On Windows a file descriptor is an int value allocated by the
local module instance of the C Run Time Library. A socket handle is a
SOCKET value allocated by a Winsock Provider for the requested family and
protocol. These two values cannot be mixed and there is no mechanism for
converting between the two. The _get_osfhandle() and _open_osfhandle()
functions can work with a standard HANDLE (file, pipe, etc) but cannot be
used for a SOCKET.
The Heimdal krb5_storage_from_fd() routine counted on the osf conversion
functions working on SOCKET values. Since they do not any attempt to call
krb5_storage_from_fd() on a socket resulted in an assertion being thrown
by the C RTL.
Another problem is SOCKET value truncation when storing a 64-bit value
into a 32-bit int.
To address these problems a new krb5_storage_from_socket() routine is
introduced. This routine setups a krb5_storage that stores a socket value
as a rk_socket_t and provides a set of helper routines that always use
network ready functions.
The krb5_storage_from_fd() routines no longer use net_read() and
net_write() but provide helpers that follow their logic so that pipes can
be processed.
All call sites that allocate a socket now store the socket as rk_socket_t
and call krb5_storage_from_socket().
All locations that previously called the bare close() on a socket value
now call rk_closesocket().
Change-Id: I045f775b2a5dbf5cf803751409490bc27fffe597
kadm5_c_destroy did not use rk_closesocket when cleaning up
the context. This results in an exception on Windows since a
socket is not a file descriptor.
Change-Id: I9ebddad61f0199acb495a0773925df4f41e4fef2
In the previous implementation when .k5login or .k5login.d existed
and k5login_authoritative was false, no further plugins were tried.
Also when k5login_authoritative was true and .k5login did not match,
the directory was never tried.
mechanism credentials created by dynamically loaded mechanisms do not work
because the gm_mech_oid field is unset for such mechanisms (instead, only
gm_mech.gm_mech_oid is).
In order to support plugins for kadmin that use libkadm5srv, the
libkadm5clnt library has to be versioned to avoid hijacking all
of the function calls that should go to the server library. Omit
the _kadm5_ clients from the public interface, and version
everything else.
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
kx509 fails to create certs for principals with slashes in them. For
example:
client% kinit foo/admin
foo/admin@EXAMPLE.COM's Password:
client% kx509
Timed out waiting on KCA
The KCA reports: "Principal is not a user." However, there is a use
case set out in this post:
https://thestaticvoid.com/post/2012/10/25/protecting-puppet-with-kerberos/
that would create a kx509 cert for a host principal for authenticating
against a secure HTTP service. This commit modifies the certificate
creation code to allow principals with slashes in them.
The TGS was incorrectly using authtime to compute renew_till for new
tickets, which was in turn leading to endtime potentially being equal to
starttime, which caused the TGS to return KRB5KDC_ERR_NEVER_VALID.
This happens when the TGT renewal lifetime is longer than the max renew
lifetime of any other services, after that much time (target services'
max renew life) passes. The TGT is still good but TGS-REQs fail.
This makes it easier to install Heimdal and MIT kerberos on
the same system by just providing the heimdal-krb5.pc file;
the krb5.pc file is provided by both.
This is similar to what's done with heimdal-gssapi.pc/krb5-gssapi.pc.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
