mirror of https://github.com/samba-team/samba.git synced 2025-08-29 13:49:30 +03:00

s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key()

It means that using the old or older password no longer
changes badPwdCount for Kerberos authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 24 07:18:03 UTC 2023 on atb-devel-224
Stefan Metzmacher
2022-02-07 19:32:08 +01:00
committed by Andrew Bartlett
parent d4007b0ef9
commit a75378e354
3 changed files with 50 additions and 1 deletions


@ -1 +0,0 @@
^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_krb5


@ -2221,3 +2221,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_bad_pwd_allowed_from_user_deny.ad_dc
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_denied_no_fast.ad_dc
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_min.ad_dc
#
# MIT does not support password history in order to avoid badPwdCount changes
# with the last password, see https://bugzilla.samba.org/show_bug.cgi?id=14054
#
^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_krb5


@ -147,6 +147,31 @@ static int sdb_keys_to_Keys(const struct sdb_keys *s, Keys *h)
return 0;
}
static int sdb_keys_to_HistKeys(krb5_context context,
const struct sdb_keys *s,
krb5_kvno kvno,
hdb_entry *h)
{
unsigned int i;
for (i = 0; i < s->len; i++) {
Key k = { 0, };
int ret;
ret = sdb_key_to_Key(&s->val[i], &k);
if (ret != 0) {
return ENOMEM;
}
ret = hdb_add_history_key(context, h, kvno, &k);
free_Key(&k);
if (ret != 0) {
return ENOMEM;
}
}
return 0;
}
static int sdb_event_to_Event(krb5_context context,
const struct sdb_event *s, Event *h)
{
@ -192,6 +217,26 @@ int sdb_entry_to_hdb_entry(krb5_context context,
goto error;
}
if (h->kvno > 1) {
rc = sdb_keys_to_HistKeys(context,
&s->old_keys,
h->kvno - 1,
h);
if (rc != 0) {
goto error;
}
}
if (h->kvno > 2) {
rc = sdb_keys_to_HistKeys(context,
&s->older_keys,
h->kvno - 2,
h);
if (rc != 0) {
goto error;
}
}
rc = sdb_event_to_Event(context,
&s->created_by,
&h->created_by);
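Review bot: Both failure branches of sdb_keys_to_HistKeys() return a hard-coded ENOMEM, so the code that sdb_key_to_Key() or hdb_add_history_key() actually reported is discarded before sdb_entry_to_hdb_entry() takes its `goto error`; `return ret;` in each `if (ret != 0)` branch would keep a non-allocation failure distinguishable when a KDC lookup fails. The temporary `k` carries a copy of a previous long-term key, and whether `free_Key(&k)` clears the key bytes before releasing them is not visible in this hunk, so that is worth confirming. The helper would also benefit from a one-line comment such as `/* Add each key in s to h's key history under the given kvno. */`, and the call sites from a note that old_keys and older_keys are assumed to belong to `h->kvno - 1` and `h->kvno - 2`. sdb_entry_to_hdb_entry() starts and ends outside the hunk.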