From 5e6d1796106df8ba6bc1973ee0917c170d929086 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 3 Dec 2018 02:33:07 +0200
Subject: [PATCH] Ignore password attributes for S4U2Self requests
For consistency with Windows KDCs, allow protocol transition to work
even if the password has expired or needs changing.
Also, when looking up an enterprise principal with an AS request,
treat ERR_KEY_EXP as confirmation that the client is present in the
realm.
[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited
commit message]
ticket: 8763 (new)
tags: pullup
target_version: 1.17
---
src/kdc/kdc_util.c | 5 +++++
src/lib/krb5/krb/s4u_creds.c | 2 +-
src/tests/gssapi/t_s4u.py | 8 ++++++++
3 files changed, 14 insertions(+), 1 deletion(-)
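diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 6d53173fb0..6517a213cd 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1574,6 +1574,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
 
 memset(&no_server, 0, sizeof(no_server));
 
+/* Ignore password expiration and needchange attributes (as Windows
+* does), since S4U2Self is not password authentication. */
+princ->pw_expiration = 0;
+clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
+
 code = validate_as_request(kdc_active_realm, request, *princ,
 no_server, kdc_time, status, &e_data);
 if (code) {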
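diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index d2fdcb3f16..614ed41908 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -117,7 +117,7 @@ s4u_identify_user(krb5_context context,
 code = k5_get_init_creds(context, &creds, client, NULL, NULL, 0, NULL,
 opts, krb5_get_as_key_noop, &userid, &use_master,
 NULL);
-if (code == 0 || code == KRB5_PREAUTH_FAILED) {
+if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {
 *canon_user = userid.user;
 userid.user = NULL;
 code = 0;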
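diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index fd29e1a270..84f3fbd752 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -20,6 +20,14 @@
 # Get forwardable creds for service1 in the default cache.
 realm.kinit(service1, None, ['-f', '-k'])
 
+# Try S4U2Self for user with a restricted password.
+realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-needchange',
+'-pwexpire', '1/1/2000', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
+
 # Try krb5 -> S4U2Proxy with forwardable user creds. This should fail
 # at the S4U2Proxy step since the DB2 back end currently has no
 # support for allowing it.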
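Review bot: The new block only shows that `./t_s4u e:user -` succeeds while the user's password needs changing or has expired; nothing checks that the relaxation stays confined to S4U2Self, so a later change that dropped the expiry checks for ordinary AS requests would pass this file unnoticed. A negative check next to each restricted state, such as `realm.kinit(realm.user_princ, password('user'), expected_code=1)` (constructed example; add `expected_msg='Password has expired'` where the k5test in use supports it), would pin the intended scope of the KDC change. The final `modprinc -pwexpire never` cleanup runs only when the preceding commands succeed, which is acceptable for a throwaway test realm but deserves a short comment so nobody moves these lines into shared setup later.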