[PATCH] fix spinning winbind

Jeremy Allison jra at samba.org
Fri Aug 28 16:33:41 UTC 2015 

On Fri, Aug 28, 2015 at 05:56:25PM +0300, Alexander Bokovoy wrote:
> On Fri, 28 Aug 2015, Volker Lendecke wrote:
> > From 20b4ad857bcc0b382f856150afa3b305c2b2a61e Mon Sep 17 00:00:00 2001
> > From: Volker Lendecke <vl at samba.org>
> > Date: Fri, 28 Aug 2015 12:33:13 +0200
> > Subject: [PATCH] winbind: Fix 100% loop
> > 
> > Signed-off-by: Volker Lendecke <vl at samba.org>
> > ---
> >  source3/libads/kerberos.c | 16 ++++++++++++++++
> >  1 file changed, 16 insertions(+)
> > 
> > diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> > index d5e0238..b865d7a 100644
> > --- a/source3/libads/kerberos.c
> > +++ b/source3/libads/kerberos.c
> > @@ -50,6 +50,22 @@ kerb_prompter(krb5_context ctx, void *data,
> >  {
> >  	if (num_prompts == 0) return 0;
> >  
> > +	if ((num_prompts == 2) &&
> > +	    (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
> > +	    (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
> > +		/*
> > +		 * We don't want to change passwords here. We're
> > +		 * called from heimal when the KDC returns
> > +		 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
> > +		 * have the chance to ask the user for a new
> > +		 * password. If we return 0 (i.e. success), we will be
> > +		 * spinning in the endless for-loop in
> > +		 * change_password() in
> > +		 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
> > +		 */
> > +		return KRB5KDC_ERR_KEY_EXPIRED;
> > +	}
> > +
> >  	memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
> >  	if (prompts[0].reply->length > 0) {
> >  		if (data) {
> ACK. In MIT Kerberos there is no endless loop (there are three tries
> only) and setting KRB5KDC_ERR_KEY_EXPIRED will issue an expiration
> warning and will get out.

Oh that's some *horrible* code in Heimal...

Just to clarify Alexander, that's an ACK (Reviewed-by:) on
the patch here ?

I also checked inside MIT krb5 latest source, and this
change in the prompter looks safe, as it will cause
krb5_get_init_creds_password() to bail with
KRB5KDC_ERR_KEY_EXPIRED.

Are you happy to push ?

Cheers,

	Jeremy.

More information about the samba-technical mailing list