[PATCH] Revert "winbind: Fix 100% loop"
Jeremy Allison
jra at samba.org
Tue Sep 1 16:13:49 UTC 2015
On Tue, Sep 01, 2015 at 06:09:56PM +0200, Andreas Schneider wrote:
> On Tuesday 01 September 2015 17:14:53 Volker Lendecke wrote:
> > Hi!
> >
> > Until our Kerberos experts had the time to take a deeper
> > look I would feel better with the attached patch. It seems
> > we open a security hole with this patch.
> >
> > Review&push appreciated!
> >
> > Thanks,
> >
> > Volker
>
> I've pushed the revert. If I understand this correctly the kerb_prompter fixes
> a case in heimdal if the password is set to NULL.
>
> For MIT Kerberos the prompter is only called if
>
> KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
>
> as option is set.
>
> So this is a workaround for a Heimdal bug only. We should #ifdef it. If I look
> what kerb_prompter does it either copies the password, if provided or sets it
> to '\0' so an empty string ...
>
> If you look at source4/heimdal/lib/krb5/init_creds_pw.c +2028
>
> It doesn't care about the reply lenght. It sets the password to the provided
> password or the empty string. So the simple fix should be to have
>
> #ifdef SAMBA4_USES_HEIMDAL
> if (password == NULL) {
> password = "";
> }
> #endif
>
> and pass NULL instead of the kerb_prompter. This way heimdal should deal with
> the password correctly.
No, it's more complex than that.
Check out the work being done in:
https://bugzilla.samba.org/show_bug.cgi?id=11038
More information about the samba-technical
mailing list