diff options
author | Sumit Bose <sbose@redhat.com> | 2014-03-21 16:16:23 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-03-21 23:06:26 +0100 |
commit | 6bbff437dcea7e56d71cf119d1391be7264dfaf0 (patch) | |
tree | 30bce2784807f21e2820363d22b3b12ca73fa812 /src/providers/krb5 | |
parent | 4bdc95dd47a7f2898dea30c61355ed0f3be402d9 (diff) | |
download | sssd-6bbff437dcea7e56d71cf119d1391be7264dfaf0.tar.gz sssd-6bbff437dcea7e56d71cf119d1391be7264dfaf0.tar.xz sssd-6bbff437dcea7e56d71cf119d1391be7264dfaf0.zip |
krb5-child: add revert_changepw_options()
After changing the Kerberos password krb5-child will try to get a fresh
TGT with the new password. This patch tries to make sure the right gic
options are used.
Resolves: https://fedorahosted.org/sssd/ticket/2289
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers/krb5')
-rw-r--r-- | src/providers/krb5/krb5_child.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index b37bbec9a..913d458b7 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -140,6 +140,24 @@ static void set_changepw_options(krb5_context ctx, krb5_get_init_creds_opt_set_tkt_life(options, 5*60); } +static void revert_changepw_options(krb5_get_init_creds_opt *options) +{ + krb5_error_code kerr; + + set_canonicalize_option(options); + + /* Currently we do not set forwardable and proxiable explicitly, the flags + * must be removed so that libkrb5 can take the defaults from krb5.conf */ + options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_FORWARDABLE); + options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_PROXIABLE); + + kerr = set_lifetime_options(options); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, ("set_lifetime_options failed.\n")); + } +} + + static errno_t sss_send_pac(krb5_authdata **pac_authdata) { struct sss_cli_req_data sss_data; @@ -1196,6 +1214,10 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) krb5_free_cred_contents(kr->ctx, kr->creds); + /* We changed some of the gic options for the password change, now we have + * to change them back to get a fresh TGT. */ + revert_changepw_options(kr->options); + kerr = get_and_save_tgt(kr, newpassword); sss_authtok_set_empty(kr->pd->newauthtok); |