diff options
author | Nathaniel McCallum <npmccallum@redhat.com> | 2014-03-07 12:21:11 -0500 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-03-10 16:56:38 +0100 |
commit | bd7fdcaf0da3ddf77514bd3caa9027d6b87748a1 (patch) | |
tree | b1724aa3d771bc65cc040397ca98b5ffad5c80f6 /src/tools/sss_cache.c | |
parent | 5f904508153151975e860df72b66753b129a48f4 (diff) | |
download | sssd-bd7fdcaf0da3ddf77514bd3caa9027d6b87748a1.tar.gz sssd-bd7fdcaf0da3ddf77514bd3caa9027d6b87748a1.tar.xz sssd-bd7fdcaf0da3ddf77514bd3caa9027d6b87748a1.zip |
Fix krb5 changepw when FAST-only preauth methods are used (like OTP)
Before this patch, a different set of options was used when calling
krb5_get_init_creds_password() for the changepw principal. Because
this set of options did not contain the same FAST settings as the
options for normal requests, all authentication would fail when the
password of a FAST-only account would expire.
The two sets approach was cargo-cult from kinit where multiple
requests could be issued using the same options set. However, in the
case of krb5_child, only one request (or occasionally a well-defined
second request) will be issued. Two option sets are therefore not
required.
To fix this problem we removed the second option set used for changepw
requests. All requests now use a single option set which is modified,
if needed, for well-defined subsequent requests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/tools/sss_cache.c')
0 files changed, 0 insertions, 0 deletions