Heimdal upgrade, really happening this time

Andrew Bartlett abartlet at samba.org
Thu Aug 26 00:27:01 UTC 2021

Just another update on the Heimdal upgrade.

I was motivated to rebase again so we could potentially allow Luke to
test his new FAST changes with our tests.

All the Samba-specific patches to Heimdal are now in lorikeet-heimdal,
and are listed here:

c946d9e63dcefcc2f99fbe32e8f8eff24262abb9 (HEAD -> lorikeet-heimdal-tmp, lorikeet-heimdal/lorikeet-heimdal-202108260003, lorikeet-heimdal-202108260003) source4/heimdal/lib/krb5/init_creds_pw.c KRB5_NT_ENTERPRISE_PRINCIPAL ctx->flags.canonicalize = 1
da776d5299ab3e843fd56c5edc9a557b6d7d0b87 source4/heimdal/lib/krb5/mcache.c anonymous resolving
40a36415a01da169e74a6e2b77c8b26fd93e93d5 tgs-rep: always return canonical realm
342ad14433cabae9e15dea43d73ae62217988f58 TODO: auth: For NTLM and KDC authentication, log the authentication duration
947caea4cdd2c0fffbc69329c0b50b08b1671067 lib/krb5 correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals
299dce8c28a9e1bef1d234a4afec8de549d0c98b TODO CHECK heimdal: Fix loss of information in _gsskrb5_canon_name() from call to krb5_sname_to_principal()
4fc9a9b0a2a37af6a545de7c7c1841152f384375 heimdal: Honour KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME in parse_name_canon_rules()
f6538470c0f18466bec12aef48ab142c7dbcdb6e TODO: kdc: match new GSS pre-auth prototype to ENC-TS etc
bf0d53ff66c026e38c894c5ac74109c4bd711fdc TODO: heimdal: Pass extra information to hdb_auth_status() to log success and failures
1fd6203e8bb3ce04a519f1a6c1ecd75d4377c263 Change KDC to respect HDB server name type if f.canonicalize is set
f22b2b980078ab9f52d6bbe4cb48395c57b7f777 lib/krb5 correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals
c9b20508c251b8e190dec4e554b68c325c1acac2 HEIMDAL:kdc: make it possible to disable the principal based referral detection
85ab37844b4819b1c30e4b642c13774cddd0f9b9 lib/krb5: windows KDCs always return the canonicalized server principal
e5ec1c4f8b08d927d8abe0bdce8d81dfde7bc3a1 HACK: Netbios Domain as Realm
8a2fd96dfe00306dc64df75731cf3fa0fa42b0f9 kdc: use the correct kvno number for PKINIT in the AS-REP
3b73118dd77dfec525958aba9353f893785be847 kdc: add krb5plugin_windc_pac_pk_generate() hook

I need to stop now, but next I'll see about dropping the
source4/heimdal/lib/krb5/init_creds_pw.c KRB5_NT_ENTERPRISE_PRINCIPAL ctx->flags.canonicalize = 1

We also need to fix our KDC tests not to use the -1111 enc type, as
Heimdal considers it (correctly per the RFC) as 'modern'.  We need to
perhaps change it to 3des or such to get the pattern we want.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
