Commit message (Collapse)AuthorAgeFilesLines
* wipHEADmasterG√ľnther Deschner2014-03-052-0/+71
* Add tests for gic_pwd password changeGreg Hudson2014-03-032-0/+38
| | | | ticket: 7868
* Use preauth options when changing passwordGreg Hudson2014-03-031-12/+51
| | | | | | | | | | | If we try to change the password in rb5_get_init_creds_password, we must use all application-specified gic options which affect preauthentication when getting the kadmin/changepw ticket. Create a helper function make_chpw_options which copies the application's options, unsets the options we don't want, and sets options appropriate for a temporary ticket. ticket: 7868
* Check for malloc failure in process_chpw_requestGreg Hudson2014-03-031-2/+3
| | | | | | ticket: 7866 target_version: 1.12.2 tags: pullup
* Conditionalize use of LDAP_OPT_DEBUG_LEVELGreg Hudson2014-02-281-0/+2
| | | | | | | | | The LDAP debug level option (#7551) causes a build failure with the Solaris LDAP library, which does not have LDAP_OPT_DEBUG_LEVEL. ticket: 7870 (new) target_version: 1.12.2 tags: pullup
* Fix install rule for gssapi_krb5.hGreg Hudson2014-02-281-1/+1
| | | | Revert r16428 now that gssapi_krb5.h is in the source tree.
* Correct docs for "kdb5_util load" switchesJeff D'Angelo2014-02-281-5/+3
| | | | | | | | | | | | | | | Remove obsolete parenthetical statement in the description of the "-update" switch to "kdb5_util load". Using the "-update" flag to load a second dump made using the "-ov" switch is no longer necessary now that the "-r13" format is the default. Add statement that the "-b7" dump format was the default for versions prior to 1.2.2 (to match the statement from "dump" section). [ commit message] ticket: 7865 tags: pullup target_version: 1.12.2
* Missing type refs in docs due to stdint.h changesTom Yu2014-02-271-0/+2
| | | | | | References to krb5_int16.rst and krb5_ui_2.rst were missing, but recently began causing sphinx-build errors because Doxygen started generating them after the stdint.h changes.
* Fix two omissions in stdint.h changesGreg Hudson2014-02-262-4/+4
| | | | | | | | Since we no longer prefix an "#include <stdint.h>" in the gssapi.h preamble at build time, include it in gssapi.hin. Update util/gss/kernel-lib/ to account for gssapi_krb5.h being in the source tree.
* In kdb5_util dump, only lock DB for iprop dumpsGreg Hudson2014-02-261-10/+12
| | | | | | | | | | | | | | Revert #7384, as there are no longer policy refcounts. For iprop dumps we want to make sure that the reported serial number matches the DB state (although we could perhaps relax that requirement with enough analysis), but for non-iprop dumps we don't need any transactional guarantees. Also use the correct constant name for the locking mode (the numeric value is the same, fortunately), and only unlock the database if we successfully locked it. ticket: 7869 (new)
* Eliminate internal fixed-width type wrappersGreg Hudson2014-02-2627-138/+120
| | | | | Directly use stdint.h names for integer types in preference to the various internal names we have made up for them.
* Stop generating gssapi_krb5.hGreg Hudson2014-02-265-56/+50
| | | | | | | We started generating gssapi_krb5.h from gssapi_krb5.hin when we needed to use a 64-bit type for lucid contexts. Since we can now assume a standard name for 64-bit types, we can stop generating the header.
* Get rid of builtin AES uitypes.hGreg Hudson2014-02-2611-749/+612
| | | | | Remove uitypes.h and just include stdint.h; all we need from it is uint{8,16,32}_t.
* Assume <stdint.h> and fixed-width typesGreg Hudson2014-02-2611-209/+15
| | | | | | | Make unconditional use of <stdint.h> and fixed-width types such as uint32_t. k5-plugin.h doesn't use any special integer types, so remove the conditional include block there. Nothing uses INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now.
