[PATCH] fix spinning winbind
Alexander Bokovoy
ab at samba.org
Fri Aug 28 16:36:48 UTC 2015
On Fri, 28 Aug 2015, Jeremy Allison wrote:
> On Fri, Aug 28, 2015 at 05:56:25PM +0300, Alexander Bokovoy wrote:
> > On Fri, 28 Aug 2015, Volker Lendecke wrote:
> > > From 20b4ad857bcc0b382f856150afa3b305c2b2a61e Mon Sep 17 00:00:00 2001
> > > From: Volker Lendecke <vl at samba.org>
> > > Date: Fri, 28 Aug 2015 12:33:13 +0200
> > > Subject: [PATCH] winbind: Fix 100% loop
> > >
> > > Signed-off-by: Volker Lendecke <vl at samba.org>
> > > ---
> > > source3/libads/kerberos.c | 16 ++++++++++++++++
> > > 1 file changed, 16 insertions(+)
> > >
> > > diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> > > index d5e0238..b865d7a 100644
> > > --- a/source3/libads/kerberos.c
> > > +++ b/source3/libads/kerberos.c
> > > @@ -50,6 +50,22 @@ kerb_prompter(krb5_context ctx, void *data,
> > > {
> > > if (num_prompts == 0) return 0;
> > >
> > > + if ((num_prompts == 2) &&
> > > + (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
> > > + (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
> > > + /*
> > > + * We don't want to change passwords here. We're
> > > + * called from heimal when the KDC returns
> > > + * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
> > > + * have the chance to ask the user for a new
> > > + * password. If we return 0 (i.e. success), we will be
> > > + * spinning in the endless for-loop in
> > > + * change_password() in
> > > + * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
> > > + */
> > > + return KRB5KDC_ERR_KEY_EXPIRED;
> > > + }
> > > +
> > > memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
> > > if (prompts[0].reply->length > 0) {
> > > if (data) {
> > ACK. In MIT Kerberos there is no endless loop (there are three tries
> > only) and setting KRB5KDC_ERR_KEY_EXPIRED will issue an expiration
> > warning and will get out.
>
> Oh that's some *horrible* code in Heimal...
>
> Just to clarify Alexander, that's an ACK (Reviewed-by:) on
> the patch here ?
Yes, it is RB+. I'm too used to ACK/NOACK on other projects, sorry for
creating a confusion.
>
> I also checked inside MIT krb5 latest source, and this
> change in the prompter looks safe, as it will cause
> krb5_get_init_creds_password() to bail with
> KRB5KDC_ERR_KEY_EXPIRED.
>
> Are you happy to push ?
I'm fine with the patch. If you have other patches pending, please push
it together with them.
--
/ Alexander Bokovoy
More information about the samba-technical
mailing list