From 6c7836dbeec1f5e78cf80daaf948b8343ff68721 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 28 Aug 2015 12:33:13 +0200 Subject: [PATCH] winbind: Fix 100% loop Thanks to "L.P.H. van Belle" for help in reproducing the issue. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038 From the bug report: "With e551cdb37d3e re-applied the problem is gone with and without kerberos. Moreover, if correctly configured, sshd requests you to change your password at logon time, which then succeeds. The problem why I had this reverted was because I had not gone through the pain to correctly configure all the PAM services (in particular the "account" section), leading to sshd letting the user in when the password had to be changed." Signed-off-by: Volker Lendecke Reviewed-by: Alexander Bokovoy Reviewed-by: Jeremy Allison (cherry picked from commit e551cdb37d3e8cfb155bc33f9b162761c8d60889) Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Fri Oct 2 00:16:29 CEST 2015 on sn-devel-104 (cherry picked from commit e524ab9f7ee9f4aff50dd5bc42312f9000bf1c6e) --- source3/libads/kerberos.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index d5e0238..b865d7a 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c 
@@ -50,6 +50,22 @@ kerb_prompter(krb5_context ctx, void *data, { if (num_prompts == 0) return 0; + if ((num_prompts == 2) && + (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) && + (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) { + /* + * We don't want to change passwords here. We're + * called from heimal when the KDC returns + * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't + * have the chance to ask the user for a new + * password. If we return 0 (i.e. success), we will be + * spinning in the endless for-loop in + * change_password() in + * source4/heimdal/lib/krb5/init_creds_pw.c:526ff + */ + return KRB5KDC_ERR_KEY_EXPIRED; + } + memset(prompts[0].reply->data, '\0', prompts[0].reply->length); if (prompts[0].reply->length > 0) { if (data) { -- 2.1.4
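Review bot: The comment in the new block misspells "heimdal" as "heimal" and pins the loop to a line number ("source4/heimdal/lib/krb5/init_creds_pw.c:526ff") that will go stale as soon as the bundled Heimdal is updated; since the function is already named, refer to "the for-loop in change_password() in source4/heimdal/lib/krb5/init_creds_pw.c" and drop the ":526ff". The logic itself looks right: returning KRB5KDC_ERR_KEY_EXPIRED instead of 0 when the only two prompts are NEW_PASSWORD and NEW_PASSWORD_AGAIN makes the library surface the expired-key error rather than spin on a "successful" empty new password, and the early return sits before the memset of prompts[0].reply, so no reply buffer is touched on that path. It would also help a future reader to state in the comment that the match is deliberately exact (num_prompts == 2 and both types checked), so any other prompt set still falls through to the existing password-fill code.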