Patch for fixing pb when users have a valid ticket and the server change its password

Andrew Bartlett abartlet at samba.org
Mon May 24 18:10:33 MDT 2010


On Tue, 2010-05-25 at 02:02 +0400, Matthieu Patou wrote:
> Hello,
> On 22/05/2010 09:03, Matthieu Patou wrote:
> > On 21/05/2010 18:24, John H Terpstra wrote:
> >> On 05/21/2010 09:11 AM, Matthieu Patou wrote:
> >>> Hello,
> >>>
> >>> Find attach a patch proposal for bug 7099.
> >>>
> >>> My patch stores a copy of the previous password on password change and
> >>> tries this password for validating tickets presented by the user to the
> >>> server.
> >>>
> >>> This should hopefully solve the bug that when the password of a samba 3
> >>> server is changed: for all tickets that are still valid for the 
> >>> server's
> >>> principals but emitted before the server has changed its password, the
> >>> server is not anymore able to validate them (as it didn't have the
> >>> previous passwords).
> >>>
> >>> I also attached a backport for samba3.5.x (I applied it to 3.5.3 and
> >>> 3.5.2 and compiled it on 3.5.2).
> >>>
> >>> Cheers.
> >>>
> >>> Matthieu.
> >>>
> >> Matthieu,
> >>
> >> Thank you for fixing that bug. Much appreciated.
> >>
> > John, just pay attention that I didn't test it thoroughly with real
> > windows workstation. It just doesn't show the pb when using smbclient
> > and forcing the password change with net changetrustpw. So for your
> > clusters it's worth waiting a little bit still.
> >
> Now I tested it and I had to change the patch a little bit.
> Here is the updated version.

This looks good.  I hope to rework this properly some day to use
exclusively the keytab approach (so we don't waste CPU re-salting the
machine password), but this fixes the issue without a big change in the
structure.

The main concern I have is that by changing from one 'for' loop to two
different for loops, the meaning of 'break' has changed.  Some of
the error conditions should cause a retry with a different enc type,
while others are fatal.  As far as I can tell, you only have an early
exit for success.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
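The mechanism discussed in this thread, as an added example that is not part of the original thread or of Samba's code: keep a copy of the previous machine password when it is rotated, try the current password first and fall back to the previous one when validating a ticket, and, when looping over keys and enctypes, treat "wrong key" as "try the next one" while letting every other error out immediately (the break semantics Andrew raises above). Kerberos ticket encryption and string-to-key are replaced here by a constructed HMAC/PBKDF2 stand-in; the names `ENCTYPES`, `rotate_password`, `candidate_passwords`, `issue_ticket` and `validate_ticket` are assumptions, not Samba identifiers.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for the enctypes a service keytab would hold.
ENCTYPES = ("aes256-cts", "aes128-cts", "arcfour-hmac")


class WrongKey(Exception):
    """The ticket did not verify under this key: try the next key/enctype."""


class FatalTicketError(Exception):
    """The ticket is invalid regardless of which key is used (e.g. expired)."""


def derive_key(password, enctype, salt="HOST$@EXAMPLE.COM"):
    # Stand-in for Kerberos string-to-key: one key per (password, enctype).
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               f"{salt}|{enctype}".encode(), 1000)


def rotate_password(store, new_password):
    # The patch's idea: on change, remember the password being replaced.
    return {"current": new_password, "previous": store["current"]}


def candidate_passwords(store):
    # Current password first; previous one only as a fallback.
    return [p for p in (store["current"], store["previous"]) if p is not None]


def issue_ticket(password, enctype, payload):
    # KDC side (constructed): bind the payload to the service key in use
    # at issue time. A ticket issued before a rotation stays valid until
    # its endtime even though the service key has since changed.
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(derive_key(password, enctype), body.encode(), "sha256").hexdigest()
    return {"body": body, "tag": tag}


def verify_with_key(ticket, key, now):
    expected = hmac.new(key, ticket["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise WrongKey()
    payload = json.loads(ticket["body"])
    # Checks that depend on ticket content, not on the key, are fatal:
    # retrying with another enctype cannot make an expired ticket valid.
    if payload["endtime"] < now:
        raise FatalTicketError("ticket expired")
    return payload


def validate_ticket(ticket, passwords, now=None):
    """Two nested loops: passwords (current, then previous) and enctypes.
    Only WrongKey is swallowed to continue the search; a FatalTicketError
    raised by verify_with_key propagates out of both loops unchanged, and
    the only early exit is success."""
    now = time.time() if now is None else now
    for password in passwords:
        for enctype in ENCTYPES:
            try:
                payload = verify_with_key(ticket, derive_key(password, enctype), now)
            except WrongKey:
                continue
            return enctype, payload
    raise FatalTicketError("no current or previous key verifies this ticket")


if __name__ == "__main__":
    # Constructed scenario: a client obtained a ticket under the old password,
    # then the server rotated it; validation still succeeds via the fallback.
    ticket = issue_ticket("oldpw", "aes128-cts", {"cname": "alice", "endtime": 1600})
    store = rotate_password({"current": "oldpw", "previous": None}, "newpw")
    print(validate_ticket(ticket, candidate_passwords(store), now=1000))
```

The point of the structure is in `validate_ticket`: the `except WrongKey: continue` is the only place a failure leads to another attempt, so an error such as an expired ticket that decrypted fine under the previous key is reported as such instead of being masked by a later "no key matched" failure.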
