The Samba-Bugzilla – Attachment 11474 Details for
Bug 11038
Logging with an account which has the "User must change password on next logon" flag cause winbindd to use 100% cpu and stop answering request
[patch] git-am back-port for 4.2.next
bug-11535-4.2 (text/plain), 5.34 KB, created by Jeremy Allison on 2015-10-02 18:53:56 UTC
>From 6c7836dbeec1f5e78cf80daaf948b8343ff68721 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Fri, 28 Aug 2015 12:33:13 +0200 >Subject: [PATCH 1/2] winbind: Fix 100% loop > >Thanks to "L.P.H. van Belle" <belle@bazuin.nl> >for help in reproducing the issue. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038 > >From the bug report: > >"With e551cdb37d3e re-applied the problem is gone with >and without kerberos. Moreover, if correctly configured, >sshd requests you to change your password at logon time, >which then succeeds. > >The problem why I had this reverted was because I had not >gone through the pain to correctly configure all the PAM >services (in particular the "account" section), leading >to sshd letting the user in when the password had to be >changed." > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >(cherry picked from commit e551cdb37d3e8cfb155bc33f9b162761c8d60889) > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Fri Oct 2 00:16:29 CEST 2015 on sn-devel-104 > >(cherry picked from commit e524ab9f7ee9f4aff50dd5bc42312f9000bf1c6e) >--- > source3/libads/kerberos.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index d5e0238..b865d7a 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c 
>@@ -50,6 +50,22 @@ kerb_prompter(krb5_context ctx, void *data, > { > if (num_prompts == 0) return 0; > >+ if ((num_prompts == 2) && >+ (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) && >+ (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) { >+ /* >+ * We don't want to change passwords here. We're >+ * called from heimal when the KDC returns >+ * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't >+ * have the chance to ask the user for a new >+ * password. If we return 0 (i.e. success), we will be >+ * spinning in the endless for-loop in >+ * change_password() in >+ * source4/heimdal/lib/krb5/init_creds_pw.c:526ff >+ */ >+ return KRB5KDC_ERR_KEY_EXPIRED; >+ } >+ > memset(prompts[0].reply->data, '\0', prompts[0].reply->length); > if (prompts[0].reply->length > 0) { > if (data) { >-- >2.1.4 > > >From 6071cc5e8c74409ea2825c619251027a9428f723 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 2 Oct 2015 04:23:59 +0200 >Subject: [PATCH 2/2] kerberos: make sure we only use prompter type when > available. >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >We also verified that we cannot simply remove the prompter as several older >versions of Heimdal would crash. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038 > >Guenther > >Signed-off-by: Günther Deschner <gd@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> > >Autobuild-User(master): Günther Deschner <gd@samba.org> >Autobuild-Date(master): Fri Oct 2 07:29:43 CEST 2015 on sn-devel-104 > >(cherry picked from commit 6755376cedaf0c88230b47e04c584c7d9fce13e3) >--- > source3/libads/kerberos.c | 12 +++++++++++- > source4/heimdal_build/wscript_configure | 1 + > wscript_configure_system_mitkrb5 | 2 ++ > 3 files changed, 14 insertions(+), 1 deletion(-) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index b865d7a..8811581 100644 >--- a/source3/libads/kerberos.c 
>+++ b/source3/libads/kerberos.c >@@ -49,6 +49,16 @@ kerb_prompter(krb5_context ctx, void *data, > krb5_prompt prompts[]) > { > if (num_prompts == 0) return 0; >+#if HAVE_KRB5_PROMPT_TYPE >+ >+ /* >+ * only heimdal has a prompt type and we need to deal with it here to >+ * avoid loops. >+ * >+ * removing the prompter completely is not an option as at least these >+ * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal >+ * version have looping detection and return with a proper error code. >+ */ > > if ((num_prompts == 2) && > (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) && >@@ -65,7 +75,7 @@ kerb_prompter(krb5_context ctx, void *data, > */ > return KRB5KDC_ERR_KEY_EXPIRED; > } >- >+#endif /* HAVE_KRB5_PROMPT_TYPE */ > memset(prompts[0].reply->data, '\0', prompts[0].reply->length); > if (prompts[0].reply->length > 0) { > if (data) { >diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure >index 5b7109e..90df14c 100755 >--- a/source4/heimdal_build/wscript_configure >+++ b/source4/heimdal_build/wscript_configure >@@ -167,6 +167,7 @@ conf.define('HAVE_KRB5_DATA_COPY', 1) > conf.define('HAVE_KRB5_PRINCIPAL_SET_REALM', 1) > conf.define('HAVE_KRB5_PRINCIPAL_GET_TYPE', 1) > conf.define('HAVE_KRB5_WARNX', 1) >+conf.define('HAVE_KRB5_PROMPT_TYPE', 1) > > heimdal_includedirs = [] > heimdal_libdirs = [] >diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 >index e0d3760..0db55ce 100644 >--- a/wscript_configure_system_mitkrb5 >+++ b/wscript_configure_system_mitkrb5 
>@@ -132,6 +132,8 @@ conf.CHECK_STRUCTURE_MEMBER('krb5_address', 'addrtype', headers='krb5.h', > define='HAVE_ADDRTYPE_IN_KRB5_ADDRESS') > conf.CHECK_STRUCTURE_MEMBER('krb5_ap_req', 'ticket', headers='krb5.h', > define='HAVE_TICKET_POINTER_IN_KRB5_AP_REQ') >+conf.CHECK_STRUCTURE_MEMBER('krb5_prompt', 'type', headers='krb5.h', >+ define='HAVE_KRB5_PROMPT_TYPE') > > conf.CHECK_TYPE('krb5_encrypt_block', headers='krb5.h') > >-- >2.1.4 >
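Review bot: in the [PATCH 1/2] hunk at `@@ -50,6 +50,22 @@`, the new check reads `prompts[0].type` and `prompts[1].type` with no build-time guard; the guard (`#if HAVE_KRB5_PROMPT_TYPE`) only arrives in [PATCH 2/2], which adds a configure check because `krb5_prompt` may lack that member. As back-ported, this commit depends on its successor to build on such a library, so squash the two for 4.2 or move the configure check ahead of this change to keep every commit buildable when bisecting. The added comment also has "heimal" for "heimdal" and pins the loop to `init_creds_pw.c:526ff`, a line reference that will drift; naming `change_password()` alone would age better.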
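Review bot: the comment added under `#if HAVE_KRB5_PROMPT_TYPE` in the [PATCH 2/2] hunk at `@@ -49,6 +49,16 @@` says "only heimdal has a prompt type", yet the same patch adds a `krb5_prompt` `type` member check to `wscript_configure_system_mitkrb5`, so the block can be compiled in on a system-MIT build too. Reword the comment to say the check applies wherever `krb5_prompt` has a `type` member. If the macro is left undefined when that configure check fails, `#ifdef HAVE_KRB5_PROMPT_TYPE` states the intent without relying on an undefined macro evaluating to 0. "Later heimdal version have" should read "versions".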
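Review bot: in the [PATCH 2/2] hunk at `@@ -65,7 +75,7 @@`, `#endif /* HAVE_KRB5_PROMPT_TYPE */` takes the place of the blank line, so when the guard is compiled out the function runs from the `num_prompts == 0` return straight into the `memset` on `prompts[0].reply`, and nothing at that point says the expired-password case is then unhandled. Add a short comment at the `#endif` stating what such builds rely on (the earlier comment mentions loop detection in later Heimdal), and keep a blank line after the `#endif` so the guarded block stays visually separate from the reply handling.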
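Review bot: the `conf.CHECK_STRUCTURE_MEMBER('krb5_prompt', 'type', ...)` check added at `@@ -132,6 +132,8 @@` in `wscript_configure_system_mitkrb5` only proves the struct member exists, while the code it gates in `kerb_prompter()` also needs `KRB5_PROMPT_TYPE_NEW_PASSWORD` and `KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN`. Test for those constants as well, or note in the wscript that they are assumed to come with the member, so that a `krb5.h` with the member but without those names fails at configure time instead of at compile time.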
Flags: vl: review+, gd: review+