Admin Principal, osa_princ_ent_t

The admin principal database stores records of the type osa_princ_ent_t (declared in $<$kadm5/adb.h$>$), which is the subset of the kadm5_principal_ent_t structure that is not stored in the Kerberos database plus the necessary bookkeeping information. The records are keyed by the ASCII representation of the principal's name, including the trailing NULL.

typedef struct _osa_pw_hist_t {
     int n_key_data;
     krb5_key_data *key_data;
} osa_pw_hist_ent, *osa_pw_hist_t;

typedef struct _osa_princ_ent_t {
        char * policy;
        u_int32 aux_attributes;

        unsigned int old_key_len;
        unsigned int old_key_next;
        krb5_kvno admin_history_kvno;
        osa_pw_hist_ent *old_keys;


        u_int32 num_old_keys;
        u_int32 next_old_key;
        krb5_kvno admin_history_kvno;
        osa_pw_hist_ent *old_keys;
} osa_princ_ent_rec, *osa_princ_ent_t;

The fields that are different from kadm5_principal_ent_t are:

num_old_keys

The number of previous keys in the old_keys array. This value must be 0 $\le$ num_old_keys $<$ pw_history_num.

old_key_next

The index into old_keys where the next key should be inserted. This value must be 0 $\le$ old_key_next $\le$ num_old_keys.

admin_history_kvno

The key version number of the kadmin/history principal's key used to encrypt the values in old_keys. If the server library finds that kadmin/history's kvno is different from the value in this field, it returns KADM5_BAD_HIST_KEY.

old_keys

The array of the principal's previous passwords, each encrypted in the kadmin/history key. There are num_old_keys elements. Each ``password'' in the array is itself an array of n_key_data krb5_key_data structures, one for each keysalt type the password was encoded in.