Will Fiveash [Mon, 4 Dec 2006 21:47:50 +0000 (21:47 +0000)]
fix for kdb5_util load bug with dumps from a LDAP KDB
I found a bug when I did a "kdb5_util load -update ldap-dump" where
ldap-dump was a dump done from a LDAP based KDB. The issue is that this
sort of dump contains principal_dn data which is not the case for a db2
KDB dump.
Kevin Coffman [Fri, 1 Dec 2006 19:18:26 +0000 (19:18 +0000)]
Return edata from non-"PA_REQUIRED" preauth types
* src/kdc/kdc_preauth.c (check_padata)
Return e-data from any failing preauth module.
Save the e-data and return value from the first failing module.
If a subsequent module marked as PA_REQUIRED fails, return
its e-data and error instead.
* src/kdc/kdc_preauth.c (load_preauth_plugins)
Quiet compiler warning by setting pointer to NULL.
ticket: new
Target_Version: 1.6
tags: pullup
Component: krb5-kdc
Tom Yu [Fri, 1 Dec 2006 17:09:42 +0000 (17:09 +0000)]
* src/kadmin/dbutil/dump.c (load_db): Open the dumpfile as
read-only; we only get a shared lock, so no reason to open for
writing for the sake of getting a lock.
Tom Yu [Thu, 30 Nov 2006 20:50:02 +0000 (20:50 +0000)]
* src/lib/krb5/krb/gc_via_tkt.c (check_reply_server): New function
to check server principal in reply. Ensures that the reply is
self-consistent, allows rewrites if canonicalization is requested,
and allows limited rewrites of TGS principals if canonicalization
is not requested.
(krb5_get_cred_via_tkt): Move server principal checks into
check_reply_server().
Tom Yu [Thu, 30 Nov 2006 20:46:32 +0000 (20:46 +0000)]
* src/lib/krb5/krb/gc_frm_kdc.c: Also do style cleanup.
(krb5_get_cred_from_kdc_opt): If server principal was rewritten,
fall back unless it was rewritten to a TGS principal. This fixes
a bug when a MS AD rewrites the service principal into a
single-component NETBIOS-style name. If we get a referral back to
the immediately preceding realm, fall back to non-referral
handling. This fixes the changepw failure. To prevent memory
leaks, when falling back to non-referral handling, free any tgts
previously obtained by the initial non-referral do_traversal()
call.
Kevin Coffman [Wed, 29 Nov 2006 00:17:52 +0000 (00:17 +0000)]
skip all modules in plugin if init function fails
If the plugin initialization function fails, skip all modules in
the plugin, not just the first. Also, print the error message from
the plugin if supplied.
ticket: new
Target_Version: 1.6
Tags: pullup
Component: krb5-kdc
Jeffrey Altman [Wed, 22 Nov 2006 18:11:16 +0000 (18:11 +0000)]
KFW 3.1 commits for Final Release
KfW 3.1 final (NetIDMgr 1.1.8.0)
nidmgr32.dll (1.1.8.0)
- When detecting IP address changes, wait for things to settle down
before setting of the IP address change notification.
krb5cred.dll (1.1.8.0)
- Fixed the Kerberos 5 configuration dialog which didn't handle
setting the default realm properly. Setting the default realm now
sets the correct string in krb5.ini.
- Changing the default realm now marks the relevant configuration node
as dirty, and enabled the 'Apply' button.
- Changing the 'renewable', 'forwardable' and 'addressless' checkboxes
in the identity configuration panels now mark the relevant
configuration nodes as dirty, and enables the 'Apply' button.
- The location of the Kerberos 5 configuration file is now read-only
in the Kerberos 5 configuration dialog.
- Set the maximum number of characters for the edit controls in the
configuration dialog.
krb4cred.dll (1.1.8.0)
- The location of the Kerberos 4 configuration files are now read-only
in the Kerberos 4 configuration dialog.
- Handles setting the ticket string.
- Changing the ticket string now marks the relevant configuration node
as dirty, and enables the 'Apply' button.
- Fixed the plug-in initialization code to perform the initial ticket
listing at the end of the initializaton process.
Kevin Coffman [Tue, 21 Nov 2006 14:37:11 +0000 (14:37 +0000)]
free error message when freeing context
Call krb5_clear_error_message() to free any allocated error message
before freeing the context.
The condition that triggered this was a plugin library which fails to
load because of unresolved references. It appears dlopen() on Linux
leaks four bytes for each failing library in this situation.
Tom Yu [Sat, 18 Nov 2006 01:53:27 +0000 (01:53 +0000)]
* src/lib/krb5/ccache/ccbase.c (krb5int_cc_getops): Internal
function to fetch ops vector given ccache prefix string.
