nicht nutzbar" ++ ++#: ../../src/lib/kadm5/str_conv.c:85 ++msgid "No DUP_SKEY requests" ++msgstr "keine DUP_SKEY-Anfragen" ++ ++#: ../../src/lib/kadm5/str_conv.c:86 ++msgid "All Tickets Disallowed" ++msgstr "keine Tickets erlaubt" ++ ++#: ../../src/lib/kadm5/str_conv.c:87 ++msgid "Preauthentication required" ++msgstr "Vorauthentifizierung erforderlich" ++ ++#: ../../src/lib/kadm5/str_conv.c:88 ++msgid "HW authentication required" ++msgstr "HW-Authentifizierung erforderlich" ++ ++#: ../../src/lib/kadm5/str_conv.c:89 ++msgid "OK as Delegate" ++msgstr "OK als Vertreter" ++ ++#: ../../src/lib/kadm5/str_conv.c:90 ++msgid "Password Change required" ++msgstr "Passwortänderung erforderlich" ++ ++#: ../../src/lib/kadm5/str_conv.c:91 ++msgid "Service Disabled" ++msgstr "Dienst deaktiviert" ++ ++#: ../../src/lib/kadm5/str_conv.c:92 ++msgid "Password Changing Service" ++msgstr "Passwortänderungsdienst" ++ ++#: ../../src/lib/kadm5/str_conv.c:93 ++msgid "RSA-MD5 supported" ++msgstr "RSA-MD5 unterstützt" ++ ++#: ../../src/lib/kadm5/str_conv.c:94 ++msgid "Protocol transition with delegation allowed" ++msgstr "Protokollübergang mit Vertretung erlaubt" ++ ++#: ../../src/lib/kadm5/str_conv.c:95 ++msgid "No authorization data required" ++msgstr "keine Autorisierungsdaten erforderlich" ++ ++#: ../../src/lib/kdb/kdb5.c:219 ++msgid "No default realm set; cannot initialize KDB" ++msgstr "kein Standard-Realm gesetzt; KDB kann nicht initialisiert werden" ++ ++#: ../../src/lib/kdb/kdb5.c:324 ../../src/lib/kdb/kdb5.c:406 ++#, c-format ++msgid "Unable to find requested database type: %s" ++msgstr "angeforderter Datenbanktyp kann nicht gefunden werden. %s" ++ ++#: ../../src/lib/kdb/kdb5.c:416 ++#, c-format ++msgid "plugin symbol 'kdb_function_table' lookup failed: %s" ++msgstr "" ++"Nachschlagen des Erweiterungssymbols »kdb_function_table« fehlgeschlagen: %s" ++ ++#: ../../src/lib/kdb/kdb5.c:426 ++#, c-format ++msgid "" ++"Unable to load requested database module '%s': plugin symbol " ++"'kdb_function_table' not found" ++msgstr "" ++"angefordertes Datenbankmodul »%s« kann nicht geladen werden: " ++"Erweiterungssymbol »kdb_function_table« nicht gefunden" ++ ++#: ../../src/lib/kdb/kdb5.c:1650 ++#, c-format ++msgid "Illegal version number for KRB5_TL_MKEY_AUX %d\n" ++msgstr "Ungültige Versionsnummer für KRB5_TL_MKEY_AUX %d\n" ++ ++#: ../../src/lib/kdb/kdb5.c:1819 ++#, c-format ++msgid "Illegal version number for KRB5_TL_ACTKVNO %d\n" ++msgstr "Ungültige Versionsnummer für KRB5_TL_ACTKVNO %d\n" ++ ++#: ../../src/lib/kdb/kdb_default.c:164 ++#, c-format ++msgid "keyfile (%s) is not a regular file: %s" ++msgstr "Schlüsseldatei (%s) ist keine normale Datei: %s" ++ ++#: ../../src/lib/kdb/kdb_default.c:177 ++msgid "Could not create temp keytab file name." ++msgstr "Temporärer Schlüsseltabellendateiname konnte nicht erstellt werden." ++ ++#: ../../src/lib/kdb/kdb_default.c:202 ++#, c-format ++msgid "Temporary stash file already exists: %s." ++msgstr "Temporäre Ablagedatei existiert bereits: %s." ++ ++#: ../../src/lib/kdb/kdb_default.c:230 ++#, c-format ++msgid "rename of temporary keyfile (%s) to (%s) failed: %s" ++msgstr "" ++"Umbenennen von temporärer Schlüsseldatei (%s) in (%s) fehlgeschlagen: %s" ++ ++#: ../../src/lib/kdb/kdb_default.c:419 ++#, c-format ++msgid "Can not fetch master key (error: %s)." ++msgstr "Hauptschlüssel kann nicht abgeholt werden (Fehler: %s)" ++ ++#: ../../src/lib/kdb/kdb_default.c:482 ++msgid "Unable to decrypt latest master key with the provided master key\n" ++msgstr "" ++"Letzter Hauptschlüssel kann nicht mit dem bereitgestellten Hauptschlüssel " ++"entschlüsselt werden.\n" ++ ++#: ../../src/lib/kdb/kdb_log.c:83 ++msgid "could not sync ulog header to disk" ++msgstr "Ulog-Kopfzeilen konnten nicht auf die Platte synchronisiert werden" ++ ++#: ../../src/lib/krb5/ccache/cc_dir.c:122 ++#, c-format ++msgid "Subsidiary cache path %s has no parent directory" ++msgstr "" ++"Ergänzender Zwischenspeicherpfad %s hat kein übergeordnetes Verzeichnis." ++ ++#: ../../src/lib/krb5/ccache/cc_dir.c:128 ++#, c-format ++msgid "Subsidiary cache path %s filename does not begin with \"tkt\"" ++msgstr "" ++"Dateiname des ergänzenden Zwischenspeicherpfads %s beginnt nicht mit »tkt«" ++ ++#: ../../src/lib/krb5/ccache/cc_dir.c:169 ++#, c-format ++msgid "%s contains invalid filename" ++msgstr "%s enthält einen ungültigen Dateinamen." ++ ++#: ../../src/lib/krb5/ccache/cc_dir.c:229 ++#, c-format ++msgid "Credential cache directory %s does not exist" ++msgstr "Anmeldedatenzwischenspeicherverzeichnis %s existiert nicht." ++ ++#: ../../src/lib/krb5/ccache/cc_dir.c:235 ++#, c-format ++msgid "Credential cache directory %s exists but is not a directory" ++msgstr "" ++"Anmeldedatenzwischenspeicherverzeichnis %s existiert, ist jedoch kein " ++"Verzeichnis" ++ ++#: ../../src/lib/krb5/ccache/cc_dir.c:400 ++msgid "" ++"Can't create new subsidiary cache because default cache is not a directory " ++"collection" ++msgstr "" ++"Der neue ergänzende Zwischenspeicher kann nicht erstellt werden, da der " ++"Standardzwischenspeicher keine Ansammlung von Verzeichnissen ist." ++ ++#: ../../src/lib/krb5/ccache/cc_file.c:569 ++#, c-format ++msgid "Credentials cache file '%s' not found" ++msgstr "Anmeldedatenzwischenspeicherdatei »%s« nicht gefunden" ++ ++#: ../../src/lib/krb5/ccache/cc_file.c:1575 ++#, c-format ++msgid "Credentials cache I/O operation failed (%s)" ++msgstr "Anmeldedatenzwischenspeicher-E/A-Aktion fehlgeschlagen (%s)" ++ ++#: ../../src/lib/krb5/ccache/cc_keyring.c:1151 ++msgid "" ++"Can't create new subsidiary cache because default cache is already a " ++"subsidiary" ++msgstr "" ++"Der neue ergänzende Zwischenspeicher kann nicht erstellt werden, da der " ++"Standardzwischenspeicher bereits eine Ergänzung ist." ++ ++#: ../../src/lib/krb5/ccache/cc_keyring.c:1219 ++#, c-format ++msgid "Credentials cache keyring '%s' not found" ++msgstr "Schlüsselbund %s des Anmeldedatenzwischenspeichers nicht gefunden" ++ ++#: ../../src/lib/krb5/ccache/cccursor.c:212 ++#, c-format ++msgid "Can't find client principal %s in cache collection" ++msgstr "" ++"Client-Principal %s kann nicht in der Zwischenspeicheransammlung gefunden " ++"werden" ++ ++#: ../../src/lib/krb5/ccache/cccursor.c:253 ++msgid "No Kerberos credentials available" ++msgstr "keine Kerberos-Anmeldedaten verfügbar" ++ ++#: ../../src/lib/krb5/keytab/kt_file.c:398 ++#, c-format ++msgid "No key table entry found for %s" ++msgstr "Für %s wurde kein Schlüsseltabelleneintrag gefunden." ++ ++#: ../../src/lib/krb5/keytab/kt_file.c:815 ++#: ../../src/lib/krb5/keytab/kt_file.c:848 ++msgid "Cannot change keytab with keytab iterators active" ++msgstr "" ++"Schlüsseltabelle mit aktiven Schlüsseltabelleniteratoren kann nicht geändert " ++"werden" ++ ++#: ../../src/lib/krb5/keytab/kt_file.c:1047 ++#, c-format ++msgid "Key table file '%s' not found" ++msgstr "Schlüsseltabellendatei »%s« nicht gefunden" ++ ++#: ../../src/lib/krb5/keytab/ktfns.c:127 ++#, c-format ++msgid "Keytab %s is nonexistent or empty" ++msgstr "Schlüsseltabelle %s existiert nicht oder ist leer" ++ ++#: ../../src/lib/krb5/krb/chpw.c:251 ++msgid "Malformed request error" ++msgstr "Fehler wegen Anfrage in falscher Form" ++ ++#: ../../src/lib/krb5/krb/chpw.c:254 ../lib/krb5/error_tables/kdb5_err.c:58 ++msgid "Server error" ++msgstr "Serverfehler" ++ ++#: ../../src/lib/krb5/krb/chpw.c:257 ++msgid "Authentication error" ++msgstr "Authentifizierungsfehler" ++ ++#: ../../src/lib/krb5/krb/chpw.c:260 ++msgid "Password change rejected" ++msgstr "Passwortänderung abgelehnt" ++ ++#: ../../src/lib/krb5/krb/chpw.c:263 ++msgid "Access denied" ++msgstr "Zugriff verweigert" ++ ++#: ../../src/lib/krb5/krb/chpw.c:266 ++msgid "Wrong protocol version" ++msgstr "falsche Protokollversion" ++ ++#: ../../src/lib/krb5/krb/chpw.c:269 ++msgid "Initial password required" ++msgstr "Erstpasswort erforderlich" ++ ++#: ../../src/lib/krb5/krb/chpw.c:272 ++msgid "Success" ++msgstr "Erfolg" ++ ++#: ../../src/lib/krb5/krb/chpw.c:275 ../lib/krb5/error_tables/krb5_err.c:257 ++msgid "Password change failed" ++msgstr "Ändern des Passworts fehlgeschlagen" ++ ++#: ../../src/lib/krb5/krb/chpw.c:433 ++msgid "" ++"The password must include numbers or symbols. Don't include any part of " ++"your name in the password." ++msgstr "" ++"Das Passwort muss Zahlen oder Symbole enthalten. Fügen Sie keinen Teil Ihres " ++"Namens in das Passwort ein." ++ ++#: ../../src/lib/krb5/krb/chpw.c:439 ++#, c-format ++msgid "The password must contain at least %d character." ++msgid_plural "The password must contain at least %d characters." ++msgstr[0] "Das Passwort muss mindestens %d Zeichen enthalten." ++msgstr[1] "Das Passwort muss mindestens %d Zeichen enthalten." ++ ++#: ../../src/lib/krb5/krb/chpw.c:448 ++#, c-format ++msgid "The password must be different from the previous password." ++msgid_plural "The password must be different from the previous %d passwords." ++msgstr[0] "Das Passwort muss sich vom vorhergehenden Passwort unterscheiden." ++msgstr[1] "" ++"Das Passwort muss sich von den vorhergehenden %d Passwörtern unterscheiden." ++ ++#: ../../src/lib/krb5/krb/chpw.c:460 ++#, c-format ++msgid "The password can only be changed once a day." ++msgid_plural "The password can only be changed every %d days." ++msgstr[0] "Das Passwort kann nur einmal täglich geändert werden." ++msgstr[1] "Das Passwort kann nur alle %d Tage geändert werden." ++ ++#: ../../src/lib/krb5/krb/chpw.c:506 ++msgid "Try a more complex password, or contact your administrator." ++msgstr "" ++"Versuchen Sie es mit einem etwas komplexeren Passwort oder wenden Sie sich " ++"an Ihren Administrator." ++ ++#: ../../src/lib/krb5/krb/fast.c:217 ++#, c-format ++msgid "%s constructing AP-REQ armor" ++msgstr "%s-Konstruktion von AP-REQ-Schutz" ++ ++#: ../../src/lib/krb5/krb/fast.c:399 ++#, c-format ++msgid "%s while decrypting FAST reply" ++msgstr "%s beim Entschlüsseln der FAST-Antwort" ++ ++#: ../../src/lib/krb5/krb/fast.c:408 ++msgid "nonce modified in FAST response: KDC response modified" ++msgstr "" ++"Nummer für einmaligen Gebrauch in der FAST-Anwort geändert: KDC-Anwort " ++"geändert" ++ ++#: ../../src/lib/krb5/krb/fast.c:474 ++msgid "Expecting FX_ERROR pa-data inside FAST container" ++msgstr "Innerhalb des FAST-Containers wird »FX_ERROR pa-data« erwartet." ++ ++#: ../../src/lib/krb5/krb/fast.c:545 ++msgid "FAST response missing finish message in KDC reply" ++msgstr "Der FAST-Anwort fehlt die Beendigungsnachricht in der KDC-Anwort" ++ ++#: ../../src/lib/krb5/krb/fast.c:558 ++msgid "Ticket modified in KDC reply" ++msgstr "Ticket in der KDC-Antwort verändert" ++ ++#: ../../src/lib/krb5/krb/gc_via_tkt.c:208 ++#, c-format ++msgid "KDC returned error string: %.*s" ++msgstr "KDC gab eine Fehlermeldung zurück: %.*s" ++ ++#: ../../src/lib/krb5/krb/gc_via_tkt.c:217 ++#, c-format ++msgid "Server %s not found in Kerberos database" ++msgstr "Server %s wurde nicht in der Kerberos-Datenbank gefunden" ++ ++#: ../../src/lib/krb5/krb/get_in_tkt.c:133 ++msgid "Reply has wrong form of session key for anonymous request" ++msgstr "" ++"Antwort hat die falsche Form des Sitzungschlüssels für eine anonyme Anfrage" ++ ++#: ../../src/lib/krb5/krb/get_in_tkt.c:1628 ++#, c-format ++msgid "%s while storing credentials" ++msgstr "%s beim Speichern der Anmeldedaten" ++ ++#: ../../src/lib/krb5/krb/get_in_tkt.c:1715 ++#, c-format ++msgid "Client '%s' not found in Kerberos database" ++msgstr "Client »%s« wurde nicht in der Kerberos-Datenbank gefunden" ++ ++#: ../../src/lib/krb5/krb/gic_keytab.c:207 ++#, c-format ++msgid "Keytab contains no suitable keys for %s" ++msgstr "Schlüsseltabelle enthält keine passenden Schlüssel für %s" ++ ++#: ../../src/lib/krb5/krb/gic_pwd.c:75 ++#, c-format ++msgid "Password for %s" ++msgstr "Passwort for %s" ++ ++#: ../../src/lib/krb5/krb/gic_pwd.c:227 ++#, c-format ++msgid "Warning: Your password will expire in less than one hour on %s" ++msgstr "" ++"Warnung: Ihr Passwort auf %s wird in weniger als einer Stunde ablaufen." ++ ++# FIXME in German impossible; plural without »s« ++#: ../../src/lib/krb5/krb/gic_pwd.c:231 ++#, c-format ++msgid "Warning: Your password will expire in %d hour%s on %s" ++msgstr "Warnung: Ihr Passwort wird in %d Stunden%s auf %s ablaufen." ++ ++#: ../../src/lib/krb5/krb/gic_pwd.c:235 ++#, c-format ++msgid "Warning: Your password will expire in %d days on %s" ++msgstr "Warnung: Ihr Passwort wird in %d Tagen auf %s ablaufen." ++ ++#: ../../src/lib/krb5/krb/gic_pwd.c:409 ++msgid "Password expired. You must change it now." ++msgstr "Passwort abgelaufen. Sie müssen es nun ändern." ++ ++#: ../../src/lib/krb5/krb/gic_pwd.c:428 ../../src/lib/krb5/krb/gic_pwd.c:432 ++#, c-format ++msgid "%s. Please try again." ++msgstr "%s. Bitte versuchen Sie es erneut." ++ ++#: ../../src/lib/krb5/krb/gic_pwd.c:471 ++#, c-format ++msgid "%.*s%s%s. Please try again.\n" ++msgstr "%.*s%s%s. Bitte versuchen Sie es erneut.\n" ++ ++#: ../../src/lib/krb5/krb/parse.c:203 ++#, c-format ++msgid "Principal %s is missing required realm" ++msgstr "Principal %s fehlt erforderlicher Realm" ++ ++#: ../../src/lib/krb5/krb/parse.c:215 ++#, c-format ++msgid "Principal %s has realm present" ++msgstr "Für Principal %s ist Realm vorhanden" ++ ++#: ../../src/lib/krb5/krb/plugin.c:165 ++#, c-format ++msgid "Invalid module specifier %s" ++msgstr "ungültiger Modulbezeichner %s" ++ ++#: ../../src/lib/krb5/krb/plugin.c:402 ++#, c-format ++msgid "Could not find %s plugin module named '%s'" ++msgstr "Das Erweiterungsmodul %s namens »%s« konnte nicht gefunden werden." ++ ++#: ../../src/lib/krb5/krb/preauth2.c:1018 ++msgid "Unable to initialize preauth context" ++msgstr "Vorauthentifizierungskontext konnte nicht initialisiert werden." ++ ++#: ../../src/lib/krb5/krb/preauth2.c:1032 ++#, c-format ++msgid "Preauth module %s: %s" ++msgstr "Vorauthentifizierungsmodul %s: %s" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:510 ++msgid "Please choose from the following:\n" ++msgstr "Bitte wählen Sie aus dem Folgenden aus:\n" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:511 ++msgid "Vendor:" ++msgstr "Anbieter:" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:523 ++msgid "Enter #" ++msgstr "Geben Sie # ein" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:559 ++msgid "OTP Challenge:" ++msgstr "Anforderung des Einwegpassworts:" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:588 ++msgid "OTP Token PIN" ++msgstr "Einwegpasswort-Token-PIN" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:702 ++msgid "OTP value doesn't match any token formats" ++msgstr "Wert des Einwegpassworts entspricht keinem Token-Format" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:769 ++msgid "Enter OTP Token Value" ++msgstr "Geben Sie den Wert des Einwegpasswort-Tokens an" ++ ++#: ../../src/lib/krb5/krb/preauth_otp.c:914 ++msgid "No supported tokens" ++msgstr "keine unterstützten Token" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:49 ++msgid "Challenge for Enigma Logic mechanism" ++msgstr "Anforderung für Enigma-Logic-Mechanismus" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:53 ++msgid "Challenge for Digital Pathways mechanism" ++msgstr "Anforderung für Digital-Pathway-Mechanismus" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:57 ++msgid "Challenge for Activcard mechanism" ++msgstr "Anforderung für Activcard-Mechanismus" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:60 ++msgid "Challenge for Enhanced S/Key mechanism" ++msgstr "Anforderung für erweiterten S/Key-Mechanismus" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:63 ++msgid "Challenge for Traditional S/Key mechanism" ++msgstr "Anforderung für traditionellen S/Key-Mechanismus" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:66 ++#: ../../src/lib/krb5/krb/preauth_sam2.c:69 ++msgid "Challenge for Security Dynamics mechanism" ++msgstr "Anforderung für Security-Dynamics-Mechanismus" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:72 ++msgid "Challenge from authentication server" ++msgstr "Anforderung vom Authentifizierungsserver" ++ ++#: ../../src/lib/krb5/krb/preauth_sam2.c:166 ++msgid "SAM Authentication" ++msgstr "SAM-Authentifizierung" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:145 ++#, c-format ++msgid "Cannot find key for %s kvno %d in keytab" ++msgstr "" ++"Schlüssel für %s-KNVO %d kann nicht in der Schlüsseltabelle gefunden werden" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:150 ++#, c-format ++msgid "Cannot find key for %s kvno %d in keytab (request ticket server %s)" ++msgstr "" ++"Schlüssel für %s-KNVO %d kann nicht in der Schlüsseltabelle gefunden werden " ++"(angefragter Ticketserver %s)" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:175 ++#, c-format ++msgid "Cannot decrypt ticket for %s using keytab key for %s" ++msgstr "" ++"Ticket für %s kann nicht mittels des Schlüsseltabellenschlüssels für %s " ++"entschlüsselt werden" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:197 ++#, c-format ++msgid "Server principal %s does not match request ticket server %s" ++msgstr "Server-Principal %s passt nicht zum abgefragten Ticketserver %s" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:226 ++msgid "No keys in keytab" ++msgstr "keine Schlüssel in der Schlüsseltabelle" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:229 ++#, c-format ++msgid "Server principal %s does not match any keys in keytab" ++msgstr "" ++"Server-Principal %s hat keinen passenden Schlüssel in der Schlüsseltabelle" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:236 ++#, c-format ++msgid "" ++"Request ticket server %s found in keytab but does not match server principal " ++"%s" ++msgstr "" ++"abgefragter Ticketserver %s wurde in der Schlüsseltabelle gefunden, er passte " ++"jedoch nicht zu Server-Principal %s" ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:241 ++#, c-format ++msgid "Request ticket server %s not found in keytab (ticket kvno %d)" ++msgstr "" ++"Abgefragter Ticketserver %s wurde nicht in der Schlüsseltabelle gefunden " ++"(Ticket KVNO %d)." ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:247 ++#, c-format ++msgid "" ++"Request ticket server %s kvno %d not found in keytab; ticket is likely out " ++"of date" ++msgstr "" ++"Abgefragter Ticketserver %s KVNO %d wurde nicht in der Schlüsseltabelle " ++"gefunden; Ticket ist wahrscheinlich abgelaufen." ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:252 ++#, c-format ++msgid "" ++"Request ticket server %s kvno %d not found in keytab; keytab is likely out " ++"of date" ++msgstr "" ++"Abgefragter Ticketserver %s KVNO %d wurde nicht in der Schlüsseltabelle " ++"gefunden; Schlüsseltabelle ist wahrscheinlich nicht mehr aktuell." ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:261 ++#, c-format ++msgid "" ++"Request ticket server %s kvno %d found in keytab but not with enctype %s" ++msgstr "" ++"Abgefragter Ticketserver %s KVNO %d wurde in der Schlüsseltabelle gefunden, " ++"jedoch nicht mit Verschlüsselungstyp %s." ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:266 ++#, c-format ++msgid "" ++"Request ticket server %s kvno %d enctype %s found in keytab but cannot " ++"decrypt ticket" ++msgstr "" ++"Abgefragter Ticketserver %s KVNO %d mit Verschlüsselungstyp %s in der " ++"Schlüsseltabelle gefunden, Ticket kann jedoch nicht entschlüsselt werden." ++ ++#: ../../src/lib/krb5/krb/rd_req_dec.c:897 ++#, c-format ++msgid "Encryption type %s not permitted" ++msgstr "Verschlüsselungstyp %s nicht erlaubt" ++ ++#: ../../src/lib/krb5/os/expand_path.c:316 ++#, c-format ++msgid "Can't find username for uid %lu" ++msgstr "Zu UID %lu kann kein Benutzername gefunden werden." ++ ++#: ../../src/lib/krb5/os/expand_path.c:405 ++#: ../../src/lib/krb5/os/expand_path.c:421 ++msgid "Invalid token" ++msgstr "ungültiges Token" ++ ++#: ../../src/lib/krb5/os/expand_path.c:506 ++msgid "variable missing }" ++msgstr "Variable fehlt }" ++ ++#: ../../src/lib/krb5/os/locate_kdc.c:660 ++#, c-format ++msgid "Cannot find KDC for realm \"%.*s\"" ++msgstr "KDC für Realm »%.*s« kann nicht gefunden werden" ++ ++#: ../../src/lib/krb5/os/sendto_kdc.c:475 ++#, c-format ++msgid "Cannot contact any KDC for realm '%.*s'" ++msgstr "für Realm »%.*s« kann nicht KDC kontaktiert werden" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:106 ++#, c-format ++msgid "Cannot fstat replay cache file %s: %s" ++msgstr "»fstat« für Antwortzwischenspeicherdatei %s nicht möglich: %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:112 ++#, c-format ++msgid "" ++"Insecure mkstemp() file mode for replay cache file %s; try running this " ++"program with umask 077" ++msgstr "" ++"unsicherer mkstemp()-Dateimodus für Antwortzwischenspeicherdatei %s; " ++"versuchen Sie, dieses Programm mit der Umask 077 auszuführen" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:144 ++#, c-format ++msgid "Cannot %s replay cache file %s: %s" ++msgstr "%s der Wiederholungszwischenspeicherdatei %s nicht möglich: %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:149 ++#, c-format ++msgid "Cannot %s replay cache: %s" ++msgstr "%s des Wiederholungszwischenspeichers nicht möglich: %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:272 ++#, c-format ++msgid "Insecure file mode for replay cache file %s" ++msgstr "unsicherer Dateimodus für Wiederholungszwischenspeicherdatei %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:278 ++#, c-format ++msgid "rcache not owned by %d" ++msgstr "Rcache gehört nicht %d" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:402 ../../src/lib/krb5/rcache/rc_io.c:406 ++#: ../../src/lib/krb5/rcache/rc_io.c:411 ++#, c-format ++msgid "Can't write to replay cache: %s" ++msgstr "" ++"in Wiederholungszwischenspeicherdatei kann nicht geschrieben werden: %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:432 ++#, c-format ++msgid "Cannot sync replay cache file: %s" ++msgstr "" ++"Wiederholungszwischenspeicherdatei kann nicht synchronisiert werden: %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:451 ++#, c-format ++msgid "Can't read from replay cache: %s" ++msgstr "aus dem Wiederholungszwischenspeicher kann nicht gelesen werden: %s" ++ ++#: ../../src/lib/krb5/rcache/rc_io.c:482 ../../src/lib/krb5/rcache/rc_io.c:488 ++#: ../../src/lib/krb5/rcache/rc_io.c:493 ++#, c-format ++msgid "Can't destroy replay cache: %s" ++msgstr "Wiederholungszwischenspeicher kann nicht vernichtet werden: %s" ++ ++#: ../../src/plugins/kdb/db2/kdb_db2.c:245 ++#: ../../src/plugins/kdb/db2/kdb_db2.c:830 ++#, c-format ++msgid "Unsupported argument \"%s\" for db2" ++msgstr "nicht unterstütztes Argument »%s« für DB2" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:69 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:887 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1088 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1507 ++msgid "while reading kerberos container information" ++msgstr "beim Lesen der Kerberos-Container-Information" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:129 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:143 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:504 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:518 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:151 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:166 ++msgid "while providing time specification" ++msgstr "beim Bereitstellen der Zeitspezifikation" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:268 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:304 ++msgid "while creating policy object" ++msgstr "beim Erstellen des Richtlinienobjekts" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:279 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1515 ++msgid "while reading realm information" ++msgstr "beim Lesen der Realm-Information" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:348 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:407 ++msgid "while destroying policy object" ++msgstr "beim Zerstören des Richtlinienobjekts" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:358 ++#, c-format ++msgid "This will delete the policy object '%s', are you sure?\n" ++msgstr "Dies wird das Richtlinienobjekt »%s« löschen, sind Sie sicher?\n" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:473 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:663 ++msgid "while modifying policy object" ++msgstr "beim Ändern des Richtlinienobjekts" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:487 ++#, c-format ++msgid "while reading information of policy '%s'" ++msgstr "beim Lesen der Information der Richtlinie »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:692 ++msgid "while viewing policy" ++msgstr "beim Betrachten der Richtlinie" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:701 ++#, c-format ++msgid "while viewing policy '%s'" ++msgstr "beim Betrachten der Richtlinie »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:835 ++msgid "while listing policy objects" ++msgstr "beim Auflisten der Richtlinienobjekte" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:453 ++#, c-format ++msgid "for subtree while creating realm '%s'" ++msgstr "für einen Teilbaum beim Erstellen von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:465 ++#, c-format ++msgid "for container reference while creating realm '%s'" ++msgstr "für Container-Bezug beim Erstellen von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:489 ++#, c-format ++msgid "invalid search scope while creating realm '%s'" ++msgstr "ungültiger Suchbereich beim Erstellen von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:504 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:823 ++#, c-format ++msgid "'%s' is an invalid option\n" ++msgstr "»%s« ist keine gültige Option\n" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:512 ++#, c-format ++msgid "Initializing database for realm '%s'\n" ++msgstr "Datenbank für Realm »%s« wird initialisiert\n" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:536 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:696 ++#, c-format ++msgid "while creating realm '%s'" ++msgstr "beim Erstellen von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:556 ++#, c-format ++msgid "Enter DN of Kerberos container: " ++msgstr "Geben Sie die den DN des Kerberos-Containers ein: " ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:591 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:894 ++#, c-format ++msgid "while reading information of realm '%s'" ++msgstr "beim Lesen der Information von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:733 ++msgid "while reading Kerberos container information" ++msgstr "beim Lesen der Kerberos-Container-Information" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:774 ++#, c-format ++msgid "for subtree while modifying realm '%s'" ++msgstr "für einen Teilbaum beim Ändern von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:785 ++#, c-format ++msgid "for container reference while modifying realm '%s'" ++msgstr "für Container-Bezug beim Ändern von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:812 ++#, c-format ++msgid "specified for search scope while modifying information of realm '%s'" ++msgstr "" ++"angegeben für Suchbereich, während die Information für Realm »%s« geändert " ++"wird" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:851 ++#, c-format ++msgid "while modifying information of realm '%s'" ++msgstr "beim Ändern der Information von Realm »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:940 ++msgid "Realm Name" ++msgstr "Realm-Name" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:943 ++msgid "Subtree" ++msgstr "Teilbaum" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:946 ++msgid "Principal Container Reference" ++msgstr "Principal-Container-Bezug" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:953 ++msgid "SearchScope" ++msgstr "Suchbereich" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951 ++msgid "Invalid !" ++msgstr "ungültig!" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:958 ++msgid "KDC Services" ++msgstr "KDC-Dienste" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:973 ++msgid "Admin Services" ++msgstr "Administratordienste" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:988 ++msgid "Passwd Services" ++msgstr "Passwortdienste" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1004 ++msgid "Maximum Ticket Life" ++msgstr "maximale Ticketlebensdauer" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1009 ++msgid "Maximum Renewable Life" ++msgstr "maximale verlängerbare Lebensdauer" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1016 ++msgid "Ticket flags" ++msgstr "Ticket-Flags" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1095 ++msgid "while listing realms" ++msgstr "beim Auflisten der Realms" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1439 ++msgid "while adding entries to database" ++msgstr "beim Hinzufügen von Einträgen zur Datenbank" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1480 ++#, c-format ++msgid "Deleting KDC database of '%s', are you sure?\n" ++msgstr "" ++"Sind Sie sicher, dass die KDC-Datenbank von »%s« gelöscht werden soll?\n" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1491 ++#, c-format ++msgid "OK, deleting database of '%s'...\n" ++msgstr "OK, die Datenbank von »%s« wird gelöscht …\n" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1524 ++#, c-format ++msgid "deleting database of '%s'" ++msgstr "Die Datenbank von »%s« wird gelöscht." ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1529 ++#, c-format ++msgid "** Database of '%s' destroyed.\n" ++msgstr "** Datenbank von »%s« vernichtet\n" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:81 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:88 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:96 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:104 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:120 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:148 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:227 ++msgid "while setting service object password" ++msgstr "beim Setzen des Passworts für das Dienstobjekt" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:140 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:477 ++#, c-format ++msgid "Password for \"%s\"" ++msgstr "Passwort für »%s«" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:143 ++#, c-format ++msgid "Re-enter password for \"%s\"" ++msgstr "Geben Sie das Passwort für »%s« erneut ein." ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:154 ++#, c-format ++msgid "%s: Invalid password\n" ++msgstr "%s: ungültiges Passwort\n" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:170 ++msgid "Failed to convert the password to hexadecimal" ++msgstr "Das Umwandeln des Passworts in Dezimalschreibweise ist fehlgeschlagen." ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:183 ++#, c-format ++msgid "Failed to open file %s: %s" ++msgstr "Datei %s konnte nicht geöffnet werden: %s" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:205 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:247 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:256 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:283 ++msgid "Failed to write service object password to file" ++msgstr "" ++"Schreiben des Passworts für das Dienstobjekt in eine Datei fehlgeschlagen" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:211 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:268 ++msgid "Error reading service object password file" ++msgstr "Fehler beim Lesen der Passwortdatei für das Dienstobjekt" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:236 ++#, c-format ++msgid "Error creating file %s" ++msgstr "Fehler beim Erstellen der Datei %s" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:105 ++#, c-format ++msgid "" ++"Usage: kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n" ++"\tcmd [cmd_options]\n" ++"create [-subtrees subtree_dn_list] [-sscope search_scope] [-" ++"containerref container_reference_dn]\n" ++"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n" ++"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" ++"\t\t[ticket_flags] [-r realm]\n" ++"modify [-subtrees subtree_dn_list] [-sscope search_scope] [-" ++"containerref container_reference_dn]\n" ++"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" ++"\t\t[ticket_flags] [-r realm]\n" ++"view [-r realm]\n" ++"destroy [-f] [-r realm]\n" ++"list\n" ++"stashsrvpw [-f filename] service_dn\n" ++"create_policy [-r realm] [-maxtktlife max_ticket_life]\n" ++"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" ++"modify_policy [-r realm] [-maxtktlife max_ticket_life]\n" ++"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" ++"view_policy [-r realm] policy\n" ++"destroy_policy [-r realm] [-force] policy\n" ++"list_policy [-r realm]\n" ++msgstr "" ++"Aufruf: kdb5_ldap_util [-D Benutzer-DN [-w Passwort]] [-H LDAP-URI]\n" ++"\tcmd [Befehlsoptionen]\n" ++"create [-subtrees DN-Liste_Teilbäume] [-sscope Suchbereich] [-" ++"containerref Container-Bezug-DN]\n" ++"\t\t[-m|-P Passwort|-sf Ablagedateiname] [-k mkeytype] [-kv mkeyVNO] [-s]\n" ++"\t\t[-maxtktlife maximale_Ticketlebensdauer]\n" ++"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" ++"\t\t[Ticket_Flags] [-r Realm]\n" ++"modify [-subtrees DN-Liste_Teilbäume] [-sscope Suchbereich] [-" ++"containerref Container-Bezug-DN]\n" ++"\t\t[-maxtktlife maximale_Ticketlebensdauer]\n" ++"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" ++"\t\t[Ticket_Flags] [-r Realm]\n" ++"view [-r Realm]\n" ++"destroy [-f] [-r Realm]\n" ++"list\n" ++"stashsrvpw [-f Dateiname] Dienst-DN\n" ++"create_policy [-r Realm] [-maxtktlife maximale_Ticketlebensdauer]\n" ++"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" ++"\t\t[Ticket_Flags] Richtlinie\n" ++"modify_policy [-r Realm] [-maxtktlife maximale_Ticketlebensdauer]\n" ++"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" ++"\t\t[Ticket_Flags] Richtlinie\n" ++"view_policy [-r Realm] Richtlinie\n" ++"destroy_policy [-r Realm] [-force] Richtlinie\n" ++"list_policy [-r Realm]\n" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:325 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:333 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:341 ++msgid "while reading ldap parameters" ++msgstr "beim Lesen der LDAP-Parameter" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:439 ++msgid "while initializing error handling" ++msgstr "beim Initialisieren der Fehlerbehandlung" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:447 ++msgid "while initializing ldap handle" ++msgstr "beim Initialisieren des LDAP-Identifikators" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:461 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:470 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:483 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:525 ++msgid "while retrieving ldap configuration" ++msgstr "beim Abfragen der LDAP-Konfiguration" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:500 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:507 ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:516 ++msgid "while initializing server list" ++msgstr "beim Initialisieren der Serverliste" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:547 ++msgid "while setting up lib handle" ++msgstr "ein Einrichten der BibliotheksIdentifikators" ++ ++#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:556 ++msgid "while reading ldap configuration" ++msgstr "beim Lesen der LDAP-Konfiguration" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:68 ++msgid "Unable to read Kerberos container" ++msgstr "Kerberos-Container kann nicht gelesen werden" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:74 ++msgid "Unable to read Realm" ++msgstr "Realm kann nicht gelesen werden" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:215 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:73 ++msgid "Error processing LDAP DB params:" ++msgstr "Fehler beim Verarbeiten der LDAP-Datenbankparameter:" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:222 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:80 ++msgid "Error reading LDAP server params:" ++msgstr "Fehler beim Lesen der LDAP-Server-Parameters:" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:64 ++msgid "LDAP bind dn value missing" ++msgstr "LDAP-Bindungs-DN-Wert fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:69 ++msgid "LDAP bind password value missing" ++msgstr "LDAP-Bindungs-Passwortwert fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:77 ++msgid "Error reading password from stash: " ++msgstr "Fehler beim Lesen des Passworts aus der Ablage: " ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:85 ++msgid "Service password length is zero" ++msgstr "Länge des Dienstpassworts ist Null" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:145 ++#, c-format ++msgid "Cannot bind to LDAP server '%s' with SASL mechanism '%s': %s" ++msgstr "" ++"mit LDAP-Server »%s« kann keine Verbindung mit SASL-Mechanismus »%s« " ++"hergestellt werden: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:158 ++#, c-format ++msgid "Cannot bind to LDAP server '%s' as '%s': %s" ++msgstr "" ++"mit LDAP-Server »%s« kann keine Verbindung als »%s« hergestellt werden: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:183 ++#, c-format ++msgid "Cannot create LDAP handle for '%s': %s" ++msgstr "LDAP-Identifikator für »%s« kann nicht erstellt werden: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:131 ++msgid "could not complete roll-back, error deleting Kerberos Container" ++msgstr "" ++"Zurücksetzen kann nicht abgeschlossen werden, Fehler beim Löschen des " ++"Kerberos-Containers" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:56 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:67 ++msgid "Error reading kerberos container location from krb5.conf" ++msgstr "" ++"Fehler beim Lesen des Kerberos-Container-Speicherorts aus der »krb5.conf«." ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:75 ++msgid "Kerberos container location not specified" ++msgstr "Kerberos-Container-Speicherort nicht angegeben" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:55 ++#, c-format ++msgid "Error reading '%s' attribute: %s" ++msgstr "Fehler beim Lesen des Attributs »%s«: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:218 ++msgid "KDB module requires -update argument" ++msgstr "KDB-Modul benötigt Argument »-update«" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:224 ++#, c-format ++msgid "'%s' value missing" ++msgstr "Wert »%s« fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:282 ++#, c-format ++msgid "unknown option '%s'" ++msgstr "unbekannte Option »%s«" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:342 ++msgid "Minimum connections required per server is 2" ++msgstr "Die benötigte Mindestanzahl von Verbindungen pro Server ist zwei" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:159 ++msgid "Default realm not set" ++msgstr "Standard-Realm nicht gesetzt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:262 ++msgid "DN information missing" ++msgstr "DN-Information fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:108 ++msgid "Principal does not belong to realm" ++msgstr "Principal gehört nicht zum Realm" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:278 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:287 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:295 ++#, c-format ++msgid "%s option not supported" ++msgstr "Option %s wird nicht unterstützt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:302 ++#, c-format ++msgid "unknown option: %s" ++msgstr "unbekannte Option: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:309 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:316 ++#, c-format ++msgid "%s option value missing" ++msgstr "Wert der Option %s fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:542 ++msgid "Principal does not belong to the default realm" ++msgstr "Principal gehört nicht zum Standard-Realm" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:610 ++#, c-format ++msgid "" ++"operation can not continue, more than one entry with principal name \"%s\" " ++"found" ++msgstr "" ++"Die Aktion kann nicht fortfahren, da mehr als ein Principal namens »%s« " ++"gefunden wurde." ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:673 ++#, c-format ++msgid "'%s' not found: " ++msgstr "»%s« nicht gefunden: " ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:751 ++msgid "DN is out of the realm subtree" ++msgstr "DN liegt außerhalb ders Teilbaums des Realms" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:807 ++#, c-format ++msgid "ldap object is already kerberized" ++msgstr "LDAP-Objekt ist bereits an Kerberos angepasst" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:827 ++#, c-format ++msgid "" ++"link information can not be set/updated as the kerberos principal belongs to " ++"an ldap object" ++msgstr "" ++"Verweisinformation kann nicht eingerichtet/aktualisiert werden, da der " ++"Kerberos-Principal zu einem LDAP-Objekt gehört." ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:842 ++#, c-format ++msgid "Failed getting object references" ++msgstr "Holen von Objektbezügen fehlgeschlagen" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:849 ++#, c-format ++msgid "kerberos principal is already linked to a ldap object" ++msgstr "Kerberos-Principal ist bereits mit einem LDAP-Objekt verknüpft" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1167 ++msgid "ticket policy object value: " ++msgstr "Wert des Ticket-Richtlinienobjekts: " ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1215 ++#, c-format ++msgid "Principal delete failed (trying to replace entry): %s" ++msgstr "" ++"Löschen des Principals fehlgeschlagen (es wird versucht, den Eintrag zu " ++"ersetzen): %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1225 ++#, c-format ++msgid "Principal add failed: %s" ++msgstr "Hinzufügen des Principals fehlgeschlagen: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1263 ++#, c-format ++msgid "User modification failed: %s" ++msgstr "Änderung des Benutzers fehlgeschlagen: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1336 ++msgid "Error reading ticket policy. " ++msgstr "Fehler beim Lesen der Ticket-Richtlinie" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1402 ++#, c-format ++msgid "unable to decode stored principal key data (%s)" ++msgstr "" ++"Die gespeicherten Schlüsseldaten des Principals (%s) konnten nicht " ++"dekodiert werden." ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:223 ++msgid "Realm information not available" ++msgstr "Realm-Information nicht verfügbar" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:294 ++msgid "Error reading ticket policy: " ++msgstr "Fehler beim Lesen der Ticket-Richtlinie:" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:307 ++#, c-format ++msgid "Realm Delete FAILED: %s" ++msgstr "Löschen des Realms FEHLGESCHLAGEN: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:387 ++msgid "subtree value: " ++msgstr "Wert des Teilbaums: " ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:404 ++msgid "container reference value: " ++msgstr "Wert des Container-Bezugs: " ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:487 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:550 ++msgid "Kerberos Container information is missing" ++msgstr "Kerberos-Container-Information fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:499 ++msgid "Invalid Kerberos container DN" ++msgstr "ungültiger Kerberos-Container-DN" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:515 ++#, c-format ++msgid "Kerberos Container create FAILED: %s" ++msgstr "Erstellen des Kerberos-Containers FEHLGESCHLAGEN: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:558 ++#, c-format ++msgid "Kerberos Container delete FAILED: %s" ++msgstr "Löschen des Kerberos-Containers FEHLGESCHLAGEN: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:634 ++msgid "realm object value: " ++msgstr "Wert des Realm-Objekts: " ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:48 ++msgid "Not a hexadecimal password" ++msgstr "kein hexadezimales Passwort" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:55 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:66 ++msgid "Password corrupt" ++msgstr "Passwort beschädigt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:93 ++#, c-format ++msgid "Cannot open LDAP password file '%s': %s" ++msgstr "LDAP-Passwortdatei »%s« kann nicht geöffnet werden: %s" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:123 ++#, c-format ++msgid "Bind DN entry '%s' missing in LDAP password file '%s'" ++msgstr "Bind-DN-Eintrag »%s« fehlt in der LDAP-Passwortdatei »%s«" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:56 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:132 ++msgid "Ticket Policy Name missing" ++msgstr "Ticket-Richtlinienname fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:144 ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:221 ++msgid "ticket policy object: " ++msgstr "Ticket-Richtlinienobjekt: " ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:209 ++msgid "Ticket Policy Object information missing" ++msgstr "Ticket-Richtlinienobjekt-Information fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:300 ++msgid "Ticket Policy Object DN missing" ++msgstr "DN des Ticket-Richtlinienobjekts fehlt" ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:327 ++msgid "Delete Failed: One or more Principals associated with the Ticket Policy" ++msgstr "" ++"Löschen fehlgeschlagen: Ein oder mehrere Principals gehören zur Ticket-" ++"Richtlinie." ++ ++#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:435 ++msgid "Error reading container object: " ++msgstr "Fehler beim Lesen des Container-Objekts: " ++ ++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_nss.c:667 ++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:652 ++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4153 ++msgid "Pass phrase for" ++msgstr "Passphrase für" ++ ++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1081 ++#, c-format ++msgid "Cannot create cert chain: %s" ++msgstr "Zertifikatskette kann nicht erstellt werden: %s" ++ ++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1408 ++msgid "Invalid pkinit packet: octet string expected" ++msgstr "ungültiges Pkinit-Paket: Achtbit-Zeichenkette erwartet" ++ ++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1427 ++msgid "wrong oid\n" ++msgstr "falsche OID\n" ++ ++#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5994 ++#, c-format ++msgid "unknown code 0x%x" ++msgstr "unbekannter Code 0x%x" ++ ++#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:424 ++#, c-format ++msgid "Unsupported type while processing '%s'\n" ++msgstr "nicht unterstützter Typ bei der Verarbeitung von »%s«\n" ++ ++#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:465 ++msgid "Internal error parsing X509_user_identity\n" ++msgstr "interner Fehler beim Auswerten von »X509_user_identity«\n" ++ ++#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:560 ++msgid "No user identity options specified" ++msgstr "keine Optionen der Nutzeridentität angegeben" ++ ++#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:414 ++msgid "Pkinit request not signed, but client not anonymous." ++msgstr "Pkinit-Anfrage nicht signiert, Client ist jedoch nicht anonym" ++ ++# DH = Diffie-Hellman ++#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:447 ++msgid "Anonymous pkinit without DH public value not supported." ++msgstr "Anonymes Pkinit wird nicht ohne öffentlichen DH-Wert unterstützt." ++ ++#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1147 ++#, c-format ++msgid "No pkinit_identity supplied for realm %s" ++msgstr "Für Realm %s wird keine »pkinit_identity« bereitgestellt." ++ ++#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1158 ++#, c-format ++msgid "No pkinit_anchors supplied for realm %s" ++msgstr "Für Realm %s werden keine »pkinit_anchors« bereitgestellt." ++ ++#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1346 ++msgid "No realms configured correctly for pkinit support" ++msgstr "Für Pkinit-Unterstützung wurden keine Realms korrekt konfiguriert." ++ ++#: ../../src/slave/kprop.c:85 ++#, c-format ++msgid "" ++"\n" ++"Usage: %s [-r realm] [-f file] [-d] [-P port] [-s srvtab] slave_host\n" ++"\n" ++msgstr "" ++"\n" ++"Aufruf: %s [-r Realm] [-f Datei] [-d] [-P Port] [-s Dienstschlüsseltabelle] " ++"untergeordneter_Rechner\n" ++"\n" ++ ++#: ../../src/slave/kprop.c:114 ++#, c-format ++msgid "Database propagation to %s: SUCCEEDED\n" ++msgstr "Datenbankverbreitung auf %s: ERFOLGREICH\n" ++ ++#: ../../src/slave/kprop.c:187 ++msgid "while setting client principal name" ++msgstr "beim Setzen des Client-Principal-Namens" ++ ++#: ../../src/slave/kprop.c:194 ../../src/slave/kprop.c:209 ++msgid "while setting client principal realm" ++msgstr "beim Setzen des Client-Principal-Realms" ++ ++#: ../../src/slave/kprop.c:217 ++#, c-format ++msgid "while opening credential cache %s" ++msgstr "beim Öffnen des Anmeldedatenzwischenspeichers %s" ++ ++#: ../../src/slave/kprop.c:233 ++msgid "while setting server principal name" ++msgstr "beim Setzen des Server-Principal-Namens" ++ ++#: ../../src/slave/kprop.c:255 ++msgid "while resolving keytab" ++msgstr "beim Ermitteln der Schlüsseltabelle" ++ ++#: ../../src/slave/kprop.c:264 ++msgid "while getting initial credentials\n" ++msgstr "beim Holen der Anfangsanmeldedaten\n" ++ ++#: ../../src/slave/kprop.c:301 ++msgid "while creating socket" ++msgstr "beim Erstellen eines Sockets" ++ ++#: ../../src/slave/kprop.c:317 ++msgid "while converting server address" ++msgstr "beim Umwandeln der Server-Adresse" ++ ++#: ../../src/slave/kprop.c:327 ++msgid "while connecting to server" ++msgstr "beim Verbinden mit dem Server" ++ ++#: ../../src/slave/kprop.c:334 ../../src/slave/kpropd.c:1215 ++msgid "while getting local socket address" ++msgstr "beim Holen der lokalen Socket-Adresse" ++ ++#: ../../src/slave/kprop.c:339 ++msgid "while converting local address" ++msgstr "beim Umwandeln der lokalen Socket-Adresse" ++ ++#: ../../src/slave/kprop.c:362 ++msgid "in krb5_auth_con_setaddrs" ++msgstr "in »krb5_auth_con_setaddrs«" ++ ++#: ../../src/slave/kprop.c:370 ++msgid "while authenticating to server" ++msgstr "beim Authentifizieren am Server" ++ ++#: ../../src/slave/kprop.c:374 ../../src/slave/kprop.c:573 ++#: ../../src/slave/kpropd.c:1521 ++#, c-format ++msgid "Generic remote error: %s\n" ++msgstr "allgemeiner ferner Fehler: %s\n" ++ ++#: ../../src/slave/kprop.c:380 ../../src/slave/kprop.c:579 ++msgid "signalled from server" ++msgstr "signalisiert vom Server" ++ ++#: ../../src/slave/kprop.c:382 ../../src/slave/kprop.c:581 ++#, c-format ++msgid "Error text from server: %s\n" ++msgstr "Fehlermeldung vom Server: %s\n" ++ ++#: ../../src/slave/kprop.c:410 ++#, c-format ++msgid "allocating database file name '%s'" ++msgstr "Datenbankdateiname »%s« wird reserviert" ++ ++#: ../../src/slave/kprop.c:416 ++#, c-format ++msgid "while trying to open %s" ++msgstr "beim Versuch, %s zu öffnen" ++ ++#: ../../src/slave/kprop.c:423 ++msgid "database locked" ++msgstr "Datenbank gesperrt" ++ ++#: ../../src/slave/kprop.c:426 ../../src/slave/kpropd.c:525 ++#, c-format ++msgid "while trying to lock '%s'" ++msgstr "beim Versuch, »%s« zu sperren" ++ ++#: ../../src/slave/kprop.c:430 ../../src/slave/kprop.c:438 ++#, c-format ++msgid "while trying to stat %s" ++msgstr "beim Versuch, »stat« für %s auszuführen" ++ ++#: ../../src/slave/kprop.c:434 ++msgid "while trying to malloc data_ok_fn" ++msgstr "beim Versuch, Speicher für »data_ok_fn« zu reservieren" ++ ++#: ../../src/slave/kprop.c:443 ++#, c-format ++msgid "'%s' more recent than '%s'." ++msgstr "»%s« ist aktueller als »%s«." ++ ++#: ../../src/slave/kprop.c:459 ++#, c-format ++msgid "while unlocking database '%s'" ++msgstr "beim Entsperren von Datenbank »%s«" ++ ++#: ../../src/slave/kprop.c:492 ../../src/slave/kprop.c:493 ++msgid "while encoding database size" ++msgstr "beim Aufbereiten der Datenbankgröße" ++ ++#: ../../src/slave/kprop.c:501 ++msgid "while sending database size" ++msgstr "beim Senden der Datenbankgröße" ++ ++#: ../../src/slave/kprop.c:511 ++msgid "while allocating i_vector" ++msgstr "beim Reservieren von »i_vector«" ++ ++#: ../../src/slave/kprop.c:534 ++#, c-format ++msgid "while sending database block starting at %d" ++msgstr "beim Senden des Datenbankblocks, der bei %d beginnt" ++ ++#: ../../src/slave/kprop.c:544 ++msgid "Premature EOF found for database file!" ++msgstr "vorzeitiges EOF für Datenbankdatei gefunden!" ++ ++#: ../../src/slave/kprop.c:557 ++msgid "while reading response from server" ++msgstr "beim Lesen der Antwort vom Servers" ++ ++#: ../../src/slave/kprop.c:568 ++msgid "while decoding error response from server" ++msgstr "beim Aufschlüsseln der Fehlerantwort vom Server" ++ ++#: ../../src/slave/kprop.c:599 ++#, c-format ++msgid "Kpropd sent database size %d, expecting %d" ++msgstr "Kpropd sendet Datenbankgröße %d, erwartet wurde %d" ++ ++#: ../../src/slave/kprop.c:643 ++msgid "while allocating filename for update_last_prop_file" ++msgstr "beim Reservieren des Dateinamens für »update_last_prop_file«" ++ ++#: ../../src/slave/kprop.c:648 ++#, c-format ++msgid "while creating 'last_prop' file, '%s'" ++msgstr "beim Erstellen der Datei »last_prop«, »%s«" ++ ++#: ../../src/slave/kpropd.c:170 ++#, c-format ++msgid "" ++"\n" ++"Usage: %s [-r realm] [-s srvtab] [-dS] [-f slave_file]\n" ++msgstr "" ++"\n" ++"Aufruf: %s [-r Realm] [-s Dienstschlüsseltabelle] [-dS] [-f " ++"untergeordnete_Datei]\n" ++ ++#: ../../src/slave/kpropd.c:172 ++#, c-format ++msgid "\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n" ++msgstr "\t[-F Kerberos-Datenbankdatei ] [-p KDB5-Hilfswerkzeugpfadname]\n" ++ ++#: ../../src/slave/kpropd.c:173 ++#, c-format ++msgid "\t[-x db_args]* [-P port] [-a acl_file]\n" ++msgstr "\t[-x Datenbankargumente]* [-P Port] [-a ACL-Datei]\n" ++ ++#: ../../src/slave/kpropd.c:174 ++#, c-format ++msgid "\t[-A admin_server]\n" ++msgstr "\t[-A Serveradministrator]\n" ++ ++#: ../../src/slave/kpropd.c:215 ++#, c-format ++msgid "Killing fullprop child (%d)\n" ++msgstr "Beenden des Fullprop-Kindprozesses (%d) wird erzwungen\n" ++ ++#: ../../src/slave/kpropd.c:244 ++msgid "while checking if stdin is a socket" ++msgstr "beim Prüfen, ob die Standardeingabe ein Socket ist" ++ ++#: ../../src/slave/kpropd.c:262 ++#, c-format ++msgid "ready\n" ++msgstr "bereit\n" ++ ++#: ../../src/slave/kpropd.c:272 ++#, c-format ++msgid "Could not open /dev/null: %s" ++msgstr "/dev/null konnte nicht geöffnet werden: %s" ++ ++#: ../../src/slave/kpropd.c:279 ++#, c-format ++msgid "Could not dup the inetd socket: %s" ++msgstr "Das Inetd-Socket konnte nicht dupliziert werden: %s" ++ ++#: ../../src/slave/kpropd.c:314 ../../src/slave/kpropd.c:327 ++msgid "do_iprop failed.