winbind: Fix 100% loop

[samba.git] / source3 / libads / kerberos.c

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index e4bad749286834b523719535a5c710f7c542b76e..7fe864bf96e4fdcc2776719c2f372079abbb34b1 100644 (file)
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -48,6 +48,22 @@ kerb_prompter(krb5_context ctx, void *data,
 {
        if (num_prompts == 0) return 0;
 
+       if ((num_prompts == 2) &&
+           (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
+           (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+               /*
+                * We don't want to change passwords here. We're
+                * called from heimal when the KDC returns
+                * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+                * have the chance to ask the user for a new
+                * password. If we return 0 (i.e. success), we will be
+                * spinning in the endless for-loop in
+                * change_password() in
+                * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+                */
+               return KRB5KDC_ERR_KEY_EXPIRED;
+       }
+
        memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
        if (prompts[0].reply->length > 0) {
                if (data) {