source/libads/krb5_setpw.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    krb5 set password implementation
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 2 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program; if not, write to the Free Software
  19    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  20 */
  21
  22 #include "includes.h"
  23
  24 #ifdef HAVE_KRB5
  25
  26 #define DEFAULT_KPASSWD_PORT    464
  27 #define KRB5_KPASSWD_VERS_CHANGEPW              1
  28 #define KRB5_KPASSWD_VERS_SETPW                 2
  29 #define KRB5_KPASSWD_VERS_SETPW_MS              0xff80
  30 #define KRB5_KPASSWD_ACCESSDENIED               5
  31 #define KRB5_KPASSWD_BAD_VERSION                6
  32 #define KRB5_KPASSWD_INITIAL_FLAG_NEEDED        7
  33
  34 /* Those are defined by kerberos-set-passwd-02.txt and are probably
  35  * not supported by M$ implementation */
  36 #define KRB5_KPASSWD_POLICY_REJECT              8
  37 #define KRB5_KPASSWD_BAD_PRINCIPAL              9
  38 #define KRB5_KPASSWD_ETYPE_NOSUPP               10
  39
  40 /* This implements kerberos password change protocol as specified in
  41  * kerb-chg-password-02.txt and kerberos-set-passwd-02.txt
  42  * as well as microsoft version of the protocol
  43  * as specified in kerberos-set-passwd-00.txt
  44  */
  45 static DATA_BLOB encode_krb5_setpw(const char *principal, const char *password)
  46 {
  47         char* princ_part1 = NULL;
  48         char* princ_part2 = NULL;
  49         char* realm = NULL;
  50         char* c;
  51         char* princ;
  52
  53         ASN1_DATA req;
  54         DATA_BLOB ret;
  55
  56
  57         princ = strdup(principal);
  58
  59         if ((c = strchr(princ, '/')) == NULL) {
  60             c = princ;
  61         } else {
  62             *c = '\0';
  63             c++;
  64             princ_part1 = princ;
  65         }
  66
  67         princ_part2 = c;
  68
  69         if ((c = strchr(c, '@')) != NULL) {
  70             *c = '\0';
  71             c++;
  72             realm = c;
  73         }
  74
  75         memset(&req, 0, sizeof(req));
  76
  77         asn1_push_tag(&req, ASN1_SEQUENCE(0));
  78         asn1_push_tag(&req, ASN1_CONTEXT(0));
  79         asn1_write_OctetString(&req, password, strlen(password));
  80         asn1_pop_tag(&req);
  81
  82         asn1_push_tag(&req, ASN1_CONTEXT(1));
  83         asn1_push_tag(&req, ASN1_SEQUENCE(0));
  84
  85         asn1_push_tag(&req, ASN1_CONTEXT(0));
  86         asn1_write_Integer(&req, 1);
  87         asn1_pop_tag(&req);
  88
  89         asn1_push_tag(&req, ASN1_CONTEXT(1));
  90         asn1_push_tag(&req, ASN1_SEQUENCE(0));
  91
  92         if (princ_part1)
  93             asn1_write_GeneralString(&req, princ_part1);
  94
  95         asn1_write_GeneralString(&req, princ_part2);
  96         asn1_pop_tag(&req);
  97         asn1_pop_tag(&req);
  98         asn1_pop_tag(&req);
  99         asn1_pop_tag(&req);
 100
 101         asn1_push_tag(&req, ASN1_CONTEXT(2));
 102         asn1_write_GeneralString(&req, realm);
 103         asn1_pop_tag(&req);
 104         asn1_pop_tag(&req);
 105
 106         ret = data_blob(req.data, req.length);
 107         asn1_free(&req);
 108
 109         free(princ);
 110
 111         return ret;
 112 }
 113
 114 static krb5_error_code build_kpasswd_request(uint16 pversion,
 115                                            krb5_context context,
 116                                            krb5_auth_context auth_context,
 117                                            krb5_data *ap_req,
 118                                            const char *princ,
 119                                            const char *passwd,
 120                                            krb5_data *packet)
 121 {
 122         krb5_error_code ret;
 123         krb5_data cipherpw;
 124         krb5_data encoded_setpw;
 125         krb5_replay_data replay;
 126         char *p;
 127         DATA_BLOB setpw;
 128
 129         ret = krb5_auth_con_setflags(context,
 130                                      auth_context,KRB5_AUTH_CONTEXT_DO_SEQUENCE);
 131         if (ret) {
 132                 DEBUG(1,("krb5_auth_con_setflags failed (%s)\n",
 133                          error_message(ret)));
