| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
The "rcache" URN can specify a cache type and name to be used with
the credentials being acquired.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
| |
ticket: 7800
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, if you passed a service name with a realm part to a
kadm5_init function, you would get a KRB5_PARSE_MALFORMED error
because the code would internally append its own '@realm' suffix
before parsing the name. Fix this as follows:
Change gic_iter so instead of producing a full service name, it
produces a krb5_principal which is taken from the cred it acquires.
Pass the client and full service name around as principals, rather
than strings, and use the gss_nt_krb5_principal name type to import
them in setup_gss(). Don't append a realm to the input service name;
instead, pass the input service name directly to the gic functions
(which do not need a realm in the service name and will ignore the
realm if one is present). For the INIT_CREDS case, parse the input
service name with KRB5_PRINCIPAL_PARSE_IGNORE_REALM and then set the
realm.
ticket: 7800
|
| |
|
|
|
|
|
|
|
|
|
| |
The "realm" variable in init_any is used only to fill in the realm of
the service principal in gic_iter(). The service principal realm
should always be the realm we looked up config parameters for, so we
can supply that realm to get_init_creds() unconditionally and
eliminate the case where we use the client principal realm.
Also get rid of an outdated comment and an #if 0 block we will never
need again, and use SNPRINTF_OVERFLOW to check the snprintf result.
|
| | |
|
| |
|
|
|
| |
A tree configured to use the system libverto will be missing
$(VERTO_DEPS) in dependencies, so disallow make depend.
|
| |
|
|
|
|
|
|
|
| |
keyctl purge was added in keyutils 1.5 (released in March 2011). Use
keyctl unlink to clean up keys instead, as it is more universal.
ticket: 7810
target_version: 1.12.1
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
Add an adapted version of extended_com_err_fn from kinit to klist and
use it. In do_ccache(), rely on the ccache type to set a reasonable
message if krb5_cc_set_flags() or krb5_cc_get_principal() fails due to
a nonexistent or unreadable ccache, and don't confuse the user with
the name of the ccache operation that failed.
ticket: 7809
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When attempting to use a keyring cache that doesn't exist, set an error
message when we fail to read a principal name, as we do when we return
the same error code when using a file ccache.
[ghudson: removed unnecessary check for d->name nullity.]
ticket: 7809
target_version: 1.12.1
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
libkrad relies on verto_set_flags, which was added to libverto in
release 0.2.4. Make sure the system libverto has this function before
choosing it over the built-in version.
ticket: 7808 (new)
target_version: 1.12.1
tags: pullup
|
| |
|
|
|
| |
Their previous location - kdc_util.c - seems to be overloaded with
various helper functions. No code changes.
|
| |
|
|
| |
Missing $
|
| |
|
|
|
|
|
| |
The plan is to make Troubleshooting section of the documentation a
one-stop-shop place for all error diagnostics, explanations and possible
solutions. The relocation of kprop error messages descriptions is part of
this consolidation effort.
|
| |
|
|
|
|
|
|
| |
This test program isn't completely proof against the kind of mistakes
we've made with krb5_copy_context in the past, but it at least
exercises krb5_copy_context and can detect some kinds of bugs.
ticket: 7807
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
krb5_copy_context has been broken since 1.8 (it broke in r22456)
because k5_copy_etypes crashes on null enctype lists. Subsequent
additions to the context structure were not reflected in
krb5_copy_context, creating double-free bugs. Make k5_copy_etypes
handle null input and account for all new fields in krb5_copy_context.
Reported by Arran Cudbard-Bell.
ticket: 7807 (new)
target_version: 1.12.1
tags: pullup
|
| |
|
|
|
|
|
| |
Now that #7045 is fixed, we can check for the correct error message
from t_s4u2proxy_krb5 with --spnego.
ticket: 7045
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To avoid potential recursion we use a thread local variable that tells
us whether the ancestor was called via spnego_gss_display_name(). If
we detect recursion, we assume that we returned a com_err code like
ENOMEM and call error_message(); in the worst case that will result in
an "Unknown error" message.
[ghudson@mit.edu: Edited comments and commit message; removed an
unneeded line of code.]
ticket: 7045
target_version: 1.12.1
tags: pullup
|
| |
|
|
|
| |
The vtbl and locate_fptrs fields were ostensibly related to the locate
pluggable interface, but weren't actually used.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The documentation for klist -s erroneously suggests that it doesn't
affect the exit status behavior and that it merely checks for the
existence of the ccache (only mentioning the expired ticket check at
the end). Make it clearer and simpler, but avoid going into a lot of
detail about the nature of the expiration check.
ticket: 7806 (new)
target_version: 1.12.1
tags: pullup
|
| |
|
|
|
| |
We haven't been using it or keeping it up to date, and there's no
need to keep it checked in.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
For a long time we have allowed krb5 contexts to be initialized in the
absence of krb5.conf--but only if KRB5_DNS_LOOKUP is defined,
presumably on the theory that no KDCs could be contacted without
either DNS support or profile configuration. But locate plugins could
provide the ability to find KDCs, and some libkrb5 operations (such as
IAKERB initiation) could succeed without needing to locate KDCs.