\n" ++msgstr "»do_iprop« fehlgeschlagen\n" ++ ++#: ../../src/slave/kpropd.c:366 ++#, c-format ++msgid "getaddrinfo: %s\n" ++msgstr "getaddrinfo: %s\n" ++ ++#: ../../src/slave/kpropd.c:372 ++msgid "while obtaining socket" ++msgstr "beim Erlangen des Sockets" ++ ++#: ../../src/slave/kpropd.c:378 ++msgid "while setting SO_REUSEADDR option" ++msgstr "beim Setzen der Option SO_REUSEADDR" ++ ++#: ../../src/slave/kpropd.c:386 ++msgid "while unsetting IPV6_V6ONLY option" ++msgstr "beim Entfernen der Option IPV6_V6ONLY" ++ ++#: ../../src/slave/kpropd.c:391 ++msgid "while binding listener socket" ++msgstr "beim Anbinden an das auf Verbindung wartende Socket" ++ ++#: ../../src/slave/kpropd.c:402 ++#, c-format ++msgid "waiting for a kprop connection\n" ++msgstr "warten auf Kprop-Verbindung\n" ++ ++#: ../../src/slave/kpropd.c:408 ++msgid "while accepting connection" ++msgstr "beim Akzeptieren der Verbindung" ++ ++#: ../../src/slave/kpropd.c:414 ++msgid "while forking" ++msgstr "beim Erzeugen eines Kindprozesses" ++ ++#: ../../src/slave/kpropd.c:429 ++#, c-format ++msgid "waitpid() failed to wait for doit() (%d %s)\n" ++msgstr "waitpid() schlug beim Warten auf doit() fehl (%d %s)\n" ++ ++#: ../../src/slave/kpropd.c:433 ++msgid "while waiting to receive database" ++msgstr "beim Warten auf den Erhalt der Datenbank" ++ ++#: ../../src/slave/kpropd.c:437 ++#, c-format ++msgid "Database load process for full propagation completed.\n" ++msgstr "" ++"Der Datenbankladeprozess für eine vollständige Verbreitung ist " ++"abgeschlossen.\n" ++ ++#: ../../src/slave/kpropd.c:471 ++#, c-format ++msgid "" ++"%s: Standard input does not appear to be a network socket.\n" ++"\t(Not run from inetd, and missing the -S option?)\n" ++msgstr "" ++"%s: Bei der Standardeingabe scheint es sich nicht um ein Netzwerk-Socket zu\n" ++"\thandeln (läuft nicht aus Inetd und die Option -S fehlt?).\n" ++ ++#: ../../src/slave/kpropd.c:485 ++msgid "while attempting setsockopt (SO_KEEPALIVE)" ++msgstr "beim Versuch, »setsockopt« auszuführen (SO_KEEPALIVE)" ++ ++#: ../../src/slave/kpropd.c:490 ++#, c-format ++msgid "Connection from %s" ++msgstr "Verbindung von %s" ++ ++#: ../../src/slave/kpropd.c:510 ++#, c-format ++msgid "Rejected connection from unauthorized principal %s\n" ++msgstr "Zurückgewiesene Verbindung von nicht autorisiertem Principal %s\n" ++ ++#: ../../src/slave/kpropd.c:514 ++#, c-format ++msgid "Rejected connection from unauthorized principal %s" ++msgstr "Zurückgewiesene Verbindung von nicht authorisiertem Principal %s" ++ ++#: ../../src/slave/kpropd.c:531 ++#, c-format ++msgid "while opening database file, '%s'" ++msgstr "beim Öffnen der Datenbankdatei, »%s«" ++ ++#: ../../src/slave/kpropd.c:537 ++#, c-format ++msgid "while renaming %s to %s" ++msgstr "beim Umbenennen von %s in %s" ++ ++#: ../../src/slave/kpropd.c:543 ++#, c-format ++msgid "while downgrading lock on '%s'" ++msgstr "beim Downgrade der Sperre auf »%s«" ++ ++#: ../../src/slave/kpropd.c:550 ++#, c-format ++msgid "while unlocking '%s'" ++msgstr "beim Aufheben der Sperre »%s«" ++ ++#: ../../src/slave/kpropd.c:562 ++msgid "while sending # of received bytes" ++msgstr "beim Senden n empfangener Byte" ++ ++#: ../../src/slave/kpropd.c:568 ++msgid "while trying to close database file" ++msgstr "beim Versuch, die Datenbankdatei zu schließen" ++ ++#: ../../src/slave/kpropd.c:624 ++#, c-format ++msgid "Incremental propagation enabled\n" ++msgstr "inkrementelle Verbreitung aktiviert\n" ++ ++#: ../../src/slave/kpropd.c:634 ++msgid "Unable to get default realm" ++msgstr "Standard-Realm kann nicht geholt werden" ++ ++#: ../../src/slave/kpropd.c:647 ++#, c-format ++msgid "%s: unable to get kiprop host based service name for realm %s\n" ++msgstr "" ++"%s: Kiprop-rechnerbasierter Dienstname für Realm %s kann nicht geholt " ++"werden\n" ++ ++#: ../../src/slave/kpropd.c:658 ++msgid "while trying to construct host service principal" ++msgstr "beim Versuch, den Rechnerdienst-Principal zu erstellen" ++ ++#: ../../src/slave/kpropd.c:672 ++msgid "while determining local service principal name" ++msgstr "beim Bestimmen des lokalen Dienst-Principal-Namens" ++ ++#: ../../src/slave/kpropd.c:692 ++#, c-format ++msgid "Initializing kadm5 as client %s\n" ++msgstr "Kadm5 wird als Client %s initialisiert\n" ++ ++#: ../../src/slave/kpropd.c:706 ++#, c-format ++msgid "kadm5 initialization failed!\n" ++msgstr "Initialisierung von Kadm5 fehlgeschlagen!\n" ++ ++#: ../../src/slave/kpropd.c:715 ++msgid "while attempting to connect to master KDC ... retrying" ++msgstr "" ++"beim Versuch, eine Verbindung zum Master-KDC aufzubauen … wird erneut " ++"versucht" ++ ++#: ../../src/slave/kpropd.c:719 ++#, c-format ++msgid "Sleeping %d seconds to re-initialize kadm5 (RPC ERROR)\n" ++msgstr "" ++"Um Kadm5 neu zu initialisieren, wird %d Sekunden gewartet (RPC-FEHLER).\n" ++ ++#: ../../src/slave/kpropd.c:735 ++#, c-format ++msgid "while initializing %s interface, retrying" ++msgstr "beim Initialisieren der Schnittstelle %s, wird erneut versucht" ++ ++#: ../../src/slave/kpropd.c:739 ++#, c-format ++msgid "Sleeping %d seconds to re-initialize kadm5 (krb5kdc not running?)\n" ++msgstr "" ++"Um Kadm5 neu zu initialisieren, wird %d Sekunden gewartet (läuft Krb5kdc " ++"nicht?).\n" ++ ++#: ../../src/slave/kpropd.c:749 ++#, c-format ++msgid "kadm5 initialization succeeded\n" ++msgstr "Initialisieren von Kadm5 erfolgreich\n" ++ ++#: ../../src/slave/kpropd.c:771 ++msgid "reading update log header" ++msgstr "Aktualisierungsprotokollkopfzeilen werden gelesen" ++ ++#: ../../src/slave/kpropd.c:782 ++#, c-format ++msgid "Calling iprop_get_updates_1 (sno=%u sec=%u usec=%u)\n" ++msgstr "»iprop_get_updates_1()« wird aufgerufen (sno=%u sec=%u usec=%u)\n" ++ ++#: ../../src/slave/kpropd.c:792 ++msgid "iprop_get_updates call failed" ++msgstr "Aufruf von »iprop_get_updates« fehlgeschlagen" ++ ++#: ../../src/slave/kpropd.c:798 ++#, c-format ++msgid "Reinitializing iprop because get updates failed\n" ++msgstr "" ++"Iprop wird neu initialisiert, da Aktualisierungen fehlgeschlagen sind\n" ++ ++#: ../../src/slave/kpropd.c:819 ++#, c-format ++msgid "Still waiting for full resync\n" ++msgstr "" ++"Es wird immer noch auf das vollständige erneute Synchronisieren gewartet.\n" ++ ++#: ../../src/slave/kpropd.c:824 ++#, c-format ++msgid "Full resync needed\n" ++msgstr "erneutes vollständiges Synchronisieren erforderlich\n" ++ ++#: ../../src/slave/kpropd.c:825 ++msgid "kpropd: Full resync needed." ++msgstr "Kpropd: erneutes vollständiges Synchronisieren erforderlich" ++ ++#: ../../src/slave/kpropd.c:830 ++msgid "iprop_full_resync call failed" ++msgstr "Aufruf von »iprop_full_resync« fehlgeschlagen" ++ ++#: ../../src/slave/kpropd.c:841 ++#, c-format ++msgid "Full resync request granted\n" ++msgstr "Anfrage nach vollständigem erneuten Synchronisieren genehmigt\n" ++ ++#: ../../src/slave/kpropd.c:842 ++msgid "Full resync request granted." ++msgstr "Anfrage nach vollständigem erneuten Synchronisieren genehmigt" ++ ++# FIXME s/backoff/back-off/ ++#: ../../src/slave/kpropd.c:851 ++#, c-format ++msgid "Exponential backoff\n" ++msgstr "exponentieller Wartezyklus\n" ++ ++#: ../../src/slave/kpropd.c:857 ++#, c-format ++msgid "Full resync permission denied\n" ++msgstr "vollständiges erneutes Synchronisieren nicht gestattet\n" ++ ++#: ../../src/slave/kpropd.c:858 ++msgid "Full resync, permission denied." ++msgstr "vollständiges erneutes Synchronisieren, nicht gestattet" ++ ++#: ../../src/slave/kpropd.c:863 ++#, c-format ++msgid "Full resync error from master\n" ++msgstr "Fehler beim vollständigen erneuten Synchronisieren vom Master\n" ++ ++#: ../../src/slave/kpropd.c:864 ++msgid " Full resync, error returned from master KDC." ++msgstr "" ++"vollständiges erneutes Synchronisieren, das Master-KDC gab einen Fehler " ++"zurück" ++ ++#: ../../src/slave/kpropd.c:872 ++#, c-format ++msgid "Full resync invalid result from master\n" ++msgstr "" ++"Beim vollständigen erneuten Synchronisieren gab der Master ein ungültiges " ++"Ergebnis zurück.\n" ++ ++#: ../../src/slave/kpropd.c:874 ++msgid "Full resync, invalid return from master KDC." ++msgstr "" ++"vollständiges erneutes Synchronisieren, ungültiger Rückgabewert vom Master-" ++"KDC" ++ ++#: ../../src/slave/kpropd.c:890 ++#, c-format ++msgid "Got incremental updates (sno=%u sec=%u usec=%u)\n" ++msgstr "" ++"inkrementelle Aktualisierungen erhalten (sno=%u sec=%u usec=%u)\n" ++ ++#: ../../src/slave/kpropd.c:902 ++#, c-format ++msgid "ulog_replay failed (%s), updates not registered\n" ++msgstr "" ++"»ulog_replay« fehlgeschlagen (%s), Aktualisierungen nicht registriert\n" ++ ++#: ../../src/slave/kpropd.c:905 ++#, c-format ++msgid "ulog_replay failed (%s), updates not registered." ++msgstr "»ulog_replay« fehlgeschlagen (%s), Aktualisierungen nicht registriert" ++ ++#: ../../src/slave/kpropd.c:914 ++#, c-format ++msgid "Incremental updates: %d updates / %lu us" ++msgstr "inkrementelle Aktualisierungen: %d Aktualisierungen / %lu us" ++ ++#: ../../src/slave/kpropd.c:917 ++#, c-format ++msgid "Incremental updates: %d updates / %lu us\n" ++msgstr "inkrementelle Aktualisierungen: %d Aktualisierungen / %lu us\n" ++ ++#: ../../src/slave/kpropd.c:925 ++#, c-format ++msgid "get_updates permission denied\n" ++msgstr "Zugriff bei »get_updates« verweigert\n" ++ ++#: ../../src/slave/kpropd.c:926 ++msgid "get_updates, permission denied." ++msgstr "»get_updates«, Zugriff verweigert" ++ ++#: ../../src/slave/kpropd.c:931 ++#, c-format ++msgid "get_updates error from master\n" ++msgstr "»get_updates«-Fehler vom Master\n" ++ ++#: ../../src/slave/kpropd.c:932 ++msgid "get_updates, error returned from master KDC." ++msgstr "Vom Master-KDC wurde ein »get_updates«-Fehler zurückgegeben." ++ ++# FIXME s/backoff/back-off/ ++#: ../../src/slave/kpropd.c:940 ++#, c-format ++msgid "get_updates master busy; backoff\n" ++msgstr "»get_updates«-Master ausgelastet; hält sich zurück\n" ++ ++#: ../../src/slave/kpropd.c:949 ++#, c-format ++msgid "KDC is synchronized with master.\n" ++msgstr "KDC wurde mit dem Master synchronisiert.\n" ++ ++#: ../../src/slave/kpropd.c:957 ++#, c-format ++msgid "get_updates invalid result from master\n" ++msgstr "ungültiges »get_updates«-Ergebnis vom Master\n" ++ ++#: ../../src/slave/kpropd.c:958 ++msgid "get_updates, invalid return from master KDC." ++msgstr "»get_updates«, ungültiger Rückgabewert vom Master-KDC" ++ ++# FIXME s/backoff/back-off/ ++#: ../../src/slave/kpropd.c:973 ++#, c-format ++msgid "Busy signal received from master, backoff for %d secs\n" ++msgstr "" ++"Vom Master wurde ein Signal empfangen, dass er ausgelastet ist, " ++"Zurückhaltung für %d Sekunden\n" ++ ++#: ../../src/slave/kpropd.c:980 ++#, c-format ++msgid "Waiting for %d seconds before checking for updates again\n" ++msgstr "" ++"vor der erneuten Prufung auf Aktualisierungen wird %d Sekunden gewartet\n" ++ ++#: ../../src/slave/kpropd.c:991 ++#, c-format ++msgid "ERROR returned by master, bailing\n" ++msgstr "FEHLER vom Master zurückgegeben, Ausstieg\n" ++ ++#: ../../src/slave/kpropd.c:992 ++msgid "ERROR returned by master KDC, bailing.\n" ++msgstr "FEHLER vom Master-KDC zurückgegeben, Ausstieg\n" ++ ++#: ../../src/slave/kpropd.c:1134 ++msgid "copying db args" ++msgstr "Datenbankargumente werden kopiert" ++ ++#: ../../src/slave/kpropd.c:1161 ++msgid "while trying to construct my service name" ++msgstr "beim Versuch, meinen Dienstnamen zu erstellen" ++ ++#: ../../src/slave/kpropd.c:1167 ++msgid "while constructing my service realm" ++msgstr "beim Erstellen meines Dienst-Realms" ++ ++#: ../../src/slave/kpropd.c:1175 ++msgid "while allocating filename for temp file" ++msgstr "beim Reservieren des Dateinamens für die temporäre Datei" ++ ++#: ../../src/slave/kpropd.c:1181 ++msgid "while initializing" ++msgstr "bei der Initialisierung" ++ ++#: ../../src/slave/kpropd.c:1189 ++msgid "Unable to map log!\n" ++msgstr "Protokoll kann nicht abgebildet werden!\n" ++ ++#: ../../src/slave/kpropd.c:1235 ++#, c-format ++msgid "Error in krb5_auth_con_ini: %s" ++msgstr "Fehler in »krb5_auth_con_ini«: %s" ++ ++#: ../../src/slave/kpropd.c:1243 ++#, c-format ++msgid "Error in krb5_auth_con_setflags: %s" ++msgstr "Fehler in »krb5_auth_con_setflags«: %s" ++ ++#: ../../src/slave/kpropd.c:1251 ++#, c-format ++msgid "Error in krb5_auth_con_setaddrs: %s" ++msgstr "Fehler in »krb5_auth_con_setaddrs«: %s" ++ ++#: ../../src/slave/kpropd.c:1259 ++#, c-format ++msgid "Error in krb5_kt_resolve: %s" ++msgstr "Fehler in »krb5_kt_resolve«: %s" ++ ++#: ../../src/slave/kpropd.c:1268 ++#, c-format ++msgid "Error in krb5_recvauth: %s" ++msgstr "Fehler in »krb5_recvauth«: %s" ++ ++#: ../../src/slave/kpropd.c:1275 ++#, c-format ++msgid "Error in krb5_copy_prinicpal: %s" ++msgstr "Fehler in »krb5_copy_prinicpal«: %s" ++ ++#: ../../src/slave/kpropd.c:1291 ++msgid "while unparsing ticket etype" ++msgstr "beim Rückgängigmachen der Auswertung des »etype«s des Tickets" ++ ++#: ../../src/slave/kpropd.c:1295 ++#, c-format ++msgid "authenticated client: %s (etype == %s)\n" ++msgstr "Authentifizierter Client: %s (etype == %s)\n" ++ ++#: ../../src/slave/kpropd.c:1374 ++msgid "while reading size of database from client" ++msgstr "beim Lesen der Datenbankgröße vom Client" ++ ++#: ../../src/slave/kpropd.c:1384 ++msgid "while decoding database size from client" ++msgstr "beim Dekodieren der Datenbankgröße vom Client" ++ ++#: ../../src/slave/kpropd.c:1397 ++msgid "while initializing i_vector" ++msgstr "beim Initialisieren von »i_vector«" ++ ++#: ../../src/slave/kpropd.c:1402 ++#, c-format ++msgid "Full propagation transfer started.\n" ++msgstr "vollständige Verbreitungsübertragung gestartet\n" ++ ++#: ../../src/slave/kpropd.c:1455 ++#, c-format ++msgid "Full propagation transfer finished.\n" ++msgstr "vollständige Verbreitungsübertragung beendet\n" ++ ++#: ../../src/slave/kpropd.c:1516 ++msgid "while decoding error packet from client" ++msgstr "beim Dekodieren des Fehlerpakets vom Client" ++ ++#: ../../src/slave/kpropd.c:1525 ++msgid "signaled from server" ++msgstr "signalisiert vom Server" ++ ++#: ../../src/slave/kpropd.c:1527 ++#, c-format ++msgid "Error text from client: %s\n" ++msgstr "Fehlermeldung vom Client: %s\n" ++ ++#: ../../src/slave/kpropd.c:1576 ++#, c-format ++msgid "while trying to fork %s" ++msgstr "beim Versuch, einen Kindprozess von %s zu erzeugen" ++ ++#: ../../src/slave/kpropd.c:1580 ++#, c-format ++msgid "while trying to exec %s" ++msgstr "beim Versuch, %s auszuführen" ++ ++#: ../../src/slave/kpropd.c:1587 ++#, c-format ++msgid "while waiting for %s" ++msgstr "beim Warten auf %s" ++ ++#: ../../src/slave/kpropd.c:1593 ++#, c-format ++msgid "%s load terminated" ++msgstr "Laden von %s beendet" ++ ++#: ../../src/slave/kpropd.c:1599 ++#, c-format ++msgid "%s returned a bad exit status (%d)" ++msgstr "%s gab einen falschen Exit-Status (%d) zurück" ++ ++#: ../../src/slave/kproplog.c:27 ++#, c-format ++msgid "" ++"\n" ++"Usage: %s [-h] [-v] [-v] [-e num]\n" ++"\t%s -R\n" ++"\n" ++msgstr "" ++"\n" ++"Aufruf: %s [-h] [-v] [-v] [-e Zahl]\n" ++"\t%s -R\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:129 ++#, c-format ++msgid "" ++"\n" ++"Couldn't allocate memory" ++msgstr "" ++"\n" ++"Speicher konnte nicht reserviert werden" ++ ++#: ../../src/slave/kproplog.c:223 ++#, c-format ++msgid "\t\tAttribute flags\n" ++msgstr "\t\tAttributschalter\n" ++ ++#: ../../src/slave/kproplog.c:228 ++#, c-format ++msgid "\t\tMaximum ticket life\n" ++msgstr "\t\tmaximale Ticketlebensdauer\n" ++ ++#: ../../src/slave/kproplog.c:233 ++#, c-format ++msgid "\t\tMaximum renewable life\n" ++msgstr "\t\tmaximale verlängerbare Lebensdauer\n" ++ ++#: ../../src/slave/kproplog.c:238 ++#, c-format ++msgid "\t\tPrincipal expiration\n" ++msgstr "\t\tAblauf des Principals\n" ++ ++#: ../../src/slave/kproplog.c:243 ++#, c-format ++msgid "\t\tPassword expiration\n" ++msgstr "\t\tAblauf des Passworts\n" ++ ++#: ../../src/slave/kproplog.c:248 ++#, c-format ++msgid "\t\tLast successful auth\n" ++msgstr "\t\tletzte erfolgreiche Authentifizierung\n" ++ ++#: ../../src/slave/kproplog.c:253 ++#, c-format ++msgid "\t\tLast failed auth\n" ++msgstr "\t\tletzte fehlgeschlagene Authentifizierung\n" ++ ++#: ../../src/slave/kproplog.c:258 ++#, c-format ++msgid "\t\tFailed passwd attempt\n" ++msgstr "\t\tfehlgeschlagener Passwortversuch\n" ++ ++#: ../../src/slave/kproplog.c:263 ++#, c-format ++msgid "\t\tPrincipal\n" ++msgstr "\t\tPrincipal\n" ++ ++#: ../../src/slave/kproplog.c:268 ++#, c-format ++msgid "\t\tKey data\n" ++msgstr "\t\tSchlüsseldaten\n" ++ ++#: ../../src/slave/kproplog.c:275 ++#, c-format ++msgid "\t\tTL data\n" ++msgstr "\t\tTL-Daten\n" ++ ++#: ../../src/slave/kproplog.c:282 ++#, c-format ++msgid "\t\tLength\n" ++msgstr "\t\tLänge\n" ++ ++#: ../../src/slave/kproplog.c:287 ++#, c-format ++msgid "\t\tPassword last changed\n" ++msgstr "\t\tletzte Passwortänderung\n" ++ ++#: ../../src/slave/kproplog.c:292 ++#, c-format ++msgid "\t\tModifying principal\n" ++msgstr "\t\ttPrincipal wird geändert\n" ++ ++#: ../../src/slave/kproplog.c:297 ++#, c-format ++msgid "\t\tModification time\n" ++msgstr "\t\tÄnderungszeit\n" ++ ++#: ../../src/slave/kproplog.c:302 ++#, c-format ++msgid "\t\tModified where\n" ++msgstr "\t\tGeändert wobei\n" ++ ++#: ../../src/slave/kproplog.c:307 ++#, c-format ++msgid "\t\tPassword policy\n" ++msgstr "\t\tPasswortrichtlinie\n" ++ ++#: ../../src/slave/kproplog.c:312 ++#, c-format ++msgid "\t\tPassword policy switch\n" ++msgstr "\t\tPasswortrichtlinienumschalter\n" ++ ++#: ../../src/slave/kproplog.c:317 ++#, c-format ++msgid "\t\tPassword history KVNO\n" ++msgstr "\t\tPasswortchronik KVNO\n" ++ ++#: ../../src/slave/kproplog.c:322 ++#, c-format ++msgid "\t\tPassword history\n" ++msgstr "\t\tPasswortchronik\n" ++ ++#: ../../src/slave/kproplog.c:356 ++#, c-format ++msgid "" ++"Corrupt update entry\n" ++"\n" ++msgstr "" ++"beschädigter Aktualisierungseintrag\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:364 ++#, c-format ++msgid "" ++"Entry data decode failure\n" ++"\n" ++msgstr "" ++"Dekodieren der eingetragenen Daten fehlgeschlagen\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:369 ++#, c-format ++msgid "Update Entry\n" ++msgstr "Aktualisierungseintrag\n" ++ ++#: ../../src/slave/kproplog.c:371 ++#, c-format ++msgid "\tUpdate serial # : %u\n" ++msgstr "\tAktualisierung der Seriennummer: %u\n" ++ ++#: ../../src/slave/kproplog.c:373 ++#, c-format ++msgid "\tUpdate operation : " ++msgstr "\tAktualisierungsaktion: " ++ ++#: ../../src/slave/kproplog.c:375 ++#, c-format ++msgid "Delete\n" ++msgstr "Löschen\n" ++ ++#: ../../src/slave/kproplog.c:377 ++#, c-format ++msgid "Add\n" ++msgstr "Hinzufügen\n" ++ ++#: ../../src/slave/kproplog.c:381 ++#, c-format ++msgid "" ++"Could not allocate principal name\n" ++"\n" ++msgstr "" ++"Der Principal-Name konnte nicht reserviert werden.\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:387 ++#, c-format ++msgid "\tUpdate principal : %s\n" ++msgstr "\tAktualisierung des Principals: %s\n" ++ ++#: ../../src/slave/kproplog.c:389 ++#, c-format ++msgid "\tUpdate size : %u\n" ++msgstr "\tGröße der Aktualisierung: %u\n" ++ ++#: ../../src/slave/kproplog.c:390 ++#, c-format ++msgid "\tUpdate committed : %s\n" ++msgstr "\tAktualisierung übergeben: %s\n" ++ ++#: ../../src/slave/kproplog.c:394 ++#, c-format ++msgid "\tUpdate time stamp : None\n" ++msgstr "\tZeitstempel der Aktualisierung: keiner\n" ++ ++#: ../../src/slave/kproplog.c:396 ++#, c-format ++msgid "\tUpdate time stamp : %s" ++msgstr "\tZeitstempel der Aktualisierung: %s" ++ ++#: ../../src/slave/kproplog.c:400 ++#, c-format ++msgid "\tAttributes changed : %d\n" ++msgstr "\tgeänderte Attribute: %d\n" ++ ++#: ../../src/slave/kproplog.c:465 ++#, c-format ++msgid "" ++"Unable to initialize Kerberos\n" ++"\n" ++msgstr "" ++"Kerberos kann nicht initialisiert werden\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:472 ++#, c-format ++msgid "" ++"Couldn't read database_name\n" ++"\n" ++msgstr "" ++"»database_name« kann nicht gelesen werden\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:476 ++#, c-format ++msgid "" ++"\n" ++"Kerberos update log (%s)\n" ++msgstr "" ++"\n" ++"Kerberos-Aktualisierungsprotokoll (%s)\n" ++ ++#: ../../src/slave/kproplog.c:480 ../../src/slave/kproplog.c:495 ++#, c-format ++msgid "" ++"Unable to map log file %s\n" ++"\n" ++msgstr "" ++"Protokolldatei %s kann nicht abgebildet werden\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:485 ++#, c-format ++msgid "" ++"Couldn't reinitialize ulog file %s\n" ++"\n" ++msgstr "" ++"Ulog-Datei %s konnte nicht neu initialisiert werden\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:489 ++#, c-format ++msgid "Reinitialized the ulog.\n" ++msgstr "Das Ulog wurde neu initialisiert.\n" ++ ++#: ../../src/slave/kproplog.c:501 ++#, c-format ++msgid "" ++"Corrupt header log, exiting\n" ++"\n" ++msgstr "" ++"beschädigtes Kopfzeilenprotokoll, wird beendet\n" ++"\n" ++ ++#: ../../src/slave/kproplog.c:505 ++#, c-format ++msgid "Update log dump :\n" ++msgstr "Aktualisierungsprotokollauszug :\n" ++ ++#: ../../src/slave/kproplog.c:506 ++#, c-format ++msgid "\tLog version # : %u\n" ++msgstr "\tProtokollversion #: %u\n" ++ ++#: ../../src/slave/kproplog.c:507 ++#, c-format ++msgid "\tLog state : " ++msgstr "\tProtokollstatus: " ++ ++#: ../../src/slave/kproplog.c:510 ++#, c-format ++msgid "Stable\n" ++msgstr "stabil\n" ++ ++#: ../../src/slave/kproplog.c:513 ++#, c-format ++msgid "Unstable\n" ++msgstr "instabil\n" ++ ++#: ../../src/slave/kproplog.c:516 ++#, c-format ++msgid "Corrupt\n" ++msgstr "beschädigt\n" ++ ++#: ../../src/slave/kproplog.c:519 ++#, c-format ++msgid "Unknown state: %d\n" ++msgstr "unbekannter Status: %d\n" ++ ++#: ../../src/slave/kproplog.c:522 ++#, c-format ++msgid "\tEntry block size : %u\n" ++msgstr "\tBlockgrößeneintrag: %u\n" ++ ++#: ../../src/slave/kproplog.c:523 ++#, c-format ++msgid "\tNumber of entries : %u\n" ++msgstr "\tAnzahl der Einträge: %u\n" ++ ++#: ../../src/slave/kproplog.c:526 ++#, c-format ++msgid "\tLast serial # : None\n" ++msgstr "\tletzte Seriennummer: keine\n" ++ ++#: ../../src/slave/kproplog.c:529 ++#, c-format ++msgid "\tFirst serial # : None\n" ++msgstr "\terste Seriennummer: keine\n" ++ ++#: ../../src/slave/kproplog.c:531 ++#, c-format ++msgid "\tFirst serial # : " ++msgstr "\terste Seriennummer: " ++ ++#: ../../src/slave/kproplog.c:535 ++#, c-format ++msgid "\tLast serial # : " ++msgstr "\tletzte Seriennummer: " ++ ++#: ../../src/slave/kproplog.c:540 ++#, c-format ++msgid "\tLast time stamp : None\n" ++msgstr "\tletzter Zeitstempel: keiner\n" ++ ++#: ../../src/slave/kproplog.c:543 ++#, c-format ++msgid "\tFirst time stamp : None\n" ++msgstr "\terster Zeitstempel: keiner\n" ++ ++#: ../../src/slave/kproplog.c:545 ++#, c-format ++msgid "\tFirst time stamp : %s" ++msgstr "\terster Zeitstempel: %s" ++ ++#: ../../src/slave/kproplog.c:549 ++#, c-format ++msgid "\tLast time stamp : %s\n" ++msgstr "\tletzter Zeitstempel: %s\n" ++ ++#: ../../src/util/support/errors.c:77 ++msgid "Kerberos library initialization failure" ++msgstr "Initialisieren der Kerberos-Bibliothek fehlgeschlagen" ++ ++#: ../../src/util/support/errors.c:93 ++#, c-format ++msgid "error %ld" ++msgstr "Fehler %ld" ++ ++#: ../../src/util/support/plugins.c:186 ++#, c-format ++msgid "unable to find plugin [%s]: %s" ++msgstr "Erweiterung [%s] konnte nicht gefunden werden: %s" ++ ++#: ../../src/util/support/plugins.c:274 ++msgid "unknown failure" ++msgstr "unbekannter Fehlschlag" ++ ++#: ../../src/util/support/plugins.c:277 ++#, c-format ++msgid "unable to load plugin [%s]: %s" ++msgstr "Erweiterung [%s] konnte nicht geladen werden: %s" ++ ++#: ../../src/util/support/plugins.c:300 ++#, c-format ++msgid "unable to load DLL [%s]" ++msgstr "DLL [%s] konnte nicht geladen werden" ++ ++#: ../../src/util/support/plugins.c:316 ++#, c-format ++msgid "plugin unavailable: %s" ++msgstr "Erweiterung nicht verfügbar: %s" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:23 ++msgid "No @ in SERVICE-NAME name string" ++msgstr "keine @ in der Namenszeichenkette SERVICE-NAME" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:24 ++msgid "STRING-UID-NAME contains nondigits" ++msgstr "STRING-UID-NAME enthält etwas anderes als Ziffern" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:25 ++msgid "UID does not resolve to username" ++msgstr "UID lässt sich nicht zu Benutzernamen ermitteln" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:26 ++msgid "Validation error" ++msgstr "Überprüfungsfehler" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:27 ++msgid "Couldn't allocate gss_buffer_t data" ++msgstr "»gss_buffer_t«-Daten konnten reserviert werden" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:28 ++msgid "Message context invalid" ++msgstr "Nachrichtenkontext ungültig" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:29 ++msgid "Buffer is the wrong size" ++msgstr "Puffer hat die falsche Größe" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:30 ++msgid "Credential usage type is unknown" ++msgstr "Typ des Anmeldedatenaufrufs ist unbekannt" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:31 ++msgid "Unknown quality of protection specified" ++msgstr "unbekannte Schutzqualität angegeben" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:32 ++msgid "Local host name could not be determined" ++msgstr "lokaler Rechnername konnte nicht bestimmt werden" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:33 ++msgid "Hostname in SERVICE-NAME string could not be canonicalized" ++msgstr "" ++"Rechnername in der Zeichenkette »SERVICE-NAME« konnte nicht in Normalform " ++"gebracht werden" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:34 ++msgid "Mechanism is incorrect" ++msgstr "Mechanismus ist nicht korrekt" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:35 ++msgid "Token header is malformed or corrupt" ++msgstr "Token-Kopfzeilen haben die falsche Form oder sind beschädigt" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:36 ++msgid "Packet was replayed in wrong direction" ++msgstr "Paket wurde in falscher Richtung erneut abgespielt" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:37 ++msgid "Token is missing data" ++msgstr "dem Token fehlen Daten" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:38 ++msgid "Token was reflected" ++msgstr "Token wurde zurückgeworfen" ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:39 ++msgid "Received token ID does not match expected token ID" ++msgstr "Die empfangene Token-Kennung passt nicht zur erwarteten Token-Kennung." ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:40 ++msgid "The given credential's usage does not match the requested usage" ++msgstr "" ++"Die Verwendung der angegebenen Anmeldedaten passt nicht zur angeforderten " ++"Verwendung." ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:41 ++msgid "Storing of acceptor credentials is not supported by the mechanism" ++msgstr "" ++"Das Speichern von Abnehmeranmeldedaten wird nicht durch den Mechanismus " ++"unterstützt." ++ ++#: ../lib/gssapi/generic/gssapi_err_generic.c:42 ++msgid "Storing of non-default credentials is not supported by the mechanism" ++msgstr "" ++"Das Speichern von Nichtstandardanmeldedaten wird nicht durch den Mechanismus " ++"unterstützt." ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:23 ++msgid "Principal in credential cache does not match desired name" ++msgstr "" ++"Principal im Anmeldedatenzwischenspeicher entspricht nicht dem gewünschten " ++"Namen" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:24 ++msgid "No principal in keytab matches desired name" ++msgstr "Kein Principal in der Schlüsseltabelle passt zum gewünschten Namen." ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:25 ++msgid "Credential cache has no TGT" ++msgstr "Anmeldedatenzwischenspeicher hat kein TGT" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:26 ++msgid "Authenticator has no subkey" ++msgstr "Schlüsselziffer hat keinen Unterschlüssel" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:27 ++msgid "Context is already fully established" ++msgstr "Kontext wurde bereits vollständig eingerichtet" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:28 ++msgid "Unknown signature type in token" ++msgstr "unbekannter Signaturtyp im Token" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:29 ++msgid "Invalid field length in token" ++msgstr "falsche Feldlänge im Token" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:30 ++msgid "Attempt to use incomplete security context" ++msgstr "" ++"Es wurde versucht, einen unvollständigen Sicherheitskontext zu verwenden." ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:31 ++msgid "Bad magic number for krb5_gss_ctx_id_t" ++msgstr "falsche magische Zahl für »krb5_gss_ctx_id_t«" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:32 ++msgid "Bad magic number for krb5_gss_cred_id_t" ++msgstr "falsche magische Zahl für »krb5_gss_cred_id_t«" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:33 ++msgid "Bad magic number for krb5_gss_enc_desc" ++msgstr "falsche magische Zahl für »krb5_gss_enc_desc«" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:34 ++msgid "Sequence number in token is corrupt" ++msgstr "Sequnznummer im Token ist beschädigt" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:35 ++msgid "Credential cache is empty" ++msgstr "Anmeldedatenzwischenspeicher ist leer" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:36 ++msgid "Acceptor and Initiator share no checksum types" ++msgstr "Abnehmer und Initiator haben keinen gemeinsamen Prüfsummentyp" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:37 ++msgid "Requested lucid context version not supported" ++msgstr "angeforderte »lucid«-Kontextversion nicht unterstützt" ++ ++# PRF = Pseudo Random Function ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:38 ++msgid "PRF input too long" ++msgstr "PRF-Eingabe zu lang" ++ ++#: ../lib/gssapi/krb5/gssapi_err_krb5.c:39 ++msgid "Bad magic number for iakerb_ctx_id_t" ++msgstr "falsche magische Zahl für »iakerb_ctx_id_t«" ++ ++#: ../lib/kadm5/chpass_util_strings.c:23 ++msgid "while getting policy info." ++msgstr "beim Holen der Richtlinieninformation." ++ ++#: ../lib/kadm5/chpass_util_strings.c:24 ++msgid "while getting principal info." ++msgstr "beim Holen der Principal-Information." ++ ++#: ../lib/kadm5/chpass_util_strings.c:25 ++msgid "New passwords do not match - password not changed.\n" ++msgstr "neue Passwörter stimmen nicht überein – Passwort nicht geändert\n" ++ ++#: ../lib/kadm5/chpass_util_strings.c:26 ++msgid "New password" ++msgstr "neues Passwort" ++ ++#: ../lib/kadm5/chpass_util_strings.c:27 ++msgid "New password (again)" ++msgstr "neues Passwort (erneut)" ++ ++#: ../lib/kadm5/chpass_util_strings.c:28 ++msgid "" ++"You must type a password. Passwords must be at least one character long.\n" ++msgstr "" ++"Sie müssen ein Passwort eingeben. Passwörter müssen mindestens ein Zeichen " ++"lang sein.\n" ++ ++#: ../lib/kadm5/chpass_util_strings.c:29 ++msgid "yet no policy set! Contact your system security administrator." ++msgstr "" ++"noch keine Richtlinie gesetzt! Kontaktieren Sie Ihren " ++"Systemsicherheitsadministrator" ++ ++#: ../lib/kadm5/chpass_util_strings.c:31 ++msgid "" ++"New password was found in a dictionary of possible passwords and\n" ++"therefore may be easily guessed. Please choose another password.\n" ++"See the kpasswd man page for help in choosing a good password." ++msgstr "" ++"Das neue Passwort wurde in einem Wörterbuch mit möglichen Passwörtern " ++"gefunden\n" ++"und kann daher leicht erraten werden. Bitte wählen Sie ein anderes " ++"Passwort.\n" ++"Hilfe bei der Wahl guter Passwörter finden Sie in der Handbuchseite von\n" ++"»kpasswd«." ++ ++#: ../lib/kadm5/chpass_util_strings.c:32 ++msgid "Password not changed." ++msgstr "Passwort nicht geändert" ++ ++#: ../lib/kadm5/chpass_util_strings.c:33 ++#, c-format ++msgid "" ++"New password is too short.\n" ++"Please choose a password which is at least %d characters long." ++msgstr "" ++"Das neue Passwort ist zu kurz.\n" ++"Bitte wählen Sie ein Passwort, das mindestens %d Zeichen lang ist." ++ ++#: ../lib/kadm5/chpass_util_strings.c:34 ++#, c-format ++msgid "" ++"New password does not have enough character classes.\n" ++"The character classes are:\n" ++"\t- lower-case letters,\n" ++"\t- upper-case letters,\n" ++"\t- digits,\n" ++"\t- punctuation, and\n" ++"\t- all other characters (e.g., control characters).\n" ++"Please choose a password with at least %d character classes." ++msgstr "" ++"Das neue Passwort besteht aus zu wenigen Zeichenklassen.\n" ++"Die Zeichenklassen sind:\n" ++"\t- Kleinbuchstaben,\n" ++"\t- Großbuchstaben,\n" ++"\t- Ziffern,\n" ++"\t- Satzzeichen und\n" ++"\t- alle anderen Zeichen (z.B. Steuerzeichen).\n" ++"Bitte wählen Sie ein Passwort mit mindestens %d Zeichenklassen." ++ ++#: ../lib/kadm5/chpass_util_strings.c:35 ++#, c-format ++msgid "" ++"Password cannot be changed because it was changed too recently.\n" ++"Please wait until %s before you change it.\n" ++"If you need to change your password before then, contact your system\n" ++"security administrator." ++msgstr "" ++"Das Passwort kann nicht geändert werden, da es erst vor kurzem geändert " ++"wurde.\n" ++"Bitte warten Sie bis %s, ehe Sie es ändern.\n" ++"Falls Sie es vorher ändern müssen, kontaktieren Sie Ihren\n" ++"Systemsicherheitsadministrator." ++ ++#: ../lib/kadm5/chpass_util_strings.c:36 ++msgid "New password was used previously. Please choose a different password." ++msgstr "" ++"Das neue Passwort wurde zuvor schon benutzt. Bitte wählen Sie ein anderes " ++"Passwort." ++ ++#: ../lib/kadm5/chpass_util_strings.c:37 ++msgid "while trying to change password." ++msgstr "beim Versuch, das Passwort zu ändern." ++ ++#: ../lib/kadm5/chpass_util_strings.c:38 ++msgid "while reading new password." ++msgstr "beim Lesen des neuen Passworts." ++ ++#: ../lib/kadm5/kadm_err.c:23 ++msgid "Operation failed for unspecified reason" ++msgstr "Aktion aus nicht näher beschriebenem Grund fehlgeschlagen" ++ ++#: ../lib/kadm5/kadm_err.c:24 ++msgid "Operation requires ``get'' privilege" ++msgstr "Aktion erfordert »get«-Recht" ++ ++#: ../lib/kadm5/kadm_err.c:25 ++msgid "Operation requires ``add'' privilege" ++msgstr "Aktion erfordert »add«-Recht" ++ ++#: ../lib/kadm5/kadm_err.c:26 ++msgid "Operation requires ``modify'' privilege" ++msgstr "Aktion erfordert »modify«-Recht" ++ ++#: ../lib/kadm5/kadm_err.c:27 ++msgid "Operation requires ``delete'' privilege" ++msgstr "Aktion erfordert »delete«-Recht" ++ ++#: ../lib/kadm5/kadm_err.c:28 ++msgid "Insufficient authorization for operation" ++msgstr "unzureichende Berechtigung für diese Aktion" ++ ++#: ../lib/kadm5/kadm_err.c:29 ../lib/kdb/adb_err.c:29 ++msgid "Database inconsistency detected" ++msgstr "Datenbankinkonsistenz entdeckt" ++ ++#: ../lib/kadm5/kadm_err.c:30 ../lib/kdb/adb_err.c:24 ++msgid "Principal or policy already exists" ++msgstr "Principal oder Richtlinie existiert bereits" ++ ++#: ../lib/kadm5/kadm_err.c:31 ++msgid "Communication failure with server" ++msgstr "Kommunikation mit dem Server fehlgeschlagen" ++ ++#: ../lib/kadm5/kadm_err.c:32 ++msgid "No administration server found for realm" ++msgstr "kein Administrationsserver für den Realm gefunden" ++ ++#: ../lib/kadm5/kadm_err.c:33 ++msgid "Password history principal key version mismatch" ++msgstr "Die Passwortchronikschlüssel des Principals passen nicht zusammen." ++ ++#: ../lib/kadm5/kadm_err.c:34 ++msgid "Connection to server not initialized" ++msgstr "Verbindung zum Server nicht initialisiert" ++ ++#: ../lib/kadm5/kadm_err.c:35 ++msgid "Principal does not exist" ++msgstr "Principal existiert nicht" ++ ++#: ../lib/kadm5/kadm_err.c:36 ++msgid "Policy does not exist" ++msgstr "Richtlinie existiert nicht" ++ ++#: ../lib/kadm5/kadm_err.c:37 ++msgid "Invalid field mask for operation" ++msgstr "ungültige Feldmaske für Aktion" ++ ++#: ../lib/kadm5/kadm_err.c:38 ++msgid "Invalid number of character classes" ++msgstr "ungültige Anzahl von Zeichenklassen" ++ ++#: ../lib/kadm5/kadm_err.c:39 ++msgid "Invalid password length" ++msgstr "ungültige Passwortlänge" ++ ++#: ../lib/kadm5/kadm_err.c:40 ++msgid "Illegal policy name" ++msgstr "unzulässiger Richtlinienname" ++ ++#: ../lib/kadm5/kadm_err.c:41 ++msgid "Illegal principal name" ++msgstr "unzulässiger Principal-Name" ++ ++# FIXME s/auxillary/auxilary/ ++#: ../lib/kadm5/kadm_err.c:42 ++msgid "Invalid auxillary attributes" ++msgstr "ungültige Zusatzattribute" ++ ++#: ../lib/kadm5/kadm_err.c:43 ++msgid "Invalid password history count" ++msgstr "ungültige Passwortchronikanzahl" ++ ++#: ../lib/kadm5/kadm_err.c:44 ++msgid "Password minimum life is greater than password maximum life" ++msgstr "Die minimale Lebensdauer des Passworts ist größer als die maximale." ++ ++#: ../lib/kadm5/kadm_err.c:45 ++msgid "Password is too short" ++msgstr "Das Passwort ist zu kurz." ++ ++#: ../lib/kadm5/kadm_err.c:46 ++msgid "Password does not contain enough character classes" ++msgstr "Das Passwort enthält nicht genug Zeichenklassen." ++ ++#: ../lib/kadm5/kadm_err.c:47 ++msgid "Password is in the password dictionary" ++msgstr "Das Passwort steht im Passwortwörterbuch." ++ ++#: ../lib/kadm5/kadm_err.c:48 ++msgid "Cannot reuse password" ++msgstr "Das Passwort kann nicht erneut verwendet werden." ++ ++#: ../lib/kadm5/kadm_err.c:49 ++msgid "Current password's minimum life has not expired" ++msgstr "Die aktuell minimale Lebensdauer des Passworts ist nicht abgelaufen." ++ ++#: ../lib/kadm5/kadm_err.c:50 ../lib/krb5/error_tables/kdb5_err.c:67 ++msgid "Policy is in use" ++msgstr "Richtlinie ist in Benutzung" ++ ++#: ../lib/kadm5/kadm_err.c:51 ++msgid "Connection to server already initialized" ++msgstr "Verbindung zum Server ist bereits initialisiert" ++ ++#: ../lib/kadm5/kadm_err.c:52 ++msgid "Incorrect password" ++msgstr "falsches Passwort" ++ ++#: ../lib/kadm5/kadm_err.c:53 ++msgid "Cannot change protected principal" ++msgstr "geschützter Principal kann nicht geändert werden" ++ ++#: ../lib/kadm5/kadm_err.c:54 ++msgid "Programmer error! Bad Admin server handle" ++msgstr "Fehler des Programmierers! Falscher Admin-Server-Identifikator" ++ ++#: ../lib/kadm5/kadm_err.c:55 ++msgid "Programmer error! Bad API structure version" ++msgstr "Fehler des Programmierers! Falsche API-Strukturversion" ++ ++#: ../lib/kadm5/kadm_err.c:56 ++msgid "" ++"API structure version specified by application is no longer supported (to " ++"fix, recompile application against current KADM5 API header files and " ++"libraries)" ++msgstr "" ++"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger " ++"unterstützt. (Kompilieren Sie die Anwendung mit den aktuellen KADM5-API-" ++"Header-Dateien und -Bibliotheken, um dies zu beheben.)" ++ ++#: ../lib/kadm5/kadm_err.c:57 ++msgid "" ++"API structure version specified by application is unknown to libraries (to " ++"fix, obtain current KADM5 API header files and libraries and recompile " ++"application)" ++msgstr "" ++"Die von der Anwendung angegebene Version der API-Struktur ist den " ++"Bibliotheken unbekannt. (Besorgen Sie sich die aktuellen KADM5-API-Header-" ++"Dateien und -Bibliotheken und kompilieren Sie die Anwendung neu, um dies zu " ++"beheben.)" ++ ++#: ../lib/kadm5/kadm_err.c:58 ++msgid "Programmer error! Bad API version" ++msgstr "Fehler des Programmierers! Falsche API-Version" ++ ++#: ../lib/kadm5/kadm_err.c:59 ++msgid "" ++"API version specified by application is no longer supported by libraries (to " ++"fix, update application to adhere to current API version and recompile)" ++msgstr "" ++"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger " ++"von den Bibliotheken unterstützt. (Aktualisieren Sie die Anwendung, dass sie " ++"zu der aktuellen API-Version passt, und kompilieren Sie sie, um dies zu " ++"beheben.)" ++ ++#: ../lib/kadm5/kadm_err.c:60 ++msgid "" ++"API version specified by application is no longer supported by server (to " ++"fix, update application to adhere to current API version and recompile)" ++msgstr "" ++"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger " ++"vom Server unterstützt. (Aktualisieren Sie die Anwendung, dass sie zu der " ++"aktuellen API-Version passt, und kompilieren Sie sie, um dies zu beheben.)" ++ ++#: ../lib/kadm5/kadm_err.c:61 ++msgid "" ++"API version specified by application is unknown to libraries (to fix, obtain " ++"current KADM5 API header files and libraries and recompile application)" ++msgstr "" ++"Die von der Anwendung angegebenene API-Version ist den Bibliotheken " ++"unbekannt. (Besorgen Sie sich die aktuellen KADM5-API-Header-Dateien und -" ++"Bibliotheken und kompilieren Sie die Anwendung neu, um dies zu beheben.)" ++ ++#: ../lib/kadm5/kadm_err.c:62 ++msgid "" ++"API version specified by application is unknown to server (to fix, obtain " ++"and install newest KADM5 Admin Server)" ++msgstr "" ++"Die von der Anwendung angegebene API-Version ist dem Server unbekannt. " ++"(Besorgen und installieren Sie sich den neuesten KADM5-Admin-Server, um dies " ++"zu beheben.)" ++ ++#: ../lib/kadm5/kadm_err.c:63 ++msgid "Database error! Required KADM5 principal missing" ++msgstr "Datenbankfehler! Erforderlicher KADM5-Principal fehlt" ++ ++#: ../lib/kadm5/kadm_err.c:64 ++msgid "The salt type of the specified principal does not support renaming" ++msgstr "Der Salt-Typ des angegebenen Principals unterstützt kein Umbenennen." ++ ++#: ../lib/kadm5/kadm_err.c:65 ++msgid "Illegal configuration parameter for remote KADM5 client" ++msgstr "widerrechtlicher Konfigurationsparameter für fernen KADM5-Client" ++ ++#: ../lib/kadm5/kadm_err.c:66 ++msgid "Illegal configuration parameter for local KADM5 client" ++msgstr "widerrechtlicher Konfigurationsparameter für lokalen KADM5-Client" ++ ++#: ../lib/kadm5/kadm_err.c:67 ++msgid "Operation requires ``list'' privilege" ++msgstr "Aktion erfordert das »list«-Recht" ++ ++#: ../lib/kadm5/kadm_err.c:68 ++msgid "Operation requires ``change-password'' privilege" ++msgstr "Aktion erfordert das »change-password«-Recht" ++ ++#: ../lib/kadm5/kadm_err.c:69 ++msgid "GSS-API (or Kerberos) error" ++msgstr "GSS-API- (oder Kerberos-) Fehler" ++ ++#: ../lib/kadm5/kadm_err.c:70 ++msgid "Programmer error! Illegal tagged data list type" ++msgstr "" ++"Fehler des Programmierers! Widerrechlicher Listentyp für gekennzeichnete " ++"Daten" ++ ++#: ../lib/kadm5/kadm_err.c:71 ++msgid "Required parameters in kdc.conf missing" ++msgstr "erforderliche Parameter in »kdc.conf« fehlen" ++ ++#: ../lib/kadm5/kadm_err.c:72 ++msgid "Bad krb5 admin server hostname" ++msgstr "falscher Rechnername des KRB5-Admin-Servers" ++ ++#: ../lib/kadm5/kadm_err.c:73 ++msgid "Operation requires ``set-key'' privilege" ++msgstr "Aktion erfordert das »set-key«-Recht" ++ ++#: ../lib/kadm5/kadm_err.c:74 ++msgid "Multiple values for single or folded enctype" ++msgstr "" ++"mehrere Werte für einzelnen Verschlüsselungstyp oder Verschlüsselungstyp mit " ++"Salt" ++ ++#: ../lib/kadm5/kadm_err.c:75 ++msgid "Invalid enctype for setv4key" ++msgstr "widerrechtlicher Verschlüsselungstyp für Setv4key" ++ ++#: ../lib/kadm5/kadm_err.c:76 ++msgid "Mismatched enctypes for setkey3" ++msgstr "nicht zusammenpassende Verschlüsselungstypen für Setkey3" ++ ++#: ../lib/kadm5/kadm_err.c:77 ++msgid "Missing parameters in krb5.conf required for kadmin client" ++msgstr "für Kadmin-Client benötigte Parameter fehlen in »krb5.conf«" ++ ++#: ../lib/kadm5/kadm_err.c:78 ../lib/kdb/adb_err.c:30 ++msgid "XDR encoding error" ++msgstr "XDR-Verschlüsselungsfehler" ++ ++#: ../lib/kadm5/kadm_err.c:79 ++msgid "Cannot resolve network address for admin server in requested realm" ++msgstr "" ++"Die Netzwerkadresse für den Admin-Server im angeforderten Realm kann nicht " ++"aufgelöst werden." ++ ++#: ../lib/kadm5/kadm_err.c:80 ++msgid "Unspecified password quality failure" ++msgstr "nicht näher angegebener Passwortqualitätsfehlschlag" ++ ++#: ../lib/kadm5/kadm_err.c:81 ++msgid "Invalid key/salt tuples" ++msgstr "ungültige Schlüssel-/Salt-Tupel" ++ ++#: ../lib/kdb/adb_err.c:23 ++msgid "No Error" ++msgstr "kein Fehler" ++ ++#: ../lib/kdb/adb_err.c:25 ++msgid "Principal or policy does not exist" ++msgstr "Principal oder Richtlinie existiert nicht" ++ ++#: ../lib/kdb/adb_err.c:26 ++msgid "Database not initialized" ++msgstr "Datenbank nicht initialisiert" ++ ++#: ../lib/kdb/adb_err.c:27 ++msgid "Invalid policy name" ++msgstr "ungültiger Richtlinienname" ++ ++#: ../lib/kdb/adb_err.c:28 ++msgid "Invalid principal name" ++msgstr "ungültiger Principal-Name" ++ ++#: ../lib/kdb/adb_err.c:31 ++msgid "Failure!" ++msgstr "Fehlschlag!" ++ ++#: ../lib/kdb/adb_err.c:32 ++msgid "Bad lock mode" ++msgstr "falscher Sperrmodus" ++ ++#: ../lib/kdb/adb_err.c:33 ++msgid "Cannot lock database" ++msgstr "Datenbank kann nicht gesperrt werden" ++ ++#: ../lib/kdb/adb_err.c:34 ++msgid "Database not locked" ++msgstr "Datenbank nicht gesperrt" ++ ++#: ../lib/kdb/adb_err.c:35 ++msgid "KADM5 administration database lock file missing" ++msgstr "Sperrdatei der KADM5-Verwaltungsdatenbank fehlt" ++ ++#: ../lib/kdb/adb_err.c:36 ++msgid "Insufficient permission to lock file" ++msgstr "keine ausreichenden Rechte zum Sperren der Datei" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:23 ++msgid "Plugin does not support interface version" ++msgstr "Erweiterung unterstützt nicht die Schnittstellenversion" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:24 ++msgid "Invalid module specifier" ++msgstr "ungültige Modulangabe" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:25 ++msgid "Plugin module name not found" ++msgstr "Erweiterungsmodulname nicht gefunden" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:26 ++msgid "The KDC should discard this request" ++msgstr "Das KDC sollte diese Anfrage verwerfen" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:27 ++msgid "Can't create new subsidiary cache" ++msgstr "Der neue ergänzende Zwischenspeicher kann nicht erzeugt werden" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:28 ++msgid "Invalid keyring anchor name" ++msgstr "ungültiger Schlüsselbundverankerungsname" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:29 ++msgid "Unknown keyring collection version" ++msgstr "unbekannte Schlüsselbundsammlungsversion" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:30 ++msgid "Invalid UID in persistent keyring name" ++msgstr "ungültige UID im beständigen Schlüsselbundnamen" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:31 ++msgid "Malformed reply from KCM daemon" ++msgstr "Antwort des KCM-Daemons hat die falsche Form" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:32 ++msgid "Mach RPC error communicating with KCM daemon" ++msgstr "Mach-RPC-Fehler beim der Kommunikation mit dem KCM-Daemon" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:33 ++msgid "KCM daemon reply too big" ++msgstr "Antwort des KCM-Daemons zu groß" ++ ++#: ../lib/krb5/error_tables/k5e1_err.c:34 ++msgid "No KCM server found" ++msgstr "Kein KCM-Server gefunden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:24 ++msgid "Client's entry in database has expired" ++msgstr "Eintrag des Clients in der Datenbank ist abgelaufen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:25 ++msgid "Server's entry in database has expired" ++msgstr "Eintrag des Servers in der Datenbank ist abgelaufen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:26 ++msgid "Requested protocol version not supported" ++msgstr "angeforderte Protokollversion nicht unterstützt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:27 ++msgid "Client's key is encrypted in an old master key" ++msgstr "" ++"Der Schlüssel des Clients wurde mit einem alten Hauptschlüssel verschlüsselt." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:28 ++msgid "Server's key is encrypted in an old master key" ++msgstr "" ++"Der Schlüssel des Servers wurde mit einem alten Hauptschlüssel verschlüsselt." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:29 ++msgid "Client not found in Kerberos database" ++msgstr "Client nicht in der Kerberos-Datenbank gefunden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:30 ++msgid "Server not found in Kerberos database" ++msgstr "Server nicht in der Kerberos-Datenbank gefunden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:31 ++msgid "Principal has multiple entries in Kerberos database" ++msgstr "Principal hat in der Kerberos-Datenbank mehrere Einträge" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:32 ++msgid "Client or server has a null key" ++msgstr "Client oder Server hat einen Nullschlüssel" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:33 ++msgid "Ticket is ineligible for postdating" ++msgstr "Ticket ist zum Vordatieren ungeeignet" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:34 ++msgid "Requested effective lifetime is negative or too short" ++msgstr "Die angeforderte effektive Lebensdauer ist negativ oder zu kurz." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:35 ++msgid "KDC policy rejects request" ++msgstr "KDC-Richtlinie weist die Anfrage zurück" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:36 ++msgid "KDC can't fulfill requested option" ++msgstr "KDC kann erforderliche Option nicht erfüllen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:37 ++msgid "KDC has no support for encryption type" ++msgstr "KDC unterstützt diesen Verschlüsselungstyp nicht" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:38 ++msgid "KDC has no support for checksum type" ++msgstr "KDC unterstützt diesen Prüfsummentyp nicht" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:39 ++msgid "KDC has no support for padata type" ++msgstr "KDC unterstützt diesen Padata-Typ nicht" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:40 ++msgid "KDC has no support for transited type" ++msgstr "KDC unterstützt diesen Übergangstyp nicht" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:41 ++msgid "Clients credentials have been revoked" ++msgstr "Anmeldedaten des Clients wurden widerrufen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:42 ++msgid "Credentials for server have been revoked" ++msgstr "Anmeldedaten für den Server wurden widerrufen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:43 ++msgid "TGT has been revoked" ++msgstr "TGT wurde widerrufen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:44 ++msgid "Client not yet valid - try again later" ++msgstr "Client noch nicht gültig – versuchen Sie es später noch einmal" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:45 ++msgid "Server not yet valid - try again later" ++msgstr "Server noch nicht gültig – versuchen Sie es später noch einmal" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:46 ++msgid "Password has expired" ++msgstr "Passwort ist abgelaufen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:47 ++msgid "Preauthentication failed" ++msgstr "Vorauthentifizierung fehlgeschlagen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:48 ++msgid "Additional pre-authentication required" ++msgstr "zusätzlich Vorauthentifizierung erforderlich" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:49 ++msgid "Requested server and ticket don't match" ++msgstr "abgefragter Server und Ticket passen nicht zusammen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:50 ++msgid "Server principal valid for user2user only" ++msgstr "Der Server-Principal ist nur für »user2user« gültig" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:51 ++msgid "KDC policy rejects transited path" ++msgstr "KDC-Richtlinie verwirft durchgereichten Pfad" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:52 ++msgid "A service is not available that is required to process the request" ++msgstr "" ++"Ein Dienst, der zum Verarbeiten der Abfrage erforderlich ist, ist nicht " ++"verfügbar." