authorAndrew Bartlett <abartlet@samba.org>2009-06-18 11:08:46 +1000
committerAndrew Bartlett <abartlet@samba.org>2009-06-18 13:49:30 +1000
commit19413c52495877d54c90c60229568d0077fda30b (patch)
treec148e96ba2ff28933f2d5f3714b8fc7e60957dec /source4/heimdal/kdc
parent2afc6df9b49a246129acdd7c8c24448c8cf3b6ef (diff)
s4:kdc Allow a password change when the password is expired
This requires a rework of Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue (in particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw. Also (in hdb-samba4) be a bit more careful about which entries we will give the 'change_pw' service mark that this depends on. Andrew Bartlett
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r--source4/heimdal/kdc/headers.h1
-rw-r--r--source4/heimdal/kdc/kdc_locl.h1
-rw-r--r--source4/heimdal/kdc/kerberos5.c22
-rw-r--r--source4/heimdal/kdc/krb5tgs.c8
-rw-r--r--source4/heimdal/kdc/windc.c22
-rw-r--r--source4/heimdal/kdc/windc_plugin.h8
6 files changed, 35 insertions, 27 deletions
diff --git a/source4/heimdal/kdc/headers.h b/source4/heimdal/kdc/headers.h
index 2240336e31..b9a828852a 100644
--- a/source4/heimdal/kdc/headers.h
+++ b/source4/heimdal/kdc/headers.h
@@ -104,6 +104,7 @@
#ifndef NO_NTLM
#include <heimntlm.h>
#endif
+#include <kdc.h>
#include <windc_plugin.h>
#undef ALLOC
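Review bot: The new `#include <kdc.h>` directly before `<windc_plugin.h>` makes the include order load-bearing: the client_access typedef in windc_plugin.h, changed in this same commit, now names `krb5_kdc_configuration`, which presumably is what kdc.h provides, and nothing here says so. A one-line comment would keep a later include reorder from breaking the build: `#include <kdc.h>    /* krb5_kdc_configuration, required by windc_plugin.h below */`. Since kdc_locl.h drops its own `#include "kdc.h"` in this commit, headers.h appears to be the only place the KDC sources still pull it in.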
diff --git a/source4/heimdal/kdc/kdc_locl.h b/source4/heimdal/kdc/kdc_locl.h
index 9b291ac896..daf155839c 100644
--- a/source4/heimdal/kdc/kdc_locl.h
+++ b/source4/heimdal/kdc/kdc_locl.h
@@ -39,7 +39,6 @@
#define __KDC_LOCL_H__
#include "headers.h"
-#include "kdc.h"
typedef struct pk_client_params pk_client_params;
struct DigestREQ;
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 941a2e0572..ac495b1ac7 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -668,11 +668,11 @@ log_as_req(krb5_context context,
*/
krb5_error_code
-_kdc_check_flags(krb5_context context,
- krb5_kdc_configuration *config,
- hdb_entry_ex *client_ex, const char *client_name,
- hdb_entry_ex *server_ex, const char *server_name,
- krb5_boolean is_as_req)
+kdc_check_flags(krb5_context context,
+ krb5_kdc_configuration *config,
+ hdb_entry_ex *client_ex, const char *client_name,
+ hdb_entry_ex *server_ex, const char *server_name,
+ krb5_boolean is_as_req)
{
if(client_ex != NULL) {
hdb_entry *client = &client_ex->entry;
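Review bot: Dropping the `_kdc_` prefix turns `kdc_check_flags` into a public symbol, but no header in this diff adds a declaration or a comment for it, so the reason it is being exported is not recorded. Given that windc.c now lets a plugin replace the built-in check, the likely intent is that plugins call this themselves; if so, state it where the function is declared: `/* Public: HDB flag policy check for client/server; a windc plugin that takes over _kdc_check_access is responsible for calling this itself. */`. The body of kdc_check_flags continues past the end of the hunk.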
@@ -921,7 +921,6 @@ _kdc_as_rep(krb5_context context,
"AS-REQ malformed server name from %s", from);
goto out;
}
-
if(b->cname == NULL){
ret = KRB5KRB_ERR_GENERIC;
e_text = "No client in request";
@@ -1345,14 +1344,9 @@ _kdc_as_rep(krb5_context context,
* with in a preauth mech.
*/
- ret = _kdc_check_flags(context, config,
- client, client_name,
- server, server_name,
- TRUE);
- if(ret)
- goto out;
-
- ret = _kdc_windc_client_access(context, client, req, &e_data);
+ ret = _kdc_check_access(context, config, client, client_name,
+ server, server_name,
+ req, &e_data);
if(ret)
goto out;
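Review bot: This call site silently changes from "always run `_kdc_check_flags`, then consult the plugin" to "the plugin alone decides": `_kdc_check_access` in windc.c only runs `kdc_check_flags` when `windcft == NULL`, so a plugin that does not re-implement whatever kdc_check_flags enforces skips it on the AS path, and nothing here says so. Add above the call: `/* With a windc plugin loaded, ALL client/server flag checks are delegated to it; kdc_check_flags only runs when no plugin is registered (see _kdc_check_access in windc.c). */`. The comment block ending in `with in a preauth mech.` starts outside the hunk and may describe the old two-step behaviour; it should be re-read against the new code.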
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 3abdb18ae4..59104da3d6 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1860,10 +1860,10 @@ server_lookup:
* Check flags
*/
- ret = _kdc_check_flags(context, config,
- client, cpn,
- server, spn,
- FALSE);
+ ret = kdc_check_flags(context, config,
+ client, cpn,
+ server, spn,
+ FALSE);
if(ret)
goto out;
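Review bot: The TGS path still calls `kdc_check_flags` directly and never goes through `_kdc_check_access`, so after this commit a loaded windc plugin is consulted for AS-REQs (kerberos5.c) but not for TGS-REQs. The asymmetry existed before (the old code only called the plugin from the AS path), but with the new combined helper it reads like an oversight. If it is intentional, record it: `/* TGS path: built-in flag check only; the windc plugin is consulted at AS time via _kdc_check_access. */`. The enclosing function starts and ends outside the hunk.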
diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c
index fe3cd997e7..9d7fa52cea 100644
--- a/source4/heimdal/kdc/windc.c
+++ b/source4/heimdal/kdc/windc.c
@@ -99,12 +99,22 @@ _kdc_pac_verify(krb5_context context,
}
krb5_error_code
-_kdc_windc_client_access(krb5_context context,
- struct hdb_entry_ex *client,
- KDC_REQ *req,
- krb5_data *e_data)
+_kdc_check_access(krb5_context context,
+ krb5_kdc_configuration *config,
+ hdb_entry_ex *client_ex, const char *client_name,
+ hdb_entry_ex *server_ex, const char *server_name,
+ KDC_REQ *req,
+ krb5_data *e_data)
{
if (windcft == NULL)
- return 0;
- return (windcft->client_access)(windcctx, context, client, req, e_data);
+ return kdc_check_flags(context, config,
+ client_ex, client_name,
+ server_ex, server_name,
+ req->msg_type == krb_as_req);
+
+ return (windcft->client_access)(windcctx,
+ context, config,
+ client_ex, client_name,
+ server_ex, server_name,
+ req, e_data);
}
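Review bot: `(windcft->client_access)(...)` is still invoked without checking that the plugin filled in that slot, and the function has no header comment describing its dispatch rule. The unchecked call is not new, but previously it ran after `_kdc_check_flags` at the call site, whereas now a registered plugin with a NULL or permissive `client_access` replaces the built-in check outright. A fallback covers the NULL-slot case in one line, `if (windcft == NULL || windcft->client_access == NULL)` in place of `if (windcft == NULL)`, and a comment above the function should state that a plugin fully replaces kdc_check_flags. The `req->msg_type == krb_as_req` test also dereferences `req` unconditionally; both callers visible in this diff pass a live request, so that is acceptable if the comment says `req` must be non-NULL.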
diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h
index 34016694b2..c7efb7b852 100644
--- a/source4/heimdal/kdc/windc_plugin.h
+++ b/source4/heimdal/kdc/windc_plugin.h
@@ -64,10 +64,14 @@ typedef krb5_error_code
typedef krb5_error_code
(*krb5plugin_windc_client_access)(
- void *, krb5_context, struct hdb_entry_ex *, KDC_REQ *, krb5_data *);
+ void *, krb5_context,
+ krb5_kdc_configuration *config,
+ hdb_entry_ex *, const char *,
+ hdb_entry_ex *, const char *,
+ KDC_REQ *, krb5_data *);
-#define KRB5_WINDC_PLUGING_MINOR 3
+#define KRB5_WINDC_PLUGING_MINOR 4
typedef struct krb5plugin_windc_ftable {
int minor_version;