Add --no-automatic-renewal option to disable automatic TGT renewal.
Renewal can also be disabled by setting automatic_renewal to false
in the [kcm] section of krb5.conf.
Both MIT and Heimdal are unable to, in krb5_cc_default(), call to KCM
(or CCAPI, or LSA, or...) to get the user's default ccache name in their
collection. Instead, the default ccache name is obtained in a static
way, and for KCM that's "%{UID}". When we krb5_cc_switch(), we simply
maintain a pointer to the name of the ccache that was made the default,
but klist can't make use of this because krb5_cc_default() can't.
The solution here is to first try resolving the ccache name given by the
client, and if that fails but the name happens to be what would be the
library's default KCM ccache name for that user, then try resolving it
through the default ccache name pointer saved at switch time.
'uuid' is seen as an 'unsigned char*', thus '*uuid' is an 'unsigned char' where size is 1.
This solves a problem where two KCM ccaches's uuid have the same first byte hides each other.
What we observe:
* A user cannot discover tickets with (klist -l) but can access it with it's name
* The 'rpc.gssd' daemon is doing the same kind of pattern but using GSS calls (gss_acquire_cred)
Whet GDB told us:
* The 'kcm_ccache_get_uuids' is okay, all ccache are really present
* The 'kcm_ccache_resolve_by_uuid' is buggy, it only compare the first byte of each uuid.
Which may be the same as the one we're seeking. Selected ccache that will be, most probably, filtered-out afterward with a call to 'kcm_access'.
This leads to 'KRB5_FCC_NOFILE' errors while the uuid is correct.
Similar calls may be present.
This reverts commit 936017e4d6,
Samba is starting to protect against bi-di attacks and the starting point
is to require that input files be fully UTF-8. In 2021 this is a reasonable
starting point anyway.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
- Formalize the TYPE:collection_name:subsidiary_name naming scheme for
ccaches in ccache collections
- KEYRING: ccaches are weird because they have one more optional field: the
"anchor", so rather than just assume a naming convention everywhere, we
add new functions as well
- Add krb5_cc_{resolve,default}_sub() that allows one to specify a
"subsidiary" ccache name in a collection separately from the
collection name
- Add krb5_cc_{resolve,default}_for() which take a principal name,
unparse it, and use it as the subsidiary ccache name (with colons
replaced)
- Make kinit use the new interfaces
- Add missing DIR ccache iteration functionality
- Revamps test_cc
- Add krb5_cc_get_collection() and krb5_cc_get_subsidiary()
- Bump the ccops SPI version number
- Add gss_store_cred_into2()
- Make MEMORY:anonymous not linked into the global MEMORY ccache
collection, and uses this for delegated cred handles
TBD:
- Split this up into a krb5 change and gss mech_krb5 change?
- Add krb5_cc_init_and_store() utility, per Greg's suggestion?
In KCM, when allocating new kcm_ccache struct, there is missing inicialization
of kdc_offset. It is getting random values in my case and stored tickets are
unusable, last time I got this value to "klist -v": KDC time offset: 61 years
11 months 2 weeks 3 days 5 hours 28 minutes 32 seconds This commit seems to
correct it.
Instead of imposing a default 10 hour ticket lifetime and 1 month renew
lifetime when requesting tickets, increase the default lifetime and
renew lifetime to 2147483647 seconds. This ensures that in the absence
of any other configuration or command line parameters that the KDC will
determine the ticket lifetime and renew lifetime.
Change-Id: I52b6eeac1ee830a9bf4d0130e8f4ec7b70bc8694
Signed-off-by: Nicolas Williams <nico@twosigma.com>
This adds a new backend for libhcrypto: the OpenSSL backend.
Now libhcrypto has these backends:
- hcrypto itself (i.e., the algorithms coded in lib/hcrypto)
- Common Crypto (OS X)
- PKCS#11 (specifically for Solaris, but not Solaris-specific)
- Windows CNG (Windows)
- OpenSSL (generic)
The ./configure --with-openssl=... option no longer disables the use of
hcrypto. Instead it enables the use of OpenSSL as a (and the default)
backend in libhcrypto. The libhcrypto framework is now always used.
OpenSSL should no longer be used directly within Heimdal, except in the
OpenSSL hcrypto backend itself, and files where elliptic curve (EC)
crypto is needed.
Because libhcrypto's EC support is incomplete, we can only use OpenSSL
for EC. Currently that means separating all EC-using code so that it
does not use hcrypto, thus the libhx509/hxtool and PKINIT EC code has
been moved out of the files it used to be in.
Tests that start daemons have to "wait" for them to start.
This commit makes Heimdal daemons prep to detach (when requested) by
forking early, then having the child signal readiness to the parent when
the child really is ready. The parent exits only which the child is
ready. This means that tests will no longer need to wait for daemons.
However, tests will still need a pidfile or such so they can stop the
daemons.
Note that the --detach options should not be used on OS X from launchd,
only from tests.
To stop the errors when building concurrently, we make a number of
changes:
1. stop including generated files in *_SOURCES,
2. make *-protos.h and *-private.h depend on the *_SOURCES,
3. make all objects depend on *-{protos,private}.h,
4. in a few places change dir/header.h to $(srcdir)/dir/header.h,
This appears to work for me with make -j16 on a 4-way box.
We turn on a few extra warnings and fix the fallout that occurs
when building with --enable-developer. Note that we get different
warnings on different machines and so this will be a work in
progress. So far, we have built on NetBSD/amd64 5.99.64 (which
uses gcc 4.5.3) and Ubuntu 10.04.3 LTS (which uses gcc 4.4.3).
Notably, we fixed
1. a lot of missing structure initialisers,
2. unchecked return values for functions that glibc
marks as __attribute__((warn-unused-result)),
3. made minor modifications to slc and asn1_compile
which can generate code which generates warnings,
and
4. a few stragglers here and there.
We turned off the extended warnings for many programs in appl/ as
they are nearing the end of their useful lifetime, e.g. rsh, rcp,
popper, ftp and telnet.
Interestingly, glibc's strncmp() macro needed to be worked around
whereas the function calls did not.
We have not yet tried this on 32 bit platforms, so there will be
a few more warnings when we do.
