From rt-comment at krbdev.mit.edu Mon Jul 1 20:20:47 2024
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 01 Jul 2024 20:20:47 -0400
Subject: [krbdev.mit.edu #9131] git commit
References:
Message-ID:

Mon Jul 01 20:20:47 2024: Request 9131 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson at mit.edu
Requestors:
Status: new
Ticket

Adjust removed cred detection in FILE ccache

In the FILE ccache, consider a cred to be removed if it has endtime 0
and authtime non-zero, instead of specifically authtime -1. This
change will let us filter out normal credentials deleted by Heimdal,
although not synthetic credentials such as config entries.

https://github.com/krb5/krb5/commit/4c0838bb4c232866b95c9f2f72a55bf77cfc1308
Author: Greg Hudson
Commit: 4c0838bb4c232866b95c9f2f72a55bf77cfc1308
Branch: master
 src/lib/krb5/ccache/cc_file.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

From rt-comment at krbdev.mit.edu Mon Jul 1 21:29:53 2024
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 01 Jul 2024 21:29:53 -0400
Subject: [krbdev.mit.edu #9132] git commit
References:
Message-ID:

Mon Jul 01 21:29:53 2024: Request 9132 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson at mit.edu
Requestors:
Status: new
Ticket

Change krb5_get_credentials() endtime behavior

Historically, krb5_get_credentials() uses in_creds->times.endtime both
as the TGS request endtime and as a cache lookup criterion. These uses
are in conflict; setting a TGS request endtime can only serve to limit
the maximum lifetime of the issued ticket, while a cache lookup endtime
restricts the minimum lifetime of an acceptable cached ticket. The
likely outcome is to never use a cached ticket, leading to poor
performance as we add an entry to the cache for each request.

Change to the Heimdal behavior of using in_creds->times.endtime only as
the TGS request endtime.

https://github.com/krb5/krb5/commit/e68890329f8ab766f9b746351b5c7d2d18d8dd48
Author: Greg Hudson
Commit: e68890329f8ab766f9b746351b5c7d2d18d8dd48
Branch: master
 src/include/krb5/krb5.hin | 8 ++++----
 src/lib/krb5/krb/get_creds.c | 13 +++++--------
 2 files changed, 9 insertions(+), 12 deletions(-)

From rt at krbdev.mit.edu Mon Jul 22 17:09:57 2024
From: rt at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 22 Jul 2024 17:09:57 -0400
Subject: [krbdev.mit.edu #9130] git commit
References:
Message-ID:

Make krb5_get_default_config_files() public

Add krb5_get_default_config_files() to the public API; it was already
in the library export list and the DLL export list. Also add
krb5_free_config_files().

https://github.com/krb5/krb5/commit/8e60fc5600d1771769dc9cabd282f0d533b4c524
Author: Greg Hudson
Commit: 8e60fc5600d1771769dc9cabd282f0d533b4c524
Branch: master
 doc/appdev/refs/api/index.rst | 2 ++
 src/include/k5-int.h | 4 ----
 src/include/krb5/krb5.hin | 27 +++++++++++++++++++++++++++
 3 files changed, 29 insertions(+), 4 deletions(-)

From rt-comment at krbdev.mit.edu Mon Jul 22 17:25:42 2024
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 22 Jul 2024 17:25:42 -0400
Subject: [krbdev.mit.edu #9133] git commit
References:
Message-ID:

Mon Jul 22 17:25:41 2024: Request 9133 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson at mit.edu
Requestors:
Status: new
Ticket

Add acceptor-side IAKERB realm discovery

draft-ietf-kitten-iakerb-03 section 3.1 specifies a way for the
initiator to query the acceptor's realm. Implement this facility in
the IAKERB acceptor.

https://github.com/krb5/krb5/commit/6e20892369a9fafa09294529fb4d331e4fcbb97a
Author: Greg Hudson
Commit: 6e20892369a9fafa09294529fb4d331e4fcbb97a
Branch: master
 .gitignore | 1 +
 src/lib/gssapi/krb5/iakerb.c | 66 +++++++++++++++++++++++++++++----
 src/tests/gssapi/Makefile.in | 32 ++++++++--------
 src/tests/gssapi/t_gssapi.py | 2 +
 src/tests/gssapi/t_iakerb.c | 88 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 167 insertions(+), 22 deletions(-)

From rt-comment at kerborg-prod-app-1.mit.edu Wed Jul 31 19:57:37 2024
From: rt-comment at kerborg-prod-app-1.mit.edu (dmitry.dubinsky@barclays.com via RT)
Date: Wed, 31 Jul 2024 19:57:37 -0400
Subject: [krbdev.mit.edu #9134] Documentation__krb5.conf
In-Reply-To:
References:
Message-ID:

Wed Jul 31 19:57:37 2024: Request 9134 was acted upon.
Transaction: Ticket created by dmitry.dubinsky at barclays.com
Queue: krb5
Subject: Documentation__krb5.conf
Owner: Nobody
Requestors: dmitry.dubinsky at barclays.com
Status: new
Ticket

Hello,

Description of "dns_lookup_realm" is not listed under section
[libdefaults]. However, examples do provide that relation.
Is it possible to include in your documentation?

Thanks,
Dmitry
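
Added example, not part of the archived messages or of the krb5 source: a simplified C model of the conflict described in the #9132 commit message, where in_creds->times.endtime served both as the TGS request endtime and as a cache lookup criterion. The names kdc_issue, match_old, match_new and simulate, the 60-second request spacing and the expiry check in match_new are assumptions made for the illustration.

```c
#include <stdio.h>
typedef long ts_t;            /* seconds; stand-in for krb5_timestamp */
#define MAX_CACHE 16
static ts_t cache[MAX_CACHE]; /* endtimes of cached tickets (model ccache) */
static int ncache;

/* Model KDC: a requested endtime can only cap the issued lifetime. */
static ts_t kdc_issue(ts_t now, ts_t req_end, ts_t max_life)
{
    ts_t limit = now + max_life;
    return (req_end != 0 && req_end < limit) ? req_end : limit;
}

/* Old lookup rule: a cached ticket must last at least until req_end. */
static int match_old(ts_t cached_end, ts_t now, ts_t req_end)
{
    return cached_end > now && (req_end == 0 || cached_end >= req_end);
}

/* New rule: endtime is not a lookup criterion (expiry check assumed). */
static int match_new(ts_t cached_end, ts_t now, ts_t req_end)
{
    (void)req_end;
    return cached_end > now;
}

/* n requests 60 s apart, each asking for now + want; returns TGS requests. */
static int simulate(int (*match)(ts_t, ts_t, ts_t), int n, ts_t want, ts_t max_life)
{
    int misses = 0;
    ncache = 0;
    for (int i = 0; i < n; i++) {
        ts_t now = 1000 + 60 * (ts_t)i, req_end = now + want;
        int hit = 0;
        for (int j = 0; j < ncache && !hit; j++)
            hit = match(cache[j], now, req_end);
        if (hit) continue;
        misses++;
        if (ncache < MAX_CACHE)   /* each miss adds a cache entry */
            cache[ncache++] = kdc_issue(now, req_end, max_life);
    }
    return misses;
}

int main(void)
{
    printf("old rule: %d TGS requests\n", simulate(match_old, 10, 3600, 36000));
    printf("new rule: %d TGS requests\n", simulate(match_new, 10, 3600, 36000));
}
```

Because each request asks for an endtime one hour past a later "now", every ticket cached under the old rule ends before the next requested endtime, so the model cache grows by one entry per call.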