Expired or must change password with linux/unix/mac clients against Samba4 KDC
Love Hörnquist Åstrand
lha at kth.se
Sat Jan 31 22:08:39 GMT 2009
Matthieu,
To get the windows behavior you need the attached patch.
The reason for the AS-REQ to kadmin/admin is probably that the hdb layer
in samba4 doesn't set the flags.change_pw flag in the entry for the kadmin/
admin principal, Andrew?
Love
-------------- next part --------------
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 433cef0..e90a8ba 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1076,13 +1076,6 @@ _kdc_as_rep(krb5_context context,
if(ret)
goto out;
- ret = _kdc_check_flags(context, config,
- client, client_name,
- server, server_name,
- TRUE);
- if(ret)
- goto out;
-
memset(&et, 0, sizeof(et));
memset(&ek, 0, sizeof(ek));
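Review bot: removing the _kdc_check_flags call here without a comment leaves the reader of _kdc_as_rep with no hint that the client/server flag validation is deferred rather than dropped; add a one-line comment at the removal point saying where the check now happens. Also worth confirming that nothing between this point and the relocated check (the two memset calls and whatever follows them) depends on the client entry having already been validated, since a disabled or expired client now gets further into _kdc_as_rep before being rejected.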
@@ -1366,6 +1359,19 @@ _kdc_as_rep(krb5_context context,
}
/*
+ * Verify flags after the user been required to prove its identity
+ * with in a preauth mech.
+ */
+
+ ret = _kdc_check_flags(context, config,
+ client, client_name,
+ server, server_name,
+ TRUE);
+ if(ret)
+ goto out;
+
+
+ /*
* Find the client key (for preauth ENC-TS verification and reply
* encryption). Then the best encryption type for the KDC and
* last the best session key that shared between the client and
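Review bot: the new comment's grammar should be fixed before merge ("after the user has been required to prove its identity within a preauth mech"), and it should state why the placement matters: returning KRB5KDC_ERR_KEY_EXP only after pre-authentication is what keeps an unauthenticated AS-REQ from revealing that the account's password is expired. The comment that immediately follows says the client key is looked up "for preauth ENC-TS verification", which reads as if pre-authentication has not been verified yet at this point; confirm the PA-DATA handling really runs before the relocated call, otherwise the check is still effectively pre-preauth. Minor: the two consecutive blank "+" lines before the second comment should be one.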
-------------- next part --------------
On 30 Jan 2009 at 12:04, Matthieu Patou wrote:
> Dear all,
>
> I discovered recently that it's impossible to change the password for
> an account that has its password expired or flagged as must be changed at
> next login.
> I first tried with kpasswd (i.e. kpasswd user_tst); the server immediately
> replies with error_code: KRB5KDC_ERR_KEY_EXP without asking about the
> password (btw it might be a security issue because it's easy to know
> which account has a password either expired or that needs to be changed
> at next login). I tried also with libpam-krb5 3.12 (the latest stable)
> and in this case pam first tries to talk with the krbtgt/REALM server, then
> prompts for the password and then tries to talk to kadmin/changepw, but in
> both cases it received KRB5KDC_ERR_KEY_EXP.
>
> If you have a look at the kpasswd/W2K3 exchange, we can see that things
> are completely different:
>
> * First the server asks the client for a password by replying with an
> error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
> * Then after checking that the password is correct the server replies
> with an error_code KRB5KDC_ERR_KEY_EXP
> * The client then issues a request to the kadmin/changepw server, which is
> first replied to with a KRB5KDC_ERR_PREAUTH_REQUIRED error_code, and once
> the client provides the password the request is validated
> * The client can prompt for a new password and go ahead in the process
> for changing the password.
>
> Is it possible to make some change to the samba kdc so that we achieve
> more or less the same behavior?
> I think more precisely of bypassing the call to authsam_account_ok if
> the server name is kadmin/changepw.
>
> I attached network captures of the kinit client versus Samba4
> (4.0.0alpha7-GIT-d8f15e4) and versus Windows 2003R2.
>
> Any comments?
>
> Matthieu.
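An added model (not Heimdal or Samba code) of the AS-REQ ordering discussed in this thread: a toy KDC that runs the account-flag check either before or after pre-authentication, and a kpasswd-style client that follows the W2K3 sequence Matthieu quotes. Entry, kdc_as_rep, unauthenticated_probe and change_password_flow are this example's own names; it assumes the kadmin/changepw entry carries the change_pw flag, which Love suspects the samba4 hdb layer does not set.

```python
from dataclasses import dataclass

# Error codes from RFC 4120 (the thread quotes PREAUTH_REQUIRED as 25).
KRB5KDC_ERR_KEY_EXP = 23
KRB5KDC_ERR_PREAUTH_FAILED = 24
KRB5KDC_ERR_PREAUTH_REQUIRED = 25

@dataclass
class Entry:
    """Constructed stand-in for an hdb client entry."""
    password: str
    key_expired: bool = False  # expired or "must change at next logon"

def kdc_as_rep(entry, server, password=None, flags_after_preauth=True):
    """Return 0 or a KRB5KDC_ERR_* code for one AS-REQ.

    flags_after_preauth=False mirrors the pre-patch ordering, where the
    flag check runs before any pre-authentication has been verified.
    """
    def check_flags():
        # Model of flags.change_pw: the password-change service must stay
        # reachable with an expired key; every other service rejects it.
        if entry.key_expired and server != "kadmin/changepw":
            return KRB5KDC_ERR_KEY_EXP
        return 0
    if not flags_after_preauth:
        ret = check_flags()
        if ret:                          # pre-patch: KEY_EXP leaks before preauth
            return ret
    if password is None:                 # no PA-DATA yet: ask for it
        return KRB5KDC_ERR_PREAUTH_REQUIRED
    if password != entry.password:       # ENC-TS style verification
        return KRB5KDC_ERR_PREAUTH_FAILED
    return check_flags()                 # identity proven: now report KEY_EXP

def unauthenticated_probe(entry, flags_after_preauth=True):
    """What a requester that never supplies a password learns."""
    return kdc_as_rep(entry, "krbtgt/REALM", None, flags_after_preauth)

def change_password_flow(entry, password, flags_after_preauth=True):
    """KDC replies seen by a kpasswd-style client following the W2K3 sequence."""
    replies = []
    for server in ("krbtgt/REALM", "kadmin/changepw"):
        ret = kdc_as_rep(entry, server, None, flags_after_preauth)
        replies.append((server, ret))
        if ret == KRB5KDC_ERR_PREAUTH_REQUIRED:  # prompt, then retry with preauth
            ret = kdc_as_rep(entry, server, password, flags_after_preauth)
            replies.append((server, ret))
    return replies
```

With the check after pre-authentication, an expired account and a healthy one both answer PREAUTH_REQUIRED to a passwordless request, so the expired state is only disclosed to someone who already knows the password.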