Roland C. Dowdeswell
352a7e94a3
Make the KDC use a multi-process model.
...
We now fork(2) a number of separate KDC processes rather than a single
process. By default, the number is selected by asking how many CPUs
the machine has. We also have a master process which monitors all
of the children (which do the actual work) and it will restart kids
who die for any reason. The children will die when the parent dies.
In the case of MacOS X, we also move the bonjour code into another
separate child as it creates threads and this is known to play
rather poorly with fork(2). We could move this logic into a
designated child at some point in the future.
We slow down the spawning to one every 25ms to prevent instant crashes
and restarts from consuming all available system time. This approach
may want to be revisited in the future.
2015-11-06 15:39:30 -05:00
Nicolas Williams
c757eb7fb0
Rename and fix as/tgs-use-strongest-key config parameters
...
Different ticket session key enctype selection options should
distinguish between target principal type (krbtgt vs. not), not
between KDC request types.
2011-11-25 17:21:04 -06:00
Love Hörnquist Åstrand
c5db78a3c2
switch to use use_strongest_server_key
...
use the same behavior as 1.4 release.
2011-07-24 10:33:28 -07:00
Nicolas Williams
f93a56f931
Set improved enctypes parameter defaults to better match the RFC.
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Nicolas Williams
8ada355954
Forgot to default use_strongest_server_key...
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Nicolas Williams
76a192b906
Forgot to default preauth_use_strongest_session_key...
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Nicolas Williams
256cf6ea12
This patch adds support for a use-strongest-server-key krb5.conf kdc parameter that controls how the KDC (AS and TGS) selects a long-term key from a service principal's HDB entry. If TRUE the KDC picks the strongest supported key from the service principal's current keyset. If FALSE the KDC picks the first supported key from the service principal's current keyset.
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Nicolas Williams
481fe133b2
Also added preauth-use-strongest-session-key krb5.conf kdc parameter, similar to {as, tgs}-use-strongest-session-key. The latter two control ticket session key enctype selection in the AS and TGS cases, respectively, while the former controls PA-ETYPE-INFO2 enctype selection in the AS case.
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Nicolas Williams
a7a8a7e95c
Initial patch to add as-use-strongest-session-key and same for tgs krb5.conf parameters for the KDC. These control the session key enctype selection algorithm for the AS and TGS respectively: if TRUE then they prefer the strongest enctype supported by the client, the KDC and the target principal, else they prefer the first enctype from the client's list that is also supported by the KDC and the target principal.
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Love Hornquist Astrand
0879b9831a
remove trailing whitespace
2011-05-21 11:57:31 -07:00
Love Hornquist Astrand
657297a738
clean the last bits of KRB4 support in KDC
2011-05-07 11:44:15 -07:00
Love Hornquist Astrand
290aed8056
add missing ;
2010-11-28 19:49:27 -08:00
Andrew Bartlett
b819f1fe2b
Push PKINIT configuration into default_config.c
...
The interaction with Samba4 is subtle - it calls
krb5_kdc_get_config(), but not configure() - but must have PKINIT set
up.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2010-11-28 19:45:18 -08:00
Love Hornquist Astrand
dde9ae659b
drop RCSID
2010-03-16 12:50:09 -07:00
Love Hornquist Astrand
72fbb8714f
make pkinit non optional
2009-11-22 00:27:45 -08:00
Love Hörnquist Åstrand
89edf1be0e
make digest, kx509 and krb4
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24484 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-01-25 20:50:15 +00:00
Love Hörnquist Åstrand
0c4d8d3a16
Add switch to select friendly_name of the certificate.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24195 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-12-15 04:31:22 +00:00
Love Hörnquist Åstrand
6937d41a02
remove trailing whitespace
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23815 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-09-13 09:21:03 +00:00
Love Hörnquist Åstrand
e172367898
switch to utf8 encoding of all files
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23814 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-09-13 08:53:55 +00:00
Love Hörnquist Åstrand
7fcd266fdd
use krb5_set_error_message
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23316 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-06-23 04:32:32 +00:00
Love Hörnquist Åstrand
007d16660b
Split out krb5_kdc_set_dbinfo, From Andrew Bartlett
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21405 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-07-04 10:35:45 +00:00
Love Hörnquist Åstrand
36bcc8529e
Rename require_binding to win2k_require_binding to match client configuration.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21296 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-06-25 14:49:11 +00:00
Love Hörnquist Åstrand
ea8a0d2891
Add [kdc]pkinit_require_binding option.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21291 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-06-25 14:14:41 +00:00
Love Hörnquist Åstrand
cd83aef979
rename pkinit_princ_in_cert and add pkinit_require_binding
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21288 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-06-25 14:09:55 +00:00
Love Hörnquist Åstrand
dd6d82336b
Remove extra \n.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21166 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-06-19 00:05:50 +00:00
Love Hörnquist Åstrand
c561d08c04
export get_dbinfo as krb5_kdc_set_dbinfo and call from users. This allows libkdc users to specify their own databases
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21110 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-06-18 10:52:20 +00:00
Love Hörnquist Åstrand
ef7201572e
Make the default configuration fetch info from the krb5.conf.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20532 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-04-23 07:46:57 +00:00
Love Hörnquist Åstrand
7a339bab7d
revert 20447, it doesn't pass the regression tests, exports too much
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20454 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-04-19 20:21:51 +00:00
Love Hörnquist Åstrand
0c2182a3ba
Call out to Heimdal's krb5.conf processing to configure many aspects of KDC behaviour. This should allow PKINIT to be turned on and managed with reasonable sanity.
From Andrew Bartlett
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20447 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-04-19 18:22:41 +00:00
Love Hörnquist Åstrand
dfcd435953
(krb5_kdc_default_config): default to all bits set to zero.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17912 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-08-24 08:52:53 +00:00
Love Hörnquist Åstrand
c69e1634dc
(krb5_kdc_default_config): set kdc_warn_pwexpire to 0
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17642 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-06-12 21:35:22 +00:00
Love Hörnquist Åstrand
0dc8e6af03
Merge in the libkdc/kdc configuration split from Andrew Bartlett <abartlet@samba.org>
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15537 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-06-30 15:33:03 +00:00