[PATCH] fix spinning winbind
Alexander Bokovoy
ab at samba.org
Fri Aug 28 14:56:25 UTC 2015
On Fri, 28 Aug 2015, Volker Lendecke wrote:
> From 20b4ad857bcc0b382f856150afa3b305c2b2a61e Mon Sep 17 00:00:00 2001
> From: Volker Lendecke <vl at samba.org>
> Date: Fri, 28 Aug 2015 12:33:13 +0200
> Subject: [PATCH] winbind: Fix 100% loop
>
> Signed-off-by: Volker Lendecke <vl at samba.org>
> ---
> source3/libads/kerberos.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> index d5e0238..b865d7a 100644
> --- a/source3/libads/kerberos.c
> +++ b/source3/libads/kerberos.c
> @@ -50,6 +50,22 @@ kerb_prompter(krb5_context ctx, void *data,
> {
> if (num_prompts == 0) return 0;
>
> + if ((num_prompts == 2) &&
> + (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
> + (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
> + /*
> + * We don't want to change passwords here. We're
> + * called from heimal when the KDC returns
> + * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
> + * have the chance to ask the user for a new
> + * password. If we return 0 (i.e. success), we will be
> + * spinning in the endless for-loop in
> + * change_password() in
> + * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
> + */
> + return KRB5KDC_ERR_KEY_EXPIRED;
> + }
> +
> memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
> if (prompts[0].reply->length > 0) {
> if (data) {
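Review bot: the added check at the top of kerb_prompter() matches only one exact layout, num_prompts == 2 with KRB5_PROMPT_TYPE_NEW_PASSWORD followed by KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN, so a new-password prompt arriving with any other count or order falls through to the prompts[0] handling below instead of returning KRB5KDC_ERR_KEY_EXPIRED. Consider looping over all num_prompts entries and returning the error as soon as any entry has one of the two new-password types. The comment also spells the library "heimal" and cites init_creds_pw.c:526ff, a line number that will drift as that file changes; naming change_password() alone is enough. The commit message has no body, so the reasoning lives only in the code comment; a sentence in the message about the KDC error and the loop would help anyone reading the log.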
ACK. In MIT Kerberos there is no endless loop (there are three tries
only) and setting KRB5KDC_ERR_KEY_EXPIRED will issue an expiration
warning and will get out.
--
/ Alexander Bokovoy