path: root/src/windows/ms2mit/ChangeLog
Diffstat (limited to 'src/windows/ms2mit/ChangeLog')
-rw-r--r-- src/windows/ms2mit/ChangeLog 87
1 files changed, 84 insertions, 3 deletions
diff --git a/src/windows/ms2mit/ChangeLog b/src/windows/ms2mit/ChangeLog
index b68c646..d7ac6af 100644
--- a/src/windows/ms2mit/ChangeLog
+++ b/src/windows/ms2mit/ChangeLog
@@ -1,14 +1,95 @@
+2004-01-31 Jeffrey Altman <jaltman@mit.edu>
+
+ * ms2mit.c: Do not allow ticket importing of the Initial TGT cannot
+ be obtained. The MSLSA krb5_ccache will not export the Initial TGT
+ if the session key enctype is NULL.
+
+2003-12-11 Jeffrey Altman <jaltman@mit.edu>
+
+ * ms2mit.c, Makefile.in:
+
+ Remove all of the code that manipulates the MS LSA cache. Instead
+ of reading in the TGT directly we now take advantage of the new
+ "MSLSA:" krb5_ccache type. We open the MS LSA cache as a read-only
+ ccache and copy it to the default ccache for the system.
+
+ This removes the dependency on secur32.dll from this file.
+
+2003-10-21 Jeffrey Altman <jaltman@mit.edu>
+
+ * ms2mit.c:
+
+ Because of the failure of Windows 2000 and Windows XP to perform
+ proper ticket expiration time management, the MS Kerberos LSA will
+ return tickets to a calling application with lifetimes as short as
+ one second. Tickets with lifetimes less than five minutes can cause
+ problems for most apps. Tickets with lifetimes less than 20 minutes
+ will trigger the Leash ticket lifetime warnings.
+
+ Instead of accepting whatever tickets are returned by MS LSA from
+ the cache, if the ticket lifetime is less than 20 minutes force a
+ retrieval operation bypassing the LSA ticket cache.
+
+
+2003-07-16 Jeffrey Altman <jaltman@mit.edu>
+
+ * ms2mit.c:
+
+ Functional changes:
+ (1) do not restrict ourselves to DES-CBC-CRC instead support any
+ ticket with an enctype we support. as of this date (rev 1.3)
+ this includes all but RC4-MD4.
+ (2) do not accept invalid tickets
+ (3) when attempting to retrieve tickets do not specify either the
+ enctype or cache options (if possible). doing so will force a
+ TGS request and prevent the results from being stored into the
+ cache.
+ (4) when the LSA cache contains a TGT which has expired Microsoft will
+ not perform a new TGS request until the cache has been purged.
+ Instead the expired ticket continues to be used along with its
+ embedded authorization data. When PURGE_ENABLED is defined, if the
+ tickets are expired, the cache will be purged before requesting
+ new tickets, else we ignore the contents of the cache and force
+ a new TGS request.
+ (5) when the LSA cache is empty do not abort. On XP or 2003, use
+ the SecurityLogonSessionData to determine the Realm (UserDnsDomain
+ in MS-speak) and request an appropriate TGT. On 2000, check the
+ Registry for the HKCU\"Volatile Environment":"USERDNSDOMAIN"
+ instead. This will allow ms2mit to be used to repopulate the
+ LSA cache. If the current session is not Kerberos authenticated
+ an appropriate error message will be generated.
+
+ Code changes:
+ (1) several memory leaks plugged
+ (2) several support functions copied from the Leashw32.dll sources
+ (3) get_STRING_from_registry() uses the ANSI versions of the Registry
+ functions and should at a later date be converted to use the
+ Unicode versions.
+
+ Notes: an ms2mit.exe based on the Leash_import() function
+ should be considered. Leash_import() not only imports the TGT from
+ the LSA but also performs the krb524 conversion and AFS token retrieval.
+ Of course, that version of ms2mit.exe could not exist within the krb5
+ source tree.
+
+2003-06-20 Jeffrey Altman <jaltman@mit.edu>
+
+ * ms2mit.c: Windows Credentials are addressless. Do not store the
+ credentials in the MIT cache with addresses since they do not
+ contain addresses in the encrypted portion of the credential.
+ Instead generate a valid empty address list.
+
2002-08-29 Ken Raeburn <raeburn@mit.edu>
- * Makefile.in: Revert $(S)=>/ change, for Windows support.
+ * Makefile.in: Revert $(S)=>/ change, for Windows support.
2002-08-23 Ken Raeburn <raeburn@mit.edu>
- * Makefile.in: Change $(S)=>/ and $(U)=>.. globally.
+ * Makefile.in: Change $(S)=>/ and $(U)=>.. globally.
2001-11-28 Danilo Almeida <dalmeida@mit.edu>
- * ms2mit.c: Make sure we get a des-cbc-crc session key instead of
+ * ms2mit.c: Make sure we get a des-cbc-crc session key instead of
potentially getting whatever happens to be in the cache. Remove
unnecessary static variables. Make function headers use a
consistent format. Rename ShowLastError() to ShowWinError() and
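Review bot: The 2004-01-31 entry reads "Do not allow ticket importing of the Initial TGT cannot be obtained", where "of" looks like a typo for "if"; as written, the condition under which importing is refused is hard to parse, so please reword it. In the 2003-07-16 entry, item (4) describes two different behaviours for an expired TGT depending on PURGE_ENABLED but does not say whether that macro is defined in the default build; since one branch purges the LSA cache and the other ignores it and forces a new TGS request, the entry should state which one a stock ms2mit.exe does. The three removed and re-added lines in the 2002-08-29, 2002-08-23 and 2001-11-28 entries show no textual difference here and appear to be whitespace-only; if so, consider splitting them into a separate commit so the functional ChangeLog additions are easier to audit.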