 134                 return ret;
 135         }
 136
 137         /* handle protocol differences in chpw and setpw */
 138         if (pversion  == KRB5_KPASSWD_VERS_CHANGEPW)
 139                 setpw = data_blob(passwd, strlen(passwd));
 140         else if (pversion == KRB5_KPASSWD_VERS_SETPW ||
 141                  pversion == KRB5_KPASSWD_VERS_SETPW_MS)
 142                 setpw = encode_krb5_setpw(princ, passwd);
 143         else
 144                 return EINVAL;
 145
 146         encoded_setpw.data = setpw.data;
 147         encoded_setpw.length = setpw.length;
 148
 149         ret = krb5_mk_priv(context, auth_context,
 150                            &encoded_setpw, &cipherpw, &replay);
 151
 152         data_blob_free(&setpw);         /*from 'encode_krb5_setpw(...)' */
 153
 154         if (ret) {
 155                 DEBUG(1,("krb5_mk_priv failed (%s)\n", error_message(ret)));
 156                 return ret;
 157         }
 158
 159         packet->data = (char *)malloc(ap_req->length + cipherpw.length + 6);
 160         if (!packet->data)
 161                 return -1;
 162
 163         /* see the RFC for details */
 164         p = ((char *)packet->data) + 2;
 165         RSSVAL(p, 0, pversion);
 166         p += 2;
 167         RSSVAL(p, 0, ap_req->length);
 168         p += 2;
 169         memcpy(p, ap_req->data, ap_req->length);
 170         p += ap_req->length;
 171         memcpy(p, cipherpw.data, cipherpw.length);
 172         p += cipherpw.length;
 173         packet->length = PTR_DIFF(p,packet->data);
 174         RSSVAL(packet->data, 0, packet->length);
 175
 176         free(cipherpw.data);    /* from 'krb5_mk_priv(...)' */
 177
 178         return 0;
 179 }
 180
 181 static krb5_error_code krb5_setpw_result_code_string(krb5_context context,
 182                                                      int result_code,
 183                                                      const char **code_string)
 184 {
 185    switch (result_code) {
 186    case KRB5_KPASSWD_MALFORMED:
 187       *code_string = "Malformed request error";
 188       break;
 189    case KRB5_KPASSWD_HARDERROR:
 190       *code_string = "Server error";
 191       break;
 192    case KRB5_KPASSWD_AUTHERROR:
 193       *code_string = "Authentication error";
 194       break;
 195    case KRB5_KPASSWD_SOFTERROR:
 196       *code_string = "Password change rejected";
 197       break;
 198    case KRB5_KPASSWD_ACCESSDENIED:
 199       *code_string = "Client does not have proper authorization";
 200       break;
 201    case KRB5_KPASSWD_BAD_VERSION:
 202       *code_string = "Protocol version not supported";
 203       break;
 204    case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
 205       *code_string = "Authorization ticket must have initial flag set";
 206       break;
 207    case KRB5_KPASSWD_POLICY_REJECT:
 208       *code_string = "Password rejected due to policy requirements";
 209       break;
 210    case KRB5_KPASSWD_BAD_PRINCIPAL:
 211       *code_string = "Target principal does not exist";
 212       break;
 213    case KRB5_KPASSWD_ETYPE_NOSUPP:
 214       *code_string = "Unsupported encryption type";
 215       break;
 216    default:
 217       *code_string = "Password change failed";
 218       break;
 219    }
 220
 221    return(0);
 222 }
 223
 224 static krb5_error_code parse_setpw_reply(krb5_context context,
 225                                          krb5_auth_context auth_context,
 226                                          krb5_data *packet)
 227 {
 228         krb5_data ap_rep;
 229         char *p;
 230         int vnum, ret, res_code;
 231         krb5_data cipherresult;
 232         krb5_data clearresult;
 233         krb5_ap_rep_enc_part *ap_rep_enc;
 234         krb5_replay_data replay;
 235
 236         if (packet->length < 4) {
 237                 return KRB5KRB_AP_ERR_MODIFIED;
 238         }
 239
 240         p = packet->data;
 241
 242         if (((char *)packet->data)[0] == 0x7e || ((char *)packet->data)[0] == 0x5e) {
 243                 /* it's an error packet. We should parse it ... */
 244                 DEBUG(1,("Got error packet 0x%x from kpasswd server\n",
 245                          ((char *)packet->data)[0]));
