RT/krbdev.mit.edu: Ticket #4048 Windows Integrated Login Fixes for KFW 3.1

RT/krbdev.mit.edu: Ticket #4048 Windows Integrated Login Fixes for KFW 3.1

Signed in as guest.
[Logout]

[Home]

[Search]

[Configuration]

[Display]

[History]

[Basics]

[Dates]

[People]

[Links]

[Jumbo]

The Basics

Id
4048

Status
resolved

Worked
0 min

Priority
0/0

Queue
krb5

Keyword Selections

Component	windows
Version_reported
Version_Fixed	1.4.4
Target_Version
Tags	pullup

Relationships

Depends on:

Depended on by:

Parents:

Children:

Refers to:

Referred to by:

Dates

Created:	Mon Jul 24 02:58:30 2006
Starts:	Not set
Started:	Mon Jul 24 02:58:35 2006
Last Contact:	Mon Jul 24 22:32:14 2006
Due:	Not set
Updated:	Mon Jul 24 22:32:14 2006 by tlyu

People

Owner
jaltman
Requestors
jaltman@mit.edu
Cc

AdminCc

More about Jeffrey Altman

Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:

1527: krb5_rd_safe_basic() throws exception when sender_addr is NULL (new)
1809: Krb5 Telnet[d] improperly truncates 3DES keys to DES key (new)
2137: krb5_cc_get_principal prevents implementation of auto kinit dialogs in KfM/KfW (new)
2145: gss_release_buffer() too easily deallocates memory it should not (new)
2147: Debug output hooks need to be added to support Windows Help Desk (open)
2253: W2K+3 vs MIT RC4-HMAC based cross-realm trusts (open)
2536: Krb5 Admin Guide fails to document krb524 (new)
2547: Add support for kpasswd/TCP to kadmind (open)
2596: src/krb524/README out of date (new)
2602: Don't reject renewable of non-renewable tickets (new)
2636: replace all calls to getenv()/setenv() with Get/SetEnvironmentVariable on Windows (open)
2640: krb5_cc_default() blocks for two minutes when MSLSA and Logon Server Unavailable (open)
2736: recode krb5_get_credentials to work without a ccache (new)
3112: telnet does not build on Fedora Core 4 (new)
4157: Windows README is out of date (new)
4325: src/include/krb5_err.h needs to be updated to match RFC4120 (new)
4328: Implement new krb5_get_credentials option: KRB5_GC_REPLACE (open)
4740: cccursor backend for MSLSA (new)
5501: Vista UAC impact on Windows Installer requires modifications to admin privilege test (open)
5536: Build Script Fails to build KFW (open)
5543: Build Scripts fail to package with "beta" version (new)
5714: Build Script - Update for 64-bit Windows build (open)
5718: NIM: BUG: APP: Configuration Identity Panel Apply Button (open)
5720: NIM: BUG: APP: Create command-line request queue (open)
5721: NIM: BUG: KRB5: Identity validation can succeed without prompts (open)

History

Display mode: [Brief headers] [Full headers]

