2004-01-31 Jeffrey Altman * ms2mit.c: Do not allow ticket importing of the Initial TGT cannot be obtained. The MSLSA krb5_ccache will not export the Initial TGT if the session key enctype is NULL. 2003-12-11 Jeffrey Altman * ms2mit.c, Makefile.in: Remove all of the code that manipulates the MS LSA cache. Instead of reading in the TGT directly we now take advantage of the new "MSLSA:" krb5_ccache type. We open the MS LSA cache as a read-only ccache and copy it to the default ccache for the system. This removes the dependency on secur32.dll from this file. 2003-10-21 Jeffrey Altman * ms2mit.c: Because of the failure of Windows 2000 and Windows XP to perform proper ticket expiration time management, the MS Kerberos LSA will return tickets to a calling application with lifetimes as short as one second. Tickets with lifetimes less than five minutes can cause problems for most apps. Tickets with lifetimes less than 20 minutes will trigger the Leash ticket lifetime warnings. Instead of accepting whatever tickets are returned by MS LSA from the cache, if the ticket lifetime is less than 20 minutes force a retrieval operation bypassing the LSA ticket cache. 2003-07-16 Jeffrey Altman * ms2mit.c: Functional changes: (1) do not restrict ourselves to DES-CBC-CRC instead support any ticket with an enctype we support. as of this date (rev 1.3) this includes all but RC4-MD4. (2) do not accept invalid tickets (3) when attempting to retrieve tickets do not specify either the enctype or cache options (if possible). doing so will force a TGS request and prevent the results from being stored into the cache. (4) when the LSA cache contains a TGT which has expired Microsoft will not perform a new TGS request until the cache has been purged. Instead the expired ticket continues to be used along with its embedded authorization data. When PURGE_ENABLED is defined, if the tickets are expired, the cache will be purged before requesting new tickets, else we ignore the contents of the cache and force a new TGS request. (5) when the LSA cache is empty do not abort. On XP or 2003, use the SecurityLogonSessionData to determine the Realm (UserDnsDomain in MS-speak) and request an appropriate TGT. On 2000, check the Registry for the HKCU\"Volatile Environment":"USERDNSDOMAIN" instead. This will allow ms2mit to be used to repopulate the LSA cache. If the current session is not Kerberos authenticated an appropriate error message will be generated. Code changes: (1) several memory leaks plugged (2) several support functions copied from the Leashw32.dll sources (3) get_STRING_from_registry() uses the ANSI versions of the Registry functions and should at a later date be converted to use the Unicode versions. Notes: an ms2mit.exe based on the Leash_import() function should be considered. Leash_import() not only imports the TGT from the LSA but also performs the krb524 conversion and AFS token retrieval. Of course, that version of ms2mit.exe could not exist within the krb5 source tree. 2003-06-20 Jeffrey Altman * ms2mit.c: Windows Credentials are addressless. Do not store the credentials in the MIT cache with addresses since they do not contain addresses in the encrypted portion of the credential. Instead generate a valid empty address list. 2002-08-29 Ken Raeburn * Makefile.in: Revert $(S)=>/ change, for Windows support. 2002-08-23 Ken Raeburn * Makefile.in: Change $(S)=>/ and $(U)=>.. globally. 2001-11-28 Danilo Almeida * ms2mit.c: Make sure we get a des-cbc-crc session key instead of potentially getting whatever happens to be in the cache. Remove unnecessary static variables. Make function headers use a consistent format. Rename ShowLastError() to ShowWinError() and ShowNTError() to ShowLsaError().