 246                 return KRB5KRB_AP_ERR_MODIFIED;
 247         }
 248
 249         if (RSVAL(p, 0) != packet->length) {
 250                 DEBUG(1,("Bad packet length (%d/%d) from kpasswd server\n",
 251                          RSVAL(p, 0), packet->length));
 252                 return KRB5KRB_AP_ERR_MODIFIED;
 253         }
 254
 255         p += 2;
 256
 257         vnum = RSVAL(p, 0); p += 2;
 258
 259         /* FIXME: According to standard there is only one type of reply */
 260         if (vnum != KRB5_KPASSWD_VERS_SETPW &&
 261             vnum != KRB5_KPASSWD_VERS_SETPW_MS &&
 262             vnum != KRB5_KPASSWD_VERS_CHANGEPW) {
 263                 DEBUG(1,("Bad vnum (%d) from kpasswd server\n", vnum));
 264                 return KRB5KDC_ERR_BAD_PVNO;
 265         }
 266
 267         ap_rep.length = RSVAL(p, 0); p += 2;
 268
 269         if (p + ap_rep.length >= (char *)packet->data + packet->length) {
 270                 DEBUG(1,("ptr beyond end of packet from kpasswd server\n"));
 271                 return KRB5KRB_AP_ERR_MODIFIED;
 272         }
 273
 274         if (ap_rep.length == 0) {
 275                 DEBUG(1,("got unencrypted setpw result?!\n"));
 276                 return KRB5KRB_AP_ERR_MODIFIED;
 277         }
 278
 279         /* verify ap_rep */
 280         ap_rep.data = p;
 281         p += ap_rep.length;
 282
 283         ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
 284         if (ret) {
 285                 DEBUG(1,("failed to rd setpw reply (%s)\n", error_message(ret)));
 286                 return KRB5KRB_AP_ERR_MODIFIED;
 287         }
 288
 289         krb5_free_ap_rep_enc_part(context, ap_rep_enc);
 290
 291         cipherresult.data = p;
 292         cipherresult.length = ((char *)packet->data + packet->length) - p;
 293
 294         ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
 295                            &replay);
 296         if (ret) {
 297                 DEBUG(1,("failed to decrypt setpw reply (%s)\n", error_message(ret)));
 298                 return KRB5KRB_AP_ERR_MODIFIED;
 299         }
 300
 301         if (clearresult.length < 2) {
 302                 free(clearresult.data);
 303                 ret = KRB5KRB_AP_ERR_MODIFIED;
 304                 return KRB5KRB_AP_ERR_MODIFIED;
 305         }
 306
 307         p = clearresult.data;
 308
 309         res_code = RSVAL(p, 0);
 310
 311         free(clearresult.data);
 312
 313         if ((res_code < KRB5_KPASSWD_SUCCESS) ||
 314             (res_code > KRB5_KPASSWD_ETYPE_NOSUPP)) {
 315                 return KRB5KRB_AP_ERR_MODIFIED;
 316         }
 317
 318         if(res_code == KRB5_KPASSWD_SUCCESS)
 319                         return 0;
 320         else {
 321                 const char *errstr;
 322                 krb5_setpw_result_code_string(context, res_code, &errstr);
 323                 DEBUG(1, ("Error changing password: %s\n", errstr));
 324
 325                 switch(res_code) {
 326                         case KRB5_KPASSWD_ACCESSDENIED:
 327                                 return KRB5KDC_ERR_BADOPTION;
 328                                 break;
 329                         case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
 330                                 return KRB5KDC_ERR_BADOPTION;
 331                                 /* return KV5M_ALT_METHOD; MIT-only define */
 332                                 break;
 333                         case KRB5_KPASSWD_ETYPE_NOSUPP:
 334                                 return KRB5KDC_ERR_ETYPE_NOSUPP;
 335                                 break;
 336                         case KRB5_KPASSWD_BAD_PRINCIPAL:
 337                                 return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 338                                 break;
 339                         case KRB5_KPASSWD_POLICY_REJECT:
 340                                 return KRB5KDC_ERR_POLICY;
 341                                 break;
 342                         default:
 343                                 return KRB5KRB_ERR_GENERIC;
 344                                 break;
 345                 }
 346         }
 347 }
 348
 349 static ADS_STATUS do_krb5_kpasswd_request(krb5_context context,
 350                                           const char *kdc_host,
