kadmin-remctl (3.6-1~sbp70+1) stable; urgency=low

  * Backport to stable.

 -- Russ Allbery <rra@debian.org>  Wed, 15 Jan 2014 15:11:33 -0800

kadmin-remctl (3.6-1) unstable; urgency=low

  * New upstream release.
    - Add per-instance configuration to set password expiration on initial
      account creation.
    - Map password quality errors on create and reset_passwd to a generic
      error message.
  * Add necessary keyring and watch configuration for uscan to verify
    PGP signatures on new upstream releases.
  * Prefer xz compression in the watch configuration.
  * Remove now-unnecessary dh_builddeb override to force xz compression.
  * Update standards version to 3.9.5 (no changes required).

 -- Russ Allbery <rra@debian.org>  Wed, 15 Jan 2014 14:56:11 -0800

kadmin-remctl (3.5-1) unstable; urgency=low

  * New upstream release.
    - Increase the timeouts for kpasswd interaction.
    - Fix Perl warnings if kpasswd times out.
    - Use get instead of list with Heimdal to check principal existence.
    - Recognize the new Heimdal kpasswd prompts.
    - Stop mapping password quality errors in the Heimdal backend.
    - Check the existence of the principal before enabling or disabling it
      in the Heimdal backend in order to report more sensible errors.

 -- Russ Allbery <rra@debian.org>  Thu, 10 Oct 2013 19:09:18 -0700

kadmin-remctl (3.4-1) unstable; urgency=low

  * New upstream release.
    - Set the disallow-svr flag on all newly-created principals.
    - Change the default principal regex to allow two-character principal
      names.
  * Drop --as-needed for now for easier backporting to squeeze.

 -- Russ Allbery <rra@debian.org>  Tue, 09 Jul 2013 16:55:27 -0700

kadmin-remctl (3.3-1) unstable; urgency=low

  * New upstream release.
    - In the Heimdal version, retry the kadmin connection once if it fails
      and suppress standard error from the Heimdal libraries during the
      connection attempt.
    - Clean up error reporting in the Heimdal version of kadmin-backend.
    - Exit with a non-zero status if check_passwd rejects a password.
    - Produce a better error when attempting to change the password of a
      disabled account in the Heimdal kadmin-backend.
    - Strip whitespace from usernames in passwd_change.
  * Use full path to Stanford's password file in password-change.
  * Switch to xz compression for the upstream and Debian tarballs.
  * Move single-debian-patch to local-options and patch-header to
    local-patch-header so that they only apply to the packages I build and
    NMUs get regular version-numbered patches.
  * Use dh-autoreconf to rebuild the Autotools build system, and link with
    --as-needed to remove the additional unnecessary library dependencies
    for the client.
  * Update to debhelper compatibility level V9.
    - Enable parallel builds.
    - Enable build hardening flags.
    - Use DEB_CFLAGS_MAINT_APPEND to add the Stanford-specific settings
      for the password file path and remctl host for password changes.
  * Update to standards version 3.9.4.
    - Add branch information to the Vcs-Git header.
  * Convert debian/copyright to copyright-format 1.0.

 -- Russ Allbery <rra@debian.org>  Mon, 25 Mar 2013 11:06:03 -0700

kadmin-remctl (3.2-1) unstable; urgency=low

  * New upstream release.
    - Add support for a separate blacklist of accounts whose passwords
      cannot be reset with reset_passwd.
    - Properly handle incorrect password errors from Heimdal kpasswd.
    - Yet more fixes to the Heimdal default attribute configuration.
  * Update to debhelper compatibility level V8.
  * Update to standards version 3.9.2 (no changes required).

