sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00
Code

s3-kerberos: avoid entering a password change dialogue also when using MIT.

Browse Source 
Without this fix, for accounts with an expired password, a password change
process is initiated and - due to the prompter - this fails with a confusing
error message:

"kerberos_kinit_password Administrator@W2K12DOM.BER.REDHAT.COM failed: Password
mismatch
Failed to join domain: failed to connect to AD: Password mismatch"

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Günther Deschner 2016-02-15 12:58:07 +01:00 committed by Jeremy Allison
parent f6f43c496e
commit b3931af2df
2 changed files with 36 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
source3/libads/kerberos.c
View File

@ -47,33 +47,44 @@ kerb_prompter(krb5_context ctx, void *data,
krb5_prompt prompts[])
{
if (num_prompts == 0) return 0;
#if HAVE_KRB5_PROMPT_TYPE
/*
* only heimdal has a prompt type and we need to deal with it here to
* avoid loops.
*
* removing the prompter completely is not an option as at least these
* versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
* version have looping detection and return with a proper error code.
*/
if ((num_prompts == 2) &&
(prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
(prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
if (num_prompts == 2) {
/*
* We don't want to change passwords here. We're
* called from heimal when the KDC returns
* KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
* have the chance to ask the user for a new
* password. If we return 0 (i.e. success), we will be
* spinning in the endless for-loop in
* change_password() in
* source4/heimdal/lib/krb5/init_creds_pw.c:526ff
* only heimdal has a prompt type and we need to deal with it here to
* avoid loops.
*
* removing the prompter completely is not an option as at least these
* versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
* version have looping detection and return with a proper error code.
*/
return KRB5KDC_ERR_KEY_EXPIRED;
#if HAVE_KRB5_PROMPT_TYPE /* Heimdal */
if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
/*
* We don't want to change passwords here. We're
* called from heimal when the KDC returns
* KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
* have the chance to ask the user for a new
* password. If we return 0 (i.e. success), we will be
* spinning in the endless for-loop in
* change_password() in
* source4/heimdal/lib/krb5/init_creds_pw.c:526ff
*/
return KRB5KDC_ERR_KEY_EXPIRED;
}
#elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */
krb5_prompt_type *prompt_types = NULL;
prompt_types = krb5_get_prompt_types(ctx);
if (prompt_types != NULL) {
if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
return KRB5KDC_ERR_KEY_EXP;
}
}
#endif
}
#endif /* HAVE_KRB5_PROMPT_TYPE */
memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
if (prompts[0].reply->length > 0) {
if (data) {

1
wscript_configure_system_mitkrb5
View File

@ -115,6 +115,7 @@ conf.CHECK_FUNCS('''
krb5_keyblock_init krb5_principal_set_realm krb5_principal_get_type
krb5_principal_set_type
krb5_warnx
krb5_get_prompt_types
''',
lib='krb5 k5crypto')
conf.CHECK_DECLS('''krb5_get_credentials_for_user