[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

krb5_set_password - Cross realm bug?

I am writing a Linux program with the Heimdal libraries.  The program
allows an *Administrative* Active Directory user to set the password
of another Active Directory principal (actually a host principal) from
Linux.  The program is supposed to be general so the Admin principal
does not need to be in the same realm as the principal whose password
is being changed.  Provided the admin principal has the proper priveleges
and the proper trusts are set up in Active Directory, this should work
using the krb5_set_password() function and cross-realm authentication. 
However, I couldn't get this to work.  I did some packet sniffing to try
and figure this out.  When I call krb5_set_password(), it communicates
with the KDC in the Administrator's realm (even if I pass it a cross-realm
TGT or a cross-realm kadmin/changepw ticket), instead of the target
principal's realm.  I think this is a bug. 
I looked at the source code.  The function change_password_loop() is called by krb5_set_password() and seems to do the real work.  The following declaration is made in the beginning of that function:
      krb5_realm realm = creds->client->realm;
Shouldn't that code be looking at server's realm, not the Administrator's realm?   Or am I misunderstanding how to call this function?  Seems like that line should be:
     krb5_realm realm = creds->server->realm;
Anyways, when I changed this line and recompiled Heimdal, my code works.  
Any help is much appreciated.  Thanks.
Brian Joh