[PATCH] fix spinning winbind

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Aug 28 13:51:20 UTC 2015


Hi!

For everyone who has not followed samba at samba.org: Attached
find a patch that fixes the spinning winbind when a user's
password has expired.

I'm sure this needs a ton of #ifdefs, so I'd like to ask the
Kerberos interop people (gd, asn, obnox?) to take a look.

Nevertheless, please review!

Thanks,

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 20b4ad857bcc0b382f856150afa3b305c2b2a61e Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Fri, 28 Aug 2015 12:33:13 +0200
Subject: [PATCH] winbind: Fix 100% loop

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/libads/kerberos.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index d5e0238..b865d7a 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -50,6 +50,22 @@ kerb_prompter(krb5_context ctx, void *data,
 {
 	if (num_prompts == 0) return 0;
 
+	if ((num_prompts == 2) &&
+	    (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
+	    (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+		/*
+		 * We don't want to change passwords here. We're
+		 * called from heimal when the KDC returns
+		 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+		 * have the chance to ask the user for a new
+		 * password. If we return 0 (i.e. success), we will be
+		 * spinning in the endless for-loop in
+		 * change_password() in
+		 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+		 */
+		return KRB5KDC_ERR_KEY_EXPIRED;
+	}
+
 	memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
 	if (prompts[0].reply->length > 0) {
 		if (data) {
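Review bot: The new check at the top of kerb_prompter() reads prompts[0].type and prompts[1].type with no build-time guard, while the comment only describes the Heimdal caller. As the cover mail already anticipates, this should be wrapped in a configure-detected #ifdef (or the prompt types obtained in whatever way the other supported Kerberos library offers) so the file still compiles where the prompt struct has no type member. Two smaller points in the comment: "heimal" should read "heimdal", and the reference "init_creds_pw.c:526ff" will go stale as soon as that file changes, so naming change_password() alone is enough. The commit message carries only the subject line. Moving the explanation of why returning 0 makes change_password() loop, and why KRB5KDC_ERR_KEY_EXPIRED is the right error to hand back, into the commit message would help later readers.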
-- 
1.9.1


