2003-11-25 nalin
	* README: updates

2003-11-20 nalin
	* src/userinfo.c, src/userinfo.h: when setting things up for a user,
	obey "mappings" settings.  Because we can't be certain that the
	generated principal will pass through aname_to_lname correctly, don't
	do that any more.

2003-11-20 nalin
	* src/initopts.c(_pam_krb5_set_init_opts): set the ticket lifetime,
	if configured, as an initopt.  This change lets us fix #109331.

2003-11-20 nalin
	* src/options.c, src/options.h: add code for parsing a "mappings"
	setting.  Reintroduce ticket_lifetime, which I mistakenly thought was
	a libdefault setting now.

2003-11-20 nalin
	* src/map.c, src/map.h: add mapping functions which mimic OpenLDAP's
	saslRegexp functionality for mapping local user names to principal
	names.

2003-11-20 nalin
	* src/init.c: instead of forcing the realm when parsing principals,
	make realm= set the default realm.

2003-11-19 nalin
	* src/v5.c(v5_get_creds): use the realm from the unparsed version of
	the principal name when constructing service principals.

2003-09-22 nalin
	* src/session.c: actually return where we were supposed to return.

2003-09-19 nalin
	* src/session.c: if v5attempted is 0 or v5result is not 0, don't
	mess with tokens or credentials.  This allows apps which change their
	UIDs to keep tokens unless they obtained some of their own.
	* src/auth.c: before attempting authentication, reset v5attempted so
	that we don't count a previous authentication failure as a failure
	forever.
	* src/acct.c: if v5attempted is not set in the user's stash, attempt
	to get initial credentials for the user.  If the password check fails,
	assume the user name is valid.

2003-09-05 nalin
	* src/stash.h: add a v5attempted field to track whether or not we've
	attempted to get v5 creds for this user. add an afspag field to track
	whether or not we've created an afs PAG.
	* src/stash.c: initialize v5attempted and other fields, even if it's
	redundant after using memset to clear the whole structure.
	* src/auth.c: set v5attempted in the user's stash immediately after
	all calls to v5_get_creds.
	* src/acct.c: if v5attempted is not set in the user's stash, just
	return PAM_IGNORE.
	* src/tokens.c: only delete tokens on session close if we created a
	pag, lest we lose tokens when reverting back in su.  Only warn about
	errors getting tokens if v5attempted was set (else these become debug
	messages).
	* src/pam_krb5.8.in: note the behavior of the module in acct stacks.

2003-09-05 nalin
	* configure.ac: check for krb_time_to_life.
	* src/v4.c: use krb_time_to_life to convert lifetimes from seconds to
	bytes, not krb_life_to_time, which does the opposite.

2003-08-14 nalin
	* configure.ac: check for __posix_getpwnam_r.
	* src/userinfo.c(get_pw): use __posix_getpwnam_r if it is available and
	getpwnam_r isn't available

2003-08-14 nalin
	* src/session.c(pam_close_session), src/sly.c: return PAM_USER_UNKNOWN
	instead of PAM_SERVICE_ERR if we fail to get information about the user.

2003-08-14 nalin
	* src/auth.c(pam_sm_authenticate): log the PAM error code we're
	returning if we're returning a failure after all attempts have been
	made.  Save the password entered by the user in the normal we-prompted
	case.
	* pam_krb5.spec: bump version to 2.0.1

2003-08-14 nalin
	* src/auth.c, src/acct.c, src/session.c(pam_open_session),
	src/password.c: return PAM_USER_UNKNOWN instead of PAM_SERVICE_ERR if
	we fail to get information about the user.
	
2003-08-14 nalin
	* tests/run-tests: leave some time between expiring of passwords and
	attempts to check if they've truly been expired, in case the server
	implementation considers expiration time to be the end of the second
	instead of the start

2003-08-13 nalin
	* src/xstr.c, src/xstr.h: add xstrfree().
	* src/auth.c, src/options.c, src/password.c, src/prompter.c,
	src/stash.c, src/userinfo.c, src/v4.c, src/v5.c: use xstrfree() to
	free strings.

