Combined with the synthetic_clients feature, this will allow hosts that
have a PKINIT-worthy client certificate with a SAN with their host
principals to create their own principals and "extract" their host
keytabs. Together with some other PKIX credential bootstrapping
protocol, this can help hosts bootstrap Kerberos host credentials.
Samba compiles Heimdal internally without HAVE_DLOPEN to keep
to internally supplied mechanisms and plugins.
Samba compiles with strict warning flags and on Ubuntu 20.04
with gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04) we see:
../../source4/heimdal/lib/gssapi/mech/gss_mech_switch.c: In function ‘_gss_load_mech’:
../../source4/heimdal/lib/gssapi/mech/gss_mech_switch.c:462:1: error: label ‘out’ defined but not used [-Werror=unused-label]
462 | out:
| ^~~
cc1: all warnings being treated as errors
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
When b->kdc_options.enc_tkt_in_skey is set, the variable 'spn'
provided to verify_flags() for the purpose of logging is not
yet set, it is still NULL from the initialiser.
On Samba we see, when compiling with -O3 and strict warning rules with
gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04):
$ make -k
PYTHONHASHSEED=1 WAF_MAKE=1 ./buildtools/bin/waf build
Waf: Entering directory `/home/abartlet/heimdal-import/samba/bin/default'
Selected embedded Heimdal build
[2822/4527] Compiling source4/heimdal/kdc/krb5tgs.c
In function ‘verify_flags’,
inlined from ‘verify_flags’ at ../../source4/heimdal/kdc/krb5tgs.c:625:1,
inlined from ‘tgs_build_reply.isra.0’ at ../../source4/heimdal/kdc/krb5tgs.c:1671:8:
../../source4/heimdal/kdc/krb5tgs.c:635:2: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
635 | kdc_log(context, config, 4, "Ticket not valid (%s)", pstr);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘verify_flags’,
inlined from ‘tgs_build_reply.isra.0’ at ../../source4/heimdal/kdc/krb5tgs.c:1671:8:
../../source4/heimdal/kdc/krb5tgs.c:631:2: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
631 | kdc_log(context, config, 4, "Ticket expired (%s)", pstr);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Essentially, with an optimising compiler, the funciton is inlined
and the compiler notices that the kdc_log() argument is always NULL.
Based on patches by Stefan Metzmacher <metze@samba.org>
in his master-heimdal branch at:
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=2ac326b9cb8f896f874edfa6725f087034270322#patch2https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master-heimdal
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Sorting the units fixes a bug introduced in:
ae8908bf8 kadmin: Add disallow-client attribute
that I had fixed via:
f6ac4ee86 roken: Fix parse flags bug
which wasn't a bug at all.
This is useful for services that need not be clients. For example, an
untrusted service that need only accept authentication from clients,
but not initiate authentication to other services.
krb5_get_next() and krb5_get_cache_next() do not check for krb5_kcm_call()
returning non-zero before accessing the repsonse data; they only handle the
case where the return value is KRB5_CC_END.
Return immediately if the return value of krb5_kcm_call() is not KRB5_CC_END or
0. This was fixed in the Apple code.
Some compilers with -Wstring-concatenation enabled warned about a suspicious
concatenation of string literals in the initialization of the GSS-API error
message array.
At the expense of a long line, avoid this warning but explicitly concatenating
the offending string literal.
Fixes: #775
vis.h is not built on platforms (such as macOS) that already have
that header, which resulted in prototypes for Heimdal-specific
vis.h extensions being absent.
Move those prototypes to a separate header, vis-extras.h, which
must be explicitly included in order to use the Heimdal extensions.
- Don't log "Request from wrong address (ignoring)".
- Add "wrongaddr=yes" kv to final log message.
- Add request and ticket addresses (up to 3) to final log message.
If a DB does not already exist, ipropd-slave will use the compiled
default, which is not necessarily what is desired or configured in
`[kdc]`.
This change makes `hdb_default_db()` return the first dbanme in the
`[kdc]` configuration, falling back on `HDB_DEFAULT_DB`.
Also, this adds a `--database` option to `ipropd-slave`.
The codegen backend is faster than the template backend, even for
modules that don't use IOS. On x64 we see the template backend being
4% slower for TGS requests using the kdc-tester program.
So let's build both, libasn1 (codegen) and libasn1template when
configured with --disable-asn1-templating, but make sure that the
asn1_print utility is linked with libasn1template.
Eventually we'll want to either optimize the template backend better,
or add IOS and JSON printing support to the codegen backend.