(krb5_cc_new_unique): New function to generate a new unique
ccache of a given type.
* src/include/krb5/krb5.hin: Prototype for krb5_cc_new_unique().
Jeffrey Altman [Fri, 17 Nov 2006 23:14:27 +0000 (23:14 +0000)]
reset use_master flag when master_kdc cannot be found
krb5_get_init_creds_password:
if the master_kdc cannot be identified reset the use_master
flag. otherwise, the krb5_get_init_creds("kadmin/changepw")
call will attempt to communicate with the master_kdc that
cannot be reached.
Jeffrey Altman [Fri, 17 Nov 2006 17:23:24 +0000 (17:23 +0000)]
commits for KFW 3.1 Beta 4
KfW 3.1 beta 4 (NetIDMgr 1.1.6.0)
nidmgr32.dll (1.1.6.0)
- Fix a race condition where the initialization process might be
flagged as complete even if the identity provider hasn't finished
initialization yet.
krb5cred.dll (1.1.6.0)
- When assigning the default credentials cache for each identity,
favor API and FILE caches over MSLSA if they exist.
- When renewing an identity which was the result of importing
credentials from the MSLSA cache, attempt to re-import the
credentials from MSLSA instead of renewing the imported credentials.
- Prevent possible crash if a Kerberos 5 context could not be obtained
during the renewal operation.
- Prevent memory leak in the credentials destroy handler due to the
failure to free a Kerberos 5 context.
- Properly match principals and realms when importing credentials from
the MSLSA cache.
- Determine the correct credentials cache to place imported
credentials in by checking the configuration for preferred cache
name.
- Keep track of identities where credentials imports have occurred.
- When setting the default identity, ignore the KRB5CCNAME environment
variable.
- Do not re-compute the credentials cache and timestamps when updating
an identity. The cache and timestamp information is computed when
listing credentials and do not change between listing and identity
update.
- When refreshing the default identity, also handle the case where the
default credentials cache does not contain a principal, but the name
of the cache can be used to infer the principal name.
- Invoke a listing of credentials after a successful import.
- Do not free a Kerberos 5 context prematurely during plug-in
initialization.
netidmgr.exe (1.1.6.0)
- Fix the UI context logic to handle layouts which aren't based around
identities.
- Don't try to show a property sheet when there are no property pages
supplied for the corresponding UI context.
- Use consistent context menus.
- Bring a modal dialog box to the foreground when it should be active.
- Do not accept action triggers when the application is not ready to
process actions yet.
- Do not force the new credentials dialog to the top if there's
already a modal dialog box showing.
- Change the default per-identity layout to also group by location.
Ken Raeburn [Thu, 16 Nov 2006 01:20:47 +0000 (01:20 +0000)]
* rd_req_dec.c: Whitespace changes in function headers.
(krb5_rd_req_decoded_opt): Include more info in error text for AP_WRONG_PRINC
and NOPERM_ETYPE errors.
Ken Raeburn [Thu, 16 Nov 2006 01:14:14 +0000 (01:14 +0000)]
avoid double frees in ccache manipulation around gen_new
* krb5/krb/vfy_increds.c (krb5_verify_init_creds): If krb5_cc_gen_new fails,
don't both close and destroy the template ccache.
* gssapi/krb5/accept_sec_context.c (rd_and_store_for_creds): Likewise.
Ken Raeburn [Thu, 16 Nov 2006 00:51:21 +0000 (00:51 +0000)]
fix some warnings in ldap code
* libkdb_ldap/ldap_realm.c (ignore_duplicates, compare): Unused functions deleted.
(krb5_ldap_modify_realm, krb5_ldap_read_realm_params): Conditionalize declarations of
automatic variables that are only used for eDirectory.
* libkdb_ldap/ldap_service_stash.c (tohex): Use one sprintf call instead of two.
(dec_password): Use an unsigned type to fetch values with %x.
* libkdb_ldap/ldap_realm.h (ldap_filter_correct): Declare.
* libkdb_dlap/ldap_misc.c (my_strndup): Only define if HAVE_LDAP_STR2DN.
(populate_krb5_db_entry): Remove unused automatic variable.
* ldap_util/kdb5_ldap_util.c (cmd_table): Fix typo in preprocessing conditional.
* ldap_util/kdb5_ldap_realm.c (get_ticket_policy): Declarations first, then code.
* ldap_util/kdb5_ldap_services.c (kdb5_ldap_stash_service_password): On error, increment
exit_status; don't return a value.
* ldap_util/kdb5_ldap_services.h (kdb5_ldap_stash_service_password): Update decl.
