From 58333eaab74dca6b65031961432c48fcb425537d Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 28 Aug 2015 12:33:13 +0200
Subject: [PATCH] winbind: Fix 100% loop

Thanks to "L.P.H. van Belle" for help in reproducing the issue.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038
Signed-off-by: Volker Lendecke
Reviewed-by: Alexander Bokovoy
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Fri Aug 28 22:03:31 CEST 2015 on sn-devel-104
(cherry picked from commit e551cdb37d3e8cfb155bc33f9b162761c8d60889)
---
 source3/libads/kerberos.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index e4bad74..7fe864b 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -48,6 +48,22 @@ kerb_prompter(krb5_context ctx, void *data,
 {
 if (num_prompts == 0) return 0;

+ if ((num_prompts == 2) &&
+ (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
+ (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+ /*
+ * We don't want to change passwords here. We're
+ * called from heimal when the KDC returns
+ * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+ * have the chance to ask the user for a new
+ * password. If we return 0 (i.e. success), we will be
+ * spinning in the endless for-loop in
+ * change_password() in
+ * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+ */
+ return KRB5KDC_ERR_KEY_EXPIRED;
+ }
+
 memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
 if (prompts[0].reply->length > 0) {
 if (data) {
--
2.5.0.457.gab17608
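Review bot: The added check reads `prompts[0].type` and `prompts[1].type` unconditionally, but the `type` member of `krb5_prompt` is a Heimdal extension; MIT Kerberos' `krb5_prompt` has only `prompt`, `hidden` and `reply`, so if this file is also built against MIT krb5 the new block would not compile. Because the loop being avoided lives in Heimdal's `change_password()`, the whole `if` block could sit inside a configure-time guard for that member (placeholder name: `#ifdef <HAVE_PROMPT_TYPE_MEMBER>` … `#endif`) without losing the fix. The match is also exact on count and order (`num_prompts == 2`, NEW_PASSWORD then NEW_PASSWORD_AGAIN), so the comment should say that any other prompt layout still falls through to the `memset` and reply-filling path below. The comment has a typo, "heimal" for "heimdal", and `kerb_prompter`'s body continues past the end of the hunk.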