> I am writing a Linux program with the Heimdal libraries. The program
> allows an *Administrative* Active Directory user to set the password
> of another Active Directory principal (actually a host principal) from
> Linux. The program is supposed to be general so the Admin principal
> does not need to be in the same realm as the principal whose password
> is being changed. Provided the admin principal has the proper privileges
> and the proper trusts are set up in Active Directory, this should work
> using the krb5_set_password() function and cross-realm authentication.
> However, I couldn't get this to work. I did some packet sniffing to try
> and figure this out. When I call krb5_set_password(), it communicates
> with the KDC in the Administrator's realm (even if I pass it a cross-realm
> TGT or a cross-realm kadmin/changepw ticket), instead of the target
> principal's realm. I think this is a bug.
> I looked at the source code. The function change_password_loop() is called by
> krb5_set_password() and seems to do the real work. The following declaration
> is made in the beginning of that function:
> krb5_realm realm = creds->client->realm;
> Shouldn't that code be looking at server's realm, not the Administrator's
> realm? Or am I misunderstanding how to call this function? Seems like that
> line should be:
> krb5_realm realm = creds->server->realm;
> Anyways, when I changed this line and recompiled Heimdal, my code works.
I think you are right, it didn't matter before because there wasn't any
"target principal" passed into the code.
So shouldn't that be the targprinc's realm instead, then I can keep the
creds->client->realm because that and server->realm should be the same in
case of non-admin change of password.
> I think you are right, it didn't matter before because there wasn't any
> "target principal" passed into the code.
>
> So shouldn't that be the targprinc's realm instead, then I can keep the
> creds->client->realm because that and server->realm should be the same in
> case of non-admin change of password.
Yeah, that seems a bit better than the change I made. Thanks.
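As an added illustration (not Heimdal's code and not written by anyone in this thread), here is a small stand-alone C model of the realm-selection decision discussed above. It does not link against libkrb5; the struct names, function names and sample principals are invented for the example. It contrasts the behaviour the original report observed (always the client's realm), the poster's first change (the service ticket's server realm), and the reply's suggestion (the target principal's realm, falling back to the client's realm for a self-service change), and checks which of them routes the request to the KDC of the realm that actually holds the principal being changed.

```c
/* Toy model of the change-password realm selection. Not Heimdal's types or
 * code: everything below is invented for illustration only. */
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;   /* e.g. "admin" or "host/box.hosts.example" */
    const char *realm;  /* e.g. "ADMIN.EXAMPLE" */
} toy_principal;

typedef struct {
    const toy_principal *client; /* who authenticated */
    const toy_principal *server; /* service ticket, e.g. kadmin/changepw */
} toy_creds;

/* Behaviour observed in the report: the client's realm, whatever was asked. */
const char *changepw_realm_old(const toy_creds *creds, const toy_principal *targprinc)
{
    (void)targprinc;
    return creds->client->realm;
}

/* The poster's first change: the realm of the kadmin/changepw service ticket. */
const char *changepw_realm_server(const toy_creds *creds, const toy_principal *targprinc)
{
    (void)targprinc;
    return creds->server->realm;
}

/* The reply's suggestion: the target principal's realm when one is given,
 * otherwise (self-service change, no targprinc) keep the client's realm. */
const char *changepw_realm_proposed(const toy_creds *creds, const toy_principal *targprinc)
{
    if (targprinc != NULL && targprinc->realm != NULL)
        return targprinc->realm;
    return creds->client->realm;
}

/* Does the chosen KDC realm match the realm that holds the target principal? */
int routes_to_target_realm(const char *chosen, const toy_principal *target)
{
    return strcmp(chosen, target->realm) == 0;
}

/* Constructed sample principals (not real hosts or realms). */
static const toy_principal admin          = {"admin",                  "ADMIN.EXAMPLE"};
static const toy_principal alice          = {"alice",                  "HOSTS.EXAMPLE"};
static const toy_principal host_princ     = {"host/box.hosts.example", "HOSTS.EXAMPLE"};
static const toy_principal changepw_hosts = {"kadmin/changepw",        "HOSTS.EXAMPLE"};

/* Scenario 1: admin@ADMIN.EXAMPLE holds a cross-realm kadmin/changepw ticket
 * for HOSTS.EXAMPLE and sets the password of host/box@HOSTS.EXAMPLE. */
int cross_realm_old_ok(void)
{
    toy_creds c = {&admin, &changepw_hosts};
    return routes_to_target_realm(changepw_realm_old(&c, &host_princ), &host_princ);
}

int cross_realm_server_ok(void)
{
    toy_creds c = {&admin, &changepw_hosts};
    return routes_to_target_realm(changepw_realm_server(&c, &host_princ), &host_princ);
}

int cross_realm_proposed_ok(void)
{
    toy_creds c = {&admin, &changepw_hosts};
    return routes_to_target_realm(changepw_realm_proposed(&c, &host_princ), &host_princ);
}

/* Scenario 2: alice@HOSTS.EXAMPLE changes her own password; no targprinc is
 * passed, so client realm and server realm coincide. */
int self_change_proposed_ok(void)
{
    toy_creds c = {&alice, &changepw_hosts};
    return routes_to_target_realm(changepw_realm_proposed(&c, NULL), &alice);
}

int main(void)
{
    printf("cross-realm, client realm (old):      %s\n", cross_realm_old_ok() ? "ok" : "wrong KDC");
    printf("cross-realm, server realm (poster):   %s\n", cross_realm_server_ok() ? "ok" : "wrong KDC");
    printf("cross-realm, targprinc realm (reply): %s\n", cross_realm_proposed_ok() ? "ok" : "wrong KDC");
    printf("self-change, targprinc realm (reply): %s\n", self_change_proposed_ok() ? "ok" : "wrong KDC");
    return 0;
}
```

Both changes send the cross-realm request to the right KDC; the difference is that the reply's version keys off the principal being changed rather than off whichever service ticket happened to be supplied, and still degrades to the unchanged self-service behaviour when no target principal is passed.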