 351                                           uint16 pversion,
 352                                           krb5_creds *credsp,
 353                                           const char *princ,
 354                                           const char *newpw)
 355 {
 356         krb5_auth_context auth_context = NULL;
 357         krb5_data ap_req, chpw_req, chpw_rep;
 358         int ret, sock, addr_len;
 359         struct sockaddr remote_addr, local_addr;
 360         krb5_address local_kaddr, remote_kaddr;
 361
 362         ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
 363                                    NULL, credsp, &ap_req);
 364         if (ret) {
 365                 DEBUG(1,("krb5_mk_req_extended failed (%s)\n", error_message(ret)));
 366                 return ADS_ERROR_KRB5(ret);
 367         }
 368
 369         sock = open_udp_socket(kdc_host, DEFAULT_KPASSWD_PORT);
 370         if (sock == -1) {
 371                 int rc = errno;
 372                 free(ap_req.data);
 373                 krb5_auth_con_free(context, auth_context);
 374                 DEBUG(1,("failed to open kpasswd socket to %s (%s)\n",
 375                          kdc_host, strerror(errno)));
 376                 return ADS_ERROR_SYSTEM(rc);
 377         }
 378
 379         addr_len = sizeof(remote_addr);
 380         getpeername(sock, &remote_addr, &addr_len);
 381         addr_len = sizeof(local_addr);
 382         getsockname(sock, &local_addr, &addr_len);
 383
 384         setup_kaddr(&remote_kaddr, &remote_addr);
 385         setup_kaddr(&local_kaddr, &local_addr);
 386
 387         ret = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL);
 388         if (ret) {
 389                 close(sock);
 390                 free(ap_req.data);
 391                 krb5_auth_con_free(context, auth_context);
 392                 DEBUG(1,("krb5_auth_con_setaddrs failed (%s)\n", error_message(ret)));
 393                 return ADS_ERROR_KRB5(ret);
 394         }
 395
 396         ret = build_kpasswd_request(pversion, context, auth_context, &ap_req,
 397                                   princ, newpw, &chpw_req);
 398         if (ret) {
 399                 close(sock);
 400                 free(ap_req.data);
 401                 krb5_auth_con_free(context, auth_context);
 402                 DEBUG(1,("build_setpw_request failed (%s)\n", error_message(ret)));
 403                 return ADS_ERROR_KRB5(ret);
 404         }
 405
 406         if (write(sock, chpw_req.data, chpw_req.length) != chpw_req.length) {
 407                 close(sock);
 408                 free(chpw_req.data);
 409                 free(ap_req.data);
 410                 krb5_auth_con_free(context, auth_context);
 411                 DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
 412                 return ADS_ERROR_SYSTEM(errno);
 413         }
 414
 415         free(chpw_req.data);
 416
 417         chpw_rep.length = 1500;
 418         chpw_rep.data = (char *) malloc(chpw_rep.length);
 419         if (!chpw_rep.data) {
 420                 close(sock);
 421                 free(ap_req.data);
 422                 krb5_auth_con_free(context, auth_context);
 423                 DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
 424                 errno = ENOMEM;
 425                 return ADS_ERROR_SYSTEM(errno);
 426         }
 427
 428         ret = read(sock, chpw_rep.data, chpw_rep.length);
 429         if (ret < 0) {
 430                 close(sock);
 431                 free(chpw_rep.data);
 432                 free(ap_req.data);
 433                 krb5_auth_con_free(context, auth_context);
 434                 DEBUG(1,("recv of chpw reply failed (%s)\n", strerror(errno)));
 435                 return ADS_ERROR_SYSTEM(errno);
 436         }
 437
 438         close(sock);
 439         chpw_rep.length = ret;
 440
 441         ret = krb5_auth_con_setaddrs(context, auth_context, NULL,&remote_kaddr);
 442         if (ret) {
 443                 free(chpw_rep.data);
 444                 free(ap_req.data);
 445                 krb5_auth_con_free(context, auth_context);
 446                 DEBUG(1,("krb5_auth_con_setaddrs on reply failed (%s)\n",
 447                          error_message(ret)));
