krb5.git/src, branch gss_cs MIT Kerberos patches Add way to specify rcache when acquiring creds 2014-01-14T20:11:54+00:00 Simo Sorce simo@redhat.com 2013-12-27T00:05:34+00:00 5d3c7091d401b0a562131dee8fa210d416b441df The "rcache" URN can specify a cache type and name to be used with the credentials being acquired. Signed-off-by: Simo Sorce <simo@redhat.com> 
The "rcache" URN can specify a cache type and name to be used with
the credentials being acquired.

Signed-off-by: Simo Sorce <simo@redhat.com>
Fix uninitialized warning in client_init.c 2013-12-21T15:08:06+00:00 Greg Hudson ghudson@mit.edu 2013-12-21T15:08:06+00:00 815565f918f2c64c59561dbe37efc251ddb67c22 ticket: 7800 
ticket: 7800
Allow realm in kadm5_init service names 2013-12-21T05:06:22+00:00 Greg Hudson ghudson@mit.edu 2013-12-19T18:33:33+00:00 5341cfde2b3e607e294bb0d057dc3540172a8b1b Previously, if you passed a service name with a realm part to a kadm5_init function, you would get a KRB5_PARSE_MALFORMED error because the code would internally append its own '@realm' suffix before parsing the name. Fix this as follows: Change gic_iter so instead of producing a full service name, it produces a krb5_principal which is taken from the cred it acquires. Pass the client and full service name around as principals, rather than strings, and use the gss_nt_krb5_principal name type to import them in setup_gss(). Don't append a realm to the input service name; instead, pass the input service name directly to the gic functions (which do not need a realm in the service name and will ignore the realm if one is present). For the INIT_CREDS case, parse the input service name with KRB5_PRINCIPAL_PARSE_IGNORE_REALM and then set the realm. ticket: 7800 
Previously, if you passed a service name with a realm part to a
kadm5_init function, you would get a KRB5_PARSE_MALFORMED error
because the code would internally append its own '@realm' suffix
before parsing the name.  Fix this as follows:

Change gic_iter so instead of producing a full service name, it
produces a krb5_principal which is taken from the cred it acquires.
Pass the client and full service name around as principals, rather
than strings, and use the gss_nt_krb5_principal name type to import
them in setup_gss().  Don't append a realm to the input service name;
instead, pass the input service name directly to the gic functions
(which do not need a realm in the service name and will ignore the
realm if one is present).  For the INIT_CREDS case, parse the input
service name with KRB5_PRINCIPAL_PARSE_IGNORE_REALM and then set the
realm.

ticket: 7800
Simplify libkadm5 client realm initialization 2013-12-21T05:06:22+00:00 Greg Hudson ghudson@mit.edu 2013-12-19T17:22:47+00:00 33b06596be92f7d8458ac6b136f092e235dec834 The "realm" variable in init_any is used only to fill in the realm of the service principal in gic_iter(). The service principal realm should always be the realm we looked up config parameters for, so we can supply that realm to get_init_creds() unconditionally and eliminate the case where we use the client principal realm. Also get rid of an outdated comment and an #if 0 block we will never need again, and use SNPRINTF_OVERFLOW to check the snprintf result. 
The "realm" variable in init_any is used only to fill in the realm of
the service principal in gic_iter().  The service principal realm
should always be the realm we looked up config parameters for, so we
can supply that realm to get_init_creds() unconditionally and
eliminate the case where we use the client principal realm.

Also get rid of an outdated comment and an #if 0 block we will never
need again, and use SNPRINTF_OVERFLOW to check the snprintf result.
make depend 2013-12-21T04:13:57+00:00 Greg Hudson ghudson@mit.edu 2013-12-21T04:13:57+00:00 f5d5fa24c6c58b54349351beaea8220f5ca0f3ef 






Require built-in verto for make depend
2013-12-21T04:10:03+00:00

Greg Hudson
ghudson@mit.edu

2013-12-20T23:42:04+00:00

3a4a4fd6f70bde630bba09bb268c8558de9a326e

A tree configured to use the system libverto will be missing
$(VERTO_DEPS) in dependencies, so disallow make depend.





A tree configured to use the system libverto will be missing
$(VERTO_DEPS) in dependencies, so disallow make depend.







Avoid keyctl purge in keyring ccache tests
2013-12-21T04:10:03+00:00

Greg Hudson
ghudson@mit.edu

2013-12-20T20:19:06+00:00

94da4584645475272abec6259d1666e34bd59594

keyctl purge was added in keyutils 1.5 (released in March 2011).  Use
keyctl unlink to clean up keys instead, as it is more universal.

ticket: 7810
target_version: 1.12.1
tags: pullup





keyctl purge was added in keyutils 1.5 (released in March 2011).  Use
keyctl unlink to clean up keys instead, as it is more universal.

ticket: 7810
target_version: 1.12.1
tags: pullup







Use an extended com_err hook in klist
2013-12-21T04:10:03+00:00

Greg Hudson
ghudson@mit.edu

2013-12-20T16:06:52+00:00

ae027dd69fc80cca549c9198d10afad389f30873

Add an adapted version of extended_com_err_fn from kinit to klist and
use it.  In do_ccache(), rely on the ccache type to set a reasonable
message if krb5_cc_set_flags() or krb5_cc_get_principal() fails due to
a nonexistent or unreadable ccache, and don't confuse the user with
the name of the ccache operation that failed.

ticket: 7809





Add an adapted version of extended_com_err_fn from kinit to klist and
use it.  In do_ccache(), rely on the ccache type to set a reasonable
message if krb5_cc_set_flags() or krb5_cc_get_principal() fails due to
a nonexistent or unreadable ccache, and don't confuse the user with
the name of the ccache operation that failed.

ticket: 7809







Set an error message when keyring get_princ fails
2013-12-21T04:10:03+00:00

Nalin Dahyabhai
nalin@dahyabhai.net

2013-12-05T18:54:09+00:00

c25fc42e8eac7350209df61e4a7b9960d17755ca

When attempting to use a keyring cache that doesn't exist, set an error
message when we fail to read a principal name, as we do when we return
the same error code when using a file ccache.

[ghudson: removed unnecessary check for d->name nullity.]

ticket: 7809
target_version: 1.12.1
tags: pullup





When attempting to use a keyring cache that doesn't exist, set an error
message when we fail to read a principal name, as we do when we return
the same error code when using a file ccache.

[ghudson: removed unnecessary check for d->name nullity.]

ticket: 7809
target_version: 1.12.1
tags: pullup







Test for verto_set_flags in system libverto
2013-12-21T04:10:03+00:00

Greg Hudson
ghudson@mit.edu

2013-12-20T04:47:22+00:00

a47d639770f32418c6e3fa8a0503019c9b376d2a

libkrad relies on verto_set_flags, which was added to libverto in
release 0.2.4.  Make sure the system libverto has this function before
choosing it over the built-in version.

ticket: 7808 (new)
target_version: 1.12.1
tags: pullup





libkrad relies on verto_set_flags, which was added to libverto in
release 0.2.4.  Make sure the system libverto has this function before
choosing it over the built-in version.

ticket: 7808 (new)
target_version: 1.12.1
tags: pullup