From b7aa85ea053aa78fa23de98d6c48e155f0cc06bc Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 12 Jun 2017 14:42:47 +0200
Subject: [PATCH 182/182] krb5: use plain principal if password is expired
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Similar as in https://pagure.io/SSSD/sssd/issue/3426 enterprise
principals should be avoided while requesting a kadmin/changepw@REALM
principal for a password change.

Resolves https://pagure.io/SSSD/sssd/issue/3419

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 7e2ec7caa2d1c17e475fff78c5025496b8695509)
---
 src/providers/krb5/krb5_child.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 3cd8bfba76a35acd2c885ee2aac4765a6c1cc03c..3a76b900444dea50ec0b783496e22d25aad797ab 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -64,6 +64,7 @@ struct cli_opts {
 struct krb5_req {
     krb5_context ctx;
     krb5_principal princ;
+    krb5_principal princ_orig;
     char* name;
     krb5_creds *creds;
     bool otp;
@@ -1975,7 +1976,7 @@ static errno_t tgt_req_child(struct krb5_req *kr)
     }
 
     set_changepw_options(kr->options);
-    kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
+    kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ_orig,
                                         password_or_responder(password),
                                         sss_krb5_prompter, kr, 0,
                                         SSSD_KRB5_CHANGEPW_PRINCIPAL,
@@ -2303,6 +2304,8 @@ static int krb5_cleanup(struct krb5_req *kr)
         sss_krb5_free_unparsed_name(kr->ctx, kr->name);
     if (kr->princ != NULL)
         krb5_free_principal(kr->ctx, kr->princ);
+    if (kr->princ_orig != NULL)
+        krb5_free_principal(kr->ctx, kr->princ_orig);
     if (kr->ctx != NULL)
         krb5_free_context(kr->ctx);
 
@@ -2847,6 +2850,12 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
         return kerr;
     }
 
+    kerr = krb5_parse_name(kr->ctx, kr->upn, &kr->princ_orig);
+    if (kerr != 0) {
+        KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+        return kerr;
+    }
+
     kerr = krb5_unparse_name(kr->ctx, kr->princ, &kr->name);
     if (kerr != 0) {
         KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
-- 
2.9.4