krb5.git/src/lib/kadm5, branch master Unnamed repository; edit this file 'description' to name the repository. Stop generating gssapi_krb5.h 2014-02-26T21:15:20+00:00 Greg Hudson ghudson@mit.edu 2014-02-01T20:59:21+00:00 a7a2c02b618aea40ebd4f597ec956eaf0fe210f5 We started generating gssapi_krb5.h from gssapi_krb5.hin when we needed to use a 64-bit type for lucid contexts. Since we can now assume a standard name for 64-bit types, we can stop generating the header. 
We started generating gssapi_krb5.h from gssapi_krb5.hin when we
needed to use a 64-bit type for lucid contexts.  Since we can now
assume a standard name for 64-bit types, we can stop generating the
header.
Simplify ulog_map 2014-02-21T01:42:47+00:00 Greg Hudson ghudson@mit.edu 2014-01-24T21:52:47+00:00 6a4a4b7b5e3265e4a811a9fd72c2534e6c5f5fd4 Get rid of the caller parameter. The kproplog semantics (without -R) for mapping the ulog are simple and almost completely different from other users of the ulog, so implement them as a static helper in kproplog. With hierarchical iprop, kpropd will need the same semantics as FKCOMMAND and FKADMIND, which were already identical. Get rid of the db_args parameter, since ulog_map no longer opens the database after #7552. Remove an inoperative lseek() call when creating a new ulog file. Rename ulog_filesize to filesize and compute it from scratch each time we use it, for easier analysis. If kdb_hmagic is zero, init the ulog header but don't skip the rest of the function; it's possible that we need to expand the ulog file. Remove an unneeded conditional before calling extend_file_to for an existing ulog. ticket: 7855 
Get rid of the caller parameter.  The kproplog semantics (without -R)
for mapping the ulog are simple and almost completely different from
other users of the ulog, so implement them as a static helper in
kproplog.  With hierarchical iprop, kpropd will need the same
semantics as FKCOMMAND and FKADMIND, which were already identical.

Get rid of the db_args parameter, since ulog_map no longer opens the
database after #7552.

Remove an inoperative lseek() call when creating a new ulog file.
Rename ulog_filesize to filesize and compute it from scratch each time
we use it, for easier analysis.  If kdb_hmagic is zero, init the ulog
header but don't skip the rest of the function; it's possible that we
need to expand the ulog file.  Remove an unneeded conditional before
calling extend_file_to for an existing ulog.

ticket: 7855
Refactor krb5_string_to_keysalts() 2014-01-08T20:29:04+00:00 Tom Yu tlyu@mit.edu 2014-01-07T21:37:46+00:00 0918990bf1d8560d74473fc0e41d08d433da1a15 Use various standard C library functions rather than rolling our own. Previous code spent many lines reimplementing realloc(), strpbrk(), strtok_r(), etc. Make a separate string_to_keysalt() parser for an individual keysalt pair, which for now is private and destructive. 
Use various standard C library functions rather than rolling our own.
Previous code spent many lines reimplementing realloc(), strpbrk(),
strtok_r(), etc.

Make a separate string_to_keysalt() parser for an individual keysalt
pair, which for now is private and destructive.
Make salt defaulting work for keysalts 2014-01-06T22:17:02+00:00 Tom Yu tlyu@mit.edu 2014-01-06T22:17:02+00:00 cc26d29b8087e31d0ea1aca6bde45f8935e8b744 Make krb5_string_to_keysalts() default to only ":" as a key:salt separator character. Change most of its callers to pass NULL so they get the default separators. Adapted from a patch proposed by Jon Looney. ticket: 884 
Make krb5_string_to_keysalts() default to only ":" as a key:salt
separator character.  Change most of its callers to pass NULL so they
get the default separators.

Adapted from a patch proposed by Jon Looney.

ticket: 884
Default to normal salt instead of "ignore" 2014-01-06T21:56:49+00:00 Tom Yu tlyu@mit.edu 2014-01-06T21:32:50+00:00 25a3b1bd943199bcaa3a9d3a43f90f8ea05f1124 krb5_string_to_keysalts() treats an empty salt field as -1 ("ignore"), rather than as the normal salttype. Default to normal instead, so that omitting a salttype works as expected. ticket: 6042 
krb5_string_to_keysalts() treats an empty salt field as -1 ("ignore"),
rather than as the normal salttype.  Default to normal instead, so
that omitting a salttype works as expected.