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:53 ++msgid "KRB5 error code 30" ++msgstr "KRB5-Fehlercode 30" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:54 ++msgid "Decrypt integrity check failed" ++msgstr "Entschlüsselungsintegritätsprüfung fehlgeschlagen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:55 ++msgid "Ticket expired" ++msgstr "Ticket abgelaufen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:56 ++msgid "Ticket not yet valid" ++msgstr "Ticket noch nicht gültig" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:57 ++msgid "Request is a replay" ++msgstr "Anfrage ist eine Wiederholung" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:58 ++msgid "The ticket isn't for us" ++msgstr "Das Ticket ist nicht für uns." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:59 ++msgid "Ticket/authenticator don't match" ++msgstr "Ticket/Schlüsselziffer passen nicht zueinander" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:60 ++msgid "Clock skew too great" ++msgstr "Uhrzeitabweichung zu groß" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:61 ++msgid "Incorrect net address" ++msgstr "falsche Netzwerkadresse" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:62 ++msgid "Protocol version mismatch" ++msgstr "Protokollversion passt nicht" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:63 ++msgid "Invalid message type" ++msgstr "ungültiger Nachrichtentyp" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:64 ++msgid "Message stream modified" ++msgstr "Nachrichtendatenstrom geändert" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:65 ++msgid "Message out of order" ++msgstr "Nachricht nicht in Ordnung" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:66 ++msgid "Illegal cross-realm ticket" ++msgstr "Widerrechliches Realm-übergreifendes Ticket" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:67 ++msgid "Key version is not available" ++msgstr "Schlüsselversion ist nicht verfügbar" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:68 ++msgid "Service key not available" ++msgstr "Dienstschlüssel nicht verfügbar" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:69 ++#: ../lib/krb5/error_tables/krb5_err.c:181 ++msgid "Mutual authentication failed" ++msgstr "gegenseitige Authentifizierung fehlgeschlagen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:70 ++msgid "Incorrect message direction" ++msgstr "falsche Nachrichtenrichtung" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:71 ++msgid "Alternative authentication method required" ++msgstr "alternative Authentifizierungsmethode erforderlich" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:72 ++msgid "Incorrect sequence number in message" ++msgstr "falsche Sequenznummer in der Nachricht" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:73 ++msgid "Inappropriate type of checksum in message" ++msgstr "ungeeigneter Prüfsummentyp in der Nachricht" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:74 ++msgid "Policy rejects transited path" ++msgstr "Richtlinie verwirft durchgereichten Pfad" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:75 ++msgid "Response too big for UDP, retry with TCP" ++msgstr "Antwort für UDP zu groß, erneuter Versuch mit TCP" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:76 ++msgid "KRB5 error code 53" ++msgstr "KRB5-Fehlercode 53" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:77 ++msgid "KRB5 error code 54" ++msgstr "KRB5-Fehlercode 54" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:78 ++msgid "KRB5 error code 55" ++msgstr "KRB5-Fehlercode 55" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:79 ++msgid "KRB5 error code 56" ++msgstr "KRB5-Fehlercode 56" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:80 ++msgid "KRB5 error code 57" ++msgstr "KRB5-Fehlercode 57" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:81 ++msgid "KRB5 error code 58" ++msgstr "KRB5-Fehlercode 58" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:82 ++msgid "KRB5 error code 59" ++msgstr "KRB5-Fehlercode 59" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:83 ++msgid "Generic error (see e-text)" ++msgstr "allgemeiner Fehler (siehe E-Text)" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:84 ++msgid "Field is too long for this implementation" ++msgstr "Feld ist für diese Implementierung zu lang" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:85 ++msgid "Client not trusted" ++msgstr "Client nicht vertrauenswürdig" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:86 ++msgid "KDC not trusted" ++msgstr "KDC nicht vertrauenswürdig" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:87 ++msgid "Invalid signature" ++msgstr "ungültige Signatur" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:88 ++msgid "Key parameters not accepted" ++msgstr "Schlüsselparameter nicht akzeptiert" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:89 ++msgid "Certificate mismatch" ++msgstr "Zertifikat passt nicht" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:90 ++msgid "No ticket granting ticket" ++msgstr "kein ticketgewährendes Ticket" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:91 ++msgid "Realm not local to KDC" ++msgstr "Realm für KDC nicht lokal" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:92 ++msgid "User to user required" ++msgstr "Benutzer-zu-Benutzer erforderlich" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:93 ++msgid "Can't verify certificate" ++msgstr "Zertifikat kann nicht überprüft werden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:94 ++msgid "Invalid certificate" ++msgstr "ungültiges Zertifikat" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:95 ++msgid "Revoked certificate" ++msgstr "widerrufenes Zertifikat" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:96 ++msgid "Revocation status unknown" ++msgstr "Widerrufsstatus unbekannt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:97 ++msgid "Revocation status unavailable" ++msgstr "Widerrufsstatus nicht verfügbar" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:98 ++msgid "Client name mismatch" ++msgstr "Client-Name passt nicht" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:99 ++msgid "KDC name mismatch" ++msgstr "KDC-Name passt nicht" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:100 ++msgid "Inconsistent key purpose" ++msgstr "inkonstistenter Schlüsselzweck" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:101 ++msgid "Digest in certificate not accepted" ++msgstr "Kurzfassung im Zertifikat nicht akzeptiert" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:102 ++msgid "Checksum must be included" ++msgstr "Prüfsumme muss enthalten sein" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:103 ++msgid "Digest in signed-data not accepted" ++msgstr "Kurzfassung in signierten Daten nicht akzeptiert" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:104 ++msgid "Public key encryption not supported" ++msgstr "Asymetrische Verschlüsselung nicht unterstützt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:105 ++msgid "KRB5 error code 82" ++msgstr "KRB5-Fehlercode 82" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:106 ++msgid "KRB5 error code 83" ++msgstr "KRB5-Fehlercode 83" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:107 ++msgid "KRB5 error code 84" ++msgstr "KRB5-Fehlercode 84" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:108 ++msgid "The IAKERB proxy could not find a KDC" ++msgstr "Der IAKERB-Proxy konnte kein KDC finden." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:109 ++msgid "The KDC did not respond to the IAKERB proxy" ++msgstr "Das KDC anwortete dem IAKERB-Proxy nicht." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:110 ++msgid "KRB5 error code 87" ++msgstr "KRB5-Fehlercode 87" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:111 ++msgid "KRB5 error code 88" ++msgstr "KRB5-Fehlercode 88" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:112 ++msgid "KRB5 error code 89" ++msgstr "KRB5-Fehlercode 89" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:113 ++msgid "KRB5 error code 90" ++msgstr "KRB5-Fehlercode 90" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:114 ++msgid "KRB5 error code 91" ++msgstr "KRB5-Fehlercode 91" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:115 ++msgid "KRB5 error code 92" ++msgstr "KRB5-Fehlercode 92" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:116 ++msgid "An unsupported critical FAST option was requested" ++msgstr "Es wurde eine nicht unterstützte kritische FAST-Aktion angefordert." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:117 ++msgid "KRB5 error code 94" ++msgstr "KRB5-Fehlercode 94" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:118 ++msgid "KRB5 error code 95" ++msgstr "KRB5-Fehlercode 95" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:119 ++msgid "KRB5 error code 96" ++msgstr "KRB5-Fehlercode 96" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:120 ++msgid "KRB5 error code 97" ++msgstr "KRB5-Fehlercode 97" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:121 ++msgid "KRB5 error code 98" ++msgstr "KRB5-Fehlercode 98" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:122 ++msgid "KRB5 error code 99" ++msgstr "KRB5-Fehlercode 99" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:123 ++msgid "No acceptable KDF offered" ++msgstr "kein akzeptables KDF angeboten" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:124 ++msgid "KRB5 error code 101" ++msgstr "KRB5-Fehlercode 101" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:125 ++msgid "KRB5 error code 102" ++msgstr "KRB5-Fehlercode 102" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:126 ++msgid "KRB5 error code 103" ++msgstr "KRB5-Fehlercode 103" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:127 ++msgid "KRB5 error code 104" ++msgstr "KRB5-Fehlercode 104" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:128 ++msgid "KRB5 error code 105" ++msgstr "KRB5-Fehlercode 105" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:129 ++msgid "KRB5 error code 106" ++msgstr "KRB5-Fehlercode 106" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:130 ++msgid "KRB5 error code 107" ++msgstr "KRB5-Fehlercode 107" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:131 ++msgid "KRB5 error code 108" ++msgstr "KRB5-Fehlercode 108" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:132 ++msgid "KRB5 error code 109" ++msgstr "KRB5-Fehlercode 109" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:133 ++msgid "KRB5 error code 110" ++msgstr "KRB5-Fehlercode 110" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:134 ++msgid "KRB5 error code 111" ++msgstr "KRB5-Fehlercode 111" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:135 ++msgid "KRB5 error code 112" ++msgstr "KRB5-Fehlercode 112" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:136 ++msgid "KRB5 error code 113" ++msgstr "KRB5-Fehlercode 113" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:137 ++msgid "KRB5 error code 114" ++msgstr "KRB5-Fehlercode 114" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:138 ++msgid "KRB5 error code 115" ++msgstr "KRB5-Fehlercode 115" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:139 ++msgid "KRB5 error code 116" ++msgstr "KRB5-Fehlercode 116" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:140 ++msgid "KRB5 error code 117" ++msgstr "KRB5-Fehlercode 117" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:141 ++msgid "KRB5 error code 118" ++msgstr "KRB5-Fehlercode 118" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:142 ++msgid "KRB5 error code 119" ++msgstr "KRB5-Fehlercode 119" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:143 ++msgid "KRB5 error code 120" ++msgstr "KRB5-Fehlercode 120" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:144 ++msgid "KRB5 error code 121" ++msgstr "KRB5-Fehlercode 121" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:145 ++msgid "KRB5 error code 122" ++msgstr "KRB5-Fehlercode 122" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:146 ++msgid "KRB5 error code 123" ++msgstr "KRB5-Fehlercode 123" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:147 ++msgid "KRB5 error code 124" ++msgstr "KRB5-Fehlercode 124" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:148 ++msgid "KRB5 error code 125" ++msgstr "KRB5-Fehlercode 125" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:149 ++msgid "KRB5 error code 126" ++msgstr "KRB5-Fehlercode 126" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:150 ++msgid "KRB5 error code 127" ++msgstr "KRB5-Fehlercode 127" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:151 ++#: ../lib/krb5/error_tables/kdb5_err.c:23 ++msgid "$Id$" ++msgstr "$Id$" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:152 ++msgid "Invalid flag for file lock mode" ++msgstr "ungültiger Schalter für den Datei-Sperrmodus" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:153 ++msgid "Cannot read password" ++msgstr "Passwort kann nicht gelesen werden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:154 ++msgid "Password mismatch" ++msgstr "Passwort stimmt nicht überein" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:155 ++msgid "Password read interrupted" ++msgstr "Lesen des Passworts unterbrochen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:156 ++msgid "Illegal character in component name" ++msgstr "ungültiges Zeichen in Komponentenname" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:157 ++msgid "Malformed representation of principal" ++msgstr "Darstellung des Principals in falscher Form" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:158 ++msgid "Can't open/find Kerberos configuration file" ++msgstr "Kerberos-Konfigurationsdatei kann nicht geöffnet/gefunden werden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:159 ++msgid "Improper format of Kerberos configuration file" ++msgstr "Format der Kerberos-Konfigurationsdatei ist ungeeignet" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:160 ++msgid "Insufficient space to return complete information" ++msgstr "Platz reicht nicht zur Rückgabe aller Informationen aus" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:161 ++msgid "Invalid message type specified for encoding" ++msgstr "der zum Kodieren angegebene Nachrichtentyp ist ungültig" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:162 ++msgid "Credential cache name malformed" ++msgstr "falsche Form des Anmeldedatenzwischenspeichernamens" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:163 ++msgid "Unknown credential cache type" ++msgstr "unbekannter Anmeldedatenzwischenspeichertyp" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:164 ++msgid "Matching credential not found" ++msgstr "keine passenden Anmeldedaten gefunden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:165 ++msgid "End of credential cache reached" ++msgstr "Ende des Anmeldedatenzwischenspeichers erreicht" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:166 ++msgid "Request did not supply a ticket" ++msgstr "Anfrage lieferte kein Ticket" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:167 ++msgid "Wrong principal in request" ++msgstr "falscher Principal in der Anfrage" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:168 ++msgid "Ticket has invalid flag set" ++msgstr "Das Ticket hat einen falsch gesetzten Schalter." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:169 ++msgid "Requested principal and ticket don't match" ++msgstr "angeforderter Principal und Ticket passen nicht zusammen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:170 ++msgid "KDC reply did not match expectations" ++msgstr "KDC-Antwort entsprach nicht den Erwartungen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:171 ++msgid "Clock skew too great in KDC reply" ++msgstr "Zeitversatz in der KDC-Antwort zu groß" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:172 ++msgid "Client/server realm mismatch in initial ticket request" ++msgstr "" ++"Client-/Server-Realm passen in der anfänglichen Ticketanfrage nicht zusammen." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:173 ++msgid "Program lacks support for encryption type" ++msgstr "" ++"Dem Programm fehlt es an der Unterstützung für den Verschlüsselungstyp." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:174 ++msgid "Program lacks support for key type" ++msgstr "Dem Programm fehlt es an der Unterstützung für den Schlüsseltyp." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:175 ++msgid "Requested encryption type not used in message" ++msgstr "" ++"Der angeforderte Verschlüsselungstyp wird in der Nachricht nicht verwendet." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:176 ++msgid "Program lacks support for checksum type" ++msgstr "Dem Programm fehlt es an der Unterstützung für den Prüfsummentyp." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:177 ++msgid "Cannot find KDC for requested realm" ++msgstr "KDC für angeforderten Realm kann nicht gefunden werden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:178 ++msgid "Kerberos service unknown" ++msgstr "Kerberos-Dienst unbekannt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:179 ++msgid "Cannot contact any KDC for requested realm" ++msgstr "Für den angeforderten Realm kann kein KDC kontaktiert werden." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:180 ++msgid "No local name found for principal name" ++msgstr "Für den Principal-Namen wurde kein lokaler Name gefunden." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:182 ++msgid "Replay cache type is already registered" ++msgstr "Wiederholungszwischenspeichertyp ist bereits registriert" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:183 ++msgid "No more memory to allocate (in replay cache code)" ++msgstr "" ++"kein Speicher mehr zu reservieren (im Wiederholungszwischenspeichercode)" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:184 ++msgid "Replay cache type is unknown" ++msgstr "Wiederholungszwischenspeichertyp ist unbekannt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:185 ++msgid "Generic unknown RC error" ++msgstr "allgemeiner unbekannter Wiederholungszwischenspeicherfehler" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:186 ++msgid "Message is a replay" ++msgstr "Nachricht ist eine Wiederholung" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:187 ++msgid "Replay cache I/O operation failed" ++msgstr "Wiederholungszwischenspeicher-E/A-Aktion fehlgeschlagen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:188 ++msgid "Replay cache type does not support non-volatile storage" ++msgstr "" ++"Wiederholungszwischenspeichertyp unterstützt keinen beständigen Speicher" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:189 ++msgid "Replay cache name parse/format error" ++msgstr "Auswerte-/Formatfehler im Wiederholungszwischenspeichernamens" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:190 ++msgid "End-of-file on replay cache I/O" ++msgstr "Dateiende bei der E/A des Wiederholungszwischenspeichers" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:191 ++msgid "No more memory to allocate (in replay cache I/O code)" ++msgstr "" ++"kein weiterer Speicher reservierbar (im Wiederholungszwischenspeicher-E/A-" ++"Code)" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:192 ++msgid "Permission denied in replay cache code" ++msgstr "Zugriff im Wiederholungszwischenspeichercode verweigert" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:193 ++msgid "I/O error in replay cache i/o code" ++msgstr "E/A-Fehler im Wiederholungszwischenspeicher-E/A-Code" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:194 ++msgid "Generic unknown RC/IO error" ++msgstr "allgemeiner unbekannter Wiederholungszwischenspeicher-/E/A-Fehler" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:195 ++msgid "Insufficient system space to store replay information" ++msgstr "" ++"Platz im System reicht nicht zum Speichern der Wiederholungsinformationen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:196 ++msgid "Can't open/find realm translation file" ++msgstr "Realm-Übersetzungsdatei kann nicht geöffnet/gefunden werden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:197 ++msgid "Improper format of realm translation file" ++msgstr "Format der Realm-Übersetzungsdatei ist ungeeignet" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:198 ++msgid "Can't open/find lname translation database" ++msgstr "die Lname-Übersetzungsdatenbank kann nicht geöffnet/gefunden werden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:199 ++msgid "No translation available for requested principal" ++msgstr "Für den angeforderten Principal ist keine Übersetzung verfügbar." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:200 ++msgid "Improper format of translation database entry" ++msgstr "Format des Eintrags der Übersetzungsdatenbank ist ungeeignet" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:201 ++msgid "Cryptosystem internal error" ++msgstr "interner Fehler des Verschlüsselungssystems" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:202 ++msgid "Key table name malformed" ++msgstr "falsche Form des Schlüsseltabellennamens" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:203 ++msgid "Unknown Key table type" ++msgstr "unbekannter Schlüsseltabellentyp" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:204 ++msgid "Key table entry not found" ++msgstr "Schlüsseltabelleneintrag nicht gefunden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:205 ++msgid "End of key table reached" ++msgstr "Ende der Schlüsseltabelle erreicht" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:206 ++msgid "Cannot write to specified key table" ++msgstr "in angegebene Schlüsseltabelle kann nicht geschrieben werden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:207 ++msgid "Error writing to key table" ++msgstr "Fehler beim Schreiben in Schlüsseltabelle" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:208 ++msgid "Cannot find ticket for requested realm" ++msgstr "Ticket für angeforderten Realm kann nicht gefunden werden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:209 ++msgid "DES key has bad parity" ++msgstr "DES-Schlüssel hat falsche Parität" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:210 ++msgid "DES key is a weak key" ++msgstr "DES-Schlüssel ist schwach" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:211 ++msgid "Bad encryption type" ++msgstr "falscher Verschlüsselungstyp" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:212 ++msgid "Key size is incompatible with encryption type" ++msgstr "Schlüssellänge ist nicht mit dem Verschlüsselungstyp kompatibel" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:213 ++msgid "Message size is incompatible with encryption type" ++msgstr "Nachrichtengröße ist nicht mit Verschlüsselungstyp kompatibel" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:214 ++msgid "Credentials cache type is already registered." ++msgstr "Anmeldedatenzwischenspeichertyp ist bereits registriert" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:215 ++msgid "Key table type is already registered." ++msgstr "Schlüsseltabellentyp ist bereits registriert" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:216 ++msgid "Credentials cache I/O operation failed XXX" ++msgstr "E/A-Aktion für Anmeldedatenzwischenspeicher fehlgeschlagen XXX" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:217 ++msgid "Credentials cache permissions incorrect" ++msgstr "Anmeldedatenzwischenspeicherrechte nicht korrekt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:218 ++msgid "No credentials cache found" ++msgstr "kein Anmeldedatenzwischenspeicher gefunden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:219 ++msgid "Internal credentials cache error" ++msgstr "interner Anmeldedatenzwischenspeicherfehler" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:220 ++msgid "Error writing to credentials cache" ++msgstr "Fehler beim Schreiben in den Anmeldedatenzwischenspeicher" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:221 ++msgid "No more memory to allocate (in credentials cache code)" ++msgstr "" ++"kein weiterer Speicher zu reservieren (im Anmeldedatenzwischenspeichercode)" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:222 ++msgid "Bad format in credentials cache" ++msgstr "falsches Format im Anmeldedatenzwischenspeicher" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:223 ++msgid "No credentials found with supported encryption types" ++msgstr "keine Anmeldedaten mit unterstützten Verschlüsselungstypen gefunden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:224 ++msgid "Invalid KDC option combination (library internal error)" ++msgstr "ungültige Kombination von KDC-Optionen (interner Bibliotheksfehler)" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:225 ++msgid "Request missing second ticket" ++msgstr "Der Anfrage fehlt das zweite Ticket." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:226 ++msgid "No credentials supplied to library routine" ++msgstr "der Bibliotheks-Routine wurden keine Anmeldedaten geliefert" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:227 ++msgid "Bad sendauth version was sent" ++msgstr "Es wurde eine falsche Sendauth-Version verschickt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:228 ++msgid "Bad application version was sent (via sendauth)" ++msgstr "Es wurde eine falsche Anwendungsversion (über Sendauth) verschickt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:229 ++msgid "Bad response (during sendauth exchange)" ++msgstr "falsche Antwort (beim Sendauth-Austausch)" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:230 ++msgid "Server rejected authentication (during sendauth exchange)" ++msgstr "Server wies Authentifizierung (beim Sendauth-Austausch) zurück" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:231 ++msgid "Unsupported preauthentication type" ++msgstr "nicht unterstützter Vorauthentifizierungstyp" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:232 ++msgid "Required preauthentication key not supplied" ++msgstr "erforderlicher Vorauthentifizierungsschlüssel nicht bereitgestellt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:233 ++msgid "Generic preauthentication failure" ++msgstr "allgemeiner Fehlschlag der Vorauthentifizierung" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:234 ++msgid "Unsupported replay cache format version number" ++msgstr "" ++"nicht unterstütztes Versionsnummernformat des Wiederholungszwischenspeichers" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:235 ++msgid "Unsupported credentials cache format version number" ++msgstr "" ++"nicht unterstütztes Versionsnummernformat des Anmeldedatenzwischenspeichers" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:236 ++msgid "Unsupported key table format version number" ++msgstr "nicht unterstütztes Versionsnummernformat der Schlüsseltabelle" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:237 ++msgid "Program lacks support for address type" ++msgstr "Dem Programm fehlt es an der Unterstützung des Adresstyps." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:238 ++msgid "Message replay detection requires rcache parameter" ++msgstr "Erkennung der Antwortnachricht erfordert den Parameter »rcache«" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:239 ++msgid "Hostname cannot be canonicalized" ++msgstr "Rechnername kann nicht in Normalform gebracht werden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:240 ++msgid "Cannot determine realm for host" ++msgstr "Realm für Rechner kann nicht bestimmt werden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:241 ++msgid "Conversion to service principal undefined for name type" ++msgstr "Umwandlung in Dienst-Principal für Namenstyp nicht definiert" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:242 ++msgid "Initial Ticket response appears to be Version 4 error" ++msgstr "anfängliche Ticket-Antwort scheint ein Fehler der Version 4 zu sein" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:243 ++msgid "Cannot resolve network address for KDC in requested realm" ++msgstr "" ++"Netzwerkadresse für KDC im angeforderten Realm kann nicht aufgelöst werden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:244 ++msgid "Requesting ticket can't get forwardable tickets" ++msgstr "anforderndes Ticket kann keine weiterleitbaren Tickets holen" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:245 ++msgid "Bad principal name while trying to forward credentials" ++msgstr "falscher Principal beim Versuch, Anmeldedaten weiterzuleiten" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:246 ++msgid "Looping detected inside krb5_get_in_tkt" ++msgstr "Schleife innerhalb von »krb5_get_in_tkt« entdeckt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:247 ++msgid "Configuration file does not specify default realm" ++msgstr "Konfigurationsdatei gibt keinen Standard-Realm an" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:248 ++msgid "Bad SAM flags in obtain_sam_padata" ++msgstr "falsche SAM-Schalter in »obtain_sam_padata«" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:249 ++msgid "Invalid encryption type in SAM challenge" ++msgstr "ungültiger Verschlüsselungstyp in der SAM-Aufforderung" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:250 ++msgid "Missing checksum in SAM challenge" ++msgstr "fehlende Prüfsumme in der SAM-Aufforderung" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:251 ++msgid "Bad checksum in SAM challenge" ++msgstr "falsche Prüfsumme in der SAM-Aufforderung" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:252 ++msgid "Keytab name too long" ++msgstr "Schlüsseltabellennamen zu lang" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:253 ++msgid "Key version number for principal in key table is incorrect" ++msgstr "" ++"Schlüsselversionsnummer des Principals in der Schlüsseltabelle ist nicht " ++"korrekt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:254 ++msgid "This application has expired" ++msgstr "Diese Anwendung ist abgelaufen." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:255 ++msgid "This Krb5 library has expired" ++msgstr "Diese Krb5-Bibliothek ist abgelaufen." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:256 ++msgid "New password cannot be zero length" ++msgstr "Das neue Passwort kann nicht die Länge Null haben." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:258 ++msgid "Bad format in keytab" ++msgstr "falsches Format in der Schlüsseltabelle" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:259 ++msgid "Encryption type not permitted" ++msgstr "Verschlüsselungstyp nicht erlaubt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:260 ++msgid "No supported encryption types (config file error?)" ++msgstr "" ++"keine unterstützten Verschlüsselungstypen (Fehler in der " ++"Konfigurationsdatei?)" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:261 ++msgid "Program called an obsolete, deleted function" ++msgstr "Das Programm rief eine veraltete, gelöschte Funktion auf." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:262 ++msgid "unknown getaddrinfo failure" ++msgstr "unbekannter Getaddrinfo-Fehlschlag" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:263 ++msgid "no data available for host/domain name" ++msgstr "keine Daten für Rechner/Domain-Namen verfügbar" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:264 ++msgid "host/domain name not found" ++msgstr "Rechner/Domain-Name nicht gefunden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:265 ++msgid "service name unknown" ++msgstr "Dienstname unbekannt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:266 ++msgid "Cannot determine realm for numeric host address" ++msgstr "Realm für numerische Rechneradresse kann nicht bestimmt werden" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:267 ++msgid "Invalid key generation parameters from KDC" ++msgstr "ungültige Parameter zum Erzeugen von Schlüsseln vom KDC" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:268 ++msgid "service not available" ++msgstr "Dienst nicht verfügbar" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:269 ++msgid "Ccache function not supported: read-only ccache type" ++msgstr "Ccache-Funktion nicht unterstützt: Ccache-Typ nur lesbar" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:270 ++msgid "Ccache function not supported: not implemented" ++msgstr "Ccache-Funktion nicht unterstützt: nicht implementiert" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:271 ++msgid "Invalid format of Kerberos lifetime or clock skew string" ++msgstr "" ++"ungültiges Format der Kerberos-Lebensdauer oder der Zeitversatzzeichenkette" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:272 ++msgid "Supplied data not handled by this plugin" ++msgstr "" ++"Die bereitgestellten Daten werden nicht von dieser Erweiterung behandelt." ++ ++#: ../lib/krb5/error_tables/krb5_err.c:273 ++msgid "Plugin does not support the operation" ++msgstr "Erweiterung unterstützt diese Aktion nicht" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:274 ++msgid "Invalid UTF-8 string" ++msgstr "ungültige UTF-8-Zeichenkette" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:275 ++msgid "FAST protected pre-authentication required but not supported by KDC" ++msgstr "" ++"FAST-geschützte Vorauthentifizierung erforderlich, aber nicht vom KDC " ++"unterstützt" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:276 ++msgid "Auth context must contain local address" ++msgstr "Authentifizierungskontext muss lokale Adresse enthalten" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:277 ++msgid "Auth context must contain remote address" ++msgstr "Authentifizierungskontext muss ferne Adresse enthalten" ++ ++#: ../lib/krb5/error_tables/krb5_err.c:278 ++msgid "Tracing unsupported" ++msgstr "Verfolgung nicht unterstützt" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:24 ++msgid "Entry already exists in database" ++msgstr "Eintrag existiert bereits in der Datenbank" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:25 ++msgid "Database store error" ++msgstr "Datenbank-Speicherfehler" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:26 ++msgid "Database read error" ++msgstr "Datenbank-Lesefehler" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:27 ++msgid "Insufficient access to perform requested operation" ++msgstr "Zugriffsrechte reichen nicht zur Durchführung der angeforderten Aktion" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:28 ++msgid "No such entry in the database" ++msgstr "kein derartiger Eintrag in der Datenbank" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:29 ++msgid "Illegal use of wildcard" ++msgstr "ungültige Verwendung eines Platzhalters" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:30 ++msgid "Database is locked or in use--try again later" ++msgstr "" ++"Datenbank ist gesperrt oder wird gerade benutzt – versuchen Sie es später " ++"wieder" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:31 ++msgid "Database was modified during read" ++msgstr "Datenbank wurde während des Lesens geändert" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:32 ++msgid "Database record is incomplete or corrupted" ++msgstr "Datensatz ist unvollständig oder beschädigt" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:33 ++msgid "Attempt to lock database twice" ++msgstr "Es wurde zweimal versucht, die Datenbank zu sperren." ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:34 ++msgid "Attempt to unlock database when not locked" ++msgstr "" ++"Es wurde versucht, die Datenbank zu entsperren, obwohl sie nicht gesperrt " ++"ist." ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:35 ++msgid "Invalid kdb lock mode" ++msgstr "ungültiger KDB-Sperrmodus" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:36 ++msgid "Database has not been initialized" ++msgstr "Datenbank wurde nicht initialisiert" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:37 ++msgid "Database has already been initialized" ++msgstr "Datenbank wurde bereits initialisiert" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:38 ++msgid "Bad direction for converting keys" ++msgstr "falsche Richtung zum Umwandeln von Schlüsseln" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:39 ++msgid "Cannot find master key record in database" ++msgstr "Hauptschlüsseldatensatz kann nicht in der Datenbank gefunden werden" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:40 ++msgid "Master key does not match database" ++msgstr "Hauptschlüssel passt nicht zur Datenbank" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:41 ++msgid "Key size in database is invalid" ++msgstr "Die Schlüssellänge in der Datenbank ist ungültig," ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:42 ++msgid "Cannot find/read stored master key" ++msgstr "Der gespeicherte Hauptschlüssel kann nicht gefunden/gelesen werden." ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:43 ++msgid "Stored master key is corrupted" ++msgstr "Der gespeicherte Hauptschlüssel ist beschädigt." ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:44 ++msgid "Cannot find active master key" ++msgstr "Der aktive Hauptschlüssel kann nicht gefunden werden." ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:45 ++msgid "KVNO of new master key does not match expected value" ++msgstr "KVNO des neuen Hauptschlüssels passt nicht zum erwarteten Wert" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:46 ++msgid "Stored master key is not current" ++msgstr "gespeicherter Hauptschlüssel ist nicht aktuell" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:47 ++msgid "Insufficient access to lock database" ++msgstr "keine ausreichenden Zugriffsrechte zum Sperren der Datenbank" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:48 ++msgid "Database format error" ++msgstr "fehlerhaftes Datenbankformat" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:49 ++msgid "Unsupported version in database entry" ++msgstr "nicht unterstützte Version im Datenbankeintrag" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:50 ++msgid "Unsupported salt type" ++msgstr "nicht unterstützter Salt-Typ" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:51 ++msgid "Unsupported encryption type" ++msgstr "nicht unterstützter Verschlüsselungstyp" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:52 ++msgid "Bad database creation flags" ++msgstr "falsche Schalter zum Erstellen der Datenbank" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:53 ++msgid "No matching key in entry having a permitted enctype" ++msgstr "" ++"kein passender Schlüssel in einem Eintrag mit erlaubtem Verschlüsselungstyp" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:54 ++msgid "No matching key in entry" ++msgstr "kein passender Schlüssel im Eintrag" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:55 ++msgid "Unable to find requested database type" ++msgstr "angeforderter Datenbanktyp kann nicht gefunden werden" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:56 ++msgid "Database type not supported" ++msgstr "Datenbanktyp nicht unterstützt" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:57 ++msgid "Database library failed to initialize" ++msgstr "Initialisieren der Datenbankbibliothek fehlgeschlagen" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:59 ++msgid "Unable to access Kerberos database" ++msgstr "auf die Kerberos-Datenbank kann nicht zugegriffen werden" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:60 ++msgid "Kerberos database internal error" ++msgstr "interner Kerberos-Datenbankfehler" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:61 ++msgid "Kerberos database constraints violated" ++msgstr "Kerberos-Datenbankbeschränkungen verletzt" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:62 ++msgid "Update log conversion error" ++msgstr "Fehler beim Umwandeln des Aktualisierungsprotokolls" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:63 ++msgid "Update log is unstable" ++msgstr "Aktualisierungsprotokoll ist instabil" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:64 ++msgid "Update log is corrupt" ++msgstr "Aktualisierungsprotokoll ist beschädigt" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:65 ++msgid "Generic update log error" ++msgstr "allgemeiner Aktualisierungsprotokollfehler" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:66 ++msgid "Database module does not match KDC version" ++msgstr "Datenbankmodul passt nicht zur KDC-Version" ++ ++#: ../lib/krb5/error_tables/kdb5_err.c:68 ++msgid "Too much string mapping data" ++msgstr "zu viele zeichenkettenabbildenden Daten" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:23 ++msgid "ASN.1 failed call to system time library" ++msgstr "ASN.1 beim Aufruf der Systemzeitbibliothek gescheitert" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:24 ++msgid "ASN.1 structure is missing a required field" ++msgstr "ein erforderliches Feld fehlt in der ASN.1-Struktur" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:25 ++msgid "ASN.1 unexpected field number" ++msgstr "ASN.1 unerwartete Feldnummer" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:26 ++msgid "ASN.1 type numbers are inconsistent" ++msgstr "ASN.1-Typnummern sind inkonsistent" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:27 ++msgid "ASN.1 value too large" ++msgstr "ASN.1-Wert zu groß" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:28 ++msgid "ASN.1 encoding ended unexpectedly" ++msgstr "ASN.1-Kodierung endete unerwartet" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:29 ++msgid "ASN.1 identifier doesn't match expected value" ++msgstr "ASN.1-Bezeichner passt nicht zum erwarteten Wert" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:30 ++msgid "ASN.1 length doesn't match expected value" ++msgstr "Länge von ASN.1 passt nicht zum erwarteten Wert" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:31 ++msgid "ASN.1 badly-formatted encoding" ++msgstr "fehlerhaft formatierte ASN.1-Kodierung" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:32 ++msgid "ASN.1 parse error" ++msgstr "ASN.1-Auswertungsfehler" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:33 ++msgid "ASN.1 bad return from gmtime" ++msgstr "ASN.1 falscher Rückgabewert von Gmtime" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:34 ++msgid "ASN.1 non-constructed indefinite encoding" ++msgstr "nicht konstruierte unbestimmte ASN.1-Kodierung" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:35 ++msgid "ASN.1 missing expected EOC" ++msgstr "ASN.1 fehlt erwartetes EOC" ++ ++#: ../lib/krb5/error_tables/asn1_err.c:36 ++msgid "ASN.1 object omitted in sequence" ++msgstr "ASN.1-Objekt in Sequenz ausgelassen" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:23 ++msgid "Kerberos V5 magic number table" ++msgstr "Tabelle magischer Zahlen von Kerberos V5" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:24 ++msgid "Bad magic number for krb5_principal structure" ++msgstr "falsche magische Zahl für Krb5_principal-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:25 ++msgid "Bad magic number for krb5_data structure" ++msgstr "falsche magische Zahl für Krb5_data-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:26 ++msgid "Bad magic number for krb5_keyblock structure" ++msgstr "falsche magische Zahl für Krb5_krb5_keyblock-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:27 ++msgid "Bad magic number for krb5_checksum structure" ++msgstr "falsche magische Zahl für Krb5_krb5_checksum-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:28 ++msgid "Bad magic number for krb5_encrypt_block structure" ++msgstr "falsche magische Zahl für Krb5_encrypt_bloc-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:29 ++msgid "Bad magic number for krb5_enc_data structure" ++msgstr "falsche magische Zahl für Krb5_enc_data-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:30 ++msgid "Bad magic number for krb5_cryptosystem_entry structure" ++msgstr "falsche magische Zahl für Krb5_cryptosystem_entry-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:31 ++msgid "Bad magic number for krb5_cs_table_entry structure" ++msgstr "falsche magische Zahl für Krb5_cs_table_entry-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:32 ++msgid "Bad magic number for krb5_checksum_entry structure" ++msgstr "falsche magische Zahl für Krb5_checksum_entry-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:33 ++msgid "Bad magic number for krb5_authdata structure" ++msgstr "falsche magische Zahl für Krb5_authdata-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:34 ++msgid "Bad magic number for krb5_transited structure" ++msgstr "falsche magische Zahl für Krb5_transited-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:35 ++msgid "Bad magic number for krb5_enc_tkt_part structure" ++msgstr "falsche magische Zahl für Krb5_enc_tkt_part-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:36 ++msgid "Bad magic number for krb5_ticket structure" ++msgstr "falsche magische Zahl für Krb5_ticket-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:37 ++msgid "Bad magic number for krb5_authenticator structure" ++msgstr "falsche magische Zahl für Krb5_authenticator-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:38 ++msgid "Bad magic number for krb5_tkt_authent structure" ++msgstr "falsche magische Zahl für Krb5_tkt_authent-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:39 ++msgid "Bad magic number for krb5_creds structure" ++msgstr "falsche magische Zahl für Krb5_creds-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:40 ++msgid "Bad magic number for krb5_last_req_entry structure" ++msgstr "falsche magische Zahl für Krb5_last_req_entry-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:41 ++msgid "Bad magic number for krb5_pa_data structure" ++msgstr "falsche magische Zahl für Krb5_pa_data-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:42 ++msgid "Bad magic number for krb5_kdc_req structure" ++msgstr "falsche magische Zahl für Krb5_kdc_req-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:43 ++msgid "Bad magic number for krb5_enc_kdc_rep_part structure" ++msgstr "falsche magische Zahl für Krb5_enc_kdc_rep_part-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:44 ++msgid "Bad magic number for krb5_kdc_rep structure" ++msgstr "falsche magische Zahl für Krb5_kdc_rep-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:45 ++msgid "Bad magic number for krb5_error structure" ++msgstr "falsche magische Zahl für Krb5_error-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:46 ++msgid "Bad magic number for krb5_ap_req structure" ++msgstr "falsche magische Zahl für Krb5_ap_req-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:47 ++msgid "Bad magic number for krb5_ap_rep structure" ++msgstr "falsche magische Zahl für Krb5_ap_rep-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:48 ++msgid "Bad magic number for krb5_ap_rep_enc_part structure" ++msgstr "falsche magische Zahl für Krb5_ap_rep_enc_part-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:49 ++msgid "Bad magic number for krb5_response structure" ++msgstr "falsche magische Zahl für Krb5_response-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:50 ++msgid "Bad magic number for krb5_safe structure" ++msgstr "falsche magische Zahl für Krb5_safe-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:51 ++msgid "Bad magic number for krb5_priv structure" ++msgstr "falsche magische Zahl für Krb5_priv-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:52 ++msgid "Bad magic number for krb5_priv_enc_part structure" ++msgstr "falsche magische Zahl für Krb5_priv_enc_part-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:53 ++msgid "Bad magic number for krb5_cred structure" ++msgstr "falsche magische Zahl für Krb5_cred-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:54 ++msgid "Bad magic number for krb5_cred_info structure" ++msgstr "falsche magische Zahl für Krb5_cred_info-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:55 ++msgid "Bad magic number for krb5_cred_enc_part structure" ++msgstr "falsche magische Zahl für Krb5_cred_enc_part-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:56 ++msgid "Bad magic number for krb5_pwd_data structure" ++msgstr "falsche magische Zahl für Krb5_pwd_data-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:57 ++msgid "Bad magic number for krb5_address structure" ++msgstr "falsche magische Zahl für Krb5_address-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:58 ++msgid "Bad magic number for krb5_keytab_entry structure" ++msgstr "falsche magische Zahl für Krb5_keytab_entry-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:59 ++msgid "Bad magic number for krb5_context structure" ++msgstr "falsche magische Zahl für Krb5_context-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:60 ++msgid "Bad magic number for krb5_os_context structure" ++msgstr "falsche magische Zahl für Krb5_os_context-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:61 ++msgid "Bad magic number for krb5_alt_method structure" ++msgstr "falsche magische Zahl für Krb5_alt_method-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:62 ++msgid "Bad magic number for krb5_etype_info_entry structure" ++msgstr "falsche magische Zahl für Krb5_etype_info_entry-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:63 ++msgid "Bad magic number for krb5_db_context structure" ++msgstr "falsche magische Zahl für Krb5_db_context-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:64 ++msgid "Bad magic number for krb5_auth_context structure" ++msgstr "falsche magische Zahl für Krb5_auth_context-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:65 ++msgid "Bad magic number for krb5_keytab structure" ++msgstr "falsche magische Zahl für Krb5_keytab-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:66 ++msgid "Bad magic number for krb5_rcache structure" ++msgstr "falsche magische Zahl für Krb5_rcache-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:67 ++msgid "Bad magic number for krb5_ccache structure" ++msgstr "falsche magische Zahl für Krb5_ccache-Struktur" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:68 ++msgid "Bad magic number for krb5_preauth_ops" ++msgstr "falsche magische Zahl für Krb5_preauth_ops" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:69 ++msgid "Bad magic number for krb5_sam_challenge" ++msgstr "falsche magische Zahl für Krb5_sam_challenge" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:70 ++msgid "Bad magic number for krb5_sam_challenge_2" ++msgstr "falsche magische Zahl für Krb5_sam_challenge_2" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:71 ++msgid "Bad magic number for krb5_sam_key" ++msgstr "falsche magische Zahl für Krb5_sam_key" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:72 ++#: ../lib/krb5/error_tables/kv5m_err.c:73 ++msgid "Bad magic number for krb5_enc_sam_response_enc" ++msgstr "falsche magische Zahl für Krb5_enc_sam_response_enc" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:74 ++msgid "Bad magic number for krb5_sam_response" ++msgstr "falsche magische Zahl für Krb5_sam_response" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:75 ++msgid "Bad magic number for krb5_sam_response 2" ++msgstr "falsche magische Zahl für Krb5_sam_response 2" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:76 ++msgid "Bad magic number for krb5_predicted_sam_response" ++msgstr "falsche magische Zahl für Krb5_predicted_sam_response" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:77 ++msgid "Bad magic number for passwd_phrase_element" ++msgstr "falsche magische Zahl für Passwd_phrase_element" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:78 ++msgid "Bad magic number for GSSAPI OID" ++msgstr "falsche magische Zahl für GSSAPI OID" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:79 ++msgid "Bad magic number for GSSAPI QUEUE" ++msgstr "falsche magische Zahl für GSSAPI QUEUE" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:80 ++msgid "Bad magic number for fast armored request" ++msgstr "falsche magische Zahl für per FAST geschützte Anfrage" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:81 ++msgid "Bad magic number for FAST request" ++msgstr "falsche magische Zahl für FAST-Anfrage" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:82 ++msgid "Bad magic number for FAST response" ++msgstr "falsche magische Zahl für FAST-Antwort" ++ ++#: ../lib/krb5/error_tables/kv5m_err.c:83 ++msgid "Bad magic number for krb5_authdata_context" ++msgstr "falsche magische Zahl für Krb5_authdata_context" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:23 ++msgid "Cannot convert V5 keyblock" ++msgstr "V5-Schlüsselblock kann nicht umgewandelt werden" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:24 ++msgid "Cannot convert V5 address information" ++msgstr "V5-Adressinformationen können nicht umgewandelt werden" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:25 ++msgid "Cannot convert V5 principal" ++msgstr "V5-Principal kann nicht umgewandelt werden" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:26 ++msgid "V5 realm name longer than V4 maximum" ++msgstr "V5-Realm-Name ist länger als die V4-Maximallänge" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:27 ++msgid "Kerberos V4 error" ++msgstr "Kerberos-V4-Fehler" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:28 ++msgid "Encoding too large" ++msgstr "Kodierung zu lang" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:29 ++msgid "Decoding out of data" ++msgstr "Dekodieren außerhalb der Daten" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:30 ++msgid "Service not responding" ++msgstr "Dienst antwortet nicht" ++ ++#: ../lib/krb5/error_tables/krb524_err.c:31 ++msgid "Kerberos version 4 support is disabled" ++msgstr "Kerberos 4 Unterstützung ist deaktiviert" ++ ++#~ msgid "while creating server %s principal name" ++#~ msgstr "beim Erstellen des Principal-Namens für Server %s" ++ ++# KDC = Key Distribution Center ++#~ msgid "while getting credentials from kdc" ++#~ msgstr "beim Holen der Anmeldedaten vom KDC" ++ ++# FIXME s/Retrieving/retrieving/ ++#~ msgid "while Retrieving credentials" ++#~ msgstr "beim Abfragen der Anmeldedaten" ++ ++#~ msgid "while copying principal" ++#~ msgstr "beim Kopieren des Principals" ++ ++#~ msgid "%s does not have correct permissions for %s\n" ++#~ msgstr "%s hat nicht die erforderlichen Zugriffsrechte für %s\n" ++ ++#~ msgid "no salt\n" ++#~ msgstr "kein Salt\n" ++ ++#~ msgid "%s: Couldn't grab lock\n" ++#~ msgstr "%s: Es konnte keine Sperre erlangt werden.