The Samba-Bugzilla – Attachment 12081 Details for
Bug 11906
Inappropriate error message issued when joining with an expired password
[patch] patch from master for v4-4-test
patch (text/plain), 4.02 KB, created by Guenther Deschner on 2016-05-06 13:39:50 UTC
>From b3931af2df293a9cb75f21cdb5555fb6725dff34 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Mon, 15 Feb 2016 12:58:07 +0100 >Subject: [PATCH] s3-kerberos: avoid entering a password change dialogue also > when using MIT. > >Without this fix, for accounts with an expired password, a password change >process is initiated and - due to the prompter - this fails with a confusing >error message: > >"kerberos_kinit_password Administrator@W2K12DOM.BER.REDHAT.COM failed: Password >mismatch >Failed to join domain: failed to connect to AD: Password mismatch" > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11906 > >Guenther > >Signed-off-by: Guenther Deschner <gd@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >--- > source3/libads/kerberos.c | 59 ++++++++++++++++++++++++---------------- > wscript_configure_system_mitkrb5 | 1 + > 2 files changed, 36 insertions(+), 24 deletions(-) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index 9a7a1e7..4774a9f 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c 
>@@ -47,33 +47,44 @@ kerb_prompter(krb5_context ctx, void *data, > krb5_prompt prompts[]) > { > if (num_prompts == 0) return 0; >-#if HAVE_KRB5_PROMPT_TYPE >- >- /* >- * only heimdal has a prompt type and we need to deal with it here to >- * avoid loops. >- * >- * removing the prompter completely is not an option as at least these >- * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal >- * version have looping detection and return with a proper error code. >- */ >- >- if ((num_prompts == 2) && >- (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) && >- (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) { >+ if (num_prompts == 2) { > /* >- * We don't want to change passwords here. We're >- * called from heimal when the KDC returns >- * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't >- * have the chance to ask the user for a new >- * password. If we return 0 (i.e. success), we will be >- * spinning in the endless for-loop in >- * change_password() in >- * source4/heimdal/lib/krb5/init_creds_pw.c:526ff >+ * only heimdal has a prompt type and we need to deal with it here to >+ * avoid loops. >+ * >+ * removing the prompter completely is not an option as at least these >+ * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal >+ * version have looping detection and return with a proper error code. > */ >- return KRB5KDC_ERR_KEY_EXPIRED; >+ >+#if HAVE_KRB5_PROMPT_TYPE /* Heimdal */ >+ if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD && >+ prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) { >+ /* >+ * We don't want to change passwords here. We're >+ * called from heimal when the KDC returns >+ * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't >+ * have the chance to ask the user for a new >+ * password. If we return 0 (i.e. 
success), we will be >+ * spinning in the endless for-loop in >+ * change_password() in >+ * source4/heimdal/lib/krb5/init_creds_pw.c:526ff >+ */ >+ return KRB5KDC_ERR_KEY_EXPIRED; >+ } >+#elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */ >+ krb5_prompt_type *prompt_types = NULL; >+ >+ prompt_types = krb5_get_prompt_types(ctx); >+ if (prompt_types != NULL) { >+ if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD && >+ prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) { >+ return KRB5KDC_ERR_KEY_EXP; >+ } >+ } >+#endif > } >-#endif /* HAVE_KRB5_PROMPT_TYPE */ >+ > memset(prompts[0].reply->data, '\0', prompts[0].reply->length); > if (prompts[0].reply->length > 0) { > if (data) { >diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 >index 4b3a69f..9c1ad8f 100644 >--- a/wscript_configure_system_mitkrb5 >+++ b/wscript_configure_system_mitkrb5 >@@ -115,6 +115,7 @@ conf.CHECK_FUNCS(''' > krb5_keyblock_init krb5_principal_set_realm krb5_principal_get_type > krb5_principal_set_type > krb5_warnx >+ krb5_get_prompt_types > ''', > lib='krb5 k5crypto') > conf.CHECK_DECLS('''krb5_get_credentials_for_user >-- >2.5.5 >
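Review bot: In the kerb_prompter() hunk of source3/libads/kerberos.c, the relocated comment that begins "only heimdal has a prompt type" now sits above both the Heimdal and the MIT branch, and the new MIT branch contradicts it by reading prompt types through krb5_get_prompt_types(ctx). Please reword the comment so it covers both libraries. The MIT branch also returns KRB5KDC_ERR_KEY_EXP while the Heimdal branch returns KRB5KDC_ERR_KEY_EXPIRED; a one-line comment saying the names differ per library would stop the next reader from taking it for a typo. Since the long explanatory comment is being re-indented anyway, "heimal" could be corrected in the same pass.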
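Review bot: In the conf.CHECK_FUNCS hunk of wscript_configure_system_mitkrb5, only the function krb5_get_prompt_types is probed, while the code guarded by HAVE_KRB5_GET_PROMPT_TYPES in kerberos.c also depends on the krb5_prompt_type type and on KRB5_PROMPT_TYPE_NEW_PASSWORD and KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN. Either add a declaration check for those or state in the commit message that they are available wherever the function is. If the probe fails, the MIT branch is compiled out silently and the prompter falls through to the old behaviour, so it is worth saying so in the commit message for whoever next sees the "Password mismatch" error.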
Flags: jra: review+, gd: review? (obnox)