From rt-comment at krbdev.mit.edu Thu Aug 6 16:51:22 2009 From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT) Date: Thu, 6 Aug 2009 20:51:22 +0000 (UTC) Subject: [krbdev.mit.edu #6314] python configuration In-Reply-To: Message-ID: [raeburn - Mon Jan 5 13:29:22 2009]: > The Python-based sample service-location plugin was hard-coded to use > Python 2.3, and now handles 2.5 as well. It should instead look for > the python-config program, and use whatever is installed, with the > appropriate compilation and linker options for that version. I have been thinking about this... python-config did not exist in 2.3 - however, python-config gets it's info from the distutils module. How would you feel if we do some inline python groveling in configure... The autoconf macro library has some macros that do this - but I do not believe they are totally correct... Ezra From rt-comment at krbdev.mit.edu Mon Aug 10 15:12:49 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Mon, 10 Aug 2009 19:12:49 +0000 (UTC) Subject: [krbdev.mit.edu #6542] SVN Commit In-Reply-To: Message-ID: When processing DNS names or MS UPNs in pkinit certs, disallow embedded null characters. http://src.mit.edu/fisheye/changelog/krb5/?cs=22516 Commit By: ghudson Revision: 22516 Changed Files: U trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c From rt-comment at krbdev.mit.edu Wed Aug 12 14:13:28 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Wed, 12 Aug 2009 18:13:28 +0000 (UTC) Subject: [krbdev.mit.edu #5668] DAL changes break --with-kdc-kdb-update build In-Reply-To: Message-ID: I just checked in revision 22518 on the trunk which makes most of the relevant code get compiled all the time, so we shouldn't see this problem resurface, and I think I've fixed up the necessary changes in function calls. If you're willing to try it out, please let me know of any problems. The code is still only enabled with a configure-time option, which we probably want to change someday. From rt-comment at krbdev.mit.edu Wed Aug 12 14:53:48 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Wed, 12 Aug 2009 18:53:48 +0000 (UTC) Subject: [krbdev.mit.edu #6543] SVN Commit In-Reply-To: Message-ID: user() was replying to the user command and then calling login(), which could send a continuation reply if it fails to chdir to the user's homedir. Continuation replies must come before the actual reply; the mis-ordering was causing ftp and ftpd to deadlock. To fix the bug, invoke login() before reply() so that the continuation reply comes first. http://src.mit.edu/fisheye/changelog/krb5/?cs=22519 Commit By: ghudson Revision: 22519 Changed Files: U trunk/src/appl/gssftp/ftpd/ftpd.c From rt-comment at krbdev.mit.edu Thu Aug 13 17:25:55 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Thu, 13 Aug 2009 21:25:55 +0000 (UTC) Subject: [krbdev.mit.edu #6544] SVN Commit In-Reply-To: Message-ID: The kadmin v1 API and the even older ovsec_kadm_* API were legacy when kadmin was first incorporated in 1996, and compatibility with them is no longer believed to be necessary. The uninstalled kadmin/passwd has been removed (since it used the ovsec API). The test suite has been updated to use the v2 API where appropriate, and the parts specifically designed to test the old API have been excised. http://src.mit.edu/fisheye/changelog/krb5/?cs=22521 Commit By: ghudson Revision: 22521 Changed Files: U trunk/src/config/pre.in U trunk/src/configure.in U trunk/src/kadmin/Makefile.in D trunk/src/kadmin/passwd/ U trunk/src/kadmin/server/Makefile.in U trunk/src/kadmin/server/misc.h U trunk/src/kadmin/server/ovsec_kadmd.c D trunk/src/kadmin/server/server_glue_v1.c U trunk/src/kadmin/server/server_stubs.c U trunk/src/kadmin/testing/scripts/env-setup.shin U trunk/src/kadmin/testing/scripts/init_db U trunk/src/kadmin/testing/scripts/make-host-keytab.plin U trunk/src/kadmin/testing/scripts/start_servers_local U trunk/src/kadmin/testing/util/Makefile.in U trunk/src/kadmin/testing/util/deps U trunk/src/kadmin/testing/util/tcl_kadm5.c U trunk/src/kadmin/testing/util/tcl_kadm5.h