Re: krb5_set_password - Cross realm bug?
brian.joh@comcast.net writes:
> Hi,
>
> I am writing a Linux program with the Heimdal libraries. The program
> allows an *Administrative* Active Directory user to set the password
> of another Active Directory principal (actually a host principal) from
> Linux. The program is supposed to be general so the Admin principal
> does not need to be in the same realm as the principal whose password
> is being changed. Provided the admin principal has the proper privileges
> and the proper trusts are set up in Active Directory, this should work
> using the krb5_set_password() function and cross-realm authentication.
> However, I couldn't get this to work. I did some packet sniffing to try
> and figure this out. When I call krb5_set_password(), it communicates
> with the KDC in the Administrator's realm (even if I pass it a cross-realm
> TGT or a cross-realm kadmin/changepw ticket), instead of the target
> principal's realm. I think this is a bug.
>
> I looked at the source code. The function change_password_loop() is called by
> krb5_set_password() and seems to do the real work. The following declaration
> is made in the beginning of that function:
>
> krb5_realm realm = creds->client->realm;
>
> Shouldn't that code be looking at server's realm, not the Administrator's
> realm? Or am I misunderstanding how to call this function? Seems like that
> line should be:
>
> krb5_realm realm = creds->server->realm;
>
> Anyways, when I changed this line and recompiled Heimdal, my code works.
I think you are right, it didn't matter before because there wasn't any
"target principal" passed into the code.
So shouldn't that be the targprinc's realm instead, then I can keep the
creds->client->realm because that and server->realm should be the same in
case of non-admin change of password.
Love
--- lib/krb5/changepw.c 08 Sep 2005 13:38:01 +0200 1.54
+++ lib/krb5/changepw.c 14 Sep 2005 17:36:51 +0200
@@ -522,7 +522,12 @@
int sock;
int i;
int done = 0;
- krb5_realm realm = creds->client->realm;
+ krb5_realm realm;
+
+ if (targprinc)
+ realm = targprinc->realm;
+ else
+ realm = creds->client->realm;
ret = krb5_auth_con_init (context, &auth_context);
if (ret)
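Review bot: the new `if (targprinc)` branch takes the realm from the target principal without relating it to the service ticket carried in `creds`. In the cross-realm case the ticket can only be accepted by the password service of the realm named in `creds->server->realm` (the field the original report proposed), so if that ever differs from `targprinc->realm` the request goes to a server that cannot decrypt it. Consider either deriving the realm from `creds->server->realm` or failing early with a clear error when the two differ, and add a short comment above the branch explaining why `creds->client->realm` is kept as the fallback for the non-admin change-password path.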