authorAndrew Bartlett <abartlet@samba.org>2009-06-18 11:08:46 +1000
committerAndrew Bartlett <abartlet@samba.org>2009-06-18 13:49:30 +1000
commit19413c52495877d54c90c60229568d0077fda30b (patch)
treec148e96ba2ff28933f2d5f3714b8fc7e60957dec /source4/kdc/hdb-samba4.c
parent2afc6df9b49a246129acdd7c8c24448c8cf3b6ef (diff)
s4:kdc Allow a password change when the password is expired
This requires a rework of Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue (in particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw. Also (in hdb-samba4) be a bit more careful about which entries we give the 'change_pw' service mark that this depends on. Andrew Bartlett
Diffstat (limited to 'source4/kdc/hdb-samba4.c')
-rw-r--r--source4/kdc/hdb-samba4.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index c0fa5132d1..eda7867bb5 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -627,7 +627,18 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
entry_ex->entry.flags.invalid = 0;
entry_ex->entry.flags.server = 1;
- entry_ex->entry.flags.change_pw = 1;
+
+ /* Don't mark all requests for the krbtgt/realm as
+ * 'change password', as otherwise we could get into
+ * trouble, and not enforce the password expirty.
+ * Instead, only do it when request is for the kpasswd service */
+ if (ent_type == HDB_SAMBA4_ENT_TYPE_SERVER
+ && principal->name.name_string.len == 2
+ && (strcmp(principal->name.name_string.val[0], "kadmin") == 0)
+ && (strcmp(principal->name.name_string.val[1], "changepw") == 0)
+ && lp_is_my_domain_or_realm(lp_ctx, principal->realm)) {
+ entry_ex->entry.flags.change_pw = 1;
+ }
entry_ex->entry.flags.client = 0;
entry_ex->entry.flags.forwardable = 1;
entry_ex->entry.flags.ok_as_delegate = 1;
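Review bot: The new condition dereferences `principal` unconditionally, so if any caller of LDB_message2entry can pass a NULL principal (a key-enumeration path, if one exists here), the server-entry branch now faults where the old unconditional assignment did not; either a `principal != NULL &&` term at the head of the condition or a comment stating that callers guarantee a non-NULL principal would settle it. The comment above the condition has a typo, `expirty` → `expiry`, and would be clearer if it said what the flag buys: `/* change_pw lets the KDC serve a client whose password has expired; set it only for the kadmin/changepw service so expiry stays enforced for every other server entry */`. It is also worth confirming that the kpasswd lookup always arrives with ent_type == HDB_SAMBA4_ENT_TYPE_SERVER rather than a less specific entry type, since otherwise the flag is never set and expired-password changes fail closed. LDB_message2entry starts and ends outside the hunk.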