[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Thu Oct 1 22:17:03 UTC 2015


The branch, master has been updated
       via  e524ab9 winbind: Fix 100% loop
      from  f9ceaf4 s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bug #11522).

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e524ab9f7ee9f4aff50dd5bc42312f9000bf1c6e
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Aug 28 12:33:13 2015 +0200

    winbind: Fix 100% loop
    
    Thanks to "L.P.H. van Belle" <belle at bazuin.nl>
    for help in reproducing the issue.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038
    
    From the bug report:
    
    "With e551cdb37d3e re-applied the problem is gone with
    and without kerberos. Moreover, if correctly configured,
    sshd requests you to change your password at logon time,
    which then succeeds.
    
    The problem why I had this reverted was because I had not
    gone through the pain to correctly configure all the PAM
    services (in particular the "account" section), leading
    to sshd letting the user in when the password had to be
    changed."
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    (cherry picked from commit e551cdb37d3e8cfb155bc33f9b162761c8d60889)
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Oct  2 00:16:29 CEST 2015 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source3/libads/kerberos.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index e4bad74..7fe864b 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -48,6 +48,22 @@ kerb_prompter(krb5_context ctx, void *data,
 {
 	if (num_prompts == 0) return 0;
 
+	if ((num_prompts == 2) &&
+	    (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
+	    (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+		/*
+		 * We don't want to change passwords here. We're
+		 * called from heimal when the KDC returns
+		 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+		 * have the chance to ask the user for a new
+		 * password. If we return 0 (i.e. success), we will be
+		 * spinning in the endless for-loop in
+		 * change_password() in
+		 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+		 */
+		return KRB5KDC_ERR_KEY_EXPIRED;
+	}
+
 	memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
 	if (prompts[0].reply->length > 0) {
 		if (data) {
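Review bot: the new early return in kerb_prompter() sits above the existing memset of prompts[0].reply->data, so on the NEW_PASSWORD / NEW_PASSWORD_AGAIN path neither reply buffer is cleared before the function exits. Either zero both prompts[0].reply and prompts[1].reply before returning KRB5KDC_ERR_KEY_EXPIRED, or extend the comment to say that the caller does not read the replies when the prompter returns non-zero. Two smaller points on the comment itself: "heimal" should read "heimdal", and the reference "init_creds_pw.c:526ff" will go stale as that file changes, so naming change_password() alone is enough. Since the commit message notes that correct handling of the expired password depends on the PAM "account" section being configured, a short note next to this return that the error is expected to surface to the caller as an expired-password condition would help the next reader.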


-- 
Samba Shared Repository


