sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-01 04:58:35 +03:00
Code

mit-kdb: Restrict admin/changepw principal db_entry with some flags

Browse Source 
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Günther Deschner 2014-08-07 15:04:42 +02:00 committed by Andrew Bartlett
parent b76cf191d9
commit 05cc9b0af9
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
source4/kdc/mit-kdb/kdb_samba_principals.c
View File

@ -277,6 +277,18 @@ krb5_error_code kdb_samba_db_get_principal(krb5_context context,
code = ks_get_principal(context, princ, kflags, kentry);
/*
* This restricts the changepw account so it isn't able to request a
* service ticket. It also marks the principal as the changepw service.
*/
if (ks_is_kadmin_changepw(context, princ)) {
/* FIXME: shouldn't we also set KRB5_KDB_DISALLOW_TGT_BASED ?
* testing showed that setpw kpasswd command fails then on the
* server though... */
(*kentry)->attributes |= KRB5_KDB_PWCHANGE_SERVICE;
(*kentry)->max_life = CHANGEPW_LIFETIME;
}
return code;
}