* Minimize race conditions in t_iprop.pyGreg Hudson2014-02-262-36/+77
| | | | | | | | | | | | Augment kpropd's debugging output so we can see the starting and ending serial numbers of a sync, and check them in's wait_for_prop to make sure we're observing the correct sync each time. Try to make sure we only send SIGUSR1 when kpropd is actually sleeping, by waiting for it to print its pre-sleep message to stderr after a full dump and after each sync. This isn't perfect, as there is a short window between printing to stderr and actually sleeping, but we can't do any better until kpropd has a more reliable mechanism for triggering immediate updates.
* Avoid duplicate "/etc/krb5.conf" in profile pathTom Yu2014-02-263-3/+14
| | | | | | | | | | | | | | | | If configure gets run with --sysconfdir=/etc, "/etc/krb5.conf" shows up twice in the profile path, which causes its contents to be read twice. This can cause some confusing and possibly problematic behavior. Add some logic to to avoid adding the duplicate entry for "/etc/krb5.conf". Reported independently by Denis Vlasenko and Fredrik Tolf. ticket: 3277 tags: pullup target_version: 1.12.2
* Update kadmin set_string documentZhanna Tsitkov2014-02-262-6/+22
| | | | | Added 'otp' as an acceptable attribute name. Added examples. Also, x-ref kadmin document from otp.rst.
* Document hierarchical ipropGreg Hudson2014-02-201-6/+13
| | | | | | | Also remove an outdated caveat, but add a new one about policy changes causing full resyncs. ticket: 7855
* Test iprop slave ulog managementGreg Hudson2014-02-201-98/+238
| | | | | | | | | | | | Check the ulog more thoroughly after each operation, including the principal names we expect in each update entry. Verify that the slave ulog contains actual update entries received from master. Add a second slave which receives updates from the first. Test a wider variety of principal operations. Add two additional operations after the full resync to test that incremental updates resume after a full resync (albeit with some lag). ticket: 7855
* Implement kpropd -AGreg Hudson2014-02-202-0/+13
| | | | | | | | | | The -A option causes kpropd to contact a specified admin server (normally an intermediate slave running kadmind -proponly) instead of the master admin server. Based on code submitted by Richard Basch. ticket: 7855
* Implement kadmind -proponlyGreg Hudson2014-02-202-15/+29
| | | | | | | | | | | The -proponly option causes kadmind to only service the iprop service, not the kpasswd or kadmin services. An intermediate slave in a hierarchical iprop setup runs kadmind -proponly in order to provide incremental updates to downstream slaves. Based on code submitted by Richard Basch. ticket: 7855
* Maintain complete ulog on iprop slavesGreg Hudson2014-02-201-75/+73
| | | | | | | | | | | | | | | | | | | | | | | | | | Factor out most of ulog_add_update into a helper function named store_update, and make ulog_add_update just responsible for assigning a serial number and timestamp to the update before storing it. In ulog_replay, use store_update and ulog_finish_update to add each update to the ulog in addition to replaying it to the database. Don't use incr_ret->lastentry to set kdb_last_sno/kdb_last_time, since it will have been set properly by adding the individual updates; instead, just reinitialize the ulog on error. Slave ulogs use serial numbers provided from upstream, and thus do not always begin at serial number 1 after a header reset. As a result, we must: (A) in store_update, detect the first update (for which we must assign kdb_first_sno/kdb_first_time) by comparing kdb_num to 0, instead of by comparing the serial number to 1; (B) in store_update, detect that we are overwriting the first update by comparing kdb_num to ulogentries, instead of comparing the serial number to ulogentries; and (C) in ulog_map, detect that ulogentries changed by verifying the first and last serial number and timestamp against the actual ulog entries, rather than simply comparing kdb_last_sno to kdb_num. Based on code submitted by Richard Basch. ticket: 7855
* Simplify ulog_mapGreg Hudson2014-02-2010-123/+61
| | | | | | | | | | | | | | | | | | | | Get rid of the caller parameter. The kproplog semantics (without -R) for mapping the ulog are simple and almost completely different from other users of the ulog, so implement them as a static helper in kproplog. With hierarchical iprop, kpropd will need the same semantics as FKCOMMAND and FKADMIND, which were already identical. Get rid of the db_args parameter, since ulog_map no longer opens the database after #7552. Remove an inoperative lseek() call when creating a new ulog file. Rename ulog_filesize to filesize and compute it from scratch each time we use it, for easier analysis. If kdb_hmagic is zero, init the ulog header but don't skip the rest of the function; it's possible that we need to expand the ulog file. Remove an unneeded conditional before calling extend_file_to for an existing ulog. ticket: 7855
* Lock around more ulog operationsGreg Hudson2014-02-208-67/+150
| | | | | | | | | | | | | | | Always lock the ulog when accessing it. We can currently get away with some laxness on iprop slaves because they are mostly synchronous, but hierarchical iprop will allow master and slave operations to take place concurrently, requiring more strict locking. Add new functions ulog_get_last and ulog_set_last, which access the ulog header with locking, and use them in kdb5_util and kpropd. Add locking to ulog_replay and ulog_init_header. ulog_lock and ulog_sync_header are no longer used outside of kdb_log.c after these changes, so make them static functions and remove the ulog_ prefix. Add an unlock_ulog function for clarity.