 448                 return ADS_ERROR_KRB5(ret);
 449         }
 450
 451         ret = parse_setpw_reply(context, auth_context, &chpw_rep);
 452         free(chpw_rep.data);
 453
 454         if (ret) {
 455                 free(ap_req.data);
 456                 krb5_auth_con_free(context, auth_context);
 457                 DEBUG(1,("parse_setpw_reply failed (%s)\n",
 458                          error_message(ret)));
 459                 return ADS_ERROR_KRB5(ret);
 460         }
 461
 462         free(ap_req.data);
 463         krb5_auth_con_free(context, auth_context);
 464
 465         return ADS_SUCCESS;
 466 }
 467
 468 ADS_STATUS krb5_set_password(const char *kdc_host, const char *princ, const char *newpw,
 469                              int time_offset)
 470 {
 471
 472         ADS_STATUS aret;
 473         krb5_error_code ret;
 474         krb5_context context;
 475         krb5_principal principal;
 476         char *princ_name;
 477         char *realm;
 478         krb5_creds creds, *credsp;
 479         krb5_ccache ccache;
 480
 481         ret = krb5_init_context(&context);
 482         if (ret) {
 483                 DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
 484                 return ADS_ERROR_KRB5(ret);
 485         }
 486
 487         if (time_offset != 0) {
 488                 krb5_set_real_time(context, time(NULL) + time_offset, 0);
 489         }
 490
 491         ret = krb5_cc_default(context, &ccache);
 492         if (ret) {
 493                 krb5_free_context(context);
 494                 DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
 495                 return ADS_ERROR_KRB5(ret);
 496         }
 497
 498         ZERO_STRUCT(creds);
 499
 500         realm = strchr(princ, '@');
 501         realm++;
 502
 503         asprintf(&princ_name, "kadmin/changepw@%s", realm);
 504         ret = krb5_parse_name(context, princ_name, &creds.server);
 505         if (ret) {
 506                 krb5_free_context(context);
 507                 DEBUG(1,("Failed to parse kadmin/changepw (%s)\n", error_message(ret)));
 508                 return ADS_ERROR_KRB5(ret);
 509         }
 510         free(princ_name);
 511
 512         /* parse the principal we got as a function argument */
 513         ret = krb5_parse_name(context, princ, &principal);
 514         if (ret) {
 515                 krb5_free_context(context);
 516                 DEBUG(1,("Failed to parse %s (%s)\n", princ_name, error_message(ret)));
 517                 return ADS_ERROR_KRB5(ret);
 518         }
 519
 520         krb5_princ_set_realm(context, creds.server,
 521                              krb5_princ_realm(context, principal));
 522
 523         ret = krb5_cc_get_principal(context, ccache, &creds.client);
 524         if (ret) {
 525                 krb5_free_principal(context, principal);
 526                 krb5_free_context(context);
 527                 DEBUG(1,("Failed to get principal from ccache (%s)\n",
 528                          error_message(ret)));
 529                 return ADS_ERROR_KRB5(ret);
 530         }
 531
 532         ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
 533         if (ret) {
 534                 krb5_free_principal(context, creds.client);
 535                 krb5_free_principal(context, principal);
 536                 krb5_free_context(context);
 537                 DEBUG(1,("krb5_get_credentials failed (%s)\n", error_message(ret)));
 538                 return ADS_ERROR_KRB5(ret);
 539         }
 540
 541         /* we might have to call krb5_free_creds(...) from now on ... */
 542
 543         aret = do_krb5_kpasswd_request(context, kdc_host,
 544                                        KRB5_KPASSWD_VERS_SETPW_MS,
 545                                        credsp, princ, newpw);
 546
 547         krb5_free_creds(context, credsp);
 548         krb5_free_principal(context, creds.client);
 549         krb5_free_principal(context, creds.server);
 550         krb5_free_principal(context, principal);
 551         krb5_free_context(context);
 552
 553         return aret;
 554 }
 555
 556 /*
 557   we use a prompter to avoid a crash bug in the kerberos libs when
 558   dealing with empty passwords
 559   this prompter is just a string copy ...
