[PATCH] Revert "winbind: Fix 100% loop"

Jeremy Allison jra at samba.org
Tue Sep 1 15:49:15 UTC 2015 

On Tue, Sep 01, 2015 at 05:14:53PM +0200, Volker Lendecke wrote:
> Hi!
> 
> Until our Kerberos experts had the time to take a deeper
> look I would feel better with the attached patch. It seems
> we open a security hole with this patch.
> 
> Review&push appreciated!

Yeah fair enough. I still think this patch is correct,
and the real issue lies in the krb5 -> NTSTATUS mapping
(which is being worked on) but restoring the 100% CPU
spin and stopping the logon is better than allowing
a security issue :-).

Pushed.

Jeremy.



> -- 
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de

> From 5cbc3bc8da9a3429fee97370ea3d34272dd73fab Mon Sep 17 00:00:00 2001
> From: Volker Lendecke <vl at samba.org>
> Date: Tue, 1 Sep 2015 17:13:36 +0200
> Subject: [PATCH] Revert "winbind: Fix 100% loop"
> 
> This reverts commit e551cdb37d3e8cfb155bc33f9b162761c8d60889.
> ---
>  source3/libads/kerberos.c | 16 ----------------
>  1 file changed, 16 deletions(-)
> 
> diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> index 7fe864b..e4bad74 100644
> --- a/source3/libads/kerberos.c
> +++ b/source3/libads/kerberos.c
> @@ -48,22 +48,6 @@ kerb_prompter(krb5_context ctx, void *data,
>  {
>  	if (num_prompts == 0) return 0;
>  
> -	if ((num_prompts == 2) &&
> -	    (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
> -	    (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
> -		/*
> -		 * We don't want to change passwords here. We're
> -		 * called from heimal when the KDC returns
> -		 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
> -		 * have the chance to ask the user for a new
> -		 * password. If we return 0 (i.e. success), we will be
> -		 * spinning in the endless for-loop in
> -		 * change_password() in
> -		 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
> -		 */
> -		return KRB5KDC_ERR_KEY_EXPIRED;
> -	}
> -
>  	memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
>  	if (prompts[0].reply->length > 0) {
>  		if (data) {
> -- 
> 1.9.1
>

More information about the samba-technical mailing list