author Jeffrey Altman <jaltman@secure-endpoints.com> 2003-07-18 13:17:47 +0000
committer Jeffrey Altman <jaltman@secure-endpoints.com> 2003-07-18 13:17:47 +0000
commit 4aa7e1ee05e648e30b1c7184074348b0abe68dd5 (patch)
tree 549f855a6cc621ef8e1dad218e1ca64913502d36 /src/windows/ms2mit/ChangeLog
parent 4ce1f7c3a46485e342d3a68b4c60b76c196d1851 (diff)
* ms2mit.c:
Functional changes:
(1) do not restrict ourselves to DES-CBC-CRC instead support any ticket with an enctype we support. as of this date (rev 1.3) this includes all but RC4-MD4.
(2) do not accept invalid tickets
(3) when attempting to retrieve tickets do not specify either the enctype or cache options (if possible). doing so will force a TGS request and prevent the results from being stored into the cache.
(4) when the LSA cache contains a TGT which has expired Microsoft will not perform a new TGS request until the cache has been purged. Instead the expired ticket continues to be used along with its embedded authorization data. When PURGE_ENABLED is defined, if the tickets are expired, the cache will be purged before requesting new tickets, else we ignore the contents of the cache and force a new TGS request.
(5) when the LSA cache is empty do not abort. On XP or 2003, use the SecurityLogonSessionData to determine the Realm (UserDnsDomain in MS-speak) and request an appropriate TGT. On 2000, check the Registry for the HKCU\"Volatile Environment":"USERDNSDOMAIN" instead. This will allow ms2mit to be used to repopulate the LSA cache. If the current session is not Kerberos authenticated an appropriate error message will be generated.

Code changes:
(1) several memory leaks plugged
(2) several support functions copied from the Leashw32.dll sources
(3) get_STRING_from_registry() uses the ANSI versions of the Registry functions and should at a later date be converted to use the Unicode versions.

Notes: an ms2mit.exe based on the Leash_import() function should be considered. Leash_import() not only imports the TGT from the LSA but also performs the krb524 conversion and AFS token retrieval. Of course, that version of ms2mit.exe could not exist within the krb5 source tree.

ticket: 1667
target_version: 1.3.1
tags: pullup
owner: jaltman@mit.edu
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15696 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/windows/ms2mit/ChangeLog')
-rw-r--r-- src/windows/ms2mit/ChangeLog 49
1 files changed, 45 insertions, 4 deletions
diff --git a/src/windows/ms2mit/ChangeLog b/src/windows/ms2mit/ChangeLog
index 8741abbc05..1c5a9c45f8 100644
--- a/src/windows/ms2mit/ChangeLog
+++ b/src/windows/ms2mit/ChangeLog
@@ -1,21 +1,62 @@
+2003-07-16 Jeffrey Altman <jaltman@mit.edu>
+
+ * ms2mit.c:
+
+ Functional changes:
+ (1) do not restrict ourselves to DES-CBC-CRC instead support any
+ ticket with an enctype we support. as of this date (rev 1.3)
+ this includes all but RC4-MD4.
+ (2) do not accept invalid tickets
+ (3) when attempting to retrieve tickets do not specify either the
+ enctype or cache options (if possible). doing so will force a
+ TGS request and prevent the results from being stored into the
+ cache.
+ (4) when the LSA cache contains a TGT which has expired Microsoft will
+ not perform a new TGS request until the cache has been purged.
+ Instead the expired ticket continues to be used along with its
+ embedded authorization data. When PURGE_ENABLED is defined, if the
+ tickets are expired, the cache will be purged before requesting
+ new tickets, else we ignore the contents of the cache and force
+ a new TGS request.
+ (5) when the LSA cache is empty do not abort. On XP or 2003, use
+ the SecurityLogonSessionData to determine the Realm (UserDnsDomain
+ in MS-speak) and request an appropriate TGT. On 2000, check the
+ Registry for the HKCU\"Volatile Environment":"USERDNSDOMAIN"
+ instead. This will allow ms2mit to be used to repopulate the
+ LSA cache. If the current session is not Kerberos authenticated
+ an appropriate error message will be generated.
+
+ Code changes:
+ (1) several memory leaks plugged
+ (2) several support functions copied from the Leashw32.dll sources
+ (3) get_STRING_from_registry() uses the ANSI versions of the Registry
+ functions and should at a later date be converted to use the
+ Unicode versions.
+
+ Notes: an ms2mit.exe based on the Leash_import() function
+ should be considered. Leash_import() not only imports the TGT from
+ the LSA but also performs the krb524 conversion and AFS token retrieval.
+ Of course, that version of ms2mit.exe could not exist within the krb5
+ source tree.
+
2003-06-20 Jeffrey Altman <jaltman@mit.edu>
- * ms2mit.c: Windows Credentials are addressless. Do not store the
+ * ms2mit.c: Windows Credentials are addressless. Do not store the
credentials in the MIT cache with addresses since they do not
contain addresses in the encrypted portion of the credential.
Instead generate a valid empty address list.
2002-08-29 Ken Raeburn <raeburn@mit.edu>
- * Makefile.in: Revert $(S)=>/ change, for Windows support.
+ * Makefile.in: Revert $(S)=>/ change, for Windows support.
2002-08-23 Ken Raeburn <raeburn@mit.edu>
- * Makefile.in: Change $(S)=>/ and $(U)=>.. globally.
+ * Makefile.in: Change $(S)=>/ and $(U)=>.. globally.
2001-11-28 Danilo Almeida <dalmeida@mit.edu>
- * ms2mit.c: Make sure we get a des-cbc-crc session key instead of
+ * ms2mit.c: Make sure we get a des-cbc-crc session key instead of
potentially getting whatever happens to be in the cache. Remove
unnecessary static variables. Make function headers use a
consistent format. Rename ShowLastError() to ShowWinError() and
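
Review bot: Item (4) of the new 2003-07-16 entry makes the handling of an expired TGT depend on the compile-time symbol PURGE_ENABLED, but the entry does not say whether that symbol is defined in the default build, so a reader cannot tell which behaviour ships. Because item (3) states that forcing a TGS request keeps the result out of the cache, the non-purging branch would leave the expired TGT, with its embedded authorization data, in the LSA cache; the entry should say so explicitly and state the default. Item (2), "do not accept invalid tickets", should name the condition that is checked, since "invalid" could mean a ticket flag, an expired lifetime or an unsupported enctype. Separately, the four -/+ pairs in the older entries (2003-06-20, 2002-08-29, 2002-08-23, 2001-11-28) read identically as shown here, which suggests whitespace-only changes; those are easier to review as their own commit rather than mixed into a functional change log update.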