Rename the "windc" plugin API to the more general "kdc" plugin API, for two
reasons: the Heimdal KDC uses the Windows PAC even when not emulating a domain
controller, and the plugin API has accreted methods that are not specific to
emulating a domain controller (such as referral_policy and finalize_reply).
Add support for GSS-API pre-authentication to the KDC, using a simplified
variation of draft-perez-krb-wg-gss-preauth-02 that encodes GSS-API context
tokens directly in PADATA, and uses FX-COOKIE for state management.
More information on the protocol and implementation may be found in
lib/gssapi/preauth/README.md.
We now fork(2) a number of separate KDC processes rather than a single
process. By default, the number is selected by asking how many CPUs
the machine has. We also have a master process which monitors all
of the children (which do the actual work) and it will restart kids
who die for any reason. The children will die when the parent dies.
In the case of MacOS X, we also move the bonjour code into another
separate child as it creates threads and this is known to play
rather poorly with fork(2). We could move this logic into a
designated child at some point in the future.
We slow down the spawning to one every 25ms to prevent instant crashes
and restarts from consuming all available system time. This approach
may want to be revisited in the future.
Use calloc instead of malloc when allocating data structures while
importing a dump in hprop. Fixes a crash in hprop when reading MIT
dump files due unintialized memory in the Salt data structure, plus
will be more robust against any future changes to the data model.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
kdc Allow a password change when the password is expired
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue. (In particular, in
case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw
Andrew Bartlett
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25294 ec53bebd-3082-4978-b11e-865c3cabbd6b
openssl's libcrypto or krb4's libdes that has all the required
functionality (md4, md5, sha1, des, rc4). if there is no such
library, the included lib/des is built.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@10519 ec53bebd-3082-4978-b11e-865c3cabbd6b
