From b3931af2df293a9cb75f21cdb5555fb6725dff34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
Date: Mon, 15 Feb 2016 12:58:07 +0100
Subject: [PATCH] s3-kerberos: avoid entering a password change dialogue also when using MIT.

Without this fix, for accounts with an expired password, a password change process is initiated and - due to the prompter - this fails with a confusing error message:

"kerberos_kinit_password Administrator@W2K12DOM.BER.REDHAT.COM failed: Password mismatch Failed to join domain: failed to connect to AD: Password mismatch"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11906

Guenther

Signed-off-by: Guenther Deschner
Reviewed-by: Jeremy Allison
---
 source3/libads/kerberos.c | 59 ++++++++++++++++++++++++----------------
 wscript_configure_system_mitkrb5 | 1 +
 2 files changed, 36 insertions(+), 24 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 9a7a1e7..4774a9f 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -47,33 +47,44 @@ kerb_prompter(krb5_context ctx, void *data,
 	       krb5_prompt prompts[])
 {
 	if (num_prompts == 0) return 0;
-#if HAVE_KRB5_PROMPT_TYPE
-
-	/*
-	 * only heimdal has a prompt type and we need to deal with it here to
-	 * avoid loops.
-	 *
-	 * removing the prompter completely is not an option as at least these
-	 * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
-	 * version have looping detection and return with a proper error code.
-	 */
-
-	if ((num_prompts == 2) &&
-	    (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
-	    (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+	if (num_prompts == 2) {
 		/*
-		 * We don't want to change passwords here. We're
-		 * called from heimal when the KDC returns
-		 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
-		 * have the chance to ask the user for a new
-		 * password. If we return 0 (i.e. success), we will be
-		 * spinning in the endless for-loop in
-		 * change_password() in
-		 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+		 * only heimdal has a prompt type and we need to deal with it here to
+		 * avoid loops.
+		 *
+		 * removing the prompter completely is not an option as at least these
+		 * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
+		 * version have looping detection and return with a proper error code.
 		 */
-		return KRB5KDC_ERR_KEY_EXPIRED;
+
+#if HAVE_KRB5_PROMPT_TYPE /* Heimdal */
+		if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+		    prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+			/*
+			 * We don't want to change passwords here. We're
+			 * called from heimal when the KDC returns
+			 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+			 * have the chance to ask the user for a new
+			 * password. If we return 0 (i.e. success), we will be
+			 * spinning in the endless for-loop in
+			 * change_password() in
+			 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+			 */
+			return KRB5KDC_ERR_KEY_EXPIRED;
+		}
+#elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */
+		krb5_prompt_type *prompt_types = NULL;
+
+		prompt_types = krb5_get_prompt_types(ctx);
+		if (prompt_types != NULL) {
+			if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+			    prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+				return KRB5KDC_ERR_KEY_EXP;
+			}
+		}
+#endif
 	}
-#endif /* HAVE_KRB5_PROMPT_TYPE */
+
 	memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
 	if (prompts[0].reply->length > 0) {
 		if (data) {
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index 4b3a69f..9c1ad8f 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -115,6 +115,7 @@ conf.CHECK_FUNCS('''
 krb5_keyblock_init krb5_principal_set_realm krb5_principal_get_type krb5_principal_set_type krb5_warnx
+ krb5_get_prompt_types
 ''', lib='krb5 k5crypto')
 conf.CHECK_DECLS('''krb5_get_credentials_for_user
-- 
2.5.5
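Review bot: The comment now heading the `if (num_prompts == 2)` block still says "only heimdal has a prompt type", which is stale once the MIT branch under `#elif defined(HAVE_KRB5_GET_PROMPT_TYPES)` follows it; I would reword it to something like `/* Both Heimdal (prompt type stored in each krb5_prompt) and MIT (krb5_get_prompt_types) let us recognise a new-password/confirm prompt pair; refuse it here so we never enter the library's change-password loop. */`. In the MIT branch `krb5_prompt_type *prompt_types = NULL;` is overwritten on the very next line and the two nested ifs can be one guard: `krb5_prompt_type *prompt_types = krb5_get_prompt_types(ctx);` followed by `if (prompt_types != NULL && prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD && prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) { return KRB5KDC_ERR_KEY_EXP; }`. On a build where neither HAVE_KRB5_PROMPT_TYPE nor HAVE_KRB5_GET_PROMPT_TYPES is defined the block is now empty and a two-prompt request presumably falls through to the reply fill-in below, i.e. the pre-fix behaviour; an `#else` carrying a comment such as `/* no prompt-type API: cannot detect a password-change prompt here */` would make that gap visible. kerb_prompter's signature starts above the hunk and its body continues past it.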