Multiple concurrent writers would cause the HDB to become corrupted
as the locking was not sufficient to prevent these sorts of issues
from occurring. We fix this in a similar way to the prior DB1 patch.
Multiple concurrent writers would cause the HDB to become corrupted
as the locking was not sufficient to prevent these sorts of issues
from occurring. We have changed the locking to obtain the appropriate
kind of lock on database open and to hold that lock until the
database closes. We need to do this as Berkeley DB 1.85 will cache
information from the database in memory and if if this information
is updated without our knowledge then our later writes will corrupt
the database. We speculate that there would be issues with a single
writer and reader but did not reproduce them.
Before this change Heimdal could read KDBs. Now it can write to
them too.
Heimdal can now also dump HDBs (including KDBs) in MIT format, which
can then be imported with kdb5_util load.
This is intended to help in migrations from MIT to Heimdal by
allowing migrations from Heimdal to MIT so that it is possible
to rollback from Heimdal to MIT should there be any issues. The
idea is to allow a) running Heimdal kdc/kadmind with a KDB, or
b) running Heimdal with an HDB converted from a KDB and then
rollback by dumping the HDB and loading a KDB.
Note that not all TL data types are supported, only two: last
password change and modify-by. This is the minimum necessary.
PKINIT users may need to add support for KRB5_TL_USER_CERTIFICATE,
and for databases with K/M history we may need to add KRB5_TL_MKVNO
support.
Support for additional TL data types can be added in
lib/hdb/hdb-mitdb.c:_hdb_mdb_value2entry() and
lib/hdb/print.c:entry2mit_string_int().
appl/test/tcp_server and gssapi_server try to open the keytab file only when processing a connection.
This patch verifies the existence of the keytab file on program startup, so that troubleshooting is easier. In addition it adds some comments.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
...rather than the authenticated principal's realm section. We do
this both to maintain compatibility with MIT and because it makes
more sense. We should likely also fix the auth_to_local_names as
cursory inspection reveals that it has the same incompatibility.
The source files generated by compile_et and asn1-compile must
begin with:
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
This permits conditional includes based on HAVE_STDINT_H and
HAVE_UNISTD_H to work.
Change-Id: Iefe25317ac3cb1970793748b8318174bcd7a087f
Commit c04aa9e082 specified the
mutex type, pthread_mutex_t, directly instead of using the
abstraction, HEIMDAL_MUTEX.
Change-Id: Iedfc46163140cf23014d357cc8ccc9f0e6224327
__gss_krb5_mechanism_oid_desc is now defined in gssapi/gssapi_oid.h,
so remove the definition in gssapi/gssapi_krb5.h in favor of including
that header.
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
md2.c was doing memset(m, 0, sizeof(m)), and so was only clearing
the first 4 bytes of the passed md2 structure in MD2_Final. Fix
this to clear the entire structure, as expected.
In most cases stdint.h should be inherited from roken.h.
In those cases where it cannot be, it must be protected by
#ifdef HAVE_STDINT_H
Change-Id: I46cbaeab1d65939468f84179aeeef7e4f898b0bb
