From b7aa85ea053aa78fa23de98d6c48e155f0cc06bc Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 12 Jun 2017 14:42:47 +0200 Subject: [PATCH 182/182] krb5: use plain principal if password is expired MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Similar as in https://pagure.io/SSSD/sssd/issue/3426 enterprise principals should be avoided while requesting a kadmin/changepw@REALM principal for a password change. Resolves https://pagure.io/SSSD/sssd/issue/3419 Reviewed-by: Fabiano FidĂȘncio (cherry picked from commit 7e2ec7caa2d1c17e475fff78c5025496b8695509) --- src/providers/krb5/krb5_child.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 3cd8bfba76a35acd2c885ee2aac4765a6c1cc03c..3a76b900444dea50ec0b783496e22d25aad797ab 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -64,6 +64,7 @@ struct cli_opts { struct krb5_req { krb5_context ctx; krb5_principal princ; + krb5_principal princ_orig; char* name; krb5_creds *creds; bool otp; @@ -1975,7 +1976,7 @@ static errno_t tgt_req_child(struct krb5_req *kr) } set_changepw_options(kr->options); - kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, + kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ_orig, password_or_responder(password), sss_krb5_prompter, kr, 0, SSSD_KRB5_CHANGEPW_PRINCIPAL, @@ -2303,6 +2304,8 @@ static int krb5_cleanup(struct krb5_req *kr) sss_krb5_free_unparsed_name(kr->ctx, kr->name); if (kr->princ != NULL) krb5_free_principal(kr->ctx, kr->princ); + if (kr->princ_orig != NULL) + krb5_free_principal(kr->ctx, kr->princ_orig); if (kr->ctx != NULL) krb5_free_context(kr->ctx); @@ -2847,6 +2850,12 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline) return kerr; } + kerr = krb5_parse_name(kr->ctx, kr->upn, &kr->princ_orig); + if (kerr != 0) { + KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); + return kerr; + } + kerr = krb5_unparse_name(kr->ctx, kr->princ, &kr->name); if (kerr != 0) { KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); -- 2.9.4