Treat principals of type NT-UNKNOWN as NT-SRV-HST if the first component
of the principal name is "host".
Change-Id: I28fb619379daac827436040e701d4ab7b279852b
When storing credentials whose ticket principal is not equal to the
requested principal, store the ticket under both names not only when
the original realm is the referral realm, but more generally for any
difference at all. This matches MIT behaviour.
Allow explicit name_canon rules to specify a realm to go with the
canonicalized hostname, if that realm is empty the effect is the
same "use-referrals"
Also fix segfault when no creds and debugging
When looking for a ticket, use the capath codepath first when we know
the service's realm: because we might have local policy as to how to get
there.
Then, if that doesn't work, try referrals. (For now unconditionally.)
krb5_get_credentials_with_flags() and krb5_get_creds() do not store
obtained TGTs if the KRB5_GC_NO_STORE flag is set.
Change-Id: Ie999ec4e985463ff60e9d499c3e870880033dfa7
In get_cred_kdc_capath_worker() if the credentials obtained by
get_cred_kdc_address() does not exactly match the requested service
principal discard them and return KRB5KC_ERR_S_PRINCIPAL_UNKNOWN.
Change-Id: Iaeacd07f87374f64e3a7bb860adfeb2dc9550fd1
Prior to this change _krb5_get_cred_kdc_any() would include TGTs obtained
via KDC referrals in the "*ret_tgts" array returned to the caller. The
caller typically stores these TGTs in the active credential cache.
However, referrals TGTs must not be cached or reused for any request
beyond the one it was issued for. The referral is for a specific service
principal and the resulting TGT could include service specific AuthData.
The referral might also direct the client along a transitive path that
is specific to this service and not applicable in the general case.
This change removes the *ret_tgts parameter from get_cred_kdc_referral()
so that the obtained TGTs are never returned to its caller. This also
prevents these TGTs from being used by any subsequent call to
get_cred_kdc_capath().
Change-Id: Iacc76c5b1639af3cf6bf277966cfd1535dd1e84d
This is necessary because some applications actually need or run
better with renewable service tickets. kca is an example
application; AFS tokens are also another example.
most of these warnings are not problems because of ample
use of abort() calls. However, the large number of warnings
makes it difficult to identify real problems. Initialize
the variables to shut up the compilers.
Change-Id: I8477c11b17c7b6a7d9074c721fdd2d7303b186a8
If the is Windows 2000 DC, we need to retry with key usage 8 when doing ARCFOUR.
Thanks to Andrew and Tridge that helped me debug this using their systems.
