The Samba-Bugzilla – Attachment 11471 Details for
Bug 11038
Logging with an account which has the "User must change password on next logon" flag cause winbindd to use 100% cpu and stop answering request
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for 4.3.next, 4.2.next.
0001-winbind-Fix-100-loop.patch (text/plain), 2.20 KB, created by
Jeremy Allison
on 2015-10-01 22:20:58 UTC
(
hide
)
Description:
git-am fix for 4.3.next, 4.2.next.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2015-10-01 22:20:58 UTC
Size:
2.20 KB
patch
obsolete
>From 6c7836dbeec1f5e78cf80daaf948b8343ff68721 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Fri, 28 Aug 2015 12:33:13 +0200 >Subject: [PATCH] winbind: Fix 100% loop > >Thanks to "L.P.H. van Belle" <belle@bazuin.nl> >for help in reproducing the issue. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038 > >From the bug report: > >"With e551cdb37d3e re-applied the problem is gone with >and without kerberos. Moreover, if correctly configured, >sshd requests you to change your password at logon time, >which then succeeds. > >The problem why I had this reverted was because I had not >gone through the pain to correctly configure all the PAM >services (in particular the "account" section), leading >to sshd letting the user in when the password had to be >changed." > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >(cherry picked from commit e551cdb37d3e8cfb155bc33f9b162761c8d60889) > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Fri Oct 2 00:16:29 CEST 2015 on sn-devel-104 > >(cherry picked from commit e524ab9f7ee9f4aff50dd5bc42312f9000bf1c6e) >--- > source3/libads/kerberos.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index d5e0238..b865d7a 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c >@@ -50,6 +50,22 @@ kerb_prompter(krb5_context ctx, void *data, > { > if (num_prompts == 0) return 0; > >+ if ((num_prompts == 2) && >+ (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) && >+ (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) { >+ /* >+ * We don't want to change passwords here. We're >+ * called from heimal when the KDC returns >+ * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't >+ * have the chance to ask the user for a new >+ * password. If we return 0 (i.e. success), we will be >+ * spinning in the endless for-loop in >+ * change_password() in >+ * source4/heimdal/lib/krb5/init_creds_pw.c:526ff >+ */ >+ return KRB5KDC_ERR_KEY_EXPIRED; >+ } >+ > memset(prompts[0].reply->data, '\0', prompts[0].reply->length); > if (prompts[0].reply->length > 0) { > if (data) { >-- >2.1.4 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=11471">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 11038
:
11378
|
11385
|
11387
|
11388
|
11471
|
11473
|
11474