s3-kerberos: avoid entering a password change dialogue also when using MIT.

Without this fix, for accounts with an expired password, a password change
process is initiated and - due to the prompter - this fails with a confusing
error message:

"kerberos_kinit_password Administrator@W2K12DOM.BER.REDHAT.COM failed: Password
mismatch
Failed to join domain: failed to connect to AD: Password mismatch"

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 9a7a1e70b1d3ba672d40720102a13cafb75cc218..4774a9fc726e009fe4c40928143a7977df63ddf1 100644 (file)
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -47,33 +47,44 @@ kerb_prompter(krb5_context ctx, void *data,
               krb5_prompt prompts[])
 {
        if (num_prompts == 0) return 0;
-#if HAVE_KRB5_PROMPT_TYPE
-
-       /*
-        * only heimdal has a prompt type and we need to deal with it here to
-        * avoid loops.
-        *
-        * removing the prompter completely is not an option as at least these
-        * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
-        * version have looping detection and return with a proper error code.
-        */
-
-       if ((num_prompts == 2) &&
-           (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
-           (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+       if (num_prompts == 2) {
                /*
-                * We don't want to change passwords here. We're
-                * called from heimal when the KDC returns
-                * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
-                * have the chance to ask the user for a new
-                * password. If we return 0 (i.e. success), we will be
-                * spinning in the endless for-loop in
-                * change_password() in
-                * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+                * only heimdal has a prompt type and we need to deal with it here to
+                * avoid loops.
+                *
+                * removing the prompter completely is not an option as at least these
+                * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
+                * version have looping detection and return with a proper error code.
                 */
-               return KRB5KDC_ERR_KEY_EXPIRED;
+
+#if HAVE_KRB5_PROMPT_TYPE /* Heimdal */
+                if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+                    prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+                       /*
+                        * We don't want to change passwords here. We're
+                        * called from heimal when the KDC returns
+                        * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+                        * have the chance to ask the user for a new
+                        * password. If we return 0 (i.e. success), we will be
+                        * spinning in the endless for-loop in
+                        * change_password() in
+                        * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+                        */
+                       return KRB5KDC_ERR_KEY_EXPIRED;
+               }
+#elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */
+               krb5_prompt_type *prompt_types = NULL;
+
+               prompt_types = krb5_get_prompt_types(ctx);
+               if (prompt_types != NULL) {
+                       if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+                           prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+                               return KRB5KDC_ERR_KEY_EXP;
+                       }
+               }
+#endif
        }
-#endif /* HAVE_KRB5_PROMPT_TYPE */
+
        memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
        if (prompts[0].reply->length > 0) {
                if (data) {

diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index 4b3a69fa34415174404cbdc4f4bd95a90d17d6e4..9c1ad8f327960663cb5e11dc7194f6ec1868972f 100644 (file)
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -115,6 +115,7 @@ conf.CHECK_FUNCS('''
        krb5_keyblock_init krb5_principal_set_realm krb5_principal_get_type
        krb5_principal_set_type
        krb5_warnx
+       krb5_get_prompt_types
        ''',
      lib='krb5 k5crypto')
 conf.CHECK_DECLS('''krb5_get_credentials_for_user