This starts up the pkinit configuration and sets some default values,
and is needed in a seperate function so Samba4 can call it from it's
own KDC wrapper.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Some hdb modules (samba4) may change the case of the realm in
a returned result. Use that to determine if it matches the krbtgt
realm also returned from the DB (the DB will return it in the 'right' case)
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
If we don't do this, the PAC is given for the machine accout, not the
account being impersonated.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This allows us to resolve multiple forms of a name, allowing for
example machine$@REALM to get an S4U2Self ticket for
host/machine@REALM.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Once DLLs and EXEs are built, they need to have their manifests
processed and signed. These steps are encapsulated in the EXEPREP and
DLLPREP Makefile macros. Use them instead of invoking each processing
macro individually.
An MIT dump file may contain multiple key sets for one principal, with
different kvnos. The Heimdal database can only represent a single
kvno, and previously the kvno was set to the last key found in the entry
and all keys were added to the entry. Since kvnos are given from high
to low in the database dump, this would result in the principal getting
the kvno of the oldest key and all keys stored without regard for kvno.
Instead, ignore all keys with kvnos lower than the first kvno we see and
only store keys with a kvno matching it. If we see a key with a kvno
higher than the first kvno we see, exit with an error since that case is
not currently handled (and should not happen in a typical MIT database
dump).
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Use calloc instead of malloc when allocating data structures while
importing a dump in hprop. Fixes a crash in hprop when reading MIT
dump files due unintialized memory in the Salt data structure, plus
will be more robust against any future changes to the data model.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
If a Berkeley DB database is used as the underlying database, renaming
the database before closing it can produce error messages like the
following on close:
/var/lib/heimdal-kdc/heimdal~.db: unable to flush: No such file or directory
since the underlying database library caches the old file name. There
is a rename() method in the Berkeley DB API, but it also invalidates
the database handle and requires that it be reopened. Since the
hdb_rename implementation does not require that the database be open,
close the database before renaming it to avoid this problem.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Dump formats 5 and 6 differ from the supported version 4 dump format
only in that they include policy information for each principal in an
extension that the dump parsing code already knows how to ignore and
that they include policy lines. Ignore the policy information, since
there isn't a corresponding concept in Heimdal, and accept the new
dump format versions.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
If the MIT dump file includes a last password change date, allocate
a database extension structure to hold that information and include
it in the corresponding Heimdal database entry.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
hprop may be decrypting an old database encrypted with a DES master
key, in which case it shouldn't fail because DES is disabled by default.
This could permit weak enctypes to be used when authenticating to a
remote hpropd, although stronger enctypes are still preferred.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
* h-github/master: (64 commits)
refix socket wrappers with rk_
Patch from Secure Endpoints/Asanka Herath for windows support
unset KRB5CCNAME
its really just LIBADD more most of them
correct quoting
Use -lpthread for modern freebsd instead
clean KRB5CCNAME and KRB5_CONFIG, require test to reset them
more up ${env_setup}
use PTHREADS_LIBADD for freebsd6 and newer
add PTHREAD_LIBADD
add PTHREAD_LIBADD
add PTHREAD_LIBADD
switch to PTHREADS_LIBADD
log what the error string say too
More debug logging
sprinkle more 'echo "test failed"'
sprinkle 'echo "test failed"'
use calloc(), indent more prettier
in sh, equal compare is really = for strings, not ==
Check for duplicates, already loaded mechs
...
Conflicts (resolved):
lib/krb5/auth_context.c
lib/krb5/changepw.c
lib/krb5/context.c
lib/krb5/error_string.c
lib/krb5/kuserok.c
lib/krb5/libkrb5-exports.def.in
lib/krb5/net_write.c
lib/krb5/store_fd.c
lib/krb5/test_cc.c
lib/roken/strerror_r.c
