Bug 8747 - winbindd with Heimdal infinite loops when user password expired
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
Version: 3.6.0
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assigned To: Michael Adam
QA Contact: Samba QA Contact
Reported: 2012-02-08 12:12 UTC by Harry Mason
Modified: 2012-02-08 12:12 UTC

Attachments
Backported Samba 4 patch (1.45 KB, patch)
2012-02-08 12:12 UTC, Harry Mason

Description Harry Mason 2012-02-08 12:12:49 UTC
Created attachment 7302
Backported Samba 4 patch

source3/libads/kerberos.c installs an optional prompter function which enters the password, to work around an old Kerberos bug. When winbindd tries to get a ticket, the Kerberos library may call that function to prompt the user if necessary.

In the case where the user's password has expired, Kerberos doesn't prompt for the password; it prompts for a new password twice. The prompter only returns the password once, so the Kerberos library sees that the entered passwords don't match. MIT Kerberos only tries again three times, but Heimdal loops forever (in init_creds_pw.c).

Reproducible by creating a user in Active Directory with "User must change password at next logon" set, then getting a ticket for that user with wbinfo -K.

Commit 10989431e533bd60de242dbd78c4b62c4ace7812 in Samba 4 removes this prompter, and I can confirm that this fixes the problem when applied to Samba 3.
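
The failure mode described in this report, as a small C model added here for illustration (not Samba, MIT Kerberos or Heimdal code; every function and type name is hypothetical). It assumes a prompter that answers only its first prompt and a library that asks for the new password twice per round, and shows that only a retry cap or the absence of the prompter ends the call.

```c
#include <stdio.h>
#include <string.h>

/* Toy model only: none of these names are Samba, MIT or Heimdal APIs. */
struct prompter_state { const char *password; int answered; };
typedef void (*prompter_fn)(struct prompter_state *, char *, size_t);

/* Prompter as the report describes it: returns the stored password for the
 * first prompt it sees and an empty reply for every later one. */
static void one_shot_prompter(struct prompter_state *st, char *reply, size_t len)
{
    reply[0] = '\0';
    if (!st->answered) {
        snprintf(reply, len, "%s", st->password);
        st->answered = 1;
    }
}

/* Modelled expired-password path: ask for the new password twice, retry on
 * mismatch for at most max_tries rounds. Without a prompter the expiry is
 * assumed to come back as an error straight away.
 * Returns >0 (round that succeeded), 0 (failed without prompting) or
 * <0 (gave up after that many rounds). */
static int change_expired_password(prompter_fn prompt, const char *pw, int max_tries)
{
    struct prompter_state st = { pw, 0 };
    char first[64], again[64];
    int round;

    if (prompt == NULL)
        return 0;
    for (round = 1; round <= max_tries; round++) {
        prompt(&st, first, sizeof first);
        prompt(&st, again, sizeof again);
        if (first[0] != '\0' && strcmp(first, again) == 0)
            return round;
    }
    return -max_tries;
}

int main(void)
{
    /* "constructed-pw" is a constructed sample value. */
    printf("cap of 3:    %d\n", change_expired_password(one_shot_prompter, "constructed-pw", 3));
    printf("cap of 1e6:  %d\n", change_expired_password(one_shot_prompter, "constructed-pw", 1000000));
    printf("no prompter: %d\n", change_expired_password(NULL, "constructed-pw", 3));
    return 0;
}
```

The second call spends every round it is allowed, which is the unbounded case in miniature: the number of wasted rounds is set entirely by the caller's cap, never by the prompter.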