[Heimdal-source-changes] [heimdal/heimdal] c555ed: KDC: Allow hdb to set the issued ticket's realm

GitHub noreply at github.com
Wed Dec 26 23:55:15 CET 2018


  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: c555ed6a1f7ddb1cb391326140a0c30a68a9b700
      https://github.com/heimdal/heimdal/commit/c555ed6a1f7ddb1cb391326140a0c30a68a9b700
  Author: Isaac Boukris <iboukris at gmail.com>
  Date:   2018-12-26 (Wed, 26 Dec 2018)

  Changed paths:
    M kdc/krb5tgs.c

  Log Message:
  -----------
  KDC: Allow hdb to set the issued ticket's realm

This is used by Samba to set the canonical realm in
case netbios realm was requested (same as Windows).

Regression introduced by upstream commit:
378f34b4be9865ed3949918fba8d2dd877b395c0

Signed-off-by: Isaac Boukris <iboukris at gmail.com>


  Commit: c67b29669432be7bab1d3ca1565127b587640e48
      https://github.com/heimdal/heimdal/commit/c67b29669432be7bab1d3ca1565127b587640e48
  Author: Isaac Boukris <iboukris at gmail.com>
  Date:   2018-12-26 (Wed, 26 Dec 2018)

  Changed paths:
    M kdc/kerberos5.c

  Log Message:
  -----------
  KDC: Add ETYPE_INFO{,2} padata on PREAUTH_FAILED

Without it, Windows clients will perform an
extra AS-REQ, causing password lockout count
to increase by two instead of one.

This is an alternative to Samba commit:
978bc8681e74ffa17f96fd5d4355094c4a26691c

One difference however, it doesn't return
ENC_TIMESTAMP in PREAUTH_REQUIRED, only the
necessary ETYPE_INFO{,2} (same as Windows).

Signed-off-by: Isaac Boukris <iboukris at gmail.com>


  Commit: 2ee4169dd199e78d80d610602f44cfaa82cb39b4
      https://github.com/heimdal/heimdal/commit/2ee4169dd199e78d80d610602f44cfaa82cb39b4
  Author: Isaac Boukris <iboukris at gmail.com>
  Date:   2018-12-26 (Wed, 26 Dec 2018)

  Changed paths:
    M lib/krb5/get_cred.c

  Log Message:
  -----------
  Avoid shadowing KDC returned error code

The referral function does not handle short names,
so avoid falling over it in case capath fails, in
order to preserve the error code returned by the
KDC (it wasn't a problem before the order between
the two functions has changed).

Signed-off-by: Isaac Boukris <iboukris at gmail.com>


  Commit: efb111e450e1b3e3cc4d853fc393b1d3babc1981
      https://github.com/heimdal/heimdal/commit/efb111e450e1b3e3cc4d853fc393b1d3babc1981
  Author: Isaac Boukris <iboukris at gmail.com>
  Date:   2018-12-26 (Wed, 26 Dec 2018)

  Changed paths:
    M kuser/kinit.c
    M lib/krb5/init_creds_pw.c
    M tests/kdc/check-pkinit.in
    M tests/kdc/check-referral.in

  Log Message:
  -----------
  Separate enterprise and canonicalize flags

The meaning of the two is different and we should
not implicitly set both if one was requested (this
aligns the logic with MIT kinit -C/-E options).

Signed-off-by: Isaac Boukris <iboukris at gmail.com>


Compare: https://github.com/heimdal/heimdal/compare/434f76bcb777...efb111e450e1