ticket: 6042
Fix uninitialized warning in client_init.c 2013-12-21T15:08:06+00:00 Greg Hudson ghudson@mit.edu 2013-12-21T15:08:06+00:00 815565f918f2c64c59561dbe37efc251ddb67c22 ticket: 7800 
ticket: 7800
Allow realm in kadm5_init service names 2013-12-21T05:06:22+00:00 Greg Hudson ghudson@mit.edu 2013-12-19T18:33:33+00:00 5341cfde2b3e607e294bb0d057dc3540172a8b1b Previously, if you passed a service name with a realm part to a kadm5_init function, you would get a KRB5_PARSE_MALFORMED error because the code would internally append its own '@realm' suffix before parsing the name. Fix this as follows: Change gic_iter so instead of producing a full service name, it produces a krb5_principal which is taken from the cred it acquires. Pass the client and full service name around as principals, rather than strings, and use the gss_nt_krb5_principal name type to import them in setup_gss(). Don't append a realm to the input service name; instead, pass the input service name directly to the gic functions (which do not need a realm in the service name and will ignore the realm if one is present). For the INIT_CREDS case, parse the input service name with KRB5_PRINCIPAL_PARSE_IGNORE_REALM and then set the realm. ticket: 7800 
Previously, if you passed a service name with a realm part to a
kadm5_init function, you would get a KRB5_PARSE_MALFORMED error
because the code would internally append its own '@realm' suffix
before parsing the name.  Fix this as follows:

Change gic_iter so instead of producing a full service name, it
produces a krb5_principal which is taken from the cred it acquires.
Pass the client and full service name around as principals, rather
than strings, and use the gss_nt_krb5_principal name type to import
them in setup_gss().  Don't append a realm to the input service name;
instead, pass the input service name directly to the gic functions
(which do not need a realm in the service name and will ignore the
realm if one is present).  For the INIT_CREDS case, parse the input
service name with KRB5_PRINCIPAL_PARSE_IGNORE_REALM and then set the
realm.

ticket: 7800
Simplify libkadm5 client realm initialization 2013-12-21T05:06:22+00:00 Greg Hudson ghudson@mit.edu 2013-12-19T17:22:47+00:00 33b06596be92f7d8458ac6b136f092e235dec834 The "realm" variable in init_any is used only to fill in the realm of the service principal in gic_iter(). The service principal realm should always be the realm we looked up config parameters for, so we can supply that realm to get_init_creds() unconditionally and eliminate the case where we use the client principal realm. Also get rid of an outdated comment and an #if 0 block we will never need again, and use SNPRINTF_OVERFLOW to check the snprintf result. 
The "realm" variable in init_any is used only to fill in the realm of
the service principal in gic_iter().  The service principal realm
should always be the realm we looked up config parameters for, so we
can supply that realm to get_init_creds() unconditionally and
eliminate the case where we use the client principal realm.

Also get rid of an outdated comment and an #if 0 block we will never
need again, and use SNPRINTF_OVERFLOW to check the snprintf result.
Avoid deprecated krb5_get_in_tkt_with_keytab 2013-11-04T18:51:14+00:00 Ben Kaduk kaduk@mit.edu 2012-07-10T14:14:52+00:00 29dee7d2cece615bec4616fa9b727e77210051db The kprop code has been pretty unloved, and uses some routines that are marked as deprecated (which show up as warnings in the build log). Use the documented replacement for krb5_get_in_tkt_with_keytab, krb5_get_init_creds_keytab, instead. As a bonus, there is no longer a side effect of a credentials cache that needs to be destroyed. The also-deprecated function krb5_get_in_tkt_with_skey was backending to it when no keyblock was passed in; we can unroll the call to krb5_get_init_creds_keytab ourselves as the documented workaround. While here, improve style compliance with regards to cleanup. The setkey test just wants to know whether it can use the key it just put into a keytab to get credentials; as such the recommended krb5_get_init_creds_keytab is quite sufficient. While here, use that interface to request the particular enctype as well, reducing the scope of an XXX comment. ticket: 6366 
The kprop code has been pretty unloved, and uses some routines that
are marked as deprecated (which show up as warnings in the build log).
Use the documented replacement for krb5_get_in_tkt_with_keytab,
krb5_get_init_creds_keytab, instead.  As a bonus, there is no longer
a side effect of a credentials cache that needs to be destroyed.

The also-deprecated function krb5_get_in_tkt_with_skey was backending
to it when no keyblock was passed in; we can unroll the call to
krb5_get_init_creds_keytab ourselves as the documented workaround.
While here, improve style compliance with regards to cleanup.

The setkey test just wants to know whether it can use the key it
just put into a keytab to get credentials; as such the recommended
krb5_get_init_creds_keytab is quite sufficient.
While here, use that interface to request the particular enctype
as well, reducing the scope of an XXX comment.

ticket: 6366
Don't cache active master key list in kadmind 2013-10-25T15:36:11+00:00 Greg Hudson ghudson@mit.edu 2013-10-23T22:56:20+00:00 74c1420ea4dffc1105247e362decf608440751ae "kdb5_util use_mkey" should not require a kadmind restart to take effect. At the cost of fetching the K/M principal once for each key change operation, make kadmind use the current active master key list for each operation. ticket: 7685 target_version: 1.12 tags: pullup 
"kdb5_util use_mkey" should not require a kadmind restart to take
effect.  At the cost of fetching the K/M principal once for each key
change operation, make kadmind use the current active master key list
for each operation.

ticket: 7685
target_version: 1.12
tags: pullup