/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * ident "%Z%%M% %I% %E% SMI"
 *
 * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

import java.util.ListResourceBundle;

// On-line spot help. Defined as strings of a "contents" object.
public class HelpData extends ListResourceBundle {
    /**
     * Returns the help table that backs this resource bundle.
     *
     * <p>The {@code contents} array itself is returned, not a copy, so
     * every caller receives a reference to the same static table.
     *
     * @return the rows of help-key / help-text strings held in
     *         {@code contents}
     */
    public Object [][] getContents() {
        return contents;
    }

    // NOTE(review): declared without an access modifier and handed out by
    // reference from getContents(); 'final' fixes only the reference, so the
    // rows stay writable by any code that can reach this array.
    static final Object [][] contents = {

        //
        // Main Login Panel
        //

        {"MainLoginPanel",
            // Not currently available in GUI
            "This window enables you to log in and use the SEAM Administration"
            +"Tool. The default information that initially fills in the fields"
            +" is read from the system's /etc/krb5/krb5.conf file (except"
            +" for the principal name)."},

        {"LoginName",
            "The principal name to log in with (without realm included)."
            +"In order to use the SEAM Administration Tool, your principal"
            +" must have the appropriate privileges specified in the master"
            +" KDC's kadm5.acl"
            +" file.\n"
            +" \n"
            +"The default principal name consists of your user name with the"
            +" 'admin' instance appended. For example, 'jdb/admin'."},

        {"LoginPass",
            "The password for the principal."},

        {"LoginRealm",
            "The Kerberos realm, which is similar to a DNS domain."
            +"In most cases, the realm name is your domain name, and it should"
            +" be upper-case. 
For example, 'MTN.ACME.COM'.\n"
            +" \n"
            +"Each realm has one master KDC and may include slave"
            +" KDCs that contain read-only copies of the master."
            +"The default realm is read from the system's"
            +" /etc/krb5/krb5.conf file."},

        {"LoginServer",
            "The master KDC where the Kerberos administration server, kadmind,"
            +" is running and where the KDC (Key Distribution Center) is located."
            +"You must provide a fully-qualified host name for the master KDC.\n"
            +" \n"
            +"The default admin server is read from the"
            +" system's /etc/krb5/krb5.conf file."},

        {"LoginOK",
            "Checks the information"
            +" in this window, and if valid, logs you into the tool."},

        {"LoginStartOver",
            "Resets all fields in this window to their initial"
            +" settings (when the tool was started)."},

        //
        // Panel Tabs
        //

        {"PrincipalTab",
            "Sends you to the list of principals. If you are currently"
            +" working on a principal or policy and you've made"
            +" changes, you'll be prompted to cancel or save"
            +" the changes before being sent to Principal List panel."},

        {"PolicyTab",
            "Sends you to the list of policies. If you are currently working on a"
            +" principal or policy and you've made changes, you'll be prompted to"
            +" cancel or save the changes before being sent to Policy"
            +" List panel."},

        //
        // Principal List Panel
        //

        {"PrinListPanel",
            // Not currently available in GUI
            "This panel enables you to select a principal from the list to modify,"
            +" delete, and duplicate. You can also create a new principal.\n"
            +" \n"
            +" principal is an entity to which tickets may be assigned, generally"
            +" of the form <primary>/<instance>@<REALM>. For example,"
            +" jdb/admin@MTN.ACME.COM.\n"
            +" \n"
            +" display a specific principal or"
            +" sublist of principals, enter a filter string in the Filter Pattern"
            +" field and press"
            +" return.\n"
            +" \n"
            +"To perform an operation on a principal, select it from the list and"
            +" click the appropriate button. To create a new principal, click"
            +" Create New."},

        {"PrList",
            "Displays all the available principals in the specified realm.\n"
            +" \n"
            +"To select a principal, click on its name in the list;"
            +" double-clicking on a principal is equivalent to selecting"
            +" the principal and clicking Modify."},

        {"PrNoList",
            "This list panel is blank when you don't have list privileges"
            +" or you've chosen not to show lists."},

        {"PrListPattern",
            "Enables you to apply a filter on the available principals to"
            +" display a particular principal or sublist of principals."
            +"The filter string you enter may consist of one or more"
            +" characters. And, because the filter mechanism is case"
            +" sensitive, you need to use the appropriate upper-case and"
            +" lower-case letters for the filter.\n"
            +" \n"
            +"For example, entering 'user' for the filter would match"
            +" and display principals such as 'enguser', 'user1',"
            +" and 'useradmin'.\n"
            +" '\n"
            +"To display a particular principal or sublist of"
            +" principals, enter a filter string and press return.\n"
            +" \n"
            +"To display the entire list of principals, click Clear"
            +" Filter(or clear the Filter Pattern field and press return)."},

        {"PrNameNoList",
            "When the principal list is not displayed,"
            +" you must enter principal names in this field to perform"
            +" operations on them. Entering a name is equivalent to selecting"
            +" an item from the principal list in normal operation.\n"
            +" \n"
            +"To clear the principal entry, click Clear Name (or clear the"
            +" Name field and press return)."},

        {"PrListClear",
            "Clears the filter and displays the full list of available",
            " principals."},

        {"PrNoListClear",
            "Clears the Name field."},

        {"PrListModify",
            "Opens a series of panels that enable you to modify the selected"
            +" principal, such as the principal's password, expiry date,"
            +" and policy."},

        {"PrListAdd",
            "Opens a series of panels that enable you to create a new principal."
            +" The panels will have some of the fields already filled in with"
            +" default values, which you can set up by choosing Properties from"
            +" the Edit menu.\n"
            +" \n"
            +"The Duplicate button performs the same function; however,"
            +" instead of the fields filled in with default values, the fields"
            +" are filled in with the same values as the selected principal."},

