From fc4e89d12c0947f18a26d382436ceb03ec5c353b Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 21 Mar 2014 11:01:09 +0100
Subject: [PATCH 3/3] krb5-child: add revert_changepw_options()

After changing the Kerberos password krb5-child will try to get a fresh TGT with the new password. This patch tires to make sure the right gic options are used.

Resolves: https://fedorahosted.org/sssd/ticket/2289
---
 src/providers/krb5/krb5_child.c | 50 +++++++++++++++++++++++++++++------------
 1 file changed, 36 insertions(+), 14 deletions(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index dc9990f..2dbb902 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -110,6 +110,20 @@ static krb5_error_code set_lifetime_options(krb5_get_init_creds_opt *options)
 return 0;
 }
 
+static void krb5_set_canonicalize(krb5_get_init_creds_opt *opts)
+{
+ int canonicalize = 0;
+ char *tmp_str;
+
+ tmp_str = getenv(SSSD_KRB5_CANONICALIZE);
+ if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
+ canonicalize = 1;
+ }
+ DEBUG(SSSDBG_CONF_SETTINGS, ("%s is set to [%s]\n",
+ SSSD_KRB5_CANONICALIZE, tmp_str ? tmp_str : "not set"));
+ sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
+}
+
 static void set_changepw_options(krb5_context ctx,
 krb5_get_init_creds_opt *options)
 {
@@ -120,6 +134,24 @@ static void set_changepw_options(krb5_context ctx,
 krb5_get_init_creds_opt_set_tkt_life(options, 5*60);
 }
 
+static void revert_changepw_options(krb5_get_init_creds_opt *options)
+{
+ krb5_error_code kerr;
+
+ krb5_set_canonicalize(options);
+
+ /* Currently we do not set forwardable and proxiable explicitly, the flags
+ * must be removed so that libkrb5 can take the defaults from krb5.conf */
+ options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_FORWARDABLE);
+ options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_PROXIABLE);
+
+ kerr = set_lifetime_options(options);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("set_lifetime_options failed.\n"));
+ }
+}
+
+
 static errno_t sss_send_pac(krb5_authdata **pac_authdata)
 {
 struct sss_cli_req_data sss_data;
@@ -869,20 +901,6 @@ done:
 }
 
-static void krb5_set_canonicalize(krb5_get_init_creds_opt *opts)
-{
- int canonicalize = 0;
- char *tmp_str;
-
- tmp_str = getenv(SSSD_KRB5_CANONICALIZE);
- if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
- canonicalize = 1;
- }
- DEBUG(SSSDBG_CONF_SETTINGS, ("%s is set to [%s]\n",
- SSSD_KRB5_CANONICALIZE, tmp_str ? tmp_str : "not set"));
- sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
-}
-
 static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
 krb5_principal princ,
 krb5_keytab keytab,
@@ -1181,6 +1199,10 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
 krb5_free_cred_contents(kr->ctx, kr->creds);
 
+ /* We changed some of the gic options for the password change, now we have
+ * to change them back to get a fresh TGT. */
+ revert_changepw_options(kr->options);
+
 kerr = get_and_save_tgt(kr, newpassword);
 
 sss_authtok_set_empty(kr->pd->newauthtok);
-- 
1.8.3.1
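Review bot: revert_changepw_options swallows the one failure it can hit — when set_lifetime_options returns non-zero it only logs at SSSDBG_OP_FAILURE and returns void, so the caller added in the last hunk of this patch (changepw_child) goes on to request the fresh TGT with whatever lifetime set_changepw_options left behind (the 5*60 tkt_life visible in this hunk's context), and nothing tells the caller the options were not restored. Declaring it `static krb5_error_code revert_changepw_options(krb5_get_init_creds_opt *options)` with `return kerr;` after the if, and having changepw_child check the result before get_and_save_tgt, keeps that from being silent. Clearing KRB5_GET_INIT_CREDS_OPT_FORWARDABLE and KRB5_GET_INIT_CREDS_OPT_PROXIABLE directly in options->flags is the only way to un-set them, since the public setters can only set the bit together with a value, so the explanatory comment is right; it would help to add that this depends on the flags member of krb5_get_init_creds_opt staying accessible in libkrb5. set_changepw_options starts outside this hunk, so I cannot see whether it also sets a renewable lifetime; if it does, confirm that set_lifetime_options clears KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE when no renew lifetime is configured, otherwise that option will not revert to the krb5.conf default.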