1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

kdc: Rotate smart-card only underlying password in 2nd half of lifetime

This is a measure to avoid multiple servers rotating the password
but means that the maximum password age really must be set to
twice the TGT lifetime, eg a default of 20 hours.  The internet
suggestions of 1 day for this feature should work fine.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This commit is contained in:
Andrew Bartlett 2024-05-17 17:34:36 +12:00
parent 8afe27058b
commit 491b79d445
2 changed files with 16 additions and 1 deletions

View File

@ -73,7 +73,6 @@
#
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_des3.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_must_change_now\(
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_smartcard_required_must_change_before_tgt_expiry\(
#
# Windows 2000 PK-INIT tests
#

View File

@ -2908,16 +2908,32 @@ static krb5_error_code samba_kdc_fetch_client(krb5_context context,
* However we must first
* check if this is before the TGT is due to
* expire.
*
* Then we check if we are half-way
* though the password lifetime before we make
* a password rotation.
*/
NTTIME must_change_time
= samdb_result_nttime(msg,
"msDS-UserPasswordExpiryTimeComputed",
0);
NTTIME pw_lifetime = must_change_time - pwd_last_set_this_loop;
NTTIME pw_halflife = pw_lifetime / 2;
if (must_change_time
> entry->skdc_entry->enforced_tgt_lifetime_nt_ticks + entry->skdc_entry->current_nttime) {
/* Password will not expire before TGT will */
break;
}
if (pwd_last_set_this_loop != 0
&& pwd_last_set_this_loop + pw_halflife > entry->skdc_entry->current_nttime) {
/*
* Still in first half of password
* lifetime, no change per
* https://lists.samba.org/archive/cifs-protocol/2024-May/004316.html
*/
break;
}
/* Keep processing */
}