Kerberos Changelog

NOTE: The kerberos project is no longer active on this website so information here may be out of date. Current Oracle Solaris 11 product documentation can be found here. Information about downloading Oracle Solaris 11 can be found here.

Kerberos Changes in Nevada

ARC Cases

Build 104
PSARC 2008/572 Kerberos autologin for r-cmds

Build 102
PSARC 2008/631 Kerberos PKINIT

PSARC 2008/358 removal of kadm5.keytab

Build 91
PSARC 2007/401 kclient version 2 

Build 75
PSARC 2007/335 kdcmgr utility

Build 73

PSARC 2006/277 Support for Kerberos Records in LDAP Directory

Build 71
PSARC 2006/690 Kerberos client configuration improvements

Build 51

PSARC 2006/424 Kerberos 1.4 KDC Resync

Build 38
PSARC 2006/027 Open Kerberos APIs

Build 12

PSARC 2005/054 Kerberos Cred Auto-Renew

Change Requests

Build 119

  • 6835384 KDC doesn't rebind after rebooted LDAP server
  • 6848169 fix for kdb ldap plugin timeout incomplete, still using 10ms, should be 1s
  • 6787354 kpropd cored when converting incremental update to kdb entry for a particular principal

Build 118

  • 6405422 Solaris acceptors fail in AD-KDC environments when using non-"host" services (e.g. "cifs")
  • 6824434 Unable to accept context establishment initiated by Windows 2000 clients
  • 6787343 kclient's site lookups fail in certain network environments
  • 6692646 kclient should output errors to stderr
  • 6745582 SUNWkdcu missing package dependencies after kclientv2 integration
  • 6525327 kinit failed when arcfour-hmac-md5-exp was used for the principal's key
  • 6814806 kdcmgr lies when it says it will remove files
  • 6825171 kdcmgr calls /usr/ucb/tr which isn't found in OpenSolaris

Build 117

  • 6802931 krb5 nfs allows access to shares without credentials by symlinking to someone else's cred cache
  • 6840235 Some slight changes need to be made to gssd_getuid.c to be more readable

Build 116

  • 6837512 krb5.h C++ guards are wrong

Build 111

  • 6799884 pam_krb5 could allow authentication to an attacker's KDC
  • 6746597 kpropd full resync window does not time out

Build 106

  • 6758625 pam_krb5 is unable to communicate with ktkt_warnd; 50-second delays to login/screen unlock

Build 105

  • 6752096 krb5_renew_tgt incorrectly tests for the value of char filepath
  • 6724959 pam_modules/krb5/utils.h`set_active_user() declaration is adrift
  • 6724557 Potential for a memory leak in krb5_setcred's krb5_renew_tgt routine
  • 6691206 pam_krb5's store_cred should always store new credentials if a previous auth pass was successful

Build 104

  • 6763503 Prompts for kadmin and ktutil use too much space
  • 6756928 Kerberos incorrectly displays the error message "krb5 conf file not configured"
  • 6756312 krb5int_pbkdf2_hmac_sha1() should not call C_DestroyObject() after C_GenerateKey() fails
  • 6748874 Assertion panic in cryptmod due to incorrect calculation of assertion.
  • 6712440 AES-256 not functioning on T6320 chip
  • 6704459 assert defined in k5-thread.h produces number of false positives
  • 6683649 krb5.conf autologin setting should be valid for rsh/rlogin/rcp/rdist as well as telnet
  • 6680327 kdb5_util/kdb5_ldap_util core dumps and prints incorrect progname on error paths
  • 5047971 kadmin could use libtecla for enhanced command history and editing

Build 102

  • 6749302 pam_krb5 auth fails with key table entry not found
  • 6698059 Resync with mit 1.6.3 (pkinit)

Build 99

  • 6736781 Memory leak in mech_krb5.so.1 when obtaining FQHN for comparison to host principal

Build 96

  • 6727618 panic in n2cp::blockatomic
  • 6716600 cryptmod encrypt_block() "plainlen" needs to be replaced by "cipherlen"

Build 93

  • 6647874 LDAP backend uses 10ms connection timeout
  • 6607813 pam_krb5 setcred coredumps on successful refresh if auth was not previously called

