Heimdal upgrade, really happening this time

Andrew Bartlett abartlet at samba.org
Sun Aug 8 23:12:59 UTC 2021

On Fri, 2021-07-09 at 22:29 +1200, Andrew Bartlett via samba-technical wrote:
> We now have a mostly-working branch of current Heimdal on current
> Samba, compiling on all our supported systems, which is pretty
> impressive.

I just wanted to wrap back to the list with an update.  Thanks to some
great work with Luke Howard recently, a host of our pull requests with
Heimdal have either been merged or will be shortly (as in, I made the
requested changes and expect them to be accepted).

This means that we are actually fairly close to upstream Heimdal,
closer than we ever have been, I dare to suggest.

The remaining changes outstanding are:

(these will go in shortly)
405e9d62c4f1785b565477c14b234455e42f5a00 (lorikeet-heimdal-202108082250) Reintroduce krb5_addlog_func() as as supported API
758336ede39858c173818474ad5622fca74977ef Allow KDC to always return the salt in the PA-ETYPE-INFO[2]

(these need to be submitted, improved or removed, ideally)
ba8d4f87c1ac2ade8457c71ed7596c857ed327ee tgs-rep: always return canonical realm
dadc77a5aa8a5554c424bf564e7c43f561f90296 TODO: auth: For NTLM and KDC authentication, log the authentication duration
4745180e75403b02a6c76c72ef50827baf0bbc80 lib/krb5 correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals
f64d59550727a1cdcd38faf71e608af2fc82575f TODO CHECK heimdal: Fix loss of information in _gsskrb5_canon_name() from call to krb5_sname_to_principal()
9343a315524bae25ae29307fbc27ae5ad24c1747 heimdal: Honour KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME in parse_name_canon_rules()
eec5822c9ac6d031e0ad62a55dc4e111355dd2bb TODO: heimdal: Pass extra information to hdb_auth_status() to log success and failures
ab6abb084231eda70f00eba5f8b869b71688ea7c Change KDC to respect HDB server name type if f.canonicalize is set
bb7c77747e6655aba98b365d8edfe5693c1d38a7 Export krb5_init_creds_* functions
ec3346d309ad4a12bd45216e3b778ac0db9fdb04 lib/krb5 correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals
3d1e065561dc18bc30ce583ed2fc58b7aafcc51e HEIMDAL:kdc: make it possible to disable the principal based referral detection
a3cad540ecae6696b5ffcf5c5e90a665ca97a822 lib/krb5: windows KDCs always return the canoncalized server principal
0f1e376f8f93ba01aadf38be3561191f4322e7a0 HACK: Netbios Domain as Realm
7e3b4a0147dafe103cc2bfbbecf50141106fdd9a kdc: use the correct kvno number for PKINIT in the AS-REP
8f172e63a3fe34ac552965f13e2ffab31c63c5ac kdc: add krb5plugin_windc_pac_pk_generate() hook

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
