krb5.git/src/windows/ms2mit/ChangeLog, branch keyring MIT Kerberos patches Remove ChangeLog files from the source tree. From now on, the 2006-04-11T21:28:48+00:00 Sam Hartman hartmans@mit.edu 2006-04-11T21:28:48+00:00 779066fca01df6c4354ccd4f80dcafe4e96d891c subversion commit log entry needs to include information that would have been in the changelog. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17893 dc483132-0cff-0310-8789-dd5450dbe970 
subversion commit log entry needs to include information that would
have been in the changelog.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17893 dc483132-0cff-0310-8789-dd5450dbe970
ms2mit.c: Apply KRB5_TC_NOTICKET to MSLSA: while searching for the 2004-09-09T23:25:56+00:00 Jeffrey Altman jaltman@secure-endpoints.com 2004-09-09T23:25:56+00:00 990a0c86db55e7af83598f08d46d8834ece79cd6 presence of an initial ticket to copy to the MIT cache ticket: 2688 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16733 dc483132-0cff-0310-8789-dd5450dbe970 
           presence of an initial ticket to copy to the MIT cache

ticket: 2688

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16733 dc483132-0cff-0310-8789-dd5450dbe970
* ms2mit.c: add -c ccache command line option 2004-09-02T00:42:50+00:00 Jeffrey Altman jaltman@secure-endpoints.com 2004-09-02T00:42:50+00:00 bb55b1f4e530efc5af24d79ca9705e8d7549676f * mit2ms.c: new command. Copies contents of the mit ccache to the MSLSA: ccache ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16713 dc483132-0cff-0310-8789-dd5450dbe970 
    * mit2ms.c: new command.  Copies contents of the mit ccache
                to the MSLSA: ccache

ticket: new

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16713 dc483132-0cff-0310-8789-dd5450dbe970
Change subdir processing so that SUBDIRS will contain the configured 2004-03-08T07:20:55+00:00 Ken Raeburn raeburn@mit.edu 2004-03-08T07:20:55+00:00 39faf762d23d16ccd1d6b7c9b1d2046f6b1b2d0d subdirs only for the makefile in the directory with the configure script, and will have only $(LOCAL_SUBDIRS) elsewhere. Drop the use of "MY_SUBDIRS=." to override SUBDIRS in favor of this way of keeping SUBDIRS empty. Drop other uses of MY_SUBDIRS in favor of LOCAL_SUBDIRS or (in one case, the top level) overriding the SUBDIRS setting from pre.in. One less thing to keep tweaking as configure scripts get reorganized and merged. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16158 dc483132-0cff-0310-8789-dd5450dbe970 
subdirs only for the makefile in the directory with the configure
script, and will have only $(LOCAL_SUBDIRS) elsewhere.  Drop the use
of "MY_SUBDIRS=." to override SUBDIRS in favor of this way of keeping
SUBDIRS empty.  Drop other uses of MY_SUBDIRS in favor of
LOCAL_SUBDIRS or (in one case, the top level) overriding the SUBDIRS
setting from pre.in.

One less thing to keep tweaking as configure scripts get reorganized
and merged.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16158 dc483132-0cff-0310-8789-dd5450dbe970
* Do not perform ticket importing if the initial TGT is not available 2004-02-01T05:40:48+00:00 Jeffrey Altman jaltman@secure-endpoints.com 2004-02-01T05:40:48+00:00 250fdf95725849dfc0936adbfb3a0a921bc613d5 from the MSLSA krb5_ccache. This will be the case if the session key enctype is NULL. (AllowTGTSessionKey regkey = 0) ticket: new target: 1.3.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15994 dc483132-0cff-0310-8789-dd5450dbe970 
   from the MSLSA krb5_ccache.  This will be the case if the session key
   enctype is NULL.  (AllowTGTSessionKey regkey = 0)

