From 6c7836dbeec1f5e78cf80daaf948b8343ff68721 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 28 Aug 2015 12:33:13 +0200
Subject: [PATCH 1/2] winbind: Fix 100% loop
Thanks to "L.P.H. van Belle" for help in reproducing the issue.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038
From the bug report: "With e551cdb37d3e re-applied the problem is gone with and without kerberos. Moreover, if correctly configured, sshd requests you to change your password at logon time, which then succeeds. The problem why I had this reverted was because I had not gone through the pain to correctly configure all the PAM services (in particular the "account" section), leading to sshd letting the user in when the password had to be changed."
Signed-off-by: Volker Lendecke
Reviewed-by: Alexander Bokovoy
Reviewed-by: Jeremy Allison
(cherry picked from commit e551cdb37d3e8cfb155bc33f9b162761c8d60889)
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Fri Oct 2 00:16:29 CEST 2015 on sn-devel-104
(cherry picked from commit e524ab9f7ee9f4aff50dd5bc42312f9000bf1c6e)
---
source3/libads/kerberos.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index d5e0238..b865d7a 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -50,6 +50,22 @@ kerb_prompter(krb5_context ctx, void *data,
 {
 if (num_prompts == 0) return 0;
+ if ((num_prompts == 2) &&
+ (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
+ (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+ /*
+ * We don't want to change passwords here. We're
+ * called from heimal when the KDC returns
+ * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+ * have the chance to ask the user for a new
+ * password. If we return 0 (i.e. success), we will be
+ * spinning in the endless for-loop in
+ * change_password() in
+ * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+ */
+ return KRB5KDC_ERR_KEY_EXPIRED;
+ }
+
 memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
 if (prompts[0].reply->length > 0) {
 if (data) {
--
2.1.4
From 6071cc5e8c74409ea2825c619251027a9428f723 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
Date: Fri, 2 Oct 2015 04:23:59 +0200
Subject: [PATCH 2/2] kerberos: make sure we only use prompter type when available.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We also verified that we cannot simply remove the prompter as several older versions of Heimdal would crash.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038
Guenther
Signed-off-by: Günther Deschner
Reviewed-by: Volker Lendecke
Autobuild-User(master): Günther Deschner
Autobuild-Date(master): Fri Oct 2 07:29:43 CEST 2015 on sn-devel-104
(cherry picked from commit 6755376cedaf0c88230b47e04c584c7d9fce13e3)
---
source3/libads/kerberos.c | 12 +++++++++++-
source4/heimdal_build/wscript_configure | 1 +
wscript_configure_system_mitkrb5 | 2 ++
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index b865d7a..8811581 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
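Review bot: The new guard only matches the exact pair NEW_PASSWORD followed by NEW_PASSWORD_AGAIN with num_prompts == 2; a prompt set that contains a new-password prompt in any other shape still falls through to the lines below, which clear `prompts[0].reply` and, as far as the visible context suggests, answer it from the stored credential in `data`, so the old password could be handed back as the "new" one. If Heimdal can issue these prompt types in other combinations, matching any prompt of either new-password type is the safer test, as sketched below. Two wording fixes in the comment: `heimal` should read `heimdal`, and the `init_creds_pw.c:526ff` line reference will go stale, so naming only `change_password()` in source4/heimdal/lib/krb5/init_creds_pw.c is enough. kerb_prompter's body continues past the end of the hunk.
```c
	int i;

	/* … unchanged: comment explaining why a success return loops in change_password() … */
	for (i = 0; i < num_prompts; i++) {
		if ((prompts[i].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) ||
		    (prompts[i].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
			return KRB5KDC_ERR_KEY_EXPIRED;
		}
	}
```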
@@ -49,6 +49,16 @@ kerb_prompter(krb5_context ctx, void *data,
 krb5_prompt prompts[])
 {
 if (num_prompts == 0) return 0;
+#if HAVE_KRB5_PROMPT_TYPE
+
+ /*
+ * only heimdal has a prompt type and we need to deal with it here to
+ * avoid loops.
+ *
+ * removing the prompter completely is not an option as at least these
+ * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
+ * version have looping detection and return with a proper error code.
+ */
 if ((num_prompts == 2) &&
+ (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
@@ -65,7 +75,7 @@ kerb_prompter(krb5_context ctx, void *data,
 */
 return KRB5KDC_ERR_KEY_EXPIRED;
 }
-
+#endif /* HAVE_KRB5_PROMPT_TYPE */
 memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
 if (prompts[0].reply->length > 0) {
 if (data) {
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index 5b7109e..90df14c 100755
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -167,6 +167,7 @@ conf.define('HAVE_KRB5_DATA_COPY', 1)
 conf.define('HAVE_KRB5_PRINCIPAL_SET_REALM', 1)
 conf.define('HAVE_KRB5_PRINCIPAL_GET_TYPE', 1)
 conf.define('HAVE_KRB5_WARNX', 1)
+conf.define('HAVE_KRB5_PROMPT_TYPE', 1)
 heimdal_includedirs = []
 heimdal_libdirs = []
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index e0d3760..0db55ce 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -132,6 +132,8 @@ conf.CHECK_STRUCTURE_MEMBER('krb5_address', 'addrtype', headers='krb5.h',
 define='HAVE_ADDRTYPE_IN_KRB5_ADDRESS')
 conf.CHECK_STRUCTURE_MEMBER('krb5_ap_req', 'ticket', headers='krb5.h',
 define='HAVE_TICKET_POINTER_IN_KRB5_AP_REQ')
+conf.CHECK_STRUCTURE_MEMBER('krb5_prompt', 'type', headers='krb5.h',
+ define='HAVE_KRB5_PROMPT_TYPE')
 conf.CHECK_TYPE('krb5_encrypt_block', headers='krb5.h')
--
2.1.4
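Review bot: The comment at the top of the new `#if HAVE_KRB5_PROMPT_TYPE` block says "only heimdal has a prompt type", but what the macro actually records is whether `krb5_prompt` has a `type` member (the probe added to wscript_configure_system_mitkrb5), and MIT does report prompt types too, through krb5_get_prompt_types() instead of a struct field. I would reword it to `/* Only Heimdal carries the prompt type in krb5_prompt; on MIT this check is compiled out, so confirm MIT cannot loop on KRB5KDC_ERR_KEY_EXPIRED. */` so that a reader on an MIT build knows the expired-password guard is absent there. The define is set unconditionally only for the bundled Heimdal in source4/heimdal_build/wscript_configure; if a configure path for a system Heimdal exists it needs the same probe, or this fix silently disappears on those builds. Since an undefined macro and one defined to 0 both disable the block, `#ifdef HAVE_KRB5_PROMPT_TYPE` states the intent more directly and avoids a -Wundef warning. kerb_prompter starts before and ends after these hunks.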