When the master sees a burst of updates (perhaps sustained), the
slaves' "I_HAVE" messages can fall behind the version we've already
sent, and the unpatched code would retransmit already sent diffs!
This can result in substantial amplification (in a local test, 3000
ops turned into 427,000 ops). Though the number of *messages* sent
was actually somewhat smaller, the ever growing message size
ultimately leads to failure.
chpass_principal_with_key_hook_cb added by 57c25d9828 must be
KRB5_LIB_CALL for 32-bit Windows builds.
Change-Id: Ifd61caeee76f9d048bb13f93e226b99ce7e8b75c
On 32-bit Windows Intel builds the __cdecl and __stdcall calling
conventions are different so labeling the functions that are
exported or assigned to function pointers matters.
Change-Id: I03b6f34baeb9ffb2e683fd979f12f27a5078a4da
Add a hook for changing a password with a key. This hook should be consolidated
into one shared with randkey and setkey, but for now I have continued to have
the hooks follow the kadm5 APIs themselves in both signature and quantity.
(This means the randkey one isn't actually very useful because it doesn't
provide the hook with the keys.)
Refactor plugin framework to use a single list of loaded plugins; add a new
plugin API where DSOs export a load function that can declare dependencies and
export multiple plugins; refactor kadm5 hook API to use krb5 plugin framework.
More information in krb5-plugin(7).
- Add --keepold/keepallold/pruneall options to various kadmin/ktutil
commands. Default behavior to "prune old keys".
- When setting keys for a service, we need to specify enctypes for it:
- Always use kadm5_randkey_principal_3() instead of the older
kadm5_randkey_principal().
- Add krb5_string_to_keysalts2(), like MIT's krb5_string_to_keysalts(),
but with a context, and simpler.
- Add --enctypes options to various kadmin/ktutil commands.
- Add [libdefaults] supported_enctypes param with enctype[:salttype]
list.
- Add [realms] realm supported_enctypes param with enctype[:salttype]
list.
Default to aes128-cts-hmac-sha1-96:normal.
Since c6bf100b password quality checks have been moved out of kadmind and into
libkadm5. This means that all password changes are subject to quality checks,
if enforce_on_admin_set is true (the default). In rare instances it could be
possible for realm initialization to fail because the randomly generated
passwords do not pass the password quality test. Fix this by creating
principals with no password or key, rather than with a random password.
Random *keys* continue to be set immediately after the principal is created,
and before DISALLOW_ALL_TIX is unset, so there should be no functionality or
security implications from this change. It is safe to call a server-side API
such as kadm5_s_create_principal_with_key() as local_flag is asserted to be
true.
Centralize logging for kadm5 hook failure, log successful hook loading, better
logging on hook load failures and on platforms that do not support dlopen().
Note that this has a slight behavior change to c89d3f3b in order to continue to
allow kadmin in local mode to bypass password quality checks. Password quality
checks are always bypassed if the *client* kadmin principal is kadmin/admin,
i.e. that of the kadmin service itself. This is the case when running kadmin in
local mode. As this is the equivalent of a superuser account, one would
anticipate that deployments would use specific administrator instances for
appropriate ACLs for day-to-day administration; operations by these will be
subject to password quality checks if enforce_on_admin_set is TRUE, or if the
user is changing their own password.
This change adds plugin support to the kadmin libraries for performing
actions before and after a password change is committed to the KDC database
and after a change is made to the attributes of a principal (specifically,
a change to DISALLOW_ALL_TIX).
This change adds a hook_libraries configuration option to the [kadmin]
section of krb5.conf (or kdc.conf if you use that file) that must be set
to load the module. That configuration option is in the form:
[kadmin]
hook_libraries = /usr/local/lib/krb5/plugins/kadm5_hook/krb5_sync.so
where the value is the full path to the plugin that you want to load. If
this option is not present, kadmind will not load a plugin and the changes
from the patch will be inactive. If this option is given and the plugin
cannot be loaded, kadmind startup will abort with a (hopefully useful)
error message in syslog.
Any plugin used with this patch must expose a public function named
kadm5_hook_init of type kadm5_hook_init_t that returns a kadm5_hook structure.
See sample_hook.c for an example of this initialization function.
typedef struct kadm5_hook {
    const char *name;
    uint32_t version;
    const char *vendor;
    void (KRB5_CALLCONV *fini)(krb5_context, void *data);
    krb5_error_code (KRB5_CALLCONV *chpass)(krb5_context context,
                                            void *data,
                                            enum kadm5_hook_stage stage,
                                            krb5_error_code code,
                                            krb5_const_principal princ,
                                            uint32_t flags,
                                            size_t n_ks_tuple,
                                            krb5_key_salt_tuple *ks_tuple,
                                            const char *password,
                                            char **error_msg);
    ...
};
where enum kadm5_hook_stage is:
enum kadm5_hook_stage {
    KADM5_HOOK_STAGE_PRECOMMIT,
    KADM5_HOOK_STAGE_POSTCOMMIT
};
init creates a hook context that is passed into all subsequent calls.
chpass is called for password changes, create is called for principal
creation (with the newly-created principal in the kadm5_principal_ent_t
argument), and modify is called when a principal is modified. The purpose of
the remaining functions should be self-explanatory.
returning 0 on success and a Kerberos error code on failure, setting the
Kerberos error message in the provided context. The error code passed in is
valid for post-commit hooks and contains the result of the update operation.
This change is submitted under the following license
Copyright 2012, 2013
The Board of Trustees of the Leland Stanford Junior University
Portions Copyright 2018 AuriStor Inc.
Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and
this notice are preserved. This file is offered as-is, without any
warranty.
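The pre-commit / post-commit contract described in the commit message above, as an added example that is not Heimdal's code or its sample_hook.c. The krb5/kadm5 types are replaced with minimal stand-ins, the chpass signature is reduced to the arguments the stage protocol needs (flags and key/salt tuples are dropped), and the KADM5_PASS_Q_TOOSHORT value, the 8-character policy, and the fake database are all hypothetical. It shows what a hook author needs to know: a nonzero return at KADM5_HOOK_STAGE_PRECOMMIT aborts the change before anything is written, and the code argument at KADM5_HOOK_STAGE_POSTCOMMIT carries the result of the update.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Heimdal code: stand-ins so this runs without libkrb5. */
typedef int krb5_error_code;
typedef struct { const char *last_error; } krb5_context_rec, *krb5_context;
typedef const char *krb5_const_principal;          /* stand-in: principal as text */

enum kadm5_hook_stage {
    KADM5_HOOK_STAGE_PRECOMMIT,
    KADM5_HOOK_STAGE_POSTCOMMIT
};

/* Reduced chpass signature: flags and key/salt tuples omitted for brevity. */
typedef struct kadm5_hook {
    const char *name;
    uint32_t version;
    const char *vendor;
    void (*fini)(krb5_context, void *data);
    krb5_error_code (*chpass)(krb5_context, void *data,
                              enum kadm5_hook_stage stage,
                              krb5_error_code code,       /* update result, post-commit only */
                              krb5_const_principal princ,
                              const char *password,
                              char **error_msg);
} kadm5_hook;

#define KADM5_PASS_Q_TOOSHORT 1001                 /* hypothetical error code */

struct sample_state {
    int precommit_calls, postcommit_calls;
    krb5_error_code last_result;                   /* code seen at post-commit */
};

/* Sample hook: veto short passwords before commit, record the result after. */
static krb5_error_code
sample_chpass(krb5_context ctx, void *data, enum kadm5_hook_stage stage,
              krb5_error_code code, krb5_const_principal princ,
              const char *password, char **error_msg)
{
    struct sample_state *st = data;
    (void)ctx; (void)princ;
    if (stage == KADM5_HOOK_STAGE_PRECOMMIT) {
        st->precommit_calls++;
        if (strlen(password) < 8) {                /* hypothetical policy */
            *error_msg = (char *)"password shorter than 8 characters";
            return KADM5_PASS_Q_TOOSHORT;          /* nonzero: abort the change */
        }
        return 0;
    }
    st->postcommit_calls++;
    st->last_result = code;
    return 0;
}

static const kadm5_hook sample_hook = { "sample", 1, "example", NULL, sample_chpass };

/* Stand-in for the KDC database record being updated. */
struct fake_db { char password[64]; int writes; };

/* Driver modelled on the commit message: run the pre-commit hook, abort on a
 * nonzero return, otherwise commit and hand the result code to post-commit. */
krb5_error_code
chpass_with_hook(krb5_context ctx, const kadm5_hook *hook, void *data,
                 struct fake_db *db, krb5_const_principal princ, const char *password)
{
    char *msg = NULL;
    krb5_error_code ret;

    ret = hook->chpass(ctx, data, KADM5_HOOK_STAGE_PRECOMMIT, 0, princ, password, &msg);
    if (ret) {
        ctx->last_error = msg;                     /* nothing was written */
        return ret;
    }
    if (strlen(password) >= sizeof db->password) {
        ret = 1002;                                /* hypothetical: write failed */
    } else {
        strcpy(db->password, password);
        db->writes++;
    }
    /* Post-commit always runs and receives the outcome of the write. */
    (void)hook->chpass(ctx, data, KADM5_HOOK_STAGE_POSTCOMMIT, ret, princ, password, &msg);
    return ret;
}

/* Scenarios returning 1 on the expected outcome, so they can be checked. */
int demo_short_password_vetoed(void)
{
    krb5_context_rec ctx = { NULL };
    struct sample_state st = { 0, 0, 0 };
    struct fake_db db = { { 0 }, 0 };
    krb5_error_code ret = chpass_with_hook(&ctx, &sample_hook, &st, &db,
                                           "alice@EXAMPLE.ORG", "short");
    return ret == KADM5_PASS_Q_TOOSHORT && db.writes == 0 &&
           st.precommit_calls == 1 && st.postcommit_calls == 0 && ctx.last_error != NULL;
}

int demo_good_password_committed(void)
{
    krb5_context_rec ctx = { NULL };
    struct sample_state st = { 0, 0, 0 };
    struct fake_db db = { { 0 }, 0 };
    krb5_error_code ret = chpass_with_hook(&ctx, &sample_hook, &st, &db,
                                           "alice@EXAMPLE.ORG", "correct horse battery");
    return ret == 0 && db.writes == 1 && st.postcommit_calls == 1 &&
           st.last_result == 0 && strcmp(db.password, "correct horse battery") == 0;
}
```

Note that in this driver a post-commit return value is deliberately ignored: the database write has already happened, so a post-commit hook can only observe and log the result, which is why the veto logic belongs in the pre-commit stage.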
Perform error checking for each function call and consistently return
errors at the point of failure.
Refactor functions to use a common exit path. Preserve error messages
stored in the kadm5_client_context.context when appropriate.
Change-Id: I7aa04020e4de3454066f0d88ba805fed999dbd1a
Doing an fsync per-record when receiving the complete HDB is a performance
disaster. Among other things, if the HDB is very large, then one slave
receiving a full HDB can cause other slaves to timeout and, if HDB write
activity is high enough to cause iprop log truncation, then they also need full
syncs, which leads to a cycle of full syncs for all slaves until HDB write
activity drops.
Allowing the iprop log to be larger helps, but improving receive_everything()
performance helps even more.
The change to the signature of hdb_generate_key_set_password() in
Heimdal 7.1 broke API/ABI compatibility with previous releases. We
fix this by renaming it hdb_generate_key_set_password_with_ks_tuple()
and creating a new hdb_generate_key_set_password() which calls our
new function with zeroes for the added arguments.
Issue #246: https://github.com/heimdal/heimdal/issues/246
If krb5_get_config_strings() returns the empty string do not return
immediately. Instead the for() loop will be skipped because the empty
string represents the end of the string list permitting
krb5_config_free_strings() to free the allocated memory.
Change-Id: Ia6fdb13f716c07b53c8b3857af4f7ab8be578882
On 32-bit architectures with _FILE_OFFSET_BITS=64,
sizeof(off_t) > sizeof(size_t) .
LOG_HEADER_SZ was #define'd as an expression of type size_t, so in order
to get the sign extension right we need -(off_t)LOG_HEADER_SZ instead of
(off_t)(-LOG_HEADER_SZ). However, we can just define the *_SZ macros to
cast to off_t, then we don't need to worry about negation.
Fixes Debian bug #822749, PR 175.
Signed-off-by (and updated by): Nicolas Williams <nico@twosigma.com>
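The sign-extension problem in the commit message above, reproduced as an added example (not Heimdal's code). It simulates a 32-bit build with _FILE_OFFSET_BITS=64 by using a 32-bit unsigned stand-in for size_t and a 64-bit signed stand-in for off_t; the typedef names, the function names, and the 16-byte header size are placeholders chosen for illustration. It shows the buggy (off_t)(-LOG_HEADER_SZ) form landing 2^32 bytes away from the intended position, beside both correct forms the commit describes: negating after the cast, and defining the *_SZ macro with off_t type so plain negation is safe.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not Heimdal code. On the simulated target:
 *   size_t is 32-bit unsigned, off_t is 64-bit signed. */
typedef uint32_t size32_t;   /* stands in for size_t on a 32-bit build */
typedef int64_t  off64_t;    /* stands in for off_t with _FILE_OFFSET_BITS=64 */

/* Header size as a size_t-typed expression, like the original LOG_HEADER_SZ.
 * The value 16 is a placeholder; only the type matters here. */
#define LOG_HEADER_SZ_SIZE_T ((size32_t)(4 * sizeof(uint32_t)))

/* The fix's alternative: give the *_SZ macro off_t type up front. */
#define LOG_HEADER_SZ_OFF_T  ((off64_t)(4 * sizeof(uint32_t)))

/* Buggy form: negation happens in 32-bit unsigned arithmetic and yields
 * 0xFFFFFFF0; the cast to off_t then zero-extends it to +4294967280, so the
 * "seek back 16 bytes" becomes a seek forward by almost 4 GiB. */
off64_t seek_back_buggy(off64_t pos)
{
    return pos + (off64_t)(-LOG_HEADER_SZ_SIZE_T);
}

/* Correct form 1 from the commit message: widen to off_t, then negate. */
off64_t seek_back_cast_first(off64_t pos)
{
    return pos + -(off64_t)LOG_HEADER_SZ_SIZE_T;
}

/* Correct form 2: the macro already has type off_t, so negation is safe. */
off64_t seek_back_off_t_macro(off64_t pos)
{
    return pos + -LOG_HEADER_SZ_OFF_T;
}

/* Distance between where the buggy code seeks and where it should. */
off64_t buggy_error(off64_t pos)
{
    return seek_back_buggy(pos) - seek_back_cast_first(pos);
}

int main(void)
{
    off64_t pos = 1000;
    printf("intended position: %lld\n", (long long)seek_back_cast_first(pos));
    printf("buggy position:    %lld (off by %lld)\n",
           (long long)seek_back_buggy(pos), (long long)buggy_error(pos));
    return 0;
}
```

On a native 64-bit build size_t and off_t are the same width, the negation already happens in 64-bit arithmetic, and all three functions agree; that is why the defect only surfaced on 32-bit Debian targets.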
On a low update rate master, if we don't update old_version after
processing a poll timeout, we will generate spurious warnings about
missed (change) signals every time the timer expires, and will
needlessly contact the slaves.