[PATCH] Allow Kerberos CHANGEPW request to fallback to TCP

todd stecher tstecher at isilon.com
Wed Mar 22 21:49:48 GMT 2006

The KPASSWD implementation included in Samba 3.x (libads/krb5_setpw.c)
can easily fail during net ads join operations if the user doing the
join is a member of > 300 groups.  This is because the MS KDC will
respond with an error reply of "KRB5KRB_ERR_RESPONSE_TOO_BIG," requiring
a switch to TCP and a resend of the KPASSWD message.  The current Samba
codebase does not handle this transition (nor, btw, does the MIT
Kerberos code).

The attached patch fixes this problem by:

1) Digesting the returned raw KRB_ERROR response from the overly large

2) Switching to TCP (mainly just adding / digesting size bytes prepended
to the front of the TCP messages, and sending them to the KDC via TCP).

Couple of notes here:

1) The organization I'm working with is using CVS, so I'm not sure how
compatible this diff is with one generated by SVN (no difference,

2) The code base is roughly the 3.0.11 Samba distribution.  The 3.0.11
version of krb5_setpw.c is == to the 3.0.21a version, so that should be
a no-op.

3) I worked at Microsoft for 9 years, mostly as the primary Kerberos /
SPNEGO developer. I was also intimately familiar with NTLM / SSL / PKI /
Netlogon / Active Directory development.  I have since moved on to
independent consulting in the authentication / authorization space, with
an emphasis on cross platform integration.

If there's a question of "taint", feel free to deny this patch
submission - note that I have not worked at MS in this capacity since
Sep 2004, nor was any MS IP / source code used in the creation of this
patch.  I spoke offline with Andrew about this issue, and he proposed we
hash it out in an open forum.
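
Added example, not part of the original message or the attached patch (which is not shown on this page): a sketch of the "size bytes" framing from step 2, assuming the 4-octet network-byte-order length prefix that RFC 4120 specifies for Kerberos over TCP. The function names and the `KRB_TCP_MAX_MSG` cap are hypothetical; the receive side rejects a peer-supplied length before anything is allocated or copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KRB_TCP_HDR 4                   /* 4-octet length prefix (RFC 4120) */
#define KRB_TCP_MAX_MSG (64u * 1024u)   /* assumed local cap, not from the patch */

/* Prepend a big-endian length to msg. Returns bytes written to out,
 * or 0 if msg is empty, exceeds the cap, or out is too small. */
size_t krb_tcp_frame(const uint8_t *msg, size_t len, uint8_t *out, size_t cap)
{
    if (len == 0 || len > KRB_TCP_MAX_MSG || cap < len + KRB_TCP_HDR)
        return 0;
    out[0] = (uint8_t)(len >> 24);
    out[1] = (uint8_t)(len >> 16);
    out[2] = (uint8_t)(len >> 8);
    out[3] = (uint8_t)len;
    memcpy(out + KRB_TCP_HDR, msg, len);
    return len + KRB_TCP_HDR;
}

/* Inspect bytes accumulated so far from recv().
 * Returns 1 and sets payload/plen when one whole message is buffered,
 *         0 when more bytes are needed (TCP may deliver partial reads),
 *        -1 when the length is invalid: reserved high bit set, zero,
 *           or larger than the local cap. */
int krb_tcp_unframe(const uint8_t *buf, size_t have,
                    const uint8_t **payload, size_t *plen)
{
    uint32_t n;
    if (have < KRB_TCP_HDR)
        return 0;
    n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
        ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if ((n & 0x80000000u) || n == 0 || n > KRB_TCP_MAX_MSG)
        return -1;
    if (have - KRB_TCP_HDR < n)
        return 0;
    *payload = buf + KRB_TCP_HDR;
    *plen = n;
    return 1;
}

int main(void)
{
    const uint8_t req[] = { 0x01, 0x02, 0x03 };  /* constructed stand-in request */
    uint8_t wire[16];
    const uint8_t *p; size_t n;
    size_t w = krb_tcp_frame(req, sizeof req, wire, sizeof wire);
    return (w == 7 && krb_tcp_unframe(wire, w, &p, &n) == 1 && n == 3) ? 0 : 1;
}
```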