\n" ++ ++#~ msgid "%s: Loads disallowed when iprop is enabled and a ulog is present\n" ++#~ msgstr "" ++#~ "%s: Wenn Iprop aktiviert und Ulog vorhanden ist, ist Laden nicht " ++#~ "möglich.\n" ++ ++#~ msgid "trying to lock database" ++#~ msgstr "es wird versucht, die Datenbank zu sperren" ++ ++#~ msgid "GSS-API error %s: %s\n" ++#~ msgstr "GSS-API-Fehler %s: %s\n" ++ ++#~ msgid "Couldn't create KRB5 Name NameType OID\n" ++#~ msgstr "KRB5 Name NameType OID konnte nicht erstellt werden.\n" ++ ++#~ msgid "%s: %s while initializing, aborting" ++#~ msgstr "%s: %s beim Initialisieren, wird abgebrochen" ++ ++#~ msgid "" ++#~ "%s: Missing required configuration values (%lx) while initializing, " ++#~ "aborting" ++#~ msgstr "" ++#~ "%s: Beim Initialisieren fehlen die erforderlichen Konfigurationswerte " ++#~ "(%lx), wird abgebrochen" ++ ++#~ msgid "" ++#~ "%s: Missing required configuration values (%lx) while initializing, " ++#~ "aborting\n" ++#~ msgstr "" ++#~ "%s: Beim Initialisieren fehlen die erforderlichen Konfigurationswerte " ++#~ "(%lx), wird abgebrochen\n" ++ ++#~ msgid "%s: could not initialize loop, aborting" ++#~ msgstr "%s: Schleife konnte nicht initialisiert werden, wird abgebrochen" ++ ++#~ msgid "%s: could not initialize loop, aborting\n" ++#~ msgstr "%s: Schleife konnte nicht initialisiert werden, wird abgebrochen\n" ++ ++#~ msgid "%s: %s while initializing signal handlers, aborting" ++#~ msgstr "" ++#~ "%s: %s beim Initialisieren des Signalbehandlungsprogramms, wird " ++#~ "abgebrochen" ++ ++#~ msgid "%s: %s while initializing signal handlers, aborting\n" ++#~ msgstr "" ++#~ "%s: %s beim Initialisieren des Signalbehandlungsprogramms, wird " ++#~ "abgebrochen\n" ++ ++#~ msgid "%s: %s while initializing network, aborting" ++#~ msgstr "%s: %s beim Initialisieren des Netzwerks, wird abgebrochen" ++ ++#~ msgid "%s: %s while initializing network, aborting\n" ++#~ msgstr "%s: %s beim Initialisieren des Netzwerks, wird abgebrochen\n" ++ ++#~ msgid "Cannot build GSS-API authentication names, failing." ++#~ msgstr "" ++#~ "GSS-API-Authentifizierungsnamen können nicht gebildet werden, " ++#~ "fehlgeschlagen" ++ ++#~ msgid "Can't set kdb keytab's internal context." ++#~ msgstr "" ++#~ "Der interne Kontext von KDBs Schlüsseltabelle kann nicht gesetzt werden." ++ ++#~ msgid "Can't register kdb keytab." ++#~ msgstr "Die KDB-Schlüsseltabelle kann nicht registriert werden." ++ ++#~ msgid "Can't register acceptor keytab." ++#~ msgstr "Die Empfängerschlüsseltabelle kann nicht registriert werden." ++ ++#~ msgid "" ++#~ "Cannot set GSS-API authentication names (keytab not present?), failing." ++#~ msgstr "" ++#~ "GSS-API-Authentifizierungsnamen können nicht gesetzt werden " ++#~ "(Schlüsseltabelle nicht vorhanden?), fehlgeschlagen" ++ ++#~ msgid "Cannot initialize acl file: %s" ++#~ msgstr "ACL-Datei kann nicht initialisiert werden: %s" ++ ++#~ msgid "%s: Cannot initialize acl file: %s\n" ++#~ msgstr "%s: ACL-Datei kann nicht initialisiert werden: %s\n" ++ ++#~ msgid "Cannot detach from tty: %s" ++#~ msgstr "kann nicht vom Terminal gelöst werden: %s" ++ ++#~ msgid "Cannot create PID file %s: %s" ++#~ msgstr "PID-Datei %s kann nicht erstellt werden: %s" ++ ++#~ msgid "%s: %s while mapping update log (`%s.ulog')\n" ++#~ msgstr "%s: %s beim Abbilden des Aktualisierungsprotokolls (»%s.ulog«)\n" ++ ++#~ msgid "%s while mapping update log (`%s.ulog')" ++#~ msgstr "%s beim Abbilden des Aktualisierungsprotokolls (»%s.ulog«)" ++ ++#~ msgid "%s: Cannot create IProp RPC service (PROG=%d, VERS=%d)\n" ++#~ msgstr "" ++#~ "%s: IProp-RPC-Dienst kann nicht erstellt werden (PROG=%d, VERS=%d)\n" ++ ++#~ msgid "Cannot create IProp RPC service (PROG=%d, VERS=%d), failing." ++#~ msgstr "" ++#~ "IProp-RPC-Dienst kann nicht erstellt werden (PROG=%d, VERS=%d), " ++#~ "fehlgeschlagen" ++ ++#~ msgid "%s while getting IProp svc name, failing" ++#~ msgstr "%s beim Holen des IProp-Dienstnamens, fehlgeschlagen" ++ ++#~ msgid "%s: %s while getting IProp svc name, failing\n" ++#~ msgstr "%s: %s beim Holen des IProp-Dienstnamens, fehlgeschlagen\n" ++ ++#~ msgid "Unable to set RPCSEC_GSS service name (`%s'), failing." ++#~ msgstr "" ++#~ "der RPCSEC_GSS-Dienstname (»%s«) kann nicht gesetzt werden, fehlgeschlagen" ++ ++#~ msgid "%s: Unable to set RPCSEC_GSS service name (`%s'), failing.\n" ++#~ msgstr "" ++#~ "%s: der RPCSEC_GSS-Dienstname (»%s«) kann nicht gesetzt werden, " ++#~ "fehlgeschlagen\n" ++ ++#~ msgid "GSS-API authentication error %.*s: recursive failure!" ++#~ msgstr "GSS-API-Authentifizierungsfehler %.*s: rekursiver Fehlschlag!" ++ ++#~ msgid "skipping unrecognized local address family %d" ++#~ msgstr "nicht erkannte lokale Adressfamilie %d wird übersprungen" ++ ++#~ msgid "got routing msg type %d(%s) v%d" ++#~ msgstr "Routing-Meldungstyp %d(%s) v%d erhalten" ++ ++#~ msgid "Could not create temp stash file: %s" ++#~ msgstr "Temporäre Ablagedatei konnte nicht erstellt werden: %s" ++ ++#~ msgid "ulog_sync_header: could not sync to disk" ++#~ msgstr "ulog_sync_header: kann nicht auf Platte sychronisiert werden" ++ ++#~ msgid "%s: attempt to convert non-extended krb5_get_init_creds_opt" ++#~ msgstr "" ++#~ "%s: Es wird versucht, nicht erweiterte »krb5_get_init_creds_opt« " ++#~ "umzuwandeln" ++ ++#~ msgid "krb5_sname_to_principal, while adding entries to the database" ++#~ msgstr "" ++#~ "»krb5_sname_to_principal« beim Hinzufügen von Einträgen zur Datenbank" ++ ++#~ msgid "krb5_copy_principal, while adding entries to the database" ++#~ msgstr "»krb5_copy_principal« beim Hinzufügen von Einträgen zur Datenbank" ++ ++#~ msgid "" ++#~ "Unable to check if SASL EXTERNAL mechanism is supported by LDAP server. " ++#~ "Proceeding anyway ..." ++#~ msgstr "" ++#~ "Es konnte nicht geprüft werden, ob der Mechanismus SASL EXTERNAL vom LDAP-" ++#~ "Server unterstützt wird. Es wird trotzdem fortgesetzt …" ++ ++#~ msgid "" ++#~ "SASL EXTERNAL mechanism not supported by LDAP server. Can't perform " ++#~ "certificate-based bind." ++#~ msgstr "" ++#~ "Der Mechanismus SASL EXTERNAL wird nicht vom LDAP-Server unterstützt. Es " ++#~ "kann keine zertifikatbasierte Verbindung hergestellt werden." ++ ++#~ msgid "Error reading 'ldap_servers' attribute" ++#~ msgstr "Fehler beim Lesen des Attributs »ldap_servers«" ++ ++#~ msgid "Stash file entry corrupt" ++#~ msgstr "Eintrag in der Ablagedatei beschädigt" ++ ++#~ msgid "while setting server principal realm" ++#~ msgstr "beim Setzen des Server-Principal-Realms" ++ ++#~ msgid "while getting initial ticket\n" ++#~ msgstr "beim Holen eines Anfangs-Tickets\n" ++ ++#~ msgid "while destroying ticket cache" ++#~ msgstr "beim Zerstören des Ticket-Zwischenspeichers" ++ ++#~ msgid "while closing default ccache" ++#~ msgstr "beim Schließen des Standard-Ccaches" diff --git a/SOURCES/Add-KDC-policy-pluggable-interface.patch b/SOURCES/Add-KDC-policy-pluggable-interface.patch index 590ff85..935d588 100644 --- a/SOURCES/Add-KDC-policy-pluggable-interface.patch +++ b/SOURCES/Add-KDC-policy-pluggable-interface.patch @@ -20,29 +20,29 @@ ticket: 8606 (new) (cherry picked from commit d0969f6a8170344031ef58fd2a161190f1edfb96) [rharwood@redhat.com: mention but do not use kadm_auth] --- - doc/plugindev/index.rst | 1 + - doc/plugindev/kdcpolicy.rst | 24 +++ - src/Makefile.in | 1 + - src/configure.in | 1 + - src/include/Makefile.in | 1 + - src/include/k5-int.h | 4 +- - src/include/k5-trace.h | 5 + - src/include/krb5/kdcpolicy_plugin.h | 128 ++++++++++++ - src/kdc/do_as_req.c | 7 + - src/kdc/do_tgs_req.c | 6 + - src/kdc/kdc_util.c | 7 - - src/kdc/kdc_util.h | 11 - - src/kdc/main.c | 8 + - src/kdc/policy.c | 267 +++++++++++++++++++++---- - src/kdc/policy.h | 19 +- - src/kdc/tgs_policy.c | 6 - - src/lib/krb5/krb/plugin.c | 4 +- - src/plugins/kdcpolicy/test/Makefile.in | 20 ++ - src/plugins/kdcpolicy/test/deps | 0 - src/plugins/kdcpolicy/test/main.c | 111 ++++++++++ - src/plugins/kdcpolicy/test/policy_test.exports | 1 + - src/tests/Makefile.in | 1 + - src/tests/t_kdcpolicy.py | 57 ++++++ + doc/plugindev/index.rst | 1 + + doc/plugindev/kdcpolicy.rst | 24 ++ + src/Makefile.in | 1 + + src/configure.in | 1 + + src/include/Makefile.in | 1 + + src/include/k5-int.h | 4 +- + src/include/k5-trace.h | 5 + + src/include/krb5/kdcpolicy_plugin.h | 128 +++++++++ + src/kdc/do_as_req.c | 7 + + src/kdc/do_tgs_req.c | 6 + + src/kdc/kdc_util.c | 7 - + src/kdc/kdc_util.h | 11 - + src/kdc/main.c | 8 + + src/kdc/policy.c | 267 +++++++++++++++--- + src/kdc/policy.h | 19 +- + src/kdc/tgs_policy.c | 6 - + src/lib/krb5/krb/plugin.c | 4 +- + src/plugins/kdcpolicy/test/Makefile.in | 20 ++ + src/plugins/kdcpolicy/test/deps | 0 + src/plugins/kdcpolicy/test/main.c | 111 ++++++++ + .../kdcpolicy/test/policy_test.exports | 1 + + src/tests/Makefile.in | 1 + + src/tests/t_kdcpolicy.py | 57 ++++ 23 files changed, 616 insertions(+), 74 deletions(-) create mode 100644 doc/plugindev/kdcpolicy.rst create mode 100644 src/include/krb5/kdcpolicy_plugin.h diff --git a/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch b/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch index a1a7fef..a931833 100644 --- a/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch +++ b/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch @@ -9,7 +9,7 @@ id-pkinit-san match against canonicalized client principal] ticket: 8528 (cherry picked from commit d520fd3f032121b61b22681838af96ee505fe44d) --- - src/tests/t_pkinit.py | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++ + src/tests/t_pkinit.py | 57 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py diff --git a/SOURCES/Add-certauth-pluggable-interface.patch b/SOURCES/Add-certauth-pluggable-interface.patch index b7719a8..a6f2525 100644 --- a/SOURCES/Add-certauth-pluggable-interface.patch +++ b/SOURCES/Add-certauth-pluggable-interface.patch @@ -23,25 +23,25 @@ doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst. ticket: 8561 (new) (cherry picked from commit b619ce84470519bea65470be3263cd85fba94f57) --- - doc/admin/conf_files/krb5_conf.rst | 21 ++ - doc/plugindev/certauth.rst | 27 ++ - doc/plugindev/index.rst | 1 + - src/Makefile.in | 1 + - src/configure.in | 1 + - src/include/Makefile.in | 1 + - src/include/k5-int.h | 3 +- - src/include/krb5/certauth_plugin.h | 103 +++++++ - src/lib/krb5/krb/plugin.c | 3 +- - src/plugins/certauth/test/Makefile.in | 20 ++ - src/plugins/certauth/test/certauth_test.exports | 2 + - src/plugins/certauth/test/deps | 14 + - src/plugins/certauth/test/main.c | 209 +++++++++++++ - src/plugins/preauth/pkinit/pkinit_crypto.h | 4 + - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 30 ++ - src/plugins/preauth/pkinit/pkinit_srv.c | 335 ++++++++++++++++++--- - src/plugins/preauth/pkinit/pkinit_trace.h | 5 + - src/tests/Makefile.in | 1 + - src/tests/t_certauth.py | 47 +++ + doc/admin/conf_files/krb5_conf.rst | 21 ++ + doc/plugindev/certauth.rst | 27 ++ + doc/plugindev/index.rst | 1 + + src/Makefile.in | 1 + + src/configure.in | 1 + + src/include/Makefile.in | 1 + + src/include/k5-int.h | 3 +- + src/include/krb5/certauth_plugin.h | 103 ++++++ + src/lib/krb5/krb/plugin.c | 3 +- + src/plugins/certauth/test/Makefile.in | 20 ++ + .../certauth/test/certauth_test.exports | 2 + + src/plugins/certauth/test/deps | 14 + + src/plugins/certauth/test/main.c | 209 +++++++++++ + src/plugins/preauth/pkinit/pkinit_crypto.h | 4 + + .../preauth/pkinit/pkinit_crypto_openssl.c | 30 ++ + src/plugins/preauth/pkinit/pkinit_srv.c | 335 +++++++++++++++--- + src/plugins/preauth/pkinit/pkinit_trace.h | 5 + + src/tests/Makefile.in | 1 + + src/tests/t_certauth.py | 47 +++ 19 files changed, 786 insertions(+), 42 deletions(-) create mode 100644 doc/plugindev/certauth.rst create mode 100644 src/include/krb5/certauth_plugin.h diff --git a/SOURCES/Add-k5_dir_filenames-to-libkrb5support.patch b/SOURCES/Add-k5_dir_filenames-to-libkrb5support.patch new file mode 100644 index 0000000..a2a3c45 --- /dev/null +++ b/SOURCES/Add-k5_dir_filenames-to-libkrb5support.patch @@ -0,0 +1,224 @@ +From 3c73ffd2ae4237e449808768d76b2869f8dffe8f Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 5 Jun 2018 14:01:05 -0400 +Subject: [PATCH] Add k5_dir_filenames() to libkrb5support + +Add a support function to get a list of filenames from a directory in +sorted order. + +(cherry picked from commit 27534121eb39089ff4335d8b465027e9ba783682) +(cherry picked from commit 9010a0dbf59771cb0a9c1e6fd5a18a92a1200ca7) +[rharwood@redhat.com: exports file context doesn't match] +--- + src/include/k5-platform.h | 7 + + src/util/support/Makefile.in | 3 + + src/util/support/dir_filenames.c | 135 ++++++++++++++++++ + src/util/support/libkrb5support-fixed.exports | 2 + + 4 files changed, 147 insertions(+) + create mode 100644 src/util/support/dir_filenames.c + +diff --git a/src/include/k5-platform.h b/src/include/k5-platform.h +index 994f46323..5a58ccba2 100644 +--- a/src/include/k5-platform.h ++++ b/src/include/k5-platform.h +@@ -44,6 +44,8 @@ + * + constant time memory comparison + * + path manipulation + * + _, N_, dgettext, bindtextdomain (for localization) ++ * + getopt_long ++ * + fetching filenames from a directory + */ + + #ifndef K5_PLATFORM_H +@@ -1099,4 +1101,9 @@ extern int k5_getopt_long(int nargc, char **nargv, char *options, + #define getopt_long k5_getopt_long + #endif /* HAVE_GETOPT_LONG */ + ++/* Set *fnames_out to a null-terminated list of filenames within dirname, ++ * sorted according to strcmp(). Return 0 on success, or ENOENT/ENOMEM. */ ++int k5_dir_filenames(const char *dirname, char ***fnames_out); ++void k5_free_filenames(char **fnames); ++ + #endif /* K5_PLATFORM_H */ +diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in +index 17bcd2a67..9326742d7 100644 +--- a/src/util/support/Makefile.in ++++ b/src/util/support/Makefile.in +@@ -84,6 +84,7 @@ STLIBOBJS= \ + json.o \ + bcmp.o \ + strerror_r.o \ ++ dir_filenames.o \ + $(GETTIMEOFDAY_ST_OBJ) \ + $(IPC_ST_OBJ) \ + $(STRLCPY_ST_OBJ) \ +@@ -109,6 +110,7 @@ LIBOBJS= \ + $(OUTPRE)json.$(OBJEXT) \ + $(OUTPRE)bcmp.$(OBJEXT) \ + $(OUTPRE)strerror_r.$(OBJEXT) \ ++ $(OUTPRE)dir_filenames.$(OBJEXT) \ + $(GETTIMEOFDAY_OBJ) \ + $(IPC_OBJ) \ + $(STRLCPY_OBJ) \ +@@ -143,6 +145,7 @@ SRCS=\ + $(srcdir)/json.c \ + $(srcdir)/bcmp.c \ + $(srcdir)/strerror_r.c \ ++ $(srcdir)/dir_filenames.c \ + $(srcdir)/t_utf8.c \ + $(srcdir)/getopt.c \ + $(srcdir)/getopt_long.c +diff --git a/src/util/support/dir_filenames.c b/src/util/support/dir_filenames.c +new file mode 100644 +index 000000000..9312b0238 +--- /dev/null ++++ b/src/util/support/dir_filenames.c +@@ -0,0 +1,135 @@ ++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ ++/* util/support/dir_filenames.c - fetch filenames in a directory */ ++/* ++ * Copyright (C) 2018 by the Massachusetts Institute of Technology. ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * * Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * * Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS ++ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ++ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "k5-platform.h" ++ ++void ++k5_free_filenames(char **fnames) ++{ ++ char **fn; ++ ++ for (fn = fnames; fn != NULL && *fn != NULL; fn++) ++ free(*fn); ++ free(fnames); ++} ++ ++/* Resize the filename list and add a name. */ ++static int ++add_filename(char ***fnames, int *n_fnames, const char *name) ++{ ++ char **newlist; ++ ++ newlist = realloc(*fnames, (*n_fnames + 2) * sizeof(*newlist)); ++ if (newlist == NULL) ++ return ENOMEM; ++ *fnames = newlist; ++ newlist[*n_fnames] = strdup(name); ++ if (newlist[*n_fnames] == NULL) ++ return ENOMEM; ++ (*n_fnames)++; ++ newlist[*n_fnames] = NULL; ++ return 0; ++} ++ ++static int ++compare_with_strcmp(const void *a, const void *b) ++{ ++ return strcmp(*(char **)a, *(char **)b); ++} ++ ++#ifdef _WIN32 ++ ++int ++k5_dir_filenames(const char *dirname, char ***fnames_out) ++{ ++ char *wildcard; ++ WIN32_FIND_DATA ffd; ++ HANDLE handle; ++ char **fnames = NULL; ++ int n_fnames = 0; ++ ++ *fnames_out = NULL; ++ ++ if (asprintf(&wildcard, "%s\\*", dirname) < 0) ++ return ENOMEM; ++ handle = FindFirstFile(wildcard, &ffd); ++ free(wildcard); ++ if (handle == INVALID_HANDLE_VALUE) ++ return ENOENT; ++ ++ do { ++ if (add_filename(&fnames, &n_fnames, &ffd.cFileName) != 0) { ++ k5_free_filenames(fnames); ++ FindClose(handle); ++ return ENOMEM; ++ } ++ } while (FindNextFile(handle, &ffd) != 0); ++ ++ FindClose(handle); ++ qsort(fnames, n_fnames, sizeof(*fnames), compare_with_strcmp); ++ *fnames_out = fnames; ++ return 0; ++} ++ ++#else /* _WIN32 */ ++ ++#include ++ ++int ++k5_dir_filenames(const char *dirname, char ***fnames_out) ++{ ++ DIR *dir; ++ struct dirent *ent; ++ char **fnames = NULL; ++ int n_fnames = 0; ++ ++ *fnames_out = NULL; ++ ++ dir = opendir(dirname); ++ if (dir == NULL) ++ return ENOENT; ++ ++ while ((ent = readdir(dir)) != NULL) { ++ if (add_filename(&fnames, &n_fnames, ent->d_name) != 0) { ++ k5_free_filenames(fnames); ++ closedir(dir); ++ return ENOMEM; ++ } ++ } ++ ++ closedir(dir); ++ qsort(fnames, n_fnames, sizeof(*fnames), compare_with_strcmp); ++ *fnames_out = fnames; ++ return 0; ++} ++ ++#endif /* not _WIN32 */ +diff --git a/src/util/support/libkrb5support-fixed.exports b/src/util/support/libkrb5support-fixed.exports +index d5d4177b7..2cdcddfe0 100644 +--- a/src/util/support/libkrb5support-fixed.exports ++++ b/src/util/support/libkrb5support-fixed.exports +@@ -52,6 +52,8 @@ k5_path_isabs + k5_path_join + k5_path_split + k5_strerror_r ++k5_dir_filenames ++k5_free_filenames + krb5int_key_register + krb5int_key_delete + krb5int_getspecific diff --git a/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch b/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch index 4659281..24ecda3 100644 --- a/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch +++ b/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch @@ -17,18 +17,18 @@ ticket: 8569 (new) --- src/include/k5-int.h | 1 + src/lib/crypto/krb/crypto_int.h | 1 + - src/lib/crypto/krb/enctype_util.c | 16 ++++++++++++++++ - src/lib/crypto/krb/etypes.c | 33 ++++++++++++++++++--------------- + src/lib/crypto/krb/enctype_util.c | 16 ++++++++++++ + src/lib/crypto/krb/etypes.c | 33 ++++++++++++++----------- src/lib/crypto/libk5crypto.exports | 1 + - src/lib/gssapi/generic/gssapi_ext.h | 11 +++++++++++ - src/lib/gssapi/generic/gssapi_generic.c | 9 +++++++++ - src/lib/gssapi/krb5/gssapiP_krb5.h | 6 ++++++ - src/lib/gssapi/krb5/gssapi_krb5.c | 4 ++++ - src/lib/gssapi/krb5/inq_context.c | 27 +++++++++++++++++++++++++++ + src/lib/gssapi/generic/gssapi_ext.h | 11 +++++++++ + src/lib/gssapi/generic/gssapi_generic.c | 9 +++++++ + src/lib/gssapi/krb5/gssapiP_krb5.h | 6 +++++ + src/lib/gssapi/krb5/gssapi_krb5.c | 4 +++ + src/lib/gssapi/krb5/inq_context.c | 27 ++++++++++++++++++++ src/lib/gssapi/libgssapi_krb5.exports | 1 + src/lib/gssapi32.def | 3 +++ src/lib/krb5_32.def | 3 +++ - src/tests/gssapi/t_enctypes.c | 14 ++++++++++++++ + src/tests/gssapi/t_enctypes.c | 14 +++++++++++ 14 files changed, 115 insertions(+), 15 deletions(-) diff --git a/src/include/k5-int.h b/src/include/k5-int.h diff --git a/SOURCES/Add-test-case-for-PKINIT-DH-renegotiation.patch b/SOURCES/Add-test-case-for-PKINIT-DH-renegotiation.patch new file mode 100644 index 0000000..047f011 --- /dev/null +++ b/SOURCES/Add-test-case-for-PKINIT-DH-renegotiation.patch @@ -0,0 +1,45 @@ +From c88c2328ed284996a61281ae84dddbdff044e1d5 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Wed, 11 Jan 2017 10:49:30 -0500 +Subject: [PATCH] Add test case for PKINIT DH renegotiation + +In t_pkinit.py, add a PKINIT test case where the KDC sends +KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED and the client retries with the +KDC's TD_DH_PARAMETERS value, using the clpreauth tryagain method. +Use the trace log to verify that the renegotiation actually takes +place. + +(cherry picked from commit 7ad7eb7fd591e6c789ea24b94eccbf74ee4d79f8) +--- + src/tests/t_pkinit.py | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py +index ac4d326b6..183977750 100755 +--- a/src/tests/t_pkinit.py ++++ b/src/tests/t_pkinit.py +@@ -174,6 +174,24 @@ realm.kinit(realm.user_princ, + '-X', 'flag_RSA_PROTOCOL=yes']) + realm.klist(realm.user_princ) + ++# Test a DH parameter renegotiation by temporarily setting a 4096-bit ++# minimum on the KDC. ++tracefile = os.path.join(realm.testdir, 'trace') ++minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}} ++minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf) ++realm.stop_kdc() ++realm.start_kdc(env=minbits_env) ++realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-X', ++ 'X509_user_identity=' + file_identity, realm.user_princ]) ++with open(tracefile, 'r') as f: ++ trace = f.read() ++if ('Key parameters not accepted' not in trace or ++ 'Preauth tryagain input types' not in trace or ++ 'trying again with KDC-provided parameters' not in trace): ++ fail('DH renegotiation steps not found in kinit trace log') ++realm.stop_kdc() ++realm.start_kdc() ++ + # Run the basic test - PKINIT with FILE: identity, with a password on the key, + # supplied by the prompter. + # Expect failure if the responder does nothing, and we have no prompter. diff --git a/SOURCES/Add-test-cases-for-preauth-fallback-behavior.patch b/SOURCES/Add-test-cases-for-preauth-fallback-behavior.patch new file mode 100644 index 0000000..f2c1740 --- /dev/null +++ b/SOURCES/Add-test-cases-for-preauth-fallback-behavior.patch @@ -0,0 +1,826 @@ +From 6909a4e3aa5c41cfd896b91cc8f9560481dddfd1 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Fri, 20 Jan 2017 12:44:12 -0500 +Subject: [PATCH] Add test cases for preauth fallback behavior + +Add options to icred for performing optimistic preauth and setting +preauth options, and for choosing between the normal and stepwise +interfaces. Add options to the test preauth module to allow induced +failures at several points in processing, factoring out some padata +manipulation functions into a new file to avoid repeating too much +code. Add test cases to t_preauth.py using the new facilities to +exercise and verify several preauth fallback scenarios. Amend the +tryagain test case in t_pkinit.py to look for more trace log messages. + +ticket: 8537 +(cherry picked from commit 748beda1e36d76bed8b06b272ecb72988eede94b) +[rharwood@redhat.com: more expected_trace] +--- + src/plugins/preauth/test/Makefile.in | 4 +- + src/plugins/preauth/test/cltest.c | 86 ++++++++++----- + src/plugins/preauth/test/common.c | 61 +++++++++++ + src/plugins/preauth/test/common.h | 41 +++++++ + src/plugins/preauth/test/deps | 14 ++- + src/plugins/preauth/test/kdctest.c | 96 ++++++++++------ + src/tests/icred.c | 69 +++++++++--- + src/tests/t_general.py | 1 + + src/tests/t_pkinit.py | 12 +- + src/tests/t_preauth.py | 158 ++++++++++++++++++++++++++- + 10 files changed, 452 insertions(+), 90 deletions(-) + create mode 100644 src/plugins/preauth/test/common.c + create mode 100644 src/plugins/preauth/test/common.h + +diff --git a/src/plugins/preauth/test/Makefile.in b/src/plugins/preauth/test/Makefile.in +index ac3cb8155..77321b60f 100644 +--- a/src/plugins/preauth/test/Makefile.in ++++ b/src/plugins/preauth/test/Makefile.in +@@ -9,9 +9,9 @@ RELDIR=../plugins/preauth/test + SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS) + SHLIB_EXPLIBS=$(KRB5_BASE_LIBS) + +-STLIBOBJS=cltest.o kdctest.o ++STLIBOBJS=cltest.o kdctest.o common.o + +-SRCS= $(srcdir)/cltest.c $(srcdir)/kdctest.c ++SRCS= $(srcdir)/cltest.c $(srcdir)/kdctest.c $(srcdir)/common.c + + all-unix: all-liblinks + install-unix: install-libs +diff --git a/src/plugins/preauth/test/cltest.c b/src/plugins/preauth/test/cltest.c +index 4c31e1c0f..f5f7c5aba 100644 +--- a/src/plugins/preauth/test/cltest.c ++++ b/src/plugins/preauth/test/cltest.c +@@ -1,7 +1,7 @@ + /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ + /* plugins/preauth/test/cltest.c - Test clpreauth module */ + /* +- * Copyright (C) 2015 by the Massachusetts Institute of Technology. ++ * Copyright (C) 2015, 2017 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -32,7 +32,7 @@ + + /* + * This module is used to test preauth interface features. At this time, the +- * clpreauth module does two things: ++ * clpreauth module does the following: + * + * - It decrypts a message from the initial KDC pa-data using the reply key and + * prints it to stdout. (The unencrypted message "no key" can also be +@@ -45,17 +45,27 @@ + * it to the server, instructing the kdcpreauth module to assert one or more + * space-separated authentication indicators. (This string is sent on both + * round trips if a second round trip is requested.) ++ * ++ * - If a KDC_ERR_ENCTYPE_NOSUPP error with e-data is received, it prints the ++ * accompanying error padata and sends a follow-up request containing ++ * "tryagain". ++ * ++ * - If the "fail_optimistic", "fail_2rt", or "fail_tryagain" gic options are ++ * set, it fails with a recognizable error string at the requested point in ++ * processing. + */ + + #include "k5-int.h" + #include +- +-#define TEST_PA_TYPE -123 ++#include "common.h" + + static krb5_preauthtype pa_types[] = { TEST_PA_TYPE, 0 }; + + struct client_state { + char *indicators; ++ krb5_boolean fail_optimistic; ++ krb5_boolean fail_2rt; ++ krb5_boolean fail_tryagain; + }; + + struct client_request_state { +@@ -70,6 +80,7 @@ test_init(krb5_context context, krb5_clpreauth_moddata *moddata_out) + st = malloc(sizeof(*st)); + assert(st != NULL); + st->indicators = NULL; ++ st->fail_optimistic = st->fail_2rt = st->fail_tryagain = FALSE; + *moddata_out = (krb5_clpreauth_moddata)st; + return 0; + } +@@ -114,7 +125,6 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata, + struct client_state *st = (struct client_state *)moddata; + struct client_request_state *reqst = (struct client_request_state *)modreq; + krb5_error_code ret; +- krb5_pa_data **list, *pa; + krb5_keyblock *k; + krb5_enc_data enc; + krb5_data plain; +@@ -123,20 +133,18 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata, + if (pa_data->length == 0) { + /* This is an optimistic preauth test. Send a recognizable padata + * value so the KDC knows not to expect a cookie. */ +- list = k5calloc(2, sizeof(*list), &ret); +- assert(!ret); +- pa = k5alloc(sizeof(*pa), &ret); +- assert(!ret); +- pa->pa_type = TEST_PA_TYPE; +- pa->contents = (uint8_t *)strdup("optimistic"); +- assert(pa->contents != NULL); +- pa->length = 10; +- list[0] = pa; +- list[1] = NULL; +- *out_pa_data = list; ++ if (st->fail_optimistic) { ++ k5_setmsg(context, KRB5_PREAUTH_FAILED, "induced optimistic fail"); ++ return KRB5_PREAUTH_FAILED; ++ } ++ *out_pa_data = make_pa_list("optimistic", 10); + return 0; + } else if (reqst->second_round_trip) { + printf("2rt: %.*s\n", pa_data->length, pa_data->contents); ++ if (st->fail_2rt) { ++ k5_setmsg(context, KRB5_PREAUTH_FAILED, "induced 2rt fail"); ++ return KRB5_PREAUTH_FAILED; ++ } + } else if (pa_data->length == 6 && + memcmp(pa_data->contents, "no key", 6) == 0) { + printf("no key\n"); +@@ -157,17 +165,34 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata, + reqst->second_round_trip = TRUE; + + indstr = (st->indicators != NULL) ? st->indicators : ""; +- list = k5calloc(2, sizeof(*list), &ret); +- assert(!ret); +- pa = k5alloc(sizeof(*pa), &ret); +- assert(!ret); +- pa->pa_type = TEST_PA_TYPE; +- pa->contents = (uint8_t *)strdup(indstr); +- assert(pa->contents != NULL); +- pa->length = strlen(indstr); +- list[0] = pa; +- list[1] = NULL; +- *out_pa_data = list; ++ *out_pa_data = make_pa_list(indstr, strlen(indstr)); ++ return 0; ++} ++ ++static krb5_error_code ++test_tryagain(krb5_context context, krb5_clpreauth_moddata moddata, ++ krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt, ++ krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock, ++ krb5_kdc_req *request, krb5_data *enc_req, krb5_data *enc_prev, ++ krb5_preauthtype pa_type, krb5_error *error, ++ krb5_pa_data **padata, krb5_prompter_fct prompter, ++ void *prompter_data, krb5_pa_data ***padata_out) ++{ ++ struct client_state *st = (struct client_state *)moddata; ++ int i; ++ ++ *padata_out = NULL; ++ if (st->fail_tryagain) { ++ k5_setmsg(context, KRB5_PREAUTH_FAILED, "induced tryagain fail"); ++ return KRB5_PREAUTH_FAILED; ++ } ++ if (error->error != KDC_ERR_ENCTYPE_NOSUPP) ++ return KRB5_PREAUTH_FAILED; ++ for (i = 0; padata[i] != NULL; i++) { ++ if (padata[i]->pa_type == TEST_PA_TYPE) ++ printf("tryagain: %.*s\n", padata[i]->length, padata[i]->contents); ++ } ++ *padata_out = make_pa_list("tryagain", 8); + return 0; + } + +@@ -181,6 +206,12 @@ test_gic_opt(krb5_context kcontext, krb5_clpreauth_moddata moddata, + free(st->indicators); + st->indicators = strdup(value); + assert(st->indicators != NULL); ++ } else if (strcmp(attr, "fail_optimistic") == 0) { ++ st->fail_optimistic = TRUE; ++ } else if (strcmp(attr, "fail_2rt") == 0) { ++ st->fail_2rt = TRUE; ++ } else if (strcmp(attr, "fail_tryagain") == 0) { ++ st->fail_tryagain = TRUE; + } + return 0; + } +@@ -205,6 +236,7 @@ clpreauth_test_initvt(krb5_context context, int maj_ver, + vt->request_init = test_request_init; + vt->request_fini = test_request_fini; + vt->process = test_process; ++ vt->tryagain = test_tryagain; + vt->gic_opts = test_gic_opt; + return 0; + } +diff --git a/src/plugins/preauth/test/common.c b/src/plugins/preauth/test/common.c +new file mode 100644 +index 000000000..4d1f49dfa +--- /dev/null ++++ b/src/plugins/preauth/test/common.c +@@ -0,0 +1,61 @@ ++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ ++/* plugins/preauth/test/common.c - common functions for test preauth module */ ++/* ++ * Copyright (C) 2017 by the Massachusetts Institute of Technology. ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * * Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * * Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS ++ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ++ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "k5-int.h" ++#include "common.h" ++ ++krb5_pa_data * ++make_pa(const char *contents, size_t len) ++{ ++ krb5_error_code ret; ++ krb5_pa_data *pa; ++ ++ pa = calloc(1, sizeof(*pa)); ++ assert(pa != NULL); ++ pa->pa_type = TEST_PA_TYPE; ++ pa->contents = k5memdup(contents, len, &ret); ++ assert(!ret); ++ pa->length = len; ++ return pa; ++} ++ ++/* Make a one-element padata list of type TEST_PA_TYPE. */ ++krb5_pa_data ** ++make_pa_list(const char *contents, size_t len) ++{ ++ krb5_pa_data **list; ++ ++ list = calloc(2, sizeof(*list)); ++ assert(list != NULL); ++ list[0] = make_pa(contents, len); ++ return list; ++} +diff --git a/src/plugins/preauth/test/common.h b/src/plugins/preauth/test/common.h +new file mode 100644 +index 000000000..b748e0874 +--- /dev/null ++++ b/src/plugins/preauth/test/common.h +@@ -0,0 +1,41 @@ ++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ ++/* plugins/preauth/test/common.h - Declarations for test preauth module */ ++/* ++ * Copyright (C) 2017 by the Massachusetts Institute of Technology. ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * * Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * * Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS ++ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ++ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#ifndef COMMON_H ++#define COMMON_H ++ ++#define TEST_PA_TYPE -123 ++ ++krb5_pa_data *make_pa(const char *contents, size_t len); ++krb5_pa_data **make_pa_list(const char *contents, size_t len); ++ ++#endif /* COMMON_H */ +diff --git a/src/plugins/preauth/test/deps b/src/plugins/preauth/test/deps +index b48f00032..b1429e9e1 100644 +--- a/src/plugins/preauth/test/deps ++++ b/src/plugins/preauth/test/deps +@@ -11,7 +11,7 @@ cltest.so cltest.po $(OUTPRE)cltest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/clpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- cltest.c ++ cltest.c common.h + kdctest.so kdctest.po $(OUTPRE)kdctest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ +@@ -22,4 +22,14 @@ kdctest.so kdctest.po $(OUTPRE)kdctest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- kdctest.c ++ common.h kdctest.c ++common.so common.po $(OUTPRE)common.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ ++ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ ++ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ ++ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ ++ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ ++ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ ++ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ ++ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ ++ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ ++ $(top_srcdir)/include/socket-utils.h common.c common.h +diff --git a/src/plugins/preauth/test/kdctest.c b/src/plugins/preauth/test/kdctest.c +index 026dc680d..66b77969a 100644 +--- a/src/plugins/preauth/test/kdctest.c ++++ b/src/plugins/preauth/test/kdctest.c +@@ -1,7 +1,7 @@ + /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ + /* plugins/preauth/test/kdctest.c - Test kdcpreauth module */ + /* +- * Copyright (C) 2015 by the Massachusetts Institute of Technology. ++ * Copyright (C) 2015, 2017 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -40,10 +40,20 @@ + * key; the encrypted message "no attr" is sent if there is no string + * attribute.) It also sets a cookie containing "method-data". + * +- * - It retrieves the "2rt" attribute from the client principal. If set, the +- * verify method sends the client a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error +- * with the contents of the 2rt attribute as pa-data, and sets a cookie +- * containing "more". ++ * - If the "err" attribute is set on the client principal, the verify method ++ * returns an KDC_ERR_ETYPE_NOSUPP error on the first try, with the contents ++ * of the err attribute as pa-data. If the client tries again with the ++ * padata value "tryagain", the verify method preuthenticates successfully ++ * with no additional processing. ++ * ++ * - If the "failopt" attribute is set on the client principal, the verify ++ * method returns KDC_ERR_PREAUTH_FAILED on optimistic preauth attempts. ++ * ++ * - If the "2rt" attribute is set on client principal, the verify method sends ++ * the client a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error with the contents of ++ * the 2rt attribute as pa-data, and sets a cookie containing "more". If the ++ * "fail2rt" attribute is set on the client principal, the client's second ++ * try results in a KDC_ERR_PREAUTH_FAILED error. + * + * - It receives a space-separated list from the clpreauth module and asserts + * each string as an authentication indicator. It always succeeds in +@@ -52,6 +62,7 @@ + + #include "k5-int.h" + #include ++#include "common.h" + + #define TEST_PA_TYPE -123 + +@@ -73,11 +84,6 @@ test_edata(krb5_context context, krb5_kdc_req *req, + + ret = cb->get_string(context, rock, "teststring", &attr); + assert(!ret); +- pa = k5alloc(sizeof(*pa), &ret); +- assert(!ret); +- if (pa == NULL) +- abort(); +- pa->pa_type = TEST_PA_TYPE; + if (k != NULL) { + d = string2data((attr != NULL) ? attr : "no attr"); + ret = krb5_c_encrypt_length(context, k->enctype, d.length, &enclen); +@@ -86,12 +92,10 @@ test_edata(krb5_context context, krb5_kdc_req *req, + assert(!ret); + ret = krb5_c_encrypt(context, k, 1024, NULL, &d, &enc); + assert(!ret); +- pa->contents = (uint8_t *)enc.ciphertext.data; +- pa->length = enc.ciphertext.length; ++ pa = make_pa(enc.ciphertext.data, enc.ciphertext.length); ++ free(enc.ciphertext.data); + } else { +- pa->contents = (uint8_t *)strdup("no key"); +- assert(pa->contents != NULL); +- pa->length = 6; ++ pa = make_pa("no key", 6); + } + + /* Exercise setting a cookie information from the edata method. */ +@@ -111,12 +115,19 @@ test_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_kdcpreauth_verify_respond_fn respond, void *arg) + { + krb5_error_code ret; +- krb5_boolean second_round_trip = FALSE; +- krb5_pa_data **list; ++ krb5_boolean second_round_trip = FALSE, optimistic = FALSE; ++ krb5_pa_data **list = NULL; + krb5_data cookie_data, d; +- char *str, *ind, *attr, *toksave = NULL; ++ char *str, *ind, *toksave = NULL; ++ char *attr_err, *attr_2rt, *attr_fail2rt, *attr_failopt; + +- ret = cb->get_string(context, rock, "2rt", &attr); ++ ret = cb->get_string(context, rock, "err", &attr_err); ++ assert(!ret); ++ ret = cb->get_string(context, rock, "2rt", &attr_2rt); ++ assert(!ret); ++ ret = cb->get_string(context, rock, "fail2rt", &attr_fail2rt); ++ assert(!ret); ++ ret = cb->get_string(context, rock, "failopt", &attr_failopt); + assert(!ret); + + /* Check the incoming cookie value. */ +@@ -124,13 +135,36 @@ test_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, + /* Make sure we are seeing optimistic preauth and not a lost cookie. */ + d = make_data(data->contents, data->length); + assert(data_eq_string(d, "optimistic")); ++ optimistic = TRUE; + } else if (data_eq_string(cookie_data, "more")) { + second_round_trip = TRUE; + } else { +- assert(data_eq_string(cookie_data, "method-data")); ++ assert(data_eq_string(cookie_data, "method-data") || ++ data_eq_string(cookie_data, "err")); + } + +- if (attr == NULL || second_round_trip) { ++ if (attr_err != NULL) { ++ d = make_data(data->contents, data->length); ++ if (data_eq_string(d, "tryagain")) { ++ /* Authenticate successfully. */ ++ enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; ++ } else { ++ d = string2data("err"); ++ ret = cb->set_cookie(context, rock, TEST_PA_TYPE, &d); ++ assert(!ret); ++ ret = KRB5KDC_ERR_ETYPE_NOSUPP; ++ list = make_pa_list(attr_err, strlen(attr_err)); ++ } ++ } else if (attr_2rt != NULL && !second_round_trip) { ++ d = string2data("more"); ++ ret = cb->set_cookie(context, rock, TEST_PA_TYPE, &d); ++ assert(!ret); ++ ret = KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED; ++ list = make_pa_list(attr_2rt, strlen(attr_2rt)); ++ } else if ((attr_fail2rt != NULL && second_round_trip) || ++ (attr_failopt != NULL && optimistic)) { ++ ret = KRB5KDC_ERR_PREAUTH_FAILED; ++ } else { + /* Parse and assert the indicators. */ + str = k5memdup0(data->contents, data->length, &ret); + if (ret) +@@ -142,21 +176,13 @@ test_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, + } + free(str); + enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; +- cb->free_string(context, rock, attr); +- (*respond)(arg, 0, NULL, NULL, NULL); +- } else { +- d = string2data("more"); +- ret = cb->set_cookie(context, rock, TEST_PA_TYPE, &d); +- list = k5calloc(2, sizeof(*list), &ret); +- assert(!ret); +- list[0] = k5alloc(sizeof(*list[0]), &ret); +- assert(!ret); +- list[0]->pa_type = TEST_PA_TYPE; +- list[0]->contents = (uint8_t *)attr; +- list[0]->length = strlen(attr); +- (*respond)(arg, KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, NULL, list, +- NULL); + } ++ ++ cb->free_string(context, rock, attr_err); ++ cb->free_string(context, rock, attr_2rt); ++ cb->free_string(context, rock, attr_fail2rt); ++ cb->free_string(context, rock, attr_failopt); ++ (*respond)(arg, ret, NULL, list, NULL); + } + + static krb5_error_code +diff --git a/src/tests/icred.c b/src/tests/icred.c +index 071f91c80..55f929cd7 100644 +--- a/src/tests/icred.c ++++ b/src/tests/icred.c +@@ -35,8 +35,8 @@ + * it is very simplistic, but it can be extended as needed. + */ + ++#include "k5-platform.h" + #include +-#include + + static krb5_context ctx; + +@@ -59,29 +59,64 @@ main(int argc, char **argv) + const char *princstr, *password; + krb5_principal client; + krb5_init_creds_context icc; ++ krb5_get_init_creds_opt *opt; + krb5_creds creds; +- +- if (argc != 3) { +- fprintf(stderr, "Usage: icred princname password\n"); +- exit(1); +- } +- princstr = argv[1]; +- password = argv[2]; ++ krb5_boolean stepwise = FALSE; ++ krb5_preauthtype ptypes[64]; ++ int c, nptypes = 0; ++ char *val; + + check(krb5_init_context(&ctx)); ++ check(krb5_get_init_creds_opt_alloc(ctx, &opt)); ++ ++ while ((c = getopt(argc, argv, "so:X:")) != -1) { ++ switch (c) { ++ case 's': ++ stepwise = TRUE; ++ break; ++ case 'o': ++ assert(nptypes < 64); ++ ptypes[nptypes++] = atoi(optarg); ++ break; ++ case 'X': ++ val = strchr(optarg, '='); ++ if (val != NULL) ++ *val++ = '\0'; ++ else ++ val = "yes"; ++ check(krb5_get_init_creds_opt_set_pa(ctx, opt, optarg, val)); ++ break; ++ default: ++ abort(); ++ } ++ } ++ ++ argc -= optind; ++ argv += optind; ++ if (argc != 2) ++ abort(); ++ princstr = argv[0]; ++ password = argv[1]; ++ + check(krb5_parse_name(ctx, princstr, &client)); + +- /* Try once with the traditional interface. */ +- check(krb5_get_init_creds_password(ctx, &creds, client, password, NULL, +- NULL, 0, NULL, NULL)); +- krb5_free_cred_contents(ctx, &creds); ++ if (nptypes > 0) ++ krb5_get_init_creds_opt_set_preauth_list(opt, ptypes, nptypes); + +- /* Try again with the step interface. */ +- check(krb5_init_creds_init(ctx, client, NULL, NULL, 0, NULL, &icc)); +- check(krb5_init_creds_set_password(ctx, icc, password)); +- check(krb5_init_creds_get(ctx, icc)); +- krb5_init_creds_free(ctx, icc); ++ if (stepwise) { ++ /* Use the stepwise interface. */ ++ check(krb5_init_creds_init(ctx, client, NULL, NULL, 0, NULL, &icc)); ++ check(krb5_init_creds_set_password(ctx, icc, password)); ++ check(krb5_init_creds_get(ctx, icc)); ++ krb5_init_creds_free(ctx, icc); ++ } else { ++ /* Use the traditional one-shot interface. */ ++ check(krb5_get_init_creds_password(ctx, &creds, client, password, NULL, ++ NULL, 0, NULL, opt)); ++ krb5_free_cred_contents(ctx, &creds); ++ } + ++ krb5_get_init_creds_opt_free(ctx, opt); + krb5_free_principal(ctx, client); + krb5_free_context(ctx); + return 0; +diff --git a/src/tests/t_general.py b/src/tests/t_general.py +index 6d523fe45..b16cffa37 100755 +--- a/src/tests/t_general.py ++++ b/src/tests/t_general.py +@@ -30,6 +30,7 @@ conf={'plugins': {'pwqual': {'disable': 'empty'}}} + realm = K5Realm(create_user=False, create_host=False, krb5_conf=conf) + realm.run([kadminl, 'addprinc', '-pw', '', 'user']) + realm.run(['./icred', 'user', '']) ++realm.run(['./icred', '-s', 'user', '']) + realm.stop() + + realm = K5Realm(create_host=False) +diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py +index 38424932b..c25475096 100755 +--- a/src/tests/t_pkinit.py ++++ b/src/tests/t_pkinit.py +@@ -176,14 +176,20 @@ realm.klist(realm.user_princ) + + # Test a DH parameter renegotiation by temporarily setting a 4096-bit + # minimum on the KDC. (Preauth type 16 is PKINIT PA_PK_AS_REQ; +-# 133 is FAST PA-FX-COOKIE.) ++# 109 is PKINIT TD_DH_PARAMETERS; 133 is FAST PA-FX-COOKIE.) + minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}} + minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf) + realm.stop_kdc() + realm.start_kdc(env=minbits_env) +-expected_trace = ('Key parameters not accepted', +- 'Preauth tryagain input types', ++expected_trace = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Preauth module pkinit (16) (real) returned: 0/Success', ++ 'Produced preauth for next request: 133, 16', ++ '/Key parameters not accepted', ++ 'Preauth tryagain input types (16): 109, 133', + 'trying again with KDC-provided parameters', ++ 'Preauth module pkinit (16) tryagain returned: 0/Success', + 'Followup preauth for next request: 16, 133') + realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % file_identity], +diff --git a/src/tests/t_preauth.py b/src/tests/t_preauth.py +index 9b6da5a96..7d4d299dc 100644 +--- a/src/tests/t_preauth.py ++++ b/src/tests/t_preauth.py +@@ -18,11 +18,161 @@ out = realm.run([kinit, 'nokeyuser'], input=password('user')+'\n', + if 'no key' not in out: + fail('Expected "no key" message not in kinit output') + +-# Exercise KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and secure cookies. ++# Preauth type -123 is the test preauth module type; 133 is FAST ++# PA-FX-COOKIE; 2 is encrypted timestamp. ++ ++# Test normal preauth flow. ++expected_trace = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: 133, -123', ++ 'Decrypted AS reply') ++realm.run(['./icred', realm.user_princ, password('user')], ++ expected_msg='testval', expected_trace=expected_trace) ++ ++# Test successful optimistic preauth. ++expected_trace = ('Attempting optimistic preauth', ++ 'Processing preauth types: -123', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: -123', ++ 'Decrypted AS reply') ++realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')], ++ expected_trace=expected_trace) ++ ++# Test optimistic preauth failing on client, followed by successful ++# preauth using the same module. ++expected_trace = ('Attempting optimistic preauth', ++ 'Processing preauth types: -123', ++ '/induced optimistic fail', ++ 'Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: 133, -123', ++ 'Decrypted AS reply') ++realm.run(['./icred', '-o', '-123', '-X', 'fail_optimistic', realm.user_princ, ++ password('user')], expected_msg='testval', ++ expected_trace=expected_trace) ++ ++# Test optimistic preauth failing on KDC, followed by successful preauth ++# using the same module. ++realm.run([kadminl, 'setstr', realm.user_princ, 'failopt', 'yes']) ++expected_trace = ('Attempting optimistic preauth', ++ 'Processing preauth types: -123', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: -123', ++ '/Preauthentication failed', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: 133, -123', ++ 'Decrypted AS reply') ++realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')], ++ expected_msg='testval', expected_trace=expected_trace) ++realm.run([kadminl, 'delstr', realm.user_princ, 'failopt']) ++ ++# Test KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and secure cookies. + realm.run([kadminl, 'setstr', realm.user_princ, '2rt', 'secondtrip']) +-out = realm.run([kinit, realm.user_princ], input=password('user')+'\n') +-if '2rt: secondtrip' not in out: +- fail('multi round-trip cookie test') ++expected_trace = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: 133, -123', ++ '/More preauthentication data is required', ++ 'Continuing preauth mech -123', ++ 'Processing preauth types: -123, 133', ++ 'Produced preauth for next request: 133, -123', ++ 'Decrypted AS reply') ++realm.run(['./icred', realm.user_princ, password('user')], ++ expected_msg='2rt: secondtrip', expected_trace=expected_trace) ++ ++# Test client-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, ++# falling back to encrypted timestamp. ++expected_trace = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: 133, -123', ++ '/More preauthentication data is required', ++ 'Continuing preauth mech -123', ++ 'Processing preauth types: -123, 133', ++ '/induced 2rt fail', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Encrypted timestamp (for ', ++ 'module encrypted_timestamp (2) (real) returned: 0/Success', ++ 'Produced preauth for next request: 133, 2', ++ 'Decrypted AS reply') ++realm.run(['./icred', '-X', 'fail_2rt', realm.user_princ, password('user')], ++ expected_msg='2rt: secondtrip', expected_trace=expected_trace) ++ ++# Test KDC-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, ++# falling back to encrypted timestamp. ++realm.run([kadminl, 'setstr', realm.user_princ, 'fail2rt', 'yes']) ++expected_trace = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: 133, -123', ++ '/More preauthentication data is required', ++ 'Continuing preauth mech -123', ++ 'Processing preauth types: -123, 133', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: 133, -123', ++ '/Preauthentication failed', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Encrypted timestamp (for ', ++ 'module encrypted_timestamp (2) (real) returned: 0/Success', ++ 'Produced preauth for next request: 133, 2', ++ 'Decrypted AS reply') ++realm.run(['./icred', realm.user_princ, password('user')], ++ expected_msg='2rt: secondtrip', expected_trace=expected_trace) ++realm.run([kadminl, 'delstr', realm.user_princ, 'fail2rt']) ++ ++# Test tryagain flow by inducing a KDC_ERR_ENCTYPE_NOSUPP error on the KDC. ++realm.run([kadminl, 'setstr', realm.user_princ, 'err', 'testagain']) ++expected_trace = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: 133, -123', ++ '/KDC has no support for encryption type', ++ 'Recovering from KDC error 14 using preauth mech -123', ++ 'Preauth tryagain input types (-123): -123, 133', ++ 'Preauth module test (-123) tryagain returned: 0/Success', ++ 'Followup preauth for next request: -123, 133', ++ 'Decrypted AS reply') ++realm.run(['./icred', realm.user_princ, password('user')], ++ expected_msg='tryagain: testagain', expected_trace=expected_trace) ++ ++# Test a client-side tryagain failure, falling back to encrypted ++# timestamp. ++expected_trace = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: 133, -123', ++ '/KDC has no support for encryption type', ++ 'Recovering from KDC error 14 using preauth mech -123', ++ 'Preauth tryagain input types (-123): -123, 133', ++ '/induced tryagain fail', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Encrypted timestamp (for ', ++ 'module encrypted_timestamp (2) (real) returned: 0/Success', ++ 'Produced preauth for next request: 133, 2', ++ 'Decrypted AS reply') ++realm.run(['./icred', '-X', 'fail_tryagain', realm.user_princ, ++ password('user')], expected_trace=expected_trace) + + # Test that multiple stepwise initial creds operations can be + # performed with the same krb5_context, with proper tracking of diff --git a/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch b/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch index d9aecf6..f2b1fa8 100644 --- a/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch +++ b/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch @@ -8,7 +8,7 @@ everything but the make-certs change since infrastructure cannot patch binaries. Plan to run make-certs during build, but this will only work with openssl < 1.1. --- - src/tests/dejagnu/pkinit-certs/make-certs.sh | 53 +++++++++++++++++++++++++++- + src/tests/dejagnu/pkinit-certs/make-certs.sh | 53 +++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/dejagnu/pkinit-certs/make-certs.sh diff --git a/SOURCES/Add-tests-for-per-request-preauth-data-scoping.patch b/SOURCES/Add-tests-for-per-request-preauth-data-scoping.patch new file mode 100644 index 0000000..03d3b3e --- /dev/null +++ b/SOURCES/Add-tests-for-per-request-preauth-data-scoping.patch @@ -0,0 +1,228 @@ +From 996c0089cf2e3240e1b331555897e5bf83b023e7 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Wed, 4 Jan 2017 18:31:15 -0500 +Subject: [PATCH] Add tests for per-request preauth data scoping + +Add a test harness which interleaves calls for multiple initial creds +contexts using the same library context. Add a test case to +t_preauth.py using the new harness and the test preauth module to +verify that modreq pointers are correctly tracked. + +ticket: 7877 +(cherry picked from commit c0b25fe282355d4f329418956b9c6295780af633) +[rharwood@redhat.com: drop .gitignore] +--- + src/tests/Makefile.in | 23 +++++--- + src/tests/icinterleave.c | 124 +++++++++++++++++++++++++++++++++++++++ + src/tests/t_preauth.py | 13 ++++ + 3 files changed, 151 insertions(+), 9 deletions(-) + create mode 100644 src/tests/icinterleave.c + +diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in +index a2093108b..bd1b21346 100644 +--- a/src/tests/Makefile.in ++++ b/src/tests/Makefile.in +@@ -6,12 +6,12 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \ + RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \ + LC_ALL=C $(VALGRIND) + +-OBJS= adata.o etinfo.o forward.o gcred.o hist.o hooks.o hrealm.o icred.o \ +- kdbtest.o localauth.o plugorder.o rdreq.o responder.o s2p.o \ +- s4u2proxy.o unlockiter.o ++OBJS= adata.o etinfo.o forward.o gcred.o hist.o hooks.o hrealm.o \ ++ icinterleave.o icred.o kdbtest.o localauth.o plugorder.o rdreq.o \ ++ responder.o s2p.o s4u2proxy.o unlockiter.o + EXTRADEPSRCS= adata.c etinfo.c forward.c gcred.c hist.c hooks.c hrealm.c \ +- icred.c kdbtest.c localauth.c plugorder.c rdreq.o responder.c s2p.c \ +- s4u2proxy.c unlockiter.c ++ icinterleave.c icred.c kdbtest.c localauth.c plugorder.c rdreq.o \ ++ responder.c s2p.c s4u2proxy.c unlockiter.c + + TEST_DB = ./testdb + TEST_REALM = FOO.TEST.REALM +@@ -44,6 +44,9 @@ hooks: hooks.o $(KRB5_BASE_DEPLIBS) + hrealm: hrealm.