Thu Aug  7 2003 nalin
- Major overhaul and refactoring of everything.

Thu Jan 30 2003 Nalin Dahyabhai <nalin@redhat.com>
- Fix uninitialized pointer crash when we fail to retrieve cached return values.

Wed Jan 29 2003 Nalin Dahyabhai <nalin@redhat.com>
- Fix accidental double-free because libpam doesn't appear to make copies of
  the names for data items.

Fri Aug 23 2002 Nalin Dahyabhai <nalin@redhat.com>
- Update docs on the location of the anoncvs tree.
- Add warnings to the list of options we invoke $(CC) with.
- Use per-user stash and stored return value names.

Wed Aug  7 2002 Nalin Dahyabhai <nalin@redhat.com>
- Treat PAM_REFRESH_CRED like PAM_REINITIALIZE_CRED.  From Jason Heiss.

Fri May 24 2002 Nalin Dahyabhai <nalin@redhat.com>
- Fix a parser bug, pointed out by Balazs GAL.

Wed May 22 2002 Nalin Dahyabhai <nalin@redhat.com>
- Guess that the current cell name is the same as the realm name, lower-cased.

Fri Feb 15 2002 Nalin Dahyabhai <nalin@redhat.com>
- Update docs to give info about the account management function.

Mon Feb 11 2002 Nalin Dahyabhai <nalin@redhat.com>
- Add account management, which checks for key expiration and .k5login files.

Tue Sep 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- Fix parsing of options which have multiple whitespace-separated values,
  like afs_cells.

Wed Sep  5 2001 Nalin Dahyabhai <nalin@redhat.com>
- Link with libresolv to get res_search, tip from Justin McNutt, who
  built it statically.
- Explicitly link with libdes425.
- Handle cases where getpwnam_r fails but still sets the result pointer.
- If use_authtok is given and there is no authtok, error out.

Mon Aug 27 2001 Nalin Dahyabhai <nalin@redhat.com>
- Set the default realm when a default realm is specified.

Thu Aug 23 2001 Nalin Dahyabhai <nalin@redhat.com>
- Only use Kerberos error codes when there is no PAM error yet.

Wed Aug 22 2001 Nalin Dahyabhai <nalin@redhat.com>
- Add minimum UID support. (#52358)
- Don't link pam_krb5 with libkrbafs; that dependency should only exist for
  pam_krb5afs.

Wed Aug 22 2001 Nalin Dahyabhai <nalin@redhat.com>
- Add minimum UID support (suggested by Matthew Miller).
- Don't link pam_krb5 with libkrbafs.
- Make all options in krb5.conf available as PAM config options.  This should
  make things more interesting.

Tue Jul 31 2001 Nalin Dahyabhai <nalin@redhat.com>
- Merge patch from Chris Chiappa for building with Heimdal.

Mon Jul 24 2001 Nalin Dahyabhai <nalin@redhat.com>
- Note that we had to prepend the current directory to a given path in
  dlopen.c when we had to (noted by Onime Clement).

Tue Jul 17 2001 Nalin Dahyabhai <nalin@redhat.com>
- Return PAM_NEW_AUTHTOK_REQD when attempts to get initial credentials
  fail with KRB5KDC_ERR_KEY_EXP (noted by Onime Clement).

Thu Jul 12 2001 Nalin Dahyabhai <nalin@redhat.com>
- Add info about accessing the CVS repository to the README.
- Parser cleanups (thanks to Dane Skow for a more complicated sample).

Fri Jul  6 2001 Nalin Dahyabhai <nalin@redhat.com>
- Don't set forwardable and assorted other flags when getting password-
  changing service ticket (noted, and fix supplied, by Onime Clement).
- Try __posix_getpwnam_r on Solaris before we try getpwnam_r, which may
  or may not be expecting the same number/type of arguments (noted by
  Onime Clement).
- Use krb5_aname_to_localname to convert the principal to a login name
  and set PAM_USER to the result when authenticating.
- Some autoconf fixes for failure cases.

