2003-07-16 Jeffrey Altman <jaltman@mit.edu> * ms2mit.c: Functional changes: (1) do not restrict ourselves to DES-CBC-CRC instead support any ticket with an enctype we support. as of this date (rev 1.3) this includes all but RC4-MD4. (2) do not accept invalid tickets (3) when attempting to retrieve tickets do not specify either the enctype or cache options (if possible). doing so will force a TGS request and prevent the results from being stored into the cache. (4) when the LSA cache contains a TGT which has expired Microsoft will not perform a new TGS request until the cache has been purged. Instead the expired ticket continues to be used along with its embedded authorization data. When PURGE_ENABLED is defined, if the tickets are expired, the cache will be purged before requesting new tickets, else we ignore the contents of the cache and force a new TGS request. (5) when the LSA cache is empty do not abort. On XP or 2003, use the SecurityLogonSessionData to determine the Realm (UserDnsDomain in MS-speak) and request an appropriate TGT. On 2000, check the Registry for the HKCU\"Volatile Environment":"USERDNSDOMAIN" instead. This will allow ms2mit to be used to repopulate the LSA cache. If the current session is not Kerberos authenticated an appropriate error message will be generated. Code changes: (1) several memory leaks plugged (2) several support functions copied from the Leashw32.dll sources (3) get_STRING_from_registry() uses the ANSI versions of the Registry functions and should at a later date be converted to use the Unicode versions. Notes: an ms2mit.exe based on the Leash_import() function should be considered. Leash_import() not only imports the TGT from the LSA but also performs the krb524 conversion and AFS token retrieval. Of course, that version of ms2mit.exe could not exist within the krb5 source tree. 2003-06-20 Jeffrey Altman <jaltman@mit.edu> * ms2mit.c: Windows Credentials are addressless. Do not store the credentials in the MIT cache with addresses since they do not contain addresses in the encrypted portion of the credential. Instead generate a valid empty address list. 2002-08-29 Ken Raeburn <raeburn@mit.edu> * Makefile.in: Revert $(S)=>/ change, for Windows support. 2002-08-23 Ken Raeburn <raeburn@mit.edu> * Makefile.in: Change $(S)=>/ and $(U)=>.. globally. 2001-11-28 Danilo Almeida <dalmeida@mit.edu> * ms2mit.c: Make sure we get a des-cbc-crc session key instead of potentially getting whatever happens to be in the cache. Remove unnecessary static variables. Make function headers use a consistent format. Rename ShowLastError() to ShowWinError() and ShowNTError() to ShowLsaError().