|
 |
ecf709 |
From b7aa85ea053aa78fa23de98d6c48e155f0cc06bc Mon Sep 17 00:00:00 2001
|
|
|
ecf709 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
ecf709 |
Date: Mon, 12 Jun 2017 14:42:47 +0200
|
|
|
ecf709 |
Subject: [PATCH 182/182] krb5: use plain principal if password is expired
|
|
|
ecf709 |
MIME-Version: 1.0
|
|
|
ecf709 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ecf709 |
Content-Transfer-Encoding: 8bit
|
|
|
ecf709 |
|
|
|
ecf709 |
Similar as in https://pagure.io/SSSD/sssd/issue/3426 enterprise
|
|
|
ecf709 |
principals should be avoided while requesting a kadmin/changepw@REALM
|
|
|
ecf709 |
principal for a password change.
|
|
|
ecf709 |
|
|
|
ecf709 |
Resolves https://pagure.io/SSSD/sssd/issue/3419
|
|
|
ecf709 |
|
|
|
ecf709 |
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
|
|
|
ecf709 |
(cherry picked from commit 7e2ec7caa2d1c17e475fff78c5025496b8695509)
|
|
|
ecf709 |
---
|
|
|
ecf709 |
src/providers/krb5/krb5_child.c | 11 ++++++++++-
|
|
|
ecf709 |
1 file changed, 10 insertions(+), 1 deletion(-)
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
|
|
ecf709 |
index 3cd8bfba76a35acd2c885ee2aac4765a6c1cc03c..3a76b900444dea50ec0b783496e22d25aad797ab 100644
|
|
|
ecf709 |
--- a/src/providers/krb5/krb5_child.c
|
|
|
ecf709 |
+++ b/src/providers/krb5/krb5_child.c
|
|
|
ecf709 |
@@ -64,6 +64,7 @@ struct cli_opts {
|
|
|
ecf709 |
struct krb5_req {
|
|
|
ecf709 |
krb5_context ctx;
|
|
|
ecf709 |
krb5_principal princ;
|
|
|
ecf709 |
+ krb5_principal princ_orig;
|
|
|
ecf709 |
char* name;
|
|
|
ecf709 |
krb5_creds *creds;
|
|
|
ecf709 |
bool otp;
|
|
|
ecf709 |
@@ -1975,7 +1976,7 @@ static errno_t tgt_req_child(struct krb5_req *kr)
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
set_changepw_options(kr->options);
|
|
|
ecf709 |
- kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
|
|
|
ecf709 |
+ kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ_orig,
|
|
|
ecf709 |
password_or_responder(password),
|
|
|
ecf709 |
sss_krb5_prompter, kr, 0,
|
|
|
ecf709 |
SSSD_KRB5_CHANGEPW_PRINCIPAL,
|
|
|
ecf709 |
@@ -2303,6 +2304,8 @@ static int krb5_cleanup(struct krb5_req *kr)
|
|
|
ecf709 |
sss_krb5_free_unparsed_name(kr->ctx, kr->name);
|
|
|
ecf709 |
if (kr->princ != NULL)
|
|
|
ecf709 |
krb5_free_principal(kr->ctx, kr->princ);
|
|
|
ecf709 |
+ if (kr->princ_orig != NULL)
|
|
|
ecf709 |
+ krb5_free_principal(kr->ctx, kr->princ_orig);
|
|
|
ecf709 |
if (kr->ctx != NULL)
|
|
|
ecf709 |
krb5_free_context(kr->ctx);
|
|
|
ecf709 |
|
|
|
ecf709 |
@@ -2847,6 +2850,12 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
|
|
|
ecf709 |
return kerr;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
+ kerr = krb5_parse_name(kr->ctx, kr->upn, &kr->princ_orig);
|
|
|
ecf709 |
+ if (kerr != 0) {
|
|
|
ecf709 |
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
|
|
|
ecf709 |
+ return kerr;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
kerr = krb5_unparse_name(kr->ctx, kr->princ, &kr->name);
|
|
|
ecf709 |
if (kerr != 0) {
|
|
|
ecf709 |
KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
|
|
|
ecf709 |
--
|
|
|
ecf709 |
2.9.4
|
|
|
ecf709 |
|