Release 1.2.2

- Improve CI
- configure.ac: more robust krb5 autodetection
- configure.ac: Replace obsoleted AC_CONFIG_HEADER with AC_CONFIG_HEADERS
- configure.ac: fix linking with minimal LIBS
- Use getnameinfo(3) instead of inet_ntop(3)
- dns_lookup_kdc setting in create_fake_krb5_conf causes issue when using a trusted domain user to create computer account (#208)
- Fix several messages
- Style fixes

Release 1.2.1

- Bugfix: correct AUTHORS section of manpage
- Revert installation to $PREFIX/bin

Release 1.2

- New co-maintainer Michael Osipov
- Improvement: allow to delete and reset computer account
- Improvement: prefer SASL mechanism GSS-SPNEGO over GSSAPI for LDAP
               connections to domain controllers (thanks, James Ralston!)
- Improvement: allow custom script to be called for Samba callouts
               (thanks, Jarek Polok!)
- Improvement: install executable to 'bin' rather than 'sbin' by default
- Improvement: consistent qualification of default SPN entries
- Improvement: query domain controller for proper salting information
               (feature available with MIT Kerberos 1.17 or later)
- Improvement: consistent and improved log messages
- Improvement: documentation updates
- Bugfix: Ignore errors from Samba callout

Release 1.1
- Improvement: Add paragraph regarding autogen.sh to INSTALL

Release 1.1rc3:
- Improvement: Adapt dist target to previous naming

Release 1.1rc2:
- Bugfix: various improvement in Makefile
- Bugfix: Fix for Heimdal: Keyblock
- Bugfix: Makefile.in: explicitly set permissions on install 
- Improvement: Silence warning from autotools

Release 1.1rc1:
- Bugfix: keytab entries generated with wrong salt
- Bugfix: try_machine_keytab_princ is not called when keytab is not explicitly given via --keytab
- Bugfix: failure to write keytab entries for more than one principal
- Bugfix: duplicate entries when using service account
- New Option --dont-update-dnshostname
- Create service keytabs without changing the password
- Delete account renamed to delete mode
- Improved AD SRV lookups
- Fixed compilation Warnings
- Kerberos flavor incorrectly detected on FreeBSD

Release 1.0:

- Fixes for "#59 Kerberos flavor incorrectly detected on FreeBSD"

Release 1.0rc2:

- New co-maintainer, Daniel Kobras
- Skip LDAP replication check by default
- Fix segfault
- rewrite ldap_check_account()

Release 1.0rc1:

- New cleanup mode: remove old keytab entries based on time stamp or
  encryption type [Ticket #32]
- New command line syntax: modes (i.e. create, update, ..)  can be
  given on the command line without leading dashes (--create, --update
  is still working).
- New option "-n": disable reverse lookups on client hostname [Ticket
  #50]
- Restructured manual page
- set LDAP_OPT_X_SASL_SSF_MIN to 56 [Ticket #36]
- Restore compatibility with OpenLDAP 2.3 [Ticket #38]
- disable LDAPS [Ticket #46]
- Re-factor msktldap.cpp [Ticket #53]
- AIX does not compile std::lower [Ticket #42]
- Compiler Error on AIX com_err.h needs extern "C" [Ticket #35]
- Add support for udns dns resolver library (--with-udns)
- Many fixes for memory management
- New work flow for keytab updates
- Avoid endless recursion in set_password due to slow replication
  [Ticket #40]
- fixed permission problems with --upn [Ticket #47]
- Add compatibility for keytabs that have been created by other tools
  [Ticket #48]

Release 0.5.1:

- Add --keytab-auth-as option (thanks Andrew Deason)
- Add --allow-weak-crypto switch, to support single DES (thanks Andrew
  Deason and Mark Pröhl)
- If servicePrincipalName begins with "HOST/", rewrite to "host/"
  (thanks Boleslaw Tokarski for the report)
- msktutil manual page fixes (thanks Andrew Deason and Mark Pröhl)
- Fix possible samAccountName corruption bug with uniniatialized
  variables (thanks Jaroslaw Polok for the report)
- Adjust --precreate to match ADUC's behavior with long account names
  (thanks Erik de Vries)
- Build fixes for HPUX and NetBSD
- Fix issue with private glibc function on RHEL5 (thanks Daniel Kobras)
- Incorporate hardening patches from Debian (thanks Tony Mancill)
- Delete "debian" directory (this will be maintained downstream)

