| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19596 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch addresses a problem discovered on some XP systems.
After rundll32.exe starts, the CreateProcess can fail to
start kfwcpcc.exe if the current directory is not %WinDir%\System32.
CreateProcess() should be called with the lpApplicationName parameter
set to NULL in order to permit the use of the PATH.
Also, in ConfigureLogonScript ensure that the trailing NUL of the
constructed command line is processed when producing the wide
character version of the string.
ticket: new
component: windows
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19488 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
will execute the NPLogonNotify function but if the logon is
re-connecting to an existing session, the LogonScript is ignored.
This leaves orphaned credential cache files.
This commit adds a function, KFW_cleanup_orphaned_caches, which
is called by NPLogonNotify to delete any orphaned cache files.
An orphaned cache file is one that is older than five minutes.
ticket: 5532
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19477 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change event log name from "KFW Logon" to "MIT Kerberos". This
is being done to avoid confusion with the "KFW Logon" functionality
that was provided by older versions of OpenAFS. (kfwlogon.h)
Remove logging of the inability to access the "Debug" registry value.
On Vista, kfwlogon.dll is no longer loaded by winlogin.exe. Instead
it is loaded by mpnotify.exe which is spawned once for each logon
request. (kfwcommon.c)
Add a test to ensure that RegisterEventSource succeeded before calling
ReportEvent. (kfwcommon.c)
Absolutely make sure that krb5_init_context() succeeded before calling
any other krb5 functions. (kfwcommon.c)
Add a comment explaining why NPGetCaps() says we are a file system even
though we are not. "It won't work otherwise." (kfwlogon.c)
Change all comparisions for Windows Station and AuthentInfoType names
to case insensitive comparisons. Vista does not use the same case as XP.
(kfwlogon.c)
Change the requested access to the temporary cache file from "All" to
"Read | Delete" when importing its contents into the API cache.
Otherwise, the access test will fail on Vista. (kfwlogon.c)
ticket: new
component: windows
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19476 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Non-interactive logons cause two problems:
(1) on XP/2003 the logon event handlers do not get triggered and on
all platforms the LogonScript does not get executed.
As a result, ccache files are not deleted.
(2) on all platforms, accessing the credential cache causes
krbcc32s.exe to be spawned. This process never terminates.
This patch tests for interactive logons. If the logon is not
interactive, the Network Provider exits immediately.
ticket: new
component: windows
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19296 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On Windows Vista the GINA architecture was removed. As a side
effect the support for the Logon Event Handlers was also removed.
The KFW Integrated Logon functionality relies on the "Logon"
event handler to migrate the user's tickets from a secure FILE:
ccache to an API: ccache so that the tickets will be available
to NetIDMgr and all other Kerberos applications.
This functionality is especially important on Vista for
accounts that are members of the Administrators group because
the User Account Control (UAC) restricts access to the session
keys of all tickets in the MSLSA ccache. The only way for
tickets to be made available to MIT Kerberos applications is
by obtaining them within the Network Provider and pushing them
into the Logon Session.
This patch replaces the missing Logon Event Handler support
with a new exported function "LogonEventHandler" which adheres
to the rundll32.exe specifications. The "LogonEventHandler"
function accepts as input the name of a FILE ccache and moves
the contents into an API: ccache and then deletes the FILE
ccache.
In order for this to work the FILE ccache must be owned by
the account that was used to logon to the current session.
The NPLogonNotify() function must therefore lookup the SID
for the active account, assign an appropriate DACL to the
ccache file, and change the owner. In addition, when Vista
is in use a LogonScript must be constructed that will perform
the call to rundll32.exe.
Other changes include altering the prototype of
KFW_copy_ccache_system_file to accept a filename instead of
the LogonID. This improves the abstraction and allows the
filename to be computed once and passed into multiple
functions from NPLogonNotify().
Many debugging calls were added to assist with implementation.
#define DEBUG 1 at the top of kfwcommon.c when you wish to
build with debugging that generates entries in the Windows
Application Event Viewer.
It is important to note that Integrated Logon attempts to
logon the username within the default realm within the
krb5.ini file using the provided password. This is so
a local machine account name matching the default realm
can obtain Kerberos tickets by synchronizing the password.
ticket: new
component: windows
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19221 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
| |
Windows 2000 does not support the ability to generate SIDs
from symbolic names.
Add more debugging and error condition checks.
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18387 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
ticket: 4048
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18382 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
ticket: 4048
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18381 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
KFW integrated login was failing when the user is
not a power user or administrator. This was occurring
because the temporary file ccache was being created in
a directory the user could not read. While fixing this
it was noticed that the ACLs on the ccache were too broad.
Instead of applying a fix to the FILE: krb5_ccache
implementation it was decided that simply applying a new
set of ACLs (SYSTEM and "user" with no inheritance) to
the file immediately after the krb5_cc_initialize() call
would close the broadest security issues.
The file is initially created in the SYSTEM %TEMP% directory
with "SYSTEM" ACL only. Then it is moved to the user's %TEMP%
directory with "SYSTEM" and "user" ACLs. Finally, after
copying the credentials to the API: ccache, the file is deleted.
ticket: new
tags: pullup
component: windows
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18379 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Wrap debugging statements
Fix bug in KFW_get_cred that prevents acquisition of
credentials.
ticket: new
component: windows
status: resolved
target_version: 1.4.4
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17534 dc483132-0cff-0310-8789-dd5450dbe970
|
|
The Logon Network Provider works like the OpenAFS Integrated
Logon. It uses the username entered by the user and the
default realm obtained from krb5.ini and the user entered
password. If possible, tickets are obtained and imported
into the user's CCAPI credential cache.
ticket: new
component: windows
target_version: 1.4.4
status: resolved
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17518 dc483132-0cff-0310-8789-dd5450dbe970
|