In krb5_parse_name_flags(), if the principal name is not an enterprise
name, is one component in length and contains an '@', set the principal
type to NT-SMTP-NAME as specified by RFC 4120.
Treat principals of type NT-UNKNOWN as NT-SRV-HST if the first component
of the principal name is "host".
Change-Id: I28fb619379daac827436040e701d4ab7b279852b
The _kdc_is_anonymous() helper function must take into account
that principals of type NT-UNKNOWN can match any other principal
type including NT-WELLKNOWN.
Change-Id: I6085b9471f6f1d662119e359491bbdce629ef048
This is part of the fix to #173. MSFT RODCs insist on the name type for
krbtgt principals be set to KRB5_NT_SRV_INST.
Commentary from Jeffrey Altman <jaltman@secure-endpoints.com>
As reported by David Mulder of Dell's Quest, Active Directory will
return a BAD_INTEGRITY error when a request for a krbtgt service
ticket is received with principal type NT-PRINCIPAL instead of NT-SRV-INST
as required by RFC 4120.
[Nico: RFC4120 does not require this. See the description of the
name-type field of PrincipalName on page 55.]
ERROR: VAS_ERR_KRB5: Failed to obtain credentials.
Client: SLED10-32$@F.QAS,
Service: SLED10-32$@F.QAS, Server: ad2-f.f.qas
Caused by: KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353): Decrypt integrity check failed
Microsoft began enforcing principal type checking for RODCs in 2008R2.
Microsoft does state that ALL krgtgt/REALM tickets SHOULD be sent using
principal name type of KRB5_NT_SRV_INST instead of KRB5_NT_PRINCIPAL.
From Microsoft:
"I believe we discovered the problem. There isn't a bug in Windows.
There's been a code change to address another issue which puts in additional
checks for Kerberos tickets. The problem is with the Unix clients when the
client request a TGT. The Unix clients are using Name-type Principal
[KRB_NT_PRINCIPAL (1)] instead of using Name-type Service and Instance
[KRB_NT_SRV_INST (2)]...."
This change assigns the NT-SRV-INST principal type each time a krbtgt
service principal is created. Unlike Microsoft, the Heimdal mostly does
not care about the name-type of any principals, with the exception of
referrals, where the name type is needed to decide how to find a
next-hop realm.
In client_connect() getaddrinfo() stores the head of the allocated
addrinfo structure list in 'res0'. 'res' is used to walk the list
and will be NULL at the end of the for() loop when freeaddrinfo(res)
is executed. Pass 'res0' to freeaddrinfo() instead of 'res'.
Change-Id: Ie1358c0356b6b0f98470e46e25216cfa0ab4adac
In hdb_ldap_common() the test
if (search_base == NULL && search_base[0] == '\0')
error handling ...
must be
if (search_base == NULL || search_base[0] == '\0')
error handling ...
Change-Id: I8d876a9c56833431b3c4b582fbb0a8cc7353893d
The prior patch removed the definition of the XUA check but failed
to remove the execution of the check. Do so now.
Change-Id: I648a374370d3549db0d98b90f810bd018dc28962
gsskrb5_acceptor_start() was making a copy of the global pointer
_gsskrb5_keytab to use later. This invites a race condition where
another thread could call gsskrb5_register_acceptor_identity()
(thus invalidating the target of the copied pointer) before it is
used by gsskrb5_acceptor_start().
So instead, clone the keytab to a new one while protected by the
mutex lock (similar to get_keytab() in acquire_cred.c).
Signed-off-by: Nicolas Williams <nico@twosigma.com>
Instead of imposing a default 10 hour ticket lifetime and 1 month renew
lifetime when requesting tickets, increase the default lifetime and
renew lifetime to 2147483647 seconds. This ensures that in the absence
of any other configuration or command line parameters that the KDC will
determine the ticket lifetime and renew lifetime.
Change-Id: I52b6eeac1ee830a9bf4d0130e8f4ec7b70bc8694
Signed-off-by: Nicolas Williams <nico@twosigma.com>
The original motivation was to avoid extra timeouts when the network is
broken. However this doesn't avoid one of the timeouts and adds
complexity and introduced bugs.
To really suppress search lists use ndots.
In lib/roken/resolve.c, we find rk_dns_srv_order() which re-orders
the results of an SRV RR lookup by the algorithm in RFC2782. We
note that the algorithm doesn't behave according to the RFC w.r.t.
entries of weight zero. We solve this by scaling out the remaining
weights by the number of zeros we find at a particular priority
level and acting like the zero weights have a weight of one.
In lib/roken/resolve.c, we find rk_dns_srv_order() which re-orders
the results of an SRV RR lookup by the algorithm in RFC2782. We
fix a bias in the random weight sorting by changing the order of
operations when selecting rnd. rnd should be a non-zero random
number less than the sum of the weights at a particular priority,
but zero was included as a legitimate output thus biasing the
selection process. rk_random() % sum is still biased as a 32
bit int modulo a number which doesn't divide 2^32 does not have
a uniform distribution, but the bias should be small enough to
live with for our purposes here.
Apending '.' to the hostname passed to `getaddrinfo()` is good for
avoiding extra timeouts when the search list is non-empty and the
network is broken, but searches in /etc/hosts are typically inhibited
then. The fix is to try again without the trailing '.' if the first
lookup failed for any reason other than a timeout.
On 32-bit architectures with _FILE_OFFSET_BITS=64,
sizeof(off_t) > sizeof(size_t) .
LOG_HEADER_SZ was #define'd as an expression of type size_t, so in order
to get the sign extension right we need -(off_t)LOG_HEADER_SZ instead of
(off_t)(-LOG_HEADER_SZ). However, we can just define the *_SZ macros to
cast to off_t, then we don't need to worry about negation.
Fixes Debian bug #822749, PR 175.
Signed-off-by (and updated by): Nicolas Williams <nico@twosigma.com>
