Tom Yu [Tue, 28 Nov 2006 23:02:22 +0000 (23:02 +0000)]
pull up r18863 from trunk
r18863@cathode-dark-space: jaltman | 2006-11-22 13:11:16 -0500
ticket: new
subject: KFW 3.1 commits for Final Release
tags: pullup
KfW 3.1 final (NetIDMgr 1.1.8.0)
nidmgr32.dll (1.1.8.0)
- When detecting IP address changes, wait for things to settle down
before setting of the IP address change notification.
krb5cred.dll (1.1.8.0)
- Fixed the Kerberos 5 configuration dialog which didn't handle
setting the default realm properly. Setting the default realm now
sets the correct string in krb5.ini.
- Changing the default realm now marks the relevant configuration node
as dirty, and enabled the 'Apply' button.
- Changing the 'renewable', 'forwardable' and 'addressless' checkboxes
in the identity configuration panels now mark the relevant
configuration nodes as dirty, and enables the 'Apply' button.
- The location of the Kerberos 5 configuration file is now read-only
in the Kerberos 5 configuration dialog.
- Set the maximum number of characters for the edit controls in the
configuration dialog.
krb4cred.dll (1.1.8.0)
- The location of the Kerberos 4 configuration files are now read-only
in the Kerberos 4 configuration dialog.
- Handles setting the ticket string.
- Changing the ticket string now marks the relevant configuration node
as dirty, and enables the 'Apply' button.
- Fixed the plug-in initialization code to perform the initial ticket
listing at the end of the initializaton process.
Tom Yu [Fri, 17 Nov 2006 23:48:30 +0000 (23:48 +0000)]
pull up r18840 from trunk
r18840@cathode-dark-space: jaltman | 2006-11-17 18:14:27 -0500
ticket: new
tags: pullup
subject: reset use_master flag when master_kdc cannot be found
krb5_get_init_creds_password:
if the master_kdc cannot be identified reset the use_master
flag. otherwise, the krb5_get_init_creds("kadmin/changepw")
call will attempt to communicate with the master_kdc that
cannot be reached.
Tom Yu [Fri, 17 Nov 2006 19:29:54 +0000 (19:29 +0000)]
pull up r18828 from trunk
r18828@cathode-dark-space: jaltman | 2006-11-17 12:23:24 -0500
ticket: new
subject: commits for KFW 3.1 Beta 4
tags: pullup
KfW 3.1 beta 4 (NetIDMgr 1.1.6.0)
nidmgr32.dll (1.1.6.0)
- Fix a race condition where the initialization process might be
flagged as complete even if the identity provider hasn't finished
initialization yet.
krb5cred.dll (1.1.6.0)
- When assigning the default credentials cache for each identity,
favor API and FILE caches over MSLSA if they exist.
- When renewing an identity which was the result of importing
credentials from the MSLSA cache, attempt to re-import the
credentials from MSLSA instead of renewing the imported credentials.
- Prevent possible crash if a Kerberos 5 context could not be obtained
during the renewal operation.
- Prevent memory leak in the credentials destroy handler due to the
failure to free a Kerberos 5 context.
- Properly match principals and realms when importing credentials from
the MSLSA cache.
- Determine the correct credentials cache to place imported
credentials in by checking the configuration for preferred cache
name.
- Keep track of identities where credentials imports have occurred.
- When setting the default identity, ignore the KRB5CCNAME environment
variable.
- Do not re-compute the credentials cache and timestamps when updating
an identity. The cache and timestamp information is computed when
listing credentials and do not change between listing and identity
update.
- When refreshing the default identity, also handle the case where the
default credentials cache does not contain a principal, but the name
of the cache can be used to infer the principal name.
- Invoke a listing of credentials after a successful import.
- Do not free a Kerberos 5 context prematurely during plug-in
initialization.
netidmgr.exe (1.1.6.0)
- Fix the UI context logic to handle layouts which aren't based around
identities.
- Don't try to show a property sheet when there are no property pages
supplied for the corresponding UI context.
- Use consistent context menus.
- Bring a modal dialog box to the foreground when it should be active.
- Do not accept action triggers when the application is not ready to
process actions yet.
- Do not force the new credentials dialog to the top if there's
already a modal dialog box showing.
- Change the default per-identity layout to also group by location.
- The configuration provider was incorrectly handling the case where a
configuration value also specifies a configuration path, resulting
in the configuration value not being found. Fixed.
- Fix a race condition when refreshing identities where removing an
identity during a refresh cycle may a crash.
- Fix a bug which would cause an assertion to fail if an item was
removed from one of the system defined menus.