        {"PrListDelete",
            "Deletes the selected principal from the Kerberos realm. The deleted"
            +" principal can no longer be assigned Kerberos tickets."},

        {"PrListDuplicate",
            "Opens a series of panels that enable you to duplicate the selected"
            +" principal. The panels will have the fields already filled in"
            +" with the same values as the selected principal,"
            +" except for the principal's name and password."
            +"You can use this button to quickly create a new principal using "
            +" another principal as a template.\n"
            +" \n"
            +"The Create New button performs the same function; however,"
            +" instead of"
            +" the fields filled in with the same values as the selected"
            +" principal, the fields are filled in with default values."},

        //
        // Principal Basics Panel
        //

        {"PrincipalBasicsPanel",
            // Not currently available in GUI
            "This panel enables you to specify the basic attributes for a"
            +" principal."},

        {"PrName",
            "The name of the principal (the <primary>/<instance> part of a"
            +" fully-qualified principal name). A principal is a unique identity"
            +" to which the KDC can assign tickets.\n"
            +" \n"
            +"If you are modifying a principal,"
            +" you cannot edit a principal's name.\n"
            +" \n"
            +"For service (or host) principal names, the <primary> part must be"
            +" the name of a service, such as 'host' for telnet and rsh"
            +" services,'ftp', or 'nfs'."
            +"The < instance > part must be the name of the system"
            +" that requires Kerberos authentication for that service."
            +"For example, 'host/denver.mtn.acme.com'.\n"
            +" \n"
            +"For user principal names, the < primary > part must be"
            +" the name of the"
            +" user."
            +"The < instance > part is optional, but it can be a term used to"
            +" describe the intended use for the principals, such as 'admin', or"
            +" it can be the name of a system, which enables you to create"
            +" different"
            +" principals for the same user on a per-system basis."
            +" For example, 'jdb/admin', 'jdb/denver@acme.com', or 'jdb'."},

        {"PrComments",
            "Comments related to the principal (for example,"
            +" 'Temporary Account')."},

        {"PrPolicy",
            "A menu of available policies for the principal."},

        {"PrPassword",
            "The password for the principal."},

        {"PrBasicRandomPw",
            "Creates a random password for the principal and copies it into"
            +" the Password field."},

        {"PrinBasLastPrincipalChange",
            "The date on which information for the principal was"
            +" last modified."},

        {"PrinBasLastChangedBy",
            "The name of the principal who last modified the account for this"
            +" principal."},

        {"EncList",
            "The encryption types that the principal's keys will be created with."
            +" Use a white space to separate encryption types."
            +" Leave blank if the default set of encryption types is desired."
            +" Refer to krb5.conf for the available encryption types supported."
            +" The default set of dialog choices can be over-ridden by defining"
            +" supported_enctypes with the desired list of encryption types in"
            +" the realm's section of krb5.conf."
            +" \n"
            +"Changing encryption types is only applicable when creating a"
            +" principal or when changing a password. So a password must be"
            +" accompanied with any encryption type changes."},

        {"PrExpiry",
            "The date and time on which the principal's account expires. When the"
            +" account expires, the principal can no longer"
            +" get a ticket-granting ticket (TGT) and may not be able to log in.\n"
            +" \n"
            +"To set up the account with no expiration date,"
            +" enter the word 'never' in the field.\n"
            +" \n"
            +"To help create a formatted date and time entry, click the adjacent"
            +" '...' button to bring up a helper."},

        {"PrSave",
            "Saves any changes you've made to the current principal."},

        {"PrCancel",
            "Discards all the changes you've made to the current principal"
            +" and sends you back to the list of principals."},

        {"PrBasicPrevious",
            "Sends you back to the list of principals.\n"
            +" \n"
            +"Note that you must save or cancel any changes you've made to"
            +" the current principal before you can go back to the list."},

        {"PrBasicNext",
            "Sends you to the next Principal Details panel that contains"
            +" the password and ticket lifetime attributes for the principal."},

        //
        // Principal Detail Panel
        //

        {"PrincipalDetailPanel",
            // Not currently available in GUI
            "This panel enables you to specify the password and"
            +" ticket lifetime attributes for the principal principal."},

        {"PrinDetLastSuccess",
            "The date and time when the principal last logged in successfully."},

        {"PrinDetLastFailure",
            "The date and time when the last login failure for the"
            +" principal occurred."},

        {"PrinDetFailureCount",
            "The number of times that there has been a login failure"
            +" for the principal."},

        {"PrinDetLastPasswordChange",
            "The date and time when the principal's password was "
            +" last changed."},

        {"PrPwExpiry",
            "The date and time when the principal's current password"
            +" will expire.\n"
            +" \n"
            +"To set up the password with no expiration date, enter the"
            +" word 'never'in the field.\n"
            +" \n"
            +"To help create a formatted date and time entry, click the adjacent"
            +" '...' button to bring up a helper."},

        {"PrKvno",
            "The key version number for the principal; this is normally"
            +" changed only when a password has been compromised."},

        {"PrMaxLifetime",
            "The maximum length of time for which a ticket can be"
            +" granted for the principal (without renewal).\n"
            +" \n"
            +"To help create a time duration in seconds, click the adjacent"
            +" '...' button to bring up a helper."},

        {"PrMaxRenewal",
            "The maximum length of time for which an existing"
            +" ticket may be renewed for the principal.\n"
            +" \n"
            +"To help create a time duration in seconds, click the adjacent"
            +" '...' button to bring up a helper."},

        {"PrDetailPrevious",
            "Sends you back to the previous Principal Basics panel."},

        {"PrDetailNext",
            "Sends you to the next Principal Flags panel that contains"
            +" security, ticket control, and miscellaneous attributes for"
            +" the principal."},

