Blob Blame History Raw
From 62b3828dae4445e30d948cf858e0ecbe120eaf36 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 21 Mar 2014 16:16:23 +0100
Subject: [PATCH 117/117] krb5-child: add revert_changepw_options()

After changing the Kerberos password krb5-child will try to get a fresh
TGT with the new password. This patch tries to make sure the right gic
options are used.

Resolves: https://fedorahosted.org/sssd/ticket/2289

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/providers/krb5/krb5_child.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 674dad7387c6874209ee5e491cefc18eba4a6da5..97c5a590ad78080613325b5a397ac965905932fd 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -140,6 +140,24 @@ static void set_changepw_options(krb5_context ctx,
     krb5_get_init_creds_opt_set_tkt_life(options, 5*60);
 }
 
+static void revert_changepw_options(krb5_get_init_creds_opt *options)
+{
+    krb5_error_code kerr;
+
+    set_canonicalize_option(options);
+
+    /* Currently we do not set forwardable and proxiable explicitly, the flags
+     * must be removed so that libkrb5 can take the defaults from krb5.conf */
+    options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_FORWARDABLE);
+    options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_PROXIABLE);
+
+    kerr = set_lifetime_options(options);
+    if (kerr != 0) {
+        DEBUG(SSSDBG_OP_FAILURE, ("set_lifetime_options failed.\n"));
+    }
+}
+
+
 static errno_t sss_send_pac(krb5_authdata **pac_authdata)
 {
     struct sss_cli_req_data sss_data;
@@ -1187,6 +1205,10 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
 
     krb5_free_cred_contents(kr->ctx, kr->creds);
 
+    /* We changed some of the gic options for the password change, now we have
+     * to change them back to get a fresh TGT. */
+    revert_changepw_options(kr->options);
+
     kerr = get_and_save_tgt(kr, newpassword);
 
     sss_authtok_set_empty(kr->pd->newauthtok);
-- 
1.8.5.3