| Commit message (Collapse) | Author | Age | Files | Lines |
| |
'sid' is a stack variable, by assigning its address to the domain_sid pointer
we were later referencing garbage (whatever on the stack happened to be at
that address).
Properly copy the sid and allocate it on the provided memory context.
| |
We were using the wrong principal in the s4u2proxy case.
Fixes: https://fedorahosted.org/freeipa/ticket/2504
| |
These definitions were needed during development to be able to build against
krb5 version < 1.10
These function headers and definitions are now available in 1.10 that is a hard
dependency for freeipa 3.0, so we can safely drop them.
| |
Fixes: https://fedorahosted.org/freeipa/ticket/2170
| |
This patch requires a forthcoming change in MIT libraries which allows to pass
NULL for the server_key to the krb5_pac_verify() function.
In most cases we should always only check the KDC checksum to verify the PAC
validity.
The only exception is when we are releasing a ticket to a client from another
realm. In this case the only signature we can check is the server checksum, and
we use the cross-realm key to validate in this case.
The previous code was working for normal cases because the kdc uses the same
key to create the server and the kdc checksum for a TGT, but that is not true
for evidence tickets (s4u2proxy) or cross-realm TGTs.
Fixes: https://fedorahosted.org/freeipa/ticket/2169
| |
Allow to deref more than one attribute.
The attrs searched are the same for all deref attributes at this time.
| |
Fixes: https://fedorahosted.org/freeipa/ticket/2122
| |
Fake code for now, to be rebased later