        //
        // Principal Flags Panel
        //

        {"PrincipalFlagsPanel",
            // Not currently available in GUI
            "This panel enables you to specify the security, ticket control, and"
            +" miscellaneous attributes for the principal."},

        {"PrLockAcct",
            "When checked, prevents the principal from logging in."
            +" This is a easy way to temporarily freeze"
            +" a principal account for any reason."},

        {"PrForcePwChange",
            "When checked, expires the principal's current password, forcing the"
            +" user to use the kpasswd command to create a new password."
            +" This is useful if"
            +" there is a security breach and you need to make sure that old"
            +" passwords are replaced."},

        {"PrAllowPostdated",
            "When checked, allows the principal to obtain postdated tickets.\n"
            +" \n"
            +"For example, you may need to use postdated tickets for cron jobs"
            +" that need to run after hours and can't obtain tickets in"
            +" advance because of short ticket lifetimes."},

        {"PrAllowRenewable",
            "When checked, allows the principal to obtain renewable tickets.\n"
            +" \n"
            +"A principal can automatically extend the expiration date or time of"
            +" a ticket that is renewable (rather than having to get a new"
            +" ticket after the first one expires). Currently, the NFS service"
            +" is the only service that can renew tickets."},

        {"PrAllowSvr",
            "When checked, allows service tickets to be issued for"
            +" the principal.\n"
            +" \n"
            +"You should not allow service tickets to be issued for the"
            +" 'kadmin/admin' and 'changepw/admin' principals."
            +" This will ensure that these"
            +" principals can only update the KDC database." },

        {"PrAllowForwardable",
            "When checked, allows the principal to obtain forwardable"
            +" tickets.\n"
            +" \n"
            +"Forwardable tickets are tickets that are forwarded to the"
            +" remote host to provide a single-sign-on session."
            +"For example, if you are using forwardable tickets and you"
            +" authenticate yourself through ftp or rsh, other services,"
            +" such as NFS, are available without you being prompted"
            +" for another password."},

        {"PrAllowProxiable",
            "When checked, allows the principal to obtain proxiable tickets.\n"
            +" \n"
            +"A proxiable ticket is a ticket that can be used by a service"
            +" on behalf of a client to perform an operation for the client."
            +" With a proxiable ticket, a service can take on the identity"
            +" of a client and obtain a ticket for another service, but it"
            +" cannot obtain a ticket-granting ticket."},

        {"PrEnforcePolicy",
            "When checked, the policy selected for this principal"
            +" will be enforced."},

        {"PrAllowTGT",
            "When checked, allows the service principal to provide services"
            +" to another principal. More specifically, it allows the KDC to"
            +" issue a service ticket for the service principal.\n"
            +" \n"
            +"This attribute is valid only for service principals."
            +"When not checked, service tickets cannot be issued for"
            +" the service principal."},

        {"PrRequirePreAuth",
            "When checked, the KDC will not send a requested ticket-granting"
            +" ticket(TGT) to the principal until it can"
            +" authenticate (through software) that it is really the principal"
            +" requesting the TGT. This preauthentication is usually done"
            +" through an extra password, for example, from a DES card.\n"
            +" \n"
            +"When not checked, the KDC will not need to preauthenticate"
            +" the principal before it sends a requested TGT to it."},

        {"PrAllowDupAuth",
            "When checked, allows the user principal to obtain service tickets for"
            +" other user principals.\n"
            +" \n"
            +"This attribute is valid only for user principals. When not checked,"
            +" the user principal can still obtain service tickets for"
            +" service principals, but not for other user principals."},

        {"PrRequireHwPreAuth",
            "When checked, the KDC will not send a requested ticket-granting"
            +" ticket(TGT) to the principal until"
            +" it can authenticate (through hardware) that it is really the"
            +" principal requesting the TGT. Hardware preauthentication could"
            +" be something like a Java ring reader.\n"
            +" \n"
            +"When not checked, the KDC will not need to preauthenticate"
            +" the principal before it sends a requested TGT to it."},

        {"PrFlagsPrevious",
            "Sends you back to the previous Principal Details panel."},

        //
        // Done Button
        //

        {"PrFlagsNext",
            "Saves any changes you've made to the current principal and"
            +" sends you back to list of principals."},

        //
        // Policies Panel
        //

        {"PoliciesPanel",
            // Not currently available in GUI
            "This panel enables you to select a policy from the list to"
            +" modify, delete, or duplicate. You can also create a new policy.\n"
            +" \n"
            +"A policy is a set of behaviors regarding"
            +" passwords and tickets that can be applied to a principal."
            +" For example, the principals for system administrators might"
            +" all have the same policy."
            +" \n"
            +"To display a specific policy or sublist of policy,"
            +" enter a filter string in the Filter Pattern field and press"
            +" return.\n"
            +" \n"
            +"To perform an operation on a policy, select it from the list and"
            +" click the appropriate button. To add a new policy, click New."},

        {"Pollist",
            "Displays the all the available policies in the specified realm.\n"
            +" \n"
            +"To select a policy, click on its name in the list; double-clicking"
            +" on a policy is equivalent to selecting the policy and clicking"
            +" Modify"},

        {"PolNoList",
            "This list panel is blank when you don't have list privileges"
            +" or you've chosen not to show lists."},

        {"PoListPattern",
            "Enables you to apply a filter on the available policies to display a"
            +" particular policy or sublist of policies. The filter string you"
            +" enter may consist of one or more characters, And, because"
            +" the filter mechanism is case-sensitive, you need to use the"
            +" appropriate upper-case and lower-case letters for the filter.\n"
            +" \n"
            +"For example, entering 'adm' for the filter would match and display,"
            +" policies such as 'admpol', 'adm1', and 'poladmin'.\n"
            +" \n"
            +"To display a particular policy or sublist of"
            +" policies, enter a filter string and press"
            +" return.\n"
            +" \n"
            +"To display the entire list of policies, click Clear"
            +" Filter (or clear the Filter Pattern field and press return)."},