A trunk/src/kadmin/testing/util/tcl_kadm5_syntax D trunk/src/kadmin/testing/util/tcl_ovsec_kadm.c D trunk/src/kadmin/testing/util/tcl_ovsec_kadm_syntax U trunk/src/kadmin/testing/util/test.c U trunk/src/lib/kadm5/Makefile.in U trunk/src/lib/kadm5/admin.h U trunk/src/lib/kadm5/admin_internal.h U trunk/src/lib/kadm5/chpass_util_strings.et U trunk/src/lib/kadm5/clnt/client_init.c U trunk/src/lib/kadm5/clnt/client_principal.c U trunk/src/lib/kadm5/clnt/clnt_policy.c U trunk/src/lib/kadm5/clnt/libkadm5clnt.exports U trunk/src/lib/kadm5/kadm_rpc_xdr.c U trunk/src/lib/kadm5/misc_free.c D trunk/src/lib/kadm5/ovsec_glue.c U trunk/src/lib/kadm5/srv/libkadm5srv.exports U trunk/src/lib/kadm5/srv/server_init.c U trunk/src/lib/kadm5/srv/svr_misc_free.c U trunk/src/lib/kadm5/srv/svr_policy.c U trunk/src/lib/kadm5/srv/svr_principal.c U trunk/src/lib/kadm5/unit-test/Makefile.in D trunk/src/lib/kadm5/unit-test/README.new-tests D trunk/src/lib/kadm5/unit-test/api.0/ D trunk/src/lib/kadm5/unit-test/api.1/lock.exp U trunk/src/lib/kadm5/unit-test/config/unix.exp U trunk/src/lib/kadm5/unit-test/destroy-test.c U trunk/src/lib/kadm5/unit-test/handle-test.c U trunk/src/lib/kadm5/unit-test/init-test.c U trunk/src/lib/kadm5/unit-test/iter-test.c U trunk/src/lib/kadm5/unit-test/lib/lib.t U trunk/src/lib/kadm5/unit-test/lock-test.c U trunk/src/lib/kadm5/unit-test/randkey-test.c U trunk/src/lib/kadm5/unit-test/site.exp U trunk/src/lib/rpc/unit-test/lib/helpers.exp U trunk/src/lib/rpc/unit-test/rpc_test_setup.sh From rt-comment at krbdev.mit.edu Thu Aug 13 17:41:02 2009 From: rt-comment at krbdev.mit.edu (mkraai@beckman.com via RT) Date: Thu, 13 Aug 2009 21:41:02 +0000 (UTC) Subject: [krbdev.mit.edu #6545] Fails to compile on QNX 6.4.1 In-Reply-To: Message-ID: Howdy, When I try to compile krb5 1.7 on a QNX 6.4.1 machine, it fails. There are a number of problems: * krb5 tries to include sys/errno.h, which doesn't exist, instead of errno.h, which does. * QNX does not define CERASE, etc. * The utmp structure doesn't have a ut_host member and the utmpx structure isn't declared. * krb5 doesn't know how to build shared libraries on QNX. * Some networking functions are provided by libsocket but applications which use them don't link against it. The attached patch fixes these issues. Matt The server made the following annotations --------------------------------------------------------------------------------- This message contains information that may be privileged or confidential and is the property of Beckman Coulter, Inc. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. --------------------------------------------------------------------------------- From rt-comment at krbdev.mit.edu Fri Aug 14 12:24:38 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Fri, 14 Aug 2009 16:24:38 +0000 (UTC) Subject: [krbdev.mit.edu #5468] SVN Commit In-Reply-To: Message-ID: In doc/Makefile, specify the new location of the kpasswd man page (the old one was removed in r22521. http://src.mit.edu/fisheye/changelog/krb5/?cs=22522 Commit By: ghudson Revision: 22522 Changed Files: U trunk/doc/Makefile From rt-comment at krbdev.mit.edu Mon Aug 17 10:39:46 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Mon, 17 Aug 2009 14:39:46 +0000 (UTC) Subject: [krbdev.mit.edu #5468] SVN Commit In-Reply-To: Message-ID: Remove unused variables resulting from r22521, and also remove the unused file svr_misc_free.c. http://src.mit.edu/fisheye/changelog/krb5/?cs=22523 Commit By: ghudson Revision: 22523 Changed Files: U trunk/src/kadmin/server/server_stubs.c U trunk/src/lib/kadm5/misc_free.c D trunk/src/lib/kadm5/srv/svr_misc_free.c U trunk/src/lib/kadm5/srv/svr_principal.c From rt-comment at krbdev.mit.edu Mon Aug 17 11:19:19 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Mon, 17 Aug 2009 15:19:19 +0000 (UTC) Subject: [krbdev.mit.edu #6546] KDB should use enctype of stashed master key In-Reply-To: Message-ID: Suppose you create a KDB with a non-default master key enctype: kdb5_util -k rc4-hmac create -s Now you have a K/M entry