ticket: new
target: 1.3.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15994 dc483132-0cff-0310-8789-dd5450dbe970
* Added new krb5_ccache type "MSLSA" for Windows only. 2003-12-12T22:22:36+00:00 Jeffrey Altman jaltman@secure-endpoints.com 2003-12-12T22:22:36+00:00 1024cce992605494dec0566a963efb1bdc0ff1d5 This new ccache type provides an interface for the MIT krb5_cc api functions to be used to access the contents of the MS Kerberos LSA cache. The ccache type is read-only because the MS Kerberos LSA does not allow third party applications to insert credentials into the cache. The primary motivation of this work was to encapsulate the complex operations necessary to manipulate the MS Kerberos LSA. The code was far from trivial and was often implemented incorrectly. Worse still was the fact that each version of Windows since W2K modified the use of the LSA API. The code which was originally donated in the form of ms2mit.c had many memory and handle leaks which were acceptable for a one time application such as ms2mit.c. Unfortunately, this code has started to appear in many other applications: KfW's Leash, the AFS Wake systray tool, and others. By using the new MSLSA ccache the implementation of ms2mit.c went from 890 lines to 50 lines of code and comments. All that is necessary is for the MSLSA ccache to be resolved and for its contents to be copied with krb5_cc_copy_creds to the default ccache. The MSLSA ccache implements all of the functions of a ccache except those which would be used to store data into the ccache. When a write attempt is performed the new error KRB5_CC_READONLY is returned. The residual portion of the MSLSA ccache name is current ignored but preserved. If you ask for ccache "MSLSA:myname" you will be given access to the LSA cache for the current Logon Session. If you later ask for the name of the ccache you will be returned the same name. In the future, the residual might be used to provide information necessary to identify a specific logon session whose cache it is desired to access. If this is ever done, the applications which use it will have to possess the SeTcbPrivilege privilege. Using KfW's Leash it is now possible to set the Krb5 credential cache to "MSLSA:" and use it to monitor the contents of the MS Kerberos LSA cache. As part of adding this functionality, krb5_32.dll is not linked against the "secur32.lib" library as the Lsa security sdk routines are stored in the SECUR32.DLL file. ticket: 2049 target_version: 1.3.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15886 dc483132-0cff-0310-8789-dd5450dbe970 
   This new ccache type provides an interface for the MIT krb5_cc api
   functions to be used to access the contents of the MS Kerberos LSA
   cache.  The ccache type is read-only because the MS Kerberos LSA
   does not allow third party applications to insert credentials into
   the cache.

   The primary motivation of this work was to encapsulate the complex
   operations necessary to manipulate the MS Kerberos LSA.  The code
   was far from trivial and was often implemented incorrectly.  Worse
   still was the fact that each version of Windows since W2K modified
   the use of the LSA API.

   The code which was originally donated in the form of ms2mit.c had
   many memory and handle leaks which were acceptable for a one time
   application such as ms2mit.c. Unfortunately, this code has started
   to appear in many other applications: KfW's Leash, the AFS Wake
   systray tool, and others.

   By using the new MSLSA ccache the implementation of ms2mit.c went
   from 890 lines to 50 lines of code and comments.  All that is necessary
   is for the MSLSA ccache to be resolved and for its contents to be
   copied with krb5_cc_copy_creds to the default ccache.

   The MSLSA ccache implements all of the functions of a ccache except
   those which would be used to store data into the ccache.  When a
   write attempt is performed the new error KRB5_CC_READONLY is returned.

   The residual portion of the MSLSA ccache name is current ignored
   but preserved.  If you ask for ccache "MSLSA:myname" you will be
   given access to the LSA cache for the current Logon Session.  If
   you later ask for the name of the ccache you will be returned the
   same name.  In the future, the residual might be used to provide
   information necessary to identify a specific logon session whose
   cache it is desired to access.  If this is ever done, the applications
   which use it will have to possess the SeTcbPrivilege privilege.

   Using KfW's Leash it is now possible to set the Krb5 credential
   cache to "MSLSA:" and use it to monitor the contents of the
   MS Kerberos LSA cache.

   As part of adding this functionality, krb5_32.dll is not linked
   against the "secur32.lib" library as the Lsa security sdk routines
   are stored in the SECUR32.DLL file.

ticket: 2049
target_version: 1.3.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15886 dc483132-0cff-0310-8789-dd5450dbe970
Because of the failure of Windows 2000 and Windows XP to perform proper 2003-10-21T22:20:48+00:00 Jeffrey Altman jaltman@secure-endpoints.com 2003-10-21T22:20:48+00:00 e3dc77a76f29f0484eab155f4d6789b0a20eb8df ticket expiration time management, the MS Kerberos LSA will return tickets to a calling application with lifetimes as short as one second. Tickets with lifetimes less than five minutes can cause problems for most apps. Tickets with lifetimes less than 20 minutes will trigger the Leash ticket lifetime warnings. Instead of accepting whatever tickets are returned by MS LSA from the cache, if the ticket lifetime is less than 20 minutes force a retrieval operation bypassing the LSA ticket cache. ticket: 1962 target_version: 1.3.2 tags: pullup owner: jaltman@mit.edu status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15843 dc483132-0cff-0310-8789-dd5450dbe970 
ticket expiration time management, the MS Kerberos LSA will return
tickets to a calling application with lifetimes as short as one second.
 Tickets with lifetimes less than five minutes can cause problems for
most apps.  Tickets with lifetimes less than 20 minutes will trigger the
Leash ticket lifetime warnings.