        {"PoNameNoList",
            "When the policy list is not displayed,"
            +" you must enter policy names in this field to perform"
            +" operations on them. Entering a name is equivalent to selecting"
            +" an item from the list in normal operation.\n"
            +" \n"
            +"To clear the policy entry, click Clear Name (or clear the"
            +" Name field and press return)."},

        {"PoListClear",
            "Clears the filter and displays the full list of available policies."},

        {"PoNoListClear",
            "Clears the Name field."},

        {"PoListModify",
            "Opens the Policy Details panel that enables you to modify the"
            +" selected policy attributes, such as the policy's minimum password"
            +" length and the minimum ticket lifetime."},

        {"PoListAdd",
            "Opens the Policy Details panel that enables you to create a new"
            +" policy. The panel will have some of the fields already filled"
            +" in with default values.\n"
            +" \n"
            +"The Duplicate button performs the same function; however,"
            +" instead of the fields filled in with default values, the"
            +" fields are filled in with the same values as the selected policy."},

        {"PoListDelete",
            "Deletes the selected policy from the Kerberos realm."},

        {"PoListDuplicate",
            "Opens the Policy Details panel that enables you to duplicate"
            +" the selected policy. The panels will have the fields already"
            +" filled in with the same values as the selected policy,"
            +" except for the policy's name."
            +"You can use this button to quickly create a new policy using"
            +" another policy as a template.\n"
            +" \n"
            +"The Create New button performs the same function; however,"
            +" the fields are filled in with default values."},

        //
        // Policy.Detail
        //

        {"PoName",
            "The name of the policy. A policy is set of rules governing a"
            +" principal's password and tickets.\n"
            +" \n"
            +"If you are modifying a policy, you cannot edit a policy's name."},

        {"PoMinPwLength",
            "The minimum length for the principal's password."},

        {"PoMinPwClass",
            "The minimum number of different character types required in the"
            +" principal's password."
            +"For example, a minimum classes value of 2 means that the"
            +" password must have at least two different character types,"
            +" such as letters and numbers(hi2mom). A value of 3 means that"
            +" the password must have at least three different character"
            +" types, such as letters, numbers, and punctuation (hi2mom!)."
            +"And so on. \n"
            +" \n"
            +"A value of 1 basically sets no restriction on the number of password"
            +" character types."},

        {"PoSavedPasswords",
            "The number of previous passwords that have been used by the principal"
            +" and cannot be reused."},

        {"PoMinTicketLifetime",
            "The minimum time that the password must be used before it can be"
            +" changed.\n"
            +" \n"
            +"To help create a time duration in seconds, click the adjacent"
            +" '...' button to bring up a helper."},