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ hrealm.o $(KRB5_BASE_LIBS) + ++icinterleave: icinterleave.o $(KRB5_BASE_DEPLIBS) ++ $(CC_LINK) -o $@ icinterleave.o $(KRB5_BASE_LIBS) ++ + icred: icred.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ icred.o $(KRB5_BASE_LIBS) + +@@ -115,8 +118,9 @@ kdb_check: kdc.conf krb5.conf + $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f + $(RM) $(TEST_DB)* stash_file + +-check-pytests: adata etinfo forward gcred hist hooks hrealm icred kdbtest +-check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter ++check-pytests: adata etinfo forward gcred hist hooks hrealm icinterleave icred ++check-pytests: kdbtest localauth plugorder rdreq responder s2p s4u2proxy ++check-pytests: unlockiter + $(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_hooks.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS) +@@ -172,8 +176,9 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter + $(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS) + + clean: +- $(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest +- $(RM) localauth plugorder rdreq responder s2p s4u2proxy unlockiter ++ $(RM) adata etinfo forward gcred hist hooks hrealm icinterleave icred ++ $(RM) kdbtest localauth plugorder rdreq responder s2p s4u2proxy ++ $(RM) unlockiter + $(RM) krb5.conf kdc.conf + $(RM) -rf kdc_realm/sandbox ldap + $(RM) au.log +diff --git a/src/tests/icinterleave.c b/src/tests/icinterleave.c +new file mode 100644 +index 000000000..d76ecf361 +--- /dev/null ++++ b/src/tests/icinterleave.c +@@ -0,0 +1,124 @@ ++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ ++/* tests/icinterleave.c - interleaved init_creds_step test harness */ ++/* ++ * Copyright (C) 2017 by the Massachusetts Institute of Technology. ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * * Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * * Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS ++ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ++ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++/* ++ * This test harness performs multiple initial creds operations using ++ * krb5_init_creds_step(), interleaving the operations to test the scoping of ++ * the preauth state. All principals must have the same password (or not ++ * require a password). ++ */ ++ ++#include "k5-int.h" ++ ++static krb5_context ctx; ++ ++static void ++check(krb5_error_code code) ++{ ++ const char *errmsg; ++ ++ if (code) { ++ errmsg = krb5_get_error_message(ctx, code); ++ fprintf(stderr, "%s\n", errmsg); ++ krb5_free_error_message(ctx, errmsg); ++ exit(1); ++ } ++} ++ ++int ++main(int argc, char **argv) ++{ ++ const char *password; ++ char **princstrs; ++ krb5_principal client; ++ krb5_init_creds_context *iccs; ++ krb5_data req, *reps, realm; ++ krb5_boolean any_left; ++ int i, nclients, master; ++ unsigned int flags; ++ ++ if (argc < 3) { ++ fprintf(stderr, "Usage: icinterleave password princ1 princ2 ...\n"); ++ exit(1); ++ } ++ password = argv[1]; ++ princstrs = argv + 2; ++ nclients = argc - 2; ++ ++ check(krb5_init_context(&ctx)); ++ ++ /* Create an initial creds context for each client principal. */ ++ iccs = calloc(nclients, sizeof(*iccs)); ++ assert(iccs != NULL); ++ for (i = 0; i < nclients; i++) { ++ check(krb5_parse_name(ctx, princstrs[i], &client)); ++ check(krb5_init_creds_init(ctx, client, NULL, NULL, 0, NULL, ++ &iccs[i])); ++ check(krb5_init_creds_set_password(ctx, iccs[i], password)); ++ krb5_free_principal(ctx, client); ++ } ++ ++ reps = calloc(nclients, sizeof(*reps)); ++ assert(reps != NULL); ++ ++ any_left = TRUE; ++ while (any_left) { ++ any_left = FALSE; ++ for (i = 0; i < nclients; i++) { ++ if (iccs[i] == NULL) ++ continue; ++ any_left = TRUE; ++ ++ printf("step %d\n", i + 1); ++ ++ req = empty_data(); ++ realm = empty_data(); ++ check(krb5_init_creds_step(ctx, iccs[i], &reps[i], &req, &realm, ++ &flags)); ++ if (!(flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE)) { ++ printf("finish %d\n", i + 1); ++ krb5_init_creds_free(ctx, iccs[i]); ++ iccs[i] = NULL; ++ continue; ++ } ++ ++ master = 0; ++ krb5_free_data_contents(ctx, &reps[i]); ++ check(krb5_sendto_kdc(ctx, &req, &realm, &reps[i], &master, 0)); ++ krb5_free_data_contents(ctx, &req); ++ krb5_free_data_contents(ctx, &realm); ++ } ++ } ++ ++ krb5_free_context(ctx); ++ return 0; ++} +diff --git a/src/tests/t_preauth.py b/src/tests/t_preauth.py +index 0ef8bbca4..9b6da5a96 100644 +--- a/src/tests/t_preauth.py ++++ b/src/tests/t_preauth.py +@@ -24,4 +24,17 @@ out = realm.run([kinit, realm.user_princ], input=password('user')+'\n') + if '2rt: secondtrip' not in out: + fail('multi round-trip cookie test') + ++# Test that multiple stepwise initial creds operations can be ++# performed with the same krb5_context, with proper tracking of ++# clpreauth module request handles. ++realm.run([kadminl, 'addprinc', '-pw', 'pw', 'u1']) ++realm.run([kadminl, 'addprinc', '+requires_preauth', '-pw', 'pw', 'u2']) ++realm.run([kadminl, 'addprinc', '+requires_preauth', '-pw', 'pw', 'u3']) ++realm.run([kadminl, 'setstr', 'u2', '2rt', 'extra']) ++out = realm.run(['./icinterleave', 'pw', 'u1', 'u2', 'u3']) ++if out != ('step 1\nstep 2\nstep 3\nstep 1\nfinish 1\nstep 2\nno attr\n' ++ 'step 3\nno attr\nstep 2\n2rt: extra\nstep 3\nfinish 3\nstep 2\n' ++ 'finish 2\n'): ++ fail('unexpected output from icinterleave') ++ + success('Pre-authentication framework tests') diff --git a/SOURCES/Add-timestamp-tests.patch b/SOURCES/Add-timestamp-tests.patch index 74d0fb9..a203d59 100644 --- a/SOURCES/Add-timestamp-tests.patch +++ b/SOURCES/Add-timestamp-tests.patch @@ -18,14 +18,14 @@ ticket: 8352 src/Makefile.in | 1 + src/config/pre.in | 2 + src/configure.in | 3 + - src/lib/krb5/krb/Makefile.in | 14 ++-- - src/lib/krb5/krb/t_valid_times.c | 109 ++++++++++++++++++++++++++++++ + src/lib/krb5/krb/Makefile.in | 14 +++- + src/lib/krb5/krb/t_valid_times.c | 109 ++++++++++++++++++++++++ src/tests/Makefile.in | 1 + - src/tests/gssapi/Makefile.in | 27 ++++---- - src/tests/gssapi/t_gssapi.py | 32 +++++++++ - src/tests/gssapi/t_lifetime.c | 140 +++++++++++++++++++++++++++++++++++++++ + src/tests/gssapi/Makefile.in | 27 +++--- + src/tests/gssapi/t_gssapi.py | 32 +++++++ + src/tests/gssapi/t_lifetime.c | 140 +++++++++++++++++++++++++++++++ src/tests/t_kdb.py | 7 ++ - src/tests/t_y2038.py | 75 +++++++++++++++++++++ + src/tests/t_y2038.py | 75 +++++++++++++++++ 11 files changed, 395 insertions(+), 16 deletions(-) create mode 100644 src/lib/krb5/krb/t_valid_times.c create mode 100644 src/tests/gssapi/t_lifetime.c diff --git a/SOURCES/Add-vector-support-to-k5_sha256.patch b/SOURCES/Add-vector-support-to-k5_sha256.patch new file mode 100644 index 0000000..9591995 --- /dev/null +++ b/SOURCES/Add-vector-support-to-k5_sha256.patch @@ -0,0 +1,106 @@ +From c886bef63a4820d12fbc956f62747840fba8a88e Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Sat, 3 Feb 2018 20:53:42 -0500 +Subject: [PATCH] Add vector support to k5_sha256() + +Add a length argument so that multiple krb5_data values can be passed +to k5_sha256(), for efficient computation of SHA-256 hashes over +concatenations of data values. + +(cherry picked from commit 4f3373e8c55b3e9bdfb5b065e07214c5816c85fa) +--- + src/include/k5-int.h | 4 ++-- + src/lib/crypto/builtin/sha2/sha256.c | 6 ++++-- + src/lib/crypto/crypto_tests/t_sha2.c | 2 +- + src/lib/crypto/openssl/sha256.c | 6 ++++-- + src/lib/krb5/rcache/rc_conv.c | 2 +- + 5 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 10b034037..7c549bce2 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -634,9 +634,9 @@ krb5int_arcfour_gsscrypt(const krb5_keyblock *keyblock, krb5_keyusage usage, + + #define K5_SHA256_HASHLEN (256 / 8) + +-/* Write the SHA-256 hash of in to out. */ ++/* Write the SHA-256 hash of in (containing n elements) to out. */ + krb5_error_code +-k5_sha256(const krb5_data *in, uint8_t out[K5_SHA256_HASHLEN]); ++k5_sha256(const krb5_data *in, size_t n, uint8_t out[K5_SHA256_HASHLEN]); + + /* + * Attempt to zero memory in a way that compilers won't optimize out. +diff --git a/src/lib/crypto/builtin/sha2/sha256.c b/src/lib/crypto/builtin/sha2/sha256.c +index e34bed575..4b5fe10a3 100644 +--- a/src/lib/crypto/builtin/sha2/sha256.c ++++ b/src/lib/crypto/builtin/sha2/sha256.c +@@ -257,12 +257,14 @@ k5_sha256_final(void *res, SHA256_CTX *m) + } + + krb5_error_code +-k5_sha256(const krb5_data *in, uint8_t out[K5_SHA256_HASHLEN]) ++k5_sha256(const krb5_data *in, size_t n, uint8_t out[K5_SHA256_HASHLEN]) + { + SHA256_CTX ctx; ++ size_t i; + + k5_sha256_init(&ctx); +- k5_sha256_update(&ctx, in->data, in->length); ++ for (i = 0; i < n; i++) ++ k5_sha256_update(&ctx, in[i].data, in[i].length); + k5_sha256_final(out, &ctx); + return 0; + } +diff --git a/src/lib/crypto/crypto_tests/t_sha2.c b/src/lib/crypto/crypto_tests/t_sha2.c +index 12f32869b..e6fa58498 100644 +--- a/src/lib/crypto/crypto_tests/t_sha2.c ++++ b/src/lib/crypto/crypto_tests/t_sha2.c +@@ -125,7 +125,7 @@ hash_test(const struct krb5_hash_provider *hash, struct test *tests) + + if (hash == &krb5int_hash_sha256) { + /* Try again using k5_sha256(). */ +- if (k5_sha256(&iov.data, (uint8_t *)hval.data) != 0) ++ if (k5_sha256(&iov.data, 1, (uint8_t *)hval.data) != 0) + abort(); + if (memcmp(hval.data, t->hash, hval.length) != 0) + abort(); +diff --git a/src/lib/crypto/openssl/sha256.c b/src/lib/crypto/openssl/sha256.c +index fa095d472..0edd8b7ba 100644 +--- a/src/lib/crypto/openssl/sha256.c ++++ b/src/lib/crypto/openssl/sha256.c +@@ -34,16 +34,18 @@ + #include + + krb5_error_code +-k5_sha256(const krb5_data *in, uint8_t out[K5_SHA256_HASHLEN]) ++k5_sha256(const krb5_data *in, size_t n, uint8_t out[K5_SHA256_HASHLEN]) + { + EVP_MD_CTX *ctx; ++ size_t i; + int ok; + + ctx = EVP_MD_CTX_new(); + if (ctx == NULL) + return ENOMEM; + ok = EVP_DigestInit_ex(ctx, EVP_sha256(), NULL); +- ok = ok && EVP_DigestUpdate(ctx, in->data, in->length); ++ for (i = 0; i < n; i++) ++ ok = ok && EVP_DigestUpdate(ctx, in[i].data, in[i].length); + ok = ok && EVP_DigestFinal_ex(ctx, out, NULL); + EVP_MD_CTX_free(ctx); + return ok ? 0 : ENOMEM; +diff --git a/src/lib/krb5/rcache/rc_conv.c b/src/lib/krb5/rcache/rc_conv.c +index 0e021f5d8..f2fe528ac 100644 +--- a/src/lib/krb5/rcache/rc_conv.c ++++ b/src/lib/krb5/rcache/rc_conv.c +@@ -58,7 +58,7 @@ krb5_rc_hash_message(krb5_context context, const krb5_data *message, + *out = NULL; + + /* Calculate the binary checksum. */ +- retval = k5_sha256(message, cksum); ++ retval = k5_sha256(message, 1, cksum); + if (retval) + return retval; + diff --git a/SOURCES/Adjust-processing-of-pa_type-ccache-config.patch b/SOURCES/Adjust-processing-of-pa_type-ccache-config.patch new file mode 100644 index 0000000..d6e3297 --- /dev/null +++ b/SOURCES/Adjust-processing-of-pa_type-ccache-config.patch @@ -0,0 +1,121 @@ +From 5c71088657f56a26f367aeebe905df51b38be434 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Fri, 13 Jan 2017 10:14:36 -0500 +Subject: [PATCH] Adjust processing of pa_type ccache config + +Read the allowed preauth type from the input ccache in +restart_init_creds_loop(); there is no need to reread it each time we +produce a request. Move read_allowed_preauth_type() earlier in the +file to allow it to be called from restart_init_creds_loop() without a +prototype. + +Clear the selected preauth type in restart_init_creds_loop(), not in +init_creds_step_request(). We want to make sure that it doesn't +survive a restart due to a realm referral or expiry, but we don't want +to forget about it when retrying after an error. + +(cherry picked from commit 468c6eb7bb860f7ec0381086a22859f822b41c43) +--- + src/lib/krb5/krb/get_in_tkt.c | 61 ++++++++++++++++++----------------- + 1 file changed, 31 insertions(+), 30 deletions(-) + +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index 52e07bb67..da12204ac 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -791,6 +791,31 @@ set_request_times(krb5_context context, krb5_init_creds_context ctx) + return 0; + } + ++static void ++read_allowed_preauth_type(krb5_context context, krb5_init_creds_context ctx) ++{ ++ krb5_error_code ret; ++ krb5_data config; ++ char *tmp, *p; ++ krb5_ccache in_ccache = k5_gic_opt_get_in_ccache(ctx->opt); ++ ++ ctx->allowed_preauth_type = KRB5_PADATA_NONE; ++ if (in_ccache == NULL) ++ return; ++ memset(&config, 0, sizeof(config)); ++ if (krb5_cc_get_config(context, in_ccache, ctx->request->server, ++ KRB5_CC_CONF_PA_TYPE, &config) != 0) ++ return; ++ tmp = k5memdup0(config.data, config.length, &ret); ++ krb5_free_data_contents(context, &config); ++ if (tmp == NULL) ++ return; ++ ctx->allowed_preauth_type = strtol(tmp, &p, 10); ++ if (p == NULL || *p != '\0') ++ ctx->allowed_preauth_type = KRB5_PADATA_NONE; ++ free(tmp); ++} ++ + /** + * Throw away any pre-authentication realm state and begin with a + * unauthenticated or optimistically authenticated request. If fast_upgrade is +@@ -807,6 +832,7 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx, + krb5_free_error(context, ctx->err_reply); + ctx->preauth_to_use = ctx->err_padata = NULL; + ctx->err_reply = NULL; ++ ctx->selected_preauth_type = KRB5_PADATA_NONE; + + krb5int_fast_free_state(context, ctx->fast_state); + ctx->fast_state = NULL; +@@ -849,6 +875,11 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx, + &ctx->outer_request_body); + if (code != 0) + goto cleanup; ++ ++ /* Read the allowed preauth type for this server principal from the input ++ * ccache, if the application supplied one. */ ++ read_allowed_preauth_type(context, ctx); ++ + cleanup: + return code; + } +@@ -1154,31 +1185,6 @@ init_creds_validate_reply(krb5_context context, + return 0; + } + +-static void +-read_allowed_preauth_type(krb5_context context, krb5_init_creds_context ctx) +-{ +- krb5_error_code ret; +- krb5_data config; +- char *tmp, *p; +- krb5_ccache in_ccache = k5_gic_opt_get_in_ccache(ctx->opt); +- +- ctx->allowed_preauth_type = KRB5_PADATA_NONE; +- if (in_ccache == NULL) +- return; +- memset(&config, 0, sizeof(config)); +- if (krb5_cc_get_config(context, in_ccache, ctx->request->server, +- KRB5_CC_CONF_PA_TYPE, &config) != 0) +- return; +- tmp = k5memdup0(config.data, config.length, &ret); +- krb5_free_data_contents(context, &config); +- if (tmp == NULL) +- return; +- ctx->allowed_preauth_type = strtol(tmp, &p, 10); +- if (p == NULL || *p != '\0') +- ctx->allowed_preauth_type = KRB5_PADATA_NONE; +- free(tmp); +-} +- + static krb5_error_code + save_selected_preauth_type(krb5_context context, krb5_ccache ccache, + krb5_init_creds_context ctx) +@@ -1317,11 +1323,6 @@ init_creds_step_request(krb5_context context, + if (code) + goto cleanup; + +- /* Read the allowed patype for this server principal from the in_ccache, +- * if the application supplied one. */ +- read_allowed_preauth_type(context, ctx); +- ctx->selected_preauth_type = KRB5_PADATA_NONE; +- + /* + * Read cached preauth configuration data for this server principal from + * the in_ccache, if the application supplied one, and delete any that was diff --git a/SOURCES/Continue-after-KDC_ERR_PREAUTH_FAILED.patch b/SOURCES/Continue-after-KDC_ERR_PREAUTH_FAILED.patch new file mode 100644 index 0000000..b67622d --- /dev/null +++ b/SOURCES/Continue-after-KDC_ERR_PREAUTH_FAILED.patch @@ -0,0 +1,100 @@ +From 64c15ad2b8f4af57ffd998fc27f3781cc02bff29 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Mon, 16 Jan 2017 15:09:32 -0500 +Subject: [PATCH] Continue after KDC_ERR_PREAUTH_FAILED + +If the KDC sends KDC_ERR_PREAUTH_FAILED, try another mechanism, or +send an unauthenticated request if optimistic preauth failed. + +ticket: 8537 +(cherry picked from commit 52d2de31bc4728dbc2f59c6033dcdab86da919e9) +--- + src/lib/krb5/krb/get_in_tkt.c | 45 ++++++++++++++++++++++++++++------- + 1 file changed, 36 insertions(+), 9 deletions(-) + +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index 8d0f964f9..c7d7bfe74 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1308,6 +1308,7 @@ init_creds_step_request(krb5_context context, + krb5_error_code code; + krb5_preauthtype pa_type; + struct errinfo save = EMPTY_ERRINFO; ++ uint32_t rcode = (ctx->err_reply == NULL) ? 0 : ctx->err_reply->error; + + if (ctx->loopcount >= MAX_IN_TKT_LOOPS) { + code = KRB5_GET_IN_TKT_LOOP; +@@ -1358,8 +1359,10 @@ init_creds_step_request(krb5_context context, + TRACE_INIT_CREDS_PREAUTH_MORE(context, ctx->selected_preauth_type); + code = k5_preauth(context, ctx, ctx->more_padata, TRUE, + &ctx->request->padata, &pa_type); +- } else if (ctx->err_reply != NULL && +- ctx->err_reply->error != KDC_ERR_PREAUTH_REQUIRED) { ++ } else if (rcode == KDC_ERR_PREAUTH_FAILED) { ++ /* Report the KDC-side failure code if we can't try another mech. */ ++ code = KRB5KDC_ERR_PREAUTH_FAILED; ++ } else if (rcode && rcode != KDC_ERR_PREAUTH_REQUIRED) { + /* Retrying after an error (possibly mechanism-specific), using error + * padata to figure out what to change. */ + TRACE_INIT_CREDS_PREAUTH_TRYAGAIN(context, ctx->err_reply->error, +@@ -1380,7 +1383,7 @@ init_creds_step_request(krb5_context context, + + if (ctx->request->padata == NULL && ctx->method_padata != NULL) { + /* Retrying after KDC_ERR_PREAUTH_REQUIRED, or trying again with a +- * different mechanism after a client-side failure. */ ++ * different mechanism after a failure. */ + TRACE_INIT_CREDS_PREAUTH(context); + code = k5_preauth(context, ctx, ctx->method_padata, TRUE, + &ctx->request->padata, &ctx->selected_preauth_type); +@@ -1480,6 +1483,18 @@ is_referral(krb5_context context, krb5_error *err, krb5_principal client) + return !krb5_realm_compare(context, err->client, client); + } + ++/* Transfer error padata to method data in ctx and sort it according to ++ * configuration. */ ++static krb5_error_code ++accept_method_data(krb5_context context, krb5_init_creds_context ctx) ++{ ++ krb5_free_pa_data(context, ctx->method_padata); ++ ctx->method_padata = ctx->err_padata; ++ ctx->err_padata = NULL; ++ return sort_krb5_padata_sequence(context, &ctx->request->client->realm, ++ ctx->method_padata); ++} ++ + static krb5_error_code + init_creds_step_reply(krb5_context context, + krb5_init_creds_context ctx, +@@ -1538,14 +1553,26 @@ init_creds_step_reply(krb5_context context, + ctx->restarted = FALSE; + code = restart_init_creds_loop(context, ctx, FALSE); + } else if (reply_code == KDC_ERR_PREAUTH_REQUIRED && retry) { +- krb5_free_pa_data(context, ctx->method_padata); +- ctx->method_padata = ctx->err_padata; +- ctx->err_padata = NULL; + note_req_timestamp(context, ctx, ctx->err_reply->stime, + ctx->err_reply->susec); +- code = sort_krb5_padata_sequence(context, +- &ctx->request->client->realm, +- ctx->method_padata); ++ code = accept_method_data(context, ctx); ++ } else if (reply_code == KDC_ERR_PREAUTH_FAILED && retry) { ++ note_req_timestamp(context, ctx, ctx->err_reply->stime, ++ ctx->err_reply->susec); ++ if (ctx->method_padata == NULL) { ++ /* Optimistic preauth failed on the KDC. Allow all mechanisms ++ * to be tried again using method data. */ ++ k5_reset_preauth_types_tried(ctx); ++ } else { ++ /* Don't try again with the mechanism that failed. */ ++ code = k5_preauth_note_failed(ctx, ctx->selected_preauth_type); ++ if (code) ++ goto cleanup; ++ } ++ ctx->selected_preauth_type = KRB5_PADATA_NONE; ++ /* Accept or update method data if the KDC sent it. */ ++ if (ctx->err_padata != NULL) ++ code = accept_method_data(context, ctx); + } else if (reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED && retry) { + ctx->more_padata = ctx->err_padata; + ctx->err_padata = NULL; diff --git a/SOURCES/Continue-after-KRB5_CC_END-in-KCM-cache-iteration.patch b/SOURCES/Continue-after-KRB5_CC_END-in-KCM-cache-iteration.patch new file mode 100644 index 0000000..6ba7e0e --- /dev/null +++ b/SOURCES/Continue-after-KRB5_CC_END-in-KCM-cache-iteration.patch @@ -0,0 +1,42 @@ +From 0890a832accffe4ddfb882528346b3d9c65b351c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Wed, 28 Mar 2018 18:27:06 +0200 +Subject: [PATCH] Continue after KRB5_CC_END in KCM cache iteration + +The KCM server returns KRB5_CC_END in response to a GET_CACHE_BY_UUID +request to indicate that the specified ccache uuid no longer exists. +In krb5_ptcursor_next(), ignore this error and continue the iteration, +as the Heimdal KCM client code does. + +In addition to addressing the case where a third party deletes a cache +between the GET_CACHE_UUID_LIST request and when we reach that uuid in +the iteration, this change also fixes a bug in kdestroy -A where the +caller deletes the primary cache and we later request it by uuid when +iterating over the list. + +[ghudson@mit.edu: rewrote commit message; edited comment] + +(cherry picked from commit 49087f5e6309f298f8898c35af6f4ade418ced60) + +ticket: 8658 +version_fixed: 1.16.1 + +(cherry picked from commit 576d4294ea789c3d25c50a43fe9246cfe499585f) +--- + src/lib/krb5/ccache/cc_kcm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c +index a889e67b4..a3afd7056 100644 +--- a/src/lib/krb5/ccache/cc_kcm.c ++++ b/src/lib/krb5/ccache/cc_kcm.c +@@ -966,6 +966,9 @@ kcm_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor, + kcmreq_init(&req, KCM_OP_GET_CACHE_BY_UUID, NULL); + k5_buf_add_len(&req.reqbuf, id, KCM_UUID_LEN); + ret = kcmio_call(context, data->io, &req); ++ /* Continue if the cache has been deleted. */ ++ if (ret == KRB5_CC_END) ++ continue; + if (ret) + goto cleanup; + ret = kcmreq_get_name(&req, &name); diff --git a/SOURCES/Continue-preauth-after-client-side-failures.patch b/SOURCES/Continue-preauth-after-client-side-failures.patch new file mode 100644 index 0000000..14c069f --- /dev/null +++ b/SOURCES/Continue-preauth-after-client-side-failures.patch @@ -0,0 +1,109 @@ +From 0cd770449a733a8b3a853531a562c91883ccac27 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Sat, 14 Jan 2017 13:55:22 -0500 +Subject: [PATCH] Continue preauth after client-side failures + +If the module for the selected preauth mechanism fails when processing +a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error, or fails a tryagain +operation, try again with a different preauth mech using the cached +method data. + +If optimistic preauth fails on the client side, send an +unauthenticated request, allowing the mechanisms we tried +optimistically to be tried again. + +ticket: 8537 +(cherry picked from commit 644840a207917661a6ccf706e7830bec273e23b3) +--- + src/lib/krb5/krb/get_in_tkt.c | 49 +++++++++++++++++++++++------------ + 1 file changed, 32 insertions(+), 17 deletions(-) + +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index 8c7919e65..8d0f964f9 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1307,6 +1307,7 @@ init_creds_step_request(krb5_context context, + { + krb5_error_code code; + krb5_preauthtype pa_type; ++ struct errinfo save = EMPTY_ERRINFO; + + if (ctx->loopcount >= MAX_IN_TKT_LOOPS) { + code = KRB5_GET_IN_TKT_LOOP; +@@ -1341,38 +1342,51 @@ init_creds_step_request(krb5_context context, + if (ctx->optimistic_padata != NULL) { + /* Our first attempt, using an optimistic padata list. */ + TRACE_INIT_CREDS_PREAUTH_OPTIMISTIC(context); +- code = k5_preauth(context, ctx, ctx->optimistic_padata, FALSE, ++ code = k5_preauth(context, ctx, ctx->optimistic_padata, TRUE, + &ctx->request->padata, &ctx->selected_preauth_type); + krb5_free_pa_data(context, ctx->optimistic_padata); + ctx->optimistic_padata = NULL; +- if (code != 0) +- goto cleanup; ++ if (code) { ++ /* Make an unauthenticated request, and possibly try again using ++ * the same mechanisms as we tried optimistically. */ ++ k5_reset_preauth_types_tried(ctx); ++ krb5_clear_error_message(context); ++ code = 0; ++ } + } if (ctx->more_padata != NULL) { + /* Continuing after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */ + TRACE_INIT_CREDS_PREAUTH_MORE(context, ctx->selected_preauth_type); + code = k5_preauth(context, ctx, ctx->more_padata, TRUE, + &ctx->request->padata, &pa_type); +- if (code != 0) +- goto cleanup; + } else if (ctx->err_reply != NULL && +- ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED) { +- /* Continuing after KDC_ERR_PREAUTH_REQUIRED, using method data. */ +- TRACE_INIT_CREDS_PREAUTH(context); +- code = k5_preauth(context, ctx, ctx->method_padata, TRUE, +- &ctx->request->padata, &ctx->selected_preauth_type); +- if (code != 0) +- goto cleanup; +- } else if (ctx->err_reply != NULL) { +- /* Retry after an error other than PREAUTH_REQUIRED, using error padata +- * to figure out what to change. */ ++ ctx->err_reply->error != KDC_ERR_PREAUTH_REQUIRED) { ++ /* Retrying after an error (possibly mechanism-specific), using error ++ * padata to figure out what to change. */ + TRACE_INIT_CREDS_PREAUTH_TRYAGAIN(context, ctx->err_reply->error, + ctx->selected_preauth_type); + code = k5_preauth_tryagain(context, ctx, ctx->selected_preauth_type, + ctx->err_reply, ctx->err_padata, + &ctx->request->padata); +- if (code != 0) { +- /* couldn't come up with anything better */ ++ if (code) { ++ krb5_clear_error_message(context); + code = ctx->err_reply->error + ERROR_TABLE_BASE_krb5; ++ } ++ } ++ if (code) { ++ /* See if we can try a different preauth mech before giving up. */ ++ k5_save_ctx_error(context, code, &save); ++ ctx->selected_preauth_type = KRB5_PADATA_NONE; ++ } ++ ++ if (ctx->request->padata == NULL && ctx->method_padata != NULL) { ++ /* Retrying after KDC_ERR_PREAUTH_REQUIRED, or trying again with a ++ * different mechanism after a client-side failure. */ ++ TRACE_INIT_CREDS_PREAUTH(context); ++ code = k5_preauth(context, ctx, ctx->method_padata, TRUE, ++ &ctx->request->padata, &ctx->selected_preauth_type); ++ if (code) { ++ if (save.code != 0) ++ code = k5_restore_ctx_error(context, &save); + goto cleanup; + } + } +@@ -1413,6 +1427,7 @@ init_creds_step_request(krb5_context context, + cleanup: + krb5_free_pa_data(context, ctx->request->padata); + ctx->request->padata = NULL; ++ k5_clear_error(&save); + return code; + } + diff --git a/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch b/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch index b7620fc..5b55956 100644 --- a/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch +++ b/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch @@ -7,11 +7,11 @@ ticket: 8568 (new) (cherry picked from commit 9852862a83952a94300adfafa3e333f43396ec33) (cherry picked from commit 686fa6476eb759532d566794fa8d430774d44cf7) --- - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 46 ++++++--------- - src/plugins/preauth/pkinit/pkinit_identity.c | 3 - - src/plugins/preauth/pkinit/pkinit_matching.c | 1 + - src/plugins/preauth/pkinit/pkinit_srv.c | 24 ++++---- - src/plugins/preauth/pkinit/pkinit_trace.h | 68 +++++++++++++++++++++- + .../preauth/pkinit/pkinit_crypto_openssl.c | 46 +++++-------- + src/plugins/preauth/pkinit/pkinit_identity.c | 3 - + src/plugins/preauth/pkinit/pkinit_matching.c | 1 + + src/plugins/preauth/pkinit/pkinit_srv.c | 24 +++---- + src/plugins/preauth/pkinit/pkinit_trace.h | 68 ++++++++++++++++++- 5 files changed, 97 insertions(+), 45 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c diff --git a/SOURCES/Deindent-crypto_retrieve_X509_sans.patch b/SOURCES/Deindent-crypto_retrieve_X509_sans.patch index 330820d..d9878d7 100644 --- a/SOURCES/Deindent-crypto_retrieve_X509_sans.patch +++ b/SOURCES/Deindent-crypto_retrieve_X509_sans.patch @@ -10,7 +10,7 @@ return parameters are always initialized. (cherry picked from commit c6b772523db9d7791ee1c56eb512c4626556a4e7) (cherry picked from commit 23086ac768a32db1e40a9b63684dbcfd76aba033) --- - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 224 +++++++++++---------- + .../preauth/pkinit/pkinit_crypto_openssl.c | 224 +++++++++--------- 1 file changed, 114 insertions(+), 110 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c diff --git a/SOURCES/Document-and-check-init_creds-context-requirement.patch b/SOURCES/Document-and-check-init_creds-context-requirement.patch new file mode 100644 index 0000000..fa99298 --- /dev/null +++ b/SOURCES/Document-and-check-init_creds-context-requirement.patch @@ -0,0 +1,127 @@ +From 7a9917db6b72d47cd19fb54dc34fc409353a3ea4 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Mon, 9 Jan 2017 11:44:29 -0500 +Subject: [PATCH] Document and check init_creds context requirement + +To ensure that the same clpreauth plugin modules and moddata pointers +are used for each step of an initial creds operation, the caller must +use the same library context for krb5_init_creds_init(), +krb5_init_creds_step(), and krb5_init_creds_free(). Document and +enforce this requirement. + +ticket: 7877 +(cherry picked from commit c4beb35c9ac0711ef650abc4f1e44a4c82d5f3d0) +--- + src/include/krb5/krb5.hin | 13 +++++++++++++ + src/lib/krb5/krb/get_in_tkt.c | 6 +++++- + src/lib/krb5/krb/int-proto.h | 3 +++ + src/lib/krb5/krb/preauth2.c | 13 +++++++++++++ + 4 files changed, 34 insertions(+), 1 deletion(-) + +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index 53ad85384..28557659e 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin +@@ -7321,6 +7321,9 @@ typedef struct _krb5_init_creds_context *krb5_init_creds_context; + * + * @param [in] context Library context + * @param [in] ctx Initial credentials context ++ * ++ * @a context must be the same as the one passed to krb5_init_creds_init() for ++ * this initial credentials context. + */ + void KRB5_CALLCONV + krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx); +@@ -7335,6 +7338,9 @@ krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx); + * krb5_init_creds_init(). On successful return, the credentials can be + * retrieved with krb5_init_creds_get_creds(). + * ++ * @a context must be the same as the one passed to krb5_init_creds_init() for ++ * this initial credentials context. ++ * + * @retval 0 Success; otherwise - Kerberos error codes + */ + krb5_error_code KRB5_CALLCONV +@@ -7385,6 +7391,10 @@ krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx, + * This function creates a new context for acquiring initial credentials. Use + * krb5_init_creds_free() to free @a ctx when it is no longer needed. + * ++ * Any subsequent calls to krb5_init_creds_step(), krb5_init_creds_get(), or ++ * krb5_init_creds_free() for this initial credentials context must use the ++ * same @a context argument as the one passed to this function. ++ * + * @retval 0 Success; otherwise - Kerberos error codes + */ + krb5_error_code KRB5_CALLCONV +@@ -7434,6 +7444,9 @@ krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx, + * transmit the next request using TCP rather than UDP. If this function + * returns any other error, the initial credential exchange has failed. + * ++ * @a context must be the same as the one passed to krb5_init_creds_init() for ++ * this initial credentials context. ++ * + * @retval 0 Success; otherwise - Kerberos error codes + */ + krb5_error_code KRB5_CALLCONV +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index 80f5e1870..52e07bb67 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1667,7 +1667,7 @@ krb5_init_creds_step(krb5_context context, + krb5_data *realm, + unsigned int *flags) + { +- krb5_error_code code = 0, code2; ++ krb5_error_code code, code2; + + *flags = 0; + +@@ -1680,6 +1680,10 @@ krb5_init_creds_step(krb5_context context, + if (ctx->complete) + return EINVAL; + ++ code = k5_preauth_check_context(context, ctx); ++ if (code) ++ return code; ++ + if (in->length != 0) { + code = init_creds_step_reply(context, ctx, in); + if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG) { +diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h +index f1667c238..628f0baa8 100644 +--- a/src/lib/krb5/krb/int-proto.h ++++ b/src/lib/krb5/krb/int-proto.h +@@ -208,6 +208,9 @@ void + k5_preauth_request_context_fini(krb5_context context, + krb5_init_creds_context ctx); + ++krb5_error_code ++k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx); ++ + krb5_error_code + k5_response_items_new(k5_response_items **ri_out); + +diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c +index 9a178f4e3..9c5d6eaa9 100644 +--- a/src/lib/krb5/krb/preauth2.c ++++ b/src/lib/krb5/krb/preauth2.c +@@ -296,6 +296,19 @@ k5_preauth_request_context_fini(krb5_context context, + ctx->preauth_reqctx = NULL; + } + ++krb5_error_code ++k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx) ++{ ++ krb5_preauth_req_context reqctx = ctx->preauth_reqctx; ++ ++ if (reqctx != NULL && reqctx->orig_context != context) { ++ k5_setmsg(context, EINVAL, ++ _("krb5_init_creds calls must use same library context")); ++ return EINVAL; ++ } ++ return 0; ++} ++ + /* Return 1 if pa_type is a real preauthentication mechanism according to the + * module h. Return 0 if it is not. */ + static int diff --git a/SOURCES/Echo-KDC-cookies-in-preauth-tryagain.patch b/SOURCES/Echo-KDC-cookies-in-preauth-tryagain.patch new file mode 100644 index 0000000..7370542 --- /dev/null +++ b/SOURCES/Echo-KDC-cookies-in-preauth-tryagain.patch @@ -0,0 +1,76 @@ +From 7deb721e6eeb51be30c147240426c19a0c7beede Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Sat, 21 Jan 2017 13:20:38 -0500 +Subject: [PATCH] Echo KDC cookies in preauth tryagain + +When trying again after a mechanism-specific error, we should send the +KDC cookie for conformance with RFC 6113. + +ticket: 8539 +(cherry picked from commit 25f12e90d98b677d0a72893b3c6eb859377aee68) +[rharwood@redhat.com: backport around expected_trace] +--- + src/lib/krb5/krb/preauth2.c | 8 +++++++- + src/tests/t_pkinit.py | 19 +++++++++---------- + 2 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c +index 9c5d6eaa9..cfe3dd5b0 100644 +--- a/src/lib/krb5/krb/preauth2.c ++++ b/src/lib/krb5/krb/preauth2.c +@@ -923,7 +923,7 @@ k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, + krb5_pa_data **mod_pa; + krb5_clpreauth_modreq modreq; + clpreauth_handle h; +- int i; ++ int i, count; + + *padata_out = NULL; + +@@ -942,6 +942,12 @@ k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, + ctx->err_reply, ctx->err_padata, + ctx->prompter, ctx->prompter_data, &mod_pa); + if (ret == 0 && mod_pa != NULL) { ++ for (count = 0; mod_pa[count] != NULL; count++); ++ ret = copy_cookie(context, ctx->err_padata, &mod_pa, &count); ++ if (ret) { ++ krb5_free_pa_data(context, mod_pa); ++ return ret; ++ } + TRACE_PREAUTH_TRYAGAIN_OUTPUT(context, mod_pa); + *padata_out = mod_pa; + return 0; +diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py +index 183977750..38424932b 100755 +--- a/src/tests/t_pkinit.py ++++ b/src/tests/t_pkinit.py +@@ -175,20 +175,19 @@ realm.kinit(realm.user_princ, + realm.klist(realm.user_princ) + + # Test a DH parameter renegotiation by temporarily setting a 4096-bit +-# minimum on the KDC. +-tracefile = os.path.join(realm.testdir, 'trace') ++# minimum on the KDC. (Preauth type 16 is PKINIT PA_PK_AS_REQ; ++# 133 is FAST PA-FX-COOKIE.) + minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}} + minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf) + realm.stop_kdc() + realm.start_kdc(env=minbits_env) +-realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-X', +- 'X509_user_identity=' + file_identity, realm.user_princ]) +-with open(tracefile, 'r') as f: +- trace = f.read() +-if ('Key parameters not accepted' not in trace or +- 'Preauth tryagain input types' not in trace or +- 'trying again with KDC-provided parameters' not in trace): +- fail('DH renegotiation steps not found in kinit trace log') ++expected_trace = ('Key parameters not accepted', ++ 'Preauth tryagain input types', ++ 'trying again with KDC-provided parameters', ++ 'Followup preauth for next request: 16, 133') ++realm.kinit(realm.user_princ, ++ flags=['-X', 'X509_user_identity=%s' % file_identity], ++ expected_trace=expected_trace) + realm.stop_kdc() + realm.start_kdc() + diff --git a/SOURCES/Exit-with-status-0-from-kadmind.patch b/SOURCES/Exit-with-status-0-from-kadmind.patch new file mode 100644 index 0000000..9d85255 --- /dev/null +++ b/SOURCES/Exit-with-status-0-from-kadmind.patch @@ -0,0 +1,32 @@ +From f77de343e052ad66324eda13cf8dd9b9e131590c Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 14 Mar 2018 14:31:22 -0400 +Subject: [PATCH] Exit with status 0 from kadmind + +Typically, 0 denotes successful exit. In particular, init systems +will complain if another different value is returned. This presents a +problem for automated installation jobs which want to restart kadmind. + +`service kadmin stop` typically sends SIGTERM, which is caught by +verto and passed to our handler. Besides cleanup, we then call +verto_break(), which causes the verto_run() event loop to return. The +weird return code has been present since the addition of the kadmin +code, which used a similar event model for signals. + +(cherry picked from commit f970ad412aca36f8a7d3addb1cd4026ed22e5592) +(cherry picked from commit 3bfe632c7011c335362d78356232507d9ee26f73) +--- + src/kadmin/server/ovsec_kadmd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c +index a3edd3b00..9fc49f1e6 100644 +--- a/src/kadmin/server/ovsec_kadmd.c ++++ b/src/kadmin/server/ovsec_kadmd.c +@@ -558,5 +558,5 @@ main(int argc, char *argv[]) + + krb5_klog_close(context); + krb5_free_context(context); +- exit(2); ++ exit(0); + } diff --git a/SOURCES/Fix-PKINIT-cert-matching-data-construction.patch b/SOURCES/Fix-PKINIT-cert-matching-data-construction.patch new file mode 100644 index 0000000..99e71aa --- /dev/null +++ b/SOURCES/Fix-PKINIT-cert-matching-data-construction.patch @@ -0,0 +1,115 @@ +From 1bde0be47ab0c6f94b474c0a3b1d03ec32db1293 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 17 Oct 2017 18:50:15 -0400 +Subject: [PATCH] Fix PKINIT cert matching data construction + +Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic +allocation and to perform proper error checking. + +ticket: 8617 +target_version: 1.16 +target_version: 1.15-next +target_version: 1.14-next +tags: pullup + +(cherry picked from commit fbb687db1088ddd894d975996e5f6a4252b9a2b4) +--- + .../preauth/pkinit/pkinit_crypto_openssl.c | 67 +++++++------------ + 1 file changed, 25 insertions(+), 42 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index b243dca30..1eb273808 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -5052,33 +5052,29 @@ out: + return retval; + } + +-/* +- * Return a string format of an X509_NAME in buf where +- * size is an in/out parameter. On input it is the size +- * of the buffer, and on output it is the actual length +- * of the name. +- * If buf is NULL, returns the length req'd to hold name +- */ +-static char * +-X509_NAME_oneline_ex(X509_NAME * a, +- char *buf, +- unsigned int *size, +- unsigned long flag) ++static krb5_error_code ++rfc2253_name(X509_NAME *name, char **str_out) + { +- BIO *out = NULL; ++ BIO *b = NULL; ++ char *str; + +- out = BIO_new(BIO_s_mem ()); +- if (X509_NAME_print_ex(out, a, 0, flag) > 0) { +- if (buf != NULL && (*size) > (unsigned int) BIO_number_written(out)) { +- memset(buf, 0, *size); +- BIO_read(out, buf, (int) BIO_number_written(out)); +- } +- else { +- *size = BIO_number_written(out); +- } +- } +- BIO_free(out); +- return (buf); ++ *str_out = NULL; ++ b = BIO_new(BIO_s_mem()); ++ if (b == NULL) ++ return ENOMEM; ++ if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0) ++ goto error; ++ str = calloc(BIO_number_written(b) + 1, 1); ++ if (str == NULL) ++ goto error; ++ BIO_read(b, str, BIO_number_written(b)); ++ BIO_free(b); ++ *str_out = str; ++ return 0; ++ ++error: ++ BIO_free(b); ++ return ENOMEM; + } + + /* +@@ -5144,8 +5140,6 @@ get_matching_data(krb5_context context, + pkinit_cert_matching_data *md = NULL; + krb5_principal *pkinit_sans = NULL, *upn_sans = NULL; + size_t i, j; +- char buf[DN_BUF_LEN]; +- unsigned int bufsize = sizeof(buf); + + *md_out = NULL; + +@@ -5153,23 +5147,12 @@ get_matching_data(krb5_context context, + if (md == NULL) + goto cleanup; + +- /* Get the subject name (in rfc2253 format). */ +- X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize, +- XN_FLAG_SEP_COMMA_PLUS); +- md->subject_dn = strdup(buf); +- if (md->subject_dn == NULL) { +- ret = ENOMEM; ++ ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn); ++ if (ret) + goto cleanup; +- } +- +- /* Get the issuer name (in rfc2253 format). */ +- X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize, +- XN_FLAG_SEP_COMMA_PLUS); +- md->issuer_dn = strdup(buf); +- if (md->issuer_dn == NULL) { +- ret = ENOMEM; ++ ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn); ++ if (ret) + goto cleanup; +- } + + /* Get the SAN data. */ + ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx, diff --git a/SOURCES/Fix-certauth-built-in-module-returns.patch b/SOURCES/Fix-certauth-built-in-module-returns.patch index 74498aa..72c9efb 100644 --- a/SOURCES/Fix-certauth-built-in-module-returns.patch +++ b/SOURCES/Fix-certauth-built-in-module-returns.patch @@ -20,8 +20,8 @@ there are no SANs at all. ticket: 8561 (cherry picked from commit 07243f85a760fb37f0622d7ff0177db3f19ab025) --- - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 39 ++++++++++------------ - src/plugins/preauth/pkinit/pkinit_srv.c | 14 +++++--- + .../preauth/pkinit/pkinit_crypto_openssl.c | 39 +++++++++---------- + src/plugins/preauth/pkinit/pkinit_srv.c | 14 ++++--- 2 files changed, 27 insertions(+), 26 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c diff --git a/SOURCES/Fix-flaws-in-LDAP-DN-checking.patch b/SOURCES/Fix-flaws-in-LDAP-DN-checking.patch new file mode 100644 index 0000000..62a0cab --- /dev/null +++ b/SOURCES/Fix-flaws-in-LDAP-DN-checking.patch @@ -0,0 +1,350 @@ +From 997e1bbb2ec662357089aa43763e138183860cc3 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Fri, 12 Jan 2018 11:43:01 -0500 +Subject: [PATCH] Fix flaws in LDAP DN checking + +KDB_TL_USER_INFO tl-data is intended to be internal to the LDAP KDB +module, and not used in disk or wire principal entries. Prevent +kadmin clients from sending KDB_TL_USER_INFO tl-data by giving it a +type number less than 256 and filtering out type numbers less than 256 +in kadm5_create_principal_3(). (We already filter out low type +numbers in kadm5_modify_principal()). + +In the LDAP KDB module, if containerdn and linkdn are both specified +in a put_principal operation, check both linkdn and the computed +standalone_principal_dn for container membership. To that end, factor +out the checks into helper functions and call them on all applicable +client-influenced DNs. + +CVE-2018-5729: + +In MIT krb5 1.6 or later, an authenticated kadmin user with permission +to add principals to an LDAP Kerberos database can cause a null +dereference in kadmind, or circumvent a DN container check, by +supplying tagged data intended to be internal to the database module. +Thanks to Sharwan Ram and Pooja Anil for discovering the potential +null dereference. + +CVE-2018-5730: + +In MIT krb5 1.6 or later, an authenticated kadmin user with permission +to add principals to an LDAP Kerberos database can circumvent a DN +containership check by supplying both a "linkdn" and "containerdn" +database argument, or by supplying a DN string which is a left +extension of a container DN string but is not hierarchically within +the container DN. + +ticket: 8643 (new) +tags: pullup +target_version: 1.16-next +target_version: 1.15-next + +(cherry picked from commit e1caf6fb74981da62039846931ebdffed71309d1) +[rharwood@redhat.com fuzz - didn't port tests to expected_msg] +--- + src/lib/kadm5/srv/svr_principal.c | 7 + + src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 2 +- + .../kdb/ldap/libkdb_ldap/ldap_principal2.c | 200 ++++++++++-------- + src/tests/t_kdb.py | 14 ++ + 4 files changed, 128 insertions(+), 95 deletions(-) + +diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +index 0d4f0a632..64a4a2e97 100644 +--- a/src/lib/kadm5/srv/svr_principal.c ++++ b/src/lib/kadm5/srv/svr_principal.c +@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle, + return KADM5_BAD_MASK; + if((mask & ~ALL_PRINC_MASK)) + return KADM5_BAD_MASK; ++ if (mask & KADM5_TL_DATA) { ++ for (tl_data_tail = entry->tl_data; tl_data_tail != NULL; ++ tl_data_tail = tl_data_tail->tl_data_next) { ++ if (tl_data_tail->tl_data_type < 256) ++ return KADM5_BAD_TL_TYPE; ++ } ++ } + + /* + * Check to see if the principal exists +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +index 06b477537..0c19804ad 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h ++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op); + #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr)) + #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr)) + +-#define KDB_TL_USER_INFO 0x7ffe ++#define KDB_TL_USER_INFO 0xff + + #define KDB_TL_PRINCTYPE 0x01 + #define KDB_TL_PRINCCOUNT 0x02 +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +index 88a170495..b7c9212cb 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +@@ -651,6 +651,107 @@ cleanup: + return ret; + } + ++static krb5_error_code ++check_dn_in_container(krb5_context context, const char *dn, ++ char *const *subtrees, unsigned int ntrees) ++{ ++ unsigned int i; ++ size_t dnlen = strlen(dn), stlen; ++ ++ for (i = 0; i < ntrees; i++) { ++ if (subtrees[i] == NULL || *subtrees[i] == '\0') ++ return 0; ++ stlen = strlen(subtrees[i]); ++ if (dnlen >= stlen && ++ strcasecmp(dn + dnlen - stlen, subtrees[i]) == 0 && ++ (dnlen == stlen || dn[dnlen - stlen - 1] == ',')) ++ return 0; ++ } ++ ++ k5_setmsg(context, EINVAL, _("DN is out of the realm subtree")); ++ return EINVAL; ++} ++ ++static krb5_error_code ++check_dn_exists(krb5_context context, ++ krb5_ldap_server_handle *ldap_server_handle, ++ const char *dn, krb5_boolean nonkrb_only) ++{ ++ krb5_error_code st = 0, tempst; ++ krb5_ldap_context *ldap_context = context->dal_handle->db_context; ++ LDAP *ld = ldap_server_handle->ldap_handle; ++ LDAPMessage *result = NULL, *ent; ++ char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL }; ++ char **values; ++ ++ LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS); ++ if (st != LDAP_SUCCESS) ++ return set_ldap_error(context, st, OP_SEARCH); ++ ++ ent = ldap_first_entry(ld, result); ++ CHECK_NULL(ent); ++ ++ values = ldap_get_values(ld, ent, "krbticketpolicyreference"); ++ if (values != NULL) ++ ldap_value_free(values); ++ ++ values = ldap_get_values(ld, ent, "krbprincipalname"); ++ if (values != NULL) { ++ ldap_value_free(values); ++ if (nonkrb_only) { ++ st = EINVAL; ++ k5_setmsg(context, st, _("ldap object is already kerberized")); ++ goto cleanup; ++ } ++ } ++ ++cleanup: ++ ldap_msgfree(result); ++ return st; ++} ++ ++static krb5_error_code ++validate_xargs(krb5_context context, ++ krb5_ldap_server_handle *ldap_server_handle, ++ const xargs_t *xargs, const char *standalone_dn, ++ char *const *subtrees, unsigned int ntrees) ++{ ++ krb5_error_code st; ++ ++ if (xargs->dn != NULL) { ++ /* The supplied dn must be within a realm container. */ ++ st = check_dn_in_container(context, xargs->dn, subtrees, ntrees); ++ if (st) ++ return st; ++ /* The supplied dn must exist without Kerberos attributes. */ ++ st = check_dn_exists(context, ldap_server_handle, xargs->dn, TRUE); ++ if (st) ++ return st; ++ } ++ ++ if (xargs->linkdn != NULL) { ++ /* The supplied linkdn must be within a realm container. */ ++ st = check_dn_in_container(context, xargs->linkdn, subtrees, ntrees); ++ if (st) ++ return st; ++ /* The supplied linkdn must exist. */ ++ st = check_dn_exists(context, ldap_server_handle, xargs->linkdn, ++ FALSE); ++ if (st) ++ return st; ++ } ++ ++ if (xargs->containerdn != NULL && standalone_dn != NULL) { ++ /* standalone_dn (likely composed using containerdn) must be within a ++ * container. */ ++ st = check_dn_in_container(context, standalone_dn, subtrees, ntrees); ++ if (st) ++ return st; ++ } ++ ++ return 0; ++} ++ + krb5_error_code + krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + char **db_args) +@@ -662,12 +763,12 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + LDAPMessage *result=NULL, *ent=NULL; + char **subtreelist = NULL; + char *user=NULL, *subtree=NULL, *principal_dn=NULL; +- char **values=NULL, *strval[10]={NULL}, errbuf[1024]; ++ char *strval[10]={NULL}, errbuf[1024]; + char *filtuser=NULL; + struct berval **bersecretkey=NULL; + LDAPMod **mods=NULL; + krb5_boolean create_standalone=FALSE; +- krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE; ++ krb5_boolean establish_links=FALSE; + char *standalone_principal_dn=NULL; + krb5_tl_data *tl_data=NULL; + krb5_key_data **keys=NULL; +@@ -860,24 +961,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + * any of the subtrees + */ + if (xargs.dn_from_kbd == TRUE) { +- /* make sure the DN falls in the subtree */ +- int dnlen=0, subtreelen=0; +- char *dn=NULL; +- krb5_boolean outofsubtree=TRUE; +- +- if (xargs.dn != NULL) { +- dn = xargs.dn; +- } else if (xargs.linkdn != NULL) { +- dn = xargs.linkdn; +- } else if (standalone_principal_dn != NULL) { +- /* +- * Even though the standalone_principal_dn is constructed +- * within this function, there is the containerdn input +- * from the user that can become part of the it. +- */ +- dn = standalone_principal_dn; +- } +- + /* Get the current subtree list if we haven't already done so. */ + if (subtreelist == NULL) { + st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees); +@@ -885,81 +968,10 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + goto cleanup; + } + +- for (tre=0; tre= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { +- outofsubtree = FALSE; +- break; +- } +- } +- } +- +- if (outofsubtree == TRUE) { +- st = EINVAL; +- k5_setmsg(context, st, _("DN is out of the realm subtree")); ++ st = validate_xargs(context, ldap_server_handle, &xargs, ++ standalone_principal_dn, subtreelist, ntrees); ++ if (st) + goto cleanup; +- } +- +- /* +- * dn value will be set either by dn, linkdn or the standalone_principal_dn +- * In the first 2 cases, the dn should be existing and in the last case we +- * are supposed to create the ldap object. so the below should not be +- * executed for the last case. +- */ +- +- if (standalone_principal_dn == NULL) { +- /* +- * If the ldap object is missing, this results in an error. +- */ +- +- /* +- * Search for krbprincipalname attribute here. +- * This is to find if a kerberos identity is already present +- * on the ldap object, in which case adding a kerberos identity +- * on the ldap object should result in an error. +- */ +- char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL}; +- +- ldap_msgfree(result); +- result = NULL; +- LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); +- if (st == LDAP_SUCCESS) { +- ent = ldap_first_entry(ld, result); +- if (ent != NULL) { +- if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { +- ldap_value_free(values); +- } +- +- if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { +- krb_identity_exists = TRUE; +- ldap_value_free(values); +- } +- } +- } else { +- st = set_ldap_error(context, st, OP_SEARCH); +- goto cleanup; +- } +- } +- } +- +- /* +- * If xargs.dn is set then the request is to add a +- * kerberos principal on a ldap object, but if +- * there is one already on the ldap object this +- * should result in an error. +- */ +- +- if (xargs.dn != NULL && krb_identity_exists == TRUE) { +- st = EINVAL; +- snprintf(errbuf, sizeof(errbuf), +- _("ldap object is already kerberized")); +- k5_setmsg(context, st, "%s", errbuf); +- goto cleanup; + } + + if (xargs.linkdn != NULL) { +diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py +index c0eeb0118..319687ff3 100755 +--- a/src/tests/t_kdb.py ++++ b/src/tests/t_kdb.py +@@ -171,6 +171,14 @@ out = realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'], + expected_code=1) + if 'DN is out of the realm subtree' not in out: + fail('Unexpected kadmin.local output for out-of-realm dn') ++ ++# Check that the DN container check is a hierarchy test, not a simple ++# suffix match (CVE-2018-5730). We expect this operation to fail ++# either way (because "xcn" isn't a valid DN tag) but the container ++# check should happen before the DN is parsed. ++realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'], ++ expected_code=1, expected_msg='DN is out of the realm subtree') ++ + realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1']) + out = realm.run([kadminl, 'getprinc', 'princ1']) + if 'Principal: princ1' not in out: +@@ -209,6 +217,12 @@ out = realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', + if 'containerdn option not supported' not in out: + fail('Unexpected kadmin.local output trying to reset containerdn') + ++# Verify that containerdn is checked when linkdn is also supplied ++# (CVE-2018-5730). ++realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5', ++ '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1, ++ expected_msg='DN is out of the realm subtree') ++ + # Create and modify a ticket policy. + kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour', + '-allow_forwardable', 'tktpol']) diff --git a/SOURCES/Fix-hex-conversion-of-PKINIT-certid-strings.patch b/SOURCES/Fix-hex-conversion-of-PKINIT-certid-strings.patch new file mode 100644 index 0000000..f05c4ed --- /dev/null +++ b/SOURCES/Fix-hex-conversion-of-PKINIT-certid-strings.patch @@ -0,0 +1,92 @@ +From e427a9c2027446f1d0883ced077caf3515116b10 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 26 Jan 2018 11:47:50 -0500 +Subject: [PATCH] Fix hex conversion of PKINIT certid strings + +When parsing a PKCS11 token specification, correctly convert from hex +to binary instead of using OpenSSL bignum functions (which would strip +leading zeros). + +[ghudson@mit.edu: made hex_string_to_bin() a bit less verbose; wrote +commit message] + +ticket: 8636 +(cherry picked from commit 63e8b8142fd7b3931a7bf2d6448978ca536bafc0) +--- + .../preauth/pkinit/pkinit_crypto_openssl.c | 55 +++++++++++++++---- + 1 file changed, 44 insertions(+), 11 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 7fa2efd21..6a95f8035 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -4640,6 +4640,43 @@ reassemble_pkcs11_name(pkinit_identity_opts *idopts) + return ret; + } + ++static int ++hex_string_to_bin(const char *str, int *bin_len_out, CK_BYTE **bin_out) ++{ ++ size_t str_len, i; ++ CK_BYTE *bin; ++ char *endptr, tmp[3] = { '\0', '\0', '\0' }; ++ long val; ++ ++ *bin_len_out = 0; ++ *bin_out = NULL; ++ ++ str_len = strlen(str); ++ if (str_len % 2 != 0) ++ return EINVAL; ++ bin = malloc(str_len / 2); ++ if (bin == NULL) ++ return ENOMEM; ++ ++ errno = 0; ++ for (i = 0; i < str_len / 2; i++) { ++ tmp[0] = str[i * 2]; ++ tmp[1] = str[i * 2 + 1]; ++ ++ val = strtol(tmp, &endptr, 16); ++ if (val < 0 || val > 255 || errno != 0 || endptr != &tmp[2]) { ++ free(bin); ++ return EINVAL; ++ } ++ ++ bin[i] = (CK_BYTE)val; ++ } ++ ++ *bin_len_out = str_len / 2; ++ *bin_out = bin; ++ return 0; ++} ++ + static krb5_error_code + pkinit_get_certs_pkcs11(krb5_context context, + pkinit_plg_crypto_context plg_cryptoctx, +@@ -4682,18 +4719,14 @@ pkinit_get_certs_pkcs11(krb5_context context, + } + /* Convert the ascii cert_id string into a binary blob */ + if (idopts->cert_id_string != NULL) { +- BIGNUM *bn = NULL; +- BN_hex2bn(&bn, idopts->cert_id_string); +- if (bn == NULL) +- return ENOMEM; +- id_cryptoctx->cert_id_len = BN_num_bytes(bn); +- id_cryptoctx->cert_id = malloc((size_t) id_cryptoctx->cert_id_len); +- if (id_cryptoctx->cert_id == NULL) { +- BN_free(bn); +- return ENOMEM; ++ r = hex_string_to_bin(idopts->cert_id_string, ++ &id_cryptoctx->cert_id_len, ++ &id_cryptoctx->cert_id); ++ if (r != 0) { ++ pkiDebug("Failed to convert certid string [%s]\n", ++ idopts->cert_id_string); ++ return r; + } +- BN_bn2bin(bn, id_cryptoctx->cert_id); +- BN_free(bn); + } + id_cryptoctx->slotid = idopts->slotid; + id_cryptoctx->pkcs11_method = 1; diff --git a/SOURCES/Fix-segfault-in-finish_dispatch.patch b/SOURCES/Fix-segfault-in-finish_dispatch.patch new file mode 100644 index 0000000..85b974e --- /dev/null +++ b/SOURCES/Fix-segfault-in-finish_dispatch.patch @@ -0,0 +1,135 @@ +From eb58cafce36423ece63a4c1b503a965b38527171 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 18 Apr 2018 14:13:28 -0400 +Subject: [PATCH] Fix segfault in finish_dispatch() + +dispatch() doesn't necessarily initialize state->active_realm which +led to an explicit NULL dereference in finish_dispatch(). + +Additionally, fix make_too_big_error() so that it won't subsequently +dereference state->active_realm. + +tags: pullup +target_version: 1.16-next +target_version: 1.15-next + +(cherry picked from commit c822bacc1b33970a2a20d9eae80f43307e783516) +--- + src/kdc/dispatch.c | 79 ++++++++++++++++++++++++---------------------- + 1 file changed, 42 insertions(+), 37 deletions(-) + +diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c +index 4ecc23481..1f4b70874 100644 +--- a/src/kdc/dispatch.c ++++ b/src/kdc/dispatch.c +@@ -35,9 +35,6 @@ + + static krb5_int32 last_usec = 0, last_os_random = 0; + +-static krb5_error_code make_too_big_error(kdc_realm_t *kdc_active_realm, +- krb5_data **out); +- + struct dispatch_state { + loop_respond_fn respond; + void *arg; +@@ -47,6 +44,41 @@ struct dispatch_state { + krb5_context kdc_err_context; + }; + ++ ++static krb5_error_code ++make_too_big_error(krb5_context context, krb5_principal tgsprinc, ++ krb5_data **out) ++{ ++ krb5_error errpkt; ++ krb5_error_code retval; ++ krb5_data *scratch; ++ ++ *out = NULL; ++ memset(&errpkt, 0, sizeof(errpkt)); ++ ++ retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec); ++ if (retval) ++ return retval; ++ errpkt.error = KRB_ERR_RESPONSE_TOO_BIG; ++ errpkt.server = tgsprinc; ++ errpkt.client = NULL; ++ errpkt.text.length = 0; ++ errpkt.text.data = 0; ++ errpkt.e_data.length = 0; ++ errpkt.e_data.data = 0; ++ scratch = malloc(sizeof(*scratch)); ++ if (scratch == NULL) ++ return ENOMEM; ++ retval = krb5_mk_error(context, &errpkt, scratch); ++ if (retval) { ++ free(scratch); ++ return retval; ++ } ++ ++ *out = scratch; ++ return 0; ++} ++ + static void + finish_dispatch(struct dispatch_state *state, krb5_error_code code, + krb5_data *response) +@@ -54,12 +86,17 @@ finish_dispatch(struct dispatch_state *state, krb5_error_code code, + loop_respond_fn oldrespond = state->respond; + void *oldarg = state->arg; + kdc_realm_t *kdc_active_realm = state->active_realm; ++ krb5_principal tgsprinc = NULL; ++ ++ if (kdc_active_realm != NULL) ++ tgsprinc = kdc_active_realm->realm_tgsprinc; + + if (state->is_tcp == 0 && response && + response->length > (unsigned int)max_dgram_reply_size) { +- krb5_free_data(kdc_context, response); ++ krb5_free_data(state->kdc_err_context, response); + response = NULL; +- code = make_too_big_error(kdc_active_realm, &response); ++ code = make_too_big_error(state->kdc_err_context, tgsprinc, ++ &response); + if (code) + krb5_klog_syslog(LOG_ERR, "error constructing " + "KRB_ERR_RESPONSE_TOO_BIG error: %s", +@@ -201,38 +238,6 @@ dispatch(void *cb, struct sockaddr *local_saddr, + finish_dispatch_cache(state, retval, response); + } + +-static krb5_error_code +-make_too_big_error(kdc_realm_t *kdc_active_realm, krb5_data **out) +-{ +- krb5_error errpkt; +- krb5_error_code retval; +- krb5_data *scratch; +- +- *out = NULL; +- memset(&errpkt, 0, sizeof(errpkt)); +- +- retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec); +- if (retval) +- return retval; +- errpkt.error = KRB_ERR_RESPONSE_TOO_BIG; +- errpkt.server = tgs_server; +- errpkt.client = NULL; +- errpkt.text.length = 0; +- errpkt.text.data = 0; +- errpkt.e_data.length = 0; +- errpkt.e_data.data = 0; +- scratch = malloc(sizeof(*scratch)); +- if (scratch == NULL) +- return ENOMEM; +- retval = krb5_mk_error(kdc_context, &errpkt, scratch); +- if (retval) { +- free(scratch); +- return retval; +- } +- +- *out = scratch; +- return 0; +-} + + krb5_context get_context(void *handle) + { diff --git a/SOURCES/Ignore-dotfiles-in-profile-includedir.patch b/SOURCES/Ignore-dotfiles-in-profile-includedir.patch new file mode 100644 index 0000000..26401ed --- /dev/null +++ b/SOURCES/Ignore-dotfiles-in-profile-includedir.patch @@ -0,0 +1,61 @@ +From f0eae5a57bf6904d9d64abd450f195a7ddfd897f Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Fri, 24 Mar 2017 11:07:21 -0400 +Subject: [PATCH] Ignore dotfiles in profile includedir + +Editors and filesystems may create artifacts related to .conf files +which don't change the file suffix; these artifacts generally begin +with "." so that they don't appear in normal directory listings +(e.g. ".