[PATCH] Revert "winbind: Fix 100% loop"

[Volker Lendecke]

Hi!

Until our Kerberos experts had the time to take a deeper
look I would feel better with the attached patch. It seems
we open a security hole with this patch.

Review&push appreciated!

Thanks,

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 5cbc3bc8da9a3429fee97370ea3d34272dd73fab Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 1 Sep 2015 17:13:36 +0200
Subject: [PATCH] Revert "winbind: Fix 100% loop"

This reverts commit e551cdb37d3e8cfb155bc33f9b162761c8d60889.
---
 source3/libads/kerberos.c | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 7fe864b..e4bad74 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -48,22 +48,6 @@ kerb_prompter(krb5_context ctx, void *data,
 {
 	if (num_prompts == 0) return 0;
 
-	if ((num_prompts == 2) &&
-	    (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
-	    (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
-		/*
-		 * We don't want to change passwords here. We're
-		 * called from heimal when the KDC returns
-		 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
-		 * have the chance to ask the user for a new
-		 * password. If we return 0 (i.e. success), we will be
-		 * spinning in the endless for-loop in
-		 * change_password() in
-		 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
-		 */
-		return KRB5KDC_ERR_KEY_EXPIRED;
-	}
-
 	memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
 	if (prompts[0].reply->length > 0) {
 		if (data) {
-- 
1.9.1