        {"PoMaxTicketLifetime",
            "The maximum time that the password can be used before it must be"
            +" changed.\n"
            +" \n"
            +"To help create a time duration in seconds, click the adjacent"
            +" '...' 
button to bring up a helper."}, 7030Sstevel@tonic-gate 7040Sstevel@tonic-gate 7050Sstevel@tonic-gate {"PolDetPrincipalsUsingThisPolicy", 7060Sstevel@tonic-gate "The number of principals to which this policy currently applies."}, 7070Sstevel@tonic-gate 7080Sstevel@tonic-gate 7090Sstevel@tonic-gate {"PoSave", 7100Sstevel@tonic-gate "Saves any changes you've made to the current policy."}, 7110Sstevel@tonic-gate 7120Sstevel@tonic-gate 7130Sstevel@tonic-gate {"PoCancel", 7140Sstevel@tonic-gate "Discards all the changes you've made to the current policy and sends" 7150Sstevel@tonic-gate +" you back to the list of policies."}, 7160Sstevel@tonic-gate 7170Sstevel@tonic-gate 7180Sstevel@tonic-gate {"PoDetailPrevious", 7190Sstevel@tonic-gate "Sends you back to the list of policies.\n" 7200Sstevel@tonic-gate +" \n" 7210Sstevel@tonic-gate +"Note that you must save or cancel any changes you've made to the" 7220Sstevel@tonic-gate +" current policy before you can go back to the list."}, 7230Sstevel@tonic-gate 7240Sstevel@tonic-gate 7250Sstevel@tonic-gate {"PoDetailDone", 7260Sstevel@tonic-gate "Saves any changes you've made to the current policy and sends" 7270Sstevel@tonic-gate +" you back to list of policies."}, 7280Sstevel@tonic-gate 7290Sstevel@tonic-gate 7300Sstevel@tonic-gate 7310Sstevel@tonic-gate // 7320Sstevel@tonic-gate // Defaults Panel 7330Sstevel@tonic-gate // 7340Sstevel@tonic-gate 7350Sstevel@tonic-gate 7360Sstevel@tonic-gate {"DefaultsPanel", 7370Sstevel@tonic-gate // Not currently available in GUI 7380Sstevel@tonic-gate "This window enables you to change the default settings for adding new" 7390Sstevel@tonic-gate +" principals."}, 7400Sstevel@tonic-gate 7410Sstevel@tonic-gate 7420Sstevel@tonic-gate {"GlobalLockAcct", 7430Sstevel@tonic-gate "When checked, prevents the new principal from logging in." 7440Sstevel@tonic-gate +"This is a easy way to temporarily freeze" 7450Sstevel@tonic-gate +" new principal accounts for any reason. 
For example, you may want" 7460Sstevel@tonic-gate +" to add a number of new principals in the beginning of the week," 7470Sstevel@tonic-gate +" but you might not want to activate them until the end of the" 7480Sstevel@tonic-gate +" week."}, 7490Sstevel@tonic-gate 7500Sstevel@tonic-gate 7510Sstevel@tonic-gate {"GlobalAllowPostdated", 7520Sstevel@tonic-gate "When checked, allows the new principal to obtain postdated tickets.\n" 7530Sstevel@tonic-gate +" \n" 7540Sstevel@tonic-gate +"For example, you may need to use postdated tickets for cron jobs" 7550Sstevel@tonic-gate +" that need to run after hours and can't obtain tickets in advance" 7560Sstevel@tonic-gate +" because of short ticket lifetimes."}, 7570Sstevel@tonic-gate 7580Sstevel@tonic-gate 7590Sstevel@tonic-gate {"GlobalAllowRenewable", 7600Sstevel@tonic-gate "When checked, allows the new principal to obtain renewable tickets.\n" 7610Sstevel@tonic-gate +" \n" 7620Sstevel@tonic-gate +"A principal can automatically extend the expiration date or time of" 7630Sstevel@tonic-gate +" a ticket that is renewable (rather than having to get a new ticket" 7640Sstevel@tonic-gate +" after the first one expires). Currently, the NFS service is the" 7650Sstevel@tonic-gate +" only service that can obtain renewable tickets."}, 7660Sstevel@tonic-gate 7670Sstevel@tonic-gate 7680Sstevel@tonic-gate {"GlobalEnforcePolicy", 7690Sstevel@tonic-gate "When checked, the policy selected for the new principal" 7700Sstevel@tonic-gate +" will be enforced."}, 7710Sstevel@tonic-gate 7720Sstevel@tonic-gate {"GlobalAllowTGT", 7730Sstevel@tonic-gate "When checked, allows the new service principal to provide services to" 7740Sstevel@tonic-gate +" another principal. More specifically, it allows the KDC to issue a" 7750Sstevel@tonic-gate +" service ticket for the new service principal.\n" 7760Sstevel@tonic-gate +" \n" 7770Sstevel@tonic-gate +"This attribute is valid only for service principals." 
7780Sstevel@tonic-gate +"When not checked," 7790Sstevel@tonic-gate +" service tickets cannot be issued for the new service principal."}, 7800Sstevel@tonic-gate 7810Sstevel@tonic-gate 7820Sstevel@tonic-gate {"GlobalForcePwChange", 7830Sstevel@tonic-gate "When checked, expires the principal's current password, forcing the" 7840Sstevel@tonic-gate +" user to use the kpasswd command to create a new password. This is" 7850Sstevel@tonic-gate +" is useful if you want to force users with new principals to set" 7860Sstevel@tonic-gate +" up their own passwords."}, 7870Sstevel@tonic-gate 7880Sstevel@tonic-gate 7890Sstevel@tonic-gate {"GlobalAllowForwardable", 7900Sstevel@tonic-gate "When checked, allows the new principal to obtain forwardable" 7910Sstevel@tonic-gate +" tickets.\n" 7920Sstevel@tonic-gate +" \n" 7930Sstevel@tonic-gate +"Forwardable tickets are tickets that are forwarded to the remote" 7940Sstevel@tonic-gate +" host to provide a single-sign-on session. For example, if you" 7950Sstevel@tonic-gate +" are using forwardable tickets and you authenticate yourself" 7960Sstevel@tonic-gate +" through ftp or rsh, other services, such as NFS, are available" 7970Sstevel@tonic-gate +" without you being prompted for another password."}, 7980Sstevel@tonic-gate 7990Sstevel@tonic-gate 8000Sstevel@tonic-gate {"GlobalAllowSvr", 8010Sstevel@tonic-gate "When checked, allows service tickets to be issued for" 8020Sstevel@tonic-gate +" the new principal.\n" 8030Sstevel@tonic-gate +" \n" 8040Sstevel@tonic-gate +"You should not allow service tickets to be issued for the" 8050Sstevel@tonic-gate +" 'kadmin/admin' and the 'changepw/admin' principals." 8060Sstevel@tonic-gate +" This will ensure that these" 8070Sstevel@tonic-gate +" principals can only update the KDC database." 
