[krbdev.mit.edu #5703] SVN Commit

Jeffrey Altman via RT rt-comment at krbdev.mit.edu
Wed Aug 29 18:38:37 EDT 2007


NIM supports the ability of the user to specify an
explicit ccache name for use with an identity.  If
this ccache is a FILE ccache, we need to be able to 
store credentials into the ccache.  krb5cred.dll 
did not previously specify the KRB5_TC_OPENCLOSE flag
on the ccache when setting other flags such as 
KRB5_TC_NOTICKET (which is used with MSLSA ccaches).
As a result, open/close mode was turned off, the 
ccache file would be opened in read-only mode and 
attempts to store credentials into the ccache would
fail.  This is fixed by specifying KRB5_TC_OPENCLOSE
when setting the ccache flags.

When a CCAPI implementation is unavailable, we need
to automatically generate the FILE ccache name if 
one has not already been specified.  We default to
a file stored in the user's Local Settings\Temp 
directory.  The generated ccache is then added to
the file ccache watch list.

Finally, some users have complained about the 
behavior of Microsoft Vista's UAC mode and how
it makes the CCAPI cache useless for storing
credentials that must be used in conjunction 
with processes that do not have restricted 
privileges since those processes run in a 
separate logon session.  For these users we 
have added a "DefaultToFileCache" registry 
value that can be specified to force the use
of FILE ccaches in preference to CCAPI ccaches
when there is no explicit ccache specified 
for a given identity.  Unlike CCAPI ccaches,
the FILE ccaches are accessible from both 
restricted and unrestricted processes when
UAC is active.

Commit By: jaltman

Revision: 19897
Changed Files:
U   trunk/src/windows/identity/plugins/krb5/krb5configid.c
U   trunk/src/windows/identity/plugins/krb5/krb5funcs.c
U   trunk/src/windows/identity/plugins/krb5/krb5newcreds.c
U   trunk/src/windows/identity/plugins/krb5/krbconfig.csv
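The open/close-mode interaction the commit message describes, as an added illustration that is not code from krb5cred.dll or libkrb5: a simplified C model of the FILE ccache behaviour in which clearing KRB5_TC_OPENCLOSE keeps the cache file open read-only, so a later store fails, while passing KRB5_TC_OPENCLOSE together with KRB5_TC_NOTICKET lets the store reopen the file read-write. The flag values match krb5.h; the struct, the helper names and the temp-file path are assumptions of this example.

```c
/* Simplified model of the FILE ccache semantics behind this bug (added
 * example, not krb5cred.dll or libkrb5 code). Flag values match krb5.h;
 * the struct and helpers are stand-ins for the real cc_file.c ones. */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define KRB5_TC_OPENCLOSE 0x00000001
#define KRB5_TC_NOTICKET  0x00000002
struct fcc { char path[32]; int fd; unsigned flags; };
/* Clearing OPENCLOSE means "keep the file open": it is opened read-only
 * right here and held. Setting OPENCLOSE releases any held descriptor. */
static void fcc_set_flags(struct fcc *cc, unsigned flags) {
    if (flags & KRB5_TC_OPENCLOSE) {
        if (cc->fd >= 0) { close(cc->fd); cc->fd = -1; }
    } else if (cc->fd < 0) {
        cc->fd = open(cc->path, O_RDONLY);
    }
    cc->flags = flags;
}
/* Store one record: in open/close mode the file is reopened read-write for
 * the operation; otherwise the held (read-only) descriptor is written to. */
static int fcc_store(struct fcc *cc, const char *rec) {
    int fd = cc->fd, rc;
    if (cc->flags & KRB5_TC_OPENCLOSE)
        fd = open(cc->path, O_WRONLY | O_APPEND);
    if (fd < 0) return -1;
    rc = write(fd, rec, strlen(rec)) == (ssize_t)strlen(rec) ? 0 : -1;
    if (cc->flags & KRB5_TC_OPENCLOSE) close(fd);
    return rc;
}
/* Apply a flag set the way the plugin does, then attempt a store on a fresh
 * temp cache. Returns 0 on success, -1 if the store failed.
 * KRB5_TC_NOTICKET alone -> -1 (the pre-fix behaviour);
 * KRB5_TC_OPENCLOSE | KRB5_TC_NOTICKET -> 0 (the fixed behaviour). */
int try_store_with_flags(unsigned flags) {
    struct fcc cc = { "/tmp/krb5cc_demoXXXXXX", -1, KRB5_TC_OPENCLOSE };
    int fd = mkstemp(cc.path), rc;           /* constructed sample cache */
    if (fd < 0) return -1;
    close(fd);
    fcc_set_flags(&cc, flags);
    rc = fcc_store(&cc, "constructed-credential-record\n");
    if (cc.fd >= 0) close(cc.fd);
    unlink(cc.path);
    return rc;
}
```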
