{
if (num_prompts == 0) return 0;
+ if ((num_prompts == 2) &&
+ (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
+ (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+ /*
+ * We don't want to change passwords here. We're
+ * called from heimal when the KDC returns
+ * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+ * have the chance to ask the user for a new
+ * password. If we return 0 (i.e. success), we will be
+ * spinning in the endless for-loop in
+ * change_password() in
+ * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+ */
+ return KRB5KDC_ERR_KEY_EXPIRED;
+ }
+
memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
if (prompts[0].reply->length > 0) {
if (data) {