From 59ca512252880938ebd978f361740392d4b1e126 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 14 Nov 2012 13:56:43 +0100 Subject: Just use the service name with krb5_get_init_creds_password() Currently we add the realm name to change password principal but according to the MIT Kerberos docs and the upstream usage the realm name is just ignored. Dropping the realm name also does not lead to confusion if the change password request was received for a user of a trusted domain. --- src/providers/krb5/krb5_child.c | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) (limited to 'src/providers/krb5') diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index b8fc4ecb8..ef46f36c4 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -1053,7 +1053,6 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) char *user_error_message = NULL; size_t user_resp_len; uint8_t *user_resp; - char *changepw_princ = NULL; krb5_prompter_fct prompter = sss_krb5_prompter; const char *realm_name; int realm_length; @@ -1074,16 +1073,6 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) goto sendresponse; } - changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPAL, - kr->krb5_ctx->realm); - if (changepw_princ == NULL) { - DEBUG(1, ("talloc_asprintf failed.\n")); - kerr = KRB5KRB_ERR_GENERIC; - goto sendresponse; - } - DEBUG(SSSDBG_FUNC_DATA, - ("Created a changepw principal [%s]\n", changepw_princ)); - if (kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) { /* We do not need a password expiration warning here. */ prompter = NULL; @@ -1095,7 +1084,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) ("Attempting kinit for realm [%s]\n",realm_name)); kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, pass_str, prompter, kr, 0, - changepw_princ, + SSSD_KRB5_CHANGEPW_PRINCIPAL, kr->options); if (kerr != 0) { pam_status = kerr_handle_error(kerr); 
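Review bot: The password-change request in changepw_child still passes `kr->options`, so the ticket for SSSD_KRB5_CHANGEPW_PRINCIPAL is requested with whatever flags and lifetimes were prepared for the ordinary login; the same holds for the call in tgt_req_child in the `@@ -1249` hunk. Where `kr->options` is filled is outside these hunks, so this is an inference, but if it can carry forwardable, proxiable or renewable settings, a dedicated options set for this service would be the least-privilege choice. For example `krb5_get_init_creds_opt_set_forwardable(opts, 0);`, `krb5_get_init_creds_opt_set_proxiable(opts, 0);` and `krb5_get_init_creds_opt_set_tkt_life(opts, 5*60);`, where `opts` is a placeholder name and the lifetime is illustrative. Both function bodies continue outside the hunks.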
@@ -1202,7 +1191,6 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) int ret; krb5_error_code kerr = 0; char *pass_str = NULL; - char *changepw_princ = NULL; int pam_status = PAM_SYSTEM_ERR; DEBUG(SSSDBG_TRACE_LIBS, ("Attempting to get a TGT\n")); @@ -1222,16 +1210,6 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) goto sendresponse; } - changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPAL, - kr->krb5_ctx->realm); - if (changepw_princ == NULL) { - DEBUG(1, ("talloc_asprintf failed.\n")); - kerr = KRB5KRB_ERR_GENERIC; - goto sendresponse; - } - DEBUG(SSSDBG_FUNC_DATA, - ("Created a changepw principal [%s]\n", changepw_princ)); - kerr = get_and_save_tgt(kr, pass_str); /* If the password is expired the KDC will always return @@ -1249,7 +1227,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) } kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, pass_str, sss_krb5_prompter, kr, 0, - changepw_princ, + SSSD_KRB5_CHANGEPW_PRINCIPAL, kr->options); krb5_free_cred_contents(kr->ctx, kr->creds); if (kerr == 0) { -- cgit
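Review bot: The call in tgt_req_child now has no comment or debug line saying which service is requested or why no realm is attached, since the `Created a changepw principal` message was removed in the `@@ -1222` hunk. The credentials are freed on the next line, so the call appears to serve only as a check of the expired password. A short comment would record both facts, e.g. `/* Password check only; libkrb5 ignores any realm in in_tkt_service, so only the service name is passed. */`. The same comment, without its first clause, fits the call in changepw_child in the `@@ -1095` hunk. tgt_req_child's body starts and ends outside the hunk.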