src/windows/ms2mit/ChangeLog


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108

2004-08-20  Jeffrey Altman <jaltman@mit.edu>
 
    * ms2mit.c: add -c ccache command line option

    * mit2ms.c: new command.  Copies contents of the mit ccache
                to the MSLSA: ccache

2004-03-08  Ken Raeburn  <raeburn@mit.edu>

    * Makefile.in (MY_SUBDIRS): Deleted.

2004-01-31  Jeffrey Altman <jaltman@mit.edu>

    * ms2mit.c: Do not allow ticket importing of the Initial TGT cannot
      be obtained.  The MSLSA krb5_ccache will not export the Initial TGT
      if the session key enctype is NULL.  

2003-12-11  Jeffrey Altman <jaltman@mit.edu>

    * ms2mit.c, Makefile.in:

    Remove all of the code that manipulates the MS LSA cache.  Instead
    of reading in the TGT directly we now take advantage of the new
    "MSLSA:" krb5_ccache type.  We open the MS LSA cache as a read-only
    ccache and copy it to the default ccache for the system.

    This removes the dependency on secur32.dll from this file.

2003-10-21  Jeffrey Altman <jaltman@mit.edu>

    * ms2mit.c:

    Because of the failure of Windows 2000 and Windows XP to perform 
    proper ticket expiration time management, the MS Kerberos LSA will 
    return tickets to a calling application with lifetimes as short as 
    one second.  Tickets with lifetimes less than five minutes can cause 
    problems for most apps.  Tickets with lifetimes less than 20 minutes 
    will trigger the Leash ticket lifetime warnings.

    Instead of accepting whatever tickets are returned by MS LSA from 
    the cache, if the ticket lifetime is less than 20 minutes force a 
    retrieval operation bypassing the LSA ticket cache.


2003-07-16  Jeffrey Altman <jaltman@mit.edu>

    * ms2mit.c: 

    Functional changes:
    (1) do not restrict ourselves to DES-CBC-CRC instead support any
        ticket with an enctype we support.  as of this date (rev 1.3)
        this includes all but RC4-MD4.
    (2) do not accept invalid tickets
    (3) when attempting to retrieve tickets do not specify either the
        enctype or cache options (if possible).  doing so will force a 
        TGS request and prevent the results from being stored into the 
        cache.
    (4) when the LSA cache contains a TGT which has expired Microsoft will 
        not perform a new TGS request until the cache has been purged.
        Instead the expired ticket continues to be used along with its
        embedded authorization data.  When PURGE_ENABLED is defined, if the 
        tickets are expired, the cache will be purged before requesting
        new tickets, else we ignore the contents of the cache and force 
        a new TGS request.
    (5) when the LSA cache is empty do not abort.  On XP or 2003, use
        the SecurityLogonSessionData to determine the Realm (UserDnsDomain
        in MS-speak) and request an appropriate TGT.  On 2000, check the
        Registry for the HKCU\"Volatile Environment":"USERDNSDOMAIN" 
        instead.  This will allow ms2mit to be used to repopulate the
        LSA cache.  If the current session is not Kerberos authenticated
        an appropriate error message will be generated.

    Code changes:
    (1) several memory leaks plugged
    (2) several support functions copied from the Leashw32.dll sources
    (3) get_STRING_from_registry() uses the ANSI versions of the Registry
        functions and should at a later date be converted to use the 
        Unicode versions.

    Notes: an ms2mit.exe based on the Leash_import() function
    should be considered.  Leash_import() not only imports the TGT from
    the LSA but also performs the krb524 conversion and AFS token retrieval.
    Of course, that version of ms2mit.exe could not exist within the krb5
    source tree.

2003-06-20  Jeffrey Altman <jaltman@mit.edu>

    * ms2mit.c: Windows Credentials are addressless. Do not store the
	credentials in the MIT cache with addresses since they do not
	contain addresses in the encrypted portion of the credential.
	Instead generate a valid empty address list.

2002-08-29  Ken Raeburn  <raeburn@mit.edu>

    * Makefile.in: Revert $(S)=>/ change, for Windows support.

2002-08-23  Ken Raeburn  <raeburn@mit.edu>

    * Makefile.in: Change $(S)=>/ and $(U)=>.. globally.

2001-11-28  Danilo Almeida  <dalmeida@mit.edu>

    * ms2mit.c: Make sure we get a des-cbc-crc session key instead of
	potentially getting whatever happens to be in the cache.  Remove
	unnecessary static variables.  Make function headers use a
	consistent format.  Rename ShowLastError() to ShowWinError() and
	ShowNTError() to ShowLsaError().