Release 0.5:

- New co-maintainer, Olaf Flebbe
- Support service accounts in addition to computer accounts
- Add option to set the samba secret password
- Add option ("--realm") to specify a custom realm
- Various build fixes
- Add support for clients behind a NAT firewall

Release 0.4.2:

- New co-maintainer, Mark Pröhl
- Increase computer name character limit from 18 to 19 characters,
  matching AD's own limits.
- Add option ("-N") to disable reverse lookups on DCs
- Add option ("--old-account-password") to use the old computer account
  password to create a new keytab on a host.
- Return the proper error code when krb5_change_password fails.
- Better autodetection for krb5-config location.
- Compatibility with autoconf >= 2.68.
- Build fixes for Red Hat and Ubuntu.
- Update documentation for single-DES and AFS.

Release 0.4.1:

- Ken Dreyer took over maintenance, based upon master at
  http://repo.or.cz/w/msktutil.git
- Build fixes for Red Hat

Release 0.4:

- James Y Knight took over maintenance, based upon msktutil_0.3.16-7
  downloaded from: http://download.systemimager.org/~finley/msktutil/

- Made most functionality work properly with only the machine account
  credentials.

- Adds COMPUTERNAME$ to the keytab, and authenticates with that, so
  that setting userPrincipalName to host/COMPUTERNAME.DOMAIN@REALM
  isn't necessary. (since userPrincipalName isn't settable without
  admin perms)

- Now attempts to authenticate with the default machine account
  password so that AD "reset account" is functional.

- Gets the default LDAP OU to create new machines in from the magic
  GUID from AD, instead of assuming CN=Computers.

- Added --precreate option to allow an administrator to script
  creation of accounts without touching a local keytab.

- Added --auto-update for use from a crontab to auto-rotate password.

- No longer attempts to disable password expiry by default: So note,
  you need to either run --auto-update from cron or else pass the
  (new) argument --dont-expire-password when creating the account.

- Added --remove-service argument.

- Fixed old kvno expiration policy so that it keeps old principals
   around in the keytab for a week, instead of just keeping the
   immediately-prior kvno.

- Disabled use of DES keys by default. You will have to explicitly
  request them with --enctypes if you want them.

- Removed --des-only option, you can use --enctypes if you really want
  to use single DES. (which, of course, you shouldn't, given that it's
  now 2010 and Single DES was known to be utterly broken for over 10
  years by now!)

- Fixed salting to lowercase the account name, as the AD server does.

- Switched languages from C to C++.

- Lots of other cleanup and various bugfixes.

****

Changelog of non-packaging changes from previous releases:

msktutil 0.3.16-7

  * fix keytab bug in 0.3.16-6

 -- Doug Engert <deengert@anl.gov>  Fri, 17 Apr 2009 10:48:00 -0500

msktutil 0.3.16-6

  * Work with W2008 without hotfix 951191

  * SASL ssf varied depending on TLS to circumvent another W2008 bug

  * added --enctypes N where N is defined with W2008
    http://msdn.microsoft.com/en-us/library/cc223853(PROT.10).aspx
    msDs-supportedEncrtptionTypes. 1=DES, 2=DES, 4=RC4,
    8=AES128 16=AES256. N is sum of these.

  * Use /dev/urandom and 63 character password.

  * --verbose --verbose turns on LDAP debugging

  * #ifdef for use with Solairs LDAP

  * Cleanup of other LDAP code and error handing

  * msktutil.interactive updated to work on Solaris and use msktutil
    from same directory.

 -- Doug Engert <deengert@anl.gov>  Tue, 14 Apr 2009 11:16:53 -0500

msktutil (0.3.16-5)

  * Updated msktutil.interactive example script.

 -- Brian Elliott Finley <brian@thefinleys.com>  Mon, 07 Aug 2006 16:59:24 -0500

msktutil (0.3.16-4)

  * Updated msktutil.interactive example script.

 -- Brian Elliott Finley <brian@thefinleys.com>  Thu, 27 Jul 2006 16:31:17 -0500