Ken Raeburn [Wed, 15 Nov 2006 23:56:02 +0000 (23:56 +0000)]
LDAP patch from Novell, 2006-10-13
Patch from 13 November from Savitha R:
> Fix for delpol deleting ticket policies
> Removed references to old schema
> Moved some unused code under #ifdef HAVE_EDIRECTORY
Kevin Coffman [Mon, 13 Nov 2006 22:59:55 +0000 (22:59 +0000)]
allow server preauth plugin verify_padata function to return e-data
Change server-side preauth plugin interface to allow the plugin's
verify_padata function to return e-data to be returned to the client.
(Patch from Nalin Dahyabhai <nalin@redhat.com>)
Update sample plugins to return e-data to exercise the code.
Fix memory leak in the wpse plugin.
ticket: new
Component: krb5-kdc
Target_Version: 1.6
Tags: pullup
Russ Allbery [Thu, 9 Nov 2006 23:29:26 +0000 (23:29 +0000)]
Delay kadmind random number initialization until after fork
Target_Version 1.6
Tags: pullup
Delay initialization of the random number generator in kadmind until
after the fork and backgrounding of the process. Otherwise, a lack of
sufficient entropy during the system boot process will delay system
boot on systems that run each init script in series and that start
kadmind via an init script.
ticket: new
Component: krb5-admin
Version_Reported: 1.4.4
Jeffrey Altman [Wed, 8 Nov 2006 09:58:49 +0000 (09:58 +0000)]
commits for KFW 3.1 Beta 3
KfW 3.1 beta 3 (NetIDMgr 1.1.4.0)
source for 1.1.4.0
- Eliminate unused commented out code.
nidmgr32.dll (1.1.4.0)
- The configuration provider was incorrectly handling the case where a
configuration value also specifies a configuration path, resulting
in the configuration value not being found. Fixed.
- Fix a race condition when refreshing identities where removing an
identity during a refresh cycle may a crash.
- Fix a bug which would cause an assertion to fail if an item was
removed from one of the system defined menus.
- When creating an indirect UI context, khui_context_create() will
correctly fill up a credential set using the selected credentials.
krb5cred.dll (1.1.4.0)
- Fix a race condition during new credentials acquisition which may
cause the Krb5 plug-in to abandon a call to
krb5_get_init_creds_password() and make another call unnecessarily.
- If krb5_get_init_creds_password() KRB5KDC_ERR_KEY_EXP, the new
credentials dialog will automatically prompt for a password change
instead of notifying the user that the password needs to be changed.
- When handling WMNC_DIALOG_PREPROCESS messages, the plug-in thread
would only be notified of any changes to option if the user
confirmed the new credentials operation instead of cancelling it.
- Additional debug output for the DEBUG build.
- Reset the sync flag when reloading new credentials options for an
identity. Earlier, the flag was not being reset, which can result
in the new credentials dialog not obtaining credentials using the
new options.
- Handle the case where the new credentials dialog maybe closed during
the plug-in thread is processing a request.
- Fix a condition which would cause the Krb5 plug-in to clear the
custom prompts even if Krb5 was not the identity provider.
- Once a password is changed, use the new password to obtain new
credentials for the identity.
netidmgr.exe (1.1.4.0)
- Fix a redraw issue which left areas of the credentials window
unupdated if another window was dragged across it.
- Handle WM_PRINTCLIENT messages so that the NetIDMgr window will
support window animation and other features that require a valid
WM_PRINTCLIENT handler.
- During window repaints, NetIDMgr will no longer invoke the default
window procedure.
- Add support for properly activating and bringing the NetIDMgr window
to the foreground when necessary. If the window cannot be brought
to the foreground, it will flash the window to notify the user that
she needs to manually activate the NetIDMgr window.
- When a new credentials dialog is launched as a result of an external
application requesting credentials, if the NetIDMgr application is
not minimized, it will be brought to the foreground before the new
credentials dialog is brought to the foreground. Earlier, the new
credentials dialog may remain hidden behind other windows in some
circumstances.
- When displaying custom prompts for the new credentials dialog, align
the input controls on the right.
krb5.h not C++-safe due to "struct krb5_cccol_cursor"
Fixed definition of "struct krb5_cccol_cursor" in krb5.h to be C++ safe.
In C++ the struct name is also a type so there can't be a typedef of the same
name, in this case "typedef struct krb5_cccol_cursor *krb5_cccol_cursor;".
ticket: new
status: open
target_version: 1.6
tags: pullup
Jeffrey Altman [Mon, 6 Nov 2006 21:55:13 +0000 (21:55 +0000)]
krb5_get_init_creds_password does not consistently prompt for password changing
krb5_get_init_creds_password() previously did not consistently
handle KRB5KDC_ERR_KEY_EXP errors. If there is a "master_kdc"
entry for the realm and the KDC is reachable, then the function
will prompt the user for a password change. Otherwise, it will
return the error code to the caller. If the caller is a ticket
manager, it will prompt the user for a password change with a
dialog that is different from the one generated by the prompter
function passed to krb5_get_init_creds_password.
