krb5.git/src/lib/kadm5/unit-test/api.current, branch master MIT Kerberos patches Make empty passwords work via init_creds APIs 2013-05-27T16:49:34+00:00 Greg Hudson ghudson@mit.edu 2013-05-23T19:33:58+00:00 f3458ed803ae97b6c6c7c63baeb82b26c4943d4c In the gak_data value used by krb5_get_as_key_password, separate the already-known password from the storage we might have allocated to put it in, so that we no longer use an empty data buffer to determine whether we know the password. This allows empty passwords to work via the API. Remove the kadm5 test which explicitly uses an empty password. Based on a patch from Stef Walter. ticket: 7642 
In the gak_data value used by krb5_get_as_key_password, separate the
already-known password from the storage we might have allocated to put
it in, so that we no longer use an empty data buffer to determine
whether we know the password.  This allows empty passwords to work via
the API.

Remove the kadm5 test which explicitly uses an empty password.

Based on a patch from Stef Walter.

ticket: 7642
Fold kadm5 internal policy functions into callers 2013-01-09T20:35:44+00:00 Greg Hudson ghudson@mit.edu 2013-01-09T07:07:05+00:00 ecb9c348dd3e82aa8e68a466d89150dc0df3d46c kadm5_create_policy and kadm5_modify_policy had _internal variants in libkadm5srv (but not libkadm5clnt) which only existed to protect the policy_refcnt field from modification over the wire. Now that policy_refcnt is no longer used, we don't need the separation. Bump the library soname since this is technically an ABI change. 
kadm5_create_policy and kadm5_modify_policy had _internal variants in
libkadm5srv (but not libkadm5clnt) which only existed to protect the
policy_refcnt field from modification over the wire.  Now that
policy_refcnt is no longer used, we don't need the separation.

Bump the library soname since this is technically an ABI change.
Allow principals to refer to nonexistent policies 2013-01-09T20:35:43+00:00 Greg Hudson ghudson@mit.edu 2013-01-08T20:20:45+00:00 0780e46fc13dbafa177525164997cd204cc50b51 Stop using and maintaining the policy_refcnt field, and do not try to prevent deletion of a policy which is still referenced by principals. Instead, allow principals to refer to policy names which do not exist as policy objects; treat those principals as having no associated policy. In the kadmin client, warn if addprinc or modprinc tries to reference a policy which doesn't exist, since the server will no longer error out in this case. ticket: 7385 
Stop using and maintaining the policy_refcnt field, and do not try to
prevent deletion of a policy which is still referenced by principals.
Instead, allow principals to refer to policy names which do not exist
as policy objects; treat those principals as having no associated
policy.

In the kadmin client, warn if addprinc or modprinc tries to reference
a policy which doesn't exist, since the server will no longer error
out in this case.

ticket: 7385
Make kadmin work over IPv6 2010-06-26T03:32:55+00:00 Greg Hudson ghudson@mit.edu 2010-06-26T03:32:55+00:00 0080380b3b3e945c5eb84504771d9d01ee76a611 Make gssrpc work over IPv6 TCP sockets provided that the client creates and connects/binds the sockets and doesn't query their addresses or use bindresvport(). Make kadmin work within those constraints and handle IPv6. Specific changes: * Make svctcp_create() able to extract the port from an IPv6 socket, using a new helper function getport(). * Make clnttcp_create() handle a null raddr value if *sockp is set. * Make kadm5_get_service_name() use getaddrinfo() to canonicalize the admin server name. * Make libkadm5clnt's init_any() responsible for connecting its socket using a new helper function connect_to_server(), which uses getaddrinfo instead of gethostbyname. Pass a null address to clnttcp_create(). * Make libapputil's net-server.c set up IPv6 as well as IPv4 listener ports for RPC connections. * Adjust the error code expected in a libkadm5 unit test. ticket: 6746 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24147 dc483132-0cff-0310-8789-dd5450dbe970 
Make gssrpc work over IPv6 TCP sockets provided that the client
creates and connects/binds the sockets and doesn't query their
addresses or use bindresvport().  Make kadmin work within those
constraints and handle IPv6.  Specific changes:

* Make svctcp_create() able to extract the port from an IPv6 socket,
  using a new helper function getport().
* Make clnttcp_create() handle a null raddr value if *sockp is set.
* Make kadm5_get_service_name() use getaddrinfo() to canonicalize the
  admin server name.
* Make libkadm5clnt's init_any() responsible for connecting its socket
  using a new helper function connect_to_server(), which uses
  getaddrinfo instead of gethostbyname.  Pass a null address to
  clnttcp_create().
* Make libapputil's net-server.c set up IPv6 as well as IPv4 listener
  ports for RPC connections.
* Adjust the error code expected in a libkadm5 unit test.

ticket: 6746

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24147 dc483132-0cff-0310-8789-dd5450dbe970
Lazy history key creation 2010-03-11T17:05:24+00:00 Greg Hudson ghudson@mit.edu 2010-03-11T17:05:24+00:00 49abf1c55ae0d9a79239cd22ada98b2cfc54e224 Create kadmin/history lazily when we need it (i.e. when a password is changed on a principal with a policy) instead of whenever we open the database. Allows kadmin.local to be used as a read-only tool on non- kadmin-conformant database back ends such as the Samba bridge. ticket: 6679 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23799 dc483132-0cff-0310-8789-dd5450dbe970 
Create kadmin/history lazily when we need it (i.e. when a password is
changed on a principal with a policy) instead of whenever we open the
database.  Allows kadmin.local to be used as a read-only tool on non-
kadmin-conformant database back ends such as the Samba bridge.

ticket: 6679

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23799 dc483132-0cff-0310-8789-dd5450dbe970
Remove some more test suite cruft: 2010-02-28T20:32:00+00:00 Greg Hudson ghudson@mit.edu 2010-02-28T20:32:00+00:00 9f79427d9b3793dff35e2c787e7b27f4d62e50f5 * localhostname from get_hostname was unused. * database_name is no longer used except (misleadingly) in kdb5_util output. * admin_database_name and admin_database_lockfile are no longer used. * default_domain is only used for v4->v5 principal conversion, which isn't tested. * libkadm5's init-v2.exp had a copy of get_hostname; domain and localhostname from it were unused. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23759 dc483132-0cff-0310-8789-dd5450dbe970 
* localhostname from get_hostname was unused.
* database_name is no longer used except (misleadingly) in kdb5_util
  output.
* admin_database_name and admin_database_lockfile are no longer used.
* default_domain is only used for v4->v5 principal conversion, which
  isn't tested.
* libkadm5's init-v2.exp had a copy of get_hostname; domain and
  localhostname from it were unused.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23759 dc483132-0cff-0310-8789-dd5450dbe970
Minimal support for updating history key 2010-02-11T16:07:08+00:00 Greg Hudson ghudson@mit.edu 2010-02-11T16:07:08+00:00 fe68c6595b7f90ec6891b4dbb0b227ee859090e5 Add minimal support for re-randomizing the history key: * cpw -randkey kadmin/history now works, but creates only one key. * cpw -randkey -keepold kadmin/history still fails. * libkadm5 no longer caches the history key. Performance impact is minimal since password changes are not common. * randkey no longer checks the newly randomized key against old keys, and the disabled code to do so in setkey/setv4key is gone, so now only kadm5_chpass_principal_3 accesses the password history. ticket: 6660 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23716 dc483132-0cff-0310-8789-dd5450dbe970 
Add minimal support for re-randomizing the history key:

* cpw -randkey kadmin/history now works, but creates only one key.
* cpw -randkey -keepold kadmin/history still fails.
* libkadm5 no longer caches the history key.  Performance impact
  is minimal since password changes are not common.
* randkey no longer checks the newly randomized key against old keys,
  and the disabled code to do so in setkey/setv4key is gone, so now
  only kadm5_chpass_principal_3 accesses the password history.

ticket: 6660
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23716 dc483132-0cff-0310-8789-dd5450dbe970
Rename api.3 to api.current in the libkadm5 unit tests. This way the 2009-10-29T16:13:36+00:00 Greg Hudson ghudson@mit.edu 2009-10-29T16:13:36+00:00 88dce422743e99b8a6814b730b0ff1d219c513ea main body of tests won't have to be moved every time the current API version of libkadm5 changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23087 dc483132-0cff-0310-8789-dd5450dbe970 
main body of tests won't have to be moved every time the current API
version of libkadm5 changes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23087 dc483132-0cff-0310-8789-dd5450dbe970