[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Thu Oct 1 22:17:03 UTC 2015
The branch, master has been updated
via e524ab9 winbind: Fix 100% loop
from f9ceaf4 s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bug #11522).
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e524ab9f7ee9f4aff50dd5bc42312f9000bf1c6e
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 28 12:33:13 2015 +0200
winbind: Fix 100% loop
Thanks to "L.P.H. van Belle" <belle at bazuin.nl>
for help in reproducing the issue.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038
From the bug report:
"With e551cdb37d3e re-applied the problem is gone with
and without kerberos. Moreover, if correctly configured,
sshd requests you to change your password at logon time,
which then succeeds.
The problem why I had this reverted was because I had not
gone through the pain to correctly configure all the PAM
services (in particular the "account" section), leading
to sshd letting the user in when the password had to be
changed."
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit e551cdb37d3e8cfb155bc33f9b162761c8d60889)
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Oct 2 00:16:29 CEST 2015 on sn-devel-104
-----------------------------------------------------------------------
Summary of changes:
source3/libads/kerberos.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
Changeset truncated at 500 lines:
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index e4bad74..7fe864b 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -48,6 +48,22 @@ kerb_prompter(krb5_context ctx, void *data,
{
if (num_prompts == 0) return 0;
+ if ((num_prompts == 2) &&
+ (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
+ (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+ /*
+ * We don't want to change passwords here. We're
+ * called from heimal when the KDC returns
+ * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+ * have the chance to ask the user for a new
+ * password. If we return 0 (i.e. success), we will be
+ * spinning in the endless for-loop in
+ * change_password() in
+ * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+ */
+ return KRB5KDC_ERR_KEY_EXPIRED;
+ }
+
memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
if (prompts[0].reply->length > 0) {
if (data) {
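Review bot: The new guard at the top of kerb_prompter() matches only the exact shape num_prompts == 2 with KRB5_PROMPT_TYPE_NEW_PASSWORD followed by KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN, so any other arrangement of password-change prompts still falls through to the prompts[0].reply handling below, and the comment itself says that returning 0 from here is what makes change_password() spin. Consider looping over num_prompts and returning KRB5KDC_ERR_KEY_EXPIRED as soon as any prompt has one of those two types. In the comment, "heimal" should read "heimdal", and the pointer "init_creds_pw.c:526ff" will go stale as that file changes; naming change_password() is enough. The commit message would also be clearer if it said in its own words that this re-applies the previously reverted e551cdb37d3e and why the reason for the revert no longer applies, which currently comes across only through the quoted bug report.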
--
Samba Shared Repository