Build 92

  • 6704617 kclient needs cleanup and occasionally hangs during join when a DC is down within the domain
  • 6663377 krb5int_dns_init() doesn't initialize _res_state structure
  • 6523785 kerberos unseal from buggy client causes a core

Build 91

  • 6707999 6692336 breaks nightly
  • 6692336 ktkt_warnd(1M) client code should be a library
  • 6679338 nfs with sec=krb5 slows around service ticket expiration
  • 6629530 kpasswd(1) in SET_CHANGE mode should try kpasswd_server first
  • 6405691 kclient should be used to configure DHCP/VPN clients and for non-Solaris KDCs
  • 6362266 kclient doesn't support aliasing KDCs
  • 6287615 kclient enhancement to support domain joining for AD interop
  • 6263626 kclient does not accept 'search' type lines in resolv.conf

Build 90

  • 6689008 kwarn_add_warning should not output errors to stderr
  • 6574888 Principals using delegated credentials are not being registered with ktkt_warnd for auto-renewal
  • 6516568 Warning messages still being displayed on krb ccache ownership

Build 89

  • 6642279 kdcmgr has to run twice if the pw file option is used and an existing db is present
  • 6455225 pam_krb5 should overwrite ccache with new credentials when handling pam_setcred(PAM_REFRESH_CRED)

Build 88

  • 6658621 Configuration checks for kerberos daemons should be done by the daemons themselves
  • 6658624 Missing error strings for new kerberos DB error types
  • 6658627 kpropd should use its executable name and not the full path when logging error messages
  • 6658631 error messages in kerberos daemons need cleanup
  • 6664832 various memleaks in krb libs
  • 6245750 kadmin "Bad encryption type" error should state the enctype

Build 84

  • 6618414 Kerberos KDC db integrity issue

Build 83

  • 6620943 ktadd fails for principal with history when using ldap plugin
  • 6604635 kdb ldap integration removed rev/recurse kdb5_util dumps

Build 82

  • 6621239 adb_policy_init makes the wrong assertion
  • 6641415 kadmind cores when using the ldap backend and "sunw_dbprop_enable" is set to true
  • 6644742 kadmind cores when using an 'afs3' salt and password > 8 chars
  • 6647708 Cannot create des keys with afs3 salt
  • 6612490 kdb5_util should not coredump if krb5.conf is misconfigured

Build 81

  • 6621129 generic_gss_release_oid() should check for oid == NULL before dereferencing

Build 80

  • 6355106 rcache should include the "none" type

Build 78

  • 6548599 AES encrypt function in kmech_krb5 is broken for 16 byte input, causes NFSsec interop problems

Build 76

  • 6607007 kdcmgr left tmp files in /etc/krb5 directory
  • 6607659 Despite calling pam_end, pam_krb5 module data not being freed
  • 6607874 Kerberos incremental propagation no longer working

Build 75

  • 6231080 Solaris Kerberos needs a cmdline utility to auto-configure a master/slave KDC
  • 6588844 gkadmin's help file uses user-visible SCCS keywords
  • 6596185 kadmin negates -allow_tix when adding a principal record
  • 6598545 Client key decrypt receives bad integrity check when master key is AES
  • 6608620 krb ldap putback broke the export source build

Build 74

  • 6573019 mit 1.4 sub-glue layer resync
  • 6586580 kadmin dumps core on error path due to a double-free.
  • 6595197 kadmin dumps a core during ktadd

Build 73

  • 6399903 Support for Kerberos Records in LDAP Directory
  • 6520554 MIT bug #5427 with krb5_kt_get_name()
  • 6538725 ktutil can't list keys with unknown (unsupported) encryption types.
  • 6558280 klist and ktutil should be more detailed about message displayed for unsupported encryption type
  • 6597851 dmake lint in usr/src/lib/gss_mechs/mech_krb5 broken

Build 71

  • 6496710 enable dns_lookup_kdc by default
  • 6499339 krb zero conf needs better realm lookup logic
  • 6523887 krb should support client side referrals
  • 6528391 krb5.conf should not be delivered in a misconfigured state

