debian/0000755000000000000000000000000012250747621007174 5ustar debian/postinst0000644000000000000000000000246712250747621011013 0ustar #!/bin/sh # postinst script for msktutil # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-remove' # * `abort-deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in configure) # Create a default default file if none exists. if ! [ -f "/etc/default/msktutil" ]; then cat > /etc/default/msktutil <&2 exit 1 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/rules0000755000000000000000000000116312250747621010255 0ustar #!/usr/bin/make -f # -*- makefile -*- # Sample debian/rules that uses debhelper. # This file was originally written by Joey Hess and Craig Small. # As a special exception, when this file is copied by dh-make into a # dh-make output file, you may use that output file without restriction. # This special exception was added by Craig Small in version 0.37 of dh-make. # Uncomment this to turn on verbose mode. export DH_VERBOSE=1 %: dh $@ override_dh_auto_configure: autoconf ./configure --prefix="/usr" override_dh_installman: dh_installman msktutil.M override_dh_clean: #rm -f ./configure dh_clean -Xautom4te.cache debian/changelog0000644000000000000000000000703312250747621011051 0ustar msktutil (0.5.1-1) unstable; urgency=low * New upstream release - Remove hardening patches incorporated upstream. * Bumps Standards-Version to 3.9.5 (no changes) * Update manpage (Closes: #731139) -- tony mancill Sat, 07 Dec 2013 16:57:13 -0800 msktutil (0.5-1) unstable; urgency=low * New upstream release. * Bumps Standards-Version to 3.9.4. * Update Vcs URLs in debian/control to be canonical. * Drop patch to override LIBS in Makefile. 
(Closes: #713698) -- tony mancill Sun, 11 Aug 2013 16:38:56 -0700 msktutil (0.4.1-4) unstable; urgency=low * Replace Ken Dreyer with myself as maintainer, at Ken's request. * Add postrm script to remove /etc/default/msktutil during purge. - (Closes: #685062) -- tony mancill Sun, 26 Aug 2012 10:53:36 -0700 msktutil (0.4.1-3) unstable; urgency=low * d/control - Bump Standards-Version to 3.9.3. - Add Jurjen Bokma and tony mancill to Uploaders. - Add Vcs-Git and Vcs-Browser fields * d/compat: set compat level to 9 (for build-hardening) * Add build_hardening_01 patch to d/patches * Initial upload to Debian unstable. -- tony mancill Sun, 12 Aug 2012 19:58:59 -0700 msktutil (0.4.1-2.local) unstable; urgency=low * Unofficial repackaging, non-maintainer upload if ever to be uploaded at all -- Jurjen Bokma Thu, 28 Jun 2012 13:48:58 +0200 msktutil (0.4.1-1) unstable; urgency=low * New upstream release. -- Ken Dreyer Tue, 7 Feb 2012 16:35:10 -0700 msktutil (0.4-2) unstable; urgency=low * New upstream release. * Include cron.daily script to rotate keytab (disabled by default; enable with /etc/default/msktutil) -- James Y. Knight Tue, 16 Feb 2010 18:22:53 -0500 msktutil (0.3.16-7) unstable; urgency=low * fix keytab bug in 0.3.16-6 -- Doug Engert Fri, 17 Apr 2009 10:48:00 -0500 msktutil (0.3.16-6) unstable; urgency=low * Work with W2008 without hotfix 951191 * SASL ssf varied depending on TLS to circumvent another W2008 bug * added --enctypes N where N is defined with W2008 http://msdn.microsoft.com/en-us/library/cc223853(PROT.10).aspx msDs-supportedEncryptionTypes. 1=DES, 2=DES, 4=RC4, 8=AES128 16=AES256. N is sum of these. * Use /dev/urandom and 63 character password. * --verbose --verbose turns on LDAP debugging * #ifdef for use with Solaris LDAP * Cleanup of other ldap code and error handling * msktutil.interactive updated to work on Solaris and use msktutil from same directory. 
-- Doug Engert Tue, 14 Apr 2009 11:16:53 -0500 msktutil (0.3.16-5) unstable; urgency=low * Updated msktutil.interactive example script. -- Brian Elliott Finley Mon, 07 Aug 2006 16:59:24 -0500 msktutil (0.3.16-4) unstable; urgency=low * Updated msktutil.interactive example script. -- Brian Elliott Finley Thu, 27 Jul 2006 16:31:17 -0500 msktutil (0.3.16-3) unstable; urgency=low * Establish Build-Depends. -- Brian Elliott Finley Tue, 14 Mar 2006 15:46:08 -0600 msktutil (0.3.16-2) unstable; urgency=low * Depend on "libsasl2-gssapi-mit | libsasl2-modules-gssapi-heimdal". -- Brian Elliott Finley Tue, 14 Mar 2006 12:59:57 -0600 msktutil (0.3.16-1) unstable; urgency=low * Found version in output of 'msktutil --version'. Use that instead of date. -- Brian Elliott Finley Fri, 3 Mar 2006 15:42:00 -0600 debian/postrm0000644000000000000000000000100312250747621010435 0ustar #!/bin/sh set -e #DEBHELPER# CONFFILE=/etc/default/msktutil case "$1" in remove) # Nothing to do here ;; purge) # ignore errors during purge set +e if [ -x "/usr/bin/ucf" ]; then ucf --purge $CONFFILE fi rm -rf $CONFFILE set -e ;; upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) # Nothing to do here ;; *) echo "$0 called with unknown argument \`$1'" >&2 exit 1 ;; esac debian/msktutil.install.aside0000644000000000000000000000002312250747621013517 0ustar msktutil /usr/sbin debian/patches/0000755000000000000000000000000012250747621010623 5ustar debian/patches/fix_AC_LANG_SOURCE_in_configure_dot_in0000644000000000000000000000061512250747621017645 0ustar --- a/configure.in +++ b/configure.in 
@@ -191,6 +191,7 @@ # Since OpenLDAP libldap depends on it anyway, no additional dependency added. # AC_CHECK_LIB([lber], [ber_alloc], , [AC_MSG_WARN([liblber not found])]) +AC_CHECK_LIB([com_err], [error_message], , [AC_MSG_ERROR([libcom_err not found])]) if test "$ac_cv_header_com_err_h"; then AC_MSG_CHECKING([whether com_err.h needs extern "C"]); debian/patches/Makefile.in.patch0000644000000000000000000000054012250747621013765 0ustar --- a/Makefile.in +++ b/Makefile.in @@ -36,7 +36,7 @@ clean : @$(RM) $(PROG) $(objects) distclean: clean - @$(RM) Makefile config.h config.log config.cache config.status autom4te.cache config.h~ config.h.in~ + @$(RM) Makefile config.h config.log config.cache config.status config.h~ config.h.in~ install: all @$(MKDIR) -p $(DESTDIR)$(sbindir) debian/patches/build_hardening_010000644000000000000000000000222112250747621014161 0ustar Description: patch to allow compilation with hardening flags Author: tony mancill Origin: vendor Forwarded: no Reviewed-By: Last-Update: 2012-07-09 --- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. --- a/msktconf.cpp +++ b/msktconf.cpp @@ -128,7 +128,7 @@ switch_default_ccache(ccache_name); return true; } catch (KRB5Exception &e) { - VERBOSE(e.what()); + VERBOSE("%s", e.what()); VERBOSE("Authentication with keytab failed"); return false; } @@ -145,7 +145,7 @@ switch_default_ccache(ccache_name); return true; } catch (KRB5Exception &e) { - VERBOSE(e.what()); + VERBOSE("%s", e.what()); VERBOSE("Authentication with password failed"); return false; } @@ -201,7 +201,7 @@ return true; } catch(KRB5Exception &e) { - VERBOSE(e.what()); + VERBOSE("%s", e.what()); VERBOSE("User ticket cache was not valid."); return false; } debian/patches/no_format_arguments0000644000000000000000000000117612250747621014624 0ustar --- a/msktconf.cpp +++ b/msktconf.cpp 
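Review bot: The added `AC_MSG_ERROR([libcom_err not found])` turns libcom_err into a hard build requirement, yet the Build-Depends field in debian/control on this page names only debhelper, libldap2-dev, libkrb5-dev, libsasl2-dev and autoconf, so the library presumably arrives only as a transitive dependency. I would list `comerr-dev` explicitly so the build does not break if that chain changes. The file name fix_AC_LANG_SOURCE_in_configure_dot_in also no longer describes this hunk, which does not touch AC_LANG_SOURCE, and the patch has no DEP-3 header; a `Description:` and `Forwarded:` line would tell the next maintainer why the check exists. Makefile.in.patch and fix_link_order_in_Makefile_dot_in lack a header as well.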
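Review bot: Neither this patch nor no_format_arguments is applied at build time, because debian/patches/series on this page lists both behind a `#`; the `VERBOSE("%s", e.what())` fix in these three hunks, and in the two hunks of no_format_arguments, therefore protects the package only if upstream 0.5.1 already carries it. The 0.5.1-1 changelog entry says the hardening patches were incorporated upstream, while the header here still reads `Forwarded: no`, so confirm all five call sites in msktconf.cpp against the upstream source and then delete both files instead of keeping them disabled. Passing exception text as the format argument is the defect being fixed, and a build with `-Wformat -Werror=format-security` would reject any call site that regresses. debian/rules overrides dh_auto_configure with a bare `./configure --prefix="/usr"`, so it is worth checking the build log that the dpkg-buildflags hardening flags actually reach the compiler. Each catch block starts and ends outside its hunk.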
@@ -162,7 +162,7 @@ switch_default_ccache(ccache_name); return true; } catch (KRB5Exception &e) { - VERBOSE(e.what()); + VERBOSE("%s", e.what()); if (e.err() == KRB5KDC_ERR_KEY_EXP) { VERBOSE("Password needs to be changed"); flags->password_expired = true; @@ -186,7 +186,7 @@ switch_default_ccache(ccache_name.c_str()); return true; } catch (KRB5Exception &e) { - VERBOSE(e.what()); + VERBOSE("%s", e.what()); VERBOSE("Authentication with password failed"); return false; } debian/patches/series0000644000000000000000000000020112250747621012031 0ustar replace_manpage_template.patch Makefile.in.patch fix_AC_LANG_SOURCE_in_configure_dot_in #build_hardening_01 #no_format_arguments debian/patches/replace_manpage_template.patch0000644000000000000000000002512112250747621016643 0ustar --- a/msktutil.M +++ b/msktutil.M 
@@ -1,20 +1,20 @@ -.TH REPLACE_PROGNAME 1 REPLACE_VERSION +.TH msktutil 1 0.5.1 .SH NAME -REPLACE_PROGNAME \- fetches and manages kerberos keytabs in an Active Directory environment +msktutil \- fetches and manages kerberos keytabs in an Active Directory environment .SH SYNOPSIS -.B REPLACE_PROGNAME +.B msktutil [command 1] [command 2] [command 3] ... .SH DESCRIPTION -REPLACE_PROGNAME is a Unix/Linux keytab client for Microsoft Active Directory environments. This program is +msktutil is a Unix/Linux keytab client for Microsoft Active Directory environments. This program is capable of creating accounts in Active Directory, adding service principals to those accounts, and creating local keytab files so that kerberizied services can utilize Active directory as a Kerberos realm. -REPLACE_PROGNAME will create and manage machine accounts by default. The --use-service-account option -lets REPLACE_PROGNAME operate on service accounts. REPLACE_PROGNAME requires that the Kerberos client +msktutil will create and manage machine accounts by default. The --use-service-account option +lets msktutil operate on service accounts. msktutil requires that the Kerberos client libraries are properly installed and configured to use Active Directory as a realm. .PP Whenever a principal is added or a keytab is updated, the secret password for the corresponding account is changed. By default, the password is not stored, so it needs to be reset each time -REPLACE_PROGNAME is executed. All entries in the keytab will be automatically updated whenever the +msktutil is executed. All entries in the keytab will be automatically updated whenever the password is reset. The previous entries will be left in the keytab, so sessions using the older key versions will not break. This behavior is similar to the way Windows hosts handle machine password changes. 
@@ -25,18 +25,18 @@ invoke the program with such credentials, you can create a new computer account or service account from scratch. .PP -The second is to pre-create the accounts with such credentials, and then invoke REPLACE_PROGNAME on +The second is to pre-create the accounts with such credentials, and then invoke msktutil on a machine without any special permissions. When the computer account or service account exists already, -REPLACE_PROGNAME will attempt to authenticate as that account using either the existing keytab, or +msktutil will attempt to authenticate as that account using either the existing keytab, or if that fails, a default password. When that default password is not specified with the option ---old-account-password, REPLACE_PROGNAME will use the default machine password. It will then change +--old-account-password, msktutil will use the default machine password. It will then change the password and update the keytab appropriately. This is usually the more convenient option when joining many computers to the domain. .PP To pre-create a computer account, you may use the Active Directory Users and Computers GUI, select "new computer" from the right click menu, and type the short DNS name, then right click on the newly created object and select "Reset account" to set the password to the default value. Another -alternative is to invoke REPLACE_PROGNAME with the --precreate argument. Both methods accomplish the +alternative is to invoke msktutil with the --precreate argument. Both methods accomplish the same thing. .PP To pre-create a service account, you may use the Active Directory Users and Computers GUI, select 
@@ -49,19 +49,19 @@ 30 days, and thus many domains have a 90-day password expiry window, after which your keytab will stop working. There are two ways to deal with this: .PP -a) (Preferred): Make sure you're running a daily cron job to run REPLACE_PROGNAME --auto-update, which +a) (Preferred): Make sure you're running a daily cron job to run msktutil --auto-update, which will change the password automatically 30 days after it was last changed and update the keytab. .PP b) (Not preferred): disable password expiry for the account via the --dont-expire-password option (or otherwise setting DONT_EXPIRE_PASSWORD flag in userAccountControl in AD). .SH PASSWORD POLICY ISSUES .PP -This section only applies to REPLACE_PROGNAME --use-service-account. +This section only applies to msktutil --use-service-account. .PP While machine account passwords may be changed at any time, service accounts are user accounts and your Active Directory domain may have special password policies for those user accounts. E.g., "minimum password age" is typically set to 1 day, which means that you will have to wait for that -time to pass until you may invoke REPLACE_PROGNAME --update --use-service-account. +time to pass until you may invoke msktutil --update --use-service-account. .SH OTHER NOTES .PP Unlike other kerberos implementations, Active Directory has only a single key for all of the 
@@ -80,15 +80,15 @@ computer account credentials). Both 'computername$' and the value of userPrincipalName are treated as valid account names to kinit as. .PP -REPLACE_PROGNAME will use kerberized LDAP operations to talk to domain controllers. To obtain a LDAP service +msktutil will use kerberized LDAP operations to talk to domain controllers. To obtain a LDAP service ticket, the DNS service will be used to construct the domain controllers LDAP principal name. If DNS is mis-configured, this construction may fail. To work around this issue, you may specify the fully qualified DNS name of your domain controller with the --server option and additionally use the --no-reverse-lookups option. .PP Samba (www.samba.org) provides the net command that can be used to manage kerberos keytabs as -well. Using REPLACE_PROGNAME and commands like "net ads join" or "net ads keytab" together can lead to -trouble. With the --set-samba-secret option, REPLACE_PROGNAME can be used as a replacement for net. +well. Using msktutil and commands like "net ads join" or "net ads keytab" together can lead to +trouble. With the --set-samba-secret option, msktutil can be used as a replacement for net. .PP Active Directory includes authorization data (e.g. information about group memberships) in Kerberos tickets. This information is called PAC and may lead to very large ticket sizes. Especially HTTP services are @@ -153,7 +153,7 @@ .TP --old-account-password Use supplied account password for authentication. This is useful if the keytab does not yet exist -but the password of the computer account is known. This password will be changed by REPLACE_PROGNAME in order +but the password of the computer account is known. This password will be changed by msktutil in order to create or update the keytab .TP -h, --hostname 
@@ -170,8 +170,8 @@ account password. Default: /etc/krb5.keytab --keytab-auth-as Specifies which principal name we should try to use, when we authenticate from a keytab. Normally, -REPLACE_PROGNAME will try to use the account name or the host principal for the current host. If -this option is specified, instead REPLACE_PROGNAME will try to use the given principal name first, +msktutil will try to use the account name or the host principal for the current host. If +this option is specified, instead msktutil will try to use the given principal name first, and only fall back to the default behavior if we fail to authenticate with the given name. This option can be useful if you do not know the current password for the relevant account, do not have a keytab with the account principal, but you do have a keytab with a service principal associated @@ -293,14 +293,14 @@ For unprivileged users the most common invocations are: .PP .nf -REPLACE_PROGNAME --update --service host --service HTTP +msktutil --update --service host --service HTTP .fi .PP This will update a computer account in Active Directory with a new password, write out a new keytab, and ensure that it has both "host" and "HTTP" service principals are on it for the hostname. .PP .nf -REPLACE_PROGNAME --auto-update +msktutil --auto-update .fi .PP This is useful in a daily cron job to check and rotate the password automatically when it's 30 days 
@@ -310,30 +310,30 @@ For users with admin privileges in AD, some common uses: .PP .nf -REPLACE_PROGNAME --create --service host --service HTTP +msktutil --create --service host --service HTTP .fi .PP This will create a computer account in Active Directory with a new password, write out a new keytab, and ensure that it has both "host" and "HTTP" service principals are on it for the hostname. .PP .nf -REPLACE_PROGNAME --precreate --host computer1.example.com +msktutil --precreate --host computer1.example.com .fi .PP This will pre-create an account for computer1 with the default password using your credentials. This can be done on a central host, e.g. to script the addition of many hosts. You can then use -REPLACE_PROGNAME --create on the hosts themselves (without special credentials) to join them to the +msktutil --create on the hosts themselves (without special credentials) to join them to the domain. .PP .nf -REPLACE_PROGNAME --host afs --service afs --enctypes 0x03 +msktutil --host afs --service afs --enctypes 0x03 .fi .PP This will create an afs/cell.name@REALM principal, and associate that principal with a computer account called 'afs'. The principal will be marked as DES-only, which is required for AFS. .PP .nf -REPLACE_PROGNAME --create --use-service-account --service HTTP/hostname.example.com --keytab /etc/apache/krb5.keytab --accountname srv-http --no-pac +msktutil --create --use-service-account --service HTTP/hostname.example.com --keytab /etc/apache/krb5.keytab --accountname srv-http --no-pac .fi .PP This will create an HTTP/hostname.example.com@REALM principal, and associate that principal with a service 
@@ -341,7 +341,7 @@ The size of Kerberos tickets for that service will stay small because no PAC information will be included. .PP .nf -REPLACE_PROGNAME --create --service host/hostname --service host/hostname.example.com --set-samba-secret --enctypes 0x4 +msktutil --create --service host/hostname --service host/hostname.example.com --set-samba-secret --enctypes 0x4 .fi .PP This will create a computer account in Active Directory that is compatible with Samba. The command creates @@ -351,4 +351,7 @@ As Samba (version 3) only supports arcfour-encrypted Kerberos tickets the --enctypes option must be used to select only that encryption type. .SH AUTHOR -REPLACE_AUTHOR + (C) 2004-2006 Dan Perry + (C) 2006 Brian Elliott Finley (finley@anl.gov) + (C) 2009-2010 Doug Engert (deengert@anl.gov) + (C) 2010 James Knight debian/patches/fix_link_order_in_Makefile_dot_in0000644000000000000000000000043212250747621017362 0ustar --- a/Makefile.in +++ b/Makefile.in @@ -26,7 +26,7 @@ $(PROG) : $(objects) @$(ECHO) "Assembling $(PROG)" - $(CXX) $(LDFLAGS) $(LIBS) $(objects) -o $(PROG) + $(CXX) $(LDFLAGS) $(objects) $(LIBS) -o $(PROG) %.o : %.cpp msktutil.h krb5wrap.h config.h @$(ECHO) "Compiling $<" debian/manpage.xml0000644000000000000000000002540012250747621011327 0ustar .
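Review bot: fix_link_order_in_Makefile_dot_in does not appear in debian/patches/series on this page, so the reordered link line `$(CXX) $(LDFLAGS) $(objects) $(LIBS) -o $(PROG)` is never applied. If upstream's Makefile.in already places `$(LIBS)` after `$(objects)`, delete the file; if it does not, add the patch to series, since a linker run with `--as-needed` can drop libraries that are named before the objects that use them. The 0.5-1 changelog entry mentions dropping a patch that overrides LIBS, which may refer to this one, and a DEP-3 header stating that would remove the guesswork.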
will be generated. You may view the manual page with: nroff -man .
| less'. A typical entry in a Makefile or Makefile.am is: DB2MAN = /usr/share/sgml/docbook/stylesheet/xsl/docbook-xsl/manpages/docbook.xsl XP = xsltproc -''-nonet -''-param man.charmap.use.subset "0" manpage.1: manpage.xml $(XP) $(DB2MAN) $< The xsltproc binary is found in the xsltproc package. The XSL files are in docbook-xsl. A description of the parameters you can use can be found in the docbook-xsl-doc-* packages. Please remember that if you create the nroff version in one of the debian/rules file targets (such as build), you will need to include xsltproc and docbook-xsl in your Build-Depends control field. Alternatively use the xmlto command/package. That will also automatically pull in xsltproc and docbook-xsl. Notes for using docbook2x: docbook2x-man does not automatically create the AUTHOR(S) and COPYRIGHT sections. In this case, please add them manually as ... . To disable the automatic creation of the AUTHOR(S) and COPYRIGHT sections read /usr/share/doc/docbook-xsl/doc/manpages/authors.html. This file can be found in the docbook-xsl-doc-html package. Validation can be done using: `xmllint -''-noout -''-valid manpage.xml` General documentation about man-pages and man-page-formatting: man(1), man(7), http://www.tldp.org/HOWTO/Man-Page/ --> ]> &dhtitle; &dhpackage; &dhfirstname; &dhsurname; Wrote this manpage for the Debian system.
&dhemail;
2007 &dhusername; This manual page was written for the Debian system (and may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or (at your option) any later version published by the Free Software Foundation. On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
&dhucpackage; &dhsection; &dhpackage; program to do something &dhpackage; this this that &dhpackage; DESCRIPTION This manual page documents briefly the &dhpackage; and bar commands. This manual page was written for the Debian distribution because the original program does not have a manual page. Instead, it has documentation in the GNU info 1 format; see below. &dhpackage; is a program that... OPTIONS The program follows the usual GNU command line syntax, with long options starting with two dashes (`-'). A summary of options is included below. For a complete description, see the info 1 files. Does this and that. Show summary of options. Show version of program. FILES /etc/foo.conf The system-wide configuration file to control the behaviour of &dhpackage;. See foo.conf 5 for further details. ${HOME}/.foo.conf The per-user configuration file to control the behaviour of &dhpackage;. See foo.conf 5 for further details. ENVIONMENT FOO_CONF If used, the defined file is used as configuration file (see also ). DIAGNOSTICS The following diagnostics may be issued on stderr: Bad configuration file. Exiting. The configuration file seems to contain a broken configuration line. Use the option, to get more info. &dhpackage; provides some return codes, that can be used in scripts: Code Diagnostic 0 Program exited successfully. 1 The configuration file seems to be broken. BUGS The program is currently limited to only work with the foobar library. The upstreams BTS can be found at . SEE ALSO bar 1 , baz 1 , foo.conf 5 The programs are documented fully by The Rise and Fall of a Fooish Bar available via the info 1 system.
debian/source/0000755000000000000000000000000012250747621010474 5ustar debian/source/format0000644000000000000000000000001412250747621011702 0ustar 3.0 (quilt) debian/compat0000644000000000000000000000000212250747621010372 0ustar 9 debian/msktutil.cron.daily0000644000000000000000000000052412250747621013035 0ustar #!/bin/sh test -x /usr/sbin/msktutil || exit 0 # These options are overridden in /etc/default/msktutil. # Edit there, not here. AUTOUPDATE_ENABLED="false" AUTOUPDATE_OPTIONS="" [ -r /etc/default/msktutil ] && . /etc/default/msktutil [ "$AUTOUPDATE_ENABLED" = "true" ] || exit 0 exec /usr/sbin/msktutil --auto-update $AUTOUPDATE_OPTIONS debian/copyright0000644000000000000000000000226312250747621011132 0ustar Format: http://dep.debian.net/deps/dep5 Upstream-Name: msktutil Source: http://fuhm.net/software/msktutil/ Files: * Copyright: (C) 2004-2006 Dan Perry (C) 2006 Brian Elliott Finley (finley@anl.gov) (C) 2009-2010 Doug Engert (deengert@anl.gov) (C) 2010 James Y Knight License: GPL-2.0+ Files: debian/* Copyright: 2012 Jurjen Bokma License: GPL-2.0+ License: GPL-2.0+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . On Debian systems, the complete text of the GNU General Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". 
debian/control0000644000000000000000000000202712250747621010600 0ustar Source: msktutil Section: net Priority: optional Homepage: http://fuhm.net/software/msktutil/ Maintainer: tony mancill Uploaders: Jurjen Bokma Build-Depends: debhelper (>= 9), libldap2-dev, libkrb5-dev, libsasl2-dev, autoconf Standards-Version: 3.9.5 Vcs-Git: git://anonscm.debian.org/collab-maint/pkg-msktutil.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/pkg-msktutil.git Package: msktutil Architecture: any Homepage: http://fuhm.net/software/msktutil/ Depends: ${shlibs:Depends}, ${misc:Depends}, libsasl2-modules-gssapi-mit | libsasl2-gssapi-mit | libsasl2-modules-gssapi-heimdal Description: Utility for interoperability with Active Directory msktutil is a utility that fetches and manages Kerberos keytabs in a Microsoft Active Directory environment. . It can perform the following functions: - Create a computer account in Active Directory - Create a system Kerberos keytab - Add and remove principals to and from a system keytab - Change a computer account's password