Re: gsskrb5_accept_delegated_token leaks a ccache

2007-02-07 Thread Michael B Allen
On Thu, 8 Feb 2007 09:33:34 +1100 Love Hörnquist Åstrand [EMAIL PROTECTED] wrote: On 6 Feb 2007 at 15:14, Michael B Allen wrote: On Mon, 5 Feb 2007 22:59:34 -0500 Michael B Allen [EMAIL PROTECTED] wrote: If I simply remove the ccache = NULL line in gsskrb5_accept_delegated_token the leak

Re: gsskrb5_accept_delegated_token leaks a ccache

2007-02-07 Thread Love Hörnquist Åstrand
Doesn't the ccache = NULL in gsskrb5_accept_delegated_token prevent id from being closed? 180 (*delegated_cred_handle)->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; 181 ccache = NULL; ^^ 182 } 183 184 out: 185 if (ccache) { 186 if

Re: password changes

2007-02-07 Thread Love Hörnquist Åstrand
Hello, I am using heimdal 0.7.2 with Openldap 2.3.32 backend. When I change passwords using MIT kpasswd from a RedHat 40 U4 server, the password changes however I don't see through kadmin? The password changed doesn't exist in released heimdal, 0.8 will have support for it. The kadmin

Re: gsskrb5_accept_delegated_token leaks a ccache

2007-02-07 Thread Michael B Allen
On Thu, 8 Feb 2007 10:39:45 +1100 Love Hörnquist Åstrand [EMAIL PROTECTED] wrote: Doesn't the ccache = NULL in gsskrb5_accept_delegated_token prevent id from being closed? 180 (*delegated_cred_handle)->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; 181 ccache =

Re: gsskrb5_accept_delegated_token leaks a ccache

2007-02-07 Thread Michael B Allen
Mmm, something's off. I just rsync'd and did a cvs co heimdal and the latest log entry I have is: revision 1.56 date: 2006/05/09 07:16:39; author: lha; state: Exp; lines: +3 -1 (gsskrb5_is_cfx): always set is_cfx. From Andrew Abartlet. Has the procedure changed? Never mind. I found

Empty padata in AS-REQ

2007-02-07 Thread Michael B Allen
Hi, Trying to acquire a TGT without the necessary password, ccache or keytab entry will result in an AS-REQ with an empty padata field. I'm not talking about the initial request with *null* padata. This is a second request with a padata SEQUENCE that is simply empty: $ dumpasn1 /tmp/out.bin
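The distinction the post draws, between an AS-REQ whose padata field is absent and one that carries a present-but-empty padata SEQUENCE, is easy to see with a small DER walker. The block below is an added example, not code from the Heimdal thread or the Heimdal source. It assumes the RFC 4120 KDC-REQ layout (explicitly tagged [1] pvno, [2] msg-type, [3] padata OPTIONAL, [4] req-body, wrapped in APPLICATION 10), builds a constructed, minimal req-body that is only meant to be walked, not accepted by a KDC, and then classifies the padata field of each variant.

```python
"""Classify the padata field of a DER-encoded Kerberos AS-REQ.

Added example (not Heimdal code). Assumes the RFC 4120 KDC-REQ structure with
explicit context tags; the req-body built here is a constructed minimal one
(kdc-options, realm, till, nonce, etype) used only as walkable sample input.
"""


def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag_byte, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, body):
    """Encode tag + definite-form length + body (bodies shorter than 65536 bytes)."""
    if len(body) < 0x80:
        ln = bytes([len(body)])
    elif len(body) < 0x100:
        ln = bytes([0x81, len(body)])
    else:
        ln = bytes([0x82]) + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body


def _ctx(n, body):
    """Explicit context tag [n] (constructed) around an already-encoded element."""
    return _der(0xA0 | n, body)


def _int(v):
    """DER INTEGER for a non-negative value (adds a leading 0x00 when needed)."""
    return _der(0x02, v.to_bytes((v.bit_length() // 8) + 1, "big"))


def build_as_req(padata):
    """Build a sample AS-REQ.

    padata=None          -> padata field absent (the 'null padata' first request)
    padata=[]            -> padata present but an empty SEQUENCE
    padata=[(type, val)] -> normal PA-DATA entries (padata-type, padata-value)
    """
    req_body = b"".join([
        _ctx(0, _der(0x03, b"\x00\x00\x00\x00\x00")),    # kdc-options BIT STRING
        _ctx(2, _der(0x1B, b"EXAMPLE.COM")),              # realm (constructed sample)
        _ctx(5, _der(0x18, b"20070207000000Z")),          # till KerberosTime
        _ctx(7, _int(12345)),                             # nonce
        _ctx(8, _der(0x30, _int(18) + _int(23))),         # etype SEQUENCE OF INTEGER
    ])
    fields = [_ctx(1, _int(5)), _ctx(2, _int(10))]        # pvno 5, msg-type 10 = AS-REQ
    if padata is not None:
        entries = b"".join(
            _der(0x30, _ctx(1, _int(t)) + _ctx(2, _der(0x04, v)))
            for t, v in padata)
        fields.append(_ctx(3, _der(0x30, entries)))       # [3] SEQUENCE OF PA-DATA
    fields.append(_ctx(4, _der(0x30, req_body)))          # [4] req-body
    return _der(0x6A, _der(0x30, b"".join(fields)))       # [APPLICATION 10] SEQUENCE


def classify_padata(as_req):
    """Return 'absent', 'empty', or 'present (N PA-DATA)' for the padata field."""
    tag, outer, _ = _tlv(as_req, 0)
    if tag != 0x6A:
        raise ValueError("not an AS-REQ (expected APPLICATION 10)")
    tag, seq, _ = _tlv(outer, 0)
    if tag != 0x30:
        raise ValueError("KDC-REQ must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        if tag == 0xA3:                                   # [3] padata
            _, entries, _ = _tlv(val, 0)                  # inner SEQUENCE OF
            count, p = 0, 0
            while p < len(entries):
                _, _, p = _tlv(entries, p)
                count += 1
            return "empty" if count == 0 else f"present ({count} PA-DATA)"
    return "absent"


if __name__ == "__main__":
    for label, pa in (("first request", None), ("second request", []),
                      ("with PA-ENC-TIMESTAMP", [(2, b"\x30\x00")])):
        print(f"{label:22s} padata: {classify_padata(build_as_req(pa))}")
```

Feeding the two sample encodings through `classify_padata` separates "absent" from "empty", which is the difference a dumpasn1 listing shows as no `[3]` element at all versus a `[3]` element wrapping a zero-length SEQUENCE.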

Does this happen in the new mechglue too?

2007-02-07 Thread Michael B Allen
Unfortunately I'm still using mechglue-branch at the moment. I have found numerous bugs that I'm sure you don't care about anymore but there was one issue that could conceivably exist in the new code. The issue was that trying to acquire a credential could result in a redundant AS-REQ. It turned

Detect when KRB5CCNAME changes for certain server scenarios

2007-02-07 Thread Michael B Allen
Consider a web application that authenticates clients using gss_accept_sec_context, places the delegated credential into a file and exports KRB5CCNAME. If the web application were to then call a library function (e.g. ldap_sasl_bind_s) that also used Heimdal's GSSAPI it may fail to find the