Instead of accepting whatever tickets are returned by MS LSA from the
cache, if the ticket lifetime is less than 20 minutes force a retrieval
operation bypassing the LSA ticket cache.

ticket: 1962
target_version: 1.3.2
tags: pullup
owner: jaltman@mit.edu
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15843 dc483132-0cff-0310-8789-dd5450dbe970
* ms2mit.c: 2003-07-18T13:17:47+00:00 Jeffrey Altman jaltman@secure-endpoints.com 2003-07-18T13:17:47+00:00 4aa7e1ee05e648e30b1c7184074348b0abe68dd5 Functional changes: (1) do not restrict ourselves to DES-CBC-CRC instead support any ticket with an enctype we support. as of this date (rev 1.3) this includes all but RC4-MD4. (2) do not accept invalid tickets (3) when attempting to retrieve tickets do not specify either the enctype or cache options (if possible). doing so will force a TGS request and prevent the results from being stored into the cache. (4) when the LSA cache contains a TGT which has expired Microsoft will not perform a new TGS request until the cache has been purged. Instead the expired ticket continues to be used along with its embedded authorization data. When PURGE_ENABLED is defined, if the tickets are expired, the cache will be purged before requesting new tickets, else we ignore the contents of the cache and force a new TGS request. (5) when the LSA cache is empty do not abort. On XP or 2003, use the SecurityLogonSessionData to determine the Realm (UserDnsDomain in MS-speak) and request an appropriate TGT. On 2000, check the Registry for the HKCU\"Volatile Environment":"USERDNSDOMAIN" instead. This will allow ms2mit to be used to repopulate the LSA cache. If the current session is not Kerberos authenticated an appropriate error message will be generated. Code changes: (1) several memory leaks plugged (2) several support functions copied from the Leashw32.dll sources (3) get_STRING_from_registry() uses the ANSI versions of the Registry functions and should at a later date be converted to use the Unicode versions. Notes: an ms2mit.exe based on the Leash_import() function should be considered. Leash_import() not only imports the TGT from the LSA but also performs the krb524 conversion and AFS token retrieval. Of course, that version of ms2mit.exe could not exist within the krb5 source tree. ticket: 1667 target_version: 1.3.1 tags: pullup owner: jaltman@mit.edu status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15696 dc483132-0cff-0310-8789-dd5450dbe970 
    Functional changes:
    (1) do not restrict ourselves to DES-CBC-CRC instead support any
        ticket with an enctype we support.  as of this date (rev 1.3)
        this includes all but RC4-MD4.
    (2) do not accept invalid tickets
    (3) when attempting to retrieve tickets do not specify either the
        enctype or cache options (if possible).  doing so will force a
        TGS request and prevent the results from being stored into the
        cache.
    (4) when the LSA cache contains a TGT which has expired Microsoft will
        not perform a new TGS request until the cache has been purged.
        Instead the expired ticket continues to be used along with its
        embedded authorization data.  When PURGE_ENABLED is defined, if the
        tickets are expired, the cache will be purged before requesting
        new tickets, else we ignore the contents of the cache and force
        a new TGS request.
    (5) when the LSA cache is empty do not abort.  On XP or 2003, use
        the SecurityLogonSessionData to determine the Realm (UserDnsDomain
        in MS-speak) and request an appropriate TGT.  On 2000, check the
        Registry for the HKCU\"Volatile Environment":"USERDNSDOMAIN"
        instead.  This will allow ms2mit to be used to repopulate the
        LSA cache.  If the current session is not Kerberos authenticated
        an appropriate error message will be generated.

    Code changes:
    (1) several memory leaks plugged
    (2) several support functions copied from the Leashw32.dll sources
    (3) get_STRING_from_registry() uses the ANSI versions of the Registry
        functions and should at a later date be converted to use the
        Unicode versions.

    Notes: an ms2mit.exe based on the Leash_import() function
    should be considered.  Leash_import() not only imports the TGT from
    the LSA but also performs the krb524 conversion and AFS token retrieval.
    Of course, that version of ms2mit.exe could not exist within the krb5
    source tree.

ticket: 1667
target_version: 1.3.1
tags: pullup
owner: jaltman@mit.edu
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15696 dc483132-0cff-0310-8789-dd5450dbe970
apply patch from jaltman: 2003-06-24T02:29:47+00:00 Tom Yu tlyu@mit.edu 2003-06-24T02:29:47+00:00 aaeeeefe2c6fa2ecc9a40756965c58fe39b839b6 * ms2mit.c: Windows Credentials are addressless. Do not store the credentials in the MIT cache with addresses since they do not contain addresses in the encrypted portion of the credential. Instead generate a valid empty address list. ticket: 1618 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15648 dc483132-0cff-0310-8789-dd5450dbe970 
	* ms2mit.c: Windows Credentials are addressless. Do not store the
	credentials in the MIT cache with addresses since they do not
	contain addresses in the encrypted portion of the credential.
	Instead generate a valid empty address list.

ticket: 1618
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15648 dc483132-0cff-0310-8789-dd5450dbe970
* Makefile.in: Revert $(S)=>/ change, for Windows support 2002-08-29T09:10:29+00:00 Ken Raeburn raeburn@mit.edu 2002-08-29T09:10:29+00:00 b1c3b4e30f01d4a38f1c49c23c54e64b5ae0e398 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14786 dc483132-0cff-0310-8789-dd5450dbe970 
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14786 dc483132-0cff-0310-8789-dd5450dbe970