"Fossies" - the Fresh Open Source Software Archive

Member "krb5-1.18/doc/pdf/basic.tex" (12 Feb 2020, 28065 Bytes) of package /linux/misc/krb5-1.18.tar.gz:


    1 %% Generated by Sphinx.
    2 \def\sphinxdocclass{report}
    3 \documentclass[letterpaper,10pt,english]{sphinxmanual}
    4 \ifdefined\pdfpxdimen
    5    \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen
    6 \fi \sphinxpxdimen=.75bp\relax
    7 
    8 \usepackage[utf8]{inputenc}
    9 \ifdefined\DeclareUnicodeCharacter
   10  \ifdefined\DeclareUnicodeCharacterAsOptional
   11   \DeclareUnicodeCharacter{"00A0}{\nobreakspace}
   12   \DeclareUnicodeCharacter{"2500}{\sphinxunichar{2500}}
   13   \DeclareUnicodeCharacter{"2502}{\sphinxunichar{2502}}
   14   \DeclareUnicodeCharacter{"2514}{\sphinxunichar{2514}}
   15   \DeclareUnicodeCharacter{"251C}{\sphinxunichar{251C}}
   16   \DeclareUnicodeCharacter{"2572}{\textbackslash}
   17  \else
   18   \DeclareUnicodeCharacter{00A0}{\nobreakspace}
   19   \DeclareUnicodeCharacter{2500}{\sphinxunichar{2500}}
   20   \DeclareUnicodeCharacter{2502}{\sphinxunichar{2502}}
   21   \DeclareUnicodeCharacter{2514}{\sphinxunichar{2514}}
   22   \DeclareUnicodeCharacter{251C}{\sphinxunichar{251C}}
   23   \DeclareUnicodeCharacter{2572}{\textbackslash}
   24  \fi
   25 \fi
   26 \usepackage{cmap}
   27 \usepackage[T1]{fontenc}
   28 \usepackage{amsmath,amssymb,amstext}
   29 \usepackage{babel}
   30 \usepackage{times}
   31 \usepackage[Bjarne]{fncychap}
   32 \usepackage[dontkeepoldnames]{sphinx}
   33 
   34 \usepackage{geometry}
   35 
   36 % Include hyperref last.
   37 \usepackage{hyperref}
   38 % Fix anchor placement for figures with captions.
   39 \usepackage{hypcap}% it must be loaded after hyperref.
   40 % Set up styles of URL: it should be placed after hyperref.
   41 \urlstyle{same}
   42 
   43 \addto\captionsenglish{\renewcommand{\figurename}{Fig.}}
   44 \addto\captionsenglish{\renewcommand{\tablename}{Table}}
   45 \addto\captionsenglish{\renewcommand{\literalblockname}{Listing}}
   46 
   47 \addto\captionsenglish{\renewcommand{\literalblockcontinuedname}{continued from previous page}}
   48 \addto\captionsenglish{\renewcommand{\literalblockcontinuesname}{continues on next page}}
   49 
   50 \addto\extrasenglish{\def\pageautorefname{page}}
   51 
   52 \setcounter{tocdepth}{0}
   53 
   54 
   55 
   56 \title{Kerberos Concepts}
   57 \date{ }
   58 \release{1.18}
   59 \author{MIT}
   60 \newcommand{\sphinxlogo}{\vbox{}}
   61 \renewcommand{\releasename}{Release}
   62 \makeindex
   63 
   64 \begin{document}
   65 
   66 \maketitle
   67 \sphinxtableofcontents
   68 \phantomsection\label{\detokenize{basic/index::doc}}
   69 
   70 
   71 
   72 \chapter{Credential cache}
   73 \label{\detokenize{basic/ccache_def:basic-concepts}}\label{\detokenize{basic/ccache_def::doc}}\label{\detokenize{basic/ccache_def:credential-cache}}\label{\detokenize{basic/ccache_def:ccache-definition}}\label{\detokenize{basic/ccache_def:kerberos-v5-concepts}}
   74 A credential cache (or “ccache”) holds Kerberos credentials while they
   75 remain valid and, generally, while the user’s session lasts, so that
   76 authenticating to a service multiple times (e.g., connecting to a web
   77 or mail server more than once) doesn’t require contacting the KDC
   78 every time.
   79 
   80 A credential cache usually contains one initial ticket which is
   81 obtained using a password or another form of identity verification.
   82 If this ticket is a ticket-granting ticket, it can be used to obtain
   83 additional credentials without the password.  Because the credential
   84 cache does not store the password, less long-term damage can be done
   85 to the user’s account if the machine is compromised.
   86 
   87 A credential cache stores a default client principal name, set when
   88 the cache is created.  This is the name shown at the top of the
   89 \DUrole{xref,std,std-ref}{klist(1)} \sphinxstyleemphasis{-A} output.
   90 
   91 Each normal cache entry includes a service principal name, a client
   92 principal name (which, in some ccache types, need not be the same as
   93 the default), lifetime information, and flags, along with the
   94 credential itself.  There are also other entries, indicated by special
   95 names, that store additional information.
   96 
   97 
   98 \section{ccache types}
   99 \label{\detokenize{basic/ccache_def:ccache-types}}
  100 The credential cache interface, like the {\hyperref[\detokenize{basic/keytab_def:keytab-definition}]{\sphinxcrossref{\DUrole{std,std-ref}{keytab}}}} and
  101 {\hyperref[\detokenize{basic/rcache_def:rcache-definition}]{\sphinxcrossref{\DUrole{std,std-ref}{replay cache}}}} interfaces, uses \sphinxtitleref{TYPE:value} strings to
  102 indicate the type of credential cache and any associated cache naming
  103 data to use.
  104 
  105 There are several kinds of credential cache supported in the MIT
  106 Kerberos library.  Not all are supported on every platform.  In most
  107 cases, it should be correct to use the default type built into the
  108 library.
  109 \begin{enumerate}
  110 \item {} 
  111 \sphinxstylestrong{API} is only implemented on Windows.  It communicates with a
  112 server process that holds the credentials in memory for the user,
  113 rather than writing them to disk.
  114 
  115 \item {} 
  116 \sphinxstylestrong{DIR} points to the storage location of a collection of
  117 credential caches in \sphinxstyleemphasis{FILE:} format.  It is most useful when dealing
  118 with multiple Kerberos realms and KDCs.  For release 1.10 the
  119 directory must already exist.  In post-1.10 releases, the
  120 parent directory must exist, and the current
  121 process must have permission to create the directory if it does
  122 not exist. See {\hyperref[\detokenize{basic/ccache_def:col-ccache}]{\sphinxcrossref{\DUrole{std,std-ref}{Collections of caches}}}} for details.  New in release 1.10.
  123 The following residual forms are supported:
  124 \begin{itemize}
  125 \item {} 
  126 DIR:dirname
  127 
  128 \item {} 
  129 DIR::dirpath/filename - a single cache within the directory
  130 
  131 \end{itemize}
  132 
  133 Switching to a ccache of the latter type causes it to become the
  134 primary for the directory.
  135 
  136 \item {} 
  137 \sphinxstylestrong{FILE} caches are the simplest and most portable. A simple flat
  138 file format is used to store one credential after another.  This is
  139 the default ccache type if no type is specified in a ccache name.
  140 
  141 \item {} 
  142 \sphinxstylestrong{KCM} caches work by contacting a daemon process called \sphinxcode{kcm}
  143 to perform cache operations.  If the cache name is just \sphinxcode{KCM:},
  144 the default cache as determined by the KCM daemon will be used.
  145 Newly created caches must generally be named \sphinxcode{KCM:uid:name},
  146 where \sphinxstyleemphasis{uid} is the effective user ID of the running process.
  147 
  148 KCM client support is new in release 1.13.  A KCM daemon has not
  149 yet been implemented in MIT krb5, but the client will interoperate
  150 with the KCM daemon implemented by Heimdal.  macOS 10.7 and higher
  151 provides a KCM daemon as part of the operating system, and the
  152 \sphinxstylestrong{KCM} cache type is used as the default cache on that platform in
  153 a default build.
  154 
  155 \item {} 
  156 \sphinxstylestrong{KEYRING} is Linux-specific, and uses the kernel keyring support
  157 to store credential data in unswappable kernel memory where only
  158 the current user should be able to access it.  The following
  159 residual forms are supported:
  160 \begin{itemize}
  161 \item {} 
  162 KEYRING:name
  163 
  164 \item {} 
  165 KEYRING:process:name - process keyring
  166 
  167 \item {} 
  168 KEYRING:thread:name -  thread keyring
  169 
  170 \end{itemize}
  171 
  172 Starting with release 1.12 the \sphinxstyleemphasis{KEYRING} type supports collections.
  173 The following new residual forms were added:
  174 \begin{itemize}
  175 \item {} 
  176 KEYRING:session:name - session keyring
  177 
  178 \item {} 
  179 KEYRING:user:name - user keyring
  180 
  181 \item {} 
  182 KEYRING:persistent:uidnumber - persistent per-UID collection.
  183 Unlike the user keyring, this collection survives after the user
  184 logs out, until the cache credentials expire.  This type of
  185 ccache requires support from the kernel; otherwise, it will fall
  186 back to the user keyring.
  187 
  188 \end{itemize}
  189 
  190 See {\hyperref[\detokenize{basic/ccache_def:col-ccache}]{\sphinxcrossref{\DUrole{std,std-ref}{Collections of caches}}}} for details.
  191 
  192 \item {} 
  193 \sphinxstylestrong{MEMORY} caches are for storage of credentials that don’t need to
  194 be made available outside of the current process.  For example, a
  195 memory ccache is used by \DUrole{xref,std,std-ref}{kadmin(1)} to store the
  196 administrative ticket used to contact the admin server.  Memory
  197 ccaches are faster than file ccaches and are automatically
  198 destroyed when the process exits.
  199 
  200 \item {} 
  201 \sphinxstylestrong{MSLSA} is a Windows-specific cache type that accesses the
  202 Windows credential store.
  203 
  204 \end{enumerate}
  205 
  206 
  207 \section{Collections of caches}
  208 \label{\detokenize{basic/ccache_def:collections-of-caches}}\label{\detokenize{basic/ccache_def:col-ccache}}
  209 Some credential cache types can support collections of multiple
  210 caches.  One of the caches in the collection is designated as the
  211 \sphinxstyleemphasis{primary} and will be used when the collection is resolved as a cache.
  212 When a collection-enabled cache type is the default cache for a
  213 process, applications can search the specified collection for a
  214 specific client principal, and GSSAPI applications will automatically
  215 select between the caches in the collection based on criteria such as
  216 the target service realm.
  217 
  218 Credential cache collections are new in release 1.10, with support
  219 from the \sphinxstylestrong{DIR} and \sphinxstylestrong{API} ccache types.  Starting in release 1.12,
  220 collections are also supported by the \sphinxstylestrong{KEYRING} ccache type.
  221 Collections are supported by the \sphinxstylestrong{KCM} ccache type in release 1.13.
  222 
  223 
  224 \subsection{Tool alterations to use cache collection}
  225 \label{\detokenize{basic/ccache_def:tool-alterations-to-use-cache-collection}}\begin{itemize}
  226 \item {} 
  227 \DUrole{xref,std,std-ref}{kdestroy(1)} \sphinxstyleemphasis{-A} will destroy all caches in the collection.
  228 
  229 \item {} 
  230 If the default cache type supports switching, \DUrole{xref,std,std-ref}{kinit(1)}
  231 \sphinxstyleemphasis{princname} will search the collection for a matching cache and
  232 store credentials there, or will store credentials in a new unique
  233 cache of the default type if no existing cache for the principal
  234 exists.  Either way, kinit will switch to the selected cache.
  235 
  236 \item {} 
  237 \DUrole{xref,std,std-ref}{klist(1)} \sphinxstyleemphasis{-l} will list the caches in the collection.
  238 
  239 \item {} 
  240 \DUrole{xref,std,std-ref}{klist(1)} \sphinxstyleemphasis{-A} will show the content of all caches in the
  241 collection.
  242 
  243 \item {} 
  244 \DUrole{xref,std,std-ref}{kswitch(1)} \sphinxstyleemphasis{-p princname} will search the collection for a
  245 matching cache and switch to it.
  246 
  247 \item {} 
  248 \DUrole{xref,std,std-ref}{kswitch(1)} \sphinxstyleemphasis{-c cachename} will switch to a specified cache.
  249 
  250 \end{itemize}
  251 
  252 
  253 \section{Default ccache name}
  254 \label{\detokenize{basic/ccache_def:default-ccache-name}}
  255 The default credential cache name is determined by the following, in
  256 descending order of priority:
  257 \begin{enumerate}
  258 \item {} 
  259 The \sphinxstylestrong{KRB5CCNAME} environment variable.  For example,
  260 \sphinxcode{KRB5CCNAME=DIR:/mydir/}.
  261 
  262 \item {} 
  263 The \sphinxstylestrong{default\_ccache\_name} profile variable in \DUrole{xref,std,std-ref}{libdefaults}.
  264 
  265 \item {} 
  266 The hardcoded default, \DUrole{xref,std,std-ref}{DEFCCNAME}.
  267 
  268 \end{enumerate}
  269 
  270 
  271 \chapter{keytab}
  272 \label{\detokenize{basic/keytab_def:keytab}}\label{\detokenize{basic/keytab_def::doc}}\label{\detokenize{basic/keytab_def:keytab-definition}}
  273 A keytab (short for “key table”) stores long-term keys for one or more
  274 principals.  Keytabs are normally represented by files in a standard
  275 format, although in rare cases they can be represented in other ways.
  276 Keytabs are used most often to allow server applications to accept
  277 authentications from clients, but can also be used to obtain initial
  278 credentials for client applications.
  279 
  280 Keytabs are named using the format \sphinxstyleemphasis{type}\sphinxcode{:}\sphinxstyleemphasis{value}.  Usually
  281 \sphinxstyleemphasis{type} is \sphinxcode{FILE} and \sphinxstyleemphasis{value} is the absolute pathname of the file.
  282 The other possible value for \sphinxstyleemphasis{type} is \sphinxcode{MEMORY}, which indicates a
  283 temporary keytab stored in the memory of the current process.
  284 
  285 A keytab contains one or more entries, where each entry consists of a
  286 timestamp (indicating when the entry was written to the keytab), a
  287 principal name, a key version number, an encryption type, and the
  288 encryption key itself.
  289 
  290 A keytab can be displayed using the \DUrole{xref,std,std-ref}{klist(1)} command with the
  291 \sphinxcode{-k} option.  Keytabs can be created or appended to by extracting
  292 keys from the KDC database using the \DUrole{xref,std,std-ref}{kadmin(1)} \DUrole{xref,std,std-ref}{ktadd}
  293 command.  Keytabs can be manipulated using the \DUrole{xref,std,std-ref}{ktutil(1)} and
  294 \DUrole{xref,std,std-ref}{k5srvutil(1)} commands.
  295 
  296 
  297 \section{Default keytab}
  298 \label{\detokenize{basic/keytab_def:default-keytab}}
  299 The default keytab is used by server applications if the application
  300 does not request a specific keytab.  The name of the default keytab is
  301 determined by the following, in decreasing order of preference:
  302 \begin{enumerate}
  303 \item {} 
  304 The \sphinxstylestrong{KRB5\_KTNAME} environment variable.
  305 
  306 \item {} 
  307 The \sphinxstylestrong{default\_keytab\_name} profile variable in \DUrole{xref,std,std-ref}{libdefaults}.
  308 
  309 \item {} 
  310 The hardcoded default, \DUrole{xref,std,std-ref}{DEFKTNAME}.
  311 
  312 \end{enumerate}
  313 
  314 
  315 \section{Default client keytab}
  316 \label{\detokenize{basic/keytab_def:default-client-keytab}}
  317 The default client keytab is used, if it is present and readable, to
  318 automatically obtain initial credentials for GSSAPI client
  319 applications.  The principal name of the first entry in the client
  320 keytab is used by default when obtaining initial credentials.  The
  321 name of the default client keytab is determined by the following, in
  322 decreasing order of preference:
  323 \begin{enumerate}
  324 \item {} 
  325 The \sphinxstylestrong{KRB5\_CLIENT\_KTNAME} environment variable.
  326 
  327 \item {} 
  328 The \sphinxstylestrong{default\_client\_keytab\_name} profile variable in
  329 \DUrole{xref,std,std-ref}{libdefaults}.
  330 
  331 \item {} 
  332 The hardcoded default, \DUrole{xref,std,std-ref}{DEFCKTNAME}.
  333 
  334 \end{enumerate}
  335 
  336 
  337 \chapter{replay cache}
  338 \label{\detokenize{basic/rcache_def:replay-cache}}\label{\detokenize{basic/rcache_def:rcache-definition}}\label{\detokenize{basic/rcache_def::doc}}
  339 A replay cache (or “rcache”) keeps track of all authenticators
  340 recently presented to a service.  If a duplicate authentication
  341 request is detected in the replay cache, an error message is sent to
  342 the application program.
  343 
  344 The replay cache interface, like the credential cache and
  345 {\hyperref[\detokenize{basic/keytab_def:keytab-definition}]{\sphinxcrossref{\DUrole{std,std-ref}{keytab}}}} interfaces, uses \sphinxtitleref{type:residual} strings to
  346 indicate the type of replay cache and any associated cache naming
  347 data to use.
  348 
  349 
  350 \section{Background information}
  351 \label{\detokenize{basic/rcache_def:background-information}}
  352 Some Kerberos or GSSAPI services use a simple authentication mechanism
  353 where a message is sent containing an authenticator, which establishes
  354 the encryption key that the client will use for talking to the
  355 service.  But nothing about that prevents an eavesdropper from
  356 recording the messages sent by the client, establishing a new
  357 connection, and re-sending or “replaying” the same messages; the
  358 replayed authenticator will establish the same encryption key for the
  359 new session, and the following messages will be decrypted and
  360 processed.  The attacker may not know what the messages say, and can’t
  361 generate new messages under the same encryption key, but in some
  362 instances it may be harmful to the user (or helpful to the attacker)
  363 to cause the server to see the same messages a second time.  For
  364 example, if the legitimate client sends “delete first message in
  365 mailbox”, a replay from an attacker may delete another, different
  366 “first” message.  (Protocol design to guard against such problems has
  367 been discussed in \index{RFC!RFC 4120\#section-10}\sphinxhref{https://tools.ietf.org/html/rfc4120.html\#section-10}{\sphinxstylestrong{RFC 4120\#section-10}}.)
  368 
  369 Even if one protocol uses further protection to verify that the client
  370 side of the connection actually knows the encryption keys (and thus is
  371 presumably a legitimate user), if another service uses the same
  372 service principal name, it may be possible to record an authenticator
  373 used with the first protocol and “replay” it against the second.
  374 
  375 The replay cache mitigates these attacks somewhat, by keeping track of
  376 authenticators that have been seen until their five-minute window
  377 expires.  Different authenticators generated by multiple connections
  378 from the same legitimate client will generally have different
  379 timestamps, and thus will not be considered the same.
  380 
  381 This mechanism isn’t perfect.  If a message is sent to one application
  382 server but a man-in-the-middle attacker can prevent it from actually
  383 arriving at that server, the attacker could then use the authenticator
  384 (once!) against a different service on the same host.  This could be a
  385 problem if the message from the client included something more than
  386 authentication in the first message that could be useful to the
  387 attacker (which is uncommon; in most protocols the server has to
  388 indicate a successful authentication before the client sends
  389 additional messages), or if the simple act of presenting the
  390 authenticator triggers some interesting action in the service being
  391 attacked.
  392 
  393 
  394 \section{Replay cache types}
  395 \label{\detokenize{basic/rcache_def:replay-cache-types}}
  396 Unlike the credential cache and keytab interfaces, replay cache types
  397 are in lowercase.  The following types are defined:
  398 \begin{enumerate}
  399 \item {} 
  400 \sphinxstylestrong{none} disables the replay cache.  The residual value is ignored.
  401 
  402 \item {} 
  403 \sphinxstylestrong{file2} (new in release 1.18) uses a hash-based format to store
  404 replay records.  The file may grow to accommodate hash collisions.
  405 The residual value is the filename.
  406 
  407 \item {} 
  408 \sphinxstylestrong{dfl} is the default type if no environment variable or
  409 configuration specifies a different type.  It stores replay data in
  410 a file2 replay cache with a filename based on the effective uid.
  411 The residual value is ignored.
  412 
  413 \end{enumerate}
  414 
  415 For the dfl type, the location of the replay cache file is determined
  416 as follows:
  417 \begin{enumerate}
  418 \item {} 
  419 The directory is taken from the \sphinxstylestrong{KRB5RCACHEDIR} environment
  420 variable, or the \sphinxstylestrong{TMPDIR} environment variable, or a temporary
  421 directory determined at configuration time such as \sphinxcode{/var/tmp}, in
  422 descending order of preference.
  423 
  424 \item {} 
  425 The filename is \sphinxcode{krb5\_EUID.rcache2} where EUID is the effective
  426 uid of the process.
  427 
  428 \item {} 
  429 The file is opened without following symbolic links, and ownership
  430 of the file is verified to match the effective uid.
  431 
  432 \end{enumerate}
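
The lookup and open steps for the dfl type on POSIX systems, as an added C example (not code from MIT krb5). The function names, the fallback directory constant and the EPERM return for a wrong owner are assumptions of this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed build-time fallback; the text names /var/tmp as an example. */
#define FALLBACK_RCACHE_DIR "/var/tmp"

/*
 * Steps 1 and 2: choose the directory (KRB5RCACHEDIR, then TMPDIR, then the
 * build-time default) and append krb5_EUID.rcache2.  Returns 0, or -1 if the
 * result does not fit in out.  A setuid-aware caller would read the
 * environment through glibc's secure_getenv() instead of getenv().
 */
int dfl_rcache_path(char *out, size_t outlen)
{
    const char *dir = getenv("KRB5RCACHEDIR");
    int n;

    if (dir == NULL)
        dir = getenv("TMPDIR");
    if (dir == NULL)
        dir = FALLBACK_RCACHE_DIR;
    n = snprintf(out, outlen, "%s/krb5_%lu.rcache2", dir,
                 (unsigned long)geteuid());
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/*
 * Step 3: open (creating if needed) without following a symbolic link in the
 * final path component, then verify ownership on the descriptor itself so
 * the check applies to the file that was actually opened.  Returns a
 * descriptor, or -1 with errno set: ELOOP on Linux when the path is a
 * symlink, EPERM (this sketch's choice) when another uid owns the file.
 */
int open_rcache_checked(const char *path)
{
    struct stat st;
    int fd = open(path, O_CREAT | O_RDWR | O_NOFOLLOW, 0600);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[4096];
    int fd;

    if (dfl_rcache_path(path, sizeof(path)) != 0) {
        fprintf(stderr, "replay cache path too long\n");
        return 1;
    }
    fd = open_rcache_checked(path);
    if (fd < 0) {
        perror(path);
        return 1;
    }
    printf("opened %s\n", path);
    close(fd);
    return 0;
}
```

Checking ownership with fstat on the open descriptor, rather than stat on the path, keeps the check bound to the file that was opened even if the directory entry is replaced afterwards.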
  433 
  434 On Windows, the directory for the dfl type is the local appdata
  435 directory, unless overridden by the \sphinxstylestrong{KRB5RCACHEDIR} environment
  436 variable.  The filename on Windows is \sphinxcode{krb5.rcache2}, and the file
  437 is opened normally.
  438 
  439 
  440 \section{Default replay cache name}
  441 \label{\detokenize{basic/rcache_def:default-replay-cache-name}}
  442 The default replay cache name is determined by the following, in
  443 descending order of priority:
  444 \begin{enumerate}
  445 \item {} 
  446 The \sphinxstylestrong{KRB5RCACHENAME} environment variable (new in release 1.18).
  447 
  448 \item {} 
  449 The \sphinxstylestrong{KRB5RCACHETYPE} environment variable.  If this variable is
  450 set, the residual value is empty.
  451 
  452 \item {} 
  453 The \sphinxstylestrong{default\_rcache\_name} profile variable in \DUrole{xref,std,std-ref}{libdefaults}
  454 (new in release 1.18).
  455 
  456 \item {} 
  457 If none of the above are set, the default replay cache name is
  458 \sphinxcode{dfl:}.
  459 
  460 \end{enumerate}
  461 
  462 
  463 \chapter{stash file}
  464 \label{\detokenize{basic/stash_file_def:stash-file}}\label{\detokenize{basic/stash_file_def::doc}}\label{\detokenize{basic/stash_file_def:stash-definition}}
  465 The stash file is a local copy of the master key that resides in
  466 encrypted form on the KDC’s local disk.  The stash file is used to
  467 authenticate the KDC to itself automatically before starting the
  468 \DUrole{xref,std,std-ref}{kadmind(8)} and \DUrole{xref,std,std-ref}{krb5kdc(8)} daemons (e.g., as part of the
  469 machine’s boot sequence).  The stash file, like the keytab file (see
  470 \DUrole{xref,std,std-ref}{keytab\_file}), is a potential point of entry for a break-in, and
  471 if compromised, would allow unrestricted access to the Kerberos
  472 database.  If you choose to install a stash file, it should be
  473 readable only by root, and should exist only on the KDC’s local disk.
  474 The file should not be part of any backup of the machine, unless
  475 access to the backup data is secured as tightly as access to the
  476 master password itself.
  477 
  478 \begin{sphinxadmonition}{note}{Note:}
  479 If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up.
  480 This means that the KDC will not be able to start automatically, such as after a system reboot.
  481 \end{sphinxadmonition}
  482 
  483 
  484 \chapter{Supported date and time formats}
  485 \label{\detokenize{basic/date_format:supported-date-and-time-formats}}\label{\detokenize{basic/date_format::doc}}\label{\detokenize{basic/date_format:datetime}}
  486 
  487 \section{Time duration}
  488 \label{\detokenize{basic/date_format:duration}}\label{\detokenize{basic/date_format:time-duration}}
  489 This format is used to express a time duration in the Kerberos
  490 configuration files and user commands.  The allowed formats are:
  491 \begin{quote}
  492 
  493 
  494 \begin{savenotes}\sphinxattablestart
  495 \centering
  496 \begin{tabulary}{\linewidth}[t]{|T|T|T|}
  497 \hline
  498 
  499 Format
  500 &
  501 Example
  502 &
  503 Value
  504 \\
  505 \hline
  506 h:m{[}:s{]}
  507 &
  508 36:00
  509 &
  510 36 hours
  511 \\
  512 \hline
  513 NdNhNmNs
  514 &
  515 8h30s
  516 &
  517 8 hours 30 seconds
  518 \\
  519 \hline
  520 N (number of seconds)
  521 &
  522 3600
  523 &
  524 1 hour
  525 \\
  526 \hline
  527 \end{tabulary}
  528 \par
  529 \sphinxattableend\end{savenotes}
  530 \end{quote}
  531 
  532 Here \sphinxstyleemphasis{N} denotes a number, \sphinxstyleemphasis{d} - days, \sphinxstyleemphasis{h} - hours, \sphinxstyleemphasis{m} - minutes,
  533 \sphinxstyleemphasis{s} - seconds.
  534 
  535 \begin{sphinxadmonition}{note}{Note:}
  536 The time interval should not exceed 2147483647 seconds.
  537 \end{sphinxadmonition}
  538 
  539 Examples:
  540 
  541 \fvset{hllines={, ,}}%
  542 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  543 \PYG{n}{Request} \PYG{n}{a} \PYG{n}{ticket} \PYG{n}{valid} \PYG{k}{for} \PYG{n}{one} \PYG{n}{hour}\PYG{p}{,} \PYG{n}{five} \PYG{n}{hours}\PYG{p}{,} \PYG{l+m+mi}{30} \PYG{n}{minutes}
  544 \PYG{o+ow}{and} \PYG{l+m+mi}{10} \PYG{n}{days} \PYG{n}{respectively}\PYG{p}{:}
  545 
  546   \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{3600}
  547   \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{5}\PYG{p}{:}\PYG{l+m+mi}{00}
  548   \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{30}\PYG{n}{m}
  549   \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{10d 0h 0m 0s}\PYG{l+s+s2}{\PYGZdq{}}
  550 \end{sphinxVerbatim}
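
An added C example (not the parser used by MIT krb5) that accepts the three duration formats in the table above and enforces the 2147483647-second limit from the note. The function name, the required d, h, m, s ordering and the rejection of any other input are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>

/* Largest duration the note allows: the maximum signed 32-bit value. */
#define MAX_DELTAT 2147483647LL

static const char *skip_ws(const char *s)
{
    while (isspace((unsigned char)*s))
        s++;
    return s;
}

/* Read a decimal number; fail on no digits or a value past the limit. */
static int read_num(const char **p, long long *out)
{
    const char *s = *p;
    long long v = 0;

    if (!isdigit((unsigned char)*s))
        return -1;
    for (; isdigit((unsigned char)*s); s++) {
        v = v * 10 + (*s - '0');
        if (v > MAX_DELTAT)
            return -1;
    }
    *p = s;
    *out = v;
    return 0;
}

/*
 * total += n * unit, failing rather than exceeding the limit.  n is at most
 * MAX_DELTAT and unit at most 86400, so the product fits in a long long.
 */
static int add_scaled(long long *total, long long n, long long unit)
{
    long long t = *total + n * unit;

    if (t > MAX_DELTAT)
        return -1;
    *total = t;
    return 0;
}

/* Parse s into seconds.  Returns 0 and sets *out, or -1 on bad input. */
int parse_duration(const char *s, long long *out)
{
    static const char units[] = "dhms";
    static const long long scale[] = { 86400, 3600, 60, 1 };
    long long total = 0, n;
    const char *p = skip_ws(s);
    int next = 0, i;

    if (read_num(&p, &n) != 0)
        return -1;
    if (*p == ':') {                        /* h:m[:s] */
        if (add_scaled(&total, n, 3600) != 0)
            return -1;
        p++;
        if (read_num(&p, &n) != 0 || add_scaled(&total, n, 60) != 0)
            return -1;
        if (*p == ':') {
            p++;
            if (read_num(&p, &n) != 0 || add_scaled(&total, n, 1) != 0)
                return -1;
        }
        if (*skip_ws(p) != '\0')
            return -1;
    } else if (*skip_ws(p) == '\0') {       /* N (number of seconds) */
        total = n;
    } else {                                /* NdNhNmNs */
        for (;;) {
            /* Units may be omitted but must appear in d, h, m, s order. */
            for (i = next; i < 4 && units[i] != *p; i++)
                ;
            if (i == 4 || add_scaled(&total, n, scale[i]) != 0)
                return -1;
            next = i + 1;
            p = skip_ws(p + 1);
            if (*p == '\0')
                break;
            if (read_num(&p, &n) != 0)
                return -1;
        }
    }
    *out = total;
    return 0;
}

int main(void)
{
    /* The kinit -l arguments from the examples above. */
    const char *samples[] = { "3600", "5:00", "30m", "10d 0h 0m 0s" };
    long long secs;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (parse_duration(samples[i], &secs) == 0)
            printf("%-14s -> %lld seconds\n", samples[i], secs);
    }
    return 0;
}
```

Accumulating in a 64-bit value and comparing against the limit after every term rejects an oversized lifetime outright, where 32-bit arithmetic would wrap it to a negative or short one.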
  551 
  552 
  553 \section{getdate time}
  554 \label{\detokenize{basic/date_format:getdate-time}}\label{\detokenize{basic/date_format:getdate}}
  555 Some of the kadmin and kdb5\_util commands take a date-time in a
  556 human-readable format.  Some of the acceptable date-time
  557 strings are:
  558 \begin{quote}
  559 
  560 
  561 \begin{savenotes}\sphinxattablestart
  562 \centering
  563 \begin{tabulary}{\linewidth}[t]{|T|T|T|}
  564 \hline
  565 \sphinxstylethead{\sphinxstyletheadfamily \unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 
  566 Format
  567 \unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 
  568 Example
  569 \unskip}\relax \\
  570 \hline\sphinxmultirow{3}{4}{%
  571 \begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
  572 Date
  573 \par
  574 \vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
  575 }%
  576 &
  577 mm/dd/yy
  578 &
  579 07/27/12
  580 \\
  581 \cline{2-3}\sphinxtablestrut{4}&
  582 month dd, yyyy
  583 &
  584 Jul 27, 2012
  585 \\
  586 \cline{2-3}\sphinxtablestrut{4}&
  587 yyyy-mm-dd
  588 &
  589 2012-07-27
  590 \\
  591 \hline\sphinxmultirow{2}{11}{%
  592 \begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
  593 Absolute
  594 time
  595 \par
  596 \vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
  597 }%
  598 &
  599 HH:mm{[}:ss{]}pp
  600 &
  601 08:30 PM
  602 \\
  603 \cline{2-3}\sphinxtablestrut{11}&
  604 hh:mm{[}:ss{]}
  605 &
  606 20:30
  607 \\
  608 \hline
  609 Relative
  610 time
  611 &
  612 N tt
  613 &
  614 30 sec
  615 \\
  616 \hline\sphinxmultirow{2}{19}{%
  617 \begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
  618 Time zone
  619 \par
  620 \vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
  621 }%
  622 &
  623 Z
  624 &
  625 EST
  626 \\
  627 \cline{2-3}\sphinxtablestrut{19}&
  628 z
  629 &
  630 -0400
  631 \\
  632 \hline
  633 \end{tabulary}
  634 \par
  635 \sphinxattableend\end{savenotes}
  636 \end{quote}
  637 
  638 (See {\hyperref[\detokenize{basic/date_format:abbreviation}]{\sphinxcrossref{\DUrole{std,std-ref}{Abbreviations used in this document}}}}.)
  639 
  640 Examples:
  641 
  642 \fvset{hllines={, ,}}%
  643 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  644 \PYG{n}{Create} \PYG{n}{a} \PYG{n}{principal} \PYG{n}{that} \PYG{n}{expires} \PYG{n}{on} \PYG{n}{the} \PYG{n}{date} \PYG{n}{indicated}\PYG{p}{:}
  645     \PYG{n}{addprinc} \PYG{n}{test1} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{3/27/12 10:00:07 EST}\PYG{l+s+s2}{\PYGZdq{}}
  646     \PYG{n}{addprinc} \PYG{n}{test2} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{January 23, 2015 10:05pm}\PYG{l+s+s2}{\PYGZdq{}}
  647     \PYG{n}{addprinc} \PYG{n}{test3} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{22:00 GMT}\PYG{l+s+s2}{\PYGZdq{}}
  648 \PYG{n}{Add} \PYG{n}{a} \PYG{n}{principal} \PYG{n}{that} \PYG{n}{will} \PYG{n}{expire} \PYG{o+ow}{in} \PYG{l+m+mi}{30} \PYG{n}{minutes}\PYG{p}{:}
  649     \PYG{n}{addprinc} \PYG{n}{test4} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{30 minutes}\PYG{l+s+s2}{\PYGZdq{}}
  650 \end{sphinxVerbatim}
  651 
  652 
  653 \section{Absolute time}
  654 \label{\detokenize{basic/date_format:abstime}}\label{\detokenize{basic/date_format:absolute-time}}
  655 This rarely used date-time format can be written in one of the
  656 following ways:
  657 \begin{quote}
  658 
  659 
  660 \begin{savenotes}\sphinxattablestart
  661 \centering
  662 \begin{tabulary}{\linewidth}[t]{|T|T|T|}
  663 \hline
  664 \sphinxstylethead{\sphinxstyletheadfamily 
  665 Format
  666 \unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 
  667 Example
  668 \unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 
  669 Value
  670 \unskip}\relax \\
  671 \hline
  672 yyyymmddhhmmss
  673 &
  674 20141231235900
  675 &\sphinxmultirow{5}{6}{%
  676 \begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
  677 One minute
  678 before 2015
  679 \par
  680 \vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
  681 }%
  682 \\
  683 \cline{1-2}
  684 yyyy.mm.dd.hh.mm.ss
  685 &
  686 2014.12.31.23.59.00
  687 &\sphinxtablestrut{6}\\
  688 \cline{1-2}
  689 yymmddhhmmss
  690 &
  691 141231235900
  692 &\sphinxtablestrut{6}\\
  693 \cline{1-2}
  694 yy.mm.dd.hh.mm.ss
  695 &
  696 14.12.31.23.59.00
  697 &\sphinxtablestrut{6}\\
  698 \cline{1-2}
  699 dd-month-yyyy:hh:mm:ss
  700 &
  701 31-Dec-2014:23:59:00
  702 &\sphinxtablestrut{6}\\
  703 \hline
  704 hh:mm:ss
  705 &
  706 20:00:00
  707 &\sphinxmultirow{2}{17}{%
  708 \begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
  709 8 o’clock in
  710 the evening
  711 \par
  712 \vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
  713 }%
  714 \\
  715 \cline{1-2}
  716 hhmmss
  717 &
  718 200000
  719 &\sphinxtablestrut{17}\\
  720 \hline
  721 \end{tabulary}
  722 \par
  723 \sphinxattableend\end{savenotes}
  724 \end{quote}
  725 
  726 (See {\hyperref[\detokenize{basic/date_format:abbreviation}]{\sphinxcrossref{\DUrole{std,std-ref}{Abbreviations used in this document}}}}.)
  727 
  728 Example:
  729 
  730 \fvset{hllines={, ,}}%
  731 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  732 \PYG{n}{Set} \PYG{n}{the} \PYG{n}{default} \PYG{n}{expiration} \PYG{n}{date} \PYG{n}{to} \PYG{n}{July} \PYG{l+m+mi}{27}\PYG{p}{,} \PYG{l+m+mi}{2012} \PYG{n}{at} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{30}
  733 \PYG{n}{default\PYGZus{}principal\PYGZus{}expiration} \PYG{o}{=} \PYG{l+m+mi}{20120727203000}
  734 \end{sphinxVerbatim}
  735 
  736 
  737 \subsection{Abbreviations used in this document}
  738 \label{\detokenize{basic/date_format:abbreviation}}\label{\detokenize{basic/date_format:abbreviations-used-in-this-document}}
  739 \begin{DUlineblock}{0em}
  740 \item[] \sphinxstyleemphasis{month}  : locale’s month name or its abbreviation;
  741 \item[] \sphinxstyleemphasis{dd}   : day of month (01-31);
  742 \item[] \sphinxstyleemphasis{HH}   : hours (00-12);
  743 \item[] \sphinxstyleemphasis{hh}   : hours (00-23);
  744 \item[] \sphinxstyleemphasis{mm}   : in time - minutes (00-59); in date - month (01-12);
  745 \item[] \sphinxstyleemphasis{N}    : number;
  746 \item[] \sphinxstyleemphasis{pp}   : AM or PM;
  747 \item[] \sphinxstyleemphasis{ss}   : seconds  (00-60);
  748 \item[] \sphinxstyleemphasis{tt}   : time units (hours, minutes, min, seconds, sec);
  749 \item[] \sphinxstyleemphasis{yyyy} : year;
  750 \item[] \sphinxstyleemphasis{yy}   : last two digits of the year;
  751 \item[] \sphinxstyleemphasis{Z}    : alphabetic time zone abbreviation;
  752 \item[] \sphinxstyleemphasis{z}    : numeric time zone;
  753 \end{DUlineblock}
  754 
  755 \begin{sphinxadmonition}{note}{Note:}\begin{itemize}
  756 \item {} 
  757 If the date specification contains spaces, you may need to
  758 enclose it in double quotes;
  759 
  760 \item {} 
  761 All keywords are case-insensitive.
  762 
  763 \end{itemize}
  764 \end{sphinxadmonition}
  765 
  766 
  767 
  768 \renewcommand{\indexname}{Index}
  769 \printindex
  770 \end{document}