* Factor out ulog serial number status checkGreg Hudson2014-02-204-54/+78
| | | | | | | | | | | | | | | Add a new function ulog_get_sno_status, which checks a serial number and timestamp against the ulog for currency. Use it in kdb5_util dump and in ulog_get_entries. Adjust parse_iprop_header's contract in dump.c to better match the ulog_get_sno_status contract. This change causes some minor behavior differences. kadmind will check for an empty ulog unless the last serial number matches exactly, and will never set lastentry when returning UPDATE_FULL_RESYNC_NEEDED (which was pointless). kdb5_util dump will recognize a dump file as current if it exactly matches the last serial number, even if the ulog is empty; it will be more robust in the presence of non-monotonic clocks; and it will properly lock around the ulog access.
* Simplify iprop update locking and avoid deadlockGreg Hudson2014-02-203-140/+37
| | | | | | | | | | | | | Since we are no longer treating the update log like a journal (#7552), we don't need two-stage update logging. In kdb5.c, add an update log entry after each DB change in one step, without getting an explicit lock. In kdb_log.c, combine ulog_add_update with ulog_finish_update, and make ulog_add_update lock the ulog internally. This change avoids deadlock by removing the only cases where the ulog is locked before the DB. ticket: 7861
* Use system dictionary for db2 tests againGreg Hudson2014-02-191-4/+13
| | | | | | | | | | The built-in word list is not long enough for all of the libdb2 tests to run properly. Revert d21a86e47a7cda29225013e08d060095b94b2ee7 and go back to using the system dictionary if we find one. However, omit any lines from the chosen word list which contain non-alphabetical characters. ticket: 7860
* Use TAILQ macros instead of CIRCLEQ in libdb2Greg Hudson2014-02-192-27/+24
| | | | | | | | | The optimizer in gcc 4.8.1 (but not the current gcc head revision) breaks the queue.h CIRCLEQ macros, apparently due to an overzealous strict aliasing deduction. Use TAILQ macros in the libdb2 mpool code instead. ticket: 7860
* Document 1.12 changes in MIT Kerberos Features docZhanna Tsitkov2014-02-193-2/+17
| | | | ticket: 7857
* Make KDC "status" statements more homogeneousZhanna Tsitkov2014-02-193-21/+35
| | | | | | | | | | | | | | | | | | | | | | Generally we want KDC status strings to be concise, informative and follow some common rules: - All letters in the status string should be capitalized; - the words in the status phrase are separated by underscore; - abbreviations should be avoided. Some acceptable "standard" acronyms are AS_REQ, TGS_REP etc. - since in almost all cases KDC status is set on error, no need to state this fact as part of the status string; - KDC status string should be an imperative phrase. For example, "DECRYPT_SERVER_KEY". This commit is to modify some KDC status messages to follow this format. Even though KDC status messages are not standardized, it is possible that some administrators use them in the Kerberos log file processing. Hence, the vast majority of them are left unchanged pending further investigation (mostly, feedback from the administrators).