- When creating an indirect UI context, khui_context_create() will
correctly fill up a credential set using the selected credentials.
krb5cred.dll (1.1.4.0)
- Fix a race condition during new credentials acquisition which may
cause the Krb5 plug-in to abandon a call to
krb5_get_init_creds_password() and make another call unnecessarily.
- If krb5_get_init_creds_password() KRB5KDC_ERR_KEY_EXP, the new
credentials dialog will automatically prompt for a password change
instead of notifying the user that the password needs to be changed.
- When handling WMNC_DIALOG_PREPROCESS messages, the plug-in thread
would only be notified of any changes to option if the user
confirmed the new credentials operation instead of cancelling it.
- Additional debug output for the DEBUG build.
- Reset the sync flag when reloading new credentials options for an
identity. Earlier, the flag was not being reset, which can result
in the new credentials dialog not obtaining credentials using the
new options.
- Handle the case where the new credentials dialog maybe closed during
the plug-in thread is processing a request.
- Fix a condition which would cause the Krb5 plug-in to clear the
custom prompts even if Krb5 was not the identity provider.
- Once a password is changed, use the new password to obtain new
credentials for the identity.
netidmgr.exe (1.1.4.0)
- Fix a redraw issue which left areas of the credentials window
unupdated if another window was dragged across it.
- Handle WM_PRINTCLIENT messages so that the NetIDMgr window will
support window animation and other features that require a valid
WM_PRINTCLIENT handler.
- During window repaints, NetIDMgr will no longer invoke the default
window procedure.
- Add support for properly activating and bringing the NetIDMgr window
to the foreground when necessary. If the window cannot be brought
to the foreground, it will flash the window to notify the user that
she needs to manually activate the NetIDMgr window.
- When a new credentials dialog is launched as a result of an external
application requesting credentials, if the NetIDMgr application is
not minimized, it will be brought to the foreground before the new
credentials dialog is brought to the foreground. Earlier, the new
credentials dialog may remain hidden behind other windows in some
circumstances.
- When displaying custom prompts for the new credentials dialog, align
the input controls on the right.
Tom Yu [Wed, 8 Nov 2006 23:43:23 +0000 (23:43 +0000)]
pull up r18764 from trunk
r18764@cathode-dark-space: jaltman | 2006-11-06 16:55:13 -0500
ticket: new
tags: pullup
subject: krb5_get_init_creds_password does not consistently prompt for password changing
krb5_get_init_creds_password() previously did not consistently
handle KRB5KDC_ERR_KEY_EXP errors. If there is a "master_kdc"
entry for the realm and the KDC is reachable, then the function
will prompt the user for a password change. Otherwise, it will
return the error code to the caller. If the caller is a ticket
manager, it will prompt the user for a password change with a
dialog that is different from the one generated by the prompter
function passed to krb5_get_init_creds_password.
With this change krb5_get_init_creds_password() will always
prompt the user if it would return KRB5KDC_ERR_KEY_EXP unless
the function is compiled with USE_LOGIN_LIBRARY. (KFM)
Tom Yu [Wed, 11 Oct 2006 19:43:21 +0000 (19:43 +0000)]
pull up r18670 from trunk
r18670@cathode-dark-space: jaltman | 2006-10-09 14:08:10 -0400
ticket: new
subject: final commits for KFW 3.1 Beta 2
tags: pullup
krb5cred.dll (1.1.2.0)
- Fix the control logic so that if the password is expired for an
identity, the krb5 credentials provider will initiate a change
password request. Once the password is successfully changed, the
new password will be used to obtain new credentials.
- Fix an incorrect condition which caused the new credentials dialog
to refresh custom prompts unnecessarily.
- Removing an identity from the list of NetIDMgr identities now causes
the corresponding principal to be removed from the LRU principals
list.
- Properly handle KMSG_CRED_PROCESS message when the user is
cancelling out.
- Add more debug output
- Do not renew Kerberos tickets which are not initial tickets.
- Fix whitespace in source code.
- When providing identity selection controls, disable the realm
selector when the user specifies the realm in the username control.
- k5_ident_valiate_name() will refuse principal names with empty or
unspecified realms.
- When updating identity properties, the identity provider will
correctly set the properties for identities that were destroyed.
This fixes a problem where the values may be incorrect if an
identity has two or more credential caches and one of them is
destroyed.
nidmgr32.dll (1.1.2.0)
- Send out a separate notification if the configuration information
associated with an identity is removed.
- If an identity is being removed from the NetIDMgr identity list in
the configuration panel, do not send out APPLY notifications to the
subpanels after the configuration information has been removed.