#filename" for emacs interlock files). Make sure to ignore +any such artifacts when processing a profile includedir directive. + +ticket: 8563 (new) +target_version: 1.15-next +tags: pullup + +(cherry picked from commit e8e1d841f8e43e4f441b451d91333a01e43c1b6f) +--- + doc/admin/conf_files/krb5_conf.rst | 7 ++++--- + src/util/profile/prof_parse.c | 6 +++++- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index c0e4349c0..1d9bc9e34 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -55,9 +55,10 @@ following directives at the beginning of a line:: + directory must exist and be readable. Including a directory includes + all files within the directory whose names consist solely of + alphanumeric characters, dashes, or underscores. Starting in release +-1.15, files with names ending in ".conf" are also included. Included +-profile files are syntactically independent of their parents, so each +-included file must begin with a section header. ++1.15, files with names ending in ".conf" are also included, unless the ++name begins with ".". Included profile files are syntactically ++independent of their parents, so each included file must begin with a ++section header. + + The krb5.conf file can specify that configuration should be obtained + from a loadable module, rather than the file itself, using the +diff --git a/src/util/profile/prof_parse.c b/src/util/profile/prof_parse.c +index e7c1f65aa..1baceea9e 100644 +--- a/src/util/profile/prof_parse.c ++++ b/src/util/profile/prof_parse.c +@@ -222,12 +222,16 @@ static errcode_t parse_include_file(const char *filename, + } + + /* Return non-zero if filename contains only alphanumeric characters, dashes, +- * and underscores, or if the filename ends in ".conf". */ ++ * and underscores, or if the filename ends in ".conf" and is not a dotfile. */ + static int valid_name(const char *filename) + { + const char *p; + size_t len = strlen(filename); + ++ /* Ignore dotfiles, which might be editor or filesystem artifacts. */ ++ if (*filename == '.') ++ return 0; ++ + if (len >= 5 && !strcmp(filename + len - 5, ".conf")) + return 1; + diff --git a/SOURCES/Improve-PKINIT-UPN-SAN-matching.patch b/SOURCES/Improve-PKINIT-UPN-SAN-matching.patch index d4d45c6..73c9740 100644 --- a/SOURCES/Improve-PKINIT-UPN-SAN-matching.patch +++ b/SOURCES/Improve-PKINIT-UPN-SAN-matching.patch @@ -15,10 +15,10 @@ parse UPN values as enterprise principals. ticket: 8528 (new) (cherry picked from commit 46ff765e1fb8cbec2bb602b43311269e695dbedc) --- - src/include/krb5/kdcpreauth_plugin.h | 13 ++++++++++ - src/kdc/kdc_preauth.c | 28 ++++++++++++++++++++-- - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 +++- - src/plugins/preauth/pkinit/pkinit_srv.c | 10 ++++---- + src/include/krb5/kdcpreauth_plugin.h | 13 +++++++++ + src/kdc/kdc_preauth.c | 28 +++++++++++++++++-- + .../preauth/pkinit/pkinit_crypto_openssl.c | 4 ++- + src/plugins/preauth/pkinit/pkinit_srv.c | 10 ++++--- 4 files changed, 48 insertions(+), 7 deletions(-) diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h diff --git a/SOURCES/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch b/SOURCES/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch new file mode 100644 index 0000000..53e379a --- /dev/null +++ b/SOURCES/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch @@ -0,0 +1,327 @@ +From e7266b788278f019ad15d2d2fe518401e98c5645 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 31 Jul 2018 13:47:26 -0400 +Subject: [PATCH] In FIPS mode, add plaintext fallback for RC4 usages and taint + +--- + src/lib/krad/attr.c | 38 ++++++++++++++++++++++++++++---------- + src/lib/krad/attrset.c | 5 +++-- + src/lib/krad/internal.h | 13 +++++++++++-- + src/lib/krad/packet.c | 18 +++++++++--------- + src/lib/krad/remote.c | 10 ++++++++-- + src/lib/krad/t_attr.c | 3 ++- + src/lib/krad/t_attrset.c | 4 +++- + 7 files changed, 64 insertions(+), 27 deletions(-) + +diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c +index 9c13d9d75..f96153e2e 100644 +--- a/src/lib/krad/attr.c ++++ b/src/lib/krad/attr.c +@@ -38,7 +38,8 @@ + typedef krb5_error_code + (*attribute_transform_fn)(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips); + + typedef struct { + const char *name; +@@ -51,12 +52,14 @@ typedef struct { + static krb5_error_code + user_password_encode(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips); + + static krb5_error_code + user_password_decode(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *ignored); + + static const attribute_record attributes[UCHAR_MAX] = { + {"User-Name", 1, MAX_ATTRSIZE, NULL, NULL}, +@@ -128,7 +131,8 @@ static const attribute_record attributes[UCHAR_MAX] = { + static krb5_error_code + user_password_encode(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen) ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips) + { + const unsigned char *indx; + krb5_error_code retval; +@@ -156,7 +160,12 @@ user_password_encode(krb5_context ctx, const char *secret, + + retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp, + &sum); +- if (retval != 0) { ++ if (retval == ENOMEM) { ++ /* I'm Linux, so we know this is a FIPS failure. RSA_MD5 doesn't ++ * provide security so let's move on. */ ++ *is_fips = TRUE; ++ sum.contents = calloc(1, BLOCKSIZE); ++ } else if (retval != 0) { + zap(tmp.data, tmp.length); + zap(outbuf, len); + krb5_free_data_contents(ctx, &tmp); +@@ -180,7 +189,8 @@ user_password_encode(krb5_context ctx, const char *secret, + static krb5_error_code + user_password_decode(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen) ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips) + { + const unsigned char *indx; + krb5_error_code retval; +@@ -206,7 +216,12 @@ user_password_decode(krb5_context ctx, const char *secret, + + retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, + &tmp, &sum); +- if (retval != 0) { ++ if (retval == ENOMEM) { ++ /* I'm Linux, so we know this is a FIPS failure. Assume the ++ * other side is running locally and move on. */ ++ *is_fips = TRUE; ++ sum.contents = calloc(1, BLOCKSIZE); ++ } else if (retval != 0) { + zap(tmp.data, tmp.length); + zap(outbuf, in->length); + krb5_free_data_contents(ctx, &tmp); +@@ -248,7 +263,7 @@ krb5_error_code + kr_attr_encode(krb5_context ctx, const char *secret, + const unsigned char *auth, krad_attr type, + const krb5_data *in, unsigned char outbuf[MAX_ATTRSIZE], +- size_t *outlen) ++ size_t *outlen, krb5_boolean *is_fips) + { + krb5_error_code retval; + +@@ -265,7 +280,8 @@ kr_attr_encode(krb5_context ctx, const char *secret, + return 0; + } + +- return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen); ++ return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen, ++ is_fips); + } + + krb5_error_code +@@ -274,6 +290,7 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, + unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen) + { + krb5_error_code retval; ++ krb5_boolean ignored; + + retval = kr_attr_valid(type, in); + if (retval != 0) +@@ -288,7 +305,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, + return 0; + } + +- return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen); ++ return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen, ++ &ignored); + } + + krad_attr +diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c +index 03c613716..d89982a13 100644 +--- a/src/lib/krad/attrset.c ++++ b/src/lib/krad/attrset.c +@@ -167,7 +167,8 @@ krad_attrset_copy(const krad_attrset *set, krad_attrset **copy) + krb5_error_code + kr_attrset_encode(const krad_attrset *set, const char *secret, + const unsigned char *auth, +- unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen) ++ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen, ++ krb5_boolean *is_fips) + { + unsigned char buffer[MAX_ATTRSIZE]; + krb5_error_code retval; +@@ -181,7 +182,7 @@ kr_attrset_encode(const krad_attrset *set, const char *secret, + + K5_TAILQ_FOREACH(a, &set->list, list) { + retval = kr_attr_encode(set->ctx, secret, auth, a->type, &a->attr, +- buffer, &attrlen); ++ buffer, &attrlen, is_fips); + if (retval != 0) + return retval; + +diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h +index 996a89372..a53ce31ce 100644 +--- a/src/lib/krad/internal.h ++++ b/src/lib/krad/internal.h +@@ -49,6 +49,13 @@ + + typedef struct krad_remote_st krad_remote; + ++struct krad_packet_st { ++ char buffer[KRAD_PACKET_SIZE_MAX]; ++ krad_attrset *attrset; ++ krb5_data pkt; ++ krb5_boolean is_fips; ++}; ++ + /* Validate constraints of an attribute. */ + krb5_error_code + kr_attr_valid(krad_attr type, const krb5_data *data); +@@ -57,7 +64,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data); + krb5_error_code + kr_attr_encode(krb5_context ctx, const char *secret, const unsigned char *auth, + krad_attr type, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips); + + /* Decode an attribute. */ + krb5_error_code +@@ -69,7 +77,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, + krb5_error_code + kr_attrset_encode(const krad_attrset *set, const char *secret, + const unsigned char *auth, +- unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen, ++ krb5_boolean *is_fips); + + /* Decode attributes from a buffer. */ + krb5_error_code +diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c +index c597174b6..2fbf0ee1e 100644 +--- a/src/lib/krad/packet.c ++++ b/src/lib/krad/packet.c +@@ -53,12 +53,6 @@ typedef unsigned char uchar; + #define pkt_auth(p) ((uchar *)offset(&(p)->pkt, OFFSET_AUTH)) + #define pkt_attr(p) ((unsigned char *)offset(&(p)->pkt, OFFSET_ATTR)) + +-struct krad_packet_st { +- char buffer[KRAD_PACKET_SIZE_MAX]; +- krad_attrset *attrset; +- krb5_data pkt; +-}; +- + typedef struct { + uchar x[(UCHAR_MAX + 1) / 8]; + } idmap; +@@ -190,7 +184,11 @@ auth_generate_response(krb5_context ctx, const char *secret, + retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data, + &hash); + free(data.data); +- if (retval != 0) ++ if (retval == ENOMEM) { ++ /* We're on Linux, so this is a FIPS failure, and this checksum ++ * does very little security-wise anyway, so don't taint. */ ++ hash.contents = calloc(1, AUTH_FIELD_SIZE); ++ } else if (retval != 0) + return retval; + + memcpy(rauth, hash.contents, AUTH_FIELD_SIZE); +@@ -276,7 +274,7 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code, + + /* Encode the attributes. */ + retval = kr_attrset_encode(set, secret, pkt_auth(pkt), pkt_attr(pkt), +- &attrset_len); ++ &attrset_len, &pkt->is_fips); + if (retval != 0) + goto error; + +@@ -314,7 +312,7 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code, + + /* Encode the attributes. */ + retval = kr_attrset_encode(set, secret, pkt_auth(request), pkt_attr(pkt), +- &attrset_len); ++ &attrset_len, &pkt->is_fips); + if (retval != 0) + goto error; + +@@ -451,6 +449,8 @@ krad_packet_decode_response(krb5_context ctx, const char *secret, + const krb5_data * + krad_packet_encode(const krad_packet *pkt) + { ++ if (pkt->is_fips) ++ return NULL; + return &pkt->pkt; + } + +diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c +index 437f7e91a..0f90443ce 100644 +--- a/src/lib/krad/remote.c ++++ b/src/lib/krad/remote.c +@@ -263,7 +263,7 @@ on_io_write(krad_remote *rr) + request *r; + + K5_TAILQ_FOREACH(r, &rr->list, list) { +- tmp = krad_packet_encode(r->request); ++ tmp = &r->request->pkt; + + /* If the packet has already been sent, do nothing. */ + if (r->sent == tmp->length) +@@ -359,7 +359,7 @@ on_io_read(krad_remote *rr) + if (req != NULL) { + K5_TAILQ_FOREACH(r, &rr->list, list) { + if (r->request == req && +- r->sent == krad_packet_encode(req)->length) { ++ r->sent == req->pkt.length) { + request_finish(r, 0, rsp); + break; + } +@@ -455,6 +455,12 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs, + (krad_packet_iter_cb)iterator, &r, &tmp); + if (retval != 0) + goto error; ++ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL && ++ rr->info->ai_family != AF_UNIX) { ++ /* This would expose cleartext passwords, so abort. */ ++ retval = ESOCKTNOSUPPORT; ++ goto error; ++ } + + K5_TAILQ_FOREACH(r, &rr->list, list) { + if (r->request == tmp) { +diff --git a/src/lib/krad/t_attr.c b/src/lib/krad/t_attr.c +index eb2a780c8..4d285ad9d 100644 +--- a/src/lib/krad/t_attr.c ++++ b/src/lib/krad/t_attr.c +@@ -50,6 +50,7 @@ main() + const char *tmp; + krb5_data in; + size_t len; ++ krb5_boolean is_fips = FALSE; + + noerror(krb5_init_context(&ctx)); + +@@ -73,7 +74,7 @@ main() + in = string2data((char *)decoded); + retval = kr_attr_encode(ctx, secret, auth, + krad_attr_name2num("User-Password"), +- &in, outbuf, &len); ++ &in, outbuf, &len, &is_fips); + insist(retval == 0); + insist(len == sizeof(encoded)); + insist(memcmp(outbuf, encoded, len) == 0); +diff --git a/src/lib/krad/t_attrset.c b/src/lib/krad/t_attrset.c +index 7928335ca..0f9576253 100644 +--- a/src/lib/krad/t_attrset.c ++++ b/src/lib/krad/t_attrset.c +@@ -49,6 +49,7 @@ main() + krb5_context ctx; + size_t len = 0, encode_len; + krb5_data tmp; ++ krb5_boolean is_fips = FALSE; + + noerror(krb5_init_context(&ctx)); + noerror(krad_attrset_new(ctx, &set)); +@@ -62,7 +63,8 @@ main() + noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp)); + + /* Encode attrset. */ +- noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len)); ++ noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len, ++ &is_fips)); + krad_attrset_free(set); + + /* Manually encode User-Name. */ diff --git a/SOURCES/Include-preauth-name-in-trace-output-if-possible.patch b/SOURCES/Include-preauth-name-in-trace-output-if-possible.patch new file mode 100644 index 0000000..9d17ba6 --- /dev/null +++ b/SOURCES/Include-preauth-name-in-trace-output-if-possible.patch @@ -0,0 +1,506 @@ +From 89c5f21992e055955c752aba4a207810aa201e9f Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 15 Mar 2018 14:37:28 -0400 +Subject: [PATCH] Include preauth name in trace output if possible + +Add a {patype} trace format specifier for a single pa-type value. Add +a krb5_preauthtype to string conversion function to trace machinery +and use it when formatting {patype} or {patypes}. + +[ghudson@mit.edu: wrote conversion function; edited commit message] + +ticket: 8653 (new) +(cherry picked from commit 9c68fe39b018666eabe033b639c1f35d03ba51c7) +[rharwood@redhat.com: freshness, expected_msg] +--- + src/include/k5-trace.h | 17 +-- + src/lib/krb5/os/t_trace.ref | 2 +- + src/lib/krb5/os/trace.c | 60 +++++++++- + src/tests/t_pkinit.py | 36 +++--- + src/tests/t_preauth.py | 216 ++++++++++++++++++------------------ + 5 files changed, 199 insertions(+), 132 deletions(-) + +diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h +index e60ee0b75..49b1b6756 100644 +--- a/src/include/k5-trace.h ++++ b/src/include/k5-trace.h +@@ -75,6 +75,7 @@ + * {cksum} const krb5_checksum *, display cksumtype and hex checksum + * {princ} krb5_principal, unparse and display + * {ptype} krb5_int32, krb5_principal type, display name ++ * {patype} krb5_preauthtype, a single padata type number + * {patypes} krb5_pa_data **, display list of padata type numbers + * {etype} krb5_enctype, display shortest name of enctype + * {etypes} krb5_enctype *, display list of enctypes +@@ -218,14 +219,14 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); + #define TRACE_INIT_CREDS_PREAUTH_DECRYPT_FAIL(c, code) \ + TRACE(c, "Decrypt with preauth AS key failed: {kerr}", code) + #define TRACE_INIT_CREDS_PREAUTH_MORE(c, patype) \ +- TRACE(c, "Continuing preauth mech {int}", (int)patype) ++ TRACE(c, "Continuing preauth mech {patype}", patype) + #define TRACE_INIT_CREDS_PREAUTH_NONE(c) \ + TRACE(c, "Sending unauthenticated request") + #define TRACE_INIT_CREDS_PREAUTH_OPTIMISTIC(c) \ + TRACE(c, "Attempting optimistic preauth") + #define TRACE_INIT_CREDS_PREAUTH_TRYAGAIN(c, patype, code) \ +- TRACE(c, "Recovering from KDC error {int} using preauth mech {int}", \ +- (int)patype, (int)code) ++ TRACE(c, "Recovering from KDC error {int} using preauth mech {patype}", \ ++ patype, (int)code) + #define TRACE_INIT_CREDS_RESTART_FAST(c) \ + TRACE(c, "Restarting to upgrade to FAST") + #define TRACE_INIT_CREDS_RESTART_PREAUTH_FAILED(c) \ +@@ -269,7 +270,7 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); + + #define TRACE_PREAUTH_CONFLICT(c, name1, name2, patype) \ + TRACE(c, "Preauth module {str} conflicts with module {str} for pa " \ +- "type {int}", name1, name2, (int) patype) ++ "type {patype}", name1, name2, patype) + #define TRACE_PREAUTH_COOKIE(c, len, data) \ + TRACE(c, "Received cookie: {lenstr}", (size_t) len, data) + #define TRACE_PREAUTH_ENC_TS_KEY_GAK(c, keyblock) \ +@@ -281,8 +282,8 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); + TRACE(c, "Selected etype info: etype {etype}, salt \"{data}\", " \ + "params \"{data}\"", etype, salt, s2kparams) + #define TRACE_PREAUTH_INFO_FAIL(c, patype, code) \ +- TRACE(c, "Preauth builtin info function failure, type={int}: {kerr}", \ +- (int) patype, code) ++ TRACE(c, "Preauth builtin info function failure, type={patype}: {kerr}", \ ++ patype, code) + #define TRACE_PREAUTH_INPUT(c, padata) \ + TRACE(c, "Processing preauth types: {patypes}", padata) + #define TRACE_PREAUTH_OUTPUT(c, padata) \ +@@ -293,8 +294,8 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); + #define TRACE_PREAUTH_SAM_KEY_GAK(c, keyblock) \ + TRACE(c, "AS key obtained for SAM: {keyblock}", keyblock) + #define TRACE_PREAUTH_SALT(c, salt, patype) \ +- TRACE(c, "Received salt \"{data}\" via padata type {int}", salt, \ +- (int) patype) ++ TRACE(c, "Received salt \"{data}\" via padata type {patype}", salt, \ ++ patype) + #define TRACE_PREAUTH_SKIP(c, name, patype) \ + TRACE(c, "Skipping previously used preauth module {str} ({int})", \ + name, (int) patype) +diff --git a/src/lib/krb5/os/t_trace.ref b/src/lib/krb5/os/t_trace.ref +index ca5818a1e..bd5d9b6b6 100644 +--- a/src/lib/krb5/os/t_trace.ref ++++ b/src/lib/krb5/os/t_trace.ref +@@ -38,7 +38,7 @@ int, krb5_principal type: Windows 2000 UPN and SID + int, krb5_principal type: NT 4 style name + int, krb5_principal type: NT 4 style name and SID + int, krb5_principal type: ? +-krb5_pa_data **, display list of padata type numbers: 3, 0 ++krb5_pa_data **, display list of padata type numbers: PA-PW-SALT (3), 0 + krb5_pa_data **, display list of padata type numbers: (empty) + krb5_enctype, display shortest name of enctype: des-cbc-crc + krb5_enctype *, display list of enctypes: 5, rc4-hmac-exp, 511 +diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c +index 8750b7650..5a80f5518 100644 +--- a/src/lib/krb5/os/trace.c ++++ b/src/lib/krb5/os/trace.c +@@ -123,6 +123,49 @@ principal_type_string(krb5_int32 type) + } + } + ++static char * ++padata_type_string(krb5_preauthtype type) ++{ ++ switch (type) { ++ case KRB5_PADATA_TGS_REQ: return "PA-TGS-REQ"; ++ case KRB5_PADATA_ENC_TIMESTAMP: return "PA-ENC-TIMESTAMP"; ++ case KRB5_PADATA_PW_SALT: return "PA-PW-SALT"; ++ case KRB5_PADATA_ENC_UNIX_TIME: return "PA-ENC-UNIX-TIME"; ++ case KRB5_PADATA_ENC_SANDIA_SECURID: return "PA-SANDIA-SECUREID"; ++ case KRB5_PADATA_SESAME: return "PA-SESAME"; ++ case KRB5_PADATA_OSF_DCE: return "PA-OSF-DCE"; ++ case KRB5_CYBERSAFE_SECUREID: return "PA-CYBERSAFE-SECUREID"; ++ case KRB5_PADATA_AFS3_SALT: return "PA-AFS3-SALT"; ++ case KRB5_PADATA_ETYPE_INFO: return "PA-ETYPE-INFO"; ++ case KRB5_PADATA_SAM_CHALLENGE: return "PA-SAM-CHALLENGE"; ++ case KRB5_PADATA_SAM_RESPONSE: return "PA-SAM-RESPONSE"; ++ case KRB5_PADATA_PK_AS_REQ_OLD: return "PA-PK-AS-REQ_OLD"; ++ case KRB5_PADATA_PK_AS_REP_OLD: return "PA-PK-AS-REP_OLD"; ++ case KRB5_PADATA_PK_AS_REQ: return "PA-PK-AS-REQ"; ++ case KRB5_PADATA_PK_AS_REP: return "PA-PK-AS-REP"; ++ case KRB5_PADATA_ETYPE_INFO2: return "PA-ETYPE-INFO2"; ++ case KRB5_PADATA_SVR_REFERRAL_INFO: return "PA-SVR-REFERRAL-INFO"; ++ case KRB5_PADATA_SAM_REDIRECT: return "PA-SAM-REDIRECT"; ++ case KRB5_PADATA_GET_FROM_TYPED_DATA: return "PA-GET-FROM-TYPED-DATA"; ++ case KRB5_PADATA_SAM_CHALLENGE_2: return "PA-SAM-CHALLENGE2"; ++ case KRB5_PADATA_SAM_RESPONSE_2: return "PA-SAM-RESPONSE2"; ++ case KRB5_PADATA_PAC_REQUEST: return "PA-PAC-REQUEST"; ++ case KRB5_PADATA_FOR_USER: return "PA-FOR_USER"; ++ case KRB5_PADATA_S4U_X509_USER: return "PA-FOR-X509-USER"; ++ case KRB5_PADATA_AS_CHECKSUM: return "PA-AS-CHECKSUM"; ++ case KRB5_PADATA_FX_COOKIE: return "PA-FX-COOKIE"; ++ case KRB5_PADATA_FX_FAST: return "PA-FX-FAST"; ++ case KRB5_PADATA_FX_ERROR: return "PA-FX-ERROR"; ++ case KRB5_PADATA_ENCRYPTED_CHALLENGE: return "PA-ENCRYPTED-CHALLENGE"; ++ case KRB5_PADATA_OTP_CHALLENGE: return "PA-OTP-CHALLENGE"; ++ case KRB5_PADATA_OTP_REQUEST: return "PA-OTP-REQUEST"; ++ case KRB5_PADATA_OTP_PIN_CHANGE: return "PA-OTP-PIN-CHANGE"; ++ case KRB5_PADATA_PKINIT_KX: return "PA-PKINIT-KX"; ++ case KRB5_ENCPADATA_REQ_ENC_PA_REP: return "PA-REQ-ENC-PA-REP"; ++ default: return NULL; ++ } ++} ++ + static char * + trace_format(krb5_context context, const char *fmt, va_list ap) + { +@@ -140,6 +183,8 @@ trace_format(krb5_context context, const char *fmt, va_list ap) + krb5_key key; + const krb5_checksum *cksum; + krb5_pa_data **padata; ++ krb5_preauthtype pa_type; ++ const char *name; + krb5_ccache ccache; + krb5_keytab keytab; + krb5_creds *creds; +@@ -271,10 +316,23 @@ trace_format(krb5_context context, const char *fmt, va_list ap) + if (padata == NULL || *padata == NULL) + k5_buf_add(&buf, "(empty)"); + for (; padata != NULL && *padata != NULL; padata++) { +- k5_buf_add_fmt(&buf, "%d", (int)(*padata)->pa_type); ++ pa_type = (*padata)->pa_type; ++ name = padata_type_string(pa_type); ++ if (name != NULL) ++ k5_buf_add_fmt(&buf, "%s (%d)", name, (int)pa_type); ++ else ++ k5_buf_add_fmt(&buf, "%d", (int)pa_type); ++ + if (*(padata + 1) != NULL) + k5_buf_add(&buf, ", "); + } ++ } else if (strcmp(tmpbuf, "patype") == 0) { ++ pa_type = va_arg(ap, krb5_preauthtype); ++ name = padata_type_string(pa_type); ++ if (name != NULL) ++ k5_buf_add_fmt(&buf, "%s (%d)", name, (int)pa_type); ++ else ++ k5_buf_add_fmt(&buf, "%d", (int)pa_type); + } else if (strcmp(tmpbuf, "etype") == 0) { + etype = va_arg(ap, krb5_enctype); + if (krb5_enctype_to_name(etype, TRUE, tmpbuf, sizeof(tmpbuf)) == 0) +diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py +index c25475096..64ff2393a 100755 +--- a/src/tests/t_pkinit.py ++++ b/src/tests/t_pkinit.py +@@ -161,10 +161,18 @@ realm.start_kdc() + realm.run([kadminl, 'delprinc', 'WELLKNOWN/ANONYMOUS']) + + # Run the basic test - PKINIT with FILE: identity, with no password on the key. +-realm.run(['./responder', '-x', 'pkinit=', +- '-X', 'X509_user_identity=%s' % file_identity, realm.user_princ]) ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'PKINIT loading CA certs and CRLs from FILE', ++ 'PKINIT client making DH request', ++ ' preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)', ++ 'PKINIT client verified DH reply', ++ 'PKINIT client found id-pkinit-san in KDC cert', ++ 'PKINIT client matched KDC principal krbtgt/') + realm.kinit(realm.user_princ, +- flags=['-X', 'X509_user_identity=%s' % file_identity]) ++ flags=['-X', 'X509_user_identity=%s' % file_identity], ++ expected_trace=msgs) + realm.klist(realm.user_princ) + realm.run([kvno, realm.host_princ]) + +@@ -181,19 +189,19 @@ minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}} + minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf) + realm.stop_kdc() + realm.start_kdc(env=minbits_env) +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Preauth module pkinit (16) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, 16', +- '/Key parameters not accepted', +- 'Preauth tryagain input types (16): 109, 133', +- 'trying again with KDC-provided parameters', +- 'Preauth module pkinit (16) tryagain returned: 0/Success', +- 'Followup preauth for next request: 16, 133') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Preauth module pkinit (16) (real) returned: 0/Success', ++ ' preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)', ++ '/Key parameters not accepted', ++ 'Preauth tryagain input types (16): 109, PA-FX-COOKIE (133)', ++ 'trying again with KDC-provided parameters', ++ 'Preauth module pkinit (16) tryagain returned: 0/Success', ++ ' preauth for next request: PA-PK-AS-REQ (16), PA-FX-COOKIE (133)') + realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % file_identity], +- expected_trace=expected_trace) ++ expected_trace=msgs) + realm.stop_kdc() + realm.start_kdc() + +diff --git a/src/tests/t_preauth.py b/src/tests/t_preauth.py +index 7d4d299dc..b2b0983aa 100644 +--- a/src/tests/t_preauth.py ++++ b/src/tests/t_preauth.py +@@ -22,15 +22,15 @@ if 'no key' not in out: + # PA-FX-COOKIE; 2 is encrypted timestamp. + + # Test normal preauth flow. +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- 'Decrypted AS reply') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ 'Decrypted AS reply') + realm.run(['./icred', realm.user_princ, password('user')], +- expected_msg='testval', expected_trace=expected_trace) ++ expected_msg='testval', expected_trace=msgs) + + # Test successful optimistic preauth. + expected_trace = ('Attempting optimistic preauth', +@@ -43,136 +43,136 @@ realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')], + + # Test optimistic preauth failing on client, followed by successful + # preauth using the same module. +-expected_trace = ('Attempting optimistic preauth', +- 'Processing preauth types: -123', +- '/induced optimistic fail', +- 'Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- 'Decrypted AS reply') ++msgs = ('Attempting optimistic preauth', ++ 'Processing preauth types: -123', ++ '/induced optimistic fail', ++ 'Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ 'Decrypted AS reply') + realm.run(['./icred', '-o', '-123', '-X', 'fail_optimistic', realm.user_princ, + password('user')], expected_msg='testval', +- expected_trace=expected_trace) ++ expected_trace=msgs) + + # Test optimistic preauth failing on KDC, followed by successful preauth + # using the same module. + realm.run([kadminl, 'setstr', realm.user_princ, 'failopt', 'yes']) +-expected_trace = ('Attempting optimistic preauth', +- 'Processing preauth types: -123', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: -123', +- '/Preauthentication failed', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- 'Decrypted AS reply') ++msgs = ('Attempting optimistic preauth', ++ 'Processing preauth types: -123', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: -123', ++ '/Preauthentication failed', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ 'Decrypted AS reply') + realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')], +- expected_msg='testval', expected_trace=expected_trace) ++ expected_msg='testval', expected_trace=msgs) + realm.run([kadminl, 'delstr', realm.user_princ, 'failopt']) + + # Test KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and secure cookies. + realm.run([kadminl, 'setstr', realm.user_princ, '2rt', 'secondtrip']) +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- '/More preauthentication data is required', +- 'Continuing preauth mech -123', +- 'Processing preauth types: -123, 133', +- 'Produced preauth for next request: 133, -123', +- 'Decrypted AS reply') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ '/More preauthentication data is required', ++ 'Continuing preauth mech -123', ++ 'Processing preauth types: -123, PA-FX-COOKIE (133)', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ 'Decrypted AS reply') + realm.run(['./icred', realm.user_princ, password('user')], +- expected_msg='2rt: secondtrip', expected_trace=expected_trace) ++ expected_msg='2rt: secondtrip', expected_trace=msgs) + + # Test client-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, + # falling back to encrypted timestamp. +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- '/More preauthentication data is required', +- 'Continuing preauth mech -123', +- 'Processing preauth types: -123, 133', +- '/induced 2rt fail', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Encrypted timestamp (for ', +- 'module encrypted_timestamp (2) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, 2', +- 'Decrypted AS reply') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ '/More preauthentication data is required', ++ 'Continuing preauth mech -123', ++ 'Processing preauth types: -123, PA-FX-COOKIE (133)', ++ '/induced 2rt fail', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Encrypted timestamp (for ', ++ 'module encrypted_timestamp (2) (real) returned: 0/Success', ++ 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)', ++ 'Decrypted AS reply') + realm.run(['./icred', '-X', 'fail_2rt', realm.user_princ, password('user')], +- expected_msg='2rt: secondtrip', expected_trace=expected_trace) ++ expected_msg='2rt: secondtrip', expected_trace=msgs) + + # Test KDC-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, + # falling back to encrypted timestamp. + realm.run([kadminl, 'setstr', realm.user_princ, 'fail2rt', 'yes']) +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- '/More preauthentication data is required', +- 'Continuing preauth mech -123', +- 'Processing preauth types: -123, 133', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- '/Preauthentication failed', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Encrypted timestamp (for ', +- 'module encrypted_timestamp (2) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, 2', +- 'Decrypted AS reply') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ '/More preauthentication data is required', ++ 'Continuing preauth mech -123', ++ 'Processing preauth types: -123, PA-FX-COOKIE (133)', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ '/Preauthentication failed', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Encrypted timestamp (for ', ++ 'module encrypted_timestamp (2) (real) returned: 0/Success', ++ 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)', ++ 'Decrypted AS reply') + realm.run(['./icred', realm.user_princ, password('user')], +- expected_msg='2rt: secondtrip', expected_trace=expected_trace) ++ expected_msg='2rt: secondtrip', expected_trace=msgs) + realm.run([kadminl, 'delstr', realm.user_princ, 'fail2rt']) + + # Test tryagain flow by inducing a KDC_ERR_ENCTYPE_NOSUPP error on the KDC. + realm.run([kadminl, 'setstr', realm.user_princ, 'err', 'testagain']) +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- '/KDC has no support for encryption type', +- 'Recovering from KDC error 14 using preauth mech -123', +- 'Preauth tryagain input types (-123): -123, 133', +- 'Preauth module test (-123) tryagain returned: 0/Success', +- 'Followup preauth for next request: -123, 133', +- 'Decrypted AS reply') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ '/KDC has no support for encryption type', ++ 'Recovering from KDC error 14 using preauth mech -123', ++ 'Preauth tryagain input types (-123): -123, PA-FX-COOKIE (133)', ++ 'Preauth module test (-123) tryagain returned: 0/Success', ++ 'Followup preauth for next request: -123, PA-FX-COOKIE (133)', ++ 'Decrypted AS reply') + realm.run(['./icred', realm.user_princ, password('user')], +- expected_msg='tryagain: testagain', expected_trace=expected_trace) ++ expected_msg='tryagain: testagain', expected_trace=msgs) + + # Test a client-side tryagain failure, falling back to encrypted + # timestamp. +-expected_trace = ('Sending unauthenticated request', +- '/Additional pre-authentication required', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Preauth module test (-123) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, -123', +- '/KDC has no support for encryption type', +- 'Recovering from KDC error 14 using preauth mech -123', +- 'Preauth tryagain input types (-123): -123, 133', +- '/induced tryagain fail', +- 'Preauthenticating using KDC method data', +- 'Processing preauth types:', +- 'Encrypted timestamp (for ', +- 'module encrypted_timestamp (2) (real) returned: 0/Success', +- 'Produced preauth for next request: 133, 2', +- 'Decrypted AS reply') ++msgs = ('Sending unauthenticated request', ++ '/Additional pre-authentication required', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Preauth module test (-123) (real) returned: 0/Success', ++ 'Produced preauth for next request: PA-FX-COOKIE (133), -123', ++ '/KDC has no support for encryption type', ++ 'Recovering from KDC error 14 using preauth mech -123', ++ 'Preauth tryagain input types (-123): -123, PA-FX-COOKIE (133)', ++ '/induced tryagain fail', ++ 'Preauthenticating using KDC method data', ++ 'Processing preauth types:', ++ 'Encrypted timestamp (for ', ++ 'module encrypted_timestamp (2) (real) returned: 0/Success', ++ 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)', ++ 'Decrypted AS reply') + realm.run(['./icred', '-X', 'fail_tryagain', realm.user_princ, +- password('user')], expected_trace=expected_trace) ++ password('user')], expected_trace=msgs) + + # Test that multiple stepwise initial creds operations can be + # performed with the same krb5_context, with proper tracking of diff --git a/SOURCES/Make-krb5_preauth_context-a-pointer-type.patch b/SOURCES/Make-krb5_preauth_context-a-pointer-type.patch new file mode 100644 index 0000000..b31a98c --- /dev/null +++ b/SOURCES/Make-krb5_preauth_context-a-pointer-type.patch @@ -0,0 +1,140 @@ +From 676588d0f878a1b235805c9cf3fb28f14d55638a Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 20 Dec 2016 15:25:29 -0500 +Subject: [PATCH] Make krb5_preauth_context a pointer type + +For consistency with krb5_context and krb5_init_creds_context, make +krb5_preauth_context a pointer type. In preauth2.c, use the typedef +name rather than the structure tag except when defining the structure. + +(cherry picked from commit 459a081dec6e91ae480a37acb805631742afe1e2) +--- + src/include/k5-int.h | 4 ++-- + src/lib/krb5/krb/preauth2.c | 22 +++++++++++----------- + 2 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index e31004a7c..10b034037 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -1198,7 +1198,7 @@ k5_plugin_free_context(krb5_context context); + struct _kdb5_dal_handle; /* private, in kdb5.h */ + typedef struct _kdb5_dal_handle kdb5_dal_handle; + struct _kdb_log_context; +-typedef struct krb5_preauth_context_st krb5_preauth_context; ++typedef struct krb5_preauth_context_st *krb5_preauth_context; + struct ccselect_module_handle; + struct localauth_module_handle; + struct hostrealm_module_handle; +@@ -1235,7 +1235,7 @@ struct _krb5_context { + struct plugin_dir_handle libkrb5_plugins; + + /* preauth module stuff */ +- krb5_preauth_context *preauth_context; ++ krb5_preauth_context preauth_context; + + /* cache module stuff */ + struct ccselect_module_handle **ccselect_handles; +diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c +index ca26fb0e3..b04d14829 100644 +--- a/src/lib/krb5/krb/preauth2.c ++++ b/src/lib/krb5/krb/preauth2.c +@@ -161,7 +161,7 @@ k5_init_preauth_context(krb5_context context) + list[count] = NULL; + + /* Place the constructed preauth context into the krb5 context. */ +- context->preauth_context = malloc(sizeof(struct krb5_preauth_context_st)); ++ context->preauth_context = malloc(sizeof(*context->preauth_context)); + if (context->preauth_context == NULL) + goto cleanup; + context->preauth_context->tried = NULL; +@@ -181,7 +181,7 @@ cleanup: + void + k5_reset_preauth_types_tried(krb5_context context) + { +- struct krb5_preauth_context_st *pctx = context->preauth_context; ++ krb5_preauth_context pctx = context->preauth_context; + + if (pctx == NULL) + return; +@@ -196,7 +196,7 @@ k5_reset_preauth_types_tried(krb5_context context) + void + k5_free_preauth_context(krb5_context context) + { +- struct krb5_preauth_context_st *pctx = context->preauth_context; ++ krb5_preauth_context pctx = context->preauth_context; + + if (pctx == NULL) + return; +@@ -211,7 +211,7 @@ k5_free_preauth_context(krb5_context context) + void + k5_preauth_request_context_init(krb5_context context) + { +- struct krb5_preauth_context_st *pctx = context->preauth_context; ++ krb5_preauth_context pctx = context->preauth_context; + clpreauth_handle *hp, h; + + if (pctx == NULL) { +@@ -233,7 +233,7 @@ k5_preauth_request_context_init(krb5_context context) + void + k5_preauth_request_context_fini(krb5_context context) + { +- struct krb5_preauth_context_st *pctx = context->preauth_context; ++ krb5_preauth_context pctx = context->preauth_context; + clpreauth_handle *hp, h; + + if (pctx == NULL) +@@ -495,7 +495,7 @@ void + k5_preauth_prepare_request(krb5_context context, krb5_get_init_creds_opt *opt, + krb5_kdc_req *req) + { +- struct krb5_preauth_context_st *pctx = context->preauth_context; ++ krb5_preauth_context pctx = context->preauth_context; + clpreauth_handle *hp, h; + krb5_enctype *ep; + +@@ -556,7 +556,7 @@ pa_type_allowed(krb5_init_creds_context ctx, krb5_preauthtype pa_type) + static krb5_boolean + already_tried(krb5_context context, krb5_preauthtype pa_type) + { +- struct krb5_preauth_context_st *pctx = context->preauth_context; ++ krb5_preauth_context pctx = context->preauth_context; + size_t count; + krb5_preauthtype *newptr; + +@@ -580,7 +580,7 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx, + krb5_pa_data ***out_pa_list, int *out_pa_list_size, + krb5_preauthtype *out_type) + { +- struct krb5_preauth_context_st *pctx = context->preauth_context; ++ krb5_preauth_context pctx = context->preauth_context; + struct errinfo save = EMPTY_ERRINFO; + krb5_pa_data *pa, **pa_ptr, **mod_pa; + krb5_error_code ret = 0; +@@ -858,7 +858,7 @@ krb5_error_code + k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, + krb5_pa_data **in_padata, krb5_pa_data ***padata_out) + { +- struct krb5_preauth_context_st *pctx = context->preauth_context; ++ krb5_preauth_context pctx = context->preauth_context; + krb5_error_code ret; + krb5_pa_data **mod_pa; + clpreauth_handle h; +@@ -897,7 +897,7 @@ static krb5_error_code + fill_response_items(krb5_context context, krb5_init_creds_context ctx, + krb5_pa_data **in_padata) + { +- struct krb5_preauth_context_st *pctx = context->preauth_context; ++ krb5_preauth_context pctx = context->preauth_context; + krb5_error_code ret; + krb5_pa_data *pa; + clpreauth_handle h; +@@ -1004,7 +1004,7 @@ krb5_preauth_supply_preauth_data(krb5_context context, + krb5_get_init_creds_opt *opt, + const char *attr, const char *value) + { +- struct krb5_preauth_context_st *pctx = context->preauth_context; ++ krb5_preauth_context pctx = context->preauth_context; + clpreauth_handle *hp, h; + krb5_error_code ret; + diff --git a/SOURCES/Make-timestamp-manipulations-y2038-safe.patch b/SOURCES/Make-timestamp-manipulations-y2038-safe.patch index b729c48..83f47ad 100644 --- a/SOURCES/Make-timestamp-manipulations-y2038-safe.patch +++ b/SOURCES/Make-timestamp-manipulations-y2038-safe.patch @@ -25,69 +25,69 @@ safely convert from libkrb5 timestamp values. ticket: 8352 (cherry picked from commit a9cbbf0899f270fbb14f63ffbed1b6d542333641) --- - src/clients/kinit/kinit.c | 2 +- - src/clients/klist/klist.c | 20 ++++------- - src/clients/ksu/ccache.c | 20 +++-------- - src/clients/ksu/ksu.h | 2 +- - src/kadmin/cli/getdate.y | 2 +- - src/kadmin/cli/kadmin.c | 5 ++- - src/kadmin/dbutil/dump.c | 27 ++++++++------- - src/kadmin/dbutil/kdb5_mkey.c | 6 ++-- - src/kadmin/dbutil/tabdump.c | 2 +- - src/kadmin/testing/util/tcl_kadm5.c | 12 +++---- - src/kdc/do_as_req.c | 2 +- - src/kdc/do_tgs_req.c | 6 ++-- - src/kdc/extern.c | 4 ++- - src/kdc/fast_util.c | 4 +-- - src/kdc/kdc_log.c | 14 ++++---- - src/kdc/kdc_util.c | 20 +++++------ - src/kdc/kdc_util.h | 2 ++ - src/kdc/replay.c | 2 +- - src/kdc/tgs_policy.c | 7 ++-- - src/lib/gssapi/krb5/accept_sec_context.c | 8 +++-- - src/lib/gssapi/krb5/acquire_cred.c | 13 ++++--- - src/lib/gssapi/krb5/context_time.c | 2 +- - src/lib/gssapi/krb5/export_cred.c | 5 +-- - src/lib/gssapi/krb5/iakerb.c | 4 +-- - src/lib/gssapi/krb5/init_sec_context.c | 9 ++--- - src/lib/gssapi/krb5/inq_context.c | 2 +- - src/lib/gssapi/krb5/inq_cred.c | 5 +-- - src/lib/gssapi/krb5/s4u_gss_glue.c | 2 +- - src/lib/kadm5/chpass_util.c | 8 ++--- - src/lib/kadm5/srv/server_acl.c | 5 +-- - src/lib/kadm5/srv/svr_principal.c | 12 +++---- - src/lib/kdb/kdb5.c | 2 +- - src/lib/krb5/asn.1/asn1_k_encode.c | 3 +- - src/lib/krb5/ccache/cc_keyring.c | 14 ++++---- - src/lib/krb5/ccache/cc_memory.c | 4 +-- - src/lib/krb5/ccache/cc_retr.c | 4 +-- - src/lib/krb5/ccache/ccapi/stdcc_util.c | 40 +++++++++++----------- - src/lib/krb5/ccache/cccursor.c | 2 +- - src/lib/krb5/keytab/kt_file.c | 6 ++-- - src/lib/krb5/krb/gc_via_tkt.c | 7 ++-- - src/lib/krb5/krb/get_creds.c | 2 +- - src/lib/krb5/krb/get_in_tkt.c | 38 ++++++-------------- - src/lib/krb5/krb/gic_pwd.c | 4 +-- - src/lib/krb5/krb/int-proto.h | 2 +- - src/lib/krb5/krb/pac.c | 2 +- - src/lib/krb5/krb/str_conv.c | 4 +-- - src/lib/krb5/krb/t_kerb.c | 12 ++----- - src/lib/krb5/krb/valid_times.c | 4 +-- - src/lib/krb5/krb/vfy_increds.c | 2 +- - src/lib/krb5/os/timeofday.c | 2 +- - src/lib/krb5/os/toffset.c | 2 +- - src/lib/krb5/os/ustime.c | 6 ++-- - src/lib/krb5/rcache/rc_dfl.c | 3 +- - src/lib/krb5/rcache/t_replay.c | 8 ++--- - src/plugins/kdb/db2/lockout.c | 8 ++--- - src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 2 +- - src/plugins/kdb/ldap/libkdb_ldap/lockout.c | 8 ++--- - src/windows/cns/tktlist.c | 10 +++--- - src/windows/include/leashwin.h | 12 +++---- - src/windows/leash/KrbListTickets.cpp | 12 +++---- - src/windows/leash/LeashView.cpp | 22 ++++++------ - src/windows/leashdll/lshfunc.c | 2 +- - src/windows/ms2mit/ms2mit.c | 2 +- + src/clients/kinit/kinit.c | 2 +- + src/clients/klist/klist.c | 20 ++++------ + src/clients/ksu/ccache.c | 20 +++------- + src/clients/ksu/ksu.h | 2 +- + src/kadmin/cli/getdate.y | 2 +- + src/kadmin/cli/kadmin.c | 5 +-- + src/kadmin/dbutil/dump.c | 27 +++++++------ + src/kadmin/dbutil/kdb5_mkey.c | 6 +-- + src/kadmin/dbutil/tabdump.c | 2 +- + src/kadmin/testing/util/tcl_kadm5.c | 12 +++--- + src/kdc/do_as_req.c | 2 +- + src/kdc/do_tgs_req.c | 6 +-- + src/kdc/extern.c | 4 +- + src/kdc/fast_util.c | 4 +- + src/kdc/kdc_log.c | 14 +++---- + src/kdc/kdc_util.c | 20 +++++----- + src/kdc/kdc_util.h | 2 + + src/kdc/replay.c | 2 +- + src/kdc/tgs_policy.c | 7 ++-- + src/lib/gssapi/krb5/accept_sec_context.c | 8 ++-- + src/lib/gssapi/krb5/acquire_cred.c | 13 +++--- + src/lib/gssapi/krb5/context_time.c | 2 +- + src/lib/gssapi/krb5/export_cred.c | 5 ++- + src/lib/gssapi/krb5/iakerb.c | 4 +- + src/lib/gssapi/krb5/init_sec_context.c | 9 +++-- + src/lib/gssapi/krb5/inq_context.c | 2 +- + src/lib/gssapi/krb5/inq_cred.c | 5 ++- + src/lib/gssapi/krb5/s4u_gss_glue.c | 2 +- + src/lib/kadm5/chpass_util.c | 8 +--- + src/lib/kadm5/srv/server_acl.c | 5 ++- + src/lib/kadm5/srv/svr_principal.c | 12 +++--- + src/lib/kdb/kdb5.c | 2 +- + src/lib/krb5/asn.1/asn1_k_encode.c | 3 +- + src/lib/krb5/ccache/cc_keyring.c | 14 ++++--- + src/lib/krb5/ccache/cc_memory.c | 4 +- + src/lib/krb5/ccache/cc_retr.c | 4 +- + src/lib/krb5/ccache/ccapi/stdcc_util.c | 40 +++++++++---------- + src/lib/krb5/ccache/cccursor.c | 2 +- + src/lib/krb5/keytab/kt_file.c | 6 ++- + src/lib/krb5/krb/gc_via_tkt.c | 7 ++-- + src/lib/krb5/krb/get_creds.c | 2 +- + src/lib/krb5/krb/get_in_tkt.c | 38 +++++------------- + src/lib/krb5/krb/gic_pwd.c | 4 +- + src/lib/krb5/krb/int-proto.h | 2 +- + src/lib/krb5/krb/pac.c | 2 +- + src/lib/krb5/krb/str_conv.c | 4 +- + src/lib/krb5/krb/t_kerb.c | 12 +----- + src/lib/krb5/krb/valid_times.c | 4 +- + src/lib/krb5/krb/vfy_increds.c | 2 +- + src/lib/krb5/os/timeofday.c | 2 +- + src/lib/krb5/os/toffset.c | 2 +- + src/lib/krb5/os/ustime.c | 6 +-- + src/lib/krb5/rcache/rc_dfl.c | 3 +- + src/lib/krb5/rcache/t_replay.c | 8 ++-- + src/plugins/kdb/db2/lockout.c | 8 ++-- + .../kdb/ldap/libkdb_ldap/ldap_principal2.c | 2 +- + src/plugins/kdb/ldap/libkdb_ldap/lockout.c | 8 ++-- + src/windows/cns/tktlist.c | 10 +++-- + src/windows/include/leashwin.h | 12 +++--- + src/windows/leash/KrbListTickets.cpp | 12 +++--- + src/windows/leash/LeashView.cpp | 22 +++++----- + src/windows/leashdll/lshfunc.c | 2 +- + src/windows/ms2mit/ms2mit.c | 2 +- 63 files changed, 230 insertions(+), 255 deletions(-) diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c diff --git a/SOURCES/Merge-duplicate-subsections-in-profile-library.patch b/SOURCES/Merge-duplicate-subsections-in-profile-library.patch new file mode 100644 index 0000000..54e2bc4 --- /dev/null +++ b/SOURCES/Merge-duplicate-subsections-in-profile-library.patch @@ -0,0 +1,122 @@ +From 7e2b7bb44c4996c425a93f6aacf151480cd08595 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 10 Apr 2018 15:55:41 -0400 +Subject: [PATCH] Merge duplicate subsections in profile library + +Modify profile_add_node() to return the existing node, rather than +making a new one, when adding subsection configuration. + +This fixes an issue where the first instance of a subsection will hide +the second instance entirely. In particular, it was previously +impossible to split realm-specific configuration across multiple +config files. + +[ghudson@mit.edu: adjusted style, added test case] + +(cherry picked from commit efab9fa5a6d23c486467264e20b58bf5a9c60f0c) + +ticket: 7863 +version_fixed: 1.16.1 + +(cherry picked from commit 98d0061c8083af960438ad1ac088f60497694a68) +--- + src/util/profile/prof_test1 | 22 ++++++++++++++++++++++ + src/util/profile/prof_tree.c | 15 +++++++++++---- + src/util/profile/test.ini | 6 ++++++ + 3 files changed, 