With this change krb5_get_init_creds_password() will always
prompt the user if it would return KRB5KDC_ERR_KEY_EXP unless
the function is compiled with USE_LOGIN_LIBRARY. (KFM)
Kevin Coffman [Wed, 1 Nov 2006 22:40:30 +0000 (22:40 +0000)]
Modify the preath plugin interface so that a plugin's context is
global to all the modules within a plugin. Also, change the
client-side interface so that the preauth plugin context (once
created) lives the lifetime of a krb5_context. This will allow
future changes that can set plugin parameters. The client side
request context lives the lifetime of a call to krb5_get_init_creds().
Make the sample preauth plugins buildable outside the source tree.
Fix minor memory leak in sort_krb5_padata_sequence().
Add a prototype for krb5_do_preauth_tryagain() and change the plugin
interface.
Incorporates fixes from Nalin Dahyabhai <nalin@redhat.com> for leaks
of the function table pointers (rt #4566) and fix KDC crash (rt #4567)
Will Fiveash [Mon, 30 Oct 2006 20:56:57 +0000 (20:56 +0000)]
latest Novell ldap patches and kdb5_util dump support for ldap
I've applied Novell's latest patches for their LDAP KDB plugin. I've
also implemented and tested support for kdb5_util dump using the LDAP
KDB plugin. I also added a Sun copyright on files that I've modified.
Ken Raeburn [Sat, 28 Oct 2006 03:06:30 +0000 (03:06 +0000)]
don't confuse profile iterator in 425 princ conversion
The profile iterator code hangs onto and uses the list of names passed
in. The krb5_425_conv_principal code reuses that array when the
iterator may still be used.
* conv_princ.c (krb5_425_conv_principal): Use separate name arrays for
the iterator and the v4_realm lookup that may be done inside the
iteration loop.
Will Fiveash [Mon, 23 Oct 2006 21:36:46 +0000 (21:36 +0000)]
fix krb5_ldap_iterate to handle NULL match_expr and open_db_and_mkey to use KRB5_KDB_SRV_TYPE_ADMIN
When I ran kdb5_util dump I had two initial problems. First, the LDAP
plugin was not finding the bind DN because open_db_and_mkey() was
passing KRB5_KDB_SRV_TYPE_OTHER to krb5_db_open(). When I change this
to KRB5_KDB_SRV_TYPE_ADMIN then the ldap_kadmind_dn parameter is used
from krb5.conf and a valid bind DN is found. Second,
krb5_ldap_iterate() will core dump when it is called withy a NULL
match_expr arg. This is how dump_db calls krb5_db_iterate(). I updated
krb5_ldap_iterate() to use a default_match_expr of "*" if match_expr ==
NULL.
Kevin Coffman [Mon, 23 Oct 2006 16:15:50 +0000 (16:15 +0000)]
fix invalid access found by valgrind
Valgrind found that we were reading past the end of the
preferred padata string. p is manually updated within
the loop and there is no need for the increment. It was
causing the null terminator to be skipped over, rather
than properly terminating the loop.
Ezra Peisach [Sun, 22 Oct 2006 11:59:02 +0000 (11:59 +0000)]
osf1 -oldstyle_liblookup typo
Not really relevant anymore - as we do not support static linking now.
But in ticket 927 (r16776) - a test was added to determine if gnu ld
was in use and change the linker flags accordingly. The variable in
aclocal.m4 was krb5_cv_prog_gnu_ld and this was testing for
krb5_cv_gnu_ld.
Sam Hartman [Sat, 21 Oct 2006 20:20:30 +0000 (20:20 +0000)]
Delete src/lib/ccapi.
The ccapi shipped in 1.6 will not be based off this code
and will live in src/ccapi.
It will be copied onto the trunk and branch when ready, but this code is being removed before the branch cut.
Will Fiveash [Sat, 21 Oct 2006 00:33:24 +0000 (00:33 +0000)]
enabling LDAP mix-in support for kdb5_util load
I now have mix-in working for the kdb5_util load. If the krbSubTrees
realm attr contains a base DN where non-krb entries live the
load/krb5_ldap_put_principal() code will modify those entries whose
krbPrincipalName attr matches that of the dump princ record being loaded
otherwise a standalone krbprinc entry will be created under the realm
container.
I also fixed a small bug in krb5_ldap_policydn_to_name() for the version
that uses ldap_explode_dn().
projects / thirdparty / krb5.git / log