Build 69

  • 6550530 pam_krb5_migrate's expire_pw expires the Kerberos password too late
  • 6557188 included pam_krb5 doesn't function correctly as 'auth required' in pam.conf
  • 6559678 kpasswd returns "KDC reply did not match expectations" when using Heimdal server
  • 6564714 Option "-m" doesn't work for kadmind. 
  • 6564718 kdb5_util dump doesn't create a "dump ok" file if the master key is not available
  • 6570434 libkadm5srv should be smarter in figuring out the enc type of the master key in the stash file
  • 6575452 kdb5_util should be more robust after CF providers have failed

Build 66

  • 6440682 mech_krb5 should make fewer calls to PKCS#11 for AES
  • 6543610 Possible memory leak in krb5_acct_mgmt
  • 6549922 krb build broken when -DDEBUG used

Build 65

  • 6217259 A sun4u specific kmech_krb5 is unnecessary
  • 6475878 nss2 Memleak test suite may have exposed a mech_krb5 Memleak
  • 6534935 Potential memory leak within libkadm5clnt.so.1 if out of memory condition occurs.

Build 64

  • 6543658 krb5_set_default_tgs_enctypes: referenced symbol not found

Build 63

  • 5073551 krlogin, krsh, ktelnet default PAM stacks look wrong.
  • 6533858 zones unusable in s10u4_04 due to corrupted local zone pam.conf

Build 62

  • 6531864 ktkt_warnd not warning after login

Build 60

  • 6527403 pam_krb5 acct mgmt does not respect the account authority in certain configurations

Build 59

  • 6394510 error table is out of whack
  • 6497698 krb5kdc(1) should also provide password expiration information
  • 6497703 pam_krb5(5) should interpret the key expiration field to display expiration warning information
  • 6515558 Pre-s10 client's keytab file are generated incorrectly when auth princ == target princ
  • 6523684 Memory rcache function doesn't acquire the right locks

Build 58

  • 6476400 kerberized r-commands are not compatible with earlier versions for large buffers

Build 56

  • 4854431 krb5_gss_acquire_cred() does not implement correct GSS_C_NO_NAME semantics
  • 6290693 krb mech isn't doing the right thing in regards to gss_delete_sec_context and the output token
  • 6266812 pam_krb5 and pam_krb5_migrate localize their syslog messages
  • 6251822 klist will core dump if KRB5CCNAME is set to empty string("export KRB5CCNAME=")
  • 6225779 kadmin.local -q listprincs should not output warnings to stdout
  • 6396614 kadmin's Usage output is incomplete, missing [-w password]]
  • 6430941 pam_krb5 pam_sm_setcred can cause /tmp/krb5cc_<PAM_USER> to be owned by euid rather than PAM_USER
  • 6460287 kadmin should use pager for listpols
  • 6463960 Missing dependencies in some gss and krb packages
  • 6484675 pam_krb5(5) needs some cleanup
  • 6491792 gss_unwrap() is causing duplicate token detection to fail for subsequent calls to gss_unwrap()
  • 6499804 pam_krb5 account management should not return success if user is not defined in kerberos realm

Build 52

  • 6471429 clients using SET_CHANGE do not log the change to kadmin.log
  • 6474547 After setting SET_CHANGE kpasswd returns false positives
  • 6478028 pam_krb5's password management should not be prompting for old or for new passwords
  • 6478031 Typo in krb change pw too soon message
  • 6367849 kdb5_util will core dump if krb5.conf doesn't contain default_realm info.
  • 6415909 kadmin hangs when authenticating with an admin principal which contains '\@'
  • 6419447 HAVE_ACCESS should be defined for prof_file.c

Build 51

  • 6406993 kdc and client resync with MIT 1.4 [PSARC 2006/424]

Build 50

  • 6461867 RootDialog uses unstable "Sun proprietary" API java.awt.peer.ComponentPeer
  • 6464346 pam_krb5 should never prompt for the user name

