s3:libads: Do not turn on canonicalization flag for MIT Kerberos
author Andreas Schneider <asn@samba.org>
Wed, 9 Oct 2019 14:32:47 +0000 (16:32 +0200)
committer Andreas Schneider <asn@cryptomilk.org>
Sat, 12 Oct 2019 17:39:13 +0000 (17:39 +0000)
This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155

Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Oct 12 17:39:13 UTC 2019 on sn-devel-184

selftest/knownfail.d/net_ads_mit [deleted file]
source3/libads/krb5_setpw.c

diff --git a/selftest/knownfail.d/net_ads_mit b/selftest/knownfail.d/net_ads_mit
deleted file mode 100644 (file)
index 3646314..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.net_ads.changetrustpw
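Review bot: the commit message never connects this knownfail removal to the code change, so a reader has to infer that samba4.blackbox.net_ads.changetrustpw is the test covering bug 14155. One sentence in the message naming the test as now expected to pass in the MIT build would make the regression coverage explicit for anyone bisecting later.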
index ee352bf0893eef85c8e56452571207baa8461798..8f638dcdb8eddd2f4f5c2dcdcee83e737e8998ea 100644 (file)
@@ -206,7 +206,22 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
        krb5_get_init_creds_opt_set_win2k(context, opts, true);
        krb5_get_init_creds_opt_set_canonicalize(context, opts, true);
 #else /* MIT */
+#if 0
+       /*
+        * FIXME
+        *
+        * Due to an upstream MIT Kerberos bug, this feature is not
+        * not working. Affection versions (2019-10-09): <= 1.17
+        *
+        * Reproducer:
+        * kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM
+        *
+        * This is NOT a problem if the service is a krbtgt.
+        *
+        * https://bugzilla.samba.org/show_bug.cgi?id=14155
+        */
        krb5_get_init_creds_opt_set_canonicalize(opts, true);
+#endif
 #endif /* MIT */
 
        /* note that heimdal will fill in the local addresses if the addresses
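Review bot: the `#if 0` around krb5_get_init_creds_opt_set_canonicalize(opts, true) in the MIT branch disables the call for every MIT Kerberos version, although the comment limits the bug to versions <= 1.17 as of 2019-10-09. A configure-time or version check, or at least a stated condition for removing the FIXME, would keep the flag from staying off after a fixed MIT release exists. The comment also has two typos ("not not working", and "Affection versions" where "Affected versions" is meant). It would help to state there that the Heimdal branch just above still sets the flag, so the two builds now behave differently for the kadmin/changepw request.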