blob: 71577d979d82693ab9af2d568f6be300ad5d2999 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
2003-12-11 Jeffrey Altman <jaltman@mit.edu>
* ms2mit.c, Makefile.in:
Remove all of the code that manipulates the MS LSA cache. Instead
of reading in the TGT directly we now take advantage of the new
"MSLSA:" krb5_ccache type. We open the MS LSA cache as a read-only
ccache and copy it to the default ccache for the system.
This removes the dependency on secur32.dll from this file.
2003-10-21 Jeffrey Altman <jaltman@mit.edu>
* ms2mit.c:
Because of the failure of Windows 2000 and Windows XP to perform
proper ticket expiration time management, the MS Kerberos LSA will
return tickets to a calling application with lifetimes as short as
one second. Tickets with lifetimes less than five minutes can cause
problems for most apps. Tickets with lifetimes less than 20 minutes
will trigger the Leash ticket lifetime warnings.
Instead of accepting whatever tickets are returned by MS LSA from
the cache, if the ticket lifetime is less than 20 minutes force a
retrieval operation bypassing the LSA ticket cache.
2003-07-16 Jeffrey Altman <jaltman@mit.edu>
* ms2mit.c:
Functional changes:
(1) do not restrict ourselves to DES-CBC-CRC instead support any
ticket with an enctype we support. as of this date (rev 1.3)
this includes all but RC4-MD4.
(2) do not accept invalid tickets
(3) when attempting to retrieve tickets do not specify either the
enctype or cache options (if possible). doing so will force a
TGS request and prevent the results from being stored into the
cache.
(4) when the LSA cache contains a TGT which has expired Microsoft will
not perform a new TGS request until the cache has been purged.
Instead the expired ticket continues to be used along with its
embedded authorization data. When PURGE_ENABLED is defined, if the
tickets are expired, the cache will be purged before requesting
new tickets, else we ignore the contents of the cache and force
a new TGS request.
(5) when the LSA cache is empty do not abort. On XP or 2003, use
the SecurityLogonSessionData to determine the Realm (UserDnsDomain
in MS-speak) and request an appropriate TGT. On 2000, check the
Registry for the HKCU\"Volatile Environment":"USERDNSDOMAIN"
instead. This will allow ms2mit to be used to repopulate the
LSA cache. If the current session is not Kerberos authenticated
an appropriate error message will be generated.
Code changes:
(1) several memory leaks plugged
(2) several support functions copied from the Leashw32.dll sources
(3) get_STRING_from_registry() uses the ANSI versions of the Registry
functions and should at a later date be converted to use the
Unicode versions.
Notes: an ms2mit.exe based on the Leash_import() function
should be considered. Leash_import() not only imports the TGT from
the LSA but also performs the krb524 conversion and AFS token retrieval.
Of course, that version of ms2mit.exe could not exist within the krb5
source tree.
2003-06-20 Jeffrey Altman <jaltman@mit.edu>
* ms2mit.c: Windows Credentials are addressless. Do not store the
credentials in the MIT cache with addresses since they do not
contain addresses in the encrypted portion of the credential.
Instead generate a valid empty address list.
2002-08-29 Ken Raeburn <raeburn@mit.edu>
* Makefile.in: Revert $(S)=>/ change, for Windows support.
2002-08-23 Ken Raeburn <raeburn@mit.edu>
* Makefile.in: Change $(S)=>/ and $(U)=>.. globally.
2001-11-28 Danilo Almeida <dalmeida@mit.edu>
* ms2mit.c: Make sure we get a des-cbc-crc session key instead of
potentially getting whatever happens to be in the cache. Remove
unnecessary static variables. Make function headers use a
consistent format. Rename ShowLastError() to ShowWinError() and
ShowNTError() to ShowLsaError().
|