[PATCH] Allow Kerberos CHANGEPW request to fallback to TCP

Jeremy Allison jra at samba.org
Wed Mar 22 23:46:34 GMT 2006


On Wed, Mar 22, 2006 at 01:49:48PM -0800, todd stecher wrote:
> The KPASSWD implementation included in Samba 3.x (libads/krb5_setpw.c)
> can easily fail during net ads join operations if the user doing the
> join is a member of > 300 groups.  This is because the MS KDC will
> respond with an error reply of "KRB5KRB_ERR_RESPONSE_TOO_BIG," requiring
> a switch to TCP and a resend of the KPASSWD message.  The current Samba
> codebase does not handle this transition (nor, btw, does the MIT
> Kerberos code).
> 
> The attached patch fixes this problem by:

Thought you'd want a little feedback... It's good to know that
even the people who wrote Microsoft's krb5 implementation can't
write error-free krb5 code (JOKE, JOKE, ok ! :-). No one writes
error-free krb5 code - especially me :-) :-).

There's a memory leak around the krb5_rd_error() call you added.
The API docs say that the krb5_error struct returned from
krb5_rd_error() must be freed with krb5_free_error(), which you
do in the codepath where krberror->e_data.data == NULL, but if
this isn't the case (can that happen?) then it'll leak memory
and bleed into the rest of the "successful packet" code. After
the Coverity static analyzer ripped us a new one over things
like this I'm a little sensitive on these issues :-).

I think we need a krb5_free_error(), return XXX after this
section of the code (but what should XXX be there ?). The
other issue is that this probably won't work with Heimdal, as
the ERROR_TABLE_BASE_krb5 macro is almost certainly MIT
specific.

Do you want me to have a go at fixing this and post it to
the list for your review or do you want to address this
yourself ?

Jeremy.
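
The leak described above, reduced to an added C example that is not part of the original message or of Samba's code: `fake_rd_error()` and `fake_free_error()` are constructed stand-ins that model only the ownership rule of `krb5_rd_error()`/`krb5_free_error()`, and the packet strings and return codes are hypothetical. It assumes any decoded error should fail the request, a point the message leaves open.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for krb5_error, krb5_rd_error() and krb5_free_error().
 * They model ownership only; they are not libkrb5's real types or signatures. */
typedef struct { char *e_data; } fake_error;
enum { REPLY_OK = 0, REPLY_IS_ERROR = 1 };   /* hypothetical return codes */
static int live_errors = 0;                  /* decoded errors not yet freed */
/* Constructed packet format: "ERR" or "ERR:<e_data>"; anything else is a reply. */
static int fake_rd_error(const char *pkt, fake_error **out) {
    if (strncmp(pkt, "ERR", 3) != 0) return -1;
    fake_error *e = calloc(1, sizeof *e);
    if (e == NULL) return -1;
    if (pkt[3] == ':' && (e->e_data = malloc(strlen(pkt + 4) + 1)) != NULL)
        strcpy(e->e_data, pkt + 4);
    live_errors++;
    *out = e;
    return 0;
}
static void fake_free_error(fake_error *e) {
    if (e == NULL) return;
    free(e->e_data);
    free(e);
    live_errors--;
}
/* Shape described in the review: released only on the e_data == NULL branch. */
int parse_reply_leaky(const char *pkt) {
    fake_error *err = NULL;
    if (fake_rd_error(pkt, &err) == 0 && err->e_data == NULL) {
        fake_free_error(err);
        return REPLY_IS_ERROR;
    }
    return REPLY_OK;   /* e_data != NULL lands here with err still allocated */
}
/* One release point; assumption: any decoded error fails the request. */
int parse_reply_fixed(const char *pkt) {
    fake_error *err = NULL;
    int ret = (fake_rd_error(pkt, &err) == 0) ? REPLY_IS_ERROR : REPLY_OK;
    fake_free_error(err);   /* safe on NULL, runs on every path */
    return ret;
}
int main(void) {
    int leaky = parse_reply_leaky("ERR:constructed e_data");
    printf("leaky: ret=%d live=%d\n", leaky, live_errors);
    live_errors = 0;   /* reset the counter (the leaked block stays leaked) */
    int fixed = parse_reply_fixed("ERR:constructed e_data");
    printf("fixed: ret=%d live=%d\n", fixed, live_errors);
    return 0;
}
```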

