Diffstat (limited to 'src/providers/krb5/krb5_child.c')
-rw-r--r--src/providers/krb5/krb5_child.c34
1 files changed, 22 insertions, 12 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 18b7a220a..b538c841c 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -36,6 +36,8 @@
#include "providers/krb5/krb5_auth.h"
#include "providers/krb5/krb5_utils.h"
+#define SSSD_KRB5_CHANGEPW_PRINCIPLE "kadmin/changepw"
+
struct krb5_child_ctx {
/* opts taken from kinit */
/* in seconds */
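Review bot: The new macro at the top of this hunk reuses the identifier `SSSD_KRB5_CHANGEPW_PRINCIPLE`, which the pre-patch code used as an environment-variable name (`getenv(SSSD_KRB5_CHANGEPW_PRINCIPLE)` in the removed block of krb5_setup), but now binds it to the service name `"kadmin/changepw"`. If the old definition still lives in a shared header this file includes, the compiler will report a macro redefinition with a different meaning, and any parent-side code that still exports the variable under the old name becomes dead configuration; the diffstat is limited to this file, so I cannot tell from here. A name that says what the value is avoids the clash and fixes the spelling (the Kerberos term is "principal"), e.g. `#define SSSD_KRB5_CHANGEPW_PRINCIPAL_NAME "kadmin/changepw"`, updated at its two uses in changepw_child and tgt_req_child. A one-line comment on the define, `/* service principal (without realm) used for password-change requests */`, would also help the next reader.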
@@ -63,7 +65,6 @@ struct krb5_child_ctx {
char *kdcip;
char *realm;
- char *changepw_principle;
char *ccache_dir;
char *ccname_template;
int auth_timeout;
@@ -571,6 +572,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
char *user_error_message = NULL;
size_t user_resp_len;
uint8_t *user_resp;
+ char *changepw_princ = NULL;
krb5_prompter_fct prompter = sss_krb5_prompter;
pass_str = talloc_strndup(kr, (const char *) kr->pd->authtok,
@@ -581,6 +583,14 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
goto sendresponse;
}
+ changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPLE,
+ kr->krb5_ctx->realm);
+ if (changepw_princ == NULL) {
+ DEBUG(1, ("talloc_asprintf failed.\n"));
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto sendresponse;
+ }
+
if (kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
/* We do not need a password expiration warning here. */
prompter = NULL;
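Review bot: The added `talloc_asprintf(kr, "%s@%s", ..., kr->krb5_ctx->realm)` has no guard for `kr->krb5_ctx->realm` being NULL; krb5_setup only logs at level 2 when the realm is missing from the environment (the handling after that log is outside this diff), so a missing realm would either format a bogus `kadmin/changepw@(null)` principal that fails at the KDC with a misleading error or, depending on the talloc formatting path, dereference NULL. The same block is duplicated verbatim in the tgt_req_child hunk (`@@ -712,6 +723,14 @@`), so the guard and the string construction belong in one static helper called from both places; the enclosing functions start outside the hunks.

```c
/* Builds "kadmin/changepw@REALM" on kr; returns NULL (after logging) when the
 * realm is unset or the allocation fails. */
static char *build_changepw_princ(struct krb5_req *kr)
{
    if (kr->krb5_ctx->realm == NULL || *kr->krb5_ctx->realm == '\0') {
        DEBUG(1, ("Realm is not set, cannot build the changepw principal.\n"));
        return NULL;
    }
    return talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPLE,
                           kr->krb5_ctx->realm);
}

    /* … unchanged: pass_str allocation and its error path … */
    changepw_princ = build_changepw_princ(kr);
    if (changepw_princ == NULL) {
        kerr = KRB5KRB_ERR_GENERIC;
        goto sendresponse;
    }
```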
@@ -588,7 +598,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
pass_str, prompter, kr, 0,
- kr->krb5_ctx->changepw_principle,
+ changepw_princ,
kr->options);
if (kerr != 0) {
KRB5_DEBUG(1, kerr);
@@ -702,6 +712,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
int ret;
krb5_error_code kerr = 0;
char *pass_str = NULL;
+ char *changepw_princ = NULL;
int pam_status = PAM_SYSTEM_ERR;
pass_str = talloc_strndup(kr, (const char *) kr->pd->authtok,
@@ -712,6 +723,14 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
goto sendresponse;
}
+ changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPLE,
+ kr->krb5_ctx->realm);
+ if (changepw_princ == NULL) {
+ DEBUG(1, ("talloc_asprintf failed.\n"));
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto sendresponse;
+ }
+
kerr = get_and_save_tgt(kr, pass_str);
/* If the password is expired the KDC will always return
@@ -721,7 +740,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
if (kerr == KRB5KDC_ERR_KEY_EXP) {
kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
pass_str, sss_krb5_prompter, kr, 0,
- kr->krb5_ctx->changepw_principle,
+ changepw_princ,
kr->options);
krb5_free_cred_contents(kr->ctx, kr->creds);
if (kerr == 0) {
@@ -872,15 +891,6 @@ static int krb5_setup(struct krb5_req *kr, uint32_t offline)
goto failed;
}
- kr->krb5_ctx->changepw_principle = getenv(SSSD_KRB5_CHANGEPW_PRINCIPLE);
- if (kr->krb5_ctx->changepw_principle == NULL) {
- DEBUG(1, ("Cannot read [%s] from environment.\n",
- SSSD_KRB5_CHANGEPW_PRINCIPLE));
- if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
- goto failed;
- }
- }
-
kr->krb5_ctx->realm = getenv(SSSD_KRB5_REALM);
if (kr->krb5_ctx->realm == NULL) {
DEBUG(2, ("Cannot read [%s] from environment.\n", SSSD_KRB5_REALM));
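Review bot: The removed block was the only place where a missing change-password configuration made an `SSS_PAM_CHAUTHTOK` request fail early; after this hunk the realm read on the following lines is the sole input to the change-password principal, yet a missing realm only produces a level-2 debug message here (whether it fails further down is outside the hunk). Since both changepw_child and tgt_req_child now depend on `kr->krb5_ctx->realm` being set, the realm check should carry the fatal path the removed code had, e.g. `if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) { goto failed; }` inside the `realm == NULL` branch, and log at level 1 rather than 2 so operators see why a password change is refused. krb5_setup starts outside the hunk.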