 -- Russ Allbery <rra@debian.org>  Thu, 09 Jun 2011 15:05:21 -0700

kadmin-remctl (3.1-1) unstable; urgency=low

  * New upstream release.
    - Fix default principal attributes during creation with Heimdal.
    - Don't unconditionally set preauth during creation with Heimdal.
    - Remove boolean checking parameter for MIT.  Instead, add a new
      configuration parameter that sets the password policy to use for
      newly created accounts.
    - Add expiration and pwexpiration commands to set the expiration and
      password expiration of accounts.
    - Add check_expire command which returns the expiration date of an
      account or its password.
    - The MIT backend now supports a create_opts configuration parameter
      that defines additional options to pass to kadmin addprinc.
    - Allow underscores in principal names in examine.
  * Switch to 3.0 (quilt) source format.  Force a single Debian patch and
    include a custom patch header explaining that it is a rollup of any
    fixes cherry-picked from upstream and breaking those patches out
    separately would be work for no gain.
  * Set a Bugs header directing bug reports to me personally.
  * Update standards version to 3.9.0 (no changes required).

 -- Russ Allbery <rra@debian.org>  Wed, 21 Jul 2010 14:55:59 -0700

kadmin-remctl (3.0-1) unstable; urgency=low

  * New upstream release.
    - Add a version of kadmin-backend for Heimdal.
    - Allow - in principal names in the examine function.
    - Add a configuration option to check via an external program whether
      a principal is locked and disallow enables if it is.
    - Significantly improve error reporting in ksetpass and
      passwd_change.
  * Package the Heimdal version of kadmin-backend as a separate
    kadmin-remctl-heimdal package.
  * Remove comerr-dev build dependency, no longer required with the better
    error handling in ksetpass and passwd_change.
  * Add Homepage, Vcs-Git, and Vcs-Browser control fields.
  * Update standards version to 3.8.4 (no changes required).

 -- Russ Allbery <rra@debian.org>  Wed, 17 Feb 2010 12:49:14 -0800

kadmin-remctl (2.4-1) unstable; urgency=low

  * New upstream release.
    - Fix LDIF syntax when activating or deactivating AD accounts.
  * Update to debhelper compatibility level V7.
    - Use debhelper rule minimization with overrides.
    - Add ${misc:Depends} to all dependencies.
  * Update standards version to 3.8.3 (no changes required).

 -- Russ Allbery <rra@debian.org>  Mon, 05 Oct 2009 16:13:02 -0700

kadmin-remctl (2.3-1) unstable; urgency=low

  * New upstream release.
    - Support examining principals with instances we don't manage.
    - Better conversion of Kerberos v5 principals to Kerberos v4.

 -- Russ Allbery <rra@debian.org>  Wed, 07 Jan 2009 20:36:46 -0800

kadmin-remctl (2.2-1) unstable; urgency=low

  * New upstream release.
    - AFS kaserver support is now frozen.
    - Check return status from kasetkey properly.
    - Better error messages if REMOTE_USER isn't set.
  * Add watch file.
  * Update standards version to 3.8.0.
    - Use filter instead of findstring for DEB_BUILD_OPTIONS.

 -- Russ Allbery <rra@debian.org>  Thu, 31 Jul 2008 19:51:19 -0700

kadmin-remctl (2.1-1) unstable; urgency=low

  * New upstream release.
    - Use kasetkey for all AFS kaserver operations.
    - Honor allowed principal regexes for examine as well.
  * Add a versioned recommends on kasetkey to get enable, disable, and
    examine support.
  * Update copyright based on the upstream LICENSE file.

 -- Russ Allbery <rra@debian.org>  Fri, 25 Apr 2008 10:19:32 -0700

kadmin-remctl (2.0-1) unstable; urgency=low

  * New upstream release.
    - Significant changes to the kadmin-backend configuration.  Many
      global settings are now per-instance, different environments may be
      updated for different instances, and the empty instance is now
      configured just like any other instance.
    - Support updating Active Directory directly without K5.
    - Add a ksetpass client to kadmin-remctl to set passwords via the
      Kerberos password change protocol.
    - Support an account creation workaround for Windows Server 2008 that
      creates an account disabled without a password and then sets the
      password with ksetpass.
    - Support enable and disable for instance management.
    - Handle instance list errors and errors printed in two pieces from
      kadmin correctly.
    - Support include in ACL files.
  * kadmin-remctl is now Architecture: any since it includes ksetpass.
  * No longer include the supervise configuration for the password reset
    remctld instance in the kadmin-remctl package.
  * Move remctl-server and libtext-template-perl to Recommends since
    kadmin-remctl doesn't always need them.
  * Update the long description for kadmin-remctl.  It's no longer very
    Stanford-specific as packaged.
  * Use touch $@ to create stamp files.
  * Update to standards version 3.7.3 (no changes required).