Wed Jun 26 2001 Nalin Dahyabhai <nalin@redhat.com>
- Use krb5_change_password() to change passwords.

Tue Jun 12 2001 Nalin Dahyabhai <nalin@redhat.com>
- Use getpwnam_r instead of getpwnam when available.

Fri Jun  8 2001 Nalin Dahyabhai <nalin@redhat.com>
- Cleanup some autoconf checks.

Thu Jun  7 2001 Nalin Dahyabhai <nalin@redhat.com>
- Don't call initialize_krb5_error_table() or initialize_ovk_error_table()
  if they're not found at compile-time (reported for RHL 6.x by Chris Riley).

Thu May 31 2001 Nalin Dahyabhai <nalin@redhat.com>
- Note that [pam] is still checked in addition to [appdefaults].
- Note that AFS and Kerberos IV support requires working Kerberos IV
  configuration files (i.e., kinit -4 needs to work) (doc changes
  suggested by Martin Schulz).

Tue May 29 2001 Nalin Dahyabhai <nalin@redhat.com>
- Add max_timeout, timeout_shift, initial_timeout, and addressless options
  (patches from Simon Wilkinson).
- Fix the README to document the [appdefaults] section instead of [pam].
- Change example host and cell names in the README to use example domains.

Wed May  2 2001 Nalin Dahyabhai <nalin@redhat.com>
- Don't delete tokens unless we're also removing ticket files (report and
  patch from Sean Dilda).
- Report initialization errors better.

Thu Apr 26 2001 Nalin Dahyabhai <nalin@redhat.com>
- Treat semicolons as a comment character, like hash marks (bug reported by
  Greg Francis at Gonzaga University).
- Use the [:blank:] equivalence class to simplify the configuration file parser.
- Don't mess with the real environment.
- Implement mostly-complete aging support.

Sat Apr  7 2001 Nalin Dahyabhai <nalin@redhat.com>
- Tweak the man page (can't use italics and bold simultaneously).

Fri Apr  6 2001 Nalin Dahyabhai <nalin@redhat.com>
- Restore the default TGS value (#35015).

Wed Mar 28 2001 Nalin Dahyabhai <nalin@redhat.com>
- Fix a debug message.
- Fix uninitialized pointer error.

Mon Mar 26 2001 Nalin Dahyabhai <nalin@redhat.com>
- Don't fail to fixup the krb5 ccache if something goes wrong obtaining
  v4 credentials or creating a krb4 ticket file (#33262).

Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com>
- Fixup the man page.
- Log return code from k_setpag() when debugging.
- Create credentials and get tokens when setcred is called for REINITIALIZE.

Wed Mar 21 2001 Nalin Dahyabhai <nalin@redhat.com>
- Don't twiddle ownerships until after we get AFS tokens.
- Use the current time instead of the issue time when storing v4 creds, since
  we don't know the issuing host's byte order.
- Depend on a PAM development header again instead of pam-devel.

Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
- Add a separate config file parser for compatibility with settings that
  predate the appdefault API.
- Use a version script under Linux to avoid polluting the global namespace.
- Don't have a default for afs_cells.
- Need to close the file when we succeed in fixing permissions (noted by
  jlkatz@eos.ncsu.edu).

Mon Mar 19 2001 Nalin Dahyabhai <nalin@redhat.com>
- Use the appdefault API to read krb5.conf if available.
- Create v4 tickets in such a way as to allow 1.2.2 to not think there's
  something fishy going on.

Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
- Don't log unknown user names to syslog -- they might be sensitive information.

Fri Feb  9 2001 Nalin Dahyabhai <nalin@redhat.com>
- Handle cases where krb5_init_context() fails.

Wed Jan 17 2001 Nalin Dahyabhai <nalin@redhat.com>
- Be more careful around memory allocation (fixes from David J. MacKenzie).

Mon Jan 15 2001 Nalin Dahyabhai <nalin@redhat.com>
- No fair trying to make me authenticate '(null)'!

