[Samba] FW: Questions about Samba 4

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Aug 28 10:48:38 UTC 2015


On Thu, Aug 27, 2015 at 08:17:15AM +0200, L.P.H. van Belle wrote:
> This was a test on Debian Jessie with SerNet Samba 4.2.3,
> and the test was "login" with an AD user on ssh.
> This worked fine, but this I noticed later.

Currently recompiling with the attached patch. I haven't
tested it yet, but I am pretty sure this will fix the issue.

For everyone interested, the comment should be pretty
self-explanatory.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 20b4ad857bcc0b382f856150afa3b305c2b2a61e Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Fri, 28 Aug 2015 12:33:13 +0200
Subject: [PATCH] winbind: Fix 100% loop

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/libads/kerberos.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index d5e0238..b865d7a 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -50,6 +50,22 @@ kerb_prompter(krb5_context ctx, void *data,
 {
 	if (num_prompts == 0) return 0;
 
+	if ((num_prompts == 2) &&
+	    (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
+	    (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+		/*
+		 * We don't want to change passwords here. We're
+		 * called from heimal when the KDC returns
+		 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+		 * have the chance to ask the user for a new
+		 * password. If we return 0 (i.e. success), we will be
+		 * spinning in the endless for-loop in
+		 * change_password() in
+		 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+		 */
+		return KRB5KDC_ERR_KEY_EXPIRED;
+	}
+
 	memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
 	if (prompts[0].reply->length > 0) {
 		if (data) {
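Review bot: the guard at the top of kerb_prompter() fires only for the exact two-prompt shape (num_prompts == 2, prompts[0] NEW_PASSWORD, prompts[1] NEW_PASSWORD_AGAIN); any other prompt sequence containing a new-password prompt would still fall through to the memset/fill code below and return 0, which is the success path the comment says must be avoided. A more robust check would loop over all prompts before the memset and return KRB5KDC_ERR_KEY_EXPIRED as soon as one has type KRB5_PROMPT_TYPE_NEW_PASSWORD or KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN, independent of count and position. Two smaller points: the comment misspells "heimdal" as "heimal", and `prompts[i].type` is a field of Heimdal's krb5_prompt struct (MIT Kerberos exposes prompt types through krb5_get_prompt_types() instead), so it is worth stating in the comment that this block assumes the Heimdal API, which is what the referenced source4/heimdal/lib/krb5/init_creds_pw.c path already implies.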
-- 
1.9.1


