authorSumit Bose <sbose@redhat.com>2012-11-14 13:56:43 +0100
committerJakub Hrozek <jhrozek@redhat.com>2012-11-20 08:19:53 +0100
commit59ca512252880938ebd978f361740392d4b1e126 (patch)
tree2d978b6c99fe11701672a4492e8ccd74513958b8
parent7df5fd383ed1f1b26c0a9a0071d6e4fc612550e7 (diff)
Just use the service name with krb5_get_init_creds_password()
Currently we add the realm name to the change-password principal, but according to the MIT Kerberos docs and upstream usage the realm name is simply ignored. Dropping the realm name also avoids confusion when the change-password request is received for a user of a trusted domain.
-rw-r--r--src/providers/krb5/krb5_child.c26
1 files changed, 2 insertions, 24 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index b8fc4ecb8..ef46f36c4 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1053,7 +1053,6 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
char *user_error_message = NULL;
size_t user_resp_len;
uint8_t *user_resp;
- char *changepw_princ = NULL;
krb5_prompter_fct prompter = sss_krb5_prompter;
const char *realm_name;
int realm_length;
@@ -1074,16 +1073,6 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
goto sendresponse;
}
- changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPAL,
- kr->krb5_ctx->realm);
- if (changepw_princ == NULL) {
- DEBUG(1, ("talloc_asprintf failed.\n"));
- kerr = KRB5KRB_ERR_GENERIC;
- goto sendresponse;
- }
- DEBUG(SSSDBG_FUNC_DATA,
- ("Created a changepw principal [%s]\n", changepw_princ));
-
if (kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
/* We do not need a password expiration warning here. */
prompter = NULL;
@@ -1095,7 +1084,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
("Attempting kinit for realm [%s]\n",realm_name));
kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
pass_str, prompter, kr, 0,
- changepw_princ,
+ SSSD_KRB5_CHANGEPW_PRINCIPAL,
kr->options);
if (kerr != 0) {
pam_status = kerr_handle_error(kerr);
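Review bot: Nothing at the new call argument `SSSD_KRB5_CHANGEPW_PRINCIPAL,` records that the realm is left off deliberately, so the next reader who sees a bare service name passed as in_tkt_service is likely to restore the `%s@%s` form; the call in tgt_req_child in the last hunk has the same gap. A short comment above each krb5_get_init_creds_password() call would pin the intent: `/* No realm on purpose: the library ignores the realm part of in_tkt_service and uses the client principal's realm, which is what we want for users from trusted domains. */`. The "realm is ignored" behaviour is what the MIT documentation states; if this file is also built against another Kerberos implementation through SSSD's compatibility layer, it is worth confirming the unrealmed service name is accepted there as well. The body of changepw_child continues outside this hunk.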
@@ -1202,7 +1191,6 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
int ret;
krb5_error_code kerr = 0;
char *pass_str = NULL;
- char *changepw_princ = NULL;
int pam_status = PAM_SYSTEM_ERR;
DEBUG(SSSDBG_TRACE_LIBS, ("Attempting to get a TGT\n"));
@@ -1222,16 +1210,6 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
goto sendresponse;
}
- changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPAL,
- kr->krb5_ctx->realm);
- if (changepw_princ == NULL) {
- DEBUG(1, ("talloc_asprintf failed.\n"));
- kerr = KRB5KRB_ERR_GENERIC;
- goto sendresponse;
- }
- DEBUG(SSSDBG_FUNC_DATA,
- ("Created a changepw principal [%s]\n", changepw_princ));
-
kerr = get_and_save_tgt(kr, pass_str);
/* If the password is expired the KDC will always return
@@ -1249,7 +1227,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
}
kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
pass_str, sss_krb5_prompter, kr, 0,
- changepw_princ,
+ SSSD_KRB5_CHANGEPW_PRINCIPAL,
kr->options);
krb5_free_cred_contents(kr->ctx, kr->creds);
if (kerr == 0) {