Hi,
a recent patch unified the usage of the krb5_get_init_creds_opt options to make sure the same set of FAST related options are used for authentication and password changes. Before changing the password some options were set to special values but were not reverted before requesting a new TGT with the new password. As a result the new TGT will have some unexpected options set or the request might even fail.
This patch set resets the password change related options to their original values before requesting the new TGT.
The first two patches are just refactorings which are required to keep the third patch simple.
bye, Sumit
On Fri, Mar 21, 2014 at 02:22:47PM +0100, Sumit Bose wrote:
> Hi,
> a recent patch unified the usage of the krb5_get_init_creds_opt options to make sure the same set of FAST related options are used for authentication and password changes. Before changing the password some options were set to special values but were not reverted before requesting a new TGT with the new password. As a result the new TGT will have some unexpected options set or the request might even fail.
> This patch set resets the password change related options to their original values before requesting the new TGT.
> The first two patches are just refactorings which are required to keep the third patch simple.
> bye, Sumit
On IRC Jakub pointed out that the lifetimes are not correctly reset if not given explicitly. Additionally he asked to rename krb5_set_canonicalize().
New versions attached. The rename of krb5_set_canonicalize() is now in a separate patch.
bye, Sumit
On Fri, Mar 21, 2014 at 04:40:22PM +0100, Sumit Bose wrote:
> On Fri, Mar 21, 2014 at 02:22:47PM +0100, Sumit Bose wrote:
> > Hi,
> > a recent patch unified the usage of the krb5_get_init_creds_opt options to make sure the same set of FAST related options are used for authentication and password changes. Before changing the password some options were set to special values but were not reverted before requesting a new TGT with the new password. As a result the new TGT will have some unexpected options set or the request might even fail.
> > This patch set resets the password change related options to their original values before requesting the new TGT.
> > The first two patches are just refactorings which are required to keep the third patch simple.
> > bye, Sumit
> On IRC Jakub pointed out that the lifetimes are not correctly reset if not given explicitly. Additionally he asked to rename krb5_set_canonicalize().
> New versions attached. The rename of krb5_set_canonicalize() is now in a separate patch.
> bye, Sumit
This time the patches work as expected. I tested password change against AD and also OTP password change against IPA.
ACK to all patches.
On Fri, 2014-03-21 at 18:18 +0100, Jakub Hrozek wrote:
> On Fri, Mar 21, 2014 at 04:40:22PM +0100, Sumit Bose wrote:
> > On Fri, Mar 21, 2014 at 02:22:47PM +0100, Sumit Bose wrote:
> > > Hi,
> > > a recent patch unified the usage of the krb5_get_init_creds_opt options to make sure the same set of FAST related options are used for authentication and password changes. Before changing the password some options were set to special values but were not reverted before requesting a new TGT with the new password. As a result the new TGT will have some unexpected options set or the request might even fail.
> > > This patch set resets the password change related options to their original values before requesting the new TGT.
> > > The first two patches are just refactorings which are required to keep the third patch simple.
> > > bye, Sumit
> > On IRC Jakub pointed out that the lifetimes are not correctly reset if not given explicitly. Additionally he asked to rename krb5_set_canonicalize().
> > New versions attached. The rename of krb5_set_canonicalize() is now in a separate patch.
> > bye, Sumit
> This time the patches work as expected. I tested password change against AD and also OTP password change against IPA.
> ACK to all patches.
Pushed all to master and sssd-1-11
sssd-devel@lists.fedorahosted.org