with the specified enctype, and a stash keytab containing a nicely tagged key of the specified enctype. However, if you try to access the KDB, you will get: kadmin.local: No matching key in entry while initializing kadmin.local interface So the code is specifically looking for a key of the expected master key enctype (either the one specified in the profile's master_key_type or the default) instead of using what it can find in the stash file. This is a big problem if we ever want to change the master key type between releases (which we do, since the default is currently triple DES). Databases created with the old master key type will stop working unless the admin adds a master_key_type setting to kdc.conf, which is not a friendly experience. From rt-comment at krbdev.mit.edu Mon Aug 17 12:41:00 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Mon, 17 Aug 2009 16:41:00 +0000 (UTC) Subject: [krbdev.mit.edu #6546] KDB should use enctype of stashed master key In-Reply-To: Message-ID: While the title of this ticket suggests using the enctype of the stashed master key, another approach would be trying the enctypes of the keys in K/M db entries. The latter approach is perhaps more interesting because it would also work for typed passwords. From rt-comment at krbdev.mit.edu Mon Aug 17 15:40:50 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Mon, 17 Aug 2009 19:40:50 +0000 (UTC) Subject: [krbdev.mit.edu #6547] SVN Commit In-Reply-To: Message-ID: Add krb5_context parameters to all kadm5 initialization functions. This allows extended error information to be retrieved by the caller when an error is returned. http://src.mit.edu/fisheye/changelog/krb5/?cs=22527 Commit By: ghudson Revision: 22527 Changed Files: U trunk/src/kadmin/cli/kadmin.c U trunk/src/kadmin/dbutil/kadm5_create.c U trunk/src/kadmin/server/ovsec_kadmd.c U trunk/src/kadmin/testing/util/tcl_kadm5.c U trunk/src/lib/kadm5/admin.h U trunk/src/lib/kadm5/clnt/client_init.c U trunk/src/lib/kadm5/srv/server_init.c U trunk/src/lib/kadm5/unit-test/destroy-test.c U trunk/src/lib/kadm5/unit-test/handle-test.c U trunk/src/lib/kadm5/unit-test/init-test.c U trunk/src/lib/kadm5/unit-test/iter-test.c U trunk/src/lib/kadm5/unit-test/randkey-test.c U trunk/src/lib/kadm5/unit-test/setkey-test.c U trunk/src/slave/kpropd.c From rt-comment at krbdev.mit.edu Mon Aug 17 16:07:22 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Mon, 17 Aug 2009 20:07:22 +0000 (UTC) Subject: [krbdev.mit.edu #6547] SVN Commit In-Reply-To: Message-ID: Bump sonames of libkadm5 libraries, since r22527 changed their ABIs. http://src.mit.edu/fisheye/changelog/krb5/?cs=22528 Commit By: ghudson Revision: 22528 Changed Files: U trunk/src/lib/kadm5/clnt/Makefile.in U trunk/src/lib/kadm5/srv/Makefile.in From rt-comment at krbdev.mit.edu Wed Aug 19 18:56:35 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Wed, 19 Aug 2009 22:56:35 +0000 (UTC) Subject: [krbdev.mit.edu #6548] strptime() doesn't like being touched that way by krb5_ldap_get_time In-Reply-To: Message-ID: I noticed this problem on Mac OS X, but we probably want to fix it in the general case for portability reasons. getepochtime(), called by krb5_ldap_get_time(), passes a format string of "%Y%m%d%H%M%SZ" to strptime(), causing a a return of EINVAL on Mac OS X when any KDC programs attempt to fetch the master key list when using an LDAP back end. According to POSIX / SUS, the application must provide nonalphanumeric separators between format specifiers in the format string of strptime(). Experimentation with a test program implies that the "%Y" format specifier to strptime() tries to eat as many digits as it can, which is about ten. This happens to be the number of decimal digits required to represent a 32-bit integer... From rt-comment at krbdev.mit.edu Wed Aug 19 23:08:27 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Thu, 20 Aug 2009 03:08:27 +0000 (UTC) Subject: [krbdev.mit.edu #6548] strptime() doesn't like being touched that way by krb5_ldap_get_time In-Reply-To: Message-ID: On Aug 19, 2009, at 