krb5 / 18f64cd
Ignore password attributes for S4U2Self requests

For consistency with Windows KDCs, allow protocol transition to work even if the password has expired or needs changing. Also, when looking up an enterprise principal with an AS request, treat ERR_KEY_EXP as confirmation that the client is present in the realm.

[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited commit message]

(cherry picked from commit 5e6d1796106df8ba6bc1973ee0917c170d929086)

ticket: 8763
version_fixed: 1.17

Isaac Boukris authored 5 years ago; Greg Hudson committed 5 years ago
3 changed file(s) with 14 addition(s) and 1 deletion(s).
15941594
15951595 memset(&no_server, 0, sizeof(no_server));
15961596
1597 /* Ignore password expiration and needchange attributes (as Windows
1598 * does), since S4U2Self is not password authentication. */
1599 princ->pw_expiration = 0;
1600 clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
1601
15971602 code = validate_as_request(kdc_active_realm, request, *princ,
15981603 no_server, kdc_time, status, &e_data);
15991604 if (code) {
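Review bot: The two new assignments alter the looked-up entry in place rather than a copy, so every later use of `princ` in kdc_process_s4u2self_req(), including the value handed to validate_as_request() on the next line, sees pw_expiration as 0 and REQUIRES_PWCHANGE cleared. If that is the intent, extend the comment to say the entry is deliberately modified for the remainder of the request; otherwise clear the two fields on a local copy and pass that copy to validate_as_request(), so the original expiration data stays available to anything that reports it later.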
115115 code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL,
116116 opts, krb5_get_as_key_noop, &userid, &use_master,
117117 NULL);
118 if (code == 0 || code == KRB5_PREAUTH_FAILED) {
118 if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {
119119 *canon_user = userid.user;
120120 userid.user = NULL;
121121 code = 0;
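Review bot: The widened condition now turns KRB5KDC_ERR_KEY_EXP into success (`code = 0;` two lines below) with no in-code explanation; the reasoning lives only in the commit message. Add a comment above the `if` stating that an expired key reported by k5_get_init_creds() still proves the client exists in the realm, which is all this lookup needs, so the next reader does not read it as an error being silently swallowed. The accompanying `code == 0` to `!code` rewrite is unrelated to the fix and would be cleaner left out or done separately.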
1717
1818 # Get forwardable creds for service1 in the default cache.
1919 realm.kinit(service1, None, ['-f', '-k'])
20
21 # Try S4U2Self for user with a restricted password.
22 realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
23 realm.run(['./t_s4u', 'e:user', '-'])
24 realm.run([kadminl, 'modprinc', '-needchange',
25 '-pwexpire', '1/1/2000', realm.user_princ])
26 realm.run(['./t_s4u', 'e:user', '-'])
27 realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
2028
2129 # Try krb5 -> S4U2Proxy with forwardable user creds. This should fail
2230 # at the S4U2Proxy step since the DB2 back end currently has no
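Review bot: The new test covers the positive path only: it sets +needchange, then a past -pwexpire, on the user and checks that `./t_s4u e:user -` succeeds, but nothing demonstrates that the restriction is actually in force when each run happens. A negative control under each setting, for example a kinit for realm.user_princ run with expected_code set so that the expiration failure is the accepted outcome, would show that the attributes are being ignored for S4U2Self specifically rather than simply not taking effect.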