author | Sumit Bose <sbose@redhat.com> | 2012-11-14 13:56:43 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-11-19 22:42:46 +0100 |
commit | 6ef6612dd9e52c879e536a8b06bfeb4408d337b1 (patch) | |
tree | 72dc28e1087098d8e1b64ced582adde411bd930b /src/providers/krb5 | |
parent | 24c3186d01d8d1c11832baab24ab3f0de121c666 (diff) | |
Just use the service name with krb5_get_init_creds_password()
Currently we add the realm name to the change password principal, but
according to the MIT Kerberos docs and the upstream usage the realm name
is just ignored.
Dropping the realm name also does not lead to confusion if the change
password request was received for a user of a trusted domain.
Diffstat (limited to 'src/providers/krb5')
-rw-r--r-- | src/providers/krb5/krb5_child.c | 26 |
1 files changed, 2 insertions, 24 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 8a68f275..34e8ac91 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -1053,7 +1053,6 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) char *user_error_message = NULL; size_t user_resp_len; uint8_t *user_resp; - char *changepw_princ = NULL; krb5_prompter_fct prompter = sss_krb5_prompter; const char *realm_name; int realm_length; @@ -1074,16 +1073,6 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) goto sendresponse; } - changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPAL, - kr->krb5_ctx->realm); - if (changepw_princ == NULL) { - DEBUG(1, ("talloc_asprintf failed.\n")); - kerr = KRB5KRB_ERR_GENERIC; - goto sendresponse; - } - DEBUG(SSSDBG_FUNC_DATA, - ("Created a changepw principal [%s]\n", changepw_princ)); - if (kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) { /* We do not need a password expiration warning here. */ prompter = NULL; @@ -1095,7 +1084,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) ("Attempting kinit for realm [%s]\n",realm_name)); kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, pass_str, prompter, kr, 0, - changepw_princ, + SSSD_KRB5_CHANGEPW_PRINCIPAL, kr->options); if (kerr != 0) { pam_status = kerr_handle_error(kerr); @@ -1202,7 +1191,6 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) int ret; krb5_error_code kerr = 0; char *pass_str = NULL; - char *changepw_princ = NULL; int pam_status = PAM_SYSTEM_ERR; DEBUG(SSSDBG_TRACE_LIBS, ("Attempting to get a TGT\n")); 
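Review bot: Nothing at the `krb5_get_init_creds_password()` call in changepw_child (hunk at -1095) records that `SSSD_KRB5_CHANGEPW_PRINCIPAL` is passed as `in_tkt_service` without a realm on purpose. Per the commit description libkrb5 ignores a realm in that argument, so the request presumably follows the realm of `kr->princ`, which is what a user from a trusted domain needs. A one-line comment above the call would keep a later change from adding the realm back, for example `/* in_tkt_service carries no realm on purpose: libkrb5 ignores it and uses the realm of kr->princ */`. The same comment applies to the call in tgt_req_child (hunk at -1249). The removed DEBUG line was the only trace of the requested service name, so consider adding it to the existing "Attempting kinit for realm" message; both function bodies continue outside the hunks.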
@@ -1222,16 +1210,6 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) goto sendresponse; } - changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPAL, - kr->krb5_ctx->realm); - if (changepw_princ == NULL) { - DEBUG(1, ("talloc_asprintf failed.\n")); - kerr = KRB5KRB_ERR_GENERIC; - goto sendresponse; - } - DEBUG(SSSDBG_FUNC_DATA, - ("Created a changepw principal [%s]\n", changepw_princ)); - kerr = get_and_save_tgt(kr, pass_str); /* If the password is expired the KDC will always return @@ -1249,7 +1227,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) } kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, pass_str, sss_krb5_prompter, kr, 0, - changepw_princ, + SSSD_KRB5_CHANGEPW_PRINCIPAL, kr->options); krb5_free_cred_contents(kr->ctx, kr->creds); if (kerr == 0) { |