^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
#
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
#include "param/param.h"
#include "auth/auth.h"
#include "auth/gensec/gensec.h"
+#include "gensec_krb5_helpers.h"
#include "kdc/kdc-server.h"
#include "kdc/kpasswd_glue.h"
#include "kdc/kpasswd-service.h"
static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
+ const struct gensec_security *gensec_security,
struct auth_session_info *session_info,
DATA_BLOB *password,
DATA_BLOB *kpasswd_reply,
const char *reject_string = NULL;
struct samr_DomInfo1 *dominfo;
bool ok;
+ int ret;
+
+ /*
+ * We're doing a password change (rather than a password set), so check
+ * that we were given an initial ticket.
+ */
+ ret = gensec_krb5_initial_ticket(gensec_security);
+ if (ret != 1) {
+ *error_string = "Expected an initial ticket";
+ return KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
+ }
status = samdb_kpasswd_change_password(mem_ctx,
kdc->task->lp_ctx,
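Review bot: The rejection added in kpasswd_change_password (`if (ret != 1)`) returns KRB5_KPASSWD_INITIAL_FLAG_NEEDED without writing anything to the server log, so a client that presents a non-initial ticket to the password-change service leaves no trace for whoever monitors the DC. I would add `DBG_WARNING("kpasswd: refusing password change, ticket is not initial (ret=%d)\n", ret);` ahead of the `return`, assuming the file's usual debug macros are in scope. The check also treats every return value other than 1 as "not initial", which fails closed as it should. The helper's return convention is not visible here, so a short comment such as `/* Fail closed: only an explicit 1 from the helper counts as an initial ticket. */` would record that this is deliberate. The same applies to the identical check in the second copy of this function further down the page, and the function body continues past the end of this hunk.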
static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
+ const struct gensec_security *gensec_security,
struct auth_session_info *session_info,
DATA_BLOB *decoded_data,
DATA_BLOB *kpasswd_reply,
free_ChangePasswdDataMS(&chpw);
return kpasswd_change_password(kdc,
mem_ctx,
+ gensec_security,
session_info,
&password,
kpasswd_reply,
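Review bot: This delegation from kpasswd_set_password to kpasswd_change_password now inherits the initial-ticket requirement, but nothing at the call site says so; the same holds for the second delegation right after it and for both calls in the later copy of the function. A one-line comment above each call, for example `/* Handled as a change: kpasswd_change_password() requires an initial ticket. */`, would make the split between "change" and "set" explicit. The branch of kpasswd_set_password that does not delegate lies outside these hunks, so whether it is meant to accept non-initial tickets should be confirmed against the rest of the function.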
return kpasswd_change_password(kdc,
mem_ctx,
+ gensec_security,
session_info,
&password,
kpasswd_reply,
case KRB5_KPASSWD_VERS_SETPW: {
return kpasswd_set_password(kdc,
mem_ctx,
+ gensec_security,
session_info,
decoded_data,
kpasswd_reply,
#include "param/param.h"
#include "auth/auth.h"
#include "auth/gensec/gensec.h"
+#include "gensec_krb5_helpers.h"
#include "kdc/kdc-server.h"
#include "kdc/kpasswd_glue.h"
#include "kdc/kpasswd-service.h"
static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
+ const struct gensec_security *gensec_security,
struct auth_session_info *session_info,
DATA_BLOB *password,
DATA_BLOB *kpasswd_reply,
const char *reject_string = NULL;
struct samr_DomInfo1 *dominfo;
bool ok;
+ int ret;
+
+ /*
+ * We're doing a password change (rather than a password set), so check
+ * that we were given an initial ticket.
+ */
+ ret = gensec_krb5_initial_ticket(gensec_security);
+ if (ret != 1) {
+ *error_string = "Expected an initial ticket";
+ return KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
+ }
status = samdb_kpasswd_change_password(mem_ctx,
kdc->task->lp_ctx,
static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
+ const struct gensec_security *gensec_security,
struct auth_session_info *session_info,
DATA_BLOB *decoded_data,
DATA_BLOB *kpasswd_reply,
return kpasswd_change_password(kdc,
mem_ctx,
+ gensec_security,
session_info,
&password,
kpasswd_reply,
return kpasswd_change_password(kdc,
mem_ctx,
+ gensec_security,
session_info,
&password,
kpasswd_reply,
case RFC3244_VERSION: {
return kpasswd_set_password(kdc,
mem_ctx,
+ gensec_security,
session_info,
decoded_data,
kpasswd_reply,
krb5samba
samba_server_gensec
KPASSWD_GLUE
+ gensec_krb5_helpers
''')
bld.SAMBA_SUBSYSTEM('KDC-GLUE',