diff options
-rw-r--r-- | source3/include/ads.h | 7 | ||||
-rw-r--r-- | source3/libads/krb5_setpw.c | 66 | ||||
-rw-r--r-- | source3/utils/net_ads.c | 9 |
3 files changed, 45 insertions, 37 deletions
diff --git a/source3/include/ads.h b/source3/include/ads.h index f90983e405..07bf6e4b3b 100644 --- a/source3/include/ads.h +++ b/source3/include/ads.h @@ -213,3 +213,10 @@ typedef void **ADS_MODLIST; #if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5) #define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5 #endif + +/* The older versions of heimdal that don't have this + define don't seem to use it anyway. I'm told they + always use a subkey */ +#ifndef AP_OPTS_USE_SUBKEY +#define AP_OPTS_USE_SUBKEY 0 +#endif diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c index ac7377cd2f..a5b9eee4ce 100644 --- a/source3/libads/krb5_setpw.c +++ b/source3/libads/krb5_setpw.c @@ -178,47 +178,39 @@ static krb5_error_code build_kpasswd_request(uint16 pversion, return 0; } +static const struct kpasswd_errors { + int result_code; + const char *error_string; +} kpasswd_errors[] = { + {KRB5_KPASSWD_MALFORMED, "Malformed request error"}, + {KRB5_KPASSWD_HARDERROR, "Server error"}, + {KRB5_KPASSWD_AUTHERROR, "Authentication error"}, + {KRB5_KPASSWD_SOFTERROR, "Password change rejected"}, + {KRB5_KPASSWD_ACCESSDENIED, "Client does not have proper authorization"}, + {KRB5_KPASSWD_BAD_VERSION, "Protocol version not supported"}, + {KRB5_KPASSWD_INITIAL_FLAG_NEEDED, "Authorization ticket must have initial flag set"}, + {KRB5_KPASSWD_POLICY_REJECT, "Password rejected due to policy requirements"}, + {KRB5_KPASSWD_BAD_PRINCIPAL, "Target principal does not exist"}, + {KRB5_KPASSWD_ETYPE_NOSUPP, "Unsupported encryption type"}, + {0, NULL} +}; + static krb5_error_code krb5_setpw_result_code_string(krb5_context context, int result_code, const char **code_string) { - switch (result_code) { - case KRB5_KPASSWD_MALFORMED: - *code_string = "Malformed request error"; - break; - case KRB5_KPASSWD_HARDERROR: - *code_string = "Server error"; - break; - case KRB5_KPASSWD_AUTHERROR: - *code_string = "Authentication error"; - break; - case KRB5_KPASSWD_SOFTERROR: - *code_string = "Password change rejected"; - break; - case KRB5_KPASSWD_ACCESSDENIED: - *code_string = "Client does not have proper authorization"; - break; - case KRB5_KPASSWD_BAD_VERSION: - *code_string = "Protocol version not supported"; - break; - case KRB5_KPASSWD_INITIAL_FLAG_NEEDED: - *code_string = "Authorization ticket must have initial flag set"; - break; - case KRB5_KPASSWD_POLICY_REJECT: - *code_string = "Password rejected due to policy requirements"; - break; - case KRB5_KPASSWD_BAD_PRINCIPAL: - *code_string = "Target principal does not exist"; - break; - case KRB5_KPASSWD_ETYPE_NOSUPP: - *code_string = "Unsupported encryption type"; - break; - default: - *code_string = "Password change failed"; - break; - } - - return(0); + unsigned int idx = 0; + + while (kpasswd_errors[idx].error_string != NULL) { + if (kpasswd_errors[idx].result_code == + result_code) { + *code_string = kpasswd_errors[idx].error_string; + return 0; + } + idx++; + } + *code_string = "Password change failed"; + return (0); } static krb5_error_code parse_setpw_reply(krb5_context context, diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 8cd3bac802..b4697d73dd 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -899,6 +899,15 @@ static int net_ads_password(int argc, const char **argv) in realms other than default */ if (!(ads = ads_init(realm, NULL, NULL))) return -1; + /* we don't actually need a full connect, but it's the easy way to + fill in the KDC's addresss */ + ads_connect(ads); + + if (!ads || !ads->config.realm) { + d_printf("Didn't find the kerberos server!\n"); + return -1; + } + asprintf(&prompt, "Enter new password for %s:", argv[0]); new_password = getpass(prompt); |