Ben Kaduk [Thu, 11 Oct 2012 16:42:05 +0000 (12:42 -0400)]
Disconnect the texinfo admin guide from the build
Its content has been migrated to or superseded by the reST documentation,
essentially entirely in krb_admins.
A few portions of the texinfo document are simply no longer relevant
and do not need to be migrated. In particular:
- Information about reporting bugs lives on k5wiki.kerberos.org.
- General Kerberos concepts/introduction will be elsewhere in the tree.
- We do not need to document the time zones accepted by kadmin.
- We do not need a table of the various error codes and strings in our
  formal documentation.
- A complete description of the layout of our source tree is not useful
  or relevant to most Kerberos administrators.
Greg Hudson [Thu, 11 Oct 2012 17:22:29 +0000 (13:22 -0400)]
Fix cast regexp in C style checker
In check_cast, we want to match cast operators with or without spaces
after the closing paren, and then check for spaces after we match.
Also, per the comment, we want to match potential cast operators
followed by an open paren.
Ben Kaduk [Tue, 9 Oct 2012 20:00:53 +0000 (16:00 -0400)]
Improve the ktadd and ktremove synopses
Mention the options on the synopsis line, and do not imply that
the principal argument(s) for ktadd are optional.
reST line blocks are needed to keep the two forms of ktadd on
separate lines.
Ben Kaduk [Fri, 5 Oct 2012 20:44:40 +0000 (16:44 -0400)]
Fix ordered list style
Sphinx outputs class information that corresponds to its generated
basic.css, which we do not include. This results in all lists,
even nested lists, using arabic numerals.
Import the class properties into kerb.css for now.
Ben Kaduk [Fri, 5 Oct 2012 18:35:45 +0000 (14:35 -0400)]
Fix copy/paste errors in dbadmin
We should include the stashsrvpw content in that section, not
the list content. Likewise, the list_policy content instead
of the destroy_policy content.
Ben Kaduk [Fri, 5 Oct 2012 17:04:16 +0000 (13:04 -0400)]
Update kdb5_util example output
This text has not caught up with changes to the utility itself.
As a side effect, our output text box is narrower and does not have
to scroll on as many browser windows.
Ben Kaduk [Fri, 5 Oct 2012 16:44:52 +0000 (12:44 -0400)]
Wordsmith kdb5_util stash -f
The keyfile worth overriding is the one in kdc.conf. Though using
stash -f would override kdb5_util's -sf argument, there is no reason to
pass both flags to the same invocation.
In any case, the "at startup" language is not really correct.
Ben Kaduk [Thu, 4 Oct 2012 22:04:41 +0000 (18:04 -0400)]
Correct kadm5.acl synopsis
The target principal and restrictions arguments are not orthogonal;
a target principal argument must be given in order for a restriction
list to be supplied.
Ben Kaduk [Thu, 4 Oct 2012 22:00:07 +0000 (18:00 -0400)]
Make the kadm5.acl example sane
It is an egregious security violation to give all admin principals
admin rights and then give all null instances permission to change
the password of the associated admin instance.
While here, don't assume that admin and root are the only non-null
instances, and correct the formatting of an entry with restrictions.
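The escalation path named in the commit message above can be checked mechanically. This is an added example, not code from krb5 or from the commit: a simplified evaluator for kadm5.acl-style entries run on constructed entries for the placeholder realm EXAMPLE.COM. The struct and function names are hypothetical, and uppercase "deny" letters and restriction lists are not modelled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct acl_entry { const char *actor, *perms, *target; }; /* target may be NULL */
struct caps { const char *p[4]; size_t len[4]; int n; };  /* actor wildcards */

/* Match princ against pat; '*' stands for one whole component.  Actor mode
 * records each wildcard; in target mode "*N" must equal the Nth record. */
static int match(const char *pat, const char *princ, struct caps *c, int target)
{
    while (*pat != '\0') {
        if (*pat != '*') {
            if (*pat++ != *princ++)
                return 0;
            continue;
        }
        size_t n = strcspn(princ, "/@");
        pat++;
        if (target && isdigit((unsigned char)*pat)) {
            int i = *pat++ - '1';
            if (i < 0 || i >= c->n || c->len[i] != n ||
                memcmp(c->p[i], princ, n) != 0)
                return 0;
        } else if (!target && c->n < 4) {
            c->p[c->n] = princ;
            c->len[c->n++] = n;
        }
        princ += n;
    }
    return *princ == '\0';
}

/* The first entry that matches both actor and target decides the outcome. */
static int acl_allows(const struct acl_entry *acl, size_t n,
                      const char *actor, char op, const char *target)
{
    for (size_t i = 0; i < n; i++) {
        struct caps c = { { 0 }, { 0 }, 0 };
        if (!match(acl[i].actor, actor, &c, 0) ||
            (acl[i].target && !match(acl[i].target, target, &c, 1)))
            continue;
        return strchr(acl[i].perms, op) || strchr(acl[i].perms, '*') ||
               strchr(acl[i].perms, 'x');
    }
    return 0;
}

/* Constructed ACLs for the placeholder realm EXAMPLE.COM. */
static const struct acl_entry weak_acl[] = {
    { "*/admin@EXAMPLE.COM", "*", NULL },
    { "*@EXAMPLE.COM", "c", "*1/admin@EXAMPLE.COM" }, /* the dangerous entry */
};
static const struct acl_entry fixed_acl[] = { { "*/admin@EXAMPLE.COM", "*", NULL } };

int main(void)
{
    const char *u = "joe@EXAMPLE.COM", *a = "joe/admin@EXAMPLE.COM";
    /* joe/admin holds every privilege, so 'c' on it gives joe all of them. */
    printf("joe may reset joe/admin: weak=%d fixed=%d\n",
           acl_allows(weak_acl, 2, u, 'c', a), acl_allows(fixed_acl, 1, u, 'c', a));
    return 0;
}
```

Running the same check over every null-instance/admin-instance pair in a real ACL file gives a quick audit for this pattern.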
Greg Hudson [Wed, 10 Oct 2012 17:11:46 +0000 (13:11 -0400)]
Fix slow kprop dejagnu test
Fix kpropd -S -t to actually exit after processing one connection (it
was breaking out of the switch statement, not the while loop). Use
the -t when invoking kpropd from the dejagnu test framework;
previously it was unnecessary because kpropd -S -d exited after one
connection. Clear up some confusion in the kprop.exp comments about
whether kpropd is expected to exit.
Ben Kaduk [Thu, 4 Oct 2012 17:42:13 +0000 (13:42 -0400)]
Document TXT records for realm lookup
Even though they are subject to vulnerabilities via DNS spoofing
and we accordingly don't recommend their use, we do have the code
to use them. Just as we document dns_lookup_realm in krb5.conf(5),
document them here.
Ben Kaduk [Wed, 3 Oct 2012 20:44:28 +0000 (16:44 -0400)]
Remove unused texinfo sources
Now that the install guide make rules are removed, nothing references
build.texinfo or install.texinfo any more (other than the tgz target,
which is updated accordingly).
Ben Kaduk [Wed, 3 Oct 2012 20:16:26 +0000 (16:16 -0400)]
Disconnect texinfo install guide from the build
Its content has been migrated to or superseded by the RST documentation,
split amongst krb_build and various sections of krb_admins.
A few portions of the texinfo document are simply no longer relevant
and do not need to be migrated. In particular:
- It's 2012; we don't need to specify that we require a C89 compiler.
- It's 2012; it will be easy to get enough disk to build krb5.
- The KADM5 tests are part of 'make check' and don't need separate
  documentation.
- Shared library support is not limited to "a few operating systems".
- We do not need to document incompatibilities with ancient/dead OSes.
- kadmind4 and v5passwdd are no longer relevant.
Ben Kaduk [Wed, 3 Oct 2012 19:56:46 +0000 (15:56 -0400)]
Add section on updating from single-DES
There are, unfortunately, still some single-DES deployments out
there. Try to help them along by documenting a procedure for
migrating to stronger crypto.
The texinfo install guide had a section on "upgrading", but it was
not really suitable for direct import into a RST document. For one,
it gave a high profile to the on-disk incompatibilities in upgrades
to 1.1 and 1.2. It also was driven at upgrading *to* triple-des (or RC4),
which are something of a dead-end. This new text attempts to be more
general and applicable to today's environment.
Ben Kaduk [Wed, 3 Oct 2012 16:29:20 +0000 (12:29 -0400)]
Add a kdb5_util example for old KDC upgrades
It's a slightly less-contrived use case of the utility than the
other example, which reads more like a usage statement.
Give a motivating sentence before each example, and note that this
new example is not needed in the general upgrade case.
The need to dump/load for upgrades prior to 1.2 was documented in
the texinfo install guide, but not in any RST sources until now.
Greg Hudson [Tue, 9 Oct 2012 18:27:04 +0000 (14:27 -0400)]
De-conditionalize Camellia code
The Camellia enctypes and cksumtypes have received IANA assignments.
Add #defines using those assignments to krb5.h, remove the CAMELLIA
conditional, and enable testing code as appropriate.
The Camellia draft has not received an RFC number yet, so there is no
Doxygen markup for the enctype and cksumtype #defines. That can be
added once the RFC number is known.
Greg Hudson [Mon, 8 Oct 2012 16:18:35 +0000 (12:18 -0400)]
Remove iprop dejagnu test
Both the Python and dejagnu iprop tests are slow since they use sleeps
to give kpropd time to do its work (although we can fix this with some
work). Since the Python tests cover the same ground as the dejagnu
tests, we don't need both.
Nicolas Williams [Mon, 24 Sep 2012 23:04:50 +0000 (18:04 -0500)]
Remove an old, incorrect comment in kpropd.c
We absolutely do not want a parking brake on the kprop protocol as
described in the comment being removed. Instead the kprop command
should be fixed so it doesn't die on error (assuming it even still does
or ever did, neither of which I've checked).
If a kdb5_util load gets killed between rename()ing the new KDB file
into place and resetting the iprop ulog then the ulog can reflect the
pre-load state, which will almost certainly be incorrect.
This matters because we want to impose a timeout on full resyncs in
kpropd when iprop dictates that a full resync is needed, and the
simplest timeout scheme involves signaling the kdb5_util load process.
But also, we want no such races in general.
The fix is simple: re-initialize the ulog before renaming the new KDB
file into place, then proceed as usual. If the ulog is not properly
updated at the end of the load it will at least always result in
subsequent iprop get updates operations always indicating that a full
resync is required.
Nicolas Williams [Thu, 20 Sep 2012 19:37:45 +0000 (15:37 -0400)]
Make kadmind iprop never return UPDATE_BUSY
Currently kadmind allows slaves to poll for updates as often as they
like, but not within 10s of the last update. This means that iprop will
appear to fail to synchronize the KDC at any site whose master KDC
processes at least one write transaction every 10 seconds consistently.
The original intention must have been to throttle iprop clients (slave
KDCs) that poll too often. But UPDATE_BUSY as implemented is not that,
and implementing a throttle would be difficult (requires keeping state
in a table) and mostly useless (admins can manage their poll timers just
fine without a throttle in kadmind).
Nicolas Williams [Mon, 24 Sep 2012 22:48:48 +0000 (17:48 -0500)]
Remove MAX_ULOGENTRIES
If a master KDC uses only a 64-bit libkadm5srv then there is no reason
to impose any limit on ulog size: the practical maximum will be given by
the filesystem and available storage space.
Even when using a 32-bit libkadm5srv the maximum practical ulog size
will be found easily enough when mmap() fails.
Nicolas Williams [Fri, 17 Aug 2012 23:19:31 +0000 (18:19 -0500)]
Use a single global dump for iprop full syncs
Use a global dump (the default dump file) for full syncs for iprop.
When a slave asks for a fullsync we kprop the existing global dump to it
if that is good enough, else we dump the DB and send the new global
dump.
Before this change kadmind would run kdb5_util dump -i... each time a
slave asked for a full dump. This was done in a sub-process,
thankfully, but it was still a waste of time and storage (e.g., if one
has a huge KDB).
Also, long dump times might cause a slave to give up (the timeout for
this is now configurable). But since iprop dumps bear a serial number
and timestamp and since slaves will resync from that point forward, it
doesn't matter if the dump we send a slave is fresh as long as it is
fresh enough (i.e., that its sno and timestamp are in the ulog).
Also:
- Rename dumps into place instead of unlink, create, write (but we
  still keep the dump ok files as lock files and as a method of
  signaling to kprop that the dump is complete).
Nicolas Williams [Tue, 25 Sep 2012 02:09:17 +0000 (21:09 -0500)]
Improve kpropd behavior in iprop mode
- Make kpropd in iprop mode fork a child to listen for kprops from the
  master. The child writes progress and outcome reports to the parent
  for each kprop. This fixes a race between asking for a full resync
  and setting up a listener socket for it.
- Add runonce (-t) for kpropd do_standalone() too.
- Add a new iprop parameter: iprop_resync_timeout. kpropd will keep
  asking for incremental updates while waiting for a full resync to
  finish, and will re-request a full resync if kadmind continues to
  indicate that one is needed after this timeout passes since the
  previous full resync was requested.
- Allow polling intervals less than 10 seconds.
[ghudson@mit.edu: split out debug output changes; note polling interval
change in commit message]
util/cstyle-file.py checks a file for C style issues and displays
line-by-line output. It is not terribly sophisticated, and can
probably be improved upon (e.g. by doing an emacs batch-reindent of
the file and checking for differences in indentation).
util/cstyle.py produces diffs using git, runs the file checker on each
modified C source file in each diff, and displays the output lines
attributed to the diff.
Luke Howard [Sat, 1 Sep 2012 01:08:27 +0000 (11:08 +1000)]
GENC should always export composite names
RFC 6680 requires that gss_export_name_composite begin the output
token with 04 02. So we must produce a composite token even if the
name has no authdata, and be able to consume a composite token with no
authdata attributes.
Simo Sorce [Tue, 28 Aug 2012 14:47:23 +0000 (16:47 +0200)]
Add SPI calls to import objects by mech oid
An interposer mech needs to be able to handle multiple mechanisms.
When importing a mech token for a name, cred, or context, the
interposer mech needs to know the mech type of the token being
imported. To make this work, add SPI calls which accept a mech type
argument.
Simo Sorce [Tue, 5 Jun 2012 12:09:15 +0000 (08:09 -0400)]
Use interposer mechanisms in mechglue functions
Wherever a GSSAPI mechglue function accepts a mech OID from the
caller, use gssint_select_mech_type() to choose the mechanism to use.
Wherever a mechglue function outputs a mech OID to the caller, use
gssint_get_public_oid() or gssint_make_public_oid_set() to expose the
public mech OID.
Simo Sorce [Mon, 11 Jun 2012 15:50:26 +0000 (11:50 -0400)]
Add primitives for using interposed mechanisms
Add gssint_select_mechanism() to determine what mechanism to use for a
caller-specified OID, gssint_get_public_oid() to determine what
mechanism to expose to the caller, and gssint_make_public_oid_set to
translate an array of mech OIDs into a set of public OIDs. In
gssint_get_mechanism(), match interposed OIDs as well as real ones.
Simo Sorce [Tue, 18 Sep 2012 02:00:44 +0000 (22:00 -0400)]
Add support for loading interposer modules
Extend the syntax of the gss mech config file to allow a module type
delimited by triangle brackets. If the module type is "interposer",
flag the mechanism entry as being an interposer mechanism. A module
marked as an interposer is loaded immediately (so it can interpose a
built-in mechanism) and produces a list of OIDs to interpose.
Interposer mechanisms are not exposed to applications.
Tom Yu [Thu, 27 Sep 2012 21:18:18 +0000 (17:18 -0400)]
Cache TGS-REPs too
Changes in r25660 inadvertently failed to insert TGS-REPs into the
lookaside cache. Call finish_dispatch_cache() at the end of
dispatch() to handle this case.
Ben Kaduk [Fri, 21 Sep 2012 17:01:06 +0000 (13:01 -0400)]
Remove kerbsrc.win
It has been unloved and broken repeatedly for many years, requiring
updating of several variables whenever new directories are added
and similar tedia. It was originally intended to avoid the need
for Unix utilities on Windows, but Microsoft provides the Utilities
and SDK for UNIX-based Applications which is enough rope to do a
native build.
Leave behind a warning message to anyone who does try to build the
target.
Clean up some now-unused infrastructure in the build system.
Ben Kaduk [Fri, 21 Sep 2012 15:13:32 +0000 (11:13 -0400)]
Remove kerbsrc-nt
NT is long-gone; we don't need to keep a special-case error message
around telling people not to use it.
Clean out the unneeded code from the Makefile.in
Ben Kaduk [Thu, 20 Sep 2012 22:03:54 +0000 (18:03 -0400)]
Remove kerbsrc83
It's been a long time since systems were limited to 8.3 format
for file names. No one should be thinking to try and build this
target, and if they do, we don't need a custom error message anymore.
Clean out the unneeded code from the Makefile.in.
Ben Kaduk [Thu, 20 Sep 2012 18:03:20 +0000 (14:03 -0400)]
Do not add empty dir to the include search list
windows/leashdll/include contains only a krb4 directory.
We have a dubious need for the latter through AFSroutines.c,
but the former can be eliminated.
Ben Kaduk [Wed, 19 Sep 2012 16:13:30 +0000 (12:13 -0400)]
Update windows/README
The build instructions have changed somewhat, as have the requirements
for a build environment.
The default behavior for KRB5_CONFIG and KRB5CCNAME has also changed.
Attempt to remove mention of overly specific Windows versions that
are now quite old when the behavior persists in newer versions of Windows.
Document the usage of DNS by default and the reduced need for a large
krb5.ini file.
Talk a little more about the LSA cache.
Unlike most GSS test programs, t_s4u2proxy_krb5 uses a cleanup
handler, so we have to be careful to initialize everything we clean
up--particularly service2_name, which is initialized after a possible
goto. Also, remember to release acceptor_name.
krb5_rc_recover_or_initialize is not a public function, but is now
used by the krb5 mechanism when importing a credential. Mark it as
PRIVATE GSSAPI in the export list.
It might have been safe to access the krb5 verifier cred without a
lock before constrained delegation, but it is less likely to be safe
now that we might access both the initiator and acceptor parts of the
cred. Hold a lock on the cred for the full accept_sec_context
operation.
If the verifier cred handle is of type GSS_C_BOTH, we need to resolve
the initiator part of it in order to create a s4u2proxy delegated
credential handle. (If it's of type GSS_C_ACCEPT, kg_resolve_cred
won't do anything beyond locking and validating the credential.)
Ben Kaduk [Tue, 18 Sep 2012 21:53:18 +0000 (17:53 -0400)]
Remove NSIS installs when upgrading to 64-bit
The NSIS installer appears to have only ever existed as 32-bit
software. As such, unconditionally check the 32-bit registry tree
for an uninstall string; the architecture of the current package
being installed is not relevant to what was previously installed.
Get rid of gssint_get_mechanisms, gssint_mech_to_oid, and
gssint_oid_to_mech, which constructed a list of mechanism names and
mapped between mech names and OIDs. These functions were only used by
gss_inquire_mechs_for_name, which now uses gss_indicate_mechs instead.
Use gss_indicate_mechs instead of gssint_get_mechanisms and
gssint_mech_to_oid to iterate over the list of mechanism OIDs. Use a
static helper to determine whether a mech supports a name type,
avoiding most of the work done in the for loop. Use a cleanup
handler. Don't leave partial results in the output parameter on
error.
Simo Sorce [Tue, 14 Aug 2012 13:14:15 +0000 (15:14 +0200)]
Avoid leaks on gss_accept_sec_context errors
Failure handling during the postprocessing of
mech->gss_accept_sec_context was inconsistent. In one case we delete
the output token but leave the partly-constructed context present in
*context_handle (violating RFC 2744 if this is the first call); in
other cases we leave the output token in the caller's buffer but do
destroy the partly-constructed context. Make this more consistent by
always destroying the output token and partly-constructed context.
(RFC 2744 prefers, but does not require, leaving the
partly-constructed context present on error if it was present on
entry. At the moment we are ignoring that preference.)
[ghudson@mit.edu: Rewrote commit message with more details]
Tom Yu [Fri, 14 Sep 2012 17:55:36 +0000 (13:55 -0400)]
Avoid multiply defining OIDs in tests/gssapi
Declarations of gss_OID_desc mech_krb5, etc. in tests/gssapi/common.h
can result in multiple definitions when the test programs are linked.
Prefix the declarations with "extern" to prevent this.
Factor out some common functions used by multiple test programs. Use
a common argument format for importing names (p:princname,
h:hostbasedname, or u:username) and adjust the Python tests to match
it. Use more consistent conventions in test programs and fix some
coding style issues. Normalize how the test programs are built.
Ben Kaduk [Wed, 12 Sep 2012 18:17:59 +0000 (14:17 -0400)]
Improve LEASHAUTOINIT description
This installer option determines whether the -autoinit argument
is passed to the MIT Kerberos executable.
On startup, if this argument is passed, and if there are no tickets
in the default cache, and if no useful tickets can be imported from
the LSA cache, MIT Kerberos will open the get ticket dialog and prompt
for a password; this option does not appear to have any other effect.
Nicolas Williams [Wed, 12 Sep 2012 16:36:54 +0000 (11:36 -0500)]
Fix lock inconsistency in ctx_unlock()
The lock inconsistency fixed here is quite possibly the same as
described in https://bugzilla.redhat.com/show_bug.cgi?id=586032 .
The problem is that ctx_unlock() fails to unlock the principal DB if
it fails to unlock the policy DB, and this happens when ctx_lock()
fails to lock the policy DB (likely because the caller is racing
against a kdb5_util load, which will be using a "permanent" lock,
meaning that the lock file will be unlinked after acquiring the
lock). The fix is to perform both unlock operations *then* handle
any errors that either or both might have returned.
Additionally, we don't really need or want to use non-blocking locks,
and we certainly don't want to sleep(1) in krb5kdc (possibly several
times, as there was a loop over this) when either of the principal or
policy DB is locked. Some callers still request non-blocking locks,
and ctx_lock() still honors this.
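The failure mode and the fix described in the commit message above, modelled as an added example (not krb5's code): two lock files stand in for the principal and policy DB locks, `flock()` is assumed as the locking primitive, and all names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <unistd.h>

/* Simplified model (hypothetical names): one lock file per database. */
struct ctx {
    int princ_fd;  /* principal DB lock file, locked with flock() */
    int policy_fd; /* policy DB lock file; -1 when locking it failed */
};

/* Before: return on the first unlock error, so princ_fd stays locked. */
static int ctx_unlock_early_return(struct ctx *c)
{
    if (flock(c->policy_fd, LOCK_UN) != 0)
        return errno;
    if (flock(c->princ_fd, LOCK_UN) != 0)
        return errno;
    return 0;
}

/* After: attempt both unlocks, then report the first error seen. */
static int ctx_unlock_both(struct ctx *c)
{
    int e1 = flock(c->policy_fd, LOCK_UN) != 0 ? errno : 0;
    int e2 = flock(c->princ_fd, LOCK_UN) != 0 ? errno : 0;
    return e1 != 0 ? e1 : e2;
}

/* Hold the principal lock with no policy lock, call `unlock`, then probe
 * through a second descriptor.  Returns 1 if the principal lock was
 * released, 0 if it is still held, -1 on setup failure. */
static int principal_released_after(int (*unlock)(struct ctx *), int *err)
{
    char path[] = "/tmp/ctxlock-XXXXXX";
    struct ctx c = { mkstemp(path), -1 };
    int probe, released;

    if (c.princ_fd < 0 || flock(c.princ_fd, LOCK_EX) != 0)
        return -1;
    *err = unlock(&c);
    probe = open(path, O_RDWR);
    released = probe >= 0 && flock(probe, LOCK_EX | LOCK_NB) == 0;
    if (probe >= 0)
        close(probe);
    close(c.princ_fd);
    unlink(path);
    return released;
}

int main(void)
{
    int err = 0;
    printf("early return: released=%d\n",
           principal_released_after(ctx_unlock_early_return, &err));
    printf("unlock both:  released=%d\n",
           principal_released_after(ctx_unlock_both, &err));
    return 0;
}
```

Both variants return the same error to the caller; only the second leaves the principal lock free for the next process.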
Nicolas Williams [Wed, 12 Sep 2012 02:37:53 +0000 (21:37 -0500)]
Use blocking locks in krb5kdc and libkadm5srv
We don't really need or want to use non-blocking locks, and we certainly
don't want to sleep(1) in krb5kdc (possibly several times, as there was
a loop over this) when either of the principal or policy DB is locked.
Some callers still request non-blocking locks, and ctx_lock() still
honors this.
Nicolas Williams [Wed, 12 Sep 2012 02:32:28 +0000 (21:32 -0500)]
Map CANTLOCK_DB to SVC_UNAVAILABLE in krb5kdc
The KDC should not return KRB5KRB_ERR_GENERIC (KRB_ERR_GENERIC) when the
KDB plugin returns KRB5_KDB_CANTLOCK_DB: it should return
KRB5KDC_ERR_SVC_UNAVAILABLE (KDC_ERR_SVC_UNAVAILABLE) instead. This
allows clients to immediately fall back onto other KDCs.
When we switch to using blocking locks in the db2 KDB backend we'll very
rarely hit this code path, perhaps only when racing against a kdb5_util load.
Other KDB backends might still return KRB5_KDB_CANTLOCK_DB often enough that
this change is desirable.
Ben Kaduk [Wed, 12 Sep 2012 15:35:04 +0000 (11:35 -0400)]
Unregister error message key on library unload
Revision fcdd2de1 added the K5_KEY_GSS_KRB5_ERROR_MESSAGE key, and
registered it in the gssapi library initialization routine, but
did not unregister it in the library finalization routine.
When the library is unloaded and reloaded in the same process,
this leads to an assertion failure, since we check that
destructors_set[keynum] is zero (no destructor set) when registering
a key in util/support/threads.c.
Unregister the key on library cleanup to resolve the error.
Greg Hudson [Sun, 19 Aug 2012 03:40:29 +0000 (23:40 -0400)]
Introduce gss_export_cred and gss_import_cred
Add gss_export_cred and gss_import_cred mechglue functions to
serialize and unserialize GSSAPI credential handles. Mechanism
implementations and tests will follow.