39 insertions(+), 4 deletions(-) + +diff --git a/src/util/profile/prof_test1 b/src/util/profile/prof_test1 +index 7e30fc12f..7d13c9389 100644 +--- a/src/util/profile/prof_test1 ++++ b/src/util/profile/prof_test1 +@@ -341,6 +341,27 @@ proc test9 {} { + puts "OK: test9: profile_flush_to_file with no changes" + } + ++proc test10 {} { ++ global wd verbose ++ ++ # Regression test for #7863: multiply-specified subsections should ++ # be merged. ++ set p [profile_init_path $wd/test2.ini] ++ set x [profile_get_values $p {{test section 2} child_section2 child}] ++ if $verbose { puts "Read $x from profile" } ++ if ![string equal $x "slick harry {john\tb } ron"] { ++ puts stderr "Error: test10: Did not get expected merged children." ++ exit 1 ++ } ++ ++ set x [profile_get_string $p {test section 2} child_section2 chores] ++ if $verbose { puts "Read $x from profile" } ++ if ![string equal $x "cleaning"] { ++ puts stderr "Error: test10: Did not find expected chores." ++ exit 1 ++ } ++} ++ + test1 + test2 + test3 +@@ -350,5 +371,6 @@ test6 + test7 + test8 + test9 ++test10 + + exit 0 +diff --git a/src/util/profile/prof_tree.c b/src/util/profile/prof_tree.c +index 081f688e4..38aadc4e5 100644 +--- a/src/util/profile/prof_tree.c ++++ b/src/util/profile/prof_tree.c +@@ -9,7 +9,7 @@ + * + * Each node may represent either a relation or a section header. + * +- * A section header must have its value field set to 0, and may a one ++ * A section header must have its value field be null, and may have one + * or more child nodes, pointed to by first_child. + * + * A relation has as its value a pointer to allocated memory +@@ -159,15 +159,22 @@ errcode_t profile_add_node(struct profile_node *section, const char *name, + return PROF_ADD_NOT_SECTION; + + /* +- * Find the place to insert the new node. We look for the +- * place *after* the last match of the node name, since ++ * Find the place to insert the new node. If we are adding a subsection ++ * and already have a subsection with that name, merge them. Otherwise, ++ * we look for the place *after* the last match of the node name, since + * order matters. + */ + for (p=section->first_child, last = 0; p; last = p, p = p->next) { + int cmp; + cmp = strcmp(p->name, name); +- if (cmp > 0) ++ if (cmp > 0) { + break; ++ } else if (value == NULL && cmp == 0 && ++ p->value == NULL && p->deleted != 1) { ++ /* Found duplicate subsection, so don't make a new one. */ ++ *ret_node = p; ++ return 0; ++ } + } + retval = profile_create_node(name, value, &new); + if (retval) +diff --git a/src/util/profile/test.ini b/src/util/profile/test.ini +index 23ca89677..6622df108 100644 +--- a/src/util/profile/test.ini ++++ b/src/util/profile/test.ini +@@ -10,6 +10,12 @@ this is a comment. Everything up to the first square brace is ignored. + } + child_section2 = foo + ++[test section 2] ++ child_section2 = { ++ child = ron ++ chores = cleaning ++ } ++ + [realms] + ATHENA.MIT.EDU = { + server = KERBEROS.MIT.EDU:88 diff --git a/SOURCES/Preserve-method-data-in-get_in_tkt.c.patch b/SOURCES/Preserve-method-data-in-get_in_tkt.c.patch new file mode 100644 index 0000000..187993d --- /dev/null +++ b/SOURCES/Preserve-method-data-in-get_in_tkt.c.patch @@ -0,0 +1,222 @@ +From 129e5a5694783bb033532e5933b2eeefabc5a35d Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Fri, 13 Jan 2017 15:35:48 -0500 +Subject: [PATCH] Preserve method data in get_in_tkt.c + +To continue after preauth failures, we need a persistent field in +krb5_init_creds_context containing the METHOD-DATA from a +KDC_PREAUTH_REQUIRED or KDC_PREAUTH_FAILED error. If we overwrite +this field with the padata in a KDC_MORE_PREAUTH_DATA_REQUIRED error, +or conflate it with an optimistic padata list, we won't be able to +correctly continue after a preauth failure. + +In krb5_init_creds_context, split the preauth_to_use field into +optimistic_padata, method_padata, and more_padata. Separately handle +KDC_ERR_MORE_PREAUTH_DATA_REQUIRED in init_creds_step_request() and +init_creds_step_reply(), and separately handle optimistic preauth in +init_creds_step_request(). Do not call k5_preauth() if none of the +padata lists are set. + +Also stop clearing ctx->err_reply when processing a +KDC_ERR_PREAUTH_REQUIRED response. Instead look for that error code +in init_creds_step_request(). Eliminate the preauth_required field of +krb5_init_creds_context as it can be inferred from whether we are +performing optimistic preauth. + +ticket: 8537 +(cherry picked from commit 97a9b0c4ef3fc7b20e6ae592201bcb132d58bbe5) +--- + src/include/k5-trace.h | 11 +++++ + src/lib/krb5/krb/get_in_tkt.c | 71 +++++++++++++++++++++---------- + src/lib/krb5/krb/init_creds_ctx.h | 5 ++- + 3 files changed, 62 insertions(+), 25 deletions(-) + +diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h +index 814da3195..e60ee0b75 100644 +--- a/src/include/k5-trace.h ++++ b/src/include/k5-trace.h +@@ -213,8 +213,19 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); + TRACE(c, "Looked up etypes in keytab: {etypes}", etypes) + #define TRACE_INIT_CREDS_KEYTAB_LOOKUP_FAILED(c, code) \ + TRACE(c, "Couldn't lookup etypes in keytab: {kerr}", code) ++#define TRACE_INIT_CREDS_PREAUTH(c) \ ++ TRACE(c, "Preauthenticating using KDC method data") + #define TRACE_INIT_CREDS_PREAUTH_DECRYPT_FAIL(c, code) \ + TRACE(c, "Decrypt with preauth AS key failed: {kerr}", code) ++#define TRACE_INIT_CREDS_PREAUTH_MORE(c, patype) \ ++ TRACE(c, "Continuing preauth mech {int}", (int)patype) ++#define TRACE_INIT_CREDS_PREAUTH_NONE(c) \ ++ TRACE(c, "Sending unauthenticated request") ++#define TRACE_INIT_CREDS_PREAUTH_OPTIMISTIC(c) \ ++ TRACE(c, "Attempting optimistic preauth") ++#define TRACE_INIT_CREDS_PREAUTH_TRYAGAIN(c, patype, code) \ ++ TRACE(c, "Recovering from KDC error {int} using preauth mech {int}", \ ++ (int)patype, (int)code) + #define TRACE_INIT_CREDS_RESTART_FAST(c) \ + TRACE(c, "Restarting to upgrade to FAST") + #define TRACE_INIT_CREDS_RESTART_PREAUTH_FAILED(c) \ +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index bc903b6e9..8c7919e65 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -575,7 +575,9 @@ krb5_init_creds_free(krb5_context context, + krb5_free_data(context, ctx->inner_request_body); + krb5_free_data(context, ctx->encoded_previous_request); + krb5int_fast_free_state(context, ctx->fast_state); +- krb5_free_pa_data(context, ctx->preauth_to_use); ++ krb5_free_pa_data(context, ctx->optimistic_padata); ++ krb5_free_pa_data(context, ctx->method_padata); ++ krb5_free_pa_data(context, ctx->more_padata); + krb5_free_data_contents(context, &ctx->salt); + krb5_free_data_contents(context, &ctx->s2kparams); + krb5_free_keyblock_contents(context, &ctx->as_key); +@@ -827,10 +829,13 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx, + { + krb5_error_code code = 0; + +- krb5_free_pa_data(context, ctx->preauth_to_use); ++ krb5_free_pa_data(context, ctx->optimistic_padata); ++ krb5_free_pa_data(context, ctx->method_padata); ++ krb5_free_pa_data(context, ctx->more_padata); + krb5_free_pa_data(context, ctx->err_padata); + krb5_free_error(context, ctx->err_reply); +- ctx->preauth_to_use = ctx->err_padata = NULL; ++ ctx->optimistic_padata = ctx->method_padata = ctx->more_padata = NULL; ++ ctx->err_padata = NULL; + ctx->err_reply = NULL; + ctx->selected_preauth_type = KRB5_PADATA_NONE; + +@@ -849,7 +854,7 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx, + if (ctx->opt->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) { + code = make_preauth_list(context, ctx->opt->preauth_list, + ctx->opt->preauth_list_length, +- &ctx->preauth_to_use); ++ &ctx->optimistic_padata); + if (code) + goto cleanup; + } +@@ -1301,6 +1306,7 @@ init_creds_step_request(krb5_context context, + krb5_data *out) + { + krb5_error_code code; ++ krb5_preauthtype pa_type; + + if (ctx->loopcount >= MAX_IN_TKT_LOOPS) { + code = KRB5_GET_IN_TKT_LOOP; +@@ -1331,17 +1337,36 @@ init_creds_step_request(krb5_context context, + read_cc_config_in_data(context, ctx); + clear_cc_config_out_data(context, ctx); + +- if (ctx->err_reply == NULL) { +- /* Either our first attempt, or retrying after KDC_ERR_PREAUTH_REQUIRED +- * or KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */ +- code = k5_preauth(context, ctx, ctx->preauth_to_use, +- ctx->preauth_required, &ctx->request->padata, +- &ctx->selected_preauth_type); ++ ctx->request->padata = NULL; ++ if (ctx->optimistic_padata != NULL) { ++ /* Our first attempt, using an optimistic padata list. */ ++ TRACE_INIT_CREDS_PREAUTH_OPTIMISTIC(context); ++ code = k5_preauth(context, ctx, ctx->optimistic_padata, FALSE, ++ &ctx->request->padata, &ctx->selected_preauth_type); ++ krb5_free_pa_data(context, ctx->optimistic_padata); ++ ctx->optimistic_padata = NULL; + if (code != 0) + goto cleanup; +- } else { +- /* Retry after an error other than PREAUTH_NEEDED, using error padata ++ } if (ctx->more_padata != NULL) { ++ /* Continuing after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */ ++ TRACE_INIT_CREDS_PREAUTH_MORE(context, ctx->selected_preauth_type); ++ code = k5_preauth(context, ctx, ctx->more_padata, TRUE, ++ &ctx->request->padata, &pa_type); ++ if (code != 0) ++ goto cleanup; ++ } else if (ctx->err_reply != NULL && ++ ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED) { ++ /* Continuing after KDC_ERR_PREAUTH_REQUIRED, using method data. */ ++ TRACE_INIT_CREDS_PREAUTH(context); ++ code = k5_preauth(context, ctx, ctx->method_padata, TRUE, ++ &ctx->request->padata, &ctx->selected_preauth_type); ++ if (code != 0) ++ goto cleanup; ++ } else if (ctx->err_reply != NULL) { ++ /* Retry after an error other than PREAUTH_REQUIRED, using error padata + * to figure out what to change. */ ++ TRACE_INIT_CREDS_PREAUTH_TRYAGAIN(context, ctx->err_reply->error, ++ ctx->selected_preauth_type); + code = k5_preauth_tryagain(context, ctx, ctx->selected_preauth_type, + ctx->err_reply, ctx->err_padata, + &ctx->request->padata); +@@ -1351,6 +1376,8 @@ init_creds_step_request(krb5_context context, + goto cleanup; + } + } ++ if (ctx->request->padata == NULL) ++ TRACE_INIT_CREDS_PREAUTH_NONE(context); + + /* Remember when we sent this request (after any preauth delay). */ + ctx->request_time = time(NULL); +@@ -1467,8 +1494,9 @@ init_creds_step_reply(krb5_context context, + ctx->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL; + + if (ctx->err_reply != NULL) { ++ krb5_free_pa_data(context, ctx->more_padata); + krb5_free_pa_data(context, ctx->err_padata); +- ctx->err_padata = NULL; ++ ctx->more_padata = ctx->err_padata = NULL; + code = krb5int_fast_process_error(context, ctx->fast_state, + &ctx->err_reply, &ctx->err_padata, + &retry); +@@ -1494,21 +1522,18 @@ init_creds_step_reply(krb5_context context, + * FAST upgrade. */ + ctx->restarted = FALSE; + code = restart_init_creds_loop(context, ctx, FALSE); +- } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED || +- reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) { +- krb5_free_pa_data(context, ctx->preauth_to_use); +- ctx->preauth_to_use = ctx->err_padata; ++ } else if (reply_code == KDC_ERR_PREAUTH_REQUIRED && retry) { ++ krb5_free_pa_data(context, ctx->method_padata); ++ ctx->method_padata = ctx->err_padata; + ctx->err_padata = NULL; + note_req_timestamp(context, ctx, ctx->err_reply->stime, + ctx->err_reply->susec); +- /* This will trigger a new call to k5_preauth(). */ +- krb5_free_error(context, ctx->err_reply); +- ctx->err_reply = NULL; + code = sort_krb5_padata_sequence(context, + &ctx->request->client->realm, +- ctx->preauth_to_use); +- ctx->preauth_required = TRUE; +- ++ ctx->method_padata); ++ } else if (reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED && retry) { ++ ctx->more_padata = ctx->err_padata; ++ ctx->err_padata = NULL; + } else if (canon_flag && is_referral(context, ctx->err_reply, + ctx->request->client)) { + TRACE_INIT_CREDS_REFERRAL(context, &ctx->err_reply->client->realm); +diff --git a/src/lib/krb5/krb/init_creds_ctx.h b/src/lib/krb5/krb/init_creds_ctx.h +index 8c8b7494b..fe769685b 100644 +--- a/src/lib/krb5/krb/init_creds_ctx.h ++++ b/src/lib/krb5/krb/init_creds_ctx.h +@@ -50,7 +50,9 @@ struct _krb5_init_creds_context { + krb5_data *inner_request_body; /**< For preauth */ + krb5_data *encoded_previous_request; + struct krb5int_fast_request_state *fast_state; +- krb5_pa_data **preauth_to_use; ++ krb5_pa_data **optimistic_padata; /* from gic options */ ++ krb5_pa_data **method_padata; /* from PREAUTH_REQUIRED or PREAUTH_FAILED */ ++ krb5_pa_data **more_padata; /* from MORE_PREAUTH_DATA_REQUIRED */ + krb5_boolean default_salt; + krb5_data salt; + krb5_data s2kparams; +@@ -58,7 +60,6 @@ struct _krb5_init_creds_context { + krb5_enctype etype; + krb5_boolean enc_pa_rep_permitted; + krb5_boolean restarted; +- krb5_boolean preauth_required; + struct krb5_responder_context_st rctx; + krb5_preauthtype selected_preauth_type; + krb5_preauthtype allowed_preauth_type; diff --git a/SOURCES/Process-profile-includedir-in-sorted-order.patch b/SOURCES/Process-profile-includedir-in-sorted-order.patch new file mode 100644 index 0000000..05ef4f5 --- /dev/null +++ b/SOURCES/Process-profile-includedir-in-sorted-order.patch @@ -0,0 +1,115 @@ +From bcbc07379fec90a2026d621e864db9a1f2c31e92 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Wed, 6 Jun 2018 17:58:41 -0400 +Subject: [PATCH] Process profile includedir in sorted order + +In the profile library, use k5_dir_filenames() so that files within an +included directory are read in a predictable order (alphanumeric +within the C locale). + +ticket: 8686 +(cherry picked from commit f574eda48740ad192f51e9a382a205e2ea0e60ad) +(cherry picked from commit 5d868264bca1771aa16abbc8cc0aefb0e1750a73) +--- + doc/admin/conf_files/krb5_conf.rst | 4 ++- + src/util/profile/prof_parse.c | 56 +++++------------------------- + 2 files changed, 12 insertions(+), 48 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index 1d9bc9e34..a959e0e60 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -58,7 +58,9 @@ alphanumeric characters, dashes, or underscores. Starting in release + 1.15, files with names ending in ".conf" are also included, unless the + name begins with ".". Included profile files are syntactically + independent of their parents, so each included file must begin with a +-section header. ++section header. Starting in release 1.17, files are read in ++alphanumeric order; in previous releases, they may be read in any ++order. + + The krb5.conf file can specify that configuration should be obtained + from a loadable module, rather than the file itself, using the +diff --git a/src/util/profile/prof_parse.c b/src/util/profile/prof_parse.c +index 1baceea9e..531e4a099 100644 +--- a/src/util/profile/prof_parse.c ++++ b/src/util/profile/prof_parse.c +@@ -246,59 +246,22 @@ static int valid_name(const char *filename) + * Include files within dirname. Only files with names ending in ".conf", or + * consisting entirely of alphanumeric characters, dashes, and underscores are + * included. This restriction avoids including editor backup files, .rpmsave +- * files, and the like. ++ * files, and the like. Files are processed in alphanumeric order. + */ + static errcode_t parse_include_dir(const char *dirname, + struct profile_node *root_section) + { +-#ifdef _WIN32 +- char *wildcard = NULL, *pathname; +- WIN32_FIND_DATA ffd; +- HANDLE handle; + errcode_t retval = 0; ++ char **fnames, *pathname; ++ int i; + +- if (asprintf(&wildcard, "%s\\*", dirname) < 0) +- return ENOMEM; +- +- handle = FindFirstFile(wildcard, &ffd); +- if (handle == INVALID_HANDLE_VALUE) { +- retval = PROF_FAIL_INCLUDE_DIR; +- goto cleanup; +- } +- +- do { +- if (!valid_name(ffd.cFileName)) +- continue; +- if (asprintf(&pathname, "%s\\%s", dirname, ffd.cFileName) < 0) { +- retval = ENOMEM; +- break; +- } +- retval = parse_include_file(pathname, root_section); +- free(pathname); +- if (retval) +- break; +- } while (FindNextFile(handle, &ffd) != 0); +- +- FindClose(handle); +- +-cleanup: +- free(wildcard); +- return retval; +- +-#else /* not _WIN32 */ +- +- DIR *dir; +- char *pathname; +- errcode_t retval = 0; +- struct dirent *ent; +- +- dir = opendir(dirname); +- if (dir == NULL) ++ if (k5_dir_filenames(dirname, &fnames) != 0) + return PROF_FAIL_INCLUDE_DIR; +- while ((ent = readdir(dir)) != NULL) { +- if (!valid_name(ent->d_name)) ++ ++ for (i = 0; fnames != NULL && fnames[i] != NULL; i++) { ++ if (!valid_name(fnames[i])) + continue; +- if (asprintf(&pathname, "%s/%s", dirname, ent->d_name) < 0) { ++ if (asprintf(&pathname, "%s/%s", dirname, fnames[i]) < 0) { + retval = ENOMEM; + break; + } +@@ -307,9 +270,8 @@ cleanup: + if (retval) + break; + } +- closedir(dir); ++ k5_free_filenames(fnames); + return retval; +-#endif /* not _WIN32 */ + } + + static errcode_t parse_line(char *line, struct parse_state *state, diff --git a/SOURCES/Properly-scope-per-request-preauth-data.patch b/SOURCES/Properly-scope-per-request-preauth-data.patch new file mode 100644 index 0000000..624e6c3 --- /dev/null +++ b/SOURCES/Properly-scope-per-request-preauth-data.patch @@ -0,0 +1,533 @@ +From 44fdcedd2a61cd40fe68aef533c878b5f2f665a8 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 20 Dec 2016 16:06:24 -0500 +Subject: [PATCH] Properly scope per-request preauth data + +It should be possible to successfully use multiple initial credentials +contexts with the same library context. Create a new internal type +krb5_preauth_req_context containing per-request preauth state, +including the clpreauth modreq handles and the list of preauth types +already tried. Remove this state from clpreauth_handle and +krb5_preauth_context. + +ticket: 7877 +(cherry picked from commit b061f419cfc9653b7549b905e54fbbd78deea49e) +--- + src/include/k5-trace.h | 3 + + src/lib/krb5/krb/get_in_tkt.c | 12 +- + src/lib/krb5/krb/init_creds_ctx.h | 3 + + src/lib/krb5/krb/int-proto.h | 8 +- + src/lib/krb5/krb/preauth2.c | 190 +++++++++++++++++++----------- + 5 files changed, 135 insertions(+), 81 deletions(-) + +diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h +index 2885408a2..f44f162d3 100644 +--- a/src/include/k5-trace.h ++++ b/src/include/k5-trace.h +@@ -291,6 +291,9 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); + TRACE(c, "Preauth tryagain input types: {patypes}", padata) + #define TRACE_PREAUTH_TRYAGAIN_OUTPUT(c, padata) \ + TRACE(c, "Followup preauth for next request: {patypes}", padata) ++#define TRACE_PREAUTH_WRONG_CONTEXT(c) \ ++ TRACE(c, "Wrong context passed to krb5_init_creds_free(); leaking " \ ++ "modreq objects") + + #define TRACE_PROFILE_ERR(c,subsection, section, retval) \ + TRACE(c, "Bad value of {str} from [{str}] in conf file: {kerr}", \ +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index ed15550f0..80f5e1870 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -565,7 +565,7 @@ krb5_init_creds_free(krb5_context context, + k5_response_items_free(ctx->rctx.items); + free(ctx->in_tkt_service); + zapfree(ctx->gakpw.storage.data, ctx->gakpw.storage.length); +- k5_preauth_request_context_fini(context); ++ k5_preauth_request_context_fini(context, ctx); + krb5_free_error(context, ctx->err_reply); + krb5_free_pa_data(context, ctx->err_padata); + krb5_free_cred_contents(context, &ctx->cred); +@@ -816,8 +816,8 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx, + if (fast_upgrade) + ctx->fast_state->fast_state_flags |= KRB5INT_FAST_DO_FAST; + +- k5_preauth_request_context_fini(context); +- k5_preauth_request_context_init(context); ++ k5_preauth_request_context_fini(context, ctx); ++ k5_preauth_request_context_init(context, ctx); + krb5_free_data(context, ctx->outer_request_body); + ctx->outer_request_body = NULL; + if (ctx->opt->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) { +@@ -1504,7 +1504,7 @@ init_creds_step_reply(krb5_context context, + } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED || + reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) { + /* reset the list of preauth types to try */ +- k5_reset_preauth_types_tried(context); ++ k5_reset_preauth_types_tried(ctx); + krb5_free_pa_data(context, ctx->preauth_to_use); + ctx->preauth_to_use = ctx->err_padata; + ctx->err_padata = NULL; +@@ -1555,7 +1555,7 @@ init_creds_step_reply(krb5_context context, + goto cleanup; + + /* process any preauth data in the as_reply */ +- k5_reset_preauth_types_tried(context); ++ k5_reset_preauth_types_tried(ctx); + code = krb5int_fast_process_response(context, ctx->fast_state, + ctx->reply, &strengthen_key); + if (code != 0) +@@ -1640,7 +1640,7 @@ init_creds_step_reply(krb5_context context, + k5_prependmsg(context, code, _("Failed to store credentials")); + } + +- k5_preauth_request_context_fini(context); ++ k5_preauth_request_context_fini(context, ctx); + + /* success */ + ctx->complete = TRUE; +diff --git a/src/lib/krb5/krb/init_creds_ctx.h b/src/lib/krb5/krb/init_creds_ctx.h +index 38c01c775..a7cded942 100644 +--- a/src/lib/krb5/krb/init_creds_ctx.h ++++ b/src/lib/krb5/krb/init_creds_ctx.h +@@ -6,6 +6,8 @@ + #include "k5-json.h" + #include "int-proto.h" + ++typedef struct krb5_preauth_req_context_st *krb5_preauth_req_context; ++ + struct krb5_responder_context_st { + k5_response_items *items; + }; +@@ -67,6 +69,7 @@ struct _krb5_init_creds_context { + krb5_timestamp pa_offset; + krb5_int32 pa_offset_usec; + enum { NO_OFFSET = 0, UNAUTH_OFFSET, AUTH_OFFSET } pa_offset_state; ++ krb5_preauth_req_context preauth_reqctx; + }; + + krb5_error_code +diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h +index 9c746d05b..f1667c238 100644 +--- a/src/lib/krb5/krb/int-proto.h ++++ b/src/lib/krb5/krb/int-proto.h +@@ -194,17 +194,19 @@ void + k5_free_preauth_context(krb5_context context); + + void +-k5_reset_preauth_types_tried(krb5_context context); ++k5_reset_preauth_types_tried(krb5_init_creds_context ctx); + + void + k5_preauth_prepare_request(krb5_context context, krb5_get_init_creds_opt *opt, + krb5_kdc_req *request); + + void +-k5_preauth_request_context_init(krb5_context context); ++k5_preauth_request_context_init(krb5_context context, ++ krb5_init_creds_context ctx); + + void +-k5_preauth_request_context_fini(krb5_context context); ++k5_preauth_request_context_fini(krb5_context context, ++ krb5_init_creds_context ctx); + + krb5_error_code + k5_response_items_new(k5_response_items **ri_out); +diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c +index b04d14829..9a178f4e3 100644 +--- a/src/lib/krb5/krb/preauth2.c ++++ b/src/lib/krb5/krb/preauth2.c +@@ -46,14 +46,18 @@ + typedef struct { + struct krb5_clpreauth_vtable_st vt; + krb5_clpreauth_moddata data; +- krb5_clpreauth_modreq req; + } *clpreauth_handle; + + struct krb5_preauth_context_st { +- krb5_preauthtype *tried; + clpreauth_handle *handles; + }; + ++struct krb5_preauth_req_context_st { ++ krb5_context orig_context; ++ krb5_preauthtype *tried; ++ krb5_clpreauth_modreq *modreqs; ++}; ++ + /* Release the memory used by a list of handles. */ + static void + free_handles(krb5_context context, clpreauth_handle *handles) +@@ -71,21 +75,44 @@ free_handles(krb5_context context, clpreauth_handle *handles) + free(handles); + } + +-/* Find the handle in handles which can process pa_type. */ +-static clpreauth_handle +-find_module(clpreauth_handle *handles, krb5_preauthtype pa_type) ++/* Return an index into handles which can process pa_type, or -1 if none is ++ * found found. */ ++static int ++search_module_list(clpreauth_handle *handles, krb5_preauthtype pa_type) + { +- clpreauth_handle *hp, h; +- krb5_preauthtype *tp; ++ clpreauth_handle h; ++ int i, j; + +- for (hp = handles; *hp != NULL; hp++) { +- h = *hp; +- for (tp = h->vt.pa_type_list; *tp != 0; tp++) { +- if (*tp == pa_type) +- return h; ++ for (i = 0; handles[i] != NULL; i++) { ++ h = handles[i]; ++ for (j = 0; h->vt.pa_type_list[j] != 0; j++) { ++ if (h->vt.pa_type_list[j] == pa_type) ++ return i; + } + } +- return FALSE; ++ return -1; ++} ++ ++/* Find the handle which can process pa_type, or NULL if none is found. On ++ * success, set *modreq_out to the corresponding per-request module data. */ ++static clpreauth_handle ++find_module(krb5_context context, krb5_init_creds_context ctx, ++ krb5_preauthtype pa_type, krb5_clpreauth_modreq *modreq_out) ++{ ++ krb5_preauth_context pctx = context->preauth_context; ++ krb5_preauth_req_context reqctx = ctx->preauth_reqctx; ++ int i; ++ ++ *modreq_out = NULL; ++ if (pctx == NULL || reqctx == NULL) ++ return NULL; ++ ++ i = search_module_list(pctx->handles, pa_type); ++ if (i == -1) ++ return NULL; ++ ++ *modreq_out = reqctx->modreqs[i]; ++ return pctx->handles[i]; + } + + /* Initialize the preauth state for a krb5 context. */ +@@ -93,7 +120,8 @@ void + k5_init_preauth_context(krb5_context context) + { + krb5_plugin_initvt_fn *modules = NULL, *mod; +- clpreauth_handle *list = NULL, h, h2; ++ clpreauth_handle *list = NULL, h; ++ int i; + size_t count; + krb5_preauthtype *tp; + +@@ -140,9 +168,10 @@ k5_init_preauth_context(krb5_context context) + + /* Check for a preauth type conflict with an existing module. */ + for (tp = h->vt.pa_type_list; *tp != 0; tp++) { +- h2 = find_module(list, *tp); +- if (h2 != NULL) { +- TRACE_PREAUTH_CONFLICT(context, h->vt.name, h2->vt.name, *tp); ++ i = search_module_list(list, *tp); ++ if (i != -1) { ++ TRACE_PREAUTH_CONFLICT(context, h->vt.name, list[i]->vt.name, ++ *tp); + break; + } + } +@@ -164,7 +193,6 @@ k5_init_preauth_context(krb5_context context) + context->preauth_context = malloc(sizeof(*context->preauth_context)); + if (context->preauth_context == NULL) + goto cleanup; +- context->preauth_context->tried = NULL; + context->preauth_context->handles = list; + list = NULL; + +@@ -179,14 +207,14 @@ cleanup: + * AS-REP). + */ + void +-k5_reset_preauth_types_tried(krb5_context context) ++k5_reset_preauth_types_tried(krb5_init_creds_context ctx) + { +- krb5_preauth_context pctx = context->preauth_context; ++ krb5_preauth_req_context reqctx = ctx->preauth_reqctx; + +- if (pctx == NULL) ++ if (reqctx == NULL) + return; +- free(pctx->tried); +- pctx->tried = NULL; ++ free(reqctx->tried); ++ reqctx->tried = NULL; + } + + +@@ -200,7 +228,6 @@ k5_free_preauth_context(krb5_context context) + + if (pctx == NULL) + return; +- free(pctx->tried); + free_handles(context, pctx->handles); + free(pctx); + context->preauth_context = NULL; +@@ -209,10 +236,13 @@ k5_free_preauth_context(krb5_context context) + /* Initialize the per-AS-REQ context. This means calling the client_req_init + * function to give the plugin a chance to allocate a per-request context. */ + void +-k5_preauth_request_context_init(krb5_context context) ++k5_preauth_request_context_init(krb5_context context, ++ krb5_init_creds_context ctx) + { + krb5_preauth_context pctx = context->preauth_context; +- clpreauth_handle *hp, h; ++ clpreauth_handle h; ++ krb5_preauth_req_context reqctx; ++ size_t count, i; + + if (pctx == NULL) { + k5_init_preauth_context(context); +@@ -220,30 +250,50 @@ k5_preauth_request_context_init(krb5_context context) + if (pctx == NULL) + return; + } +- k5_reset_preauth_types_tried(context); +- for (hp = pctx->handles; *hp != NULL; hp++) { +- h = *hp; ++ ++ reqctx = calloc(1, sizeof(*reqctx)); ++ if (reqctx == NULL) ++ return; ++ reqctx->orig_context = context; ++ ++ /* Create an array of per-request module data objects corresponding to the ++ * preauth context's array of handles. */ ++ for (count = 0; pctx->handles[count] != NULL; count++); ++ reqctx->modreqs = calloc(count, sizeof(*reqctx->modreqs)); ++ for (i = 0; i < count; i++) { ++ h = pctx->handles[i]; + if (h->vt.request_init != NULL) +- h->vt.request_init(context, h->data, &h->req); ++ h->vt.request_init(context, h->data, &reqctx->modreqs[i]); + } ++ ctx->preauth_reqctx = reqctx; + } + + /* Free the per-AS-REQ context. This means clearing any request-specific + * context which the plugin may have created. */ + void +-k5_preauth_request_context_fini(krb5_context context) ++k5_preauth_request_context_fini(krb5_context context, ++ krb5_init_creds_context ctx) + { + krb5_preauth_context pctx = context->preauth_context; +- clpreauth_handle *hp, h; ++ krb5_preauth_req_context reqctx = ctx->preauth_reqctx; ++ size_t i; ++ clpreauth_handle h; + +- if (pctx == NULL) ++ if (reqctx == NULL) + return; +- for (hp = pctx->handles; *hp != NULL; hp++) { +- h = *hp; +- if (h->req != NULL && h->vt.request_fini != NULL) +- h->vt.request_fini(context, h->data, h->req); +- h->req = NULL; ++ if (reqctx->orig_context == context && pctx != NULL) { ++ for (i = 0; pctx->handles[i] != NULL; i++) { ++ h = pctx->handles[i]; ++ if (reqctx->modreqs[i] != NULL && h->vt.request_fini != NULL) ++ h->vt.request_fini(context, h->data, reqctx->modreqs[i]); ++ } ++ } else { ++ TRACE_PREAUTH_WRONG_CONTEXT(context); + } ++ free(reqctx->modreqs); ++ free(reqctx->tried); ++ free(reqctx); ++ ctx->preauth_reqctx = NULL; + } + + /* Return 1 if pa_type is a real preauthentication mechanism according to the +@@ -259,6 +309,7 @@ clpreauth_is_real(krb5_context context, clpreauth_handle h, + + static krb5_error_code + clpreauth_prep_questions(krb5_context context, clpreauth_handle h, ++ krb5_clpreauth_modreq modreq, + krb5_get_init_creds_opt *opt, + krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock, + krb5_kdc_req *req, krb5_data *req_body, +@@ -266,35 +317,35 @@ clpreauth_prep_questions(krb5_context context, clpreauth_handle h, + { + if (h->vt.prep_questions == NULL) + return 0; +- return h->vt.prep_questions(context, h->data, h->req, opt, cb, rock, req, ++ return h->vt.prep_questions(context, h->data, modreq, opt, cb, rock, req, + req_body, prev_req, pa_data); + } + + static krb5_error_code + clpreauth_process(krb5_context context, clpreauth_handle h, +- krb5_get_init_creds_opt *opt, krb5_clpreauth_callbacks cb, +- krb5_clpreauth_rock rock, krb5_kdc_req *req, +- krb5_data *req_body, krb5_data *prev_req, ++ krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt, ++ krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock, ++ krb5_kdc_req *req, krb5_data *req_body, krb5_data *prev_req, + krb5_pa_data *pa_data, krb5_prompter_fct prompter, + void *prompter_data, krb5_pa_data ***pa_data_out) + { +- return h->vt.process(context, h->data, h->req, opt, cb, rock, req, ++ return h->vt.process(context, h->data, modreq, opt, cb, rock, req, + req_body, prev_req, pa_data, prompter, prompter_data, + pa_data_out); + } + + static krb5_error_code + clpreauth_tryagain(krb5_context context, clpreauth_handle h, +- krb5_get_init_creds_opt *opt, krb5_clpreauth_callbacks cb, +- krb5_clpreauth_rock rock, krb5_kdc_req *req, +- krb5_data *req_body, krb5_data *prev_req, ++ krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt, ++ krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock, ++ krb5_kdc_req *req, krb5_data *req_body, krb5_data *prev_req, + krb5_preauthtype pa_type, krb5_error *error, + krb5_pa_data **error_padata, krb5_prompter_fct prompter, + void *prompter_data, krb5_pa_data ***pa_data_out) + { + if (h->vt.tryagain == NULL) + return 0; +- return h->vt.tryagain(context, h->data, h->req, opt, cb, rock, req, ++ return h->vt.tryagain(context, h->data, modreq, opt, cb, rock, req, + req_body, prev_req, pa_type, error, error_padata, + prompter, prompter_data, pa_data_out); + } +@@ -554,22 +605,22 @@ pa_type_allowed(krb5_init_creds_context ctx, krb5_preauthtype pa_type) + * types and return false. + */ + static krb5_boolean +-already_tried(krb5_context context, krb5_preauthtype pa_type) ++already_tried(krb5_init_creds_context ctx, krb5_preauthtype pa_type) + { +- krb5_preauth_context pctx = context->preauth_context; +- size_t count; ++ krb5_preauth_req_context reqctx = ctx->preauth_reqctx; ++ size_t i; + krb5_preauthtype *newptr; + +- for (count = 0; pctx->tried != NULL && pctx->tried[count] != 0; count++) { +- if (pctx->tried[count] == pa_type) ++ for (i = 0; reqctx->tried != NULL && reqctx->tried[i] != 0; i++) { ++ if (reqctx->tried[i] == pa_type) + return TRUE; + } +- newptr = realloc(pctx->tried, (count + 2) * sizeof(*newptr)); ++ newptr = realloc(reqctx->tried, (i + 2) * sizeof(*newptr)); + if (newptr == NULL) + return FALSE; +- pctx->tried = newptr; +- pctx->tried[count] = pa_type; +- pctx->tried[count + 1] = ENCTYPE_NULL; ++ reqctx->tried = newptr; ++ reqctx->tried[i] = pa_type; ++ reqctx->tried[i + 1] = ENCTYPE_NULL; + return FALSE; + } + +@@ -580,16 +631,13 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx, + krb5_pa_data ***out_pa_list, int *out_pa_list_size, + krb5_preauthtype *out_type) + { +- krb5_preauth_context pctx = context->preauth_context; + struct errinfo save = EMPTY_ERRINFO; + krb5_pa_data *pa, **pa_ptr, **mod_pa; + krb5_error_code ret = 0; ++ krb5_clpreauth_modreq modreq; + clpreauth_handle h; + int real, i; + +- if (pctx == NULL) +- return ENOENT; +- + /* Process all informational padata types, then the first real preauth type + * we succeed on. */ + for (real = 0; real <= 1; real++) { +@@ -598,17 +646,17 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx, + /* Restrict real mechanisms to the chosen one if we have one. */ + if (real && !pa_type_allowed(ctx, pa->pa_type)) + continue; +- h = find_module(pctx->handles, pa->pa_type); ++ h = find_module(context, ctx, pa->pa_type, &modreq); + if (h == NULL) + continue; + /* Make sure this type is for the current pass. */ + if (clpreauth_is_real(context, h, pa->pa_type) != real) + continue; + /* Only try a real mechanism once per authentication. */ +- if (real && already_tried(context, pa->pa_type)) ++ if (real && already_tried(ctx, pa->pa_type)) + continue; + mod_pa = NULL; +- ret = clpreauth_process(context, h, ctx->opt, &callbacks, ++ ret = clpreauth_process(context, h, modreq, ctx->opt, &callbacks, + (krb5_clpreauth_rock)ctx, ctx->request, + ctx->inner_request_body, + ctx->encoded_previous_request, pa, +@@ -858,24 +906,22 @@ krb5_error_code + k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, + krb5_pa_data **in_padata, krb5_pa_data ***padata_out) + { +- krb5_preauth_context pctx = context->preauth_context; + krb5_error_code ret; + krb5_pa_data **mod_pa; ++ krb5_clpreauth_modreq modreq; + clpreauth_handle h; + int i; + + *padata_out = NULL; +- if (pctx == NULL) +- return KRB5KRB_ERR_GENERIC; + + TRACE_PREAUTH_TRYAGAIN_INPUT(context, in_padata); + + for (i = 0; in_padata[i] != NULL; i++) { +- h = find_module(pctx->handles, in_padata[i]->pa_type); ++ h = find_module(context, ctx, in_padata[i]->pa_type, &modreq); + if (h == NULL) + continue; + mod_pa = NULL; +- ret = clpreauth_tryagain(context, h, ctx->opt, &callbacks, ++ ret = clpreauth_tryagain(context, h, modreq, ctx->opt, &callbacks, + (krb5_clpreauth_rock)ctx, ctx->request, + ctx->inner_request_body, + ctx->encoded_previous_request, +@@ -897,9 +943,9 @@ static krb5_error_code + fill_response_items(krb5_context context, krb5_init_creds_context ctx, + krb5_pa_data **in_padata) + { +- krb5_preauth_context pctx = context->preauth_context; + krb5_error_code ret; + krb5_pa_data *pa; ++ krb5_clpreauth_modreq modreq; + clpreauth_handle h; + int i; + +@@ -908,11 +954,11 @@ fill_response_items(krb5_context context, krb5_init_creds_context ctx, + pa = in_padata[i]; + if (!pa_type_allowed(ctx, pa->pa_type)) + continue; +- h = find_module(pctx->handles, pa->pa_type); ++ h = find_module(context, ctx, pa->pa_type, &modreq); + if (h == NULL) + continue; +- ret = clpreauth_prep_questions(context, h, ctx->opt, &callbacks, +- (krb5_clpreauth_rock)ctx, ++ ret = clpreauth_prep_questions(context, h, modreq, ctx->opt, ++ &callbacks, (krb5_clpreauth_rock)ctx, + ctx->request, ctx->inner_request_body, + ctx->encoded_previous_request, pa); + if (ret) diff --git a/SOURCES/Remove-nodes-option-from-make-certs-scripts.patch b/SOURCES/Remove-nodes-option-from-make-certs-scripts.patch new file mode 100644 index 0000000..93c0351 --- /dev/null +++ b/SOURCES/Remove-nodes-option-from-make-certs-scripts.patch @@ -0,0 +1,46 @@ +From 7e7719fcad9c0c5a14b4006989f5481dfbd78c3d Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 3 May 2018 14:40:45 -0400 +Subject: [PATCH] Remove "-nodes" option from make-certs scripts + +The openssl command does not recognize options after positional +arguments, so in "openssl genrsa $KEYSIZE -nodes", the "-nodes" was +ignored as a excess positional argument prior to OpenSSL 1.1.0h, and +now causes an error. "-nodes" is an option to the openssl req and +pkcs12 subcommands, but genrsa creates unencrypted keys by default. + +[ghudson@mit.edu: edited commit message] + +(cherry picked from commit 928a36aae326d496c9a73f2cd41b4da45eef577c) +(cherry picked from commit 83da5675551dba13fee837adc26ce885a061dbc1) +--- + src/tests/dejagnu/pkinit-certs/make-certs.sh | 2 +- + src/tests/dejagnu/proxy-certs/make-certs.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/dejagnu/pkinit-certs/make-certs.sh +index 23426af8a..fa937f449 100755 +--- a/src/tests/dejagnu/pkinit-certs/make-certs.sh ++++ b/src/tests/dejagnu/pkinit-certs/make-certs.sh +@@ -114,7 +114,7 @@ extendedKeyUsage = $CLIENT_EKU_LIST + EOF + + # Generate a private key. +-openssl genrsa $KEYSIZE -nodes > privkey.pem ++openssl genrsa $KEYSIZE > privkey.pem + openssl rsa -in privkey.pem -out privkey-enc.pem -des3 -passout pass:encrypted + + # Generate a "CA" certificate. +diff --git a/src/tests/dejagnu/proxy-certs/make-certs.sh b/src/tests/dejagnu/proxy-certs/make-certs.sh +index 1191bf05e..24ef91bde 100755 +--- a/src/tests/dejagnu/proxy-certs/make-certs.sh ++++ b/src/tests/dejagnu/proxy-certs/make-certs.sh +@@ -79,7 +79,7 @@ extendedKeyUsage = $PROXY_EKU_LIST + EOF + + # Generate a private key. +-openssl genrsa $KEYSIZE -nodes > privkey.pem ++openssl genrsa $KEYSIZE > privkey.pem + + # Generate a "CA" certificate. + SUBJECT=signer openssl req -config openssl.cnf -new -x509 -extensions exts_ca \ diff --git a/SOURCES/Remove-sent_nontrivial_preauth-field.patch b/SOURCES/Remove-sent_nontrivial_preauth-field.patch new file mode 100644 index 0000000..e5b0f89 --- /dev/null +++ b/SOURCES/Remove-sent_nontrivial_preauth-field.patch @@ -0,0 +1,56 @@ +From 34acacec560fa0bb1beeaf1f54d50e580747d731 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Mon, 16 Jan 2017 13:42:18 -0500 +Subject: [PATCH] Remove sent_nontrivial_preauth field + +In krb5_init_creds_context, the selected_preauth_type field subsumes +the need for sent_nontrivial_preauth. Use it instead. + +(cherry picked from commit 5fef7aa7e43e45d227f2d53c661a23c932caafca) +--- + src/lib/krb5/krb/get_in_tkt.c | 5 +---- + src/lib/krb5/krb/init_creds_ctx.h | 1 - + 2 files changed, 1 insertion(+), 5 deletions(-) + +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index 988fca233..48dc00ea6 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1359,8 +1359,6 @@ init_creds_step_request(krb5_context context, + krb5_free_data(context, ctx->encoded_previous_request); + ctx->encoded_previous_request = NULL; + } +- if (ctx->request->padata) +- ctx->sent_nontrivial_preauth = TRUE; + if (ctx->enc_pa_rep_permitted) { + code = add_padata(&ctx->request->padata, KRB5_ENCPADATA_REQ_ENC_PA_REP, + NULL, 0); +@@ -1485,7 +1483,7 @@ init_creds_step_reply(krb5_context context, + ctx->restarted = TRUE; + code = restart_init_creds_loop(context, ctx, TRUE); + } else if (!ctx->restarted && reply_code == KDC_ERR_PREAUTH_FAILED && +- !ctx->sent_nontrivial_preauth) { ++ ctx->selected_preauth_type == KRB5_PADATA_NONE) { + /* The KDC didn't like our informational padata (probably a pre-1.7 + * MIT krb5 KDC). Retry without it. */ + ctx->enc_pa_rep_permitted = FALSE; +@@ -1525,7 +1523,6 @@ init_creds_step_reply(krb5_context context, + goto cleanup; + /* Reset per-realm negotiation state. */ + ctx->restarted = FALSE; +- ctx->sent_nontrivial_preauth = FALSE; + ctx->enc_pa_rep_permitted = TRUE; + code = restart_init_creds_loop(context, ctx, FALSE); + } else { +diff --git a/src/lib/krb5/krb/init_creds_ctx.h b/src/lib/krb5/krb/init_creds_ctx.h +index a7cded942..8c8b7494b 100644 +--- a/src/lib/krb5/krb/init_creds_ctx.h ++++ b/src/lib/krb5/krb/init_creds_ctx.h +@@ -58,7 +58,6 @@ struct _krb5_init_creds_context { + krb5_enctype etype; + krb5_boolean enc_pa_rep_permitted; + krb5_boolean restarted; +- krb5_boolean sent_nontrivial_preauth; + krb5_boolean preauth_required; + struct krb5_responder_context_st rctx; + krb5_preauthtype selected_preauth_type; diff --git a/SOURCES/Return-UPN-SANs-as-strings.patch b/SOURCES/Return-UPN-SANs-as-strings.patch new file mode 100644 index 0000000..c11efd0 --- /dev/null +++ b/SOURCES/Return-UPN-SANs-as-strings.patch @@ -0,0 +1,204 @@ +From c7c702a9fee22a0f5173d94d8b1d5c2fac975f5c Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Thu, 22 Mar 2018 20:07:17 -0400 +Subject: [PATCH] Return UPN SANs as strings + +(cherry picked from commit fd3c824e3be56a1fa77d140fd7e93934bfd6e565) +--- + src/plugins/preauth/pkinit/pkinit_crypto.h | 4 +-- + .../preauth/pkinit/pkinit_crypto_openssl.c | 28 +++++++------------ + src/plugins/preauth/pkinit/pkinit_matching.c | 16 ++--------- + src/plugins/preauth/pkinit/pkinit_srv.c | 21 +++++++++----- + 4 files changed, 29 insertions(+), 40 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h +index c14f4456a..b6e4e0ac3 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto.h ++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +@@ -101,7 +101,7 @@ typedef struct _pkinit_cert_matching_data { + unsigned int ku_bits; /* key usage information */ + unsigned int eku_bits; /* extended key usage information */ + krb5_principal *sans; /* Null-terminated array of PKINIT SANs */ +- krb5_principal *upns; /* Null-terimnated array of UPN SANs */ ++ char **upns; /* Null-terimnated array of UPN SANs */ + } pkinit_cert_matching_data; + + /* +@@ -253,7 +253,7 @@ krb5_error_code crypto_retrieve_cert_sans + if non-NULL, a null-terminated array of + id-pkinit-san values found in the certificate + are returned */ +- krb5_principal **upn_sans, /* OUT ++ char ***upn_sans, /* OUT + if non-NULL, a null-terminated array of + id-ms-upn-san values found in the certificate + are returned */ +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index a38738f45..3f106973c 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -29,6 +29,7 @@ + * SUCH DAMAGES. + */ + ++#include "k5-int.h" + #include "pkinit_crypto_openssl.h" + #include "k5-buf.h" + #include +@@ -2095,15 +2096,14 @@ crypto_retrieve_X509_sans(krb5_context context, + pkinit_plg_crypto_context plgctx, + pkinit_req_crypto_context reqctx, + X509 *cert, +- krb5_principal **princs_ret, +- krb5_principal **upn_ret, ++ krb5_principal **princs_ret, char ***upn_ret, + unsigned char ***dns_ret) + { + krb5_error_code retval = EINVAL; + char buf[DN_BUF_LEN]; + int p = 0, u = 0, d = 0, ret = 0, l; + krb5_principal *princs = NULL; +- krb5_principal *upns = NULL; ++ char **upns = NULL; + unsigned char **dnss = NULL; + unsigned int i, num_found = 0, num_sans = 0; + X509_EXTENSION *ext = NULL; +@@ -2153,7 +2153,7 @@ crypto_retrieve_X509_sans(krb5_context context, + } + } + if (upn_ret != NULL) { +- upns = calloc(num_sans + 1, sizeof(krb5_principal)); ++ upns = calloc(num_sans + 1, sizeof(*upns)); + if (upns == NULL) { + retval = ENOMEM; + goto cleanup; +@@ -2196,16 +2196,9 @@ crypto_retrieve_X509_sans(krb5_context context, + /* Prevent abuse of embedded null characters. */ + if (memchr(name.data, '\0', name.length)) + break; +- ret = krb5_parse_name_flags(context, name.data, +- KRB5_PRINCIPAL_PARSE_ENTERPRISE, +- &upns[u]); +- if (ret) { +- pkiDebug("%s: failed parsing ms-upn san value\n", +- __FUNCTION__); +- } else { +- u++; +- num_found++; +- } ++ upns[u] = k5memdup0(name.data, name.length, &ret); ++ if (upns[u] == NULL) ++ goto cleanup; + } else { + pkiDebug("%s: unrecognized othername oid in SAN\n", + __FUNCTION__); +@@ -2257,7 +2250,7 @@ cleanup: + krb5_free_principal(context, princs[i]); + free(princs); + for (i = 0; upns != NULL && upns[i] != NULL; i++) +- krb5_free_principal(context, upns[i]); ++ free(upns[i]); + free(upns); + for (i = 0; dnss != NULL && dnss[i] != NULL; i++) + free(dnss[i]); +@@ -2281,8 +2274,7 @@ crypto_retrieve_cert_sans(krb5_context context, + pkinit_plg_crypto_context plgctx, + pkinit_req_crypto_context reqctx, + pkinit_identity_crypto_context idctx, +- krb5_principal **princs_ret, +- krb5_principal **upn_ret, ++ krb5_principal **princs_ret, char ***upn_ret, + unsigned char ***dns_ret) + { + krb5_error_code retval = EINVAL; +@@ -5111,7 +5103,7 @@ crypto_cert_free_matching_data(krb5_context context, + krb5_free_principal(context, md->sans[i]); + free(md->sans); + for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++) +- krb5_free_principal(context, md->upns[i]); ++ free(md->upns[i]); + free(md->upns); + free(md); + } +diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c +index fe1e0f386..d929fb3c0 100644 +--- a/src/plugins/preauth/pkinit/pkinit_matching.c ++++ b/src/plugins/preauth/pkinit/pkinit_matching.c +@@ -490,11 +490,7 @@ component_match(krb5_context context, + break; + } + for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++) { +- krb5_unparse_name_flags(context, md->upns[i], +- KRB5_PRINCIPAL_UNPARSE_NO_REALM, +- &princ_string); +- match = regexp_match(context, rc, princ_string); +- krb5_free_unparsed_name(context, princ_string); ++ match = regexp_match(context, rc, md->upns[i]); + if (match) + break; + } +@@ -584,14 +580,8 @@ check_all_certs(krb5_context context, + pkiDebug("%s: PKINIT san: '%s'\n", __FUNCTION__, san_string); + krb5_free_unparsed_name(context, san_string); + } +- for (j = 0; md->upns != NULL && md->upns[j] != NULL; j++) { +- char *san_string; +- krb5_unparse_name_flags(context, md->upns[j], +- KRB5_PRINCIPAL_UNPARSE_NO_REALM, +- &san_string); +- pkiDebug("%s: UPN san: '%s'\n", __FUNCTION__, san_string); +- krb5_free_unparsed_name(context, san_string); +- } ++ for (j = 0; md->upns != NULL && md->upns[j] != NULL; j++) ++ pkiDebug("%s: UPN san: '%s'\n", __FUNCTION__, md->upns[j]); + #endif + certs_checked++; + for (rc = rs->crs; rc != NULL; rc = rc->next) { +diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c +index 143d331a2..42ad45fe4 100644 +--- a/src/plugins/preauth/pkinit/pkinit_srv.c ++++ b/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -174,8 +174,9 @@ verify_client_san(krb5_context context, + int *valid_san) + { + krb5_error_code retval; +- krb5_principal *princs = NULL; +- krb5_principal *upns = NULL; ++ krb5_principal *princs = NULL, upn; ++ krb5_boolean match; ++ char **upns = NULL; + int i; + #ifdef DEBUG_SAN_INFO + char *client_string = NULL, *san_string; +@@ -251,12 +252,18 @@ verify_client_san(krb5_context context, + pkiDebug("%s: Checking upn sans\n", __FUNCTION__); + for (i = 0; upns[i] != NULL; i++) { + #ifdef DEBUG_SAN_INFO +- krb5_unparse_name(context, upns[i], &san_string); + pkiDebug("%s: Comparing client '%s' to upn san value '%s'\n", +- __FUNCTION__, client_string, san_string); +- krb5_free_unparsed_name(context, san_string); ++ __FUNCTION__, client_string, upns[i]); + #endif +- if (cb->match_client(context, rock, upns[i])) { ++ retval = krb5_parse_name_flags(context, upns[i], ++ KRB5_PRINCIPAL_PARSE_ENTERPRISE, &upn); ++ if (retval) { ++ /* XXX trace */ ++ continue; ++ } ++ match = cb->match_client(context, rock, upn); ++ krb5_free_principal(context, upn); ++ if (match) { + TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(context); + *valid_san = 1; + retval = 0; +@@ -282,7 +289,7 @@ out: + } + if (upns != NULL) { + for (i = 0; upns[i] != NULL; i++) +- krb5_free_principal(context, upns[i]); ++ free(upns[i]); + free(upns); + } + #ifdef DEBUG_SAN_INFO diff --git a/SOURCES/Save-SANs-separately-and-unparse-them-with-NO_REALM.patch b/SOURCES/Save-SANs-separately-and-unparse-them-with-NO_REALM.patch new file mode 100644 index 0000000..0502aa1 --- /dev/null +++ b/SOURCES/Save-SANs-separately-and-unparse-them-with-NO_REALM.patch @@ -0,0 +1,148 @@ +From 38692624d6e2f23309f6652c98dd04b0af37308c Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Thu, 22 Mar 2018 19:46:22 -0400 +Subject: [PATCH] Save SANs separately and unparse them with NO_REALM + +(cherry picked from commit 23ea8d6a9617d17ae5a529c23174d77adac39055) +--- + src/plugins/preauth/pkinit/pkinit_crypto.h | 4 +- + .../preauth/pkinit/pkinit_crypto_openssl.c | 37 ++----------------- + src/plugins/preauth/pkinit/pkinit_matching.c | 30 +++++++++++---- + 3 files changed, 28 insertions(+), 43 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h +index a0176acad..c14f4456a 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto.h ++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +@@ -100,8 +100,8 @@ typedef struct _pkinit_cert_matching_data { + char *issuer_dn; /* rfc2253-style issuer name string */ + unsigned int ku_bits; /* key usage information */ + unsigned int eku_bits; /* extended key usage information */ +- krb5_principal *sans; /* Null-terminated array of subject alternative +- name info (pkinit and ms-upn) */ ++ krb5_principal *sans; /* Null-terminated array of PKINIT SANs */ ++ krb5_principal *upns; /* Null-terimnated array of UPN SANs */ + } pkinit_cert_matching_data; + + /* +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 1eb273808..a38738f45 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -5110,6 +5110,9 @@ crypto_cert_free_matching_data(krb5_context context, + for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++) + krb5_free_principal(context, md->sans[i]); + free(md->sans); ++ for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++) ++ krb5_free_principal(context, md->upns[i]); ++ free(md->upns); + free(md); + } + +@@ -5138,8 +5141,6 @@ get_matching_data(krb5_context context, + { + krb5_error_code ret = ENOMEM; + pkinit_cert_matching_data *md = NULL; +- krb5_principal *pkinit_sans = NULL, *upn_sans = NULL; +- size_t i, j; + + *md_out = NULL; + +@@ -5156,40 +5157,10 @@ get_matching_data(krb5_context context, + + /* Get the SAN data. */ + ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx, +- cert, &pkinit_sans, &upn_sans, NULL); ++ cert, &md->sans, &md->upns, NULL); + if (ret) + goto cleanup; + +- j = 0; +- if (pkinit_sans != NULL) { +- for (i = 0; pkinit_sans[i] != NULL; i++) +- j++; +- } +- if (upn_sans != NULL) { +- for (i = 0; upn_sans[i] != NULL; i++) +- j++; +- } +- if (j != 0) { +- md->sans = calloc((size_t)j+1, sizeof(*md->sans)); +- if (md->sans == NULL) { +- ret = ENOMEM; +- goto cleanup; +- } +- j = 0; +- if (pkinit_sans != NULL) { +- for (i = 0; pkinit_sans[i] != NULL; i++) +- md->sans[j++] = pkinit_sans[i]; +- free(pkinit_sans); +- } +- if (upn_sans != NULL) { +- for (i = 0; upn_sans[i] != NULL; i++) +- md->sans[j++] = upn_sans[i]; +- free(upn_sans); +- } +- md->sans[j] = NULL; +- } else +- md->sans = NULL; +- + /* Get the KU and EKU data. */ + ret = crypto_retrieve_X509_key_usage(context, plg_cryptoctx, + req_cryptoctx, cert, &md->ku_bits, +diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c +index d6775dc4f..fe1e0f386 100644 +--- a/src/plugins/preauth/pkinit/pkinit_matching.c ++++ b/src/plugins/preauth/pkinit/pkinit_matching.c +@@ -470,7 +470,6 @@ component_match(krb5_context context, + { + int match = 0; + int i; +- krb5_principal p; + char *princ_string; + + switch (rc->kwval_type) { +@@ -483,10 +482,17 @@ component_match(krb5_context context, + match = regexp_match(context, rc, md->issuer_dn); + break; + case kw_san: +- if (md->sans == NULL) +- break; +- for (i = 0, p = md->sans[i]; p != NULL; p = md->sans[++i]) { +- krb5_unparse_name(context, p, &princ_string); ++ for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++) { ++ krb5_unparse_name(context, md->sans[i], &princ_string); ++ match = regexp_match(context, rc, princ_string); ++ krb5_free_unparsed_name(context, princ_string); ++ if (match) ++ break; ++ } ++ for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++) { ++ krb5_unparse_name_flags(context, md->upns[i], ++ KRB5_PRINCIPAL_UNPARSE_NO_REALM, ++ &princ_string); + match = regexp_match(context, rc, princ_string); + krb5_free_unparsed_name(context, princ_string); + if (match) +@@ -572,10 +578,18 @@ check_all_certs(krb5_context context, + pkiDebug("%s: subject: '%s'\n", __FUNCTION__, md->subject_dn); + #if 0 + pkiDebug("%s: issuer: '%s'\n", __FUNCTION__, md->subject_dn); +- for (j = 0, p = md->sans[j]; p != NULL; p = md->sans[++j]) { ++ for (j = 0; md->sans != NULL && md->sans[j] != NULL; j++) { + char *san_string; +- krb5_unparse_name(context, p, &san_string); +- pkiDebug("%s: san: '%s'\n", __FUNCTION__, san_string); ++ krb5_unparse_name(context, md->sans[j], &san_string); ++ pkiDebug("%s: PKINIT san: '%s'\n", __FUNCTION__, san_string); ++ krb5_free_unparsed_name(context, san_string); ++ } ++ for (j = 0; md->upns != NULL && md->upns[j] != NULL; j++) { ++ char *san_string; ++ krb5_unparse_name_flags(context, md->upns[j], ++ KRB5_PRINCIPAL_UNPARSE_NO_REALM, ++ &san_string); ++ pkiDebug("%s: UPN san: '%s'\n", __FUNCTION__, san_string); + krb5_free_unparsed_name(context, san_string); + } + #endif diff --git a/SOURCES/Simplify-PKINIT-cert-iteration-and-selection.patch b/SOURCES/Simplify-PKINIT-cert-iteration-and-selection.patch new file mode 100644 index 0000000..4804c65 --- /dev/null +++ b/SOURCES/Simplify-PKINIT-cert-iteration-and-selection.patch @@ -0,0 +1,843 @@ +From 68c478bbc5a130bf4cc800b856da73b2fd5e83ed Mon Sep 17 00:00:00 2001 +From: Matt Rogers +Date: Tue, 21 Mar 2017 21:24:14 -0400 +Subject: [PATCH] Simplify PKINIT cert iteration and selection + +Remove the pkinit_cert_handle structures and iteration functions used +during certificate matching. Instead, make pkinit_matching.c obtain a +list of matching data objects from the crypto code, and then select a +cert based on the index into that list. + +Also fix a typo in the name of crypto_retrieve_X509_key_usage(). + +[ghudson@mit.edu: simplified code] + +(cherry picked from commit 01b1c0e26252a00f2215408b0e473b84aa0f6a87) +--- + src/plugins/preauth/pkinit/pkinit_crypto.h | 75 +--- + .../preauth/pkinit/pkinit_crypto_openssl.c | 383 +++++++----------- + .../preauth/pkinit/pkinit_crypto_openssl.h | 19 - + src/plugins/preauth/pkinit/pkinit_matching.c | 139 +------ + 4 files changed, 194 insertions(+), 422 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h +index 49b96b8ee..a0176acad 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto.h ++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +@@ -96,7 +96,6 @@ typedef struct _pkinit_cert_iter_info *pkinit_cert_iter_handle; + #define PKINIT_ITER_NO_MORE 0x11111111 /* XXX */ + + typedef struct _pkinit_cert_matching_data { +- pkinit_cert_handle ch; /* cert handle for this certificate */ + char *subject_dn; /* rfc2253-style subject name string */ + char *issuer_dn; /* rfc2253-style issuer name string */ + unsigned int ku_bits; /* key usage information */ +@@ -458,68 +457,38 @@ krb5_error_code crypto_free_cert_info + + + /* +- * Get number of certificates available after crypto_load_certs() ++ * Get a null-terminated list of certificate matching data objects for the ++ * certificates loaded in id_cryptoctx. + */ +-krb5_error_code crypto_cert_get_count +- (krb5_context context, /* IN */ +- pkinit_plg_crypto_context plg_cryptoctx, /* IN */ +- pkinit_req_crypto_context req_cryptoctx, /* IN */ +- pkinit_identity_crypto_context id_cryptoctx, /* IN */ +- int *cert_count); /* OUT */ ++krb5_error_code ++crypto_cert_get_matching_data(krb5_context context, ++ pkinit_plg_crypto_context plg_cryptoctx, ++ pkinit_req_crypto_context req_cryptoctx, ++ pkinit_identity_crypto_context id_cryptoctx, ++ pkinit_cert_matching_data ***md_out); + + /* +- * Begin iteration over the certs loaded in crypto_load_certs() ++ * Free a matching data object. + */ +-krb5_error_code crypto_cert_iteration_begin +- (krb5_context context, /* IN */ +- pkinit_plg_crypto_context plg_cryptoctx, /* IN */ +- pkinit_req_crypto_context req_cryptoctx, /* IN */ +- pkinit_identity_crypto_context id_cryptoctx, /* IN */ +- pkinit_cert_iter_handle *iter_handle); /* OUT */ ++void ++crypto_cert_free_matching_data(krb5_context context, ++ pkinit_cert_matching_data *md); + + /* +- * End iteration over the certs loaded in crypto_load_certs() ++ * Free a list of matching data objects. + */ +-krb5_error_code crypto_cert_iteration_end +- (krb5_context context, /* IN */ +- pkinit_cert_iter_handle iter_handle); /* IN */ ++void ++crypto_cert_free_matching_data_list(krb5_context context, ++ pkinit_cert_matching_data **matchdata); + + /* +- * Get next certificate handle ++ * Choose one of the certificates loaded in idctx to use for PKINIT client ++ * operations. cred_index must be an index into the array of matching objects ++ * returned by crypto_cert_get_matching_data(). + */ +-krb5_error_code crypto_cert_iteration_next +- (krb5_context context, /* IN */ +- pkinit_cert_iter_handle iter_handle, /* IN */ +- pkinit_cert_handle *cert_handle); /* OUT */ +- +-/* +- * Release cert handle +- */ +-krb5_error_code crypto_cert_release +- (krb5_context context, /* IN */ +- pkinit_cert_handle cert_handle); /* IN */ +- +-/* +- * Get certificate matching information +- */ +-krb5_error_code crypto_cert_get_matching_data +- (krb5_context context, /* IN */ +- pkinit_cert_handle cert_handle, /* IN */ +- pkinit_cert_matching_data **ret_data); /* OUT */ +- +-/* +- * Free certificate information +- */ +-krb5_error_code crypto_cert_free_matching_data +- (krb5_context context, /* IN */ +- pkinit_cert_matching_data *data); /* IN */ +- +-/* +- * Make the given certificate "the chosen one" +- */ +-krb5_error_code crypto_cert_select +- (krb5_context context, /* IN */ +- pkinit_cert_matching_data *data); /* IN */ ++krb5_error_code ++crypto_cert_select(krb5_context context, pkinit_identity_crypto_context idctx, ++ size_t cred_index); + + /* + * Select the default certificate as "the chosen one" +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 6a95f8035..b243dca30 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -4974,136 +4974,16 @@ cleanup: + return retval; + } + +-/* +- * Get number of certificates available after crypto_load_certs() +- */ +-krb5_error_code +-crypto_cert_get_count(krb5_context context, +- pkinit_plg_crypto_context plg_cryptoctx, +- pkinit_req_crypto_context req_cryptoctx, +- pkinit_identity_crypto_context id_cryptoctx, +- int *cert_count) +-{ +- int count; +- +- if (id_cryptoctx == NULL || id_cryptoctx->creds[0] == NULL) +- return EINVAL; +- +- for (count = 0; +- count <= MAX_CREDS_ALLOWED && id_cryptoctx->creds[count] != NULL; +- count++); +- *cert_count = count; +- return 0; +-} +- +- +-/* +- * Begin iteration over the certs loaded in crypto_load_certs() +- */ +-krb5_error_code +-crypto_cert_iteration_begin(krb5_context context, +- pkinit_plg_crypto_context plg_cryptoctx, +- pkinit_req_crypto_context req_cryptoctx, +- pkinit_identity_crypto_context id_cryptoctx, +- pkinit_cert_iter_handle *ih_ret) +-{ +- struct _pkinit_cert_iter_data *id; +- +- if (id_cryptoctx == NULL || ih_ret == NULL) +- return EINVAL; +- if (id_cryptoctx->creds[0] == NULL) /* No cred info available */ +- return ENOENT; +- +- id = calloc(1, sizeof(*id)); +- if (id == NULL) +- return ENOMEM; +- id->magic = ITER_MAGIC; +- id->plgctx = plg_cryptoctx, +- id->reqctx = req_cryptoctx, +- id->idctx = id_cryptoctx; +- id->index = 0; +- *ih_ret = (pkinit_cert_iter_handle) id; +- return 0; +-} +- +-/* +- * End iteration over the certs loaded in crypto_load_certs() +- */ +-krb5_error_code +-crypto_cert_iteration_end(krb5_context context, +- pkinit_cert_iter_handle ih) +-{ +- struct _pkinit_cert_iter_data *id = (struct _pkinit_cert_iter_data *)ih; +- +- if (id == NULL || id->magic != ITER_MAGIC) +- return EINVAL; +- free(ih); +- return 0; +-} +- +-/* +- * Get next certificate handle +- */ +-krb5_error_code +-crypto_cert_iteration_next(krb5_context context, +- pkinit_cert_iter_handle ih, +- pkinit_cert_handle *ch_ret) +-{ +- struct _pkinit_cert_iter_data *id = (struct _pkinit_cert_iter_data *)ih; +- struct _pkinit_cert_data *cd; +- pkinit_identity_crypto_context id_cryptoctx; +- +- if (id == NULL || id->magic != ITER_MAGIC) +- return EINVAL; +- +- if (ch_ret == NULL) +- return EINVAL; +- +- id_cryptoctx = id->idctx; +- if (id_cryptoctx == NULL) +- return EINVAL; +- +- if (id_cryptoctx->creds[id->index] == NULL) +- return PKINIT_ITER_NO_MORE; +- +- cd = calloc(1, sizeof(*cd)); +- if (cd == NULL) +- return ENOMEM; +- +- cd->magic = CERT_MAGIC; +- cd->plgctx = id->plgctx; +- cd->reqctx = id->reqctx; +- cd->idctx = id->idctx; +- cd->index = id->index; +- cd->cred = id_cryptoctx->creds[id->index++]; +- *ch_ret = (pkinit_cert_handle)cd; +- return 0; +-} +- +-/* +- * Release cert handle +- */ +-krb5_error_code +-crypto_cert_release(krb5_context context, +- pkinit_cert_handle ch) +-{ +- struct _pkinit_cert_data *cd = (struct _pkinit_cert_data *)ch; +- if (cd == NULL || cd->magic != CERT_MAGIC) +- return EINVAL; +- free(cd); +- return 0; +-} +- + /* + * Get certificate Key Usage and Extended Key Usage + */ + static krb5_error_code +-crypto_retieve_X509_key_usage(krb5_context context, +- pkinit_plg_crypto_context plgcctx, +- pkinit_req_crypto_context reqcctx, +- X509 *x, +- unsigned int *ret_ku_bits, +- unsigned int *ret_eku_bits) ++crypto_retrieve_X509_key_usage(krb5_context context, ++ pkinit_plg_crypto_context plgcctx, ++ pkinit_req_crypto_context reqcctx, ++ X509 *x, ++ unsigned int *ret_ku_bits, ++ unsigned int *ret_eku_bits) + { + krb5_error_code retval = 0; + int i; +@@ -5202,55 +5082,99 @@ X509_NAME_oneline_ex(X509_NAME * a, + } + + /* +- * Get certificate information ++ * Get number of certificates available after crypto_load_certs() + */ +-krb5_error_code +-crypto_cert_get_matching_data(krb5_context context, +- pkinit_cert_handle ch, +- pkinit_cert_matching_data **ret_md) ++static krb5_error_code ++crypto_cert_get_count(pkinit_identity_crypto_context id_cryptoctx, ++ int *cert_count) + { +- krb5_error_code retval; +- pkinit_cert_matching_data *md; +- krb5_principal *pkinit_sans =NULL, *upn_sans = NULL; +- struct _pkinit_cert_data *cd = (struct _pkinit_cert_data *)ch; +- unsigned int i, j; ++ int count; ++ ++ *cert_count = 0; ++ if (id_cryptoctx == NULL || id_cryptoctx->creds[0] == NULL) ++ return EINVAL; ++ ++ for (count = 0; ++ count <= MAX_CREDS_ALLOWED && id_cryptoctx->creds[count] != NULL; ++ count++); ++ *cert_count = count; ++ return 0; ++} ++ ++void ++crypto_cert_free_matching_data(krb5_context context, ++ pkinit_cert_matching_data *md) ++{ ++ int i; ++ ++ if (md == NULL) ++ return; ++ free(md->subject_dn); ++ free(md->issuer_dn); ++ for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++) ++ krb5_free_principal(context, md->sans[i]); ++ free(md->sans); ++ free(md); ++} ++ ++/* ++ * Free certificate matching data. ++ */ ++void ++crypto_cert_free_matching_data_list(krb5_context context, ++ pkinit_cert_matching_data **list) ++{ ++ int i; ++ ++ for (i = 0; list != NULL && list[i] != NULL; i++) ++ crypto_cert_free_matching_data(context, list[i]); ++ free(list); ++} ++ ++/* ++ * Get certificate matching data for cert. ++ */ ++static krb5_error_code ++get_matching_data(krb5_context context, ++ pkinit_plg_crypto_context plg_cryptoctx, ++ pkinit_req_crypto_context req_cryptoctx, X509 *cert, ++ pkinit_cert_matching_data **md_out) ++{ ++ krb5_error_code ret = ENOMEM; ++ pkinit_cert_matching_data *md = NULL; ++ krb5_principal *pkinit_sans = NULL, *upn_sans = NULL; ++ size_t i, j; + char buf[DN_BUF_LEN]; + unsigned int bufsize = sizeof(buf); + +- if (cd == NULL || cd->magic != CERT_MAGIC) +- return EINVAL; +- if (ret_md == NULL) +- return EINVAL; ++ *md_out = NULL; + + md = calloc(1, sizeof(*md)); + if (md == NULL) +- return ENOMEM; ++ goto cleanup; + +- md->ch = ch; +- +- /* get the subject name (in rfc2253 format) */ +- X509_NAME_oneline_ex(X509_get_subject_name(cd->cred->cert), +- buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS); ++ /* Get the subject name (in rfc2253 format). */ ++ X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize, ++ XN_FLAG_SEP_COMMA_PLUS); + md->subject_dn = strdup(buf); + if (md->subject_dn == NULL) { +- retval = ENOMEM; ++ ret = ENOMEM; + goto cleanup; + } + +- /* get the issuer name (in rfc2253 format) */ +- X509_NAME_oneline_ex(X509_get_issuer_name(cd->cred->cert), +- buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS); ++ /* Get the issuer name (in rfc2253 format). */ ++ X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize, ++ XN_FLAG_SEP_COMMA_PLUS); + md->issuer_dn = strdup(buf); + if (md->issuer_dn == NULL) { +- retval = ENOMEM; ++ ret = ENOMEM; + goto cleanup; + } + +- /* get the san data */ +- retval = crypto_retrieve_X509_sans(context, cd->plgctx, cd->reqctx, +- cd->cred->cert, &pkinit_sans, +- &upn_sans, NULL); +- if (retval) ++ /* Get the SAN data. */ ++ ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx, ++ cert, &pkinit_sans, &upn_sans, NULL); ++ if (ret) + goto cleanup; + + j = 0; +@@ -5265,7 +5189,7 @@ crypto_cert_get_matching_data(krb5_context context, + if (j != 0) { + md->sans = calloc((size_t)j+1, sizeof(*md->sans)); + if (md->sans == NULL) { +- retval = ENOMEM; ++ ret = ENOMEM; + goto cleanup; + } + j = 0; +@@ -5283,88 +5207,96 @@ crypto_cert_get_matching_data(krb5_context context, + } else + md->sans = NULL; + +- /* get the KU and EKU data */ +- +- retval = crypto_retieve_X509_key_usage(context, cd->plgctx, cd->reqctx, +- cd->cred->cert, +- &md->ku_bits, &md->eku_bits); +- if (retval) ++ /* Get the KU and EKU data. */ ++ ret = crypto_retrieve_X509_key_usage(context, plg_cryptoctx, ++ req_cryptoctx, cert, &md->ku_bits, ++ &md->eku_bits); ++ if (ret) + goto cleanup; + +- *ret_md = md; +- retval = 0; ++ *md_out = md; ++ md = NULL; ++ + cleanup: +- if (retval) { +- if (md) +- crypto_cert_free_matching_data(context, md); ++ crypto_cert_free_matching_data(context, md); ++ return ret; ++} ++ ++krb5_error_code ++crypto_cert_get_matching_data(krb5_context context, ++ pkinit_plg_crypto_context plg_cryptoctx, ++ pkinit_req_crypto_context req_cryptoctx, ++ pkinit_identity_crypto_context id_cryptoctx, ++ pkinit_cert_matching_data ***md_out) ++{ ++ krb5_error_code ret; ++ pkinit_cert_matching_data **md_list = NULL; ++ int count, i; ++ ++ ret = crypto_cert_get_count(id_cryptoctx, &count); ++ if (ret) ++ goto cleanup; ++ ++ md_list = calloc(count + 1, sizeof(*md_list)); ++ if (md_list == NULL) { ++ ret = ENOMEM; ++ goto cleanup; + } +- return retval; ++ ++ for (i = 0; i < count; i++) { ++ ret = get_matching_data(context, plg_cryptoctx, req_cryptoctx, ++ id_cryptoctx->creds[i]->cert, &md_list[i]); ++ if (ret) { ++ pkiDebug("%s: crypto_cert_get_matching_data error %d, %s\n", ++ __FUNCTION__, ret, error_message(ret)); ++ goto cleanup; ++ } ++ } ++ ++ *md_out = md_list; ++ md_list = NULL; ++ ++cleanup: ++ crypto_cert_free_matching_data_list(context, md_list); ++ return ret; + } + + /* +- * Free certificate information ++ * Set the certificate in idctx->creds[cred_index] as the selected certificate. + */ + krb5_error_code +-crypto_cert_free_matching_data(krb5_context context, +- pkinit_cert_matching_data *md) ++crypto_cert_select(krb5_context context, pkinit_identity_crypto_context idctx, ++ size_t cred_index) + { +- krb5_principal p; +- int i; ++ pkinit_cred_info ci = NULL; + +- if (md == NULL) +- return EINVAL; +- if (md->subject_dn) +- free(md->subject_dn); +- if (md->issuer_dn) +- free(md->issuer_dn); +- if (md->sans) { +- for (i = 0, p = md->sans[i]; p != NULL; p = md->sans[++i]) +- krb5_free_principal(context, p); +- free(md->sans); +- } +- free(md); +- return 0; +-} +- +-/* +- * Make this matching certificate "the chosen one" +- */ +-krb5_error_code +-crypto_cert_select(krb5_context context, +- pkinit_cert_matching_data *md) +-{ +- struct _pkinit_cert_data *cd; +- if (md == NULL) +- return EINVAL; +- +- cd = (struct _pkinit_cert_data *)md->ch; +- if (cd == NULL || cd->magic != CERT_MAGIC) +- return EINVAL; ++ if (cred_index >= MAX_CREDS_ALLOWED || idctx->creds[cred_index] == NULL) ++ return ENOENT; + ++ ci = idctx->creds[cred_index]; + /* copy the selected cert into our id_cryptoctx */ +- if (cd->idctx->my_certs != NULL) { +- sk_X509_pop_free(cd->idctx->my_certs, X509_free); +- } +- cd->idctx->my_certs = sk_X509_new_null(); +- sk_X509_push(cd->idctx->my_certs, cd->cred->cert); +- free(cd->idctx->identity); ++ if (idctx->my_certs != NULL) ++ sk_X509_pop_free(idctx->my_certs, X509_free); ++ idctx->my_certs = sk_X509_new_null(); ++ sk_X509_push(idctx->my_certs, ci->cert); ++ free(idctx->identity); + /* hang on to the selected credential name */ +- if (cd->idctx->creds[cd->index]->name != NULL) +- cd->idctx->identity = strdup(cd->idctx->creds[cd->index]->name); ++ if (ci->name != NULL) ++ idctx->identity = strdup(ci->name); + else +- cd->idctx->identity = NULL; +- cd->idctx->creds[cd->index]->cert = NULL; /* Don't free it twice */ +- cd->idctx->cert_index = 0; ++ idctx->identity = NULL; + +- if (cd->idctx->pkcs11_method != 1) { +- cd->idctx->my_key = cd->cred->key; +- cd->idctx->creds[cd->index]->key = NULL; /* Don't free it twice */ ++ ci->cert = NULL; /* Don't free it twice */ ++ idctx->cert_index = 0; ++ if (idctx->pkcs11_method != 1) { ++ idctx->my_key = ci->key; ++ ci->key = NULL; /* Don't free it twice */ + } + #ifndef WITHOUT_PKCS11 + else { +- cd->idctx->cert_id = cd->cred->cert_id; +- cd->idctx->creds[cd->index]->cert_id = NULL; /* Don't free it twice */ +- cd->idctx->cert_id_len = cd->cred->cert_id_len; ++ idctx->cert_id = ci->cert_id; ++ ci->cert_id = NULL; /* Don't free it twice */ ++ idctx->cert_id_len = ci->cert_id_len; + } + #endif + return 0; +@@ -5380,15 +5312,12 @@ crypto_cert_select_default(krb5_context context, + pkinit_identity_crypto_context id_cryptoctx) + { + krb5_error_code retval; +- int cert_count = 0; ++ int cert_count; + +- retval = crypto_cert_get_count(context, plg_cryptoctx, req_cryptoctx, +- id_cryptoctx, &cert_count); +- if (retval) { +- pkiDebug("%s: crypto_cert_get_count error %d, %s\n", +- __FUNCTION__, retval, error_message(retval)); ++ retval = crypto_cert_get_count(id_cryptoctx, &cert_count); ++ if (retval) + goto errout; +- } ++ + if (cert_count != 1) { + TRACE_PKINIT_NO_DEFAULT_CERT(context, cert_count); + retval = EINVAL; +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h +index 2fe357c5e..7411348fa 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h +@@ -115,23 +115,4 @@ struct _pkinit_req_crypto_context { + DH *dh; + }; + +-#define CERT_MAGIC 0x53534c43 +-struct _pkinit_cert_data { +- unsigned int magic; +- pkinit_plg_crypto_context plgctx; +- pkinit_req_crypto_context reqctx; +- pkinit_identity_crypto_context idctx; +- pkinit_cred_info cred; +- unsigned int index; /* Index of this cred in the creds[] array */ +-}; +- +-#define ITER_MAGIC 0x53534c49 +-struct _pkinit_cert_iter_data { +- unsigned int magic; +- pkinit_plg_crypto_context plgctx; +- pkinit_req_crypto_context reqctx; +- pkinit_identity_crypto_context idctx; +- unsigned int index; +-}; +- + #endif /* _PKINIT_CRYPTO_OPENSSL_H */ +diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c +index cad4c2b9a..d6775dc4f 100644 +--- a/src/plugins/preauth/pkinit/pkinit_matching.c ++++ b/src/plugins/preauth/pkinit/pkinit_matching.c +@@ -544,7 +544,7 @@ check_all_certs(krb5_context context, + rule_set *rs, /* rule to check */ + pkinit_cert_matching_data **matchdata, + int *match_found, +- pkinit_cert_matching_data **matching_cert) ++ size_t *match_index) + { + krb5_error_code retval; + pkinit_cert_matching_data *md; +@@ -553,12 +553,12 @@ check_all_certs(krb5_context context, + int total_cert_matches = 0; + rule_component *rc; + int certs_checked = 0; +- pkinit_cert_matching_data *save_match = NULL; ++ size_t save_index = 0; + +- if (match_found == NULL || matching_cert == NULL) ++ if (match_found == NULL || match_index == NULL) + return EINVAL; + +- *matching_cert = NULL; ++ *match_index = 0; + *match_found = 0; + + pkiDebug("%s: matching rule relation is %s with %d components\n", +@@ -590,7 +590,7 @@ check_all_certs(krb5_context context, + pkiDebug("%s: cert matches rule (OR relation)\n", + __FUNCTION__); + total_cert_matches++; +- save_match = md; ++ save_index = i; + goto nextcert; + } + if (!comp_match && rs->relation == relation_and) { +@@ -602,7 +602,7 @@ check_all_certs(krb5_context context, + if (rc == NULL && comp_match) { + pkiDebug("%s: cert matches rule (AND relation)\n", __FUNCTION__); + total_cert_matches++; +- save_match = md; ++ save_index = i; + } + nextcert: + continue; +@@ -611,7 +611,7 @@ check_all_certs(krb5_context context, + __FUNCTION__, certs_checked, total_cert_matches); + if (total_cert_matches == 1) { + *match_found = 1; +- *matching_cert = save_match; ++ *match_index = save_index; + } + + retval = 0; +@@ -621,111 +621,6 @@ check_all_certs(krb5_context context, + return retval; + } + +-static krb5_error_code +-free_all_cert_matching_data(krb5_context context, +- pkinit_cert_matching_data **matchdata) +-{ +- krb5_error_code retval; +- pkinit_cert_matching_data *md; +- int i; +- +- if (matchdata == NULL) +- return EINVAL; +- +- for (i = 0, md = matchdata[i]; md != NULL; md = matchdata[++i]) { +- pkinit_cert_handle ch = md->ch; +- retval = crypto_cert_free_matching_data(context, md); +- if (retval) { +- pkiDebug("%s: crypto_cert_free_matching_data error %d, %s\n", +- __FUNCTION__, retval, error_message(retval)); +- goto cleanup; +- } +- retval = crypto_cert_release(context, ch); +- if (retval) { +- pkiDebug("%s: crypto_cert_release error %d, %s\n", +- __FUNCTION__, retval, error_message(retval)); +- goto cleanup; +- } +- } +- free(matchdata); +- retval = 0; +- +-cleanup: +- return retval; +-} +- +-static krb5_error_code +-obtain_all_cert_matching_data(krb5_context context, +- pkinit_plg_crypto_context plg_cryptoctx, +- pkinit_req_crypto_context req_cryptoctx, +- pkinit_identity_crypto_context id_cryptoctx, +- pkinit_cert_matching_data ***all_matching_data) +-{ +- krb5_error_code retval; +- int i, cert_count; +- pkinit_cert_iter_handle ih = NULL; +- pkinit_cert_handle ch; +- pkinit_cert_matching_data **matchdata = NULL; +- +- retval = crypto_cert_get_count(context, plg_cryptoctx, req_cryptoctx, +- id_cryptoctx, &cert_count); +- if (retval) { +- pkiDebug("%s: crypto_cert_get_count error %d, %s\n", +- __FUNCTION__, retval, error_message(retval)); +- goto cleanup; +- } +- +- pkiDebug("%s: crypto_cert_get_count says there are %d certs\n", +- __FUNCTION__, cert_count); +- +- matchdata = calloc((size_t)cert_count + 1, sizeof(*matchdata)); +- if (matchdata == NULL) +- return ENOMEM; +- +- retval = crypto_cert_iteration_begin(context, plg_cryptoctx, req_cryptoctx, +- id_cryptoctx, &ih); +- if (retval) { +- pkiDebug("%s: crypto_cert_iteration_begin returned %d, %s\n", +- __FUNCTION__, retval, error_message(retval)); +- goto cleanup; +- } +- +- for (i = 0; i < cert_count; i++) { +- retval = crypto_cert_iteration_next(context, ih, &ch); +- if (retval) { +- if (retval == PKINIT_ITER_NO_MORE) +- pkiDebug("%s: We thought there were %d certs, but " +- "crypto_cert_iteration_next stopped after %d?\n", +- __FUNCTION__, cert_count, i); +- else +- pkiDebug("%s: crypto_cert_iteration_next error %d, %s\n", +- __FUNCTION__, retval, error_message(retval)); +- goto cleanup; +- } +- +- retval = crypto_cert_get_matching_data(context, ch, &matchdata[i]); +- if (retval) { +- pkiDebug("%s: crypto_cert_get_matching_data error %d, %s\n", +- __FUNCTION__, retval, error_message(retval)); +- goto cleanup; +- } +- +- } +- +- *all_matching_data = matchdata; +- retval = 0; +-cleanup: +- if (ih != NULL) +- crypto_cert_iteration_end(context, ih); +- if (retval) { +- if (matchdata != NULL) +- free_all_cert_matching_data(context, matchdata); +- } +- pkiDebug("%s: returning %d, certinfo %p\n", +- __FUNCTION__, retval, *all_matching_data); +- return retval; +-} +- + krb5_error_code + pkinit_cert_matching(krb5_context context, + pkinit_plg_crypto_context plg_cryptoctx, +@@ -740,7 +635,7 @@ pkinit_cert_matching(krb5_context context, + rule_set *rs = NULL; + int match_found = 0; + pkinit_cert_matching_data **matchdata = NULL; +- pkinit_cert_matching_data *the_matching_cert = NULL; ++ size_t match_index = 0; + + /* If no matching rules, select the default cert and we're done */ + pkinit_libdefault_strings(context, krb5_princ_realm(context, princ), +@@ -777,7 +672,7 @@ pkinit_cert_matching(krb5_context context, + * until we are done. + */ + if (matchdata == NULL) { +- retval = obtain_all_cert_matching_data(context, plg_cryptoctx, ++ retval = crypto_cert_get_matching_data(context, plg_cryptoctx, + req_cryptoctx, id_cryptoctx, + &matchdata); + if (retval || matchdata == NULL) { +@@ -790,7 +685,7 @@ pkinit_cert_matching(krb5_context context, + + retval = check_all_certs(context, plg_cryptoctx, req_cryptoctx, + id_cryptoctx, princ, rs, matchdata, +- &match_found, &the_matching_cert); ++ &match_found, &match_index); + if (retval) { + pkiDebug("%s: Error %d, checking certs against rule '%s'\n", + __FUNCTION__, retval, rules[x]); +@@ -803,9 +698,9 @@ pkinit_cert_matching(krb5_context context, + } + } + +- if (match_found && the_matching_cert != NULL) { ++ if (match_found) { + pkiDebug("%s: Selecting the matching cert!\n", __FUNCTION__); +- retval = crypto_cert_select(context, the_matching_cert); ++ retval = crypto_cert_select(context, id_cryptoctx, match_index); + if (retval) { + pkiDebug("%s: crypto_cert_select error %d, %s\n", + __FUNCTION__, retval, error_message(retval)); +@@ -818,12 +713,10 @@ pkinit_cert_matching(krb5_context context, + } + + retval = 0; ++ + cleanup: +- if (rules != NULL) +- profile_free_list(rules); +- if (rs != NULL) +- free_rule_set(context, rs); +- if (matchdata != NULL) +- free_all_cert_matching_data(context, matchdata); ++ profile_free_list(rules); ++ free_rule_set(context, rs); ++ crypto_cert_free_matching_data_list(context, matchdata); + return retval; + } diff --git a/SOURCES/Simplify-k5_preauth_tryagain.patch b/SOURCES/Simplify-k5_preauth_tryagain.patch new file mode 100644 index 0000000..fe716dd --- /dev/null +++ b/SOURCES/Simplify-k5_preauth_tryagain.patch @@ -0,0 +1,182 @@ +From 9b525f2406da57eb7a064fc56398a41e2680999a Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Fri, 13 Jan 2017 20:45:48 -0500 +Subject: [PATCH] Simplify k5_preauth_tryagain() + +When retrying pre-authentication for an error, try only the module for +the selected preauth type, not all preauth types in the original +method data. Pass the error and its padata to k5_preauth_tryagain() +explicitly, so that those fields of krb5_init_creds_context are only +referenced in get_in_tkt.c. Handle a degenerate case in +init_creds_step_reply() to simplify the code in +init_creds_step_request(). + +ticket: 8537 +(cherry picked from commit 27628e5d9d5e6fcfa73276106edbd8149d134dc0) +--- + src/include/k5-trace.h | 7 ++-- + src/lib/krb5/krb/get_in_tkt.c | 20 ++++------- + src/lib/krb5/krb/int-proto.h | 3 +- + src/lib/krb5/krb/preauth2.c | 64 +++++++++++++++++++---------------- + 4 files changed, 48 insertions(+), 46 deletions(-) + +diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h +index f44f162d3..814da3195 100644 +--- a/src/include/k5-trace.h ++++ b/src/include/k5-trace.h +@@ -287,8 +287,11 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); + #define TRACE_PREAUTH_SKIP(c, name, patype) \ + TRACE(c, "Skipping previously used preauth module {str} ({int})", \ + name, (int) patype) +-#define TRACE_PREAUTH_TRYAGAIN_INPUT(c, padata) \ +- TRACE(c, "Preauth tryagain input types: {patypes}", padata) ++#define TRACE_PREAUTH_TRYAGAIN_INPUT(c, patype, padata) \ ++ TRACE(c, "Preauth tryagain input types ({int}): {patypes}", patype, padata) ++#define TRACE_PREAUTH_TRYAGAIN(c, name, patype, code) \ ++ TRACE(c, "Preauth module {str} ({int}) tryagain returned: {kerr}", \ ++ name, (int)patype, code) + #define TRACE_PREAUTH_TRYAGAIN_OUTPUT(c, padata) \ + TRACE(c, "Followup preauth for next request: {patypes}", padata) + #define TRACE_PREAUTH_WRONG_CONTEXT(c) \ +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index da12204ac..988fca233 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1340,17 +1340,11 @@ init_creds_step_request(krb5_context context, + if (code != 0) + goto cleanup; + } else { +- if (ctx->preauth_to_use != NULL) { +- /* +- * Retry after an error other than PREAUTH_NEEDED, +- * using ctx->err_padata to figure out what to change. +- */ +- code = k5_preauth_tryagain(context, ctx, ctx->preauth_to_use, +- &ctx->request->padata); +- } else { +- /* No preauth supplied, so can't query the plugins. */ +- code = KRB5KRB_ERR_GENERIC; +- } ++ /* Retry after an error other than PREAUTH_NEEDED, using error padata ++ * to figure out what to change. */ ++ code = k5_preauth_tryagain(context, ctx, ctx->selected_preauth_type, ++ ctx->err_reply, ctx->err_padata, ++ &ctx->request->padata); + if (code != 0) { + /* couldn't come up with anything better */ + code = ctx->err_reply->error + ERROR_TABLE_BASE_krb5; +@@ -1535,10 +1529,10 @@ init_creds_step_reply(krb5_context context, + ctx->enc_pa_rep_permitted = TRUE; + code = restart_init_creds_loop(context, ctx, FALSE); + } else { +- if (retry) { ++ if (retry && ctx->selected_preauth_type != KRB5_PADATA_NONE) { + code = 0; + } else { +- /* error + no hints = give up */ ++ /* error + no hints (or no preauth mech) = give up */ + code = (krb5_error_code)reply_code + ERROR_TABLE_BASE_krb5; + } + } +diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h +index 628f0baa8..8903df232 100644 +--- a/src/lib/krb5/krb/int-proto.h ++++ b/src/lib/krb5/krb/int-proto.h +@@ -185,7 +185,8 @@ k5_preauth(krb5_context context, krb5_init_creds_context ctx, + + krb5_error_code + k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, +- krb5_pa_data **in_padata, krb5_pa_data ***padata_out); ++ krb5_preauthtype pa_type, krb5_error *err, ++ krb5_pa_data **err_padata, krb5_pa_data ***padata_out); + + void + k5_init_preauth_context(krb5_context context); +diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c +index cfe3dd5b0..354234a93 100644 +--- a/src/lib/krb5/krb/preauth2.c ++++ b/src/lib/krb5/krb/preauth2.c +@@ -911,49 +911,53 @@ add_s4u_x509_user_padata(krb5_context context, krb5_s4u_userid *userid, + } + + /* +- * If one of the modules can adjust its AS_REQ data using the contents of the +- * err_reply, return 0. If it's the sort of correction which requires that we +- * ask the user another question, we let the calling application deal with it. ++ * If the module for pa_type can adjust its AS_REQ data using the contents of ++ * err and err_padata, return 0 with *padata_out set to a padata list for the ++ * next request. If it's the sort of correction which requires that we ask the ++ * user another question, we let the calling application deal with it. + */ + krb5_error_code + k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, +- krb5_pa_data **in_padata, krb5_pa_data ***padata_out) ++ krb5_preauthtype pa_type, krb5_error *err, ++ krb5_pa_data **err_padata, krb5_pa_data ***padata_out) + { + krb5_error_code ret; + krb5_pa_data **mod_pa; + krb5_clpreauth_modreq modreq; + clpreauth_handle h; +- int i, count; ++ int count; + + *padata_out = NULL; + +- TRACE_PREAUTH_TRYAGAIN_INPUT(context, in_padata); ++ TRACE_PREAUTH_TRYAGAIN_INPUT(context, pa_type, err_padata); + +- for (i = 0; in_padata[i] != NULL; i++) { +- h = find_module(context, ctx, in_padata[i]->pa_type, &modreq); +- if (h == NULL) +- continue; +- mod_pa = NULL; +- ret = clpreauth_tryagain(context, h, modreq, ctx->opt, &callbacks, +- (krb5_clpreauth_rock)ctx, ctx->request, +- ctx->inner_request_body, +- ctx->encoded_previous_request, +- in_padata[i]->pa_type, +- ctx->err_reply, ctx->err_padata, +- ctx->prompter, ctx->prompter_data, &mod_pa); +- if (ret == 0 && mod_pa != NULL) { +- for (count = 0; mod_pa[count] != NULL; count++); +- ret = copy_cookie(context, ctx->err_padata, &mod_pa, &count); +- if (ret) { +- krb5_free_pa_data(context, mod_pa); +- return ret; +- } +- TRACE_PREAUTH_TRYAGAIN_OUTPUT(context, mod_pa); +- *padata_out = mod_pa; +- return 0; +- } ++ h = find_module(context, ctx, pa_type, &modreq); ++ if (h == NULL) ++ return KRB5KRB_ERR_GENERIC; ++ mod_pa = NULL; ++ ret = clpreauth_tryagain(context, h, modreq, ctx->opt, &callbacks, ++ (krb5_clpreauth_rock)ctx, ctx->request, ++ ctx->inner_request_body, ++ ctx->encoded_previous_request, pa_type, err, ++ err_padata, ctx->prompter, ctx->prompter_data, ++ &mod_pa); ++ TRACE_PREAUTH_TRYAGAIN(context, h->vt.name, pa_type, ret); ++ if (!ret && mod_pa == NULL) ++ ret = KRB5KRB_ERR_GENERIC; ++ if (ret) ++ return ret; ++ ++ ++ for (count = 0; mod_pa[count] != NULL; count++); ++ ret = copy_cookie(context, err_padata, &mod_pa, &count); ++ if (ret) { ++ krb5_free_pa_data(context, mod_pa); ++ return ret; + } +- return KRB5KRB_ERR_GENERIC; ++ ++ TRACE_PREAUTH_TRYAGAIN_OUTPUT(context, mod_pa); ++ *padata_out = mod_pa; ++ return 0; + } + + /* Compile the set of response items for in_padata by invoke each module's diff --git a/SOURCES/Track-preauth-failures-instead-of-tries.patch b/SOURCES/Track-preauth-failures-instead-of-tries.patch new file mode 100644 index 0000000..3ef2750 --- /dev/null +++ b/SOURCES/Track-preauth-failures-instead-of-tries.patch @@ -0,0 +1,189 @@ +From 4a8e9b806ce2fc1234504498fc54f36dd8b482f8 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Fri, 13 Jan 2017 12:16:04 -0500 +Subject: [PATCH] Track preauth failures instead of tries + +In preauth2.c, instead of noting whenever we try a real preauth mech, +note when a mechanism fails on our side. Tracking only failures +eliminates the need to reset the list for multi-step preauth exchanges +or for processing padata in the AS-REP, but we will need the function +later for continuing after optimistic preauth failures. + +ticket: 8537 +(cherry picked from commit a1dc81d22304e77edaa8388c7d7d75cade81dc80) +--- + src/lib/krb5/krb/get_in_tkt.c | 3 -- + src/lib/krb5/krb/int-proto.h | 3 ++ + src/lib/krb5/krb/preauth2.c | 65 ++++++++++++++++++++--------------- + 3 files changed, 40 insertions(+), 31 deletions(-) + +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index 48dc00ea6..bc903b6e9 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1496,8 +1496,6 @@ init_creds_step_reply(krb5_context context, + code = restart_init_creds_loop(context, ctx, FALSE); + } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED || + reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) { +- /* reset the list of preauth types to try */ +- k5_reset_preauth_types_tried(ctx); + krb5_free_pa_data(context, ctx->preauth_to_use); + ctx->preauth_to_use = ctx->err_padata; + ctx->err_padata = NULL; +@@ -1547,7 +1545,6 @@ init_creds_step_reply(krb5_context context, + goto cleanup; + + /* process any preauth data in the as_reply */ +- k5_reset_preauth_types_tried(ctx); + code = krb5int_fast_process_response(context, ctx->fast_state, + ctx->reply, &strengthen_key); + if (code != 0) +diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h +index 8903df232..41a69c207 100644 +--- a/src/lib/krb5/krb/int-proto.h ++++ b/src/lib/krb5/krb/int-proto.h +@@ -197,6 +197,9 @@ k5_free_preauth_context(krb5_context context); + void + k5_reset_preauth_types_tried(krb5_init_creds_context ctx); + ++krb5_error_code ++k5_preauth_note_failed(krb5_init_creds_context ctx, krb5_preauthtype pa_type); ++ + void + k5_preauth_prepare_request(krb5_context context, krb5_get_init_creds_opt *opt, + krb5_kdc_req *request); +diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c +index 354234a93..17f2133b1 100644 +--- a/src/lib/krb5/krb/preauth2.c ++++ b/src/lib/krb5/krb/preauth2.c +@@ -54,7 +54,7 @@ struct krb5_preauth_context_st { + + struct krb5_preauth_req_context_st { + krb5_context orig_context; +- krb5_preauthtype *tried; ++ krb5_preauthtype *failed; + krb5_clpreauth_modreq *modreqs; + }; + +@@ -201,11 +201,7 @@ cleanup: + free_handles(context, list); + } + +-/* +- * Reset the memory of which preauth types we have already tried, because we +- * are entering a new phase of padata processing (such as the padata in an +- * AS-REP). +- */ ++/* Reset the memory of which preauth types we have already tried. */ + void + k5_reset_preauth_types_tried(krb5_init_creds_context ctx) + { +@@ -213,10 +209,27 @@ k5_reset_preauth_types_tried(krb5_init_creds_context ctx) + + if (reqctx == NULL) + return; +- free(reqctx->tried); +- reqctx->tried = NULL; ++ free(reqctx->failed); ++ reqctx->failed = NULL; + } + ++/* Add pa_type to the list of types which has previously failed. */ ++krb5_error_code ++k5_preauth_note_failed(krb5_init_creds_context ctx, krb5_preauthtype pa_type) ++{ ++ krb5_preauth_req_context reqctx = ctx->preauth_reqctx; ++ krb5_preauthtype *newptr; ++ size_t i; ++ ++ for (i = 0; reqctx->failed != NULL && reqctx->failed[i] != 0; i++); ++ newptr = realloc(reqctx->failed, (i + 2) * sizeof(*newptr)); ++ if (newptr == NULL) ++ return ENOMEM; ++ reqctx->failed = newptr; ++ reqctx->failed[i] = pa_type; ++ reqctx->failed[i + 1] = 0; ++ return 0; ++} + + /* Free the per-krb5_context preauth_context. This means clearing any + * plugin-specific context which may have been created, and then +@@ -291,7 +304,7 @@ k5_preauth_request_context_fini(krb5_context context, + TRACE_PREAUTH_WRONG_CONTEXT(context); + } + free(reqctx->modreqs); +- free(reqctx->tried); ++ free(reqctx->failed); + free(reqctx); + ctx->preauth_reqctx = NULL; + } +@@ -612,28 +625,17 @@ pa_type_allowed(krb5_init_creds_context ctx, krb5_preauthtype pa_type) + pa_type == ctx->allowed_preauth_type; + } + +-/* +- * If pa_type has already been tried as a real preauth type for this +- * authentication, return true. Otherwise ass pa_type to the list of tried +- * types and return false. +- */ ++/* Return true if pa_type previously failed during this authentication. */ + static krb5_boolean +-already_tried(krb5_init_creds_context ctx, krb5_preauthtype pa_type) ++previously_failed(krb5_init_creds_context ctx, krb5_preauthtype pa_type) + { + krb5_preauth_req_context reqctx = ctx->preauth_reqctx; + size_t i; +- krb5_preauthtype *newptr; + +- for (i = 0; reqctx->tried != NULL && reqctx->tried[i] != 0; i++) { +- if (reqctx->tried[i] == pa_type) ++ for (i = 0; reqctx->failed != NULL && reqctx->failed[i] != 0; i++) { ++ if (reqctx->failed[i] == pa_type) + return TRUE; + } +- newptr = realloc(reqctx->tried, (i + 2) * sizeof(*newptr)); +- if (newptr == NULL) +- return FALSE; +- reqctx->tried = newptr; +- reqctx->tried[i] = pa_type; +- reqctx->tried[i + 1] = ENCTYPE_NULL; + return FALSE; + } + +@@ -665,8 +667,8 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx, + /* Make sure this type is for the current pass. */ + if (clpreauth_is_real(context, h, pa->pa_type) != real) + continue; +- /* Only try a real mechanism once per authentication. */ +- if (real && already_tried(ctx, pa->pa_type)) ++ /* Don't try a real mechanism again after failure. */ ++ if (real && previously_failed(ctx, pa->pa_type)) + continue; + mod_pa = NULL; + ret = clpreauth_process(context, h, modreq, ctx->opt, &callbacks, +@@ -694,6 +696,12 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx, + /* Save the first error we get from a real preauth type. */ + k5_save_ctx_error(context, ret, &save); + } ++ if (real && ret) { ++ /* Don't try this mechanism again for this authentication. */ ++ ret = k5_preauth_note_failed(ctx, pa->pa_type); ++ if (ret) ++ goto cleanup; ++ } + } + } + +@@ -944,9 +952,10 @@ k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, + TRACE_PREAUTH_TRYAGAIN(context, h->vt.name, pa_type, ret); + if (!ret && mod_pa == NULL) + ret = KRB5KRB_ERR_GENERIC; +- if (ret) ++ if (ret) { ++ k5_preauth_note_failed(ctx, pa_type); + return ret; +- ++ } + + for (count = 0; mod_pa[count] != NULL; count++); + ret = copy_cookie(context, err_padata, &mod_pa, &count); diff --git a/SOURCES/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch b/SOURCES/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch new file mode 100644 index 0000000..21766ce --- /dev/null +++ b/SOURCES/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch @@ -0,0 +1,53 @@ +From ec9660539473b0fe00974b6ef30078e0f3c0041f Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 10 Jul 2018 16:17:15 -0400 +Subject: [PATCH] Use SHA-256 instead of MD5 for audit ticket IDs + +ticket: 8711 (new) +(cherry picked from commit c1e1bfa26bd2f045e88e6013c500fca9428c98f3) +--- + src/kdc/kdc_audit.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/src/kdc/kdc_audit.c b/src/kdc/kdc_audit.c +index c9a7f9f9d..f40913dc8 100644 +--- a/src/kdc/kdc_audit.c ++++ b/src/kdc/kdc_audit.c +@@ -146,7 +146,7 @@ kau_make_tkt_id(krb5_context context, + { + krb5_error_code ret = 0; + char *hash = NULL, *ptr; +- krb5_checksum cksum; ++ uint8_t hashbytes[K5_SHA256_HASHLEN]; + unsigned int i; + + *out = NULL; +@@ -154,19 +154,18 @@ kau_make_tkt_id(krb5_context context, + if (ticket == NULL) + return EINVAL; + +- ret = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, NULL, 0, +- &ticket->enc_part.ciphertext, &cksum); ++ ret = k5_sha256(&ticket->enc_part.ciphertext, 1, hashbytes); + if (ret) + return ret; + +- hash = k5alloc(cksum.length * 2 + 1, &ret); +- if (hash != NULL) { +- for (i = 0, ptr = hash; i < cksum.length; i++, ptr += 2) +- snprintf(ptr, 3, "%02X", cksum.contents[i]); +- *ptr = '\0'; +- *out = hash; +- } +- krb5_free_checksum_contents(context, &cksum); ++ hash = k5alloc(sizeof(hashbytes) * 2 + 1, &ret); ++ if (hash == NULL) ++ return ret; ++ ++ for (i = 0, ptr = hash; i < sizeof(hashbytes); i++, ptr += 2) ++ snprintf(ptr, 3, "%02X", hashbytes[i]); ++ *ptr = '\0'; ++ *out = hash; + + return 0; + } diff --git a/SOURCES/kadmin.service b/SOURCES/kadmin.service index ede159e..018a14e 100644 --- a/SOURCES/kadmin.service +++ b/SOURCES/kadmin.service @@ -1,6 +1,7 @@ [Unit] Description=Kerberos 5 Password-changing and Administration -After=syslog.target network.target +Wants=network-online.target +After=syslog.target network.target network-online.target [Service] Type=forking diff --git a/SOURCES/kprop.service b/SOURCES/kprop.service index da6a6b8..5903bd1 100644 --- a/SOURCES/kprop.service +++ b/SOURCES/kprop.service @@ -1,6 +1,7 @@ [Unit] Description=Kerberos 5 Propagation -After=syslog.target network.target +Wants=network-online.target +After=syslog.target network.target network-online.target [Service] Type=forking diff --git a/SOURCES/krb5-1.12-ktany.patch b/SOURCES/krb5-1.12-ktany.patch index a518ebf..d7fe63a 100644 --- a/SOURCES/krb5-1.12-ktany.patch +++ b/SOURCES/krb5-1.12-ktany.patch @@ -5,7 +5,7 @@ Subject: [PATCH] krb5-1.12-ktany.patch --- src/lib/krb5/keytab/Makefile.in | 3 + - src/lib/krb5/keytab/kt_any.c | 292 ++++++++++++++++++++++++++++++++++++++++ + src/lib/krb5/keytab/kt_any.c | 292 ++++++++++++++++++++++++++++++++ src/lib/krb5/keytab/ktbase.c | 7 +- 3 files changed, 301 insertions(+), 1 deletion(-) create mode 100644 src/lib/krb5/keytab/kt_any.c diff --git a/SOURCES/krb5-1.12.1-pam.patch b/SOURCES/krb5-1.12.1-pam.patch index 87eeec9..9ea8088 100644 --- a/SOURCES/krb5-1.12.1-pam.patch +++ b/SOURCES/krb5-1.12.1-pam.patch @@ -4,11 +4,11 @@ Date: Mon, 18 Apr 2016 15:57:38 -0400 Subject: [PATCH] krb5-1.12.1-pam.patch --- - src/aclocal.m4 | 67 ++++++++ + src/aclocal.m4 | 67 +++++++ src/clients/ksu/Makefile.in | 8 +- - src/clients/ksu/main.c | 88 +++++++++- - src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++++++++++ - src/clients/ksu/pam.h | 57 +++++++ + src/clients/ksu/main.c | 88 +++++++- + src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++ + src/clients/ksu/pam.h | 57 ++++++ src/configure.in | 2 + 6 files changed, 608 insertions(+), 3 deletions(-) create mode 100644 src/clients/ksu/pam.c diff --git a/SOURCES/krb5-1.13-dirsrv-accountlock.patch b/SOURCES/krb5-1.13-dirsrv-accountlock.patch index 1c7182a..4ef1afa 100644 --- a/SOURCES/krb5-1.13-dirsrv-accountlock.patch +++ b/SOURCES/krb5-1.13-dirsrv-accountlock.patch @@ -4,9 +4,9 @@ Date: Fri, 22 Apr 2016 10:01:15 -0400 Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch --- - src/aclocal.m4 | 9 +++++++++ - src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++ - src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c | 3 +++ + src/aclocal.m4 | 9 +++++++++ + src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++ + .../kdb/ldap/libkdb_ldap/ldap_principal.c | 3 +++ 3 files changed, 29 insertions(+) diff --git a/src/aclocal.m4 b/src/aclocal.m4 diff --git a/SOURCES/krb5-1.15-beta1-selinux-label.patch b/SOURCES/krb5-1.15-beta1-selinux-label.patch index 0e79ce9..2a11b20 100644 --- a/SOURCES/krb5-1.15-beta1-selinux-label.patch +++ b/SOURCES/krb5-1.15-beta1-selinux-label.patch @@ -4,31 +4,31 @@ Date: Wed, 4 Jan 2017 13:17:28 -0500 Subject: [PATCH] krb5-1.15-beta1-selinux-label.patch --- - src/aclocal.m4 | 49 +++ - src/build-tools/krb5-config.in | 3 +- - src/config/pre.in | 3 +- - src/configure.in | 2 + - src/include/k5-int.h | 1 + - src/include/k5-label.h | 32 ++ - src/include/krb5/krb5.hin | 6 + - src/kadmin/dbutil/dump.c | 11 +- - src/kdc/main.c | 2 +- - src/lib/kadm5/logger.c | 4 +- - src/lib/kdb/kdb_log.c | 2 +- - src/lib/krb5/ccache/cc_dir.c | 26 +- - src/lib/krb5/keytab/kt_file.c | 4 +- - src/lib/krb5/os/trace.c | 2 +- - src/lib/krb5/rcache/rc_dfl.c | 13 + - src/plugins/kdb/db2/adb_openclose.c | 2 +- - src/plugins/kdb/db2/kdb_db2.c | 4 +- - src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +- - src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +- - src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +- - .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +- - src/slave/kpropd.c | 9 + - src/util/profile/prof_file.c | 3 +- - src/util/support/Makefile.in | 3 +- - src/util/support/selinux.c | 406 +++++++++++++++++++++ + src/aclocal.m4 | 49 +++ + src/build-tools/krb5-config.in | 3 +- + src/config/pre.in | 3 +- + src/configure.in | 2 + + src/include/k5-int.h | 1 + + src/include/k5-label.h | 32 ++ + src/include/krb5/krb5.hin | 6 + + src/kadmin/dbutil/dump.c | 11 +- + src/kdc/main.c | 2 +- + src/lib/kadm5/logger.c | 4 +- + src/lib/kdb/kdb_log.c | 2 +- + src/lib/krb5/ccache/cc_dir.c | 26 +- + src/lib/krb5/keytab/kt_file.c | 4 +- + src/lib/krb5/os/trace.c | 2 +- + src/lib/krb5/rcache/rc_dfl.c | 13 + + src/plugins/kdb/db2/adb_openclose.c | 2 +- + src/plugins/kdb/db2/kdb_db2.c | 4 +- + src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +- + src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +- + src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +- + .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +- + src/slave/kpropd.c | 9 + + src/util/profile/prof_file.c | 3 +- + src/util/support/Makefile.in | 3 +- + src/util/support/selinux.c | 406 ++++++++++++++++++ 25 files changed, 587 insertions(+), 21 deletions(-) create mode 100644 src/include/k5-label.h create mode 100644 src/util/support/selinux.c diff --git a/SOURCES/krb5.conf b/SOURCES/krb5.conf index 77d794a..c5fa3cf 100644 --- a/SOURCES/krb5.conf +++ b/SOURCES/krb5.conf @@ -12,6 +12,7 @@ includedir /etc/krb5.conf.d/ renew_lifetime = 7d forwardable = true rdns = false + pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt # default_realm = EXAMPLE.COM [realms] diff --git a/SOURCES/krb5kdc.service b/SOURCES/krb5kdc.service index bc49204..806b062 100644 --- a/SOURCES/krb5kdc.service +++ b/SOURCES/krb5kdc.service @@ -1,6 +1,7 @@ [Unit] Description=Kerberos 5 KDC -After=syslog.target network.target +Wants=network-online.target +After=syslog.target network.target network-online.target [Service] Type=forking diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec index 5ea0c61..9e84678 100644 --- a/SPECS/krb5.spec +++ b/SPECS/krb5.spec @@ -12,7 +12,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.15.1 -Release: 19%{?dist} +Release: 34%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar @@ -89,6 +89,39 @@ Patch174: Fix-certauth-built-in-module-returns.patch Patch175: Add-test-cert-with-no-extensions.patch Patch176: Expose-context-errors-in-pkinit_server_plugin_init.patch Patch177: Limit-ticket-lifetime-to-2-31-1-seconds.patch +Patch178: Fix-hex-conversion-of-PKINIT-certid-strings.patch +Patch179: Simplify-PKINIT-cert-iteration-and-selection.patch +Patch180: Fix-PKINIT-cert-matching-data-construction.patch +Patch181: Save-SANs-separately-and-unparse-them-with-NO_REALM.patch +Patch182: Return-UPN-SANs-as-strings.patch +Patch183: Fix-segfault-in-finish_dispatch.patch +Patch184: Fix-flaws-in-LDAP-DN-checking.patch +Patch185: Merge-duplicate-subsections-in-profile-library.patch +Patch186: Continue-after-KRB5_CC_END-in-KCM-cache-iteration.patch +Patch187: Exit-with-status-0-from-kadmind.patch +Patch188: Ignore-dotfiles-in-profile-includedir.patch +Patch189: Add-k5_dir_filenames-to-libkrb5support.patch +Patch190: Process-profile-includedir-in-sorted-order.patch +Patch191: Add-German-translation.patch +Patch192: Remove-nodes-option-from-make-certs-scripts.patch +Patch193: Make-krb5_preauth_context-a-pointer-type.patch +Patch194: Properly-scope-per-request-preauth-data.patch +Patch195: Add-tests-for-per-request-preauth-data-scoping.patch +Patch196: Document-and-check-init_creds-context-requirement.patch +Patch197: Add-test-case-for-PKINIT-DH-renegotiation.patch +Patch198: Echo-KDC-cookies-in-preauth-tryagain.patch +Patch199: Adjust-processing-of-pa_type-ccache-config.patch +Patch200: Simplify-k5_preauth_tryagain.patch +Patch201: Remove-sent_nontrivial_preauth-field.patch +Patch202: Track-preauth-failures-instead-of-tries.patch +Patch203: Preserve-method-data-in-get_in_tkt.c.patch +Patch204: Continue-preauth-after-client-side-failures.patch +Patch205: Continue-after-KDC_ERR_PREAUTH_FAILED.patch +Patch206: Add-test-cases-for-preauth-fallback-behavior.patch +Patch207: Include-preauth-name-in-trace-output-if-possible.patch +Patch208: Add-vector-support-to-k5_sha256.patch +Patch209: Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch +Patch210: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -311,6 +344,39 @@ ONLY by kerberos itself. Do not depend on this package. %patch175 -p1 -b .Add-test-cert-with-no-extensions %patch176 -p1 -b .Expose-context-errors-in-pkinit_server_plugin_init %patch177 -p1 -b .Limit-ticket-lifetime-to-2-31-1-seconds +%patch178 -p1 -b .Fix-hex-conversion-of-PKINIT-certid-strings +%patch179 -p1 -b .Simplify-PKINIT-cert-iteration-and-selection +%patch180 -p1 -b .Fix-PKINIT-cert-matching-data-construction +%patch181 -p1 -b .Save-SANs-separately-and-unparse-them-with-NO_REALM +%patch182 -p1 -b .Return-UPN-SANs-as-strings +%patch183 -p1 -b .Fix-segfault-in-finish_dispatch +%patch184 -p1 -b .Fix-flaws-in-LDAP-DN-checking +%patch185 -p1 -b .Merge-duplicate-subsections-in-profile-library +%patch186 -p1 -b .Continue-after-KRB5_CC_END-in-KCM-cache-iteration +%patch187 -p1 -b .Exit-with-status-0-from-kadmind +%patch188 -p1 -b .Ignore-dotfiles-in-profile-includedir +%patch189 -p1 -b .Add-k5_dir_filenames-to-libkrb5support +%patch190 -p1 -b .Process-profile-includedir-in-sorted-order +%patch191 -p1 -b .Add-German-translation +%patch192 -p1 -b .Remove-nodes-option-from-make-certs-scripts +%patch193 -p1 -b .Make-krb5_preauth_context-a-pointer-type +%patch194 -p1 -b .Properly-scope-per-request-preauth-data +%patch195 -p1 -b .Add-tests-for-per-request-preauth-data-scoping +%patch196 -p1 -b .Document-and-check-init_creds-context-requirement +%patch197 -p1 -b .Add-test-case-for-PKINIT-DH-renegotiation +%patch198 -p1 -b .Echo-KDC-cookies-in-preauth-tryagain +%patch199 -p1 -b .Adjust-processing-of-pa_type-ccache-config +%patch200 -p1 -b .Simplify-k5_preauth_tryagain +%patch201 -p1 -b .Remove-sent_nontrivial_preauth-field +%patch202 -p1 -b .Track-preauth-failures-instead-of-tries +%patch203 -p1 -b .Preserve-method-data-in-get_in_tkt.c +%patch204 -p1 -b .Continue-preauth-after-client-side-failures +%patch205 -p1 -b .Continue-after-KDC_ERR_PREAUTH_FAILED +%patch206 -p1 -b .Add-test-cases-for-preauth-fallback-behavior +%patch207 -p1 -b .Include-preauth-name-in-trace-output-if-possible +%patch208 -p1 -b .Add-vector-support-to-k5_sha256 +%patch209 -p1 -b .Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs +%patch210 -p1 -b .In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a ln NOTICE LICENSE @@ -394,6 +460,7 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`" --with-dirsrv-account-locking \ %endif --enable-pkinit \ + --with-crypto-impl=openssl \ --with-pkinit-crypto-impl=openssl \ --with-tls-impl=openssl \ --with-system-verto \ @@ -815,6 +882,73 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Wed Aug 01 2018 Robbie Harwood - 1.15.1-34 +- In FIPS mode, add plaintext fallback for RC4 usages and taint +- Resolves: #1570600 + +* Tue Jul 10 2018 Robbie Harwood - 1.15.1-33 +- Use SHA-256 instead of MD5 for audit ticket IDs +- Resolves: #1570600 + +* Mon Jun 11 2018 Robbie Harwood - 1.15.1-32 +- Include preauth name in trace output if possible +- Update cert generation scripts to work on modern openssl +- Fix per-request preauth scoping +- Add test case for PKINIT DH renegotiation +- Echo KDC cookies in preauth tryagain +- Fall back to other preauth mechanisms after failures +- Resolves: #1540130 + +* Fri Jun 08 2018 Robbie Harwood - 1.15.1-31 +- Add German translation +- Resolves: #1497301 + +* Fri Jun 08 2018 Robbie Harwood - 1.15.1-30 +- Add default pkinit_anchors value to krb5.conf +- Resolves: #1508081 + +* Thu Jun 07 2018 Robbie Harwood - 1.15.1-29 +- Process profile includedir in sorted order +- Also, ignore dotfiles in included directories +- Resolves: #1539824 + +* Thu Jun 07 2018 Robbie Harwood - 1.15.1-28 +- Exit with status 0 from kadmind +- Resolves: #1373909 + +* Thu Jun 07 2018 Robbie Harwood - 1.15.1-27 +- Continue after KRB5_CC_END in KCM cache iteration +- Resolves: #1563166 + +* Thu Jun 07 2018 Robbie Harwood - 1.15.1-26 +- Merge duplicate subsections in profile library +- Resolves: #1519625 + +* Thu Jun 07 2018 Robbie Harwood - 1.15.1-25 +- Fix service dependencies on network state +- Resolves: #1525232 + +* Thu Jun 07 2018 Robbie Harwood - 1.15.1-24 +- Explicitly use openssl rather than builtin crypto +- Resolves: #1570600 + +* Mon Apr 30 2018 Robbie Harwood - 1.15.1-23 +- Fix flaws in LDAP DN checking (CVE-2018-5729, CVE-2018-5730) +- Resolves: #1562684 +- Resolves: #1562679 + +* Wed Apr 18 2018 Robbie Harwood - 1.15.1-22 +- Fix segfault in finish_dispatch() +- Resolves: #1568970 + +* Thu Apr 05 2018 Robbie Harwood - 1.15.1-21 +- Unparse SANs with NO_REALM +- Resolves: #1482457 + +* Thu Mar 22 2018 Robbie Harwood - 1.15.1-20 +- Fix hex conversion of PKINIT certid strings +- Resolves: #1538491 + * Fri Mar 02 2018 Robbie Harwood - 1.15.1-19 - Limit ticket lifetime to 2^31-1 seconds - Resolves: #1554723