[PATCH] Avoid password change with expired passwords and MIT kerberos

Günther Deschner gd at samba.org
Fri Feb 19 13:40:33 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

please review and push, I successfully verified the fix with expired
accounts, a Windows 2012 R2 DC and with:

heimdal-1.0.2
heimdal-1.1
heimdal-1.3.3
heimdal-1.5.1
heimdal-1.5.2
heimdal-1.5.3
heimdal-1.5
krb5-1.10.3
krb5-1.10.4
krb5-1.11.1
krb5-1.11.2
krb5-1.11.3
krb5-1.11.5
krb5-1.11
krb5-1.12.1
krb5-1.13
krb5-1.14
krb5-1.6.1
krb5-1.6.2
krb5-1.6.3
krb5-1.7.1
krb5-1.7.2
krb5-1.8.1
krb5-1.8.2
krb5-1.8.3
krb5-1.8.5
krb5-1.8
krb5-1.9.1
krb5-1.9.2
krb5-1.9.3
krb5-1.9.5
krb5-1.9

Thanks,
Guenther

- -- 
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner at redhat.com
Samba Team                              gd at samba.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlbHG0kACgkQSOk3aI7hFojGzQCgjU5XXQAQabSaN5RIBPtGyukP
ga4AnirPsuCAKwxYV7rpb1ufN7wEj7dY
=CoRU
-----END PGP SIGNATURE-----
-------------- next part --------------
From cea32b43181e51f159981194336311541cc07eb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Mon, 15 Feb 2016 12:58:07 +0100
Subject: [PATCH] s3-kerberos: avoid entering a password change dialogue also
 when using MIT.

Without this fix, for accounts with an expired password, a password change
process is initiated and - due to the prompter - this fails with a confusing
error message:

"kerberos_kinit_password Administrator at W2K12DOM.BER.REDHAT.COM failed: Password
mismatch
Failed to join domain: failed to connect to AD: Password mismatch"

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
---
 source3/libads/kerberos.c        | 59 ++++++++++++++++++++++++----------------
 wscript_configure_system_mitkrb5 |  1 +
 2 files changed, 36 insertions(+), 24 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 9a7a1e7..4774a9f 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -47,33 +47,44 @@ kerb_prompter(krb5_context ctx, void *data,
 	       krb5_prompt prompts[])
 {
 	if (num_prompts == 0) return 0;
-#if HAVE_KRB5_PROMPT_TYPE
-
-	/*
-	 * only heimdal has a prompt type and we need to deal with it here to
-	 * avoid loops.
-	 *
-	 * removing the prompter completely is not an option as at least these
-	 * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
-	 * version have looping detection and return with a proper error code.
-	 */
-
-	if ((num_prompts == 2) &&
-	    (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
-	    (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+	if (num_prompts == 2) {
 		/*
-		 * We don't want to change passwords here. We're
-		 * called from heimal when the KDC returns
-		 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
-		 * have the chance to ask the user for a new
-		 * password. If we return 0 (i.e. success), we will be
-		 * spinning in the endless for-loop in
-		 * change_password() in
-		 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+		 * only heimdal has a prompt type and we need to deal with it here to
+		 * avoid loops.
+		 *
+		 * removing the prompter completely is not an option as at least these
+		 * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
+		 * version have looping detection and return with a proper error code.
 		 */
-		return KRB5KDC_ERR_KEY_EXPIRED;
+
+#if HAVE_KRB5_PROMPT_TYPE /* Heimdal */
+		 if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+		     prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+			/*
+			 * We don't want to change passwords here. We're
+			 * called from heimal when the KDC returns
+			 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+			 * have the chance to ask the user for a new
+			 * password. If we return 0 (i.e. success), we will be
+			 * spinning in the endless for-loop in
+			 * change_password() in
+			 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+			 */
+			return KRB5KDC_ERR_KEY_EXPIRED;
+		}
+#elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */
+		krb5_prompt_type *prompt_types = NULL;
+
+		prompt_types = krb5_get_prompt_types(ctx);
+		if (prompt_types != NULL) {
+			if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+			    prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+				return KRB5KDC_ERR_KEY_EXP;
+			}
+		}
+#endif
 	}
-#endif /* HAVE_KRB5_PROMPT_TYPE */
+
 	memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
 	if (prompts[0].reply->length > 0) {
 		if (data) {
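Review bot: the comment moved to the top of the `if (num_prompts == 2)` block still says "only heimdal has a prompt type", which this very hunk contradicts by adding an MIT branch keyed on krb5_get_prompt_types(); reword it to state that both Heimdal (prompts[i].type) and MIT (krb5_get_prompt_types()) expose prompt types and that the check exists to avoid the change-password loop. While the block is being touched: the Heimdal comment still misspells "heimal", the Heimdal `if` body is indented with an extra space beyond the surrounding tabs, and `#if HAVE_KRB5_PROMPT_TYPE` is paired with `#elif defined(HAVE_KRB5_GET_PROMPT_TYPES)`; using `defined()` in both tests keeps the two branches symmetrical. The logic itself reads correctly: the MIT branch only indexes prompt_types[0] and prompt_types[1] after num_prompts == 2 and the NULL check, and each branch returns its own library's spelling of the key-expired code (KRB5KDC_ERR_KEY_EXPIRED for Heimdal, KRB5KDC_ERR_KEY_EXP for MIT), so callers see the same condition either way.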
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index 4b3a69f..9c1ad8f 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -115,6 +115,7 @@ conf.CHECK_FUNCS('''
        krb5_keyblock_init krb5_principal_set_realm krb5_principal_get_type
        krb5_principal_set_type
        krb5_warnx
+       krb5_get_prompt_types
        ''',
      lib='krb5 k5crypto')
 conf.CHECK_DECLS('''krb5_get_credentials_for_user
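Review bot: this check only helps if the macro it produces is the one kerberos.c tests; with waf's CHECK_FUNCS the define is HAVE_KRB5_GET_PROMPT_TYPES, which matches the `#elif defined(HAVE_KRB5_GET_PROMPT_TYPES)` branch, so the two files line up. It would help a later reader if the commit message noted that the Heimdal side needs no configure change because it is gated on the existing HAVE_KRB5_PROMPT_TYPE, and the new name would sit more naturally in the group of krb5_* functions above rather than appended after the lone `krb5_warnx` line.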
-- 
2.5.0