}, 8080Sstevel@tonic-gate 8090Sstevel@tonic-gate 8100Sstevel@tonic-gate {"GlobalAllowProxiable", 8110Sstevel@tonic-gate "When checked, allows the new principal to obtain proxiable tickets.\n" 8120Sstevel@tonic-gate +" \n" 8130Sstevel@tonic-gate +"A proxiable ticket is a ticket that can be used by a service on" 8140Sstevel@tonic-gate +" behalf of a client to perform an operation for the client." 8150Sstevel@tonic-gate +"With a proxiable ticket, a service can take on the identity of" 8160Sstevel@tonic-gate +" a client and obtain a ticket for another service, but it cannot" 8170Sstevel@tonic-gate +" obtain a ticket-granting ticket."}, 8180Sstevel@tonic-gate 8190Sstevel@tonic-gate 8200Sstevel@tonic-gate 8210Sstevel@tonic-gate {"GlobalAllowDupAuth", 8220Sstevel@tonic-gate "When checked, allows the new user principal to obtain service" 8230Sstevel@tonic-gate +" tickets for other user principals.\n" 8240Sstevel@tonic-gate +" \n" 8250Sstevel@tonic-gate +"This attribute is valid only for user principals. When not checked," 8260Sstevel@tonic-gate +" the new user principal can still obtain service tickets for" 8270Sstevel@tonic-gate +" service principals, but not for other user principals."}, 8280Sstevel@tonic-gate 8290Sstevel@tonic-gate 8300Sstevel@tonic-gate {"GlobalRequirePreAuth", 8310Sstevel@tonic-gate "When checked, the KDC will not send a requested ticket-granting" 8320Sstevel@tonic-gate +" ticket(TGT)" 8330Sstevel@tonic-gate +" for the new principal until" 8340Sstevel@tonic-gate +" it can authenticate (through software) that it is really the" 8350Sstevel@tonic-gate +" principal requesting the TGT. 
This preauthentication is usually" 8360Sstevel@tonic-gate +" done through an extra password, for example, from a DES card.\n" 8370Sstevel@tonic-gate +" \n" 8380Sstevel@tonic-gate +"When not checked, the KDC will not need preauthenticate the new" 8390Sstevel@tonic-gate +" principal before it sends a requested TGT for it."}, 8400Sstevel@tonic-gate 8410Sstevel@tonic-gate 8420Sstevel@tonic-gate {"GlobalRequireHwPreAuth", 8430Sstevel@tonic-gate "When checked, the KDC will not send a requested ticket-granting" 8440Sstevel@tonic-gate +" ticket(TGT) for the new principal until it can authenticate" 8450Sstevel@tonic-gate +" (through hardware) that it is really the principal" 8460Sstevel@tonic-gate +" requesting the TGT. Hardware preauthentication could be something" 8470Sstevel@tonic-gate +" like a Java ring reader.\n" 8480Sstevel@tonic-gate +" \n" 8490Sstevel@tonic-gate +"When not checked, the KDC will not need to preauthenticate the new" 8500Sstevel@tonic-gate +" principal with hardware before it sends a requested TGT for it."}, 8510Sstevel@tonic-gate 8520Sstevel@tonic-gate {"GlDefServerSide", 8530Sstevel@tonic-gate "When checked, the ticket lifetime values in the new principal are set" 8540Sstevel@tonic-gate +" such that " 8550Sstevel@tonic-gate +"the maximum value is used. When issuing a ticket the KDC uses the" 8560Sstevel@tonic-gate +" minimum of the value defined in the principal entry, in " 8570Sstevel@tonic-gate +" /etc/krb5/kdc.conf, or whatever the client requests with kinit."}, 8580Sstevel@tonic-gate 8590Sstevel@tonic-gate {"GlDefLife", 8600Sstevel@tonic-gate "The maximum length of time for which a ticket can be" 8610Sstevel@tonic-gate +" granted for the new principal (without renewal).\n" 8620Sstevel@tonic-gate +" \n" 8630Sstevel@tonic-gate +"To help create a time duration in seconds, click the adjacent" 8640Sstevel@tonic-gate +" '...' 
button to bring up a helper."}, 8650Sstevel@tonic-gate 8660Sstevel@tonic-gate {"GlDefRenewableLife", 8670Sstevel@tonic-gate "The maximum length of time for which an existing" 8680Sstevel@tonic-gate +" ticket may be renewed for the new principal.\n" 8690Sstevel@tonic-gate +" \n" 8700Sstevel@tonic-gate +"To help create a time duration in seconds, click the adjacent" 8710Sstevel@tonic-gate +" '...' button to bring up a helper."}, 8720Sstevel@tonic-gate 8730Sstevel@tonic-gate 8740Sstevel@tonic-gate {"GlDefExpiry", 8750Sstevel@tonic-gate "The date and time on which the new principal's account expires." 8760Sstevel@tonic-gate +"When the account expires, the principal can no longer" 8770Sstevel@tonic-gate +" get a ticket-granting ticket (TGT) and may not be able to log in.\n" 8780Sstevel@tonic-gate +" \n" 8790Sstevel@tonic-gate +"To set up the new account with no expiration date, enter the word" 8800Sstevel@tonic-gate +" 'never' in the field.\n" 8810Sstevel@tonic-gate +" \n" 8820Sstevel@tonic-gate +"To help create a formatted date and time entry, click the adjacent" 8830Sstevel@tonic-gate +" '...' button to bring up a helper."}, 8840Sstevel@tonic-gate 8850Sstevel@tonic-gate 8860Sstevel@tonic-gate 8870Sstevel@tonic-gate {"GlDefShowLists", 8880Sstevel@tonic-gate "When checked, the principal and policy lists will be loaded and" 8890Sstevel@tonic-gate +" displayed in the list panels. Large lists may produce significant" 8900Sstevel@tonic-gate +" loading times, so it may be more convenient to work without lists" 8910Sstevel@tonic-gate +" when they are very large, or you should cache them." 8920Sstevel@tonic-gate +"The default is on."}, 8930Sstevel@tonic-gate 8940Sstevel@tonic-gate 8950Sstevel@tonic-gate {"GlDefStaticLists", 8960Sstevel@tonic-gate "When checked, the principal and policy lists will be cached" 8970Sstevel@tonic-gate +" when they are initially loaded, and the lists will not be refreshed" 8980Sstevel@tonic-gate +" from the server unless you use the Refresh menu. 
