NIM file ccache support improvements
NIM supports the ability of the user to specify an
explicit ccache name for use with an identity. If
this ccache is a FILE ccache, we need to be able to
store credentials into the ccache. krb5cred.dll
did not previously specify the KRB5_TC_OPENCLOSE flag
on the ccache when setting other flags such as
KRB5_TC_NOTICKET (which is used with MSLSA ccaches).
As a result, open/close mode was turned off, the
ccache file would be opened in read-only mode and
attempts to store credentials into the ccache would
fail. This is fixed by specifying KRB5_TC_OPENCLOSE
when setting the ccache flags.
When a CCAPI implementation is unavailable, we need
to automatically generate the FILE ccache name if
one has not already been specified. We default to
a file stored in the user's Local Settings\Temp
directory. The generated ccache is then added to
the file ccache watch list.
Finally, some users have complained about the
behavior of Microsoft Vista's UAC mode and how
it makes the CCAPI cache useless for storing
credentials that must be used in conjunction
with processes that do not have restricted
privileges since those processes run in a
separate logon session. For these users we
have added a "DefaultToFileCache" registry
value that can be specified to force the use
of FILE ccaches in preference to CCAPI ccaches
when there is no explicit ccache specified
for a given identity. Unlike CCAPI ccaches,
the FILE ccaches are accessible from both
restricted and unrestricted processes when
UAC is active.
ticket: new
component: windows
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19897
dc483132-0cff-0310-8789-
dd5450dbe970
projects / krb5.git / commit