Wed Nov  7 2000 Nalin Dahyabhai <nalin@redhat.com>
- Only try to delete ccache files once.
- Ignore extra data in v4 TGTs, but do log it.
- Require "validate" to be true to try validating, and fail if validation fails.

Thu Aug 10 2000 Nalin Dahyabhai <nalin@redhat.com>
- Fix handing of null passwords.

Wed Jul  5 2000 Nalin Dahyabhai <nalin@redhat.com>
- Integrate some fixes for Solaris 7 from Trevor Schroeder (flock.c is
  entirely his).

Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
- Integrate Seth Vidal's "no_user_check" argument, so that non-privileged
  users (i.e., secure web servers) can also do checks.

Wed May 17 2000 Nalin Dahyabhai <nalin@redhat.com>
- Make errors chown()ing ccache files non-fatal if (getuid() != 0), suggested
  by Steve Langasek.

Mon May 15 2000 Nalin Dahyabhai <nalin@redhat.com>
- Attempt to get initial Kerberos IV credentials when we get Kerberos 5 creds

Thu Apr 20 2000 Nalin Dahyabhai <nalin@redhat.com>
- Chris Chiappa's modifications for customizing the ccache directory

Wed Apr 19 2000 Nalin Dahyabhai <nalin@redhat.com>
- Mark Dawson's fix for krb4_convert not being forced on when afs_cells defined

Thu March 23 2000 Nalin Dahyabhai <nalin@redhat.com>
- fix problem with leftover ticket files after multiple setcred() calls

Mon March 20 2000 Nalin Dahyabhai <nalin@redhat.com>
- add proper copyright statements
- save password for modules later in the stack

Fri March 03 2000 Nalin Dahyabhai <nalin@redhat.com>
- clean up prompter

Thu March 02 2000 Nalin Dahyabhai <nalin@redhat.com>
- add krbafs as a requirement

Fri February 04 2000 Nalin Dahyabhai <nalin@redhat.com>
- pick up non-afs PAM config files again

Wed February 02 2000 Nalin Dahyabhai <nalin@redhat.com>
- autoconf and putenv() fixes for broken apps
- fix for compressed man pages

Fri January 14 2000 Nalin Dahyabhai <nalin@redhat.com>
- fix stupid bug in password-changing
- add check that user exists in Kerberos before prompting to make password-
  changing sane for mixed environments

Thu January 6 2000 Nalin Dahyabhai <nalin@redhat.com>
- merge in spelling and other fixes from Michael K. Johnson
- modify to build both normal and AFS-aware version if krbafs.h is found

Fri December 31 1999 Nalin Dahyabhai <nalin@redhat.com>
- change to using ticket files created with mkstemp()

Tue December 28 1999 Nalin Dahyabhai <nalin@redhat.com>
- make setcred() return the same code as authenticate() to make sure that libpam
  walks the auth stack the same way for both functions

Wed December 22 1999 Nalin Dahyabhai <nalin@redhat.com>
- add man pages that don't mention AFS at all

Tue November 30 1999 Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
- add linking with libcrypt, remove linking with libpam

Mon November 29 1999 Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
- Make creating the Kerberos IV ticket a non-fatal error if there are problems.
- Add man pages.

Mon November 8 1999 Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
- Clean up PAM_AUTHTOK_RECOVER{,Y}_ERR definition problems and Solaris LD flags.
  Problems spotted and solution proposed by Nitin Dahyabhai <nitind@pobox.com>.

Wed November 3 1999 Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
- Massive restructuring and cleaning out of 1.0-specific code.

Mon October 4 1999 Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
- Update for krb5 1.1 release

Mon July 26 1999 Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
- Configure should die if krb5.h or krbafs.h isn't found (bfdimmic@eos.ncsu.edu)

Thu July 15 1999 Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
- Added reason to authentication failure messages (wjlyerly@eos.ncsu.edu)
- Only prompt for second password if first password fails

Fri June 18 1999 Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
- First public release.  Bwah-ha-ha-ha-ha-ha-ha!
