kdc: Rotate smart-card only underlying password in 2nd half of lifetime
This is a measure to avoid multiple servers rotating the password, but it means that the maximum password age really must be set to twice the TGT lifetime, e.g. a default of 20 hours. The internet suggestions of 1 day for this feature should work fine. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This commit is contained in:
parent
8afe27058b
commit
491b79d445
@ -73,7 +73,6 @@
#
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_des3.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_must_change_now\(
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_smartcard_required_must_change_before_tgt_expiry\(
#
# Windows 2000 PK-INIT tests
#
@ -2908,16 +2908,32 @@ static krb5_error_code samba_kdc_fetch_client(krb5_context context,
* However we must first
* check if this is before the TGT is due to
* expire.
*
* Then we check if we are half-way
* though the password lifetime before we make
* a password rotation.
*/
NTTIME must_change_time
= samdb_result_nttime(msg,
"msDS-UserPasswordExpiryTimeComputed",
0);
NTTIME pw_lifetime = must_change_time - pwd_last_set_this_loop;
NTTIME pw_halflife = pw_lifetime / 2;
if (must_change_time
> entry->skdc_entry->enforced_tgt_lifetime_nt_ticks + entry->skdc_entry->current_nttime) {
/* Password will not expire before TGT will */
break;
}
if (pwd_last_set_this_loop != 0
&& pwd_last_set_this_loop + pw_halflife > entry->skdc_entry->current_nttime) {
/*
* Still in first half of password
* lifetime, no change per
* https://lists.samba.org/archive/cifs-protocol/2024-May/004316.html
*/
break;
}
/* Keep processing */
}
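Review bot: `pw_lifetime` is derived as `must_change_time - pwd_last_set_this_loop` before either operand is validated; if NTTIME is the usual unsigned 64-bit tick count, an expiry earlier than pwdLastSet (including the 0 default the `samdb_result_nttime` call falls back to when the attribute is absent) wraps the subtraction, so `pw_halflife` becomes a huge value and the second `break` is taken on a meaningless comparison rather than by design. Moving the derivation below the TGT-expiry check and guarding the order, e.g. `NTTIME pw_halflife = (must_change_time > pwd_last_set_this_loop) ? (must_change_time - pwd_last_set_this_loop) / 2 : 0;`, keeps the half-life meaningful and lets an already-due password fall through to rotation instead of depending on wraparound — I read that as the intended outcome, but it is worth confirming. The comment in the same hunk should also read `* through the password lifetime before we make` rather than "though". The enclosing function starts and ends outside this hunk.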