 560 */
 561 static krb5_error_code
 562 kerb_prompter(krb5_context ctx, void *data,
 563                const char *name,
 564                const char *banner,
 565                int num_prompts,
 566                krb5_prompt prompts[])
 567 {
 568         if (num_prompts == 0) return 0;
 569
 570         memset(prompts[0].reply->data, 0, prompts[0].reply->length);
 571         if (prompts[0].reply->length > 0) {
 572                 if (data) {
 573                         strncpy(prompts[0].reply->data, data, prompts[0].reply->length-1);
 574                         prompts[0].reply->length = strlen(prompts[0].reply->data);
 575                 } else {
 576                         prompts[0].reply->length = 0;
 577                 }
 578         }
 579         return 0;
 580 }
 581
 582 ADS_STATUS krb5_chg_password(const char *kdc_host,
 583                                 const char *principal,
 584                                 const char *oldpw,
 585                                 const char *newpw,
 586                                 int time_offset)
 587 {
 588     ADS_STATUS aret;
 589     krb5_error_code ret;
 590     krb5_context context;
 591     krb5_principal princ;
 592     krb5_get_init_creds_opt opts;
 593     krb5_creds creds;
 594     char *chpw_princ = NULL, *password;
 595
 596     ret = krb5_init_context(&context);
 597     if (ret) {
 598         DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
 599         return ADS_ERROR_KRB5(ret);
 600     }
 601
 602     if ((ret = krb5_parse_name(context, principal,
 603                                     &princ))) {
 604         krb5_free_context(context);
 605         DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
 606         return ADS_ERROR_KRB5(ret);
 607     }
 608
 609     krb5_get_init_creds_opt_init(&opts);
 610     krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
 611     krb5_get_init_creds_opt_set_renew_life(&opts, 0);
 612     krb5_get_init_creds_opt_set_forwardable(&opts, 0);
 613     krb5_get_init_creds_opt_set_proxiable(&opts, 0);
 614
 615     /* We have to obtain an INITIAL changepw ticket for changing password */
 616     asprintf(&chpw_princ, "kadmin/changepw@%s",
 617                                 (char *) krb5_princ_realm(context, princ));
 618     password = strdup(oldpw);
 619     ret = krb5_get_init_creds_password(context, &creds, princ, password,
 620                                            kerb_prompter, NULL,
 621                                            0, chpw_princ, &opts);
 622     SAFE_FREE(chpw_princ);
 623     SAFE_FREE(password);
 624
 625     if (ret) {
 626       if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
 627         DEBUG(1,("Password incorrect while getting initial ticket"));
 628       else
 629         DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
 630
 631         krb5_free_principal(context, princ);
 632         krb5_free_context(context);
 633         return ADS_ERROR_KRB5(ret);
 634     }
 635
 636     aret = do_krb5_kpasswd_request(context, kdc_host,
 637                                    KRB5_KPASSWD_VERS_CHANGEPW,
 638                                    &creds, principal, newpw);
 639
 640     krb5_free_principal(context, princ);
 641     krb5_free_context(context);
 642
 643     return aret;
 644 }
 645
 646
 647 ADS_STATUS kerberos_set_password(const char *kpasswd_server,
 648                                  const char *auth_principal, const char *auth_password,
 649                                  const char *target_principal, const char *new_password,
 650                                  int time_offset)
 651 {
 652     int ret;
 653
 654     if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset))) {
 655         DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
 656         return ADS_ERROR_KRB5(ret);
 657     }
 658
 659     if (!strcmp(auth_principal, target_principal))
 660         return krb5_chg_password(kpasswd_server, target_principal,
 661                                     auth_password, new_password, time_offset);
 662     else
 663         return krb5_set_password(kpasswd_server, target_principal,
 664                                  new_password, time_offset);
 665 }
 666
 667
 668 /**
 669  * Set the machine account password
 670  * @param ads connection to ads server
 671  * @param hostname machine whose password is being set
 672  * @param password new password
 673  * @return status of password change
 674  **/
 675 ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
 676                                     const char *hostname,
 677                                     const char *password)
 678 {
 679         ADS_STATUS status;
 680         char *host = strdup(hostname);
 681         char *principal;
 682
 683         strlower(host);
 684
 685         /*
 686           we need to use the '$' form of the name here, as otherwise the
 687           server might end up setting the password for a user instead
 688          */
 689         asprintf(&principal, "%s$@%s", host, ads->auth.realm);
 690
 691         status = krb5_set_password(ads->auth.kdc_server, principal, password, ads->auth.time_offset);
 692
 693         free(host);
 694         free(principal);
 695
 696         return status;
 697 }
 698
 699
 700
 701 #endif