In the case that one name has no MNs and the second name only has an MN, then
the order in which the two names are passed in matters, but it shouldn't. Run
the comparison both ways.
Coverity determined that a NULL pointer segmentation fault could occur
if krb5_storage_emem() fails. Use krb5_enomem() to set an error message
on the context and do not perform further krb5_storage operations.
Change-Id: I9587208e46c184bb061443a44581a32dd722de33
- Add --keepold/keepallold/pruneall options to various kadmin/ktutil
commands. Default behavior to "prune old keys".
- When setting keys for a service, we need to specify enctypes for it:
- Always use kadm5_randkey_principal_3() instead of the older
kadm5_randkey_principal().
- Add krb5_string_to_keysalts2(), like MIT's krb5_string_to_keysalts(),
but with a context, and simpler.
- Add --enctypes options to various kadmin/ktutil commands.
- Add [libdefaults] supported_enctypes param with enctype[:salttype]
list.
- Add [realms] realm supported_enctypes param with enctype[:salttype]
list.
Default to aes128-cts-hmac-sha1-96:normal.
libhx509 is not built according to the same export and calling conventions
on Windows as the other libraries. This change declares and applies
HX509_LIB_FUNCTION, HX509_LIB_NORETURN_FUNCTION, HX509_LIB_CALL and
HX509_LIB_VARIABLE to lib/hx509.
As a result of this change the calling convention for exported functions
will be __stdcall instead of __cdecl.
Change-Id: Ibc3f05e8088030ef7d13798f1d9c9b190bc57797
If a memory allocation failure occurs, return an error instead of
triggering a segmentation fault.
Change-Id: I38f5e88ca2f1ba7411b05a35b925168015261eb4
fix breakage introduced by 6341132175
("roken: fix build breakage, AT_HWCAP2 may be undefined (#446)").
Detected by Coverity.
Change-Id: Iefdb73d4392e5184a69a99208945ece6b7b8ecb3
For compatibility with MIT Kerberos, support automatic acquisition of initiator
credentials if a client keytab is available. The default path on non-Windows is
/var/heimdal/user/%{euid}/client.keytab, but can be overriden with the
KRB5_CLIENT_KTNAME environment variable or the default_client_keytab_name
configuration option. If a client keytab does not exist, or exists but does not
contain the principal for which initiator credentials are being acquired, the
system keytab is tried.
It turns out gss_add_cred() really needed a complete rewrite. It's much
better to first have a gss_duplicate_cred() (which has been needed for
other reasons anyways), and use that when the input_cred_handle is not
GSS_C_NO_CREDENTIAL and output_cred_handle is not NULL, then mutate that
duplicate credential handle (or the input_cred_handle if
output_cred_handle is NULL).
When WIN32 is undefined an unreachable code warning was generated
since "/bin/sh" is returned as the default resposne.
Change-Id: I757c9d05db62c1d52fee0e510259098d73273a84
We start slapd in the foreground (-d0) but backgrounded in the shell,
then we wait 4 seconds. This causes a race condition however. This
commit makes the slapd-init script more robust and limits the wait to
however many seconds (up to 30) that slapd needs to start service.
Since c6bf100b password quality checks have been moved out of kadmindd and into
libkadm5. This means that all password changes are subject to quality checks,
if enforce_on_admin_set is true (the default). In rare instances it could be
possible for realm initialization to fail because the randomly generated
passwords do not pass the password quality test. Fix this by creating
principals with no password or key, rather than with a random password.
Random *keys* continue to be set immediately after the principal is created,
and before DISALLOW_ALL_TIX is unset, so there should be no functionality or
security implications from this change. It is safe to call a server-side API
such as kadm5_s_create_principal_with_key() as local_flag is asserted to be
true.
Since c6bf100b password quality checks have been moved out of kadmindd and into
libkadm5. This means that all password changes are subject to quality checks,
if enforce_on_admin_set is true (the default). In rare instances it could be
possible for realm initialization to fail because the randomly generated
passwords do not pass the password quality test. Fix this by creating
principals with no password or key, rather than with a random password.
Random *keys* continue to be set immediately after the principal is created,
and before DISALLOW_ALL_TIX is unset, so there should be no functionality or
security implications from this change. It is safe to call a server-side API
such as kadm5_s_create_principal_with_key() as local_flag is asserted to be
true.
Centralize logging for kadm5 hook failure, log successful hook loading, better
logging on hook load failures and on platforms that do not support dlopen().
The meaning of the two is different and we should
not implicitly set both if one was requested (this
aligns the logic with MIT kinit -C/-E options).
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
The referral function does not handle short names,
so avoid falling over it in case capath fails, in
order to preserve the error code returned by the
KDC (it wasn't a problem before the order between
the two functions has changed).
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Without it, Windows clients will perform an
extra AS-REQ, causing password lockout count
to increase by two instead of one.
This is an alternative to Samba commit:
978bc8681e74ffa17f96fd5d4355094c4a26691c
One difference however, it doesn't return
ENC_TIMESTAMP in PREAUTH_REQUIRED, only the
necessary ETYPE_INFO{,2} (same as Windows).
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
This is used by Samba to set the canonical realm in
case netbios realm was requested (same as Windows).
Regression introduced by upstream commit:
378f34b4be
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
