
s4:kdc Add support for changing password of a servicePrincipalName

Apparently AD supports setting a password on a servicePrincipalName,
not just a user principal name.  This should fix (part of) the join of
OpenSolaris's internal CIFS server to Samba4 as reported by Bug #7273

Andrew Bartlett
Andrew Bartlett 2010-03-25 16:27:40 +11:00
parent 6199ae4745
commit 5f6f7a2e51


@ -250,6 +250,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
krb5_principal principal;
char *set_password_on_princ;
struct ldb_dn *set_password_on_dn;
bool service_principal_name = false;
size_t len;
int ret;
@ -311,6 +312,21 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
}
free_ChangePasswdDataMS(&chpw);
if (principal->name.name_string.len >= 2) {
service_principal_name = true;
/* We use this, rather than 'no realm' flag,
* as we don't want to accept a password
* change on a principal from another realm */
if (krb5_unparse_name_short(context, principal, &set_password_on_princ) != 0) {
krb5_free_principal(context, principal);
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"krb5_unparse_name failed!",
reply);
}
} else {
if (krb5_unparse_name(context, principal, &set_password_on_princ) != 0) {
krb5_free_principal(context, principal);
return kpasswdd_make_error_reply(kdc, mem_ctx,
@ -318,7 +334,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
"krb5_unparse_name failed!",
reply);
}
}
krb5_free_principal(context, principal);
samdb = samdb_connect(mem_ctx, kdc->task->event_ctx, kdc->task->lp_ctx, session_info);
@ -344,9 +360,15 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
reply);
}
if (service_principal_name) {
status = crack_service_principal_name(samdb, mem_ctx,
set_password_on_princ,
&set_password_on_dn, NULL);
} else {
status = crack_user_principal_name(samdb, mem_ctx,
set_password_on_princ,
&set_password_on_dn, NULL);
}
free(set_password_on_princ);
if (!NT_STATUS_IS_OK(status)) {
ldb_transaction_cancel(samdb);
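Review bot: The cross-realm rejection in the new `name_string.len >= 2` branch is implicit: `krb5_unparse_name_short()` drops the realm only when it matches the context's default realm, so a principal from another realm reaches `crack_service_principal_name()` with its `@REALM` suffix still attached and is refused only if that lookup does not resolve it. Since this path decides whose password gets set, I would state that dependency in the comment, e.g. `/* a foreign-realm name keeps its @REALM suffix here and must fail the SPN lookup below */`, and add a test that sends a set-password request for an SPN in a non-default realm. The branch also treats every principal with two or more name components as a servicePrincipalName, which is worth saying in the same comment. Minor: the error string in this branch still reads `"krb5_unparse_name failed!"` although the failing call is `krb5_unparse_name_short`. kpasswd_process_request begins and continues outside the visible hunks, so the authorization check applied to the resolved DN cannot be confirmed from here.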