diff options
author | Sumit Bose <sbose@redhat.com> | 2012-11-14 14:56:47 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-11-19 22:42:46 +0100 |
commit | 9459006424bb9975b8728c7700605f9b061c791e (patch) | |
tree | 6abb423d5725e647c27e70431bb83e0b49a24c0c | |
parent | ba098f8670c680c805531dd2714f32bd2c108860 (diff) | |
download | sssd-9459006424bb9975b8728c7700605f9b061c791e.tar.gz sssd-9459006424bb9975b8728c7700605f9b061c791e.tar.bz2 sssd-9459006424bb9975b8728c7700605f9b061c791e.zip |
Disable canonicalization during password changes
If canonicalization is enabled Active Directory KDCs return
'krbtgt/AD.DOMAIN' as service name instead of the expected
'kadmin/changepw' which causes a 'KDC reply did not match expectations'
error.
Additionally the forwardable and proxiable flags are disabled, the
renewable lifetime is set to 0 and the lifetime of the ticket is set to
5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405
and also done by the kpasswd utility.
Fixes: https://fedorahosted.org/sssd/ticket/1405
https://fedorahosted.org/sssd/ticket/1615
-rw-r--r-- | src/providers/krb5/krb5_child.c | 45 |
1 files changed, 43 insertions, 2 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 34e8ac91..66e22f43 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -101,6 +101,28 @@ struct krb5_req { static krb5_context krb5_error_ctx; #define KRB5_CHILD_DEBUG(level, error) KRB5_DEBUG(level, krb5_error_ctx, error) +static krb5_error_code get_changepw_options(krb5_context ctx, + krb5_get_init_creds_opt **_options) +{ + krb5_get_init_creds_opt *options; + krb5_error_code kerr; + + kerr = sss_krb5_get_init_creds_opt_alloc(ctx, &options); + if (kerr != 0) { + KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); + return kerr; + } + + sss_krb5_get_init_creds_opt_set_canonicalize(options, 0); + krb5_get_init_creds_opt_set_forwardable(options, 0); + krb5_get_init_creds_opt_set_proxiable(options, 0); + krb5_get_init_creds_opt_set_renew_life(options, 0); + krb5_get_init_creds_opt_set_tkt_life(options, 5*60); + + *_options = options; + + return 0; +} static errno_t sss_send_pac(krb5_authdata **pac_authdata) { @@ -1056,6 +1078,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) krb5_prompter_fct prompter = sss_krb5_prompter; const char *realm_name; int realm_length; + krb5_get_init_creds_opt *chagepw_options; DEBUG(SSSDBG_TRACE_LIBS, ("Password change operation\n")); @@ -1078,6 +1101,12 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) prompter = NULL; } + kerr = get_changepw_options(kr->ctx, &chagepw_options); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, ("get_changepw_options failed.\n")); + goto sendresponse; + } + sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length); DEBUG(SSSDBG_TRACE_FUNC, @@ -1085,7 +1114,8 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, pass_str, prompter, kr, 0, SSSD_KRB5_CHANGEPW_PRINCIPAL, - kr->options); + chagepw_options); + sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options); if (kerr != 0) { pam_status = kerr_handle_error(kerr); goto sendresponse; @@ -1192,6 +1222,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) krb5_error_code kerr = 0; char *pass_str = NULL; int pam_status = PAM_SYSTEM_ERR; + krb5_get_init_creds_opt *chagepw_options; DEBUG(SSSDBG_TRACE_LIBS, ("Attempting to get a TGT\n")); @@ -1225,10 +1256,20 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); DEBUG(1, ("Failed to unset expire callback, continue ...\n")); } + + kerr = get_changepw_options(kr->ctx, &chagepw_options); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, ("get_changepw_options failed.\n")); + goto sendresponse; + } + kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, pass_str, sss_krb5_prompter, kr, 0, SSSD_KRB5_CHANGEPW_PRINCIPAL, - kr->options); + chagepw_options); + + sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options); + krb5_free_cred_contents(kr->ctx, kr->creds); if (kerr == 0) { kerr = KRB5KDC_ERR_KEY_EXP; |