Also get rid of the profile_in_memory context flag, since we don't use
it any more.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When acquiring acceptor creds with a specified name, if we fail to
open a replay cache, we leak the keytab handle. If there is no
specified name and we discover that there is no content in the keytab,
we leak the keytab handle and return the wrong major code. Memory
leak reported by Andrea Campi.
ticket: 7805
target_version: 1.12.1
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If we eliminate a mechanism from the initiator list because
gss_init_sec_context fails, free the memory for that mech OID before
removing it from the list.
[ghudson@mit.edu: clarified commit message]
ticket: 7803 (new)
target_version: 1.12.1
tags: pullup
|
| |
|
|
|
|
|
|
| |
In init_ctx_cont, if the response token contains no fields, we set a
return value but don't actually quit out of the function. We do not
need this check (we will fail later on if a piece of required
information isn't present), so just remove it. Reported by
simo@redhat.com.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
ticket: 7797 (new)
target_version: 1.12.1
tags: pullup
|
| |
|
|
|
| |
A few test programs didn't make it into .gitignore, OBJS, or
EXTRADEPSRCS.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
MSSQLSvc principal names can contain a ":port" or ":instance" trailer
on the hostname part. If we see that in the hostname argument of
krb5_sname_to_principal(), remove it before canonicalizing the
hostname and put it back on afterwards.
ticket: 7795 (new)
|
| |
|
|
|
| |
Refactor and edit sn2princ.c to match current coding style. No
behavior changes, except to be less chatty in trace logs.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Add a new section to kdc_conf.rst to describe keysalt lists, and
update other documentation to better distinguish enctype lists from
keysalt lists.
ticket: 7608
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
| |
If we read a zero-length token in spnego_mech.c's get_input_token(),
set the value pointer to NULL instead of calling malloc(0).
ticket: 7794 (new)
|
| |
|
|
|
|
|
|
|
|
|
| |
When we added FAST TGS support in 1.11, we broke S4U2Self against KDCs
which don't support FAST, because the S4U2Self padata is only present
within the FAST request. For now, duplicate that padata in the outer
request so that both FAST and non-FAST KDCs can see it.
ticket: 7791
target_version: 1.11.5
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
| |
Some error messages that kprop could print were quoted incorrectly in
install_kdc.rst.
Also fix minor typos.
ticket: 7785 (new)
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
| |
Add another blank line before section headers. Avoid contractions.
Change some whiches to thats where it seems appropriate. Fix some
missing or extra words.
|
| |
|
|
|
|
| |
Bump minor version for the new log_badauth2 interfaces.
ticket: 7770
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Define client_addr() in server_stubs.c and use it consistently in that
file and ipropd_svc.c to get the client address from a transport
handle. In it, call getpeername() on the client socket and use
inet_ntop() on the result, instead of using inet_ntoa() on the IPv4
socket address. Provide a log_badauth2 callback to GSSRPC, so that we
get a transport handle instead of an IPv4 socket address, and use
client_addr() within it instead of inet_ntoa().
ticket: 7770
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
libgssrpc supports two callbacks for gss_accept_sec_context failures
on servers (one for AUTH_GSS and one for AUTH_GSSAPI), which are
IPv4-specific. Provide an alternate version which supplies the
transport handle instead of the address, so that we can get the
address via the file descriptor for TCP connections.
ticket: 7770
|
| |
|
|
|
|
|
| |
It is not needed.
In general, we shouldn't be using inet_ntoa(), anyway, as it is
IPv4-specific and we have IPv6 support almost everywhere.
|
| |
|
|
|
|
|
|
|
| |
kdb5_util.rst incorrectly describes the current default dump format
version as 6 when it should be 7. Reported by Jeff D'Angelo.
ticket: 7777
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
| |
Re-fill to 70 columns. Replace non-ascii apostrophes with ASCII ones.
Edit wording slightly.
ticket: 7776
|
| |
|
|
|
|
|
|
|
| |
This is to add a short introductory document on credential
caches to the Concepts section of Kerberos documentation.
ticket: 7776 (new)
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Document the lifetime and caching behavior of the
krb5_cc_default_name() return value. Document that
krb5_cc_set_default_name() may be called with NULL to purge the cached
value. Correct a typo in the krb5_cc_default() summary and explicitly
reference krb5_cc_default_name().
ticket: 7775 (new)
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
In kadm5.acl, *N in the target principal name refers to the Nth
wildcard in the acting principal pattern, not the Nth component.
ticket: 7774 (new)
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
| |
Add a test using backreferences which don't correspond directly to
principal components, to verify that *N refers to the Nth wildcard and
not the Nth component.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In the "KDC replication and account lockout" section of lockout.rst,
specifically call out kprop and incremental propagation as the
mechanisms which do not replicate account lockout state, and add a
note that KDCs using LDAP may not be affected by that section's
concerns.
ticket: 7773 (new)
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
| |
This configure option hasn't done anything since 1.8, so don't mention
it in configure --help or the documentation. The disable_last_success
and disable_lockout DB options are now used to turn it off.
|
| |
|
|
|
|
|
| |
On 32-bit platforms, the code to translate an iteration count of 0 to
2^32 can trigger a compiler warning. Since we will basically never
accept an iteration count that high (right now we reject anything
above 2^24), just reject it out of hand.
|
| |
|
|
|
|
|
|
|
|
|
| |
By setting the timeout based on the credetial's timeout we let the
system automatically cleanup expired credentials.
[ghudson@mit.edu: simplified code slightly]
ticket: 7769 (new)
target_version: 1.12
tags: pullup
|