Otherwise this causes the configuration information to be reinstated
and prevent the identity from being removed.
- Properly initialize the new credentials blob including the UI
context structure.
netidmgr.exe (1.1.2.0)
- When suppressing error messages, make sure that the final
KMSG_CRED_END notification is sent. Otherwise the new credentials
acquisition operation will not be cleaned up.
- Autoinit option now checks to see if there are identity credentials
for the default identity and triggers the new credentials dialog if
there aren't any.
- Properly synchronize the configuration node list when applying
changes (e.g.: when removing or adding an identity).
- Fix a handle leak when removing an identity from the NetIDMgr
identity list.
- Refresh the properties for the active identities before calculating
the renewal and expiration timers. Otherwise the timestamps being
used might be incorrect.
- Add Identity dialog (in the configuration panel) now uses the
identity selection controls provided by the identity provider.
- Improve type safety when handling timer refreshes.
- When getting the expiration times and issue times for an identity,
the timer refresh code may fail over to the expiration and issue
times for the credential it is currently looking at. Now the code
makes sure that both the issue and expiration times come from the
identity or the credential but not mixed.
- Not being able to get the time of issue of a credential now does not
result in the credential being skipped from the timer refresh pass.
However, not having a time of issue will result in the half-life
algorithm not being applied for the renew timer.
- Fix a bug which caused a credential to be abandoned from the timer
refresh pass if the reamining lifetime of the credential is less
than the renewal threshold.
- Fix a bug where the vertical scroll bars for the hypertext window
would not appear when the contents of the window changed.
- Trigger a refresh of the configuration nodes when adding or removing
an identity.
source for (1.1.2.0)
- Explicitly include <prsht.h> so that the SDK can be used in build
environments that define WIN32_LEAN_AND_MEAN.
Tom Yu [Mon, 25 Sep 2006 23:09:50 +0000 (23:09 +0000)]
pull up r18561 from trunk
r18561@cathode-dark-space: jaltman | 2006-09-05 14:47:29 -0400
ticket: new
subject: windows ccache and keytab file paths without a prefix
ktbase.c, ccbase.c: When a file path is specified without
the prefix we must infer the use of the "FILE" prefix.
However, we were setting the prefix including the colon
separator when the separator should have been ignored.
Tom Yu [Mon, 25 Sep 2006 22:14:02 +0000 (22:14 +0000)]
pull up r18604 from trunk
r18604@cathode-dark-space: jaltman | 2006-09-21 17:49:41 -0400
ticket: new
subject: KFW 3.1 Beta 2 NetIDMgr Changes
component: windows
tags: pullup
source for (1.1.0.1)
- Updated documentation with additional information and fixed errors.
nidmgr32.dll (1.1.0.1)
- Fixed a deadlock in the configuration provider that may cause
NetIDMgr to deadlock on load.
- Prevent the configuration provider handle list from getting
corrupted in the event of a plug-in freeing a handle twice.
- Add more parameter validation for the configuration provider.
- If a plug-in is only partially registered (only some of the entries
were set in the registry), the completion of the registration didn't
complete successfully, leaving the plug-in in an unusable state.
This has been fixed. Plug-ins will now successfully complete
registration once they are loaded for the first time, assuming the
correct resources are present in the module.
- Fixed notifications for setting a default identity. Notifications
were not being properly sent out resulting in the credentials window
not being updated when the default identity changed.
- Changes to the API for type safety.
- Handling of binary data fields was changed to support validation and
comparison.
- Data types that do not support KCDB_CBSIZE_AUTO now check for and
report an error if it is specified.
- Password fields in the new credentials dialog will trim leading and
trailing whitespace before using a user-entered value.
- Change password action will no longer be disabled if no identity is
selected. An identity selection control is present in the dialog
making this restriction unnecessary.
- When renewing credentials, error messages will be suppressed if the
renewal was for an identity and the identity does not have any
identity credentials associated with it.
- Error messages that are related to credentials acquisition or
password changes will now display the name of the identity that the
error applies to.
- Automatic renewals now renews all identities that have credentials
associated with them instead of just the default identity.
- Fixed a bug where error messages did not have a default button which
can be invoked with the return key or the space bar.
- The new credentials window will force itself to the top. This can
be disabled via a registry setting, but is on by default.
- Fixed the sort order in the new credentials tabs to respect sort
hints provided by plug-ins.
- If a new credentials operation fails, the password fields will be
cleared.
- Once a new credentials operation starts, the controls for specifying
the identity and password and any other custom prompts will be
disabled until the operation completes.
