Bug 8747 - winbindd with Heimdal infinite loops when user password expired
Summary: winbindd with Heimdal infinite loops when user password expired
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.6.0
Hardware: All All
: P5 major
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Depends on:
Reported: 2012-02-08 12:12 UTC by Harry Mason
Modified: 2017-07-16 22:29 UTC (History)
1 user (show)

See Also:

Backported Samba 4 patch (1.45 KB, patch)
2012-02-08 12:12 UTC, Harry Mason
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Harry Mason 2012-02-08 12:12:49 UTC
Created attachment 7302 [details]
Backported Samba 4 patch

source3/libads/kerberos.c installs an optional prompter function which enters the password, to work around an old Kerberos bug. When winbindd tries to get a ticket, the Kerberos library may call that function to prompt the user if necessary.

In the case where the user's password has expired, Kerberos doesn't prompt for the password; it prompts for a new password twice. The prompter only returns the password once, so the Kerberos library sees that the entered passwords don't match. MIT Kerberos only tries again three times, but Heimdal loops forever (in init_creds_pw.c).

Reproducable by creating a user in Active Directory with "User must change password at next logon" set, then get a ticket for that user with wbinfo -K.

Commit 10989431e533bd60de242dbd78c4b62c4ace7812 in Samba 4 removes this prompter, and I can confirm that this fixes the problem when applied to Samba 3.
Comment 1 Andrew Bartlett 2017-07-16 22:28:57 UTC
I think this has been fixed in master by b3931af2df293a9cb75f21cdb5555fb6725dff34 for Samba 4.5.