Ignore password attributes for S4U2Self requests
For consistency with Windows KDCs, allow protocol transition to work
even if the password has expired or needs changing.

Also, when looking up an enterprise principal with an AS request,
treat ERR_KEY_EXP as confirmation that the client is present in the
realm.

[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited
commit message]

ticket: 8763 (new)
tags: pullup
target_version: 1.17
iboukris authored and greghudson committed Dec 8, 2018
1 parent 23ef16a commit 5e6d179
Showing 3 changed files with 14 additions and 1 deletion.
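--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1607,6 +1607,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
 
     memset(&no_server, 0, sizeof(no_server));
 
+    /* Ignore password expiration and needchange attributes (as Windows
+     * does), since S4U2Self is not password authentication. */
+    princ->pw_expiration = 0;
+    clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
+
     code = validate_as_request(kdc_active_realm, request, *princ,
                                no_server, kdc_time, status, &e_data);
     if (code) {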
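Review bot: The assignments `princ->pw_expiration = 0;` and `clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);` scrub the in-memory client entry before validate_as_request(), and if that same entry is later handed back to the caller (not visible here), everything downstream sees the scrubbed values rather than what the database holds. kdc_process_s4u2self_req() starts and ends outside the hunk, so I cannot confirm how the entry is used afterwards; if nothing writes it back and no later consumer reports password expiry this is fine, but the comment should say so, e.g. `/* Only the in-memory copy is modified; nothing writes it back. */`. It is also worth stating that the carve-out is limited to the two password-related checks and that the remaining attribute checks in validate_as_request() (presumably including KRB5_KDB_DISALLOW_ALL_TIX) still apply, so a later reader does not widen it.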
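--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -116,7 +116,7 @@ s4u_identify_user(krb5_context context,
     code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL,
                              opts, krb5_get_as_key_noop, &userid, &use_master,
                              NULL);
-    if (code == 0 || code == KRB5_PREAUTH_FAILED) {
+    if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {
         *canon_user = userid.user;
         userid.user = NULL;
         code = 0;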
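Review bot: The new condition `if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {` carries its rationale only in the commit message; a reader of the file sees an expired-key error being turned into success with no explanation. Add a comment above it such as `/* PREAUTH_FAILED and KEY_EXP both confirm the client is present in the realm, which is all we need to learn its canonical name. */`, so it is clear the equivalence is about identification, not authentication. The line also switches from `code == 0` to `!code` while the surrounding code keeps the `code == 0` form, and it appears to run past the project's usual line length; `if (code == 0 || code == KRB5_PREAUTH_FAILED ||` / `    code == KRB5KDC_ERR_KEY_EXP) {` keeps both consistent. s4u_identify_user() continues on both sides of the hunk.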
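--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -19,6 +19,14 @@
 # Get forwardable creds for service1 in the default cache.
 realm.kinit(service1, None, ['-f', '-k'])
 
+# Try S4U2Self for user with a restricted password.
+realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-needchange',
+           '-pwexpire', '1/1/2000', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
+
 # Try krb5 -> S4U2Proxy with forwardable user creds. This should fail
 # at the S4U2Proxy step since the DB2 back end currently has no
 # support for allowing it.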
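Review bot: The new block only exercises the positive side: both `realm.run(['./t_s4u', 'e:user', '-'])` calls show that S4U2Self succeeds under +needchange and an expired pwexpire, but nothing confirms those restrictions are still enforced for ordinary password authentication, so a regression that dropped the checks for every AS request would pass this test unchanged. While each restriction is in place, add a negative check before the t_s4u run, e.g. `realm.kinit(realm.user_princ, password('user'), expected_code=1)` (assuming the usual k5test helpers are in scope here), which pins the relaxation to protocol transition. A one-line comment on the final `-pwexpire never` call noting that it restores the principal for the tests that follow would also help.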
