krb5_set_password - Cross realm bug?

krb5_set_password - Cross realm bug?

brian.joh
Hi,
 
I am writing a Linux program with the Heimdal libraries.  The program
allows an *Administrative* Active Directory user to set the password
of another Active Directory principal (actually a host principal) from
Linux.  The program is supposed to be general so the Admin principal
does not need to be in the same realm as the principal whose password
is being changed.  Provided the admin principal has the proper privileges
and the proper trusts are set up in Active Directory, this should work
using the krb5_set_password() function and cross-realm authentication. 
However, I couldn't get this to work.  I did some packet sniffing to try
and figure this out.  When I call krb5_set_password(), it communicates
with the KDC in the Administrator's realm (even if I pass it a cross-realm
TGT or a cross-realm kadmin/changepw ticket), instead of the target
principal's realm.  I think this is a bug. 
 
I looked at the source code.  The function change_password_loop() is called by krb5_set_password() and seems to do the real work.  The following declaration is made in the beginning of that function:
 
      krb5_realm realm = creds->client->realm;
 
Shouldn't that code be looking at server's realm, not the Administrator's realm?   Or am I misunderstanding how to call this function?  Seems like that line should be:
 
     krb5_realm realm = creds->server->realm;
 
Anyways, when I changed this line and recompiled Heimdal, my code works.  
 
Any help is much appreciated.  Thanks.
 
Brian Joh

Re: krb5_set_password - Cross realm bug?

Love Hörnquist Åstrand

[hidden email] writes:

> Hi,
>  
> I am writing a Linux program with the Heimdal libraries.  The program
> allows an *Administrative* Active Directory user to set the password
> of another Active Directory principal (actually a host principal) from
> Linux.  The program is supposed to be general so the Admin principal
> does not need to be in the same realm as the principal whose password
> is being changed.  Provided the admin principal has the proper privileges
> and the proper trusts are set up in Active Directory, this should work
> using the krb5_set_password() function and cross-realm authentication.
> However, I couldn't get this to work.  I did some packet sniffing to try
> and figure this out.  When I call krb5_set_password(), it communicates
> with the KDC in the Administrator's realm (even if I pass it a cross-realm
> TGT or a cross-realm kadmin/changepw ticket), instead of the target
> principal's realm.  I think this is a bug.
>  
> I looked at the source code.  The function change_password_loop() is called by
> krb5_set_password() and seems to do the real work.  The following declaration
> is made in the beginning of that function:
>  
>       krb5_realm realm = creds->client->realm;
>  
> Shouldn't that code be looking at server's realm, not the Administrator's
> realm?   Or am I misunderstanding how to call this function?  Seems like that
> line should be:
>  
>      krb5_realm realm = creds->server->realm;
>  
> Anyways, when I changed this line and recompiled Heimdal, my code works.  

I think you are right, it didn't matter before because there wasn't any
"target principal" passed into the code.

So shouldn't that be the targprinc's realm instead, then I can keep the
creds->client->realm because that and server->realm should be the same in
case of non-admin change of password.

Love


--- lib/krb5/changepw.c 08 Sep 2005 13:38:01 +0200 1.54
+++ lib/krb5/changepw.c 14 Sep 2005 17:36:51 +0200
@@ -522,7 +522,12 @@
     int sock;
     int i;
     int done = 0;
-    krb5_realm realm = creds->client->realm;
+    krb5_realm realm;
+
+    if (targprinc)
+ realm = targprinc->realm;
+    else
+ realm = creds->client->realm;
 
     ret = krb5_auth_con_init (context, &auth_context);
     if (ret)
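
Review bot: In the `if (targprinc)` branch the realm now comes from `targprinc->realm`, but nothing checks that the ticket in `creds` was issued for a service in that same realm. A caller that passes a target principal together with credentials whose `creds->server->realm` differs would have the request sent to a realm whose password service is likely to reject the ticket, and the failure would surface only as a protocol error. Consider comparing `targprinc->realm` with `creds->server->realm` and returning an error early on mismatch, or at least add a comment above the branch stating that callers must obtain the changepw ticket for the target principal's realm. A short comment on why the `else` branch keeps `creds->client->realm` (client and server realm coincide for a non-admin change) would also help the next reader.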


Re: krb5_set_password - Cross realm bug?

brian.joh
Love Hörnquist Åstrand wrote:
> I think you are right, it didn't matter before because there wasn't any
> "target principal" passed into the code.
>
> So shouldn't that be the targprinc's realm instead, then I can keep the
> creds->client->realm because that and server->realm should be the same in
> case of non-admin change of password.

Yeah, that seems a bit better than the change I made.  Thanks.
 
-Brian