- Notifications during the new credentials operation now supply a
handle to the proper data structures as documented.
- Hyperlinks in the new credentials dialog now support markup that
will prevent the dialog from switching to the credentials type panel
when the link is activated.
- If there are too many buttons added by plug-ins in the new
credentials dialog, they will be resized to accomodate all of them.
- The options button in the new credentials dialog will be disabled
while a new credentials operation is in progress.
- The 'about' dialog retains the original copyright strings included
in the resource.
- Multiple modal dialogs are now supported. Only the topmost one will
be active. Once it is closed, the other dialogs will gain focus in
turn. This allows for error messages to be displayed from other
modal dialogs.
- The hypertext window supports italics.
krb4cred.dll (1.1.0.1)
- Fixed a bug where the plug-in would attempt to free a handle twice.
- Fixed a handle leak.
- Changed the facility name used for event reporting to match the
credentials type name.
krb5cred.dll (1.1.0.1)
- Fixed handling of expired passwords. If the password for an
identity is found to have expired at the time a new credentials
acquisition is in progress, the user will be given an opportunity to
change the password. If this is successful, the new credentials
operation will continue with the new password.
- Prevent the new credentials dialog from switching to the Kerberos 5
credentials panel during a password change.
- Prompts that were cached indefinitely will now have a limited
lifetime. Prompt caches that were created using prior versions of
the plug-in will automatically expire.
- Multistrings in the resource files were converted to CSV to protect
them against a bug in Visual Studio 2005 which corrupted
multistrings.
- Added handling of and reporting WinSock errors that are returned
from the Kerberos 5 libraries.
- Fixed uninitialized variables.
- The username and realm that is entered when selecting an identity
will be trimmed of leading and trailing whitespace.
- Changed the facility name used for event reporting to match the
credentials type name.
Tom Yu [Mon, 25 Sep 2006 21:06:43 +0000 (21:06 +0000)]
pull up r18600 from trunk
r18600@cathode-dark-space: jaltman | 2006-09-20 22:43:12 -0400
ticket: new
subject: windows thread support frees thread local storage after TlsSetValue
tags: pullup
threads.c: The return value of TlsSetValue is non-zero on
success. As a result of misinterpreting the
return value, the memory set in TLS is then freed.
A subsequent call to TlsGetValue returns the
invalid pointer.
Tom Yu [Tue, 22 Aug 2006 21:45:17 +0000 (21:45 +0000)]
pull up r18464 from trunk
r18464@cathode-dark-space: jaltman | 2006-08-16 21:21:00 -0400
ticket: new
subject: NetIDMgr Credential Provider Sample Code and Documentation
tags: pullup
This commit provides a template for a Network Identity Manager
Credential Provider. It doesn't provide any real functionality
but it does provide all of the functions that need to be specified
and filled in as part of the process of producing a NetIdMgr plug-in.
This code should be pulled up to 1.4.x for inclusion in the KFW 3.1
SDK as well as to 1.5.x.
* src/clients/ksu/main.c (sweep_up): Don't check return value of
krb5_seteuid(0), as it is not harmful for it to fail, and it will
fail after setuid(target_user). Correct error message.
Tom Yu [Mon, 24 Jul 2006 23:40:28 +0000 (23:40 +0000)]
pull up r18379 from trunk in order to get correct commit log
r18379@cathode-dark-space: jaltman | 2006-07-24 02:58:23 -0400
ticket: new
subject: Windows Integrated Login Fixes for KFW 3.1
tags: pullup
component: windows
KFW integrated login was failing when the user is
not a power user or administrator. This was occurring
because the temporary file ccache was being created in
a directory the user could not read. While fixing this
it was noticed that the ACLs on the ccache were too broad.
Instead of applying a fix to the FILE: krb5_ccache
implementation it was decided that simply applying a new
set of ACLs (SYSTEM and "user" with no inheritance) to
the file immediately after the krb5_cc_initialize() call
would close the broadest security issues.
The file is initially created in the SYSTEM %TEMP% directory
with "SYSTEM" ACL only. Then it is moved to the user's %TEMP%
directory with "SYSTEM" and "user" ACLs. Finally, after
copying the credentials to the API: ccache, the file is deleted.
Tom Yu [Sat, 22 Jul 2006 00:58:33 +0000 (00:58 +0000)]
pull up r18243 from trunk
r18243@cathode-dark-space: tlyu | 2006-06-27 18:01:22 -0400
ticket: new
tags: pullup
target_version: 1.5
subject: mkrel should only generate doc/CHANGES for checkouts
* src/util/mkrel: Only write doc/CHANGES if doing a checkout.
