| Age | Commit message (Collapse) | Author |
|---|
|
|
|
Update the wallet client, wallet-backend, and Wallet::Object::File
documentation for the support for storing data containing nul
characters using the new stdin support in remctld. Add this to NEWS.
|
|
Move all reporting from Wallet::Admin to Wallet::Report and simplify
the method names since they're now part of a dedicated reporting
class. Similarly, create a new wallet-report script to wrap
Wallet::Report, moving all reporting commands to it from wallet-admin,
and simplify the commands since they're for a dedicated reporting
script.
Remove the contrib script wallet-report to wallet-summary so that it
doesn't conflict with the new reporting backend script.
|
|
* Update portable and util tests for C TAP Harness 1.1.
* Remove the need for Autoconf substitution in test programs.
* Support running a single test program with runtests -o.
* Properly handle test cases that are skipped in their entirety.
* Much improved C TAP library more closely matching Test::More.
Rewrite client/basic-t to use the new test library functions and my
current test case coding style.
|
|
Use the Kerberos portability layer from rra-c-util 3.0 and avoid
Kerberos API calls deprecated on Heimdal. Break util/util.h into
separate header files and update all source files accordingly.
The test suite is not yet updated. That will come in subsequent
commits.
|
|
Add replacements for mkstemp and setenv, since we now use them when
obtaining credentials in the client. Fix the bool type with Sun Studio
12 on Solaris 10.
|
|
* Sanity-check the results of krb5-config before proceeding.
* Fall back on manual probing if krb5-config results don't work.
* Add --with-krb5-include and --with-krb5-lib configure options.
* Add --with-remctl-include and --with-remctl-lib configure options.
* Add --with-gssapi-include and --with-gssapi-lib configure options.
* Don't break if the user clobbers CPPFLAGS at build time.
* Suppress error output from krb5-config probes.
* Prefer KRB5_CONFIG over a path constructed from --with-*.
* Update GSS-API probes for Solaris 10's native implementation.
* Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf.
Also strip out more outdated AFS kaserver instructions from README.
|
|
The wallet client now uses a temporary disk ticket cache when
obtaining tickets with the -u option rather than an in-memory cache,
allowing for a libremctl built against a different Kerberos
implementation than the wallet client. This primarily helps with
testing.
|
|
The wallet client no longer enables kaserver synchronization when a
srvtab is requested with -S. Instead, it just extracts the DES key
from the keytab and writes it to a srvtab. It no longer forces the
kvno of the srvtab to 0 (a Stanford-specific action) and instead
preserves the kvno from the key in the keytab. This should now do the
right thing for sites that use a KDC that serves both Kerberos v4 and
Kerberos v5 from the same database.
|
|
|
|
KEYTAB_KRBTYPE wasn't documented in Wallet::Config. Add it and the
variable declaration. Also document the new mandatory setting in
NEWS and add the Heimdal::Kadm5 requirement to README. Remove some
of the language in README that implies that only MIT Kerberos is
supported.
Make the setting case-insensitive and improve the error message from
Wallet::Kadmin if it isn't set.
|
|
Remove kaserver synchronization support. It is no longer tested, and
retaining the code was increasing the complexity of wallet, and some
specific requirements (such as different realm names between kaserver
and Kerberos v5 and the kvno handling) were Stanford-specific. Rather
than using this support, AFS sites running kaserver will probably find
deploying Heimdal with its internal kaserver compatibility is probably
an easier transition approach.
|
|
|
|
Add a new report owners command to wallet-admin and corresponding
report_owners() method to Wallet::Admin, which returns all ACL lines
on owner ACLs for matching objects.
|
|
the data passed to store.
|
|
parse it as an argument to wallet-backend.
|
|
|
|
|
|
file (using -f) or from standard input (if -f wasn't given) when the
data isn't specified on the command line. The data still must not
contain nul characters.
|
|
|
|
|
|
projects.
The configure option requesting AFS kaserver support (and thus
building kasetkey) is now --with-kaserver instead of --with-afs.
If KRB5_CONFIG was explicitly set in the environment, don't use a
different krb5-config based on --with-krb4 or --with-krb5. If
krb5-config isn't executable, don't use it. This allows one to
force library probing by setting KRB5_CONFIG to point to a
nonexistent file.
Sanity-check the results of krb5-config before proceeding and error
out in configure if they don't work.
Stop setting Stanford-specific compile-time defaults for the wallet
server and port.
|
|
Mike Garrison.
Also update to the latest version of all of the Kerberos Autoconf probes.
|
|
the NOTGS flag) and examining principals to kasetkey. This
functionality isn't used by wallet (and probably won't be) but is
convenient for other users of kasetkey such as kadmin-remctl.
|
|
keytab object.
|
|
|
|
names of Wallet::Object::* and all ACL verifier implementations must
have class names of Wallet::ACL::*.
|
|
implementation.
|
|
implementations in the database.
|
|
|
|
empty string is valid object content.
Add a full end-to-end test suite to catch protocol mismatches between
the client and server, such as the one fixed in this release.
|
|
|
|
environment variable WALLET_CONFIG and loads configuration from the
file specified there instead of /etc/wallet/wallet.conf if it is set.
|
|
|
|
|
|
|
|
|
|
empty string as a principal argument. Be careful not to provide a
principal argument if no principal was set. This workaround can be
removed once we depend on a later version of Net::Remctl.
|
|
srvtab key before merging the keytab into an existing file.
Otherwise, if the new keys had a lower kvno than the old keys
(possible after deleting and recreating the object), the wrong key
would be extracted for the srvtab.
|
|
default ACLs to avoid creating and stranding an ACL when the naming
policy check fails.
|
|
correct script name.
|
|
order to satisfy the picky option parser.
|
|
|
|
|
|
database and list all objects and ACLs in the database.
|
|
credentials for the given user and use those for authentication rather
than using an existing ticket cache.
|
|
|
|
exists, unlink it first and then create it safely rather than
truncating it. This is much safer when creating files in a
world-writable directory.
Also add documentation for keytab merging.
|
|
keytab keys into that file rather than moving aside the old keytab and
creating a new keytab with only the new keys.
Also fix get handling in the client for all types other than keytabs.
This isn't visible yet since the server doesn't yet support other types
of objects.
|
|
function in the wallet server configuration file.
|
