[krbdev.mit.edu #3142] kinit fails when password-change required attribute is set


Greg Hudson via RT
When kinit is used to obtain an initial ticket, if the password-change required
attribute is set (the pwchg attribute in the case of HP-UX Kerberos servers) for
the principal, kinit fails with a 'Realm unknown' error instead of asking for a
new password.
I have attached the fix below.

Source files changed:
/vob/krb5-1.3.3/src/lib/krb5/krb/gic_pwd.c


Source file changed

***************
*** /vob/krb5-1.3.3/src/lib/krb5/krb/gic_pwd.c
--- /vob/krb5-1.3.3/src/lib/krb5/krb/gic_pwd.c.fix
*** 131,143 ****
     if (ret == 0)
        goto cleanup;
   
     /* If all the kdc's are unavailable, or if the error was due to a
        user interrupt, or preauth errored out, fail */
   
     if ((ret == KRB5_KDC_UNREACH) ||
         (ret == KRB5_PREAUTH_FAILED) ||
!        (ret == KRB5_LIBOS_PWDINTR) ||
!          (ret == KRB5_REALM_CANT_RESOLVE))
        goto cleanup;
   
     /* if the reply did not come from the master kdc, try again with
--- 131,147 ----
     if (ret == 0)
        goto cleanup;
   
+    /* If it's passwd change */
+    if (ret == KRB5KDC_ERR_KEY_EXP)
+       goto passwd_chg;
+
     /* If all the kdc's are unavailable, or if the error was due to a
        user interrupt, or preauth errored out, fail */
   
     if ((ret == KRB5_KDC_UNREACH) ||
         (ret == KRB5_PREAUTH_FAILED) ||
!        (ret == KRB5_LIBOS_PWDINTR) /*||
!          (ret == KRB5_REALM_CANT_RESOLVE)*/)
        goto cleanup;
   
     /* if the reply did not come from the master kdc, try again with
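Review bot: the `/*|| (ret == KRB5_REALM_CANT_RESOLVE)*/` left at the end of the early-exit condition is commented-out code rather than a removal; if KRB5_REALM_CANT_RESOLVE is meant to fall through to the master-KDC retry below, delete the term outright and state in the submission why that error should no longer abort, since retrying against the master for a realm that cannot be resolved will most likely fail the same way. The new `if (ret == KRB5KDC_ERR_KEY_EXP) goto passwd_chg;` also jumps over the master-KDC retry that immediately follows this hunk, so a key-expired reply from a slave is now acted on without being confirmed against the master, which is what the retry exists for; either show that the existing `ret != KRB5KDC_ERR_KEY_EXP` check after the retry cannot handle this case, or add a comment explaining why bypassing the master is safe here.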
***************
*** 163,174 ****
        /* if the master is unreachable, return the error from the
         slave we were able to contact */
   
        if ((ret2 == KRB5_KDC_UNREACH) ||
          (ret2 == KRB5_REALM_CANT_RESOLVE) ||
!         (ret2 == KRB5_REALM_UNKNOWN))
!        goto cleanup;
   
-       ret = ret2;
     }
   
  #ifdef USE_LOGIN_LIBRARY
--- 167,180 ----
        /* if the master is unreachable, return the error from the
         slave we were able to contact */
   
+       ret = ret2;
+
        if ((ret2 == KRB5_KDC_UNREACH) ||
          (ret2 == KRB5_REALM_CANT_RESOLVE) ||
!         (ret2 == KRB5_REALM_UNKNOWN)) {
!             goto cleanup;
!       }
   
     }
   
  #ifdef USE_LOGIN_LIBRARY
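Review bot: moving `ret = ret2;` above the `if ((ret2 == KRB5_KDC_UNREACH) || ...` check changes what the caller sees when the master cannot be contacted: ret now carries the master's KRB5_KDC_UNREACH, KRB5_REALM_CANT_RESOLVE or KRB5_REALM_UNKNOWN instead of the error from the slave, which contradicts the comment kept directly above it ("return the error from the slave we were able to contact"). Either keep the assignment after the check, as in the original, or update the comment and the submission to say that the master's error is now preferred and why. The braces added around `goto cleanup;` are a style-only change and could be dropped to keep the diff minimal.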
***************
*** 179,185 ****
     /* at this point, we have an error from the master.  if the error
        is not password expired, or if it is but there's no prompter,
        return this error */
!
     if ((ret != KRB5KDC_ERR_KEY_EXP) ||
         (prompter == NULL))
        goto cleanup;
--- 185,191 ----
     /* at this point, we have an error from the master.  if the error
        is not password expired, or if it is but there's no prompter,
        return this error */
! passwd_chg:
     if ((ret != KRB5KDC_ERR_KEY_EXP) ||
         (prompter == NULL))
        goto cleanup;
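Review bot: the new `passwd_chg:` label carries no comment saying where the jump originates; add a one-line note that the early KRB5KDC_ERR_KEY_EXP check jumps here, because on that path the `ret != KRB5KDC_ERR_KEY_EXP` test on the following line is always false and reads as dead code on first inspection. The jump also lands past the `#ifdef USE_LOGIN_LIBRARY` region visible as trailing context of the previous hunk, so whatever that block does on the master-reply path is skipped for the early path; confirm that is intended and say so in the submission. Minor: the label replaces the blank line at the top of the old hunk rather than being inserted, which is why the `!` marker appears on an otherwise empty line.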

_______________________________________________
krb5-bugs mailing list
https://mailman.mit.edu/mailman/listinfo/krb5-bugs