RT/krbdev.mit.edu: Ticket #5703 NIM: BUG: KRB5: FILE ccache support did not make use of OPENCLOSE flags

The Basics
Id: 5703
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component: windows
Version_reported:
Version_Fixed: 1.6.3
Target_Version: 1.6.3
Tags: pullup

Relationships
Depends on:
Depended on by:
Parents: 5691: (jaltman) Post KFW 3.2.1 Tracking Ticket [resolved]
Children:
Refers to:
Referred to by: 5772: (jaltman) NIM: BUG: SRC: Increase size of max ccache name buffers and remove extraneous trailing path component separators [resolved]

Dates
Created: Wed Aug 29 18:38:32 2007
Starts: Not set
Started: Wed Aug 29 18:38:39 2007
Last Contact: Fri Sep 28 20:02:52 2007
Due: Not set
Updated: Tue Jun 17 11:31:11 2008 by guest

People
Owner: jaltman
Requestors: jaltman@mit.edu
Cc:
AdminCc:

History
      Wed Aug 29 18:38:32 2007  jaltman - Ticket created    
     
From: jaltman@mit.edu
Subject: SVN Commit

NIM supports the ability of the user to specify an
explicit ccache name for use with an identity.  If
this ccache is a FILE ccache, we need to be able to
store credentials into the ccache.  krb5cred.dll
did not previously specify the KRB5_TC_OPENCLOSE flag
on the ccache when setting other flags such as
KRB5_TC_NOTICKET (which is used with MSLSA ccaches).
As a result, open/close mode was turned off, the
ccache file would be opened in read-only mode and
attempts to store credentials into the ccache would
fail.  This is fixed by specifying KRB5_TC_OPENCLOSE
when setting the ccache flags.

When a CCAPI implementation is unavailable, we need
to automatically generate the FILE ccache name if
one has not already been specified.  We default to
a file stored in the user's Local Settings\Temp
directory.  The generated ccache is then added to
the file ccache watch list.

Finally, some users have complained about the
behavior of Microsoft Vista's UAC mode and how
it makes the CCAPI cache useless for storing
credentials that must be used in conjunction
with processes that do not have restricted
privileges since those processes run in a
separate logon session.  For these users we
have added a "DefaultToFileCache" registry
value that can be specified to force the use
of FILE ccaches in preference to CCAPI ccaches
when there is no explicit ccache specified
for a given identity.  Unlike CCAPI ccaches,
the FILE ccaches are accessible from both
restricted and unrestricted processes when
UAC is active.
Commit By: jaltman



Revision: 19897
Changed Files:
U   trunk/src/windows/identity/plugins/krb5/krb5configid.c
U   trunk/src/windows/identity/plugins/krb5/krb5funcs.c
U   trunk/src/windows/identity/plugins/krb5/krb5newcreds.c
U   trunk/src/windows/identity/plugins/krb5/krbconfig.csv


      Wed Aug 29 18:38:38 2007  jaltman - Requestor jaltman@mit.edu added    
      Wed Aug 29 18:38:39 2007  jaltman - Status changed from new to resolved    
      Wed Aug 29 18:38:40 2007  jaltman - Component windows added    
      Fri Sep 28 17:28:48 2007  jaltman - Target_Version 1.6.4 added    
      Fri Sep 28 17:28:48 2007  jaltman - Tags pullup added    
      Fri Sep 28 18:20:00 2007  tlyu - Target_Version 1.6.4 changed to 1.6.3    
      Fri Sep 28 20:02:49 2007  tlyu - Version_Fixed 1.6.3 added    
      Fri Sep 28 20:02:49 2007  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit

pull up r19897 from trunk

 r19897@cathode-dark-space:  jaltman | 2007-08-29 18:38:26 -0400
 ticket: new
 subject: NIM file ccache support improvements
 component: windows

 NIM supports the ability of the user to specify an
 explicit ccache name for use with an identity.  If
 this ccache is a FILE ccache, we need to be able to
 store credentials into the ccache.  krb5cred.dll
 did not previously specify the KRB5_TC_OPENCLOSE flag
 on the ccache when setting other flags such as
 KRB5_TC_NOTICKET (which is used with MSLSA ccaches).
 As a result, open/close mode was turned off, the
 ccache file would be opened in read-only mode and
 attempts to store credentials into the ccache would
 fail.  This is fixed by specifying KRB5_TC_OPENCLOSE
 when setting the ccache flags.

 When a CCAPI implementation is unavailable, we need
 to automatically generate the FILE ccache name if
 one has not already been specified.  We default to
 a file stored in the user's Local Settings\Temp
 directory.  The generated ccache is then added to
 the file ccache watch list.

 Finally, some users have complained about the
 behavior of Microsoft Vista's UAC mode and how
 it makes the CCAPI cache useless for storing
 credentials that must be used in conjunction
 with processes that do not have restricted
 privileges since those processes run in a
 separate logon session.  For these users we
 have added a "DefaultToFileCache" registry
 value that can be specified to force the use
 of FILE ccaches in preference to CCAPI ccaches
 when there is no explicit ccache specified
 for a given identity.  Unlike CCAPI ccaches,
 the FILE ccaches are accessible from both
 restricted and unrestricted processes when
 UAC is active.


Commit By: tlyu



Revision: 20009
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/windows/identity/plugins/krb5/krb5configid.c
U   branches/krb5-1-6/src/windows/identity/plugins/krb5/krb5funcs.c
U   branches/krb5-1-6/src/windows/identity/plugins/krb5/krb5newcreds.c
U   branches/krb5-1-6/src/windows/identity/plugins/krb5/krbconfig.csv


      Wed Oct  3 15:34:49 2007  jaltman - Subject changed from NIM file ccache support improvements to NIM: BUG: KRB5: FILE ccache support did not make use of OPENCLOSE flags
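
A minimal model of the failure described in the r19897 commit message, added here as an illustration; it is not code from krb5cred.dll or the krb5 library. The struct, function names and flag values are hypothetical stand-ins, and the model assumes only what the message states: setting flags replaces the whole flag word, and a FILE ccache without open/close mode is held open read-only.

```c
#include <stdio.h>

/* Stand-ins for KRB5_TC_OPENCLOSE and KRB5_TC_NOTICKET; the numeric
 * values are constructed for this model. */
#define TC_OPENCLOSE 0x1u
#define TC_NOTICKET  0x2u

enum fd_state { FD_CLOSED, FD_RDONLY, FD_RDWR };

/* Hypothetical FILE ccache handle: flag word plus descriptor state. */
struct file_ccache { unsigned flags; enum fd_state fd; };

/* Assumption: the new value REPLACES the flag word. If OPENCLOSE is not
 * in it, the file is opened read-only and kept open. */
static void cc_set_flags(struct file_ccache *cc, unsigned flags)
{
    if (flags & TC_OPENCLOSE)
        cc->fd = FD_CLOSED;           /* reopened for each operation */
    else if (cc->fd == FD_CLOSED)
        cc->fd = FD_RDONLY;           /* held open, read-only */
    cc->flags = flags;
}

/* Returns 0 on success, -1 if the held descriptor cannot be written. */
static int cc_store_cred(const struct file_ccache *cc)
{
    if (cc->flags & TC_OPENCLOSE)
        return 0;   /* opened read-write for this one operation */
    return cc->fd == FD_RDWR ? 0 : -1;
}

/* Caller pattern before the fix: only the flag of interest is passed. */
int store_before_fix(void)
{
    struct file_ccache cc = { TC_OPENCLOSE, FD_CLOSED };
    cc_set_flags(&cc, TC_NOTICKET);
    return cc_store_cred(&cc);
}

/* Caller pattern after the fix: OPENCLOSE is specified alongside it. */
int store_after_fix(void)
{
    struct file_ccache cc = { TC_OPENCLOSE, FD_CLOSED };
    cc_set_flags(&cc, TC_NOTICKET | TC_OPENCLOSE);
    return cc_store_cred(&cc);
}

int main(void)
{
    printf("before: %d after: %d\n", store_before_fix(), store_after_fix());
    return 0;
}
```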