[PATCH] Revert "winbind: Fix 100% loop"

Andreas Schneider asn at samba.org
Tue Sep 1 16:09:56 UTC 2015

On Tuesday 01 September 2015 17:14:53 Volker Lendecke wrote:
> Hi!
> Until our Kerberos experts had the time to take a deeper
> look I would feel better with the attached patch. It seems
> we open a security hole with this patch.
> Review&push appreciated!
> Thanks,
> Volker

I've pushed the revert. If I understand this correctly the kerb_prompter fixes 
a case in heimdal if the password is set to NULL.

For MIT Kerberos the prompter is only called if


as option is set.

So this is a workaround for a Heimdal bug only. We should #ifdef it. If I look 
at what kerb_prompter does, it either copies the password, if provided, or sets 
it to '\0', so an empty string ...

If you look at source4/heimdal/lib/krb5/init_creds_pw.c +2028

It doesn't care about the reply length. It sets the password to the provided 
password or the empty string. So the simple fix should be to have

if (password == NULL) {
	password = "";
}

and pass NULL instead of the kerb_prompter. This way heimdal should deal with 
the password correctly.

	-- andreas 

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
