sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-26 21:57:41 +03:00
Code

s3:libads: ads_krb5_chg_password() should always use the canonicalized principal

Browse Source 
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.

There's no reason to have a different logic between MIT and Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
This commit is contained in:
Stefan Metzmacher 2019-09-13 16:04:30 +02:00 committed by Günther Deschner
parent 162b419949
commit 303b7e59a2
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
source3/libads/krb5_setpw.c
View File

@ -202,6 +202,12 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
krb5_get_init_creds_opt_set_renew_life(opts, 0);
krb5_get_init_creds_opt_set_forwardable(opts, 0);
krb5_get_init_creds_opt_set_proxiable(opts, 0);
#ifdef SAMBA4_USES_HEIMDAL
krb5_get_init_creds_opt_set_win2k(context, opts, true);
krb5_get_init_creds_opt_set_canonicalize(context, opts, true);
#else /* MIT */
krb5_get_init_creds_opt_set_canonicalize(opts, true);
#endif /* MIT */
/* note that heimdal will fill in the local addresses if the addresses
* in the creds_init_opt are all empty and then later fail with invalid