Mon Jul 24 02:58:31 2006	jaltman - Ticket created
From: jaltman@mit.edu Subject: SVN Commit KFW integrated login was failing when the user is not a power user or administrator. This was occurring because the temporary file ccache was being created in a directory the user could not read. While fixing this it was noticed that the ACLs on the ccache were too broad. Instead of applying a fix to the FILE: krb5_ccache implementation it was decided that simply applying a new set of ACLs (SYSTEM and "user" with no inheritance) to the file immediately after the krb5_cc_initialize() call would close the broadest security issues. The file is initially created in the SYSTEM %TEMP% directory with "SYSTEM" ACL only. Then it is moved to the user's %TEMP% directory with "SYSTEM" and "user" ACLs. Finally, after copying the credentials to the API: ccache, the file is deleted. Commit By: jaltman Revision: 18379 Changed Files: U trunk/src/windows/kfwlogon/Makefile.in U trunk/src/windows/kfwlogon/kfwcommon.c U trunk/src/windows/kfwlogon/kfwcpcc.c U trunk/src/windows/kfwlogon/kfwlogon.c U trunk/src/windows/kfwlogon/kfwlogon.h		Download (untitled) 1k
Mon Jul 24 02:58:35 2006	jaltman - Tags pullup added
Mon Jul 24 02:58:35 2006	jaltman - Status changed from new to resolved
Mon Jul 24 02:58:36 2006	jaltman - Component windows added
Mon Jul 24 02:58:37 2006	jaltman - Requestor jaltman@mit.edu added
Mon Jul 24 16:37:40 2006	jaltman - Correspondence added
From: jaltman@mit.edu Subject: SVN Commit undo previous commit due to EOL issues Commit By: jaltman Revision: 18381 Changed Files: U trunk/src/windows/kfwlogon/Makefile.in U trunk/src/windows/kfwlogon/kfwcommon.c U trunk/src/windows/kfwlogon/kfwcpcc.c U trunk/src/windows/kfwlogon/kfwlogon.c U trunk/src/windows/kfwlogon/kfwlogon.h		Download (untitled) 307b
Mon Jul 24 16:39:35 2006	jaltman - Correspondence added
From: jaltman@mit.edu Subject: SVN Commit commit again without using patch to apply the diff Commit By: jaltman Revision: 18382 Changed Files: U trunk/src/windows/kfwlogon/Makefile.in U trunk/src/windows/kfwlogon/kfwcommon.c U trunk/src/windows/kfwlogon/kfwcpcc.c U trunk/src/windows/kfwlogon/kfwlogon.c U trunk/src/windows/kfwlogon/kfwlogon.h		Download (untitled) 321b
Mon Jul 24 19:40:24 2006	tlyu - Version_Fixed 1.4.4 added
Mon Jul 24 19:40:25 2006	tlyu - Correspondence added
From: tlyu@mit.edu Subject: SVN Commit pull up r18382 from trunk r18382@cathode-dark-space: jaltman \| 2006-07-24 16:39:31 -0400 ticket: 4048 commit again without using patch to apply the diff Commit By: tlyu Revision: 18383 Changed Files: _U branches/krb5-1-4/ U branches/krb5-1-4/src/windows/kfwlogon/Makefile.in U branches/krb5-1-4/src/windows/kfwlogon/kfwcommon.c U branches/krb5-1-4/src/windows/kfwlogon/kfwcpcc.c U branches/krb5-1-4/src/windows/kfwlogon/kfwlogon.c U branches/krb5-1-4/src/windows/kfwlogon/kfwlogon.h		Download (untitled) 514b
Mon Jul 24 19:40:29 2006	tlyu - Correspondence added
From: tlyu@mit.edu Subject: SVN Commit revert previous Commit By: tlyu Revision: 18384 Changed Files: _U branches/krb5-1-4/ U branches/krb5-1-4/src/windows/kfwlogon/Makefile.in U branches/krb5-1-4/src/windows/kfwlogon/kfwcommon.c U branches/krb5-1-4/src/windows/kfwlogon/kfwcpcc.c U branches/krb5-1-4/src/windows/kfwlogon/kfwlogon.c U branches/krb5-1-4/src/windows/kfwlogon/kfwlogon.h		Download (untitled) 361b
Mon Jul 24 19:40:34 2006	tlyu - Correspondence added
From: tlyu@mit.edu Subject: SVN Commit pull up r18379 from trunk in order to get correct commit log r18379@cathode-dark-space: jaltman \| 2006-07-24 02:58:23 -0400 ticket: new subject: Windows Integrated Login Fixes for KFW 3.1 tags: pullup component: windows KFW integrated login was failing when the user is not a power user or administrator. This was occurring because the temporary file ccache was being created in a directory the user could not read. While fixing this it was noticed that the ACLs on the ccache were too broad. Instead of applying a fix to the FILE: krb5_ccache implementation it was decided that simply applying a new set of ACLs (SYSTEM and "user" with no inheritance) to the file immediately after the krb5_cc_initialize() call would close the broadest security issues. The file is initially created in the SYSTEM %TEMP% directory with "SYSTEM" ACL only. Then it is moved to the user's %TEMP% directory with "SYSTEM" and "user" ACLs. Finally, after copying the credentials to the API: ccache, the file is deleted. Commit By: tlyu Revision: 18385 Changed Files: _U branches/krb5-1-4/ U branches/krb5-1-4/src/windows/kfwlogon/Makefile.in U branches/krb5-1-4/src/windows/kfwlogon/kfwcommon.c U branches/krb5-1-4/src/windows/kfwlogon/kfwcpcc.c U branches/krb5-1-4/src/windows/kfwlogon/kfwlogon.c U branches/krb5-1-4/src/windows/kfwlogon/kfwlogon.h		Download (untitled) 1.4k
Mon Jul 24 22:32:12 2006	tlyu - Correspondence added
From: tlyu@mit.edu Subject: SVN Commit pull up r18379 from trunk r18379@cathode-dark-space: jaltman \| 2006-07-24 02:58:23 -0400 ticket: new subject: Windows Integrated Login Fixes for KFW 3.1 tags: pullup component: windows KFW integrated login was failing when the user is not a power user or administrator. This was occurring because the temporary file ccache was being created in a directory the user could not read. While fixing this it was noticed that the ACLs on the ccache were too broad. Instead of applying a fix to the FILE: krb5_ccache implementation it was decided that simply applying a new set of ACLs (SYSTEM and "user" with no inheritance) to the file immediately after the krb5_cc_initialize() call would close the broadest security issues. The file is initially created in the SYSTEM %TEMP% directory with "SYSTEM" ACL only. Then it is moved to the user's %TEMP% directory with "SYSTEM" and "user" ACLs. Finally, after copying the credentials to the API: ccache, the file is deleted. Commit By: tlyu Revision: 18386 Changed Files: _U branches/krb5-1-5/ U branches/krb5-1-5/src/windows/kfwlogon/Makefile.in U branches/krb5-1-5/src/windows/kfwlogon/kfwcommon.c U branches/krb5-1-5/src/windows/kfwlogon/kfwcpcc.c U branches/krb5-1-5/src/windows/kfwlogon/kfwlogon.c U branches/krb5-1-5/src/windows/kfwlogon/kfwlogon.h		Download (untitled) 1.3k