Remove krb5_changepw_principal option

Fixes: #531
author: Jakub Hrozek <jhrozek@redhat.com> 2010-06-10 15:09:35 +0200
committer: Stephen Gallagher <sgallagh@redhat.com> 2010-06-14 16:54:30 -0400
commit: f520e7a2f4fe29747f25118621e20b0d89d296fc (patch)
tree: 3b6cc7b5ab6ee927c8a9afadbb9487cd7a018dd3 /src/providers
parent: 946aba311fd280fbd673944c0181063d2600c878 (diff)
download: sssd-f520e7a2f4fe29747f25118621e20b0d89d296fc.tar.gz
sssd-f520e7a2f4fe29747f25118621e20b0d89d296fc.tar.xz
sssd-f520e7a2f4fe29747f25118621e20b0d89d296fc.zip
6 files changed, 23 insertions, 44 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 580b66f40..3ada423e8 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -121,7 +121,6 @@ struct dp_option ipa_def_krb5_opts[] = {
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
     { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
-    { "krb5_changepw_principal", DP_OPT_STRING, { "kadmin/changepw" }, NULL_STRING },
     { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
     { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
     { "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index fe9ca5418..3b40e41ef 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -40,7 +40,7 @@ struct ipa_service {
 /* the following define is used to keep track of the options in the krb5
  * module, so that if they change and ipa is not updated correspondingly
  * this will trigger a runtime abort error */
-#define IPA_KRB5_OPTS_TEST 10
+#define IPA_KRB5_OPTS_TEST 9
 
 enum ipa_basic_opt {
     IPA_DOMAIN = 0,
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index 293375da9..9dbf7c6db 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -33,7 +33,6 @@
 #include "providers/krb5/krb5_common.h"
 
 #define CCACHE_ENV_NAME "KRB5CCNAME"
-#define SSSD_KRB5_CHANGEPW_PRINCIPLE "SSSD_KRB5_CHANGEPW_PRINCIPLE"
 
 #define ILLEGAL_PATH_PATTERN "//|/\\./|/\\.\\./"
 
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 18b7a220a..b538c841c 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -36,6 +36,8 @@
 #include "providers/krb5/krb5_auth.h"
 #include "providers/krb5/krb5_utils.h"
 
+#define SSSD_KRB5_CHANGEPW_PRINCIPLE "kadmin/changepw"
+
 struct krb5_child_ctx {
     /* opts taken from kinit */
     /* in seconds */
@@ -63,7 +65,6 @@ struct krb5_child_ctx {
 
     char *kdcip;
     char *realm;
-    char *changepw_principle;
     char *ccache_dir;
     char *ccname_template;
     int auth_timeout;
@@ -571,6 +572,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
     char *user_error_message = NULL;
     size_t user_resp_len;
     uint8_t *user_resp;
+    char *changepw_princ = NULL;
     krb5_prompter_fct prompter = sss_krb5_prompter;
 
     pass_str = talloc_strndup(kr, (const char *) kr->pd->authtok,
@@ -581,6 +583,14 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
         goto sendresponse;
     }
 
+    changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPLE,
+                                                  kr->krb5_ctx->realm);
+    if (changepw_princ == NULL) {
+        DEBUG(1, ("talloc_asprintf failed.\n"));
+        kerr = KRB5KRB_ERR_GENERIC;
+        goto sendresponse;
+    }
+
     if (kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
         /* We do not need a password expiration warning here. */
         prompter = NULL;
@@ -588,7 +598,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
 
     kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
                                         pass_str, prompter, kr, 0,
-                                        kr->krb5_ctx->changepw_principle,
+                                        changepw_princ,
                                         kr->options);
     if (kerr != 0) {
         KRB5_DEBUG(1, kerr);
@@ -702,6 +712,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
     int ret;
     krb5_error_code kerr = 0;
     char *pass_str = NULL;
+    char *changepw_princ = NULL;
     int pam_status = PAM_SYSTEM_ERR;
 
     pass_str = talloc_strndup(kr, (const char *) kr->pd->authtok,
@@ -712,6 +723,14 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
         goto sendresponse;
     }
 
+    changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPLE,
+                                                  kr->krb5_ctx->realm);
+    if (changepw_princ == NULL) {
+        DEBUG(1, ("talloc_asprintf failed.\n"));
+        kerr = KRB5KRB_ERR_GENERIC;
+        goto sendresponse;
+    }
+
     kerr = get_and_save_tgt(kr, pass_str);
 
