SOURCES/0171-krb5-disable-enterprise-principals-during-password-c.patch

bb7cd1
From 0956acb31884e87ef48c3be8c59960acfc03a547 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 8 Jun 2017 11:06:02 +0200
Subject: [PATCH 171/171] krb5: disable enterprise principals during password
 changes

Currently using enterprise principals during password changes does not
work reliably.

First, there is a special behavior if canonicalization, which in general
should be used together with enterprise principals, is enabled with AD;
see https://pagure.io/SSSD/sssd/issue/1405 and
https://pagure.io/SSSD/sssd/issue/1615 for details. As a result of this,
SSSD currently disables canonicalization during password changes.

Additionally, it looks like MIT Kerberos does not handle canonicalized
principals well, even if canonicalization is enabled, if not the default
krbtgt/REALM@REALM but kadmin/changepw@REALM is requested. Since it is
currently not clear what the expected behavior is here, it makes sense to
completely disable enterprise principals during password changes for the
time being.

Resolves https://pagure.io/SSSD/sssd/issue/3426

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 614057ea85c05d3a6d4b62217a41b8b5db8d5d38)
---
 src/providers/krb5/krb5_child_handler.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 11ac867e62d2ff96b827cf6d4ff341fc8ff0a286..0007f92a61ba711aed6be5ee28664e5f7de0f226 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -143,7 +143,8 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
         return EINVAL;
     }
 
-    if (kr->pd->cmd == SSS_CMD_RENEW || kr->is_offline) {
+    if (kr->pd->cmd == SSS_CMD_RENEW || kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM
+            || kr->pd->cmd == SSS_PAM_CHAUTHTOK || kr->is_offline) {
         use_enterprise_principal = false;
     } else {
         use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
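Review bot: the new `kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM || kr->pd->cmd == SSS_PAM_CHAUTHTOK` terms in the `if` silently override the boolean option that the `else` branch reads via `dp_opt_get_bool`, but nothing in the code records why, and the commit message itself calls this a workaround "for the time being". Add a short comment above the `if` stating that password changes (the kadmin/changepw request) must not use enterprise principals because of the canonicalization problems described in https://pagure.io/SSSD/sssd/issue/3426, so the exclusion can be revisited once the expected MIT Kerberos behavior is clear. The diffstat shows only krb5_child_handler.c changing; since the option is now ignored for both CHAUTHTOK commands, the option's documentation should also mention that password changes never use enterprise principals, or administrators who set it will see it apparently being disregarded.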
-- 
2.9.4