krb5_set_password - Cross realm bug?

[brian.joh@comcast.net]

Hi,

 

I am writing a Linux program with the Heimdal libraries.  The program

allows an *Administrative* Active Directory user to set the password

of another Active Directory principal (actually a host principal) from

Linux.  The program is supposed to be general so the Admin principal

does not need to be in the same realm as the principal whose password

is being changed.  Provided the admin principal has the proper priveleges

and the proper trusts are set up in Active Directory, this should work

using the krb5_set_password() function and cross-realm authentication. 

However, I couldn't get this to work.  I did some packet sniffing to try

and figure this out.  When I call krb5_set_password(), it communicates

with the KDC in the Administrator's realm (even if I pass it a cross-realm

TGT or a cross-realm kadmin/changepw ticket), instead of the target

principal's realm.  I think this is a bug. 

 

I looked at the source code.  The function change_password_loop() is called by krb5_set_password() and seems to do the real work.  The following declaration is made in the beginning of that function:

 

      krb5_realm realm = creds->client->realm;

 

Shouldn't that code be looking at server's realm, not the Administrator's realm?   Or am I misunderstanding how to call this function?  Seems like that line should be:

 

     krb5_realm realm = creds->server->realm;

 

Anyways, when I changed this line and recompiled Heimdal, my code works.  

 

Any help is much appreciated.  Thanks.

 

Brian Joh