* Support referrals from Windows Server 2003Nate Rosenblum2014-02-181-3/+32
| | | | | | | | | | | | | | | | | Although RFC 6806 Section 7 requires servers to indicate a client referral in a WRONG_REALM message, Microsoft Windows Server 2003 returns this information in a message with error code PRINCIPAL_UNKNOWN. Failure to follow the referral in these messages prevents referral chasing in Windows Server 2003 forests. Detect referral messages of this type by checking for a non-empty client.realm field in the response, and activate the referral logic in these cases. [ style, comments, and commit message] ticket: 7856 (new) target_version: 1.12.2 tags: pullup
* Update doc build instructionsTom Yu2014-02-142-22/+7
| | | | | | | | | Documentation build instructions in doc/README were out of date. Update them. ticket: 7864 (new) tags: pullup target_version: 1.12.2
* Generate dependencies for t_stringattrGreg Hudson2014-02-122-1/+12
| | | | | When t_stringattr.c was introduced, it wasn't added to EXTRADEPSRCS, so no dependencies were created for it. Fix that now.
* Don't use system dictionary files for DB2 testsGreg Hudson2014-02-111-8/+0
| | | | | | | | | The system dictionary may contain entries with punctuation, which can confuse the shell. It's more predictable to always use the word list from the source tree. ticket: 7860 status: open
* Fix SAM-2 preauth when password argument is usedGreg Hudson2014-02-111-2/+3
| | | | | | | | | | | | | | | | sam2_process accesses gak_data to get the password, so that it can do string-to-key with the etype in the SAM-2 challenge. When #7642 changed gic_pwd.c to use struct gak_password instead of krb5_data, sam2_process wasn't altered to match. We don't see a problem when the password is read through the prompter (as with kinit), because the password winds up in the storage field at the beginning of the gak_password structure. But when a password is supplied as a parameter (as with ksu), the storage field is empty and we get the wrong answer from sam2_process. ticket: 7862 target_version: 1.12.2 tags: pullup
* Correctly get default realm in kdb5.cGreg Hudson2014-02-112-15/+13
| | | | | | | Call krb5_get_default_realm instead of directly accessing context->default_realm, to remove the requirement that krb5_get_default_realm or krb5_set_default_realm be used before krb5_db_open.
* Move OTP sockets to KDC_RUN_DIRNathaniel McCallum2014-02-0610-3/+23
| | | | | | | | | | | | Some system configurations expect Unix-domain sockets to live under /run or /var/run, and not other parts of /var where persistent application state lives. Define a new directory KDC_RUN_DIR using $runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run if it's not set) and use that for the default socket path. [ commit message, otp.rst formatting fix] ticket: 7859 (new)
* Test SPNEGO acceptor response to MS krb5 mech OIDGreg Hudson2014-02-051-4/+60
| | | | | | | | | | | | In t_spnego.c, add code to make a SPNEGO request with the erroneous Microsoft OID value and examine the response to make sure that it uses the same OID value as the request did. The token and tmp variables were unused, so rename them to itok and atok for the purpose of the new test code. ticket: 7858 target_version: 1.12.2 tags: pullup
* Properly reflect MS krb5 mech in SPNEGO acceptorGreg Hudson2014-02-051-4/+4
| | | | | | | | | | | | | | | r25590 changed negotiate_mech() to return an alias into the acceptor's mech set, with the unfortunate side effect of transforming the erroneous Microsoft krb5 mech OID into the correct krb5 mech OID, meaning that we answer with a different OID than the requested one. Return an alias into the initiator's mech set instead, and store that in mech_set field the SPNEGO context. The acceptor code only uses mech_set to hold the allocated storage pointed into by internal_mech, so this change is safe. ticket: 7858 target_version: 1.12.2 tags: pullup
* Don't get KDB lock in ulog_get_entriesGreg Hudson2014-02-051-12/+0
| | | | | | | | ulog_get_entries does not access the KDB, only the ulog, so it does not need a KDB lock; its read lock on the ulog is sufficient to prevent logged updates from happening while it is running. There is no reason to serialize against unlogged KDB updates such as those performed by the KDC, as those do not affect the ulog.
