diff options
Diffstat (limited to 'src/windows/ms2mit/ChangeLog')
-rw-r--r-- | src/windows/ms2mit/ChangeLog | 87 |
1 files changed, 84 insertions, 3 deletions
diff --git a/src/windows/ms2mit/ChangeLog b/src/windows/ms2mit/ChangeLog index b68c646..d7ac6af 100644 --- a/src/windows/ms2mit/ChangeLog +++ b/src/windows/ms2mit/ChangeLog @@ -1,14 +1,95 @@ +2004-01-31 Jeffrey Altman <jaltman@mit.edu> + + * ms2mit.c: Do not allow ticket importing of the Initial TGT cannot + be obtained. The MSLSA krb5_ccache will not export the Initial TGT + if the session key enctype is NULL. + +2003-12-11 Jeffrey Altman <jaltman@mit.edu> + + * ms2mit.c, Makefile.in: + + Remove all of the code that manipulates the MS LSA cache. Instead + of reading in the TGT directly we now take advantage of the new + "MSLSA:" krb5_ccache type. We open the MS LSA cache as a read-only + ccache and copy it to the default ccache for the system. + + This removes the dependency on secur32.dll from this file. + +2003-10-21 Jeffrey Altman <jaltman@mit.edu> + + * ms2mit.c: + + Because of the failure of Windows 2000 and Windows XP to perform + proper ticket expiration time management, the MS Kerberos LSA will + return tickets to a calling application with lifetimes as short as + one second. Tickets with lifetimes less than five minutes can cause + problems for most apps. Tickets with lifetimes less than 20 minutes + will trigger the Leash ticket lifetime warnings. + + Instead of accepting whatever tickets are returned by MS LSA from + the cache, if the ticket lifetime is less than 20 minutes force a + retrieval operation bypassing the LSA ticket cache. + + +2003-07-16 Jeffrey Altman <jaltman@mit.edu> + + * ms2mit.c: + + Functional changes: + (1) do not restrict ourselves to DES-CBC-CRC instead support any + ticket with an enctype we support. as of this date (rev 1.3) + this includes all but RC4-MD4. + (2) do not accept invalid tickets + (3) when attempting to retrieve tickets do not specify either the + enctype or cache options (if possible). doing so will force a + TGS request and prevent the results from being stored into the + cache. + (4) when the LSA cache contains a TGT which has expired Microsoft will + not perform a new TGS request until the cache has been purged. + Instead the expired ticket continues to be used along with its + embedded authorization data. When PURGE_ENABLED is defined, if the + tickets are expired, the cache will be purged before requesting + new tickets, else we ignore the contents of the cache and force + a new TGS request. + (5) when the LSA cache is empty do not abort. On XP or 2003, use + the SecurityLogonSessionData to determine the Realm (UserDnsDomain + in MS-speak) and request an appropriate TGT. On 2000, check the + Registry for the HKCU\"Volatile Environment":"USERDNSDOMAIN" + instead. This will allow ms2mit to be used to repopulate the + LSA cache. If the current session is not Kerberos authenticated + an appropriate error message will be generated. + + Code changes: + (1) several memory leaks plugged + (2) several support functions copied from the Leashw32.dll sources + (3) get_STRING_from_registry() uses the ANSI versions of the Registry + functions and should at a later date be converted to use the + Unicode versions. + + Notes: an ms2mit.exe based on the Leash_import() function + should be considered. Leash_import() not only imports the TGT from + the LSA but also performs the krb524 conversion and AFS token retrieval. + Of course, that version of ms2mit.exe could not exist within the krb5 + source tree. + +2003-06-20 Jeffrey Altman <jaltman@mit.edu> + + * ms2mit.c: Windows Credentials are addressless. Do not store the + credentials in the MIT cache with addresses since they do not + contain addresses in the encrypted portion of the credential. + Instead generate a valid empty address list. + 2002-08-29 Ken Raeburn <raeburn@mit.edu> - * Makefile.in: Revert $(S)=>/ change, for Windows support. + * Makefile.in: Revert $(S)=>/ change, for Windows support. 2002-08-23 Ken Raeburn <raeburn@mit.edu> - * Makefile.in: Change $(S)=>/ and $(U)=>.. globally. + * Makefile.in: Change $(S)=>/ and $(U)=>.. globally. 2001-11-28 Danilo Almeida <dalmeida@mit.edu> - * ms2mit.c: Make sure we get a des-cbc-crc session key instead of + * ms2mit.c: Make sure we get a des-cbc-crc session key instead of potentially getting whatever happens to be in the cache. Remove unnecessary static variables. Make function headers use a consistent format. Rename ShowLastError() to ShowWinError() and |