
Releases: jcmturner/gokrb5

Fix keytab load issue

28 Jan 21:28
v7.0.2

fix swallowed error in keytab load

Version 7 API Refactor

26 Jan 13:53

Version 7

Version 7 is a significant refactor and review of the API.

Below are the most significant changes to the API.
Not all changes are covered here.

Client Configuration

KRB5 Configuration

In previous versions of gokrb5 a client would be created with a constructor
function and then the WithConfig function would be used to provide the krb5
configuration. In v7 the constructor takes the krb5 configuration as an argument.

cl := client.NewClientWithKeytab("username", "REALM.COM", kt, cfg)

Optional Client Settings

Previously optional settings on the client could be made by updating field values
on the client's GoKrb5Conf struct, for example cl.GoKrb5Conf.DisablePAFXFast = true.
In v7 these settings are provided to the constructor. For example:

cl := client.NewClientWithPassword("username", "REALM.COM", "password", cfg, client.DisablePAFXFAST(true))

Client SPNEGO

In previous versions there was a SetSPNEGOHeader method on the client.
In v7 there is a SetSPNEGOHeader function that takes a pointer to a client struct
as an argument:

err := SetSPNEGOHeader(&cl, r, "")

Service SPNEGO

In previous versions configuring an HTTP handler to be wrapped in SPNEGO authentication
required a service configuration struct and a logger to be passed as arguments.
In v7 the HTTP handler, a pointer to the keytab and optional settings are passed:

spnego.SPNEGOKRB5Authenticate(inner, &kt, service.Logger(l))

GSS-API and SPNEGO

The GSS-API and SPNEGO interfaces have been fully refactored in v7.
Previously SPNEGO functionality was part of the gssapi package.
There are now separate gssapi and spnego packages.

Other Public Function and Field Changes

TGS Exchange

The TGSExchange function would generate the TGS_REQ message and then exchange
it with the KDC. In v7 this now takes the TGS_REQ message as an argument.
The new TGSREQGenerateAndExchange function is the v7 equivalent of previous
versions' TGSExchange function.

Client AddSession

In previous versions AddSession was a public method. In v7 this is now private.

Client Credentials

Many of the client credentials' fields have been made private. Public methods have
now been provided to access the values.

The functions for creating a new client credentials instance have been renamed from
credentials.NewCredentials to credentials.New and from NewCredentialsFromPrincipal
to NewFromPrincipal. This is to eliminate the stutter in the code style.

Keytab

New Keytab

The function for creating a new keytab instance has been renamed from
keytab.NewKeytab to keytab.New. This is to eliminate the
stutter in the code style.

Parsing Keytab Bytes

In previous versions a stream of bytes would be read into a keytab instance using
the keytab.Parse function. This has been replaced with an Unmarshal method
on the keytab struct.
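The Unmarshal method reads the keytab file format. As an added illustration, not code from gokrb5, the stand-alone Go program below decodes the same on-disk layout: a 0x0502 version header, then records each prefixed by a signed 32-bit size (a negative size marks a deleted slot), holding the component count, a counted realm, counted name components, name type, timestamp, an 8-bit key version number, the keyblock (16-bit enctype and counted key bytes) and an optional trailing 32-bit key version number. The Entry and cursor types, the byte layout in sampleKeytab and its key material are all constructed for this example; the parser returns an error rather than panicking on truncated input.

```go
package main

import (
	"encoding/hex"
	"errors"
)

// Entry is one principal/key record from a keytab file.
type Entry struct {
	Realm      string
	Components []string
	KVNO       uint32
	KeyType    uint16
	Key        []byte
}

// Keytab holds the entries decoded from a keytab byte stream.
type Keytab struct{ Entries []Entry }

// cursor is a bounds-checked reader with a sticky error: truncated or
// malformed input ends in an error rather than a panic.
type cursor struct {
	b   []byte
	off int
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err == nil && (n < 0 || n > len(c.b)-c.off) {
		c.err = errors.New("keytab: truncated data")
	}
	if c.err != nil {
		return nil
	}
	c.off += n
	return c.b[c.off-n : c.off]
}

// uint reads an n-byte big-endian unsigned integer (n <= 4).
func (c *cursor) uint(n int) uint32 {
	var x uint32
	for _, b := range c.take(n) {
		x = x<<8 | uint32(b)
	}
	return x
}

// counted reads a 16-bit length prefix followed by that many bytes.
func (c *cursor) counted() []byte { return c.take(int(c.uint(2))) }

// Unmarshal decodes keytab file format version 0x0502 into kt. Each record is
// prefixed by a signed 32-bit size; a negative size marks a deleted slot.
func (kt *Keytab) Unmarshal(b []byte) error {
	if len(b) < 2 || b[0] != 0x05 || b[1] != 0x02 {
		return errors.New("keytab: unsupported format version")
	}
	c := &cursor{b: b[2:]}
	for c.err == nil && c.off < len(c.b) {
		size := int32(c.uint(4))
		if size < 0 {
			c.take(int(-size)) // deleted slot: step over its stale bytes
			continue
		}
		e, err := parseEntry(c.take(int(size)))
		if err != nil {
			return err
		}
		kt.Entries = append(kt.Entries, e)
	}
	return c.err
}

// parseEntry decodes one record: component count, realm, components, name
// type, timestamp, 8-bit kvno, keyblock and an optional trailing 32-bit kvno.
func parseEntry(raw []byte) (Entry, error) {
	var e Entry
	c := &cursor{b: raw}
	n := c.uint(2)
	e.Realm = string(c.counted())
	for i := uint32(0); i < n && c.err == nil; i++ {
		e.Components = append(e.Components, string(c.counted()))
	}
	c.take(8) // name type and timestamp are not needed here
	e.KVNO = c.uint(1)
	e.KeyType = uint16(c.uint(2))
	e.Key = append([]byte(nil), c.counted()...)
	if c.err == nil && len(raw)-c.off >= 4 { // a non-zero 32-bit kvno wins
		if v := c.uint(4); v != 0 {
			e.KVNO = v
		}
	}
	return e, c.err
}

// sampleKeytab is a constructed keytab (not from any real system): a deleted
// slot, then HTTP/host.example.com@EXAMPLE.COM, etype 17, 16-byte key, kvno 2.
func sampleKeytab() []byte {
	b, err := hex.DecodeString("0502" + // format version
		"fffffffc00000000" + // deleted slot: size -4 followed by 4 stale bytes
		"00000048" + "0002" + // entry size 72, two name components
		"000b4558414d504c452e434f4d" + // realm "EXAMPLE.COM"
		"000448545450" + "0010686f73742e6578616d706c652e636f6d" + // "HTTP", "host.example.com"
		"00000001" + "65534a00" + "02" + // name type 1, timestamp, 8-bit kvno 2
		"0011" + "0010" + "30313233343536373839616263646566" + // etype 17, placeholder key
		"00000002") // optional 32-bit kvno
	if err != nil {
		panic(err)
	}
	return b
}
```

Call Unmarshal on a Keytab value with the file bytes; the sticky-error cursor guarantees that no length field read from the file can index past the input, which is the property to insist on in anything that parses a file holding key material.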

Principal Name as String

Previously there was a GetPrincipalNameString method to return a principal name as
a string. The name of this method has been simplified to PrincipalNameString.

AP_REQ Verification

Previously the function ValidateAPREQ was available to verify an AP_REQ. As
part of achieving consistency throughout the codebase, the use of the terms validate and
verify has been reviewed, and ValidateAPREQ has been renamed VerifyAPREQ.

Minor fix

28 Dec 21:57
  • Fix to types.GetHostAddress which is used during AP_REQ validation

User-to-user authentication

30 Nov 21:55

Client deadlock fix

10 Nov 16:55
  • Fixed issue where client would hang as a result of deadlock with automatic ticket renewal
  • Respect the case of realms in the DNS to realm mapping configuration

EncType configuration fix

06 Nov 22:02

Fix enctype configuration name to ID mapping

Cryptography improvements

31 Oct 22:21
  • prevent potential for timing side channel on hash comparisons.
  • ensure weak 3DES keys are not used.
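Both items in this release are defensive checks that a stand-alone Go program can illustrate. Added here as an example and not taken from gokrb5: VerifyHMACSHA1_96 recomputes a 96-bit HMAC-SHA1 checksum (the shape the AES enctypes use) and compares it with crypto/subtle so the comparison time does not depend on where the first mismatching byte sits, and IsWeak3DESKey screens a 24-byte 3DES key against the DES weak and semi-weak key table before it would be handed to crypto/des, which checks only the key length. The function names, the key and message bytes, and the extra equal-components rule are this example's own.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"fmt"
)

// desWeakKeys lists the four DES weak keys and twelve semi-weak keys in their
// odd-parity form. Comparisons below ignore parity bits, so a key that differs
// only in parity from one of these is still rejected.
var desWeakKeys = [][8]byte{
	{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
	{0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE},
	{0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1},
	{0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E},
	{0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E},
	{0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01},
	{0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1},
	{0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01},
	{0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE},
	{0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01},
	{0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1},
	{0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E},
	{0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE},
	{0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E},
	{0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE},
	{0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1},
}

// IsWeakDESKey reports whether an 8-byte DES key is weak or semi-weak,
// ignoring the parity bit of each byte.
func IsWeakDESKey(k []byte) bool {
	if len(k) != 8 {
		return false
	}
	for _, w := range desWeakKeys {
		match := true
		for i := range w {
			if k[i]&0xFE != w[i]&0xFE {
				match = false
				break
			}
		}
		if match {
			return true
		}
	}
	return false
}

// IsWeak3DESKey reports whether a 24-byte 3DES key should be refused: any
// 8-byte component is a DES weak or semi-weak key, or two adjacent components
// are equal so the triple encryption collapses to single DES. Go's crypto/des
// checks only the key length, so this screening has to happen before
// des.NewTripleDESCipher. The equal-components rule is this example's own
// addition on top of the weak-key table.
func IsWeak3DESKey(key []byte) bool {
	if len(key) != 24 {
		return true
	}
	k1, k2, k3 := key[0:8], key[8:16], key[16:24]
	if IsWeakDESKey(k1) || IsWeakDESKey(k2) || IsWeakDESKey(k3) {
		return true
	}
	return bytes.Equal(k1, k2) || bytes.Equal(k2, k3)
}

// HMACSHA1_96 returns the 12-byte truncated HMAC-SHA1 of data, the checksum
// shape used with the AES Kerberos enctypes (RFC 3962).
func HMACSHA1_96(key, data []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(data)
	return m.Sum(nil)[:12]
}

// VerifyHMACSHA1_96 recomputes the checksum and compares it in constant time.
// An ordinary equality check can stop at the first mismatching byte, which
// lets an observer learn from the response time how many leading bytes of a
// forged tag were correct.
func VerifyHMACSHA1_96(key, data, tag []byte) bool {
	if len(tag) != 12 {
		return false // a short or empty tag never shrinks the comparison
	}
	return subtle.ConstantTimeCompare(HMACSHA1_96(key, data), tag) == 1
}

func main() {
	key, msg := []byte("0123456789abcdef"), []byte("constructed AP-REQ bytes")
	tag := HMACSHA1_96(key, msg)
	fmt.Printf("tag %x ok=%v\n", tag, VerifyHMACSHA1_96(key, msg, tag))
	fmt.Println("3DES key of 0x01 bytes weak:", IsWeak3DESKey(bytes.Repeat([]byte{0x01}, 24)))
}
```

RFC 3961 requires des3 key generation to avoid the weak keys; this example only detects them and leaves it to the key generator to replace or repair a flagged key.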

Bug fixes for pre-auth and SPNEGO

27 Oct 06:34
  • Support for SPNEGO Microsoft Legacy KRB5 mech type
  • The client now remembers the enctype to use for pre-authentication and better handles a KDC_ERR_PREAUTH_FAILED error when attempting pre-authentication

Minor fixes and enhancements

08 Sep 20:52
  • Improved errors from krb5 config parsing
  • Fixed truncated FQDN of client credential when KDC is Active Directory
  • Integration testing against Apache HTTPD 2.4 mod_auth_gssapi

PAC Decoding Improvements and General Refactoring

28 Aug 21:56

service.SPNEGOKRB5Authenticate now takes a service.Config argument

Adopts the goidentity.v3 interface for credentials added to the http request context on the service side. This interface supports arbitrary attributes. Code that extracts the credential from the context and performs a type assertion to a Credentials type will need to be updated to assert to a goidentity.Identity type.

NDR decoding now uses gopkg.in/jcmturner/rpc.v1. The following packages have been removed:

  • gopkg.in/jcmturner/gokrb5.v5/mstypes
  • gopkg.in/jcmturner/gokrb5.v5/ndr

Review of exported functions, methods and fields. The following have been made private:

  • client.SendToKDC
  • client.GetSessionFromPrincipalName
  • client.GetSessionFromRealm
  • client’s Cache field
  • client.sessions - all fields
  • service.Cache’s Entries field
  • service.clientEntries - all fields
  • service.replayCacheEntry - all fields

config.LibDefaults field is now a value not a pointer