 -- Russ Allbery <rra@debian.org>  Tue, 25 Mar 2008 21:09:57 -0700

kadmin-remctl (1.9-1) unstable; urgency=low

  * New upstream release.
    - Add support for adding instances to an Active Directory group.

 -- Russ Allbery <rra@debian.org>  Tue, 11 Sep 2007 19:24:16 -0700

kadmin-remctl (1.8-1) unstable; urgency=low

  * New upstream release.
    - Increase Expect timeouts in kadmin-backend.
    - Improved error message stripping in kadmin-backend.
    - Add a newline after remctl errors in passwd_change.

 -- Russ Allbery <rra@debian.org>  Wed, 08 Aug 2007 16:13:15 -0700

kadmin-remctl (1.7-1) unstable; urgency=low

  * New upstream release.
    - Support a $K5_HOST variable to use a non-default admin server.

 -- Russ Allbery <rra@debian.org>  Mon, 06 Aug 2007 16:57:24 -0700

kadmin-remctl (1.6-1) unstable; urgency=low

  * New upstream release.
    - Fix problems with deleting instances from Active Directory.
    - Correctly encode the Active Directory unicodePwd field.
    - Support listing instances in foreign realms.
    - Fix kadmin examine output when K4 output faking is enabled.

 -- Russ Allbery <rra@debian.org>  Fri, 13 Jul 2007 10:33:23 -0700

kadmin-remctl (1.5-1) unstable; urgency=low

  * New upstream release.
    - Add support for instance propagation to Active Directory.
    - Fix time zone problems with K4 output faking.
    - Fix configuration details in passwd_change documentation.
  * Update debhelper compatibility level to V5 (no changes required).

 -- Russ Allbery <rra@debian.org>  Wed, 11 Jul 2007 10:16:03 -0700

kadmin-remctl (1.4-1) unstable; urgency=low

  * New upstream release.
    - Fix K4 examine faking when the account doesn't exist.
    - passwd_change now takes configuration from krb5.conf.
  * Drop the local patch to change the passwd_change defaults and instead
    pass Stanford's defaults as compiler options in debian/rules.

 -- Russ Allbery <rra@debian.org>  Thu, 28 Jun 2007 17:05:38 -0700

kadmin-remctl (1.3-1) unstable; urgency=low

  * New upstream release.
    - Don't assume that kadmin returns a reasonable error status.
    - Add support for faking K4 examine output based on K5.

 -- Russ Allbery <rra@debian.org>  Mon, 11 Jun 2007 15:07:26 -0700

kadmin-remctl (1.2-1) unstable; urgency=low

  * New upstream release.
    - Support disabling the Kerberos v4 synchronization.
  * Only recommend kasetkey, don't depend on it, since Kerberos v4
    synchronization is disabled by default.
  * Install the password-reset run script executable.
  * Install a lintian override file for the kadmin-remctl password-reset
    service directory.

 -- Russ Allbery <rra@debian.org>  Tue, 05 Jun 2007 16:00:11 -0700

kadmin-remctl (1.1-1) unstable; urgency=low

  * New upstream release.
    - Add support for manipulating account instances.
    - Add support for a kadmin-remctl configuration file.
    - Add support for reserved principals.
    - Fix errors in the output for reset_passwd and change_passwd.
    - Support signalling passwd_change that the user is invalid.

 -- Russ Allbery <rra@debian.org>  Thu, 31 May 2007 17:01:05 -0700

kadmin-remctl (1.0-1) unstable; urgency=low

  * Initial release.

 -- Russ Allbery <rra@debian.org>  Wed, 21 Mar 2007 23:31:27 -0700