     /* If the password is expired the KDC will always return
@@ -721,7 +740,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
     if (kerr == KRB5KDC_ERR_KEY_EXP) {
         kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
                                             pass_str, sss_krb5_prompter, kr, 0,
-                                            kr->krb5_ctx->changepw_principle,
+                                            changepw_princ,
                                             kr->options);
         krb5_free_cred_contents(kr->ctx, kr->creds);
         if (kerr == 0) {
@@ -872,15 +891,6 @@ static int krb5_setup(struct krb5_req *kr, uint32_t offline)
         goto failed;
     }
 
-    kr->krb5_ctx->changepw_principle = getenv(SSSD_KRB5_CHANGEPW_PRINCIPLE);
-    if (kr->krb5_ctx->changepw_principle == NULL) {
-        DEBUG(1, ("Cannot read [%s] from environment.\n",
-                  SSSD_KRB5_CHANGEPW_PRINCIPLE));
-        if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
-            goto failed;
-        }
-    }
-
     kr->krb5_ctx->realm = getenv(SSSD_KRB5_REALM);
     if (kr->krb5_ctx->realm == NULL) {
         DEBUG(2, ("Cannot read [%s] from environment.\n", SSSD_KRB5_REALM));
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index fbc308895..57d7b1d0c 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -36,7 +36,6 @@ struct dp_option default_krb5_opts[] = {
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
     { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
-    { "krb5_changepw_principal", DP_OPT_STRING, { "kadmin/changepw" }, NULL_STRING },
     { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
     { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
     { "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
@@ -48,7 +47,6 @@ errno_t check_and_export_options(struct dp_option *opts,
                                  struct sss_domain_info *dom)
 {
     int ret;
-    char *value;
     const char *realm;
     const char *dummy;
 
@@ -90,31 +88,6 @@ errno_t check_and_export_options(struct dp_option *opts,
         return EINVAL;
     }
 
-    dummy = dp_opt_get_cstring(opts, KRB5_CHANGEPW_PRINC);
-    if (dummy == NULL) {
-        DEBUG(1, ("Missing change password principle.\n"));
-        return EINVAL;
-    }
-    if (strchr(dummy, '@') == NULL) {
-        value = talloc_asprintf(opts, "%s@%s", dummy, realm);
-        if (value == NULL) {
-            DEBUG(7, ("talloc_asprintf failed.\n"));
-            return ENOMEM;
-        }
-        ret = dp_opt_set_string(opts, KRB5_CHANGEPW_PRINC, value);
-        if (ret != EOK) {
-            DEBUG(1, ("dp_opt_set_string failed.\n"));
-            return ret;
-        }
-        dummy = value;
-    }
-
-    ret = setenv(SSSD_KRB5_CHANGEPW_PRINCIPLE, dummy, 1);
-    if (ret != EOK) {
-        DEBUG(2, ("setenv %s failed, password change might fail.\n",
-                  SSSD_KRB5_CHANGEPW_PRINCIPLE));
-    }
-
     return EOK;
 }
 
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 342481e5d..f3bbbb84b 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -35,7 +35,6 @@
 
 #define SSSD_KRB5_KDC "SSSD_KRB5_KDC"
 #define SSSD_KRB5_REALM "SSSD_KRB5_REALM"
-#define SSSD_KRB5_CHANGEPW_PRINCIPLE "SSSD_KRB5_CHANGEPW_PRINCIPLE"
 
 #define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s"
 #define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s"
@@ -48,7 +47,6 @@ enum krb5_opts {
     KRB5_REALM,
     KRB5_CCACHEDIR,
     KRB5_CCNAME_TMPL,
-    KRB5_CHANGEPW_PRINC,
     KRB5_AUTH_TIMEOUT,
     KRB5_KEYTAB,
     KRB5_VALIDATE,
author	Jakub Hrozek <jhrozek@redhat.com>	2010-06-10 15:09:35 +0200
committer	Stephen Gallagher <sgallagh@redhat.com>	2010-06-14 16:54:30 -0400
commit	f520e7a2f4fe29747f25118621e20b0d89d296fc (patch)
tree	3b6cc7b5ab6ee927c8a9afadbb9487cd7a018dd3 /src/providers
parent	946aba311fd280fbd673944c0181063d2600c878 (diff)
download	sssd-f520e7a2f4fe29747f25118621e20b0d89d296fc.tar.gz sssd-f520e7a2f4fe29747f25118621e20b0d89d296fc.tar.xz sssd-f520e7a2f4fe29747f25118621e20b0d89d296fc.zip