* In kdb5_util load, init ulog closer to promoteGreg Hudson2014-02-053-10/+8
| | | | | | | Always map the ulog with FKCOMMAND, not FKLOAD which reinitializes the ulog. Don't reinitialize the ulog until just before calling krb5_db_promote(). Get rid of FKLOAD since it isn't needed any more; we can just call ulog_init_header() manually.
* Clean up ovsec_kadmd.cGreg Hudson2014-02-051-717/+342
| | | | | | | | | | | | | | | Fix code formatting issues. Use static scope when possible, and put all helper functions before main so that forward declarations aren't needed. Use GSS_KRB5_NT_PRINCIPAL_NAME instead of constructing it with gss_str_to_oid, and get rid of display_status as that was the only use. Replace large verbose function comments with concise ones. Factor out main loop setup and KDB keytab setup into helper functions. Create a helper function fail_to_start for logging and exiting on initialization failures, and use it instead of the large cleanup blocks in main. Some initialization error messages have changed; no other functional changes.
* Modernize iprop codeGreg Hudson2014-02-057-1062/+758
| | | | | | | | | | | | | | | | | | | | * Don't use "extern" for kdb_log.h prototypes. * Avoid passing structures by value. * Avoid the need to cast the result of the INDEX macro, and use char * instead of unsigned long for pointer arithmetic. * Reorganize kdb_log.c so static helpers are at the top and don't use the "ulog_" prefix. * Get rid of ulog_finish_update_slave since it's more concise to open-code it in ulog_replay. * Get rid of ulog_delete_update. In krb5_db_delete_principal, just call ulog_add_update with kdb_deleted set in upd. * Modernize coding style of kproplog.c. Use k5memdup0 instead of snprintf in print_str to convert a byte range to a C string. Remove an unnecesary textdomain call; libkrb5 takes care of calling bindtextdomain in the library initializer. * Modernize coding style of kpropd.c and kprop.c. No functional changes.
* Fix kpropd -xGreg Hudson2014-01-301-0/+1
| | | | | | | | | A missing break in the switch statement caused kpropd -x to error out with a usage message. ticket: 7854 (new) target_version: 1.12.2 tags: pullup
* Remove kdb5_util load iprop safety netGreg Hudson2014-01-301-14/+0
| | | | | | | | | Revert the safety net added #7370. As written it only applied to the master KDC, where a normal load sometimes makes sense. Even on a slave, there are edge cases where it can make sense to do a normal load. ticket: 7850 (new)
* Check for unstable ulog in ulog_get_entriesGreg Hudson2014-01-301-6/+4
| | | | | | | | | | | | | If a process terminates in the middle of a logged database update, it will release its lock and leave the ulog in the KDB_UNSTABLE state. kadmind should notice this when it calls ulog_get_entries, but right now it only checks for the KDB_CORRUPT state (which is never set any more) and does not recover. Check for any state other than KDB_STABLE and recover by resetting the ulog and forcing full resyncs to slaves. ticket: 7853 (new) target_version: 1.12.2 tags: pullup
* Add test case for ulog serial number wrappingGreg Hudson2014-01-305-0/+119
| | | | | | | | | Add a unit test program named t_ulog. Make it map a ulog file, set up header state where kdb_last_sno is the last serial number, and then add an empty update. Check that the result is a ulog header with one update at serial number 1. ticket: 7839
* Reinitialize ulog when wrapping serial numberGreg Hudson2014-01-301-13/+8
| | | | | | | | | | | When we wrap the serial number, reinitialize the ulog so that kdb_num starts counting from 1, instead of leaving the ulog in a weird state where kdb_num == ulogentries but kdb_last_sno == 1 and the serial numbers in the circular array aren't necessarily contiguous. ticket: 7839 (new) target_version: 1.12.2 tags: pullup
* Remove krb5-send-prTom Yu2014-01-2814-1466/+12
| | | | | | | Remove the GNATS-based krb5-send-pr script and replace it with a script that instructs users to send email. ticket: 7840 (new)
* Add test coverage for gss_pseudo_randomGreg Hudson2014-01-223-6/+193
| | | | | Add a test program which compares gss_pseudo_random outputs against expected values for each enctype.