Because large" 8990Sstevel@tonic-gate +" lists may produce significant loading times, you should cache" 9000Sstevel@tonic-gate +" large lists and refresh them when necessary. The default" 9010Sstevel@tonic-gate +" is off."}, 9020Sstevel@tonic-gate 9030Sstevel@tonic-gate 9040Sstevel@tonic-gate {"GlDefCacheTime", 9050Sstevel@tonic-gate "The period of time that the principal and policy lists will be" 9060Sstevel@tonic-gate +" cached before being considered stale and refreshed from the" 9070Sstevel@tonic-gate +" server. The default is 300 seconds (6 minutes)."}, 9080Sstevel@tonic-gate 9090Sstevel@tonic-gate 9100Sstevel@tonic-gate {"GlobalSave", 9110Sstevel@tonic-gate "Makes a permanent change to the default values by writing them" 9120Sstevel@tonic-gate +" to ~/.gkadmin, updates the tool, and closes the window."}, 9130Sstevel@tonic-gate 9140Sstevel@tonic-gate 9150Sstevel@tonic-gate {"GlobalApply", 9160Sstevel@tonic-gate "Makes a temporary change to the default values in the tool and" 9170Sstevel@tonic-gate +" closes the window. 
This does not update ~/.gkadmin."}, 9180Sstevel@tonic-gate 9190Sstevel@tonic-gate 9200Sstevel@tonic-gate {"GlobalCancel", 9210Sstevel@tonic-gate "Discards all the changes you've made to the current defaults and" 9220Sstevel@tonic-gate +" closes the window."}, 9230Sstevel@tonic-gate 9240Sstevel@tonic-gate // 9250Sstevel@tonic-gate // Generic Helper Button Descriptions 9260Sstevel@tonic-gate // 9270Sstevel@tonic-gate 9280Sstevel@tonic-gate {"DateHelperButton", 9290Sstevel@tonic-gate "Opens the Date and Time Helper window to help you create" 9300Sstevel@tonic-gate +" a formatted date and time entry for the associated field."}, 9310Sstevel@tonic-gate 9320Sstevel@tonic-gate {"DurationHelperButton", 9330Sstevel@tonic-gate "Opens the Time Duration Helper window to help you create a time" 9340Sstevel@tonic-gate +" duration in seconds for the associated field."}, 935*96Ssemery 936*96Ssemery {"EncListHelperButton", 937*96Ssemery "Opens the Encryption Types Helper window to help you create" 938*96Ssemery +" the principal's keys from the default set."}, 939*96Ssemery 940*96Ssemery // 941*96Ssemery // EncryptionTypeDialogHelp 942*96Ssemery // 943*96Ssemery 944*96Ssemery {"EncryptionTypeDialogHelp", 945*96Ssemery "You can select/deselect encryption types for this principal as" 946*96Ssemery +" needed. Certain encryption types are similar therefore when" 947*96Ssemery +" one of these encryption types is selected the other type(s)" 948*96Ssemery +" will be deselected. 
If no encryption types are selected the" 949*96Ssemery +" default set of types will be used, see krb5.conf(4) for these.\n" 950*96Ssemery +" \n" 951*96Ssemery +"Click OK to copy the encryption list that you've selected to the" 952*96Ssemery +" corresponding field.\n" 953*96Ssemery +" \n" 954*96Ssemery +"Click Clear to unselect all encryption types listed."}, 9550Sstevel@tonic-gate 9560Sstevel@tonic-gate // 9570Sstevel@tonic-gate // DateTimeDialog 9580Sstevel@tonic-gate // 9590Sstevel@tonic-gate 9600Sstevel@tonic-gate {"DateTimeDialogHelp", 9610Sstevel@tonic-gate "To change the month, choose from the Month menu.\n " 9620Sstevel@tonic-gate +" \n" 9630Sstevel@tonic-gate +"To change the other date and time fields, click in the field and" 9640Sstevel@tonic-gate +" enter a value, or use the +/- buttons to increment/decrement their" 9650Sstevel@tonic-gate +" value. (Hint: Keeping the buttons pressed makes the value change" 9660Sstevel@tonic-gate +" at a faster rate.)\n" 9670Sstevel@tonic-gate +" \n" 9680Sstevel@tonic-gate +"Click Midnight to change the time to midnight, and click Now to" 9690Sstevel@tonic-gate +" change the time to the current time based on the system's clock.\n" 9700Sstevel@tonic-gate +" \n" 9710Sstevel@tonic-gate +"Click OK to copy the date and time settings you've changed to" 9720Sstevel@tonic-gate +" the corresponding field."}, 9730Sstevel@tonic-gate 9740Sstevel@tonic-gate 9750Sstevel@tonic-gate // 9760Sstevel@tonic-gate // DurationHelper 9770Sstevel@tonic-gate // 9780Sstevel@tonic-gate 9790Sstevel@tonic-gate {"DurationHelperHelp", 9800Sstevel@tonic-gate "To help create a time duration in seconds, choose a unit of time" 9810Sstevel@tonic-gate +" from the Unit menu, enter a number of units under the" 9820Sstevel@tonic-gate +" Value field, and press return (or click '='). 
