authorSumit Bose <sbose@redhat.com>2012-11-14 13:56:43 +0100
committerJakub Hrozek <jhrozek@redhat.com>2012-11-19 22:42:46 +0100
commit6ef6612dd9e52c879e536a8b06bfeb4408d337b1 (patch)
tree72dc28e1087098d8e1b64ced582adde411bd930b /src/providers/krb5
parent24c3186d01d8d1c11832baab24ab3f0de121c666 (diff)
Just use the service name with krb5_get_init_creds_password()
Currently we add the realm name to the change password principal, but according to the MIT Kerberos docs and the upstream usage the realm name is just ignored. Dropping the realm name also does not lead to confusion if the change password request was received for a user of a trusted domain.
Diffstat (limited to 'src/providers/krb5')
-rw-r--r--src/providers/krb5/krb5_child.c26
1 files changed, 2 insertions, 24 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 8a68f275..34e8ac91 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1053,7 +1053,6 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
char *user_error_message = NULL;
size_t user_resp_len;
uint8_t *user_resp;
- char *changepw_princ = NULL;
krb5_prompter_fct prompter = sss_krb5_prompter;
const char *realm_name;
int realm_length;
@@ -1074,16 +1073,6 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
goto sendresponse;
}
- changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPAL,
- kr->krb5_ctx->realm);
- if (changepw_princ == NULL) {
- DEBUG(1, ("talloc_asprintf failed.\n"));
- kerr = KRB5KRB_ERR_GENERIC;
- goto sendresponse;
- }
- DEBUG(SSSDBG_FUNC_DATA,
- ("Created a changepw principal [%s]\n", changepw_princ));
-
if (kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
/* We do not need a password expiration warning here. */
prompter = NULL;
@@ -1095,7 +1084,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
("Attempting kinit for realm [%s]\n",realm_name));
kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
pass_str, prompter, kr, 0,
- changepw_princ,
+ SSSD_KRB5_CHANGEPW_PRINCIPAL,
kr->options);
if (kerr != 0) {
pam_status = kerr_handle_error(kerr);
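Review bot: The call in changepw_child that now passes `SSSD_KRB5_CHANGEPW_PRINCIPAL` as the in_tkt_service argument, and the matching call in the tgt_req_child hunk at -1249, have no comment saying why the realm is left out, so a later reader may re-add it. The commit description says the library ignores a realm given there, and the realm is presumably derived from the client principal `kr->princ`. I would add `/* Service name only: libkrb5 ignores a realm here and uses the realm of kr->princ, which is what we want for trusted-domain users. */` above each call. The macro's definition is outside this diff, so it is worth confirming that it holds just the bare service name with no `@REALM` part. With the removed `DEBUG(SSSDBG_FUNC_DATA, ...)` lines gone, the tgt_req_child call no longer traces which realm the password-expiry probe targets, and a message like the existing `Attempting kinit for realm [%s]` would keep that visible. Both function bodies continue outside the hunks.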
@@ -1202,7 +1191,6 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
int ret;
krb5_error_code kerr = 0;
char *pass_str = NULL;
- char *changepw_princ = NULL;
int pam_status = PAM_SYSTEM_ERR;
DEBUG(SSSDBG_TRACE_LIBS, ("Attempting to get a TGT\n"));
@@ -1222,16 +1210,6 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
goto sendresponse;
}
- changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPAL,
- kr->krb5_ctx->realm);
- if (changepw_princ == NULL) {
- DEBUG(1, ("talloc_asprintf failed.\n"));
- kerr = KRB5KRB_ERR_GENERIC;
- goto sendresponse;
- }
- DEBUG(SSSDBG_FUNC_DATA,
- ("Created a changepw principal [%s]\n", changepw_princ));
-
kerr = get_and_save_tgt(kr, pass_str);
/* If the password is expired the KDC will always return
@@ -1249,7 +1227,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
}
kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
pass_str, sss_krb5_prompter, kr, 0,
- changepw_princ,
+ SSSD_KRB5_CHANGEPW_PRINCIPAL,
kr->options);
krb5_free_cred_contents(kr->ctx, kr->creds);
if (kerr == 0) {