18:56, Tom Yu via RT wrote: > I noticed this problem on Mac OS X, but we probably want to fix it in > the general case for portability reasons. > > getepochtime(), called by krb5_ldap_get_time(), passes a format string > of "%Y%m%d%H%M%SZ" to strptime(), causing a a return of EINVAL on Mac > OS X when any KDC programs attempt to fetch the master key list when > using an LDAP back end. According to POSIX / SUS, the application > must provide nonalphanumeric separators between format specifiers in > the format string of strptime(). I think we might see similar problems in krb5_string_to_timestamp, too. Currently it ignores conversion errors (assumes that the pattern tried wasn't applicable so the next pattern should be tried). The t_kerb test program can exercise krb5_string_to_timestamp, but we don't currently have it do so. Ken From rt-comment at krbdev.mit.edu Tue Aug 25 14:43:50 2009 From: rt-comment at krbdev.mit.edu (Chris via RT) Date: Tue, 25 Aug 2009 18:43:50 +0000 (UTC) Subject: [krbdev.mit.edu #6549] Documentation typo for auth_to_local In-Reply-To: Message-ID: There seems to be a typo in the example given for auth_to_local in the admin guide. The example there contains a regex that will never match based on the rewrite. RULE:[2:$2](^.*;root)s/^.*$/root/ This was probably meant to be RULE:[2:$2](^.*root)s/^.*$/root/ I think one semicolon may have got lose, and snuck in from the example directly above: RULE:[2:$1;$2](^.*;admin$)s/;admin$// From rt-comment at krbdev.mit.edu Tue Aug 25 16:32:04 2009 From: rt-comment at krbdev.mit.edu (william.fiveash@sun.com via RT) Date: Tue, 25 Aug 2009 20:32:04 +0000 (UTC) Subject: [krbdev.mit.edu #6550] old_stash_bendian is a keytab In-Reply-To: Message-ID: In tests/mkeystash_compat the file, old_stash_bendian, is supposed to be an old format mkey stash file generated on a big endian system. It is actually a keytab format file which does not provide backwards compatibility testing when the mkeystash_compat test is run on a big endian system. From rt-comment at krbdev.mit.edu Wed Aug 26 14:54:27 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Wed, 26 Aug 2009 18:54:27 +0000 (UTC) Subject: [krbdev.mit.edu #6534] getaddrinfo in src/util/support/fake-addrinfo.c causes leak In-Reply-To: Message-ID: Thanks for the report and proposed fix. I have an idea for fixing the problem more robustly. I don't have any better ideas than yours on how to detect whether we need the workaround, but when we do apply the workaround, we shouldn't need to make assumptions about whether the system getaddrinfo() allocated ai_canonname or not. What we should do instead is: 1. Store the system getaddrinfo result in a temporary. 2. Construct our own copy of the result, allocated with our own code, containing the modified ai_canonname fields. 3. Free the system getaddrinfo result with the system freeaddrinfo. 4. When our freeaddrinfo wrapper is called, use our own code to free the addrinfo structure, which we know was constructed with our own code. I will likely apply your patch in addition so that we aren't doing unnecessary extra work on modern Linux systems. From rt-comment at krbdev.mit.edu Thu Aug 27 09:40:52 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Thu, 27 Aug 2009 13:40:52 +0000 (UTC) Subject: [krbdev.mit.edu #6551] SVN Commit In-Reply-To: Message-ID: If the underlying mechanism's accept_sec_context returns an error, the spnego accept_sec_context was leaving allocated data in *context_handle, which is incorrect for the first call according to RFC 2744. Fix this by mirroring some code from the spnego init_sec_context, which always cleans up the half-constructed context in case of error. This is allowed (though not encouraged) by RFC 2744 for second and subsequent calls; since we were already doing it in init_sec_context, it seems simpler to do that than keep track of whether this is a first call or not. http://src.mit.edu/fisheye/changelog/krb5/?cs=22636 Commit By: ghudson Revision: 22636 Changed Files: U trunk/src/lib/gssapi/spnego/spnego_mech.c