[PATCH] fix spinning winbind

Alexander Bokovoy ab at samba.org
Fri Aug 28 16:36:48 UTC 2015


On Fri, 28 Aug 2015, Jeremy Allison wrote:
> On Fri, Aug 28, 2015 at 05:56:25PM +0300, Alexander Bokovoy wrote:
> > On Fri, 28 Aug 2015, Volker Lendecke wrote:
> > > From 20b4ad857bcc0b382f856150afa3b305c2b2a61e Mon Sep 17 00:00:00 2001
> > > From: Volker Lendecke <vl at samba.org>
> > > Date: Fri, 28 Aug 2015 12:33:13 +0200
> > > Subject: [PATCH] winbind: Fix 100% loop
> > > 
> > > Signed-off-by: Volker Lendecke <vl at samba.org>
> > > ---
> > >  source3/libads/kerberos.c | 16 ++++++++++++++++
> > >  1 file changed, 16 insertions(+)
> > > 
> > > diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> > > index d5e0238..b865d7a 100644
> > > --- a/source3/libads/kerberos.c
> > > +++ b/source3/libads/kerberos.c
> > > @@ -50,6 +50,22 @@ kerb_prompter(krb5_context ctx, void *data,
> > >  {
> > >  	if (num_prompts == 0) return 0;
> > >  
> > > +	if ((num_prompts == 2) &&
> > > +	    (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
> > > +	    (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
> > > +		/*
> > > +		 * We don't want to change passwords here. We're
> > > +		 * called from heimal when the KDC returns
> > > +		 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
> > > +		 * have the chance to ask the user for a new
> > > +		 * password. If we return 0 (i.e. success), we will be
> > > +		 * spinning in the endless for-loop in
> > > +		 * change_password() in
> > > +		 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
> > > +		 */
> > > +		return KRB5KDC_ERR_KEY_EXPIRED;
> > > +	}
> > > +
> > >  	memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
> > >  	if (prompts[0].reply->length > 0) {
> > >  		if (data) {
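Review bot: the new condition reads prompts[0].type and prompts[1].type directly, which assumes the krb5_prompt structure of whichever Kerberos library this file is built against has a type member; since kerberos.c is discussed here in relation to both Heimdal and MIT Kerberos, the check should be confirmed to compile against both, or guarded by a configure test. In the added comment, "heimal" is a typo for "heimdal", and the reference "init_creds_pw.c:526ff" pins a line number that will drift as that file changes, so naming change_password() alone is enough. The commit message carries only a subject line; the reason for returning KRB5KDC_ERR_KEY_EXPIRED is worth repeating there so it shows up in the log as well as in the source.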
> > ACK. In MIT Kerberos there is no endless loop (there are three tries
> > only) and setting KRB5KDC_ERR_KEY_EXPIRED will issue an expiration
> > warning and will get out.
> 
> Oh that's some *horrible* code in Heimdal...
> 
> Just to clarify Alexander, that's an ACK (Reviewed-by:) on
> the patch here?
Yes, it is RB+. I'm too used to ACK/NOACK on other projects, sorry for
creating confusion.

> 
> I also checked inside MIT krb5 latest source, and this
> change in the prompter looks safe, as it will cause
> krb5_get_init_creds_password() to bail with
> KRB5KDC_ERR_KEY_EXPIRED.
> 
> Are you happy to push?
I'm fine with the patch. If you have other patches pending, please push
it together with them.
-- 
/ Alexander Bokovoy
