This is required to ensure the client still gets errors like KRB5KDC_ERR_PREAUTH_FAILED, rather than
KRB5KDC_ERR_PREAUTH_REQUIRED, which become a confusing KRB5_GET_IN_TKT_LOOP.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
The following sequence of events results in slave B having a stale HDB:
- slave A connects to master, master dumps HDB for the slave
- kadm5 operations
- slave B connects to master, master sends previously dumped HDB
slave B won't discover any updates until the next transaction.
The fix is simple: the slave should immediately call ihave() after
receiving a complete HDB.
It should be possible to pass a format string of "%.s" to permit
a non-nul terminated string to be used as input. The test of remaining
precision and the test for NUL needs to be reversed to permit this
behavior to function correctly.
Change-Id: I200f9c2886419dc4c3870f5f44bc10e81245f56c
gss_init_sec_context() with input_cred_handle != GSS_C_NO_CREDENTIAL
should NOT proceed if there is no element in the given credential for
the requested mechanism.
It isn't possible to use non-default credentials to init a context with
a mechanism for which the credential doesn't have an element. That's
exactly what was happening here. The code was left commented out to
describe how one might use SPNEGO with delegated credentials:
store them with gss_store_cred(), then acquire them back.
This is needed so that the NTLM GSS mechanism can have a meaningful
concept of default credential (the NTLM key for the default domain found
in the ccache).
Instead of hard coding 10 hours as the default ticket lifetime within
lib/krb5/init_cred_pw.c init_cred(), add a preprocessor macro,
KRB5_TKT_LIFETIME_DEFAULT, that can be overridden at build time.
The value of KRB5_TKT_LIFETIME_DEFAULT is 10 hours if not previously
defined.
Change-Id: I63e729fedee8e8c6f542e4a4665de5f40db34c03