Build 47

  • 6395124 pam_krb5 tries to validate twice when given a bad password

Build 40

  • 6419764 mech_krb5.so is missing krb5_set_principal_realm()
  • 6403208 kadmin.local -q 'cpw -randkey <princ>' not using all supported enctypes
  • 6334655 with <rc type>=MEMORY as said in krb5envvar(5), replay cache is not working.
  • 6234782 Kerberos and GSSAPI should not use fopen

Build 39

  • 6249682 kadmin allocates a structure of the wrong size
  • 6380982 Kerberos cred expire/renew warning messages are ambiguous

Build 38

  • 6381288 we should expose the krb5 api [PSARC 2006/027]
  • 6359452 kerberos are not parsing time format correctly
  • 6354746 krb5 is not adding ipv6 addresses to AS-REQ messages.

Build 37

  • 6388132 Since 1.4 resync, prompts with double ":"'s have cropped up
  • 6366878 Double free in krb5_get_server_rcache
  • 6362413 double free in krb5 code
  • 6362366 logic error in krb5 replay cache name parsing

Build 36

  • 6380193 when the kerberos db is created obsolete principals should not be created.

Build 35

  • 6291368 kinit dumps core when authenticating against heimdal 0.7pre KDCs when the KDC requires preauthentica
  • 6250268 kadmind error log message when keytab entries not found isn't helpful
  • 6380111 kadmind should try to provide iprop service even if it can't provide kadmin or changepw services.

Build 34

  • 6378797 cryptmod panic seen with MIT rlogin client

Build 33

  • 6317227 telnet doesn't like default_tgs_enctypes = des-cbc-md5

Build 31

  • 6355094 Some parts of the krb mem rcache should use locking
  • 6355096 rcache name value is now expected to be fully qualified
  • 6364866 Call to krb5_kt_free_entry() after krb5_kt_get_entry() fails results in a crash

Build 30

  • 6344030 gcc and krb5 don't get along anymore

Build 27 

  • 6224704 core kerberos mechanism resync with MIT 1.4

Build 26

  • 6320871 kinit fails if default_tkt_enctypes = des-cbc-crc but princ has des-cbc-md5 and preauth required

Build 23

  • 6303768 kinit core dumping trying to authenticate against Heimdal KDC server

Build 22

  • 6271231 gcc and cmd/krb5 don't get along

Build 21

  • 6301844 mech_krb5 has problem working on 64 bit systems
  • 6292709 gss_store_cred() doesn't set elements_stored if it's called with desired_mech=Kerberos.
  • 6262680 lock usage error in krb5_gss_init_sec_context()

Build 20

  • 6260520 Call gss_context_time() with a handle of an un-established SPNEGO context, it will core dump.
  • 6259944 call gss_acquire_cred() with SPNEGO OID, it returns GSS_S_COMPLETE but did not return any credential

Build 19

  • 6265737 Decrypt integrity failure with kpasswd and AD
  • 6193587 Can not specify encryption types when creating new principals via gkadmin
  • 6280644 "/usr/lib/krb5/kprop -P $port $host" won't work on little endian systems(x86)
  • 6278018 Setting kpasswd_protocol affects more than change password
  • 6264514 krb5kdc's documentation properties points to kadmind(1M)

Build 18

  • 6278388 more possible mech_krb5 memory leaks

Build 17

  • 6248987 6219223 went too far -- previous gssd_handle.c copyright should be restored

Build 15

  • 6247126 krb5_verify_init_creds returns ERR if def keytab is missing, even though verify_ap_req_nofail=false

Build 12

  • 6190609 SMF: kpropd service should be separated from krb5kdc
  • 6239271 kadmin/kadmin.local will hang if the user issue "ank -e" without salt specified.
  • 6231403 mech_krb5 has a non-integral constant expression for MAX_CHARS_FOR_INT_TYPE
  • 5088665 ktkt_warnd(1m) should kinit -R for users whose tickets are expiring [PSARC 2005/054]

Build 10

  • 6227969 smf(5) introduces race condition between connection tear down and port bind, on kadmin svc restart
  • 6219104 FTP and FTPD buffers are too small, cause AD interop issues
Created by admin on 2009/10/26 12:14
Last modified by admin on 2009/10/26 12:14