Anonymous PKINIT tickets discard the realm information used to locate the
issuing AS. Store the issuing realm in the credentials cache in order to locate
a KDC which can renew them.
even if tgt used an enctype with a different checksum.
Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always
HMAC_MD5, and that's what Windows and MIT clients send.
In heimdal both the client and kdc use instead the
checksum of the tgt, and therefore work with each other
but windows and MIT clients fail against heimdal KDC.
Both Windows and MIT KDC would allow any keyed checksum
to be used so Heimdal client work fine against it.
Change Heimdal KDC to allow HMAC_MD5 even for non RC4
based tgt in order to support per-spec clients.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
windc doesn't link against libkdc, so it doesn't need to check its instance;
however, we will continue to export kdc_get_instance() from libkdc in case
other windc plugins do link against it.
Implement the GSS-API credential store API extensions defined by MIT here:
https://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions
Note: we kill off gss_acquire_cred_ext() here. This was never a public API,
although mechanisms could have implemented it and I briefly used it in my
BrowserID prototype mechanism. gss_acquire_cred_ext_from() occupies the place
in the dispatch table where gss_acquire_cred_ext() used to, but this structure
was never visible outside Heimdal (i.e. it is only used by internal
mechanisms);
(Mechanisms that need to accept arbitrary key/value dictionaries from
applications should now implement gss_acquire_cred_from().)
- Add --keepold/keepallold/pruneall options to various kadmin/ktutil
commands. Default behavior to "prune old keys".
- When setting keys for a service, we need to specify enctypes for it:
- Always use kadm5_randkey_principal_3() instead of the older
kadm5_randkey_principal().
- Add krb5_string_to_keysalts2(), like MIT's krb5_string_to_keysalts(),
but with a context, and simpler.
- Add --enctypes options to various kadmin/ktutil commands.
- Add [libdefaults] supported_enctypes param with enctype[:salttype]
list.
- Add [realms] realm supported_enctypes param with enctype[:salttype]
list.
Default to aes128-cts-hmac-sha1-96:normal.
We start slapd in the foreground (-d0) but backgrounded in the shell,
then we wait 4 seconds. This causes a race condition however. This
commit makes the slapd-init script more robust and limits the wait to
however many seconds (up to 30) that slapd needs to start service.
The meaning of the two is different and we should
not implicitly set both if one was requested (this
aligns the logic with MIT kinit -C/-E options).
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
This patch adds the "enforce_on_admin_set" configuration knob in the
[password_quality] section. When this is enabled, administrative password
changes via the kadmin or kpasswd protocols will be subject to password quality
checks. (An administrative password change is one where the authenticating
principal is different to the principal whose password is being changed.)
Note that kadmin running in local mode (-l) is unaffected by this patch.
From a suggestion by nicowilliams, put double quotes aroung the varaible
$foopassword in case the password contains whitespace or other special
characters.
When we use a custom patch that makes strong passwords required even for
administrators the check-kadmin test will fail because "foo" (the password
used in check-kadmin.in) is not a strong password. So, we make the
password used in check-kadmin.in settable as a parameter. This way, we
only have to change one line of check-kadmin.in rather than a dozen to get
check-kadmin to pass when using the strong-passwords everywhere patch.
Note that this change makes no real change to any of the tests in
check-kadmin.in: no tests are changed, removed, or added.
Solaris make won't allow @echo in a shell command string as there is no
command called @echo, and it passes the whole shell command to the shell
without poaching off the @ itself first
Though a race was never observed, the re-sync, slave DB deletion,
master changes and restart did not take into account late changes
in the master before slave down.
Creation of a random key HDB entry takes 3 updates, not one. Instead of
hard-coding this magic count, wait for the appearance of the expected
entry with no "invalid" flag among its attributes.
Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets. This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
The output of `wc -l` includes leading white-space, and at least
in FreeBSD 11, `expr 1 + "$foo"` fails when "$foo" (captured as
`wc -l` output) has leading whitespace. Instead, just emit one
more line for "wc" to count.
Apparmor on Ubuntu prevents slapd from using the Unix domain socket we
want it to. The fix is to copy the slapd executable into the objdir,
which disables the apparmor profile for slapd.
Also, make sure the ldapi: URI has the right path for the socket in
krb5.conf.
This fixes the following problems from #210:
- hdb_ldap doesn't load even when installed correctly
- loadable hdb backends not listed by kdc --builtin-hdb
Not fixed:
- hdb_ldap.so not installed in plugin dir
This is part of the fix to #173. MSFT RODCs insist on the name type for
krbtgt principals be set to KRB5_NT_SRV_INST.
Commentary from Jeffrey Altman <jaltman@secure-endpoints.com>
As reported by David Mulder of Dell's Quest, Active Directory will
return a BAD_INTEGRITY error when a request for a krbtgt service
ticket is received with principal type NT-PRINCIPAL instead of NT-SRV-INST
as required by RFC 4120.
[Nico: RFC4120 does not require this. See the description of the
name-type field of PrincipalName on page 55.]
ERROR: VAS_ERR_KRB5: Failed to obtain credentials.
Client: SLED10-32$@F.QAS,
Service: SLED10-32$@F.QAS, Server: ad2-f.f.qas
Caused by: KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353): Decrypt integrity check failed
Microsoft began enforcing principal type checking for RODCs in 2008R2.
Microsoft does state that ALL krgtgt/REALM tickets SHOULD be sent using
principal name type of KRB5_NT_SRV_INST instead of KRB5_NT_PRINCIPAL.
From Microsoft:
"I believe we discovered the problem. There isn't a bug in Windows.
There's been a code change to address another issue which puts in additional
checks for Kerberos tickets. The problem is with the Unix clients when the
client request a TGT. The Unix clients are using Name-type Principal
[KRB_NT_PRINCIPAL (1)] instead of using Name-type Service and Instance
[KRB_NT_SRV_INST (2)]...."
This change assigns the NT-SRV-INST principal type each time a krbtgt
service principal is created. Unlike Microsoft, the Heimdal mostly does
not care about the name-type of any principals, with the exception of
referrals, where the name type is needed to decide how to find a
next-hop realm.
