The KDC Option and Ticket Flag for the anonymous extension were changed
from 14 to 16 due to a conflict with S4U2Proxy in version 11 of the anonymous
draft (now RFC6112). Fix the definitions
A comparison of (len > len + 1) is permitted to be optimized out
as dead code because it can't be true. Overflowing is an exceptional
condition that results in undefined behavior. The correct conditional
is (len == SIZE_MAX) when len is size_t.
Change-Id: Ia5586556a973d9fa5228430c4304ea9792c996bb
When running as a service under systemd, kadmin cannot successfully use
setpgid(). The call fails with EPERM. Do not treat this as a fatal
error; instead, allow kadmind to continue starting up.
Provide a new internal function called get_switched() to encapsulate
the algorithm for selecting a credential cache when the selected
ccache type supports switching. There is no change in behavior for
UNIX which always calls krb5_cc_new_unique(). However, on Windows
alternate behavior is provided when the ccache type is API or MSLSA.
For the API ccache the default ccache name is stored in the Windows
registry which is shared across all logon sessions belonging to a
user. For users that are members of the Administrators group this
includes both the UAC restricted and elevated sessions sharing the
same desktop. It is very disconcerting when the elevated session obtains
credentials for the same client principal as the restricted session
and then all apps in the restricted session lose access to their
credential cache. For Windows, the API credential caches are named
after the principal that is stored within them. It provides for a
better end user experience.
For the MSLSA ccache tickets belonging to multiple principals are
all stored within the MSLSA ccache. As a result, all attempts to
switch ccache names default back to the one and only one name.
Change-Id: I7865cd044cff01ff38ab107ec0961e42788fa073
Now that test_fx checks 1DES keys, we need to call allow_weak_crypto on
the test's context.
Without this fix, "make check" was failing with the following error:
lt-test_fx: krb5_crypto_init: Encryption type des-cbc-crc not
supported
The hdb_ldap_create and hdb_ldapi_create prototypes use the "static"
keyword, but the functions themselves are not implemented as static.
Heimdal's buildsystem dynamically adds function declarations to
hdb-protos.h based on the actual function implementations. Those
declarations in hdb-protos.h are not declared as static.
Since the build system generates the declarations dynamically, just
remove them from hdb-ldap.c.
When we added the get-keys privilege we lost the ability to setup
keytabs with the kadmin ext command. The fix is to note that we got
bogus key data and randkey (as we used to).
(rebased on current Heimdal by abartlet)
The error Coverity complains about is in the malloc. krb5_enctypes is
an enum, so it is usually smaller than the size of a pointer. So we
overallocate, but in the memcpy further down we copy from potentially
invalid memory.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 13 11:05:44 CET 2013 on sn-devel-104
In the error case without EXTRA_ADDRESSES we access ignore_addresses
without initialization
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This makes sure config.h gets includes first.
This should fix the build on AIX.
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jun 17 16:16:24 CEST 2012 on sn-devel-104
This should fix the build on AIX.
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jun 16 23:59:07 CEST 2012 on sn-devel-104
This is a static const struct and the name is never used,
so just make it an anonymous struct.
This hopefully fixes the build on AIX:
"../lib/roken/roken-common.h", line 276.9: 1506-236 (W) Macro name __attribute__ has been redefined.
"../lib/roken/roken-common.h", line 276.9: 1506-358 (I) "__attribute__" is defined on line 45 of ../lib/com_err/com_err.h.
"../lib/krb5/expand_path.c", line 331.21: 1506-334 (S) Identifier token has already been defined on line 98 of "/usr/include/net/if_arp.h".
"../lib/krb5/expand_path.c", line 390.43: 1506-019 (S) Expecting an array or a pointer to object type.
"../lib/krb5/expand_path.c", line 391.31: 1506-019 (S) Expecting an array or a pointer to object type.
"../lib/krb5/expand_path.c", line 392.20: 1506-019 (S) Expecting an array or a pointer to object type.
"../lib/krb5/expand_path.c", line 392.48: 1506-019 (S) Expecting an array or a pointer to object type.
"../lib/krb5/expand_path.c", line 393.39: 1506-019 (S) Expecting an array or a pointer to object type.
Waf: Leaving directory `/opt/home/build/build_farm/samba_4_0_test/bin'
Build failed: -> task failed (err #1):
{task: cc expand_path.c -> expand_path_52.o}
gmake: *** [all] Error 1
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jun 16 15:20:59 CEST 2012 on sn-devel-104
This handles referrals for SPNs of the form
E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/REALM, which are
used during DRS replication when we don't know the dnsHostName of the
target DC (which we don't know until the first replication from that
DC completes).
We use the 3rd part of the SPN directly as the realm name in the
referral.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
