| author | Jeffrey Altman <jaltman@secure-endpoints.com> | 2006-10-09 18:08:10 +0000 |
|---|---|---|
| committer | Jeffrey Altman <jaltman@secure-endpoints.com> | 2006-10-09 18:08:10 +0000 |
| commit | 8cf95742d1527bcfd585cb8d1d565f3ef451b261 (patch) | |
| tree | 0879cc70d80ffa402f2e6dc6dfb710e80fb06a9c /src/windows/identity/plugins | |
| parent | ad8951bc9b574ea81f25eb595cd51251140f8fc9 (diff) | |
final commits for KFW 3.1 Beta 2
krb5cred.dll (1.1.2.0)
- Fix the control logic so that if the password is expired for an
identity, the krb5 credentials provider will initiate a change
password request. Once the password is successfully changed, the
new password will be used to obtain new credentials.
- Fix an incorrect condition which caused the new credentials dialog
to refresh custom prompts unnecessarily.
- Removing an identity from the list of NetIDMgr identities now causes
the corresponding principal to be removed from the LRU principals
list.
- Properly handle KMSG_CRED_PROCESS message when the user is
cancelling out.
- Add more debug output
- Do not renew Kerberos tickets which are not initial tickets.
- Fix whitespace in source code.
- When providing identity selection controls, disable the realm
selector when the user specifies the realm in the username control.
- k5_ident_valiate_name() will refuse principal names with empty or
unspecified realms.
- When updating identity properties, the identity provider will
correctly set the properties for identities that were destroyed.
This fixes a problem where the values may be incorrect if an
identity has two or more credential caches and one of them is
destroyed.
nidmgr32.dll (1.1.2.0)
- Send out a separate notification if the configuration information
associated with an identity is removed.
- If an identity is being removed from the NetIDMgr identity list in
the configuration panel, do not send out APPLY notifications to the
subpanels after the configuration information has been removed.
Otherwise this causes the configuration information to be reinstated
and prevent the identity from being removed.
- Properly initialize the new credentials blob including the UI
context structure.
netidmgr.exe (1.1.2.0)
- When suppressing error messages, make sure that the final
KMSG_CRED_END notification is sent. Otherwise the new credentials
acquisition operation will not be cleaned up.
- Autoinit option now checks to see if there are identity credentials
for the default identity and triggers the new credentials dialog if
there aren't any.
- Properly synchronize the configuration node list when applying
changes (e.g.: when removing or adding an identity).
- Fix a handle leak when removing an identity from the NetIDMgr
identity list.
- Refresh the properties for the active identities before calculating
the renewal and expiration timers. Otherwise the timestamps being
used might be incorrect.
- Add Identity dialog (in the configuration panel) now uses the
identity selection controls provided by the identity provider.
- Improve type safety when handling timer refreshes.
- When getting the expiration times and issue times for an identity,
the timer refresh code may fail over to the expiration and issue
times for the credential it is currently looking at. Now the code
makes sure that both the issue and expiration times come from the
identity or the credential but not mixed.
- Not being able to get the time of issue of a credential now does not
result in the credential being skipped from the timer refresh pass.
However, not having a time of issue will result in the half-life
algorithm not being applied for the renew timer.
- Fix a bug which caused a credential to be abandoned from the timer
refresh pass if the remaining lifetime of the credential is less
than the renewal threshold.
- Fix a bug where the vertical scroll bars for the hypertext window
would not appear when the contents of the window changed.
- Trigger a refresh of the configuration nodes when adding or removing
an identity.
source for (1.1.2.0)
- Explicitly include <prsht.h> so that the SDK can be used in build
environments that define WIN32_LEAN_AND_MEAN.
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18670 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/windows/identity/plugins')
| -rw-r--r-- | src/windows/identity/plugins/krb5/krb5funcs.c | 134 | ||||
| -rw-r--r-- | src/windows/identity/plugins/krb5/krb5identpro.c | 163 | ||||
| -rw-r--r-- | src/windows/identity/plugins/krb5/krb5newcreds.c | 82 | ||||
| -rw-r--r-- | src/windows/identity/plugins/krb5/krb5plugin.c | 19 | ||||
| -rw-r--r-- | src/windows/identity/plugins/krb5/krbcred.h | 3 | ||||
| -rw-r--r-- | src/windows/identity/plugins/krb5/lang/en_us/langres.rc | 8 |
6 files changed, 284 insertions, 125 deletions
diff --git a/src/windows/identity/plugins/krb5/krb5funcs.c b/src/windows/identity/plugins/krb5/krb5funcs.c
index 95f9a38c6..331e789dc 100644
--- a/src/windows/identity/plugins/krb5/krb5funcs.c
+++ b/src/windows/identity/plugins/krb5/krb5funcs.c
@@ -702,6 +702,19 @@ khm_krb5_renew_cred(khm_handle cred)
khm_boolean brenewIdentity = FALSE;
khm_boolean istgt = FALSE;
+ khm_int32 flags;
+
+ cbname = sizeof(wname);
+ kcdb_cred_get_name(cred, wname, &cbname);
+ _reportf(L"Krb5 renew cred for %s", wname);
+
+ kcdb_cred_get_flags(cred, &flags);
+
+ if (!(flags & KCDB_CRED_FLAG_INITIAL)) {
+ _reportf(L"Krb5 skipping renewal because this is not an initial credential");
+ return 0;
+ }
+
memset(&in_creds, 0, sizeof(in_creds));
memset(&cc_creds, 0, sizeof(cc_creds));
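Review bot: `flags` is read uninitialised if `kcdb_cred_get_flags()` fails, because the added call ignores its return value before testing `KCDB_CRED_FLAG_INITIAL`; the same applies to `wname`, which is handed to `_reportf` with `%s` whether or not `kcdb_cred_get_name()` filled it. k5_ident_update_apply_proc in krb5identpro.c already uses the safer form, and here `if (KHM_FAILED(kcdb_cred_get_flags(cred, &flags))) flags = 0;` would make a failed lookup skip renewal, while `wname[0] = L'\0';` before the name lookup keeps the log call defined. The declarations of `wname` and `cbname` and the rest of khm_krb5_renew_cred are outside the hunk.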
@@ -2161,80 +2174,79 @@ khm_krb5_changepwd(char * principal,
if ( !pkrb5_init_context )
goto cleanup;
- if (rc = pkrb5_init_context(&context)) {
- goto cleanup;
- }
-
- if (rc = pkrb5_parse_name(context, principal, &princ)) {
- goto cleanup;
- }
-
- pkrb5_get_init_creds_opt_init(&opts);
- pkrb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
- pkrb5_get_init_creds_opt_set_renew_life(&opts, 0);
- pkrb5_get_init_creds_opt_set_forwardable(&opts, 0);
- pkrb5_get_init_creds_opt_set_proxiable(&opts, 0);
- pkrb5_get_init_creds_opt_set_address_list(&opts,NULL);
-
- if (rc = pkrb5_get_init_creds_password(context, &creds, princ,
- password, 0, 0, 0,
- "kadmin/changepw", &opts)) {
- if (rc == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+ if (rc = pkrb5_init_context(&context)) {
+ goto cleanup;
+ }
+
+ if (rc = pkrb5_parse_name(context, principal, &princ)) {
+ goto cleanup;
+ }
+
+ pkrb5_get_init_creds_opt_init(&opts);
+ pkrb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
+ pkrb5_get_init_creds_opt_set_renew_life(&opts, 0);
+ pkrb5_get_init_creds_opt_set_forwardable(&opts, 0);
+ pkrb5_get_init_creds_opt_set_proxiable(&opts, 0);
+ pkrb5_get_init_creds_opt_set_address_list(&opts,NULL);
+
+ if (rc = pkrb5_get_init_creds_password(context, &creds, princ,
+ password, 0, 0, 0,
+ "kadmin/changepw", &opts)) {
+ if (rc == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
#if 0
- com_err(argv[0], 0,
- "Password incorrect while getting initial ticket");
+ com_err(argv[0], 0,
+ "Password incorrect while getting initial ticket");
#endif
- }
- else {
+ } else {
#if 0
- com_err(argv[0], ret, "getting initial ticket");
+ com_err(argv[0], ret, "getting initial ticket");
#endif
- }
- goto cleanup;
- }
+ }
+ goto cleanup;
+ }
- if (rc = pkrb5_change_password(context, &creds, newpassword,
- &result_code, &result_code_string,
- &result_string)) {
+ if (rc = pkrb5_change_password(context, &creds, newpassword,
+ &result_code, &result_code_string,
+ &result_string)) {
#if 0
- com_err(argv[0], ret, "changing password");
+ com_err(argv[0], ret, "changing password");
#endif
- goto cleanup;
- }
-
- if (result_code) {
- int len = result_code_string.length +
- (result_string.length ? (sizeof(": ") - 1) : 0) +
- result_string.length;
- if (len && error_str) {
- *error_str = PMALLOC(len + 1);
- if (*error_str)
- StringCchPrintfA(*error_str, len+1,
- "%.*s%s%.*s",
- result_code_string.length,
- result_code_string.data,
- result_string.length?": ":"",
- result_string.length,
- result_string.data);
- }
- rc = result_code;
- goto cleanup;
- }
+ goto cleanup;
+ }
+
+ if (result_code) {
+ int len = result_code_string.length +
+ (result_string.length ? (sizeof(": ") - 1) : 0) +
+ result_string.length;
+ if (len && error_str) {
+ *error_str = PMALLOC(len + 1);
+ if (*error_str)
+ StringCchPrintfA(*error_str, len+1,
+ "%.*s%s%.*s",
+ result_code_string.length,
+ result_code_string.data,
+ result_string.length?": ":"",
+ result_string.length,
+ result_string.data);
+ }
+ rc = result_code;
+ goto cleanup;
+ }
cleanup:
- if (result_string.data)
- pkrb5_free_data_contents(context, &result_string);
+ if (result_string.data)
+ pkrb5_free_data_contents(context, &result_string);
- if (result_code_string.data)
- pkrb5_free_data_contents(context, &result_code_string);
+ if (result_code_string.data)
+ pkrb5_free_data_contents(context, &result_code_string);
- if (princ)
- pkrb5_free_principal(context, princ);
+ if (princ)
+ pkrb5_free_principal(context, princ);
- if (context)
- pkrb5_free_context(context);
+ if (context)
+ pkrb5_free_context(context);
- return rc;
+ return rc;
}
khm_int32 KHMAPI
diff --git a/src/windows/identity/plugins/krb5/krb5identpro.c b/src/windows/identity/plugins/krb5/krb5identpro.c
index 11a7410b1..05f93fcd3 100644
--- a/src/windows/identity/plugins/krb5/krb5identpro.c
+++ b/src/windows/identity/plugins/krb5/krb5identpro.c
@@ -226,8 +226,10 @@ update_crossfeed(khui_new_creds * nc,
un_realm = khm_get_realm_from_princ(un);
- if (un_realm == NULL)
+ if (un_realm == NULL) {
+ EnableWindow(d->hw_realm, TRUE);
return FALSE;
+ }
if (ctrl_id_src == K5_NCID_UN) {
@@ -270,6 +272,15 @@ update_crossfeed(khui_new_creds * nc,
SetWindowText(d->hw_realm,
un_realm);
+ if (GetFocus() == d->hw_realm) {
+ HWND hw_next = GetNextDlgTabItem(nc->hwnd, d->hw_realm,
+ FALSE);
+ if (hw_next)
+ SetFocus(hw_next);
+ }
+
+ EnableWindow(d->hw_realm, FALSE);
+
return TRUE;
}
/* else... */
@@ -739,6 +750,7 @@ k5_ident_valiate_name(khm_int32 msg_type,
char princ_name[KCDB_IDENT_MAXCCH_NAME];
kcdb_ident_name_xfer * nx;
krb5_error_code code;
+ wchar_t * atsign;
nx = (kcdb_ident_name_xfer *) vparam;
@@ -759,11 +771,18 @@ k5_ident_valiate_name(khm_int32 msg_type,
return KHM_ERROR_SUCCESS;
}
- if (princ != NULL)
+ if (princ != NULL)
pkrb5_free_principal(k5_identpro_ctx,
princ);
- nx->result = KHM_ERROR_SUCCESS;
+ /* krb5_parse_name() accepts principal names with no realm or an
+ empty realm. We don't. */
+ atsign = wcschr(nx->name_src, L'@');
+ if (atsign == NULL || atsign[1] == L'\0') {
+ nx->result = KHM_ERROR_INVALID_NAME;
+ } else {
+ nx->result = KHM_ERROR_SUCCESS;
+ }
return KHM_ERROR_SUCCESS;
}
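Review bot: The realm check takes the first `@` in `nx->name_src`, so an `@` that is backslash-escaped inside a name component is treated as the realm separator and a name such as `user\@host` with no realm is accepted. Looking for the last `@` and rejecting it when escaped is closer to the intent: `atsign = wcsrchr(nx->name_src, L'@');` followed by `if (atsign == NULL || atsign[1] == L'\0' || (atsign > nx->name_src && atsign[-1] == L'\\'))`. That still misreads a doubly escaped backslash before the `@`, so a small scanner that skips escaped characters would be the complete fix. The start of k5_ident_valiate_name, including the parse call this follows, is outside the hunk.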
@@ -1032,15 +1051,23 @@ k5_ident_notify_create(khm_int32 msg_type,
return KHM_ERROR_SUCCESS;
}
+struct k5_ident_update_data {
+ khm_handle identity;
+
+ FILETIME ft_expire; /* expiration */
+ FILETIME ft_issue; /* issue */
+ FILETIME ft_rexpire; /* renew expiration */
+ wchar_t ccname[KRB5_MAXCCH_CCNAME];
+ khm_int32 k5_flags;
+};
+
static khm_int32 KHMAPI
k5_ident_update_apply_proc(khm_handle cred,
void * rock) {
- wchar_t ccname[KRB5_MAXCCH_CCNAME];
- khm_handle tident = (khm_handle) rock;
+ struct k5_ident_update_data * d = (struct k5_ident_update_data *) rock;
khm_handle ident = NULL;
khm_int32 t;
khm_int32 flags;
- FILETIME t_expire;
FILETIME t_cexpire;
FILETIME t_rexpire;
khm_size cb;
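Review bot: `struct k5_ident_update_data` has no comment describing its contract, yet both k5_ident_update_apply_proc and k5_ident_update treat an all-zero `ft_expire` as "no initial credential seen yet". A header comment would make that explicit, for example `/* Accumulator for kcdb_credset_apply(). The caller zeroes the struct and sets identity; an all-zero FILETIME means "not found". */`. It would also help to note on `ccname` that an empty string means no location was recorded. The body of k5_ident_update_apply_proc continues outside this hunk.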
@@ -1049,12 +1076,15 @@ k5_ident_update_apply_proc(khm_handle cred,
if (KHM_FAILED(kcdb_cred_get_type(cred, &t)) ||
t != credtype_id_krb5 ||
KHM_FAILED(kcdb_cred_get_identity(cred, &ident)))
+
return KHM_ERROR_SUCCESS;
- if (!kcdb_identity_is_equal(ident,tident))
+ if (!kcdb_identity_is_equal(ident,d->identity))
+
goto _cleanup;
if (KHM_FAILED(kcdb_cred_get_flags(cred, &flags)))
+
flags = 0;
if (flags & KCDB_CRED_FLAG_INITIAL) {
@@ -1064,13 +1094,9 @@ k5_ident_update_apply_proc(khm_handle cred,
NULL,
&t_cexpire,
&cb))) {
- cb = sizeof(t_expire);
- if (KHM_FAILED(kcdb_identity_get_attr(tident,
- KCDB_ATTR_EXPIRE,
- NULL,
- &t_expire,
- &cb)) ||
- CompareFileTime(&t_cexpire, &t_expire) > 0) {
+ if ((d->ft_expire.dwLowDateTime == 0 &&
+ d->ft_expire.dwHighDateTime == 0) ||
+ CompareFileTime(&t_cexpire, &d->ft_expire) > 0) {
goto update_identity;
}
}
@@ -1080,52 +1106,35 @@ k5_ident_update_apply_proc(khm_handle cred,
update_identity:
- kcdb_identity_set_attr(tident, KCDB_ATTR_EXPIRE,
- &t_cexpire, sizeof(t_cexpire));
+ d->ft_expire = t_cexpire;
- cb = sizeof(ccname);
- if (KHM_SUCCEEDED(kcdb_cred_get_attr(cred, KCDB_ATTR_LOCATION,
- NULL,
- ccname,
- &cb))) {
- kcdb_identity_set_attr(tident, attr_id_krb5_ccname,
- ccname, cb);
- } else {
- kcdb_identity_set_attr(tident, attr_id_krb5_ccname,
- NULL, 0);
+ cb = sizeof(d->ccname);
+ if (KHM_FAILED(kcdb_cred_get_attr(cred, KCDB_ATTR_LOCATION, NULL, d->ccname, &cb))) {
+ d->ccname[0] = L'\0';
}
-
- cb = sizeof(t);
- if (KHM_SUCCEEDED(kcdb_cred_get_attr(cred,
- attr_id_krb5_flags,
- NULL,
- &t,
- &cb))) {
- kcdb_identity_set_attr(tident, attr_id_krb5_flags,
- &t, sizeof(t));
+ cb = sizeof(d->k5_flags);
+ if (KHM_FAILED(kcdb_cred_get_attr(cred, attr_id_krb5_flags, NULL,
+ &d->k5_flags, &cb))) {
+ d->k5_flags = 0;
+ }
- cb = sizeof(t_rexpire);
- if (!(t & TKT_FLG_RENEWABLE) ||
- KHM_FAILED(kcdb_cred_get_attr(cred,
- KCDB_ATTR_RENEW_EXPIRE,
- NULL,
- &t_rexpire,
- &cb))) {
- kcdb_identity_set_attr(tident, KCDB_ATTR_RENEW_EXPIRE,
- NULL, 0);
- } else {
- kcdb_identity_set_attr(tident, KCDB_ATTR_RENEW_EXPIRE,
- &t_rexpire, sizeof(t_rexpire));
- }
- } else {
- kcdb_identity_set_attr(tident, attr_id_krb5_flags,
- NULL, 0);
- kcdb_identity_set_attr(tident, KCDB_ATTR_RENEW_EXPIRE,
- NULL, 0);
+ cb = sizeof(d->ft_issue);
+ if (KHM_FAILED(kcdb_cred_get_attr(cred, KCDB_ATTR_ISSUE, NULL, &d->ft_issue, &cb))) {
+ ZeroMemory(&d->ft_issue, sizeof(d->ft_issue));
}
- rv = KHM_ERROR_EXIT;
+ cb = sizeof(t_rexpire);
+ if ((d->k5_flags & TKT_FLG_RENEWABLE) &&
+ KHM_SUCCEEDED(kcdb_cred_get_attr(cred,
+ KCDB_ATTR_RENEW_EXPIRE,
+ NULL,
+ &t_rexpire,
+ &cb))) {
+ d->ft_rexpire = t_rexpire;
+ } else {
+ ZeroMemory(&d->ft_rexpire, sizeof(d->ft_rexpire));
+ }
_cleanup:
if (ident)
@@ -1140,6 +1149,7 @@ k5_ident_update(khm_int32 msg_type,
khm_ui_4 uparam,
void * vparam) {
+ struct k5_ident_update_data d;
khm_handle ident;
khm_handle tident;
krb5_ccache cc = NULL;
@@ -1153,9 +1163,52 @@ k5_ident_update(khm_int32 msg_type,
if (ident == NULL)
return KHM_ERROR_SUCCESS;
+ ZeroMemory(&d, sizeof(d));
+ d.identity = ident;
+
kcdb_credset_apply(NULL,
k5_ident_update_apply_proc,
- (void *) ident);
+ (void *) &d);
+
+ if (d.ft_expire.dwLowDateTime != 0 ||
+ d.ft_expire.dwHighDateTime != 0) {
+
+ /* we found a TGT */
+
+ kcdb_identity_set_attr(ident, KCDB_ATTR_EXPIRE,
+ &d.ft_expire, sizeof(d.ft_expire));
+ if (d.ft_issue.dwLowDateTime != 0 ||
+ d.ft_issue.dwHighDateTime != 0)
+ kcdb_identity_set_attr(ident, KCDB_ATTR_ISSUE,
+ &d.ft_issue, sizeof(d.ft_issue));
+ else
+ kcdb_identity_set_attr(ident, KCDB_ATTR_ISSUE, NULL, 0);
+
+ if (d.ft_rexpire.dwLowDateTime != 0 ||
+ d.ft_rexpire.dwHighDateTime != 0)
+ kcdb_identity_set_attr(ident, KCDB_ATTR_RENEW_EXPIRE,
+ &d.ft_rexpire, sizeof(d.ft_rexpire));
+ else
+ kcdb_identity_set_attr(ident, KCDB_ATTR_RENEW_EXPIRE, NULL, 0);
+
+ kcdb_identity_set_attr(ident, attr_id_krb5_flags,
+ &d.k5_flags, sizeof(d.k5_flags));
+
+ if (d.ccname[0])
+ kcdb_identity_set_attr(ident, attr_id_krb5_ccname,
+ d.ccname, KCDB_CBSIZE_AUTO);
+ else
+ kcdb_identity_set_attr(ident, attr_id_krb5_ccname, NULL, 0);
+
+ } else {
+ /* Clear out the attributes. We don't have any information
+ about this identity */
+ kcdb_identity_set_attr(ident, KCDB_ATTR_EXPIRE, NULL, 0);
+ kcdb_identity_set_attr(ident, KCDB_ATTR_ISSUE, NULL, 0);
+ kcdb_identity_set_attr(ident, KCDB_ATTR_RENEW_EXPIRE, NULL, 0);
+ kcdb_identity_set_attr(ident, attr_id_krb5_flags, NULL, 0);
+ kcdb_identity_set_attr(ident, attr_id_krb5_ccname, NULL, 0);
+ }
if (KHM_SUCCEEDED(kcdb_identity_get_default(&tident))) {
kcdb_identity_release(tident);
diff --git a/src/windows/identity/plugins/krb5/krb5newcreds.c b/src/windows/identity/plugins/krb5/krb5newcreds.c
index db9462eb6..e7641df8a 100644
--- a/src/windows/identity/plugins/krb5/krb5newcreds.c
+++ b/src/windows/identity/plugins/krb5/krb5newcreds.c
@@ -232,6 +232,20 @@ k5_handle_wmnc_notify(HWND hwnd,
d->pwd_change = TRUE;
+ if (is_k5_identpro &&
+ d->nc->n_identities > 0 &&
+ d->nc->identities[0]) {
+
+ kcdb_identity_set_flags(d->nc->identities[0],
+ KCDB_IDENT_FLAG_VALID,
+ KCDB_IDENT_FLAG_VALID);
+
+ }
+
+ PostMessage(d->nc->hwnd, KHUI_WM_NC_NOTIFY,
+ MAKEWPARAM(0, WMNC_UPDATE_CREDTEXT),
+ (LPARAM) d->nc);
+
return TRUE;
}
}
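Review bot: Nothing in the added block says why `identities[0]` may be marked `KCDB_IDENT_FLAG_VALID` at this point, before any credentials have been obtained for it. If the reasoning is that the KDC's expired-password reply proves the principal exists (the commit message suggests this is the expired-password path, but the triggering condition is outside the hunk), say so above the call, e.g. `/* the KDC reported an expired password, so the principal exists; mark the identity valid so the change-password flow can proceed */`. The return value of `kcdb_identity_set_flags()` is also dropped, so a failure to set the flag goes unnoticed.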
@@ -347,7 +361,7 @@ k5_handle_wmnc_notify(HWND hwnd,
/* the above notification effectively takes all our
changes into account. The data we have is no
longer out of sync */
- d->sync = FALSE;
+ d->sync = TRUE;
}
}
break;
@@ -1574,6 +1588,47 @@ k5_find_tgt_filter(khm_handle cred,
}
khm_int32
+k5_remove_from_LRU(khm_handle identity)
+{
+ wchar_t * wbuf = NULL;
+ wchar_t idname[KCDB_IDENT_MAXCCH_NAME];
+ khm_size cb;
+ khm_size cb_ms;
+ khm_int32 rv = KHM_ERROR_SUCCESS;
+
+ cb = sizeof(idname);
+ rv = kcdb_identity_get_name(identity, idname, &cb);
+ assert(rv == KHM_ERROR_SUCCESS);
+
+ rv = khc_read_multi_string(csp_params, L"LRUPrincipals", NULL, &cb_ms);
+ if (rv != KHM_ERROR_TOO_LONG)
+ cb_ms = sizeof(wchar_t) * 2;
+
+ wbuf = PMALLOC(cb_ms);
+ assert(wbuf);
+
+ cb = cb_ms;
+
+ if (rv == KHM_ERROR_TOO_LONG) {
+ rv = khc_read_multi_string(csp_params, L"LRUPrincipals", wbuf, &cb);
+ assert(KHM_SUCCEEDED(rv));
+
+ if (multi_string_find(wbuf, idname, KHM_CASE_SENSITIVE) != NULL) {
+ multi_string_delete(wbuf, idname, KHM_CASE_SENSITIVE);
+ }
+ } else {
+ multi_string_init(wbuf, cb_ms);
+ }
+
+ rv = khc_write_multi_string(csp_params, L"LRUPrincipals", wbuf);
+
+ if (wbuf)
+ PFREE(wbuf);
+
+ return rv;
+}
+
+khm_int32
k5_update_LRU(khm_handle identity)
{
wchar_t * wbuf = NULL;
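Review bot: k5_remove_from_LRU relies on `assert()` for its only error handling, so in a build with assertions compiled out a failed `kcdb_identity_get_name()` leaves `idname` uninitialised and a failed `PMALLOC` passes NULL to `khc_read_multi_string()` or `multi_string_init()`. Separately, whenever the size query returns anything other than `KHM_ERROR_TOO_LONG` the function writes an empty list back to `LRUPrincipals`, which replaces the stored value even though nothing was read. The rewrite below returns early in those cases and writes only when an entry was actually deleted. Skipping the write when no list exists is a behaviour change, so confirm that no caller depends on the value being created. The tail of the hunk is the start of k5_update_LRU, whose body is outside the hunk.

```c
khm_int32
k5_remove_from_LRU(khm_handle identity)
{
    /* … unchanged: local declarations … */

    cb = sizeof(idname);
    rv = kcdb_identity_get_name(identity, idname, &cb);
    if (KHM_FAILED(rv))
        return rv;                  /* idname is not valid; nothing to look up */

    rv = khc_read_multi_string(csp_params, L"LRUPrincipals", NULL, &cb_ms);
    if (rv != KHM_ERROR_TOO_LONG)
        return KHM_ERROR_SUCCESS;   /* no stored list, so nothing to remove */

    wbuf = PMALLOC(cb_ms);
    if (wbuf == NULL)
        return KHM_ERROR_NO_RESOURCES;

    cb = cb_ms;
    rv = khc_read_multi_string(csp_params, L"LRUPrincipals", wbuf, &cb);
    if (KHM_SUCCEEDED(rv) &&
        multi_string_find(wbuf, idname, KHM_CASE_SENSITIVE) != NULL) {
        multi_string_delete(wbuf, idname, KHM_CASE_SENSITIVE);
        rv = khc_write_multi_string(csp_params, L"LRUPrincipals", wbuf);
    }

    PFREE(wbuf);
    return rv;
}
```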
@@ -1915,6 +1970,13 @@ k5_msg_cred_dialog(khm_int32 msg_type,
assert(nc->subtype == KMSG_CRED_NEW_CREDS);
+ /* If we are forcing a password change, then we don't do
+ anything here. Note that if the identity changed, then
+ this field would have been reset, so we would proceed
+ as usual. */
+ if (d->pwd_change)
+ return KHM_ERROR_SUCCESS;
+
/* if the fiber is already in a kinit, cancel it */
if(g_fjob.state == FIBER_STATE_KINIT) {
g_fjob.command = FIBER_CMD_CANCEL;
@@ -1965,7 +2027,7 @@ k5_msg_cred_dialog(khm_int32 msg_type,
break;
case KRB5KDC_ERR_KEY_EXP:
- /* password needs changing */
+ /* password needs changing. */
LoadString(hResModule, IDS_K5ERR_KEY_EXPIRED,
msg, ARRAYLENGTH(msg));
break;
@@ -2320,7 +2382,7 @@ k5_msg_cred_dialog(khm_int32 msg_type,
kherr_suggestion sug_id;
/* if we failed to get new tickets, but the
- identity isstill valid, then we assume that
+ identity is still valid, then we assume that
the current tickets are still good enough
for other credential types to obtain their
credentials. */
@@ -2374,7 +2436,13 @@ k5_msg_cred_dialog(khm_int32 msg_type,
khui_cw_lock_nc(nc);
- if (nc->n_identities == 0 ||
+ if (nc->result == KHUI_NC_RESULT_CANCEL) {
+
+ khui_cw_set_response(nc, credtype_id_krb5,
+ KHUI_NC_RESPONSE_SUCCESS |
+ KHUI_NC_RESPONSE_EXIT);
+
+ } else if (nc->n_identities == 0 ||
nc->identities[0] == NULL) {
_report_mr0(KHERR_ERROR, MSG_PWD_NO_IDENTITY);
_suggest_mr(MSG_PWD_S_NO_IDENTITY, KHERR_SUGGEST_RETRY);
@@ -2382,6 +2450,7 @@ k5_msg_cred_dialog(khm_int32 msg_type,
khui_cw_set_response(nc, credtype_id_krb5,
KHUI_NC_RESPONSE_FAILED |
KHUI_NC_RESPONSE_NOEXIT);
+
} else {
wchar_t widname[KCDB_IDENT_MAXCCH_NAME];
char idname[KCDB_IDENT_MAXCCH_NAME];
@@ -2483,9 +2552,12 @@ k5_msg_cred_dialog(khm_int32 msg_type,
goto _pwd_exit;
}
+ /* the password change phase is now done */
+ d->pwd_change = FALSE;
+
code = khm_krb5_kinit(NULL, /* context (create one) */
idname, /* principal_name */
- npwd, /* password */
+ npwd, /* new password */
NULL, /* ccache name (figure out the identity cc)*/
(krb5_deltat) d->tc_lifetime.current,
d->forwardable,
diff --git a/src/windows/identity/plugins/krb5/krb5plugin.c b/src/windows/identity/plugins/krb5/krb5plugin.c
index 7c5287769..e80e01c47 100644
--- a/src/windows/identity/plugins/krb5/krb5plugin.c
+++ b/src/windows/identity/plugins/krb5/krb5plugin.c
@@ -169,6 +169,23 @@ k5_msg_system(khm_int32 msg_type, khm_int32 msg_subtype,
return rv;
}
+khm_int32 KHMAPI
+k5_msg_kcdb(khm_int32 msg_type, khm_int32 msg_subtype,
+ khm_ui_4 uparam, void * vparam)
+{
+ khm_int32 rv = KHM_ERROR_SUCCESS;
+
+ switch(msg_subtype) {
+ case KMSG_KCDB_IDENT:
+ if (uparam == KCDB_OP_DELCONFIG) {
+ k5_remove_from_LRU((khm_handle) vparam);
+ }
+ break;
+ }
+
+ return rv;
+}
+
/* Handler for CRED type messages
@@ -241,6 +258,8 @@ k5_msg_callback(khm_int32 msg_type, khm_int32 msg_subtype,
return k5_msg_system(msg_type, msg_subtype, uparam, vparam);
case KMSG_CRED:
return k5_msg_cred(msg_type, msg_subtype, uparam, vparam);
+ case KMSG_KCDB:
+ return k5_msg_kcdb(msg_type, msg_subtype, uparam, vparam);
}
return KHM_ERROR_SUCCESS;
}
diff --git a/src/windows/identity/plugins/krb5/krbcred.h b/src/windows/identity/plugins/krb5/krbcred.h
index f31bde4e6..694323ce3 100644
--- a/src/windows/identity/plugins/krb5/krbcred.h
+++ b/src/windows/identity/plugins/krb5/krbcred.h
@@ -200,6 +200,9 @@ k5_msg_ident(khm_int32 msg_type,
khm_ui_4 uparam,
void * vparam);
+khm_int32
+k5_remove_from_LRU(khm_handle identity);
+
int
k5_get_realm_from_nc(khui_new_creds * nc,
wchar_t * buf,
diff --git a/src/windows/identity/plugins/krb5/lang/en_us/langres.rc b/src/windows/identity/plugins/krb5/lang/en_us/langres.rc
index 54f3ed787..dde30e387 100644
--- a/src/windows/identity/plugins/krb5/lang/en_us/langres.rc
+++ b/src/windows/identity/plugins/krb5/lang/en_us/langres.rc
@@ -59,7 +59,7 @@ FONT 8, "MS Shell Dlg", 400, 0, 0x1
BEGIN
CONTROL "Kerberos 5 Ticket Options",IDC_STATIC,"Static",SS_LEFTNOWORDWRAP | SS_SUNKEN | WS_GROUP,7,7,286,11
LTEXT "Realm",IDC_STATIC,7,25,52,13
- COMBOBOX IDC_NCK5_REALM,60,25,233,17,CBS_DROPDOWN | CBS_AUTOHSCROLL | CBS_SORT | WS_VSCROLL | WS_TABSTOP
+ COMBOBOX IDC_NCK5_REALM,60,25,233,51,CBS_DROPDOWN | CBS_AUTOHSCROLL | CBS_SORT | WS_VSCROLL | WS_TABSTOP
PUSHBUTTON "Specify &additional realms ...",IDC_NCK5_ADD_REALMS,181,43,112,16,BS_NOTIFY | NOT WS_VISIBLE | WS_DISABLED
LTEXT "&Lifetime",IDC_STATIC,7,67,61,12
EDITTEXT IDC_NCK5_LIFETIME_EDIT,85,67,107,12,ES_AUTOHSCROLL
@@ -119,7 +119,7 @@ STYLE DS_SETFONT | DS_FIXEDSYS | WS_CHILD | WS_SYSMENU
FONT 8, "MS Shell Dlg", 400, 0, 0x1
BEGIN
LTEXT "Default Realm",IDC_CFG_LBL_REALM,13,9,46,8
- COMBOBOX IDC_CFG_DEFREALM,76,7,166,30,CBS_DROPDOWN | CBS_SORT | WS_VSCROLL | WS_TABSTOP
+ COMBOBOX IDC_CFG_DEFREALM,76,7,166,51,CBS_DROPDOWN | CBS_SORT | WS_VSCROLL | WS_TABSTOP
PUSHBUTTON "Configure Realms ...",IDC_CFG_CFGREALMS,76,25,84,14,NOT WS_VISIBLE | WS_DISABLED
GROUPBOX "Keberos Configuration File",IDC_CFG_CFGFILEGRP,7,45,241,61
LTEXT "Location",IDC_CFG_LBL_CFGFILE,13,61,28,8
@@ -134,7 +134,7 @@ BEGIN
LTEXT "Domain",IDC_CFG_LBL_DOMAIN,13,141,24,8
EDITTEXT IDC_CFG_DOMAIN,76,138,166,14,ES_AUTOHSCROLL | ES_READONLY
LTEXT "Import tickets",IDC_LBL_IMPORT,13,158,45,8
- COMBOBOX IDC_CFG_IMPORT,76,156,166,30,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP
+ COMBOBOX IDC_CFG_IMPORT,76,156,166,51,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP
END
IDD_CFG_REALMS DIALOGEX 0, 0, 255, 182
@@ -195,7 +195,7 @@ FONT 8, "MS Shell Dlg", 400, 0, 0x1
BEGIN
CONTROL "Kerberos 5 Change Password Options",IDC_STATIC,"Static",SS_LEFTNOWORDWRAP | SS_SUNKEN | WS_GROUP,7,7,286,11
LTEXT "Realm",IDC_STATIC,7,25,52,13
- COMBOBOX IDC_NCK5_REALM,60,25,233,17,CBS_DROPDOWN | CBS_AUTOHSCROLL | CBS_SORT | WS_VSCROLL | WS_TABSTOP
+ COMBOBOX IDC_NCK5_REALM,60,25,233,51,CBS_DROPDOWN | CBS_AUTOHSCROLL | CBS_SORT | WS_VSCROLL | WS_TABSTOP
PUSHBUTTON "Specify &additional realms ...",IDC_NCK5_ADD_REALMS,181,43,112,16,BS_NOTIFY | WS_DISABLED
END