This makes nightly snapshots saner.
This commit corrects errors in the Wix installer script
files that violate the Wix schema but which were not
caught by earlier releases of the Wix 2.0 installer.
cc_mslsa.c: The WOW64 environment on 64-bit versions of
Windows prior to Vista Beta 2 did not implement the Lsa
functions used by the MSLSA: ccache. This patch disables
the MSLSA: ccache in broken WOW64 environments by checking
the Windows version and the existence and response of the
IsWow64Process API.
Tom Yu [Fri, 21 Jul 2006 23:35:31 +0000 (23:35 +0000)]
pull up r18163 from trunk
r18163@cathode-dark-space: jaltman | 2006-06-19 13:33:36 -0400
ticket: new
subject: Export krb5_gss_register_acceptor_identity in KFW
krb5_gss_register_acceptor_identity is a gss krb5 extension that is
part of the public ABI. It does not have a gss_krb5_* name due to
historical reasons. Instead there is a gss_krb5_register_acceptor_identity
macro that uses this export.
Tom Yu [Fri, 21 Jul 2006 23:24:08 +0000 (23:24 +0000)]
pull up r17735 from trunk
r17735@cathode-dark-space: jaltman | 2006-03-13 12:02:13 -0500
ticket: new
add new file windows/winlevel.h and update windows/version.rc
to allow for a configurable KRB5_BUILDLEVEL. This will be used
to distinguish binary files from the same version 1.4.3 but
different releases (alpha-1, alpha-2, beta-1, beta-2, final)
* add scrollbars to option tree pane in configuration dialog
* convert to using Microsoft's safe string library both to ensure
safe string manipulation and to avoid deprecation warnings
* disable deprecation warnings for Platform SDK header shlwapi.h
which cannot otherwise be compiled
* add kerberos 5 kvno property to tickets. display in properties
dialog and main window if column selected by user
* improve manifest handling in order to support both manifests
generated by the compiler and those hand crafted in order to
specify the correct versions of the custom control libraries.
* update khimaira message types and credential acquisition
documentation
Tom Yu [Fri, 21 Jul 2006 23:09:49 +0000 (23:09 +0000)]
pull up r17907 from trunk
r17907@cathode-dark-space: jaltman | 2006-04-13 22:48:45 -0400
ticket: 3542
status: open
identity/plugins/common/dynimport.c:
During the interop session we concluded that the ccapi32.dll should
not be required for netidmgr to operate. netidmgr should work with
only FILE: ccaches. After the interop the removal of the error
check post-load was not removed.
identity/doc/Makefile:
The 'clean' rules failed to specify the /Q switch which silently
removes the directory tree. As a result, during the build the
user was prompted.
Tom Yu [Fri, 21 Jul 2006 23:09:38 +0000 (23:09 +0000)]
pull up r17832 from trunk
r17832@cathode-dark-space: jaltman | 2006-04-01 23:28:26 -0500
ticket: new
Results from Kerberos Interop session:
- 64-bit Windows compatibility
- correct uninitialized variables
- work without kerberos 4 libraries including krb524
- add a mechanism to add and remove identities from
the options dialog. This allows a configuration
to be specified using a separate file based ccache
for each identity
- work without availability of ccapi
- force a renew of credentials on startup to support
the case when MSLSA is the only credential cache
Tom Yu [Fri, 21 Jul 2006 23:09:00 +0000 (23:09 +0000)]
pull up r17752 from trunk
r17752@cathode-dark-space: jaltman | 2006-03-20 18:23:33 -0500
ticket: new
This commit updates:
+ the HTMLHelp formatted documentation
+ the build system to produce separate binaries for Windows 2000
and Windows XP and beyond. Separate binaries are required
because we make heavy use of some of the UI features found in
XP that don't exist in 2000. If we build only for XP then the
binaries won't run on 2000 and if we build for 2000, then the
functionality we desire for balloon text and the tracker
windows does not work properly on XP or above. (Note for Vista
we will need to build three sets of binaries if we want to take
advantage of the new functionality that is available only there.)
+ Add more debugging to the krb4 plug-in and ensure that all
checkboxes are initialized.
+ remove plugins/krb5/krb5util.c which is an unused file
+ Use mixed case for Alt, Ctrl and Shift text designators
+ Increment the build number to 1.1.0.1
+ Plug a memory leak when dialogs are closed
+ Add a new Options->Appearance configuration page that can be
used to allow user customized font selection. This page will
also be used for custom color selection in a future release.
projects / thirdparty / krb5.git / log
