If there is no MSLSA: credential cache principal, then try to
fallback to the MIT default MIT credential cache name, API:krb5cc.
Change-Id: I8f981c5401b4f962cf808e7b0dc782e42bc03023
If there is no default credential cache obtained from the registry
or from configuration files, then check to see if there is a valid
principal available from the MSLSA: credential cache. If so, use
"MSLSA:" as the default credential cache. This will simply configuration
for users on domain joined Windows machines when logged in using a
domain account.
Change-Id: I4c4392e0fdcec89aff3d258ce1b753e6458e3eec
Remove unnecessary levels of indentation.
Switch the conditional from "(e == NULL)" to "(p == NULL)" since it
the variable 'p' that is actually used to store the name of the
default credential cache.
Change-Id: Id884e2cd80b42e47d3c219ac3777161087467a14
Windows queries the default ccache name via the registry. Prior
to this change only the HKEY_CURRENT_USER hive. Fallback to
HKEY_LOCAL_MACHINE if there is no "ccname" value specified for the
user. This permits system or domain administrators to set the
default ccache to MSLSA: for all users.
Change-Id: Ide3b51358f8fc6944ca698e4a68295be9463d4e0
As per
https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf
prior to a new top-level domain being put into service there is controlled
interuption service which will return explicit responses to DNS A, MX, SRV, and TXT
queries that can be used to detect private namespace collisions.
When performing fallback_get_hosts() check the AF_INET responses to ensure
that they are not the gTLD name collision address 127.0.53.53. If so, add
an error message to the context and return KRB5_KDC_UNREACH.
Write a warning to the log (if any).
Change-Id: I2578f13948b8327cc3f06542c1e489f02410143a
As per
https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf
prior to a new top-level domain being put into service there is a
controlled interuption service which will return explicit responses to DNS
A, MX, SRV, and TXT queries that can be used to detect private namespace collisions.
Modify SRV records lookups to detect the special hostname returned in the
SRV response, skip the response, and record an appropriate error if it is detected.
Write a warning to the log (if any).
Change-Id: I47e049b617e39e49939bc92d513a547de1d04624
As per
https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf
prior to a new top-level domain being put into service there is a
controlled interuption service which will return explicit responses to DNS
A, MX, SRV, and TXT queries that can be used to detect private namespace collisions.
Modify the signature of copy_txt_to_realm() to accept a krb5_context so
that meaningful errors can be recorded.
Write a warning to the log (if any).
Change-Id: I51ff8feed4f9d2af8b956bd4ba26e1c4644247c2
Instead of allocating a separate mutex object on the heap,
include the HEIMDAL_MUTEX in the krb5_context structure.
Change-Id: If6db484177410487176985e43e3b43e0f2166518
Add a basic set of tests for the HEIMDAL_MUTEX and HEIMDAL_RWLOCK
abstraction using both static and dynamic initialization.
Change-Id: Iaeb16e5dfcf00d29be7eaa4f2e6970c4f1268fb0
All source files in lib/hcrypto should be built the same way.
Since this source directory is dependent on libroken then all source
files must be built using the roken.h declarations and included headers.
Also, there is no config.h in the local directory so angle brackets
include of quotes should be used.
Finally, because roken.h includes stdio.h, stdlib.h, stdarg.h, limits.h,
strings.h, sys/types.h, etc., do not include them separately.
Start all source files with
#include <config.h>
#include <roken.h>
Change-Id: I09ab47f8a5472018efe6c8b59a0e51fde8f24724
Make memcmp() compare the name1 and name2 value instead of comparing
name1 with itself.
The memcmp() is only executed if the left-hand side of the || is false
i.e. when both length are equal so the length argument is correct (no out-of-bounds reads).
We need the uber record all the time now, actually, except when merely
inspecting a log file. This is important as we depend on replaying
entries written to the log in order to complete the HDB writes, and if
we don't have an uber record we can't do this step.
Also, log_init() should cleanup on error.
When new keys are added (typically via kadm5_setkey_principal_3),
truncate the key history to remove old keys, that is keys older than
the newest key which was in effect prior longer ago than the principal's
maximum ticket lifetime. This feature is controlled via the "[kadmin]"
section's "prune-key-history" boolean parameter, which defaults to false.
Currently this happens only when kadm5_setkey_principal_3()
is called directly on the server, the client API simulates
kadm5_setkey_principal_3() via a get, update, modify sequence that does
not prune the key history. The plan is to add a new kadm5 protocol RPC
and convert clients to call that instead.
In setkey_principal_3 seal keys after entry key update
Also, for now, don't check the return value of kadm5_log_modify() in
the new kadm5_s_setkey_principal_3(). This has to be addressed more
globally.
Censor stale keys in kadm5_s_get_principal
- fix int/uint confusion and use unsigned integral types for time
- improve messages
- add --verbose option
- attempt transaction recovery in ipropd-master during idle times
- begin hardening daemons against dying at the slightest provocation
- better recovery from various errors
- daemons now restart automatically in most of the many error cases
where the daemons still die
We used to update the iprop log and HDB in different orders depending on
the kadm5 operation, which then led to various race conditions.
The iprop log now functions as a two-phase commit (with roll forward)
log for HDB changes. The log is auto-truncated, keeping the latest
entries that fit in a configurable maximum number of bytes (defaults to
50MB). See the log-max-size parameter description in krb5.conf(5).
The iprop log format and the protocol remain backwards-compatible with
earlier versions of Heimdal. This is NOT a flag-day; there is NO need
to update all the slaves at once with the master, though it is advisable
in general. Rolling upgrades and downgrades should work.
The sequence of updates is now (with HDB and log open and locked):
a) check that the HDB operation will succeed if attempted,
b) append to iprop log and fsync() it,
c) write to HDB (which should fsync()),
d) mark last log record committed (no fsync in this case).
Every kadm5 write operation recover transactions not yet confirmed as
committed, thus there can be at most one unconfirmed commit on a master
KDC.
Reads via kadm5_get_principal() also attempt to lock the log, and if
successful, recover unconfirmed transactions; readers must have write
access and must win any race to lock the iprop log.
The ipropd-master daemon also attempts to recover unconfirmed
transactions when idle.
The log now starts with a nop record whose payload records the offset of
the logical end of the log: the end of the last confirmed committed
transaction. This is kown as the "uber record". Its purpose is
two-fold: act as the confirmation of committed transactions, and provide
an O(1) method of finding the end of the log (i.e., without having to
traverse the entire log front to back).
Two-phase commit makes all kadm5 writes single-operation atomic
transactions (though some kadm5 operations, such as renames of
principals, and changes to principals' aliases, use multiple low-level
HDB write operations, but still all in one transaction). One can still
hold a lock on the HDB across many operations (e.g., by using the lock
command in a kadmin -l or calling kadm5_lock()) in order to push
multiple transactions in sequence, but this sequence will not be atomic
if the process or host crashes in the middle.
As before, HDB writes which do not go through the kadm5 API are excluded
from all of this, but there should be no such writes.
Lastly, the iprop-log(1) command is enhanced as follows:
- The dump, last-version, truncate, and replay sub-commands now have an
option to not lock the log. This is useful for inspecting a running
system's log file, especially on slave KDCs.
- The dump, last-version, truncate, and replay sub-commands now take an
optional iprop log file positional argument, so that they may be used
to inspect log files other than the running system's
configured/default log file.
Extensive code review and some re-writing for clarity by Viktor Dukhovni.
