[Heimdal-source-changes] [heimdal/heimdal] 529a91: MacOS/X fixes

GitHub noreply at github.com
Thu Jun 9 07:13:39 CEST 2016


  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: 529a91d69ad9d44bfd1de0813d89e5bdac094f08
      https://github.com/heimdal/heimdal/commit/529a91d69ad9d44bfd1de0813d89e5bdac094f08
  Author: Viktor Dukhovni <viktor at twosigma.com>
  Date:   2016-06-09 (Thu, 09 Jun 2016)

  Changed paths:
    M kdc/config.c
    M kdc/connect.c
    M kdc/kdc-tester.c
    M kdc/kdc_locl.h
    M kdc/main.c
    M lib/hcrypto/evp-cc.c

  Log Message:
  -----------
  MacOS/X fixes


  Commit: 2623cee389b6a93b2096f494456490b5cf1f55ec
      https://github.com/heimdal/heimdal/commit/2623cee389b6a93b2096f494456490b5cf1f55ec
  Author: Nicolas Williams <nico at twosigma.com>
  Date:   2016-06-09 (Thu, 09 Jun 2016)

  Changed paths:
    M lib/krb5/context.c

  Log Message:
  -----------
  Do not search system paths for non-ccapi plugins

On OS X anyways, since Heimdal cannot be built to replace the system
Kerberos implementation in OS X (even though it's based on Heimdal).

Heimdal plugins other than the CCAPI plugins have private ABIs with
strong coupling to the internals of the Heimdal libraries, thus using
system plugins in a non-system Heimdal is likely to end in tears (e.g.,
segfaults).

This means, for example, that OS X's plugins for PAC creation and
verification cannot be used by Heimdal.


  Commit: 812b01b4ed50d46e410bf14809b67bfde3a026c2
      https://github.com/heimdal/heimdal/commit/812b01b4ed50d46e410bf14809b67bfde3a026c2
  Author: Nicolas Williams <nico at twosigma.com>
  Date:   2016-06-09 (Thu, 09 Jun 2016)

  Changed paths:
    M kdc/windc.c

  Log Message:
  -----------
  Fix KDC segfault with OS X plugins

At least one "windc" plugin provided by OS X lacks a client_access()
entry point and caused the KDC to crash.  The KDC now checks for each
entry point in "windc" plugins and either falls back on alternative
default functionality or fails more gracefully than by crashing.


  Commit: 840dc40574530b1608d87411fdcde8eff1029b97
      https://github.com/heimdal/heimdal/commit/840dc40574530b1608d87411fdcde8eff1029b97
  Author: Viktor Dukhovni <viktor at twosigma.com>
  Date:   2016-06-09 (Thu, 09 Jun 2016)

  Changed paths:
    M lib/krb5/get_cred.c
    M lib/krb5/principal.c

  Log Message:
  -----------
  Refine name canonicalization

When storing credentials whose ticket principal is not equal to the
requested principal, store the ticket under both names not only when
the original realm is the referral realm, but more generally for any
difference at all.  This matches MIT behaviour.

Allow explicit name_canon rules to specify a realm to go with the
canonicalized hostname; if that realm is empty the effect is the
same as "use-referrals".

Also fix segfault when no creds and debugging


  Commit: 316e0d21846972bad85ef05ebaecd9804ca8e1f2
      https://github.com/heimdal/heimdal/commit/316e0d21846972bad85ef05ebaecd9804ca8e1f2
  Author: Nicolas Williams <nico at twosigma.com>
  Date:   2016-06-09 (Thu, 09 Jun 2016)

  Changed paths:
    M lib/kadm5/ipropd_slave.c

  Log Message:
  -----------
  Store the canonical client princ in ipropd-slave

Otherwise we risk storing a name with the referral (empty) realm name,
which will then cause various knock-on effects, such as thinking that
the start_realm is "", and failing to find matching credentials in the
ccache.


Compare: https://github.com/heimdal/heimdal/compare/ffd0dda237fd...316e0d218469
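
The pattern described in the "Fix KDC segfault with OS X plugins" log message above (check every plugin entry point before calling it, then fall back or fail cleanly) is sketched below as an added example. It is not Heimdal's code: the `demo_plugin` table, the `demo_*` functions, and the error codes are hypothetical stand-ins, not the real "windc" ABI.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical plugin function table (NOT Heimdal's real windc ABI).
 * A plugin may leave any entry point NULL if it does not implement it. */
struct demo_plugin {
    int (*pac_generate)(void *ctx, const char *client);
    int (*client_access)(void *ctx, const char *client);
};

enum { DEMO_OK = 0, DEMO_ERR_NOT_SUPPORTED = -1, DEMO_ERR_DENIED = -2 };

/* Illustrative built-in policy used when the plugin has no client_access().
 * Which default is safe is a deployment decision; this one is an assumption. */
static int default_client_access(const char *client)
{
    return (client != NULL && client[0] != '\0') ? DEMO_OK : DEMO_ERR_DENIED;
}

/* Optional entry point: fall back on the default instead of calling NULL. */
int demo_check_client_access(const struct demo_plugin *p, void *ctx, const char *client)
{
    if (p == NULL || p->client_access == NULL)
        return default_client_access(client);
    return p->client_access(ctx, client);
}

/* No sensible default here: return an error rather than crash. */
int demo_pac_generate(const struct demo_plugin *p, void *ctx, const char *client)
{
    if (p == NULL || p->pac_generate == NULL)
        return DEMO_ERR_NOT_SUPPORTED;
    return p->pac_generate(ctx, client);
}

/* Constructed sample plugins for the demonstration. */
static int deny_all(void *ctx, const char *c) { (void)ctx; (void)c; return DEMO_ERR_DENIED; }
static int gen_ok(void *ctx, const char *c) { (void)ctx; (void)c; return DEMO_OK; }
const struct demo_plugin partial_plugin = { gen_ok, NULL };   /* lacks client_access */
const struct demo_plugin access_only_plugin = { NULL, deny_all }; /* lacks pac_generate */

int main(void)
{
    printf("partial access: %d\n", demo_check_client_access(&partial_plugin, NULL, "user@EXAMPLE"));
    printf("access-only pac: %d\n", demo_pac_generate(&access_only_plugin, NULL, "user@EXAMPLE"));
    return 0;
}
```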

