diff options
author | Andrew Bartlett <abartlet@samba.org> | 2009-06-18 11:08:46 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2009-06-18 13:49:30 +1000 |
commit | 19413c52495877d54c90c60229568d0077fda30b (patch) | |
tree | c148e96ba2ff28933f2d5f3714b8fc7e60957dec /source4/heimdal/kdc/kerberos5.c | |
parent | 2afc6df9b49a246129acdd7c8c24448c8cf3b6ef (diff) | |
download | samba-19413c52495877d54c90c60229568d0077fda30b.tar.gz samba-19413c52495877d54c90c60229568d0077fda30b.tar.bz2 samba-19413c52495877d54c90c60229568d0077fda30b.zip |
s4:kdc Allow a password change when the password is expired
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue. (In particular, in
case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw
Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.
Andrew Bartlett
Diffstat (limited to 'source4/heimdal/kdc/kerberos5.c')
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 22 |
1 files changed, 8 insertions, 14 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 941a2e0572..ac495b1ac7 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -668,11 +668,11 @@ log_as_req(krb5_context context, */ krb5_error_code -_kdc_check_flags(krb5_context context, - krb5_kdc_configuration *config, - hdb_entry_ex *client_ex, const char *client_name, - hdb_entry_ex *server_ex, const char *server_name, - krb5_boolean is_as_req) +kdc_check_flags(krb5_context context, + krb5_kdc_configuration *config, + hdb_entry_ex *client_ex, const char *client_name, + hdb_entry_ex *server_ex, const char *server_name, + krb5_boolean is_as_req) { if(client_ex != NULL) { hdb_entry *client = &client_ex->entry; @@ -921,7 +921,6 @@ _kdc_as_rep(krb5_context context, "AS-REQ malformed server name from %s", from); goto out; } - if(b->cname == NULL){ ret = KRB5KRB_ERR_GENERIC; e_text = "No client in request"; @@ -1345,14 +1344,9 @@ _kdc_as_rep(krb5_context context, * with in a preauth mech. */ - ret = _kdc_check_flags(context, config, - client, client_name, - server, server_name, - TRUE); - if(ret) - goto out; - - ret = _kdc_windc_client_access(context, client, req, &e_data); + ret = _kdc_check_access(context, config, client, client_name, + server, server_name, + req, &e_data); if(ret) goto out; |