From 63ae2dd4da360c3635a525189d0375c603fa1914 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 28 Aug 2015 12:33:13 +0200 Subject: [PATCH 1/2] winbind: Fix 100% loop Thanks to "L.P.H. van Belle" for help in reproducing the issue. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038 From the bug report: "With e551cdb37d3e re-applied the problem is gone with and without kerberos. Moreover, if correctly configured, sshd requests you to change your password at logon time, which then succeeds. The problem why I had this reverted was because I had not gone through the pain to correctly configure all the PAM services (in particular the "account" section), leading to sshd letting the user in when the password had to be changed." Signed-off-by: Volker Lendecke Reviewed-by: Alexander Bokovoy Reviewed-by: Jeremy Allison (cherry picked from commit e551cdb37d3e8cfb155bc33f9b162761c8d60889) Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Fri Oct 2 00:16:29 CEST 2015 on sn-devel-104 (cherry picked from commit e524ab9f7ee9f4aff50dd5bc42312f9000bf1c6e)
---
 source3/libads/kerberos.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index e4bad74..7fe864b 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -48,6 +48,22 @@ kerb_prompter(krb5_context ctx, void *data,
 {
 if (num_prompts == 0) return 0;
+ if ((num_prompts == 2) && (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) && (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+ /*
+ * We don't want to change passwords here. We're
+ * called from heimal when the KDC returns
+ * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+ * have the chance to ask the user for a new
+ * password. If we return 0 (i.e. success), we will be
+ * spinning in the endless for-loop in
+ * change_password() in
+ * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+ */
+ return KRB5KDC_ERR_KEY_EXPIRED;
+ }
+
 memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
 if (prompts[0].reply->length > 0) {
 if (data) {
-- 2.1.4
From 143e3ac1261fcc3f6718d7a0181990eb6a75e40b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 2 Oct 2015 04:23:59 +0200 Subject: [PATCH 2/2] kerberos: make sure we only use prompter type when available. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We also verified that we cannot simply remove the prompter as several older versions of Heimdal would crash. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038 Guenther Signed-off-by: Günther Deschner Reviewed-by: Volker Lendecke Autobuild-User(master): Günther Deschner Autobuild-Date(master): Fri Oct 2 07:29:43 CEST 2015 on sn-devel-104 (cherry picked from commit 6755376cedaf0c88230b47e04c584c7d9fce13e3)
---
 source3/libads/kerberos.c | 12 +++++++++++- source4/heimdal_build/wscript_configure | 1 + wscript_configure_system_mitkrb5 | 2 ++ 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 7fe864b..9a7a1e7 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
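Review bot: The guard added after `if (num_prompts == 0)` only matches the exact two-prompt NEW_PASSWORD/NEW_PASSWORD_AGAIN pair; any other shape of password-change prompt (a single NEW_PASSWORD prompt, or one preceded by another prompt — whether any Heimdal version issues such a shape is not visible here) falls through to the code below, which per its first lines fills `prompts[0].reply` from `data`, i.e. hands the cached password back as the "new" one. Since the stated intent is never to change passwords from this prompter, rejecting any prompt whose type is NEW_PASSWORD or NEW_PASSWORD_AGAIN regardless of count or position is the safer check and costs a short loop; `i` needs an `int` declaration at the top of the function, which starts outside the hunk. Two smaller points in the new comment: `heimal` should read `Heimdal`, and the `init_creds_pw.c:526ff` line reference will rot — naming `change_password()` is enough. kerb_prompter's signature and the rest of its body, including the copy of the password into the reply, are outside this hunk.
```c
	if (num_prompts == 0) return 0;

	/*
	 * Never answer a password-change prompt with the cached
	 * password: we cannot ask the user here, and returning 0
	 * makes Heimdal's change_password() spin forever.
	 */
	for (i = 0; i < num_prompts; i++) {
		if (prompts[i].type == KRB5_PROMPT_TYPE_NEW_PASSWORD ||
		    prompts[i].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
			return KRB5KDC_ERR_KEY_EXPIRED;
		}
	}
	/* … unchanged: copy of the cached password into prompts[0].reply … */
```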
@@ -47,6 +47,16 @@ kerb_prompter(krb5_context ctx, void *data,
 krb5_prompt prompts[])
 {
 if (num_prompts == 0) return 0;
+#if HAVE_KRB5_PROMPT_TYPE
+
+ /*
+ * only heimdal has a prompt type and we need to deal with it here to
+ * avoid loops.
+ *
+ * removing the prompter completely is not an option as at least these
+ * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
+ * version have looping detection and return with a proper error code.
+ */
 if ((num_prompts == 2) &&
 (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
@@ -63,7 +73,7 @@ kerb_prompter(krb5_context ctx, void *data,
 */
 return KRB5KDC_ERR_KEY_EXPIRED;
 }
-
+#endif /* HAVE_KRB5_PROMPT_TYPE */
 memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
 if (prompts[0].reply->length > 0) {
 if (data) {
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index 710a53d..2635b8a 100755
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -168,6 +168,7 @@ conf.define('HAVE_KRB5_PRINCIPAL_SET_REALM', 1)
 conf.define('HAVE_KRB5_PRINCIPAL_SET_TYPE', 1)
 conf.define('HAVE_KRB5_PRINCIPAL_GET_TYPE', 1)
 conf.define('HAVE_KRB5_WARNX', 1)
+conf.define('HAVE_KRB5_PROMPT_TYPE', 1)
 heimdal_includedirs = []
 heimdal_libdirs = []
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index 351e9d8..4b3a69f 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -137,6 +137,8 @@ conf.CHECK_STRUCTURE_MEMBER('krb5_address', 'addrtype', headers='krb5.h',
 define='HAVE_ADDRTYPE_IN_KRB5_ADDRESS')
 conf.CHECK_STRUCTURE_MEMBER('krb5_ap_req', 'ticket', headers='krb5.h',
 define='HAVE_TICKET_POINTER_IN_KRB5_AP_REQ')
+conf.CHECK_STRUCTURE_MEMBER('krb5_prompt', 'type', headers='krb5.h',
+ define='HAVE_KRB5_PROMPT_TYPE')
 conf.CHECK_TYPE('krb5_encrypt_block', headers='krb5.h')
-- 2.1.4
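Review bot: The new comment above the `#if HAVE_KRB5_PROMPT_TYPE` block does not say what a build without the define does, which is the case the guard is being made conditional for: on such a build the prompter falls through to the copy below and answers any change-password prompt with the cached password, and the loop protection this block exists for is gone, so a maintainer needs to know that is relied on being harmless for the non-Heimdal library. I would add `* Without the define (MIT krb5: no krb5_prompt.type) this check is compiled out and the prompter answers every prompt with the cached password; the library is then expected to fail the change rather than loop.` and also fix `Later heimdal version have` to `Later Heimdal versions have`. The `#endif` that closes this block sits in the second hunk, so the two hunks have to be read together; kerb_prompter's signature and the password copy are outside both.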
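Review bot: The `CHECK_STRUCTURE_MEMBER('krb5_prompt', 'type', ...)` probe is added only to the MIT configure file, while the bundled-Heimdal file defines `HAVE_KRB5_PROMPT_TYPE` unconditionally; any other krb5 configure path (a system-Heimdal build, if this tree has one — not visible here) ends up with the macro undefined, the guard in kerberos.c silently compiles out, and the 100% loop from bug 11038 returns on exactly the library that has the field. Probing the header once in the krb5 checks shared by every krb5 flavour, instead of per flavour, would make the define follow the header rather than the build configuration; as a minimum, a comment next to this check naming the other file that sets the define (`# bundled Heimdal sets this in source4/heimdal_build/wscript_configure`) would stop the two from drifting apart.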