- fix int/uint confusion and use unsigned integral types for time
- improve messages
- add --verbose option
- attempt transaction recovery in ipropd-master during idle times
- begin hardening daemons against dying at the slightest provocation
- better recovery from various errors
- daemons now restart automatically in most of the many error cases
where the daemons still die
We used to update the iprop log and HDB in different orders depending on
the kadm5 operation, which then led to various race conditions.
The iprop log now functions as a two-phase commit (with roll forward)
log for HDB changes. The log is auto-truncated, keeping the latest
entries that fit in a configurable maximum number of bytes (defaults to
50MB). See the log-max-size parameter description in krb5.conf(5).
The iprop log format and the protocol remain backwards-compatible with
earlier versions of Heimdal. This is NOT a flag-day; there is NO need
to update all the slaves at once with the master, though it is advisable
in general. Rolling upgrades and downgrades should work.
The sequence of updates is now (with HDB and log open and locked):
a) check that the HDB operation will succeed if attempted,
b) append to iprop log and fsync() it,
c) write to HDB (which should fsync()),
d) mark last log record committed (no fsync in this case).
Every kadm5 write operation recover transactions not yet confirmed as
committed, thus there can be at most one unconfirmed commit on a master
KDC.
Reads via kadm5_get_principal() also attempt to lock the log, and if
successful, recover unconfirmed transactions; readers must have write
access and must win any race to lock the iprop log.
The ipropd-master daemon also attempts to recover unconfirmed
transactions when idle.
The log now starts with a nop record whose payload records the offset of
the logical end of the log: the end of the last confirmed committed
transaction. This is kown as the "uber record". Its purpose is
two-fold: act as the confirmation of committed transactions, and provide
an O(1) method of finding the end of the log (i.e., without having to
traverse the entire log front to back).
Two-phase commit makes all kadm5 writes single-operation atomic
transactions (though some kadm5 operations, such as renames of
principals, and changes to principals' aliases, use multiple low-level
HDB write operations, but still all in one transaction). One can still
hold a lock on the HDB across many operations (e.g., by using the lock
command in a kadmin -l or calling kadm5_lock()) in order to push
multiple transactions in sequence, but this sequence will not be atomic
if the process or host crashes in the middle.
As before, HDB writes which do not go through the kadm5 API are excluded
from all of this, but there should be no such writes.
Lastly, the iprop-log(1) command is enhanced as follows:
- The dump, last-version, truncate, and replay sub-commands now have an
option to not lock the log. This is useful for inspecting a running
system's log file, especially on slave KDCs.
- The dump, last-version, truncate, and replay sub-commands now take an
optional iprop log file positional argument, so that they may be used
to inspect log files other than the running system's
configured/default log file.
Extensive code review and some re-writing for clarity by Viktor Dukhovni.
A caller may want to specify an explicit order of PAC elements,
e.g. the PAC_UPN_DNS_INFO element should be placed after the PAC_LOGON_NAME
element.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
The build was failing at lib/hcrypto/evp-pkcs11.c because roken.h was
being included after <assert.h>. It's not clear why that would be a
problem.
Here are some of the errors and warnings that resulted from including
<roken.h> after <assert.h> in evp-pkcs11.c:
evp-pkcs11.c C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\ws2def.h(91) : warning C4005: 'AF_IPX' : macro redefinition s C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\winsock.h(460) : see previous definition of 'AF_IPX'
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\ws2def.h(124) : warning C4005: 'AF_MAX' : macro redefinition
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\winsock.h(479) : see previous definition of 'AF_MAX'
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\ws2def.h(168) : warning C4005: 'SO_DONTLINGER' : macro redefinition
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\winsock.h(402) : see previous definition of 'SO_DONTLINGER'
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\ws2def.h(212) : error C2011: 'sockaddr' : 'struct' type redefinition
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\winsock.h(485) : see declaration of 'sockaddr'
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\ws2def.h(390) : error C2059: syntax error : 'constant'
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\ws2def.h(524) : warning C4005: 'IN_CLASSA' : macro redefinition
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\winsock.h(287) : see previous definition of 'IN_CLASSA'
restore correct OID for GSS_C_PEER_HAS_UPDATED_SPNEGO, this should have no
ABI implications, it's for internal use only. The current OID was incorrectly
copied in commit dbeeb18a, it should belong to 1.3.6.1.4.1.5322.19 which is
... enterprise(1) padl(5322) gssKrb5Extensions(19). The OID we were camping
on belongs to another party.
As implemented by Jeffrey Altman heim_base_once_f() is a variant of the
"double-checked gate lock pattern". Full memory barriers must be used
when determining whether or not to call SwitchToThread().
Change-Id: I2f8446a56c50a37c921d6e993433c9a3f7488f50
Provide a Windows implementation of heim_base_once that relies upon
InterlockedCompareExchange() and SwitchToThread().
Change-Id: I9cdbda796d1a27fe1e17be63f287b10132858d7f
When __APPLE__ is defined and HCRYPTO_DEF_PROVIDER is not defined,
define HCRYPTO_DEF_PROVIDER to be "cc" so that Apple's CommonCrypto
implementations are used instead of the built-in "hcrypto"
implementations.
Change-Id: I393e5fc3f6c3b9339c96db58d926ff8ea1867cbb
The EGD daemon is completely unmaintained and has not seen a release
since 13 years which is not an acceptable timeframe for cryptographic
software. It is not packaged in any linux distribution I know of
and definitely not in *BSD.
LibreSSL has already dropped support for RAND_egd.
A careful code review was undertaken, and it was determined
that the best way to store the extended attributes was in a
native ASN1 encoded field. LDAP does not understand the
SEQUENCE of SEQUENCE structures used extensively throughout
the extended attributes structure, and there was already a
precedent set for storing the krb5Key data in a native ASN1
encoded field.
Change 29f6290fe6 removed the
PA_ClientCanon* ASN.1 functionality but failed to remove the generated
symbols from the Windows export list.
Change-Id: I9a46532ed7d8612fbc597dec9848505d4b440e09
