[PATCH] Revert "winbind: Fix 100% loop"
Andreas Schneider
asn at samba.org
Tue Sep 1 16:09:56 UTC 2015
On Tuesday 01 September 2015 17:14:53 Volker Lendecke wrote:
> Hi!
>
> Until our Kerberos experts had the time to take a deeper
> look I would feel better with the attached patch. It seems
> we open a security hole with this patch.
>
> Review&push appreciated!
>
> Thanks,
>
> Volker
I've pushed the revert. If I understand this correctly the kerb_prompter fixes
a case in heimdal if the password is set to NULL.
For MIT Kerberos the prompter is only called if
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
as option is set.
So this is a workaround for a Heimdal bug only. We should #ifdef it. If I look
what kerb_prompter does it either copies the password, if provided or sets it
to '\0' so an empty string ...
If you look at source4/heimdal/lib/krb5/init_creds_pw.c +2028
It doesn't care about the reply lenght. It sets the password to the provided
password or the empty string. So the simple fix should be to have
#ifdef SAMBA4_USES_HEIMDAL
if (password == NULL) {
password = "";
}
#endif
and pass NULL instead of the kerb_prompter. This way heimdal should deal with
the password correctly.
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
More information about the samba-technical
mailing list