From rt-comment at krbdev.mit.edu Fri Aug 28 11:14:31 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Fri, 28 Aug 2009 15:14:31 +0000 (UTC) Subject: [krbdev.mit.edu #6534] getaddrinfo in src/util/support/fake-addrinfo.c causes leak In-Reply-To: Message-ID: I started trying to implement my idea and decided it was too much work, with too much potential for bugginess, for a piece of code which is only going to work around old buggy glibc versions. So I'm just going to take your patch and adjust the comments a bit. Thanks again. From rt-comment at krbdev.mit.edu Fri Aug 28 11:56:02 2009 From: rt-comment at krbdev.mit.edu (rweikusat@mssgmbh.com via RT) Date: Fri, 28 Aug 2009 15:56:02 +0000 (UTC) Subject: [krbdev.mit.edu #6534] getaddrinfo in src/util/support/fake-addrinfo.c causes leak In-Reply-To: Message-ID: "Greg Hudson via RT" writes: > I started trying to implement my idea and decided it was too much work, > with too much potential for bugginess, for a piece of code which is only > going to work around old buggy glibc versions. So I'm just going to > take your patch and adjust the comments a bit. Thanks again. I am not quite sure if replying to this is the polite or the impolite action, but 'I am always happy if can do something more universally useful than just adapting code written by others for proprietary applications'. From rt-comment at krbdev.mit.edu Fri Aug 28 12:00:55 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Fri, 28 Aug 2009 16:00:55 +0000 (UTC) Subject: [krbdev.mit.edu #6534] SVN Commit In-Reply-To: Message-ID: Disable the COPY_FIRST_CANONNAME workaround on Linux glibc 2.4 and later, since it leaks memory on fixed glibc versions. We will still leak memory on glibc 2.3.4 through 2.3.6 (e.g. RHEL 4) but that's harder to detect. http://src.mit.edu/fisheye/changelog/krb5/?cs=22643 Commit By: ghudson Revision: 22643 Changed Files: U trunk/src/util/support/fake-addrinfo.c From rt-comment at krbdev.mit.edu Fri Aug 28 13:23:21 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Fri, 28 Aug 2009 17:23:21 +0000 (UTC) Subject: [krbdev.mit.edu #6552] SVN Commit In-Reply-To: Message-ID: kinit -C (canonicalize name) and -E (enterprise principal name) weren't documented in the man page. http://src.mit.edu/fisheye/changelog/krb5/?cs=22644 Commit By: ghudson Revision: 22644 Changed Files: U trunk/src/clients/kinit/kinit.M From rt-comment at krbdev.mit.edu Fri Aug 28 16:29:25 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Fri, 28 Aug 2009 20:29:25 +0000 (UTC) Subject: [krbdev.mit.edu #5468] SVN Commit In-Reply-To: Message-ID: Remove bogus conditional from tcl_kadm5_randkey_principal(), which was causing unparse_keyblocks() to get stack garbage as num_keys when num_var was "null", thus overrunning the end of the array. http://src.mit.edu/fisheye/changelog/krb5/?cs=22645 Commit By: tlyu Revision: 22645 Changed Files: U trunk/src/kadmin/testing/util/tcl_kadm5.c From rt-comment at krbdev.mit.edu Fri Aug 28 17:02:52 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Fri, 28 Aug 2009 21:02:52 +0000 (UTC) Subject: [krbdev.mit.edu #5468] SVN Commit In-Reply-To: Message-ID: Update a kadm5 testing library function which was calling kadm5_get_principal without a mask argment. This was causing many lib/kadm5 tests to fail, but the failures weren't being recorded properly, so "make check" was still exiting successfully. http://src.mit.edu/fisheye/changelog/krb5/?cs=22646 Commit By: ghudson Revision: 22646 Changed Files: U trunk/src/lib/kadm5/unit-test/lib/lib.t From rt-comment at krbdev.mit.edu Fri Aug 28 17:36:30 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Fri, 28 Aug 2009 21:36:30 +0000 (UTC) Subject: [krbdev.mit.edu #6553] SVN Commit In-Reply-To: Message-ID: Use "perror" instead of "error" to ensure that framework error conditions actually cause "make check" to report failure. http://src.mit.edu/fisheye/changelog/krb5/?cs=22648 Commit By: tlyu Revision: 22648 Changed Files: U trunk/src/lib/kadm5/unit-test/config/unix.exp U trunk/src/lib/kadm5/unit-test/lib/lib.t