The number of" 9830Sstevel@tonic-gate +" seconds based on your input will be displayed.\n" 9840Sstevel@tonic-gate +" \n" 9850Sstevel@tonic-gate +"Click OK to copy the number of seconds you've specified into the" 9860Sstevel@tonic-gate +" corresponding field."}, 9870Sstevel@tonic-gate 9880Sstevel@tonic-gate // 9890Sstevel@tonic-gate // PrintUtil 9900Sstevel@tonic-gate // 9910Sstevel@tonic-gate 9920Sstevel@tonic-gate {"PrintUtilHelp", 9930Sstevel@tonic-gate "You can either print to a printer or a file.\n" 9940Sstevel@tonic-gate +" \n" 9950Sstevel@tonic-gate +"To print directly to a printer, click the Print Command" 9960Sstevel@tonic-gate +" radio button, enter a print command (if you don't want the default" 9970Sstevel@tonic-gate +" print command), and click Print.\n" 9980Sstevel@tonic-gate +" \n" 9990Sstevel@tonic-gate +"To print to a file, click the File Name radio button, enter a file" 10000Sstevel@tonic-gate +" name, and click Print. The file name can be an absolute path." 10010Sstevel@tonic-gate +" If no path is given, the file will be saved in the directory" 10020Sstevel@tonic-gate +" where gkadmin was started. Click '...' next to the File Name field" 10030Sstevel@tonic-gate +" to open the File Helper window to help you specify a" 10040Sstevel@tonic-gate +" a location and name for the file."}, 10050Sstevel@tonic-gate 10060Sstevel@tonic-gate // 10070Sstevel@tonic-gate // Menubar context sensitive help 10080Sstevel@tonic-gate // 10090Sstevel@tonic-gate 10100Sstevel@tonic-gate {"ContextSensitiveHelp", 10110Sstevel@tonic-gate "Opens the Context-Sensitive Help window and switches the tool into" 10120Sstevel@tonic-gate +" help mode. In help mode, you can get help on any part of the" 10130Sstevel@tonic-gate +" current window just by clicking on it. 
To dismiss the Help window" 10140Sstevel@tonic-gate +" and switch back to the normal mode, click Dismiss on the Help" 10150Sstevel@tonic-gate +" window."}, 10160Sstevel@tonic-gate 10170Sstevel@tonic-gate {"PrintCurrentPrincipal", 10180Sstevel@tonic-gate "Prints the attributes of the currently selected principal in the" 10190Sstevel@tonic-gate +" list or the currently loaded principal."}, 10200Sstevel@tonic-gate 10210Sstevel@tonic-gate {"PrintCurrentPolicy", 10220Sstevel@tonic-gate "Prints the attributes of the currently selected policy in the" 10230Sstevel@tonic-gate +" list or the currently loaded policy."}, 10240Sstevel@tonic-gate 10250Sstevel@tonic-gate {"PrintPrincipalList", 10260Sstevel@tonic-gate "Prints the list of all the available principals on the master KDC."}, 10270Sstevel@tonic-gate 10280Sstevel@tonic-gate {"PrintPolicyList", 10290Sstevel@tonic-gate "Prints the list of all the available policies on the master KDC."}, 10300Sstevel@tonic-gate 10310Sstevel@tonic-gate {"Logout", 10320Sstevel@tonic-gate "Quits the current session and sends you back to the Login window, so" 10330Sstevel@tonic-gate +" you can change the login fields and log in again."}, 10340Sstevel@tonic-gate 10350Sstevel@tonic-gate {"EditPreferences", 10360Sstevel@tonic-gate "Opens the Properties window, which enables you to" 10370Sstevel@tonic-gate +" specify the default settings for creating new principals" 10380Sstevel@tonic-gate +" and how the tool should manage the principal" 10390Sstevel@tonic-gate +" and policy lists."}, 10400Sstevel@tonic-gate 10410Sstevel@tonic-gate {"RefreshPrincipals", 10420Sstevel@tonic-gate "Forces the principal list to be updated from the server."}, 10430Sstevel@tonic-gate 10440Sstevel@tonic-gate {"RefreshPolicies", 10450Sstevel@tonic-gate "Forces the policy list to be updated from the server."}, 10460Sstevel@tonic-gate 10470Sstevel@tonic-gate {"Exit", 10480Sstevel@tonic-gate "Quits the SEAM Administration Tool."}, 10490Sstevel@tonic-gate 
10500Sstevel@tonic-gate {"HelpBrowser", 10510Sstevel@tonic-gate "Opens an HTML browser that provides pointers to overview and task" 10520Sstevel@tonic-gate +" information" 10530Sstevel@tonic-gate +" for the SEAM Administration Tool. This provides the same" 10540Sstevel@tonic-gate +" information as the 'Sun Enterprise Authentication Management" 10550Sstevel@tonic-gate +" Guide'."}, 10560Sstevel@tonic-gate 10570Sstevel@tonic-gate {"About", 10580Sstevel@tonic-gate "Displays the current version of the SEAM Administration Tool."}, 10590Sstevel@tonic-gate 10600Sstevel@tonic-gate {"DateTime...", 10610Sstevel@tonic-gate "Opens the SEAM Date and Time Helper window, which enables you to" 10620Sstevel@tonic-gate +" set the date and time. After you set the date and time and click" 10630Sstevel@tonic-gate +" OK, the settings are automatically formatted and copied into the" 10640Sstevel@tonic-gate +" corresponding field."}, 10650Sstevel@tonic-gate 10660Sstevel@tonic-gate {"Duration...", 10670Sstevel@tonic-gate "Opens the SEAM Duration Helper window, which enables you to specify a" 10680Sstevel@tonic-gate +" time duration and have it converted into seconds." 10690Sstevel@tonic-gate +" After you specify the time" 10700Sstevel@tonic-gate +" and click OK, the time duration is copied into the corresponding" 10710Sstevel@tonic-gate +" field."}, 1072*96Ssemery 1073*96Ssemery {"EncList...", 1074*96Ssemery "Opens the SEAM Encryption Type List Helper window, which enables you" 1075*96Ssemery +" to specify custom encryption types for the principal. 
" 1076*96Ssemery +" After you select the encryption types and click OK, the encryption" 1077*96Ssemery +" type list is copied into the corresponding field."}, 1078*96Ssemery 10790Sstevel@tonic-gate {"Print...", 10800Sstevel@tonic-gate "Opens the SEAM Print Dialog window, which enables you to specify a" 10810Sstevel@tonic-gate +" printer" 10820Sstevel@tonic-gate +" to print the information or a file name in which to save the" 10830Sstevel@tonic-gate +" information."}, 10840Sstevel@tonic-gate 10850Sstevel@tonic-gate {"Bad Duration", 10860Sstevel@tonic-gate "Please enter the duration (in seconds) correctly."}, 10870Sstevel@tonic-gate 10880Sstevel@tonic-gate {"Bad Date", 10890Sstevel@tonic-gate "Please enter the date correctly."}, 10900Sstevel@tonic-gate 10910Sstevel@tonic-gate {"Bad Number", 10920Sstevel@tonic-gate "Please enter the number correctly."} 10930Sstevel@tonic-gate 10940Sstevel@tonic-gate }; // end contents object 10950Sstevel@tonic-gate 10960Sstevel@tonic-gate } 1097