winbind: Fix 100% loop
author Volker Lendecke <vl@samba.org>
Fri, 28 Aug 2015 10:33:13 +0000 (12:33 +0200)
committer Karolin Seeger <kseeger@samba.org>
Mon, 5 Oct 2015 07:40:10 +0000 (09:40 +0200)
Thanks to "L.P.H. van Belle" <belle@bazuin.nl>
for help in reproducing the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038

From the bug report:

"With e551cdb37d3e re-applied the problem is gone with
and without kerberos. Moreover, if correctly configured,
sshd requests you to change your password at logon time,
which then succeeds.

The problem why I had this reverted was because I had not
gone through the pain to correctly configure all the PAM
services (in particular the "account" section), leading
to sshd letting the user in when the password had to be
changed."

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit e551cdb37d3e8cfb155bc33f9b162761c8d60889)

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct  2 00:16:29 CEST 2015 on sn-devel-104

(cherry picked from commit e524ab9f7ee9f4aff50dd5bc42312f9000bf1c6e)

source3/libads/kerberos.c

index d5e023873f8bd80bf7fa678a3b2341cd886de13e..b865d7a8bbe3d740b1f0513e7b802e9bc96eca72 100644 (file)
@@ -50,6 +50,22 @@ kerb_prompter(krb5_context ctx, void *data,
 {
        if (num_prompts == 0) return 0;
 
+       if ((num_prompts == 2) &&
+           (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
+           (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+               /*
+                * We don't want to change passwords here. We're
+                * called from heimal when the KDC returns
+                * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+                * have the chance to ask the user for a new
+                * password. If we return 0 (i.e. success), we will be
+                * spinning in the endless for-loop in
+                * change_password() in
+                * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+                */
+               return KRB5KDC_ERR_KEY_EXPIRED;
+       }
+
        memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
        if (prompts[0].reply->length > 0) {
                if (data) {
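Review bot: the comment in this hunk pins the loop to a line number (`source4/heimdal/lib/krb5/init_creds_pw.c:526ff`) that will drift as the bundled Heimdal is updated; naming the for-loop in `change_password()` without the line reference is enough to locate it. The same comment misspells "heimdal" as "heimal". The behavioural change itself is right: answering a NEW_PASSWORD / NEW_PASSWORD_AGAIN prompt pair with `return 0` would report a reply the prompter cannot actually supply and keep the caller spinning, whereas returning `KRB5KDC_ERR_KEY_EXPIRED` makes the expired-key condition visible to the caller; a short note that callers are expected to surface that error (rather than treat the prompt as answered) would help the next reader, since the check is keyed to exactly two prompts of those two types and any other prompt shape still falls through to the existing reply path.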