Attachment 12081 Details for Bug 11906 – patch from master for v4-4-test

[patch] patch from master for v4-4-test

patch (text/plain), 4.02 KB, created by Guenther Deschner on 2016-05-06 13:39:50 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Guenther Deschner

Created: 2016-05-06 13:39:50 UTC

Size: 4.02 KB

patch

obsolete

>From b3931af2df293a9cb75f21cdb5555fb6725dff34 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Mon, 15 Feb 2016 12:58:07 +0100
>Subject: [PATCH] s3-kerberos: avoid entering a password change dialogue also
> when using MIT.
>
>Without this fix, for accounts with an expired password, a password change
>process is initiated and - due to the prompter - this fails with a confusing
>error message:
>
>"kerberos_kinit_password Administrator@W2K12DOM.BER.REDHAT.COM failed: Password
>mismatch
>Failed to join domain: failed to connect to AD: Password mismatch"
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11906
>
>Guenther
>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>---
> source3/libads/kerberos.c        | 59 ++++++++++++++++++++++++----------------
> wscript_configure_system_mitkrb5 |  1 +
> 2 files changed, 36 insertions(+), 24 deletions(-)
>
>diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
>index 9a7a1e7..4774a9f 100644
>--- a/source3/libads/kerberos.c
>+++ b/source3/libads/kerberos.c
>@@ -47,33 +47,44 @@ kerb_prompter(krb5_context ctx, void *data,
> 	       krb5_prompt prompts[])
> {
> 	if (num_prompts == 0) return 0;
>-#if HAVE_KRB5_PROMPT_TYPE
>-
>-	/*
>-	 * only heimdal has a prompt type and we need to deal with it here to
>-	 * avoid loops.
>-	 *
>-	 * removing the prompter completely is not an option as at least these
>-	 * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
>-	 * version have looping detection and return with a proper error code.
>-	 */
>-
>-	if ((num_prompts == 2) &&
>-	    (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
>-	    (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
>+	if (num_prompts == 2) {
> 		/*
>-		 * We don't want to change passwords here. We're
>-		 * called from heimal when the KDC returns
>-		 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
>-		 * have the chance to ask the user for a new
>-		 * password. If we return 0 (i.e. success), we will be
>-		 * spinning in the endless for-loop in
>-		 * change_password() in
>-		 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
>+		 * only heimdal has a prompt type and we need to deal with it here to
>+		 * avoid loops.
>+		 *
>+		 * removing the prompter completely is not an option as at least these
>+		 * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
>+		 * version have looping detection and return with a proper error code.
> 		 */
>-		return KRB5KDC_ERR_KEY_EXPIRED;
>+
>+#if HAVE_KRB5_PROMPT_TYPE /* Heimdal */
>+		 if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
>+		     prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
>+			/*
>+			 * We don't want to change passwords here. We're
>+			 * called from heimal when the KDC returns
>+			 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
>+			 * have the chance to ask the user for a new
>+			 * password. If we return 0 (i.e. success), we will be
>+			 * spinning in the endless for-loop in
>+			 * change_password() in
>+			 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
>+			 */
>+			return KRB5KDC_ERR_KEY_EXPIRED;
>+		}
>+#elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */
>+		krb5_prompt_type *prompt_types = NULL;
>+
>+		prompt_types = krb5_get_prompt_types(ctx);
>+		if (prompt_types != NULL) {
>+			if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
>+			    prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
>+				return KRB5KDC_ERR_KEY_EXP;
>+			}
>+		}
>+#endif
> 	}
>-#endif /* HAVE_KRB5_PROMPT_TYPE */
>+
> 	memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
> 	if (prompts[0].reply->length > 0) {
> 		if (data) {
>diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
>index 4b3a69f..9c1ad8f 100644
>--- a/wscript_configure_system_mitkrb5
>+++ b/wscript_configure_system_mitkrb5
>@@ -115,6 +115,7 @@ conf.CHECK_FUNCS('''
>        krb5_keyblock_init krb5_principal_set_realm krb5_principal_get_type
>        krb5_principal_set_type
>        krb5_warnx
>+       krb5_get_prompt_types
>        ''',
>      lib='krb5 k5crypto')
> conf.CHECK_DECLS('''krb5_get_credentials_for_user
>-- 
>2.5.5
>

Flags:

jra: review+
gd: review? (obnox)

Actions: View

Attachments on bug 11906: 12081