Re: krb5_set_password - Cross realm bug?

brian.joh@comcast.net writes:

> Hi,
> I am writing a Linux program with the Heimdal libraries.  The program
> allows an *Administrative* Active Directory user to set the password
> of another Active Directory principal (actually a host principal) from
> Linux.  The program is supposed to be general so the Admin principal
> does not need to be in the same realm as the principal whose password
> is being changed.  Provided the admin principal has the proper privileges
> and the proper trusts are set up in Active Directory, this should work
> using the krb5_set_password() function and cross-realm authentication. 
> However, I couldn't get this to work.  I did some packet sniffing to try
> and figure this out.  When I call krb5_set_password(), it communicates
> with the KDC in the Administrator's realm (even if I pass it a cross-realm
> TGT or a cross-realm kadmin/changepw ticket), instead of the target
> principal's realm.  I think this is a bug. 
> I looked at the source code.  The function change_password_loop() is called by
> krb5_set_password() and seems to do the real work.  The following declaration
> is made in the beginning of that function:
>       krb5_realm realm = creds->client->realm;
> Shouldn't that code be looking at server's realm, not the Administrator's
> realm?   Or am I misunderstanding how to call this function?  Seems like that
> line should be:
>      krb5_realm realm = creds->server->realm;
> Anyways, when I changed this line and recompiled Heimdal, my code works.  

I think you are right, it didn't matter before because there wasn't any
"target principal" passed into the code.

So shouldn't that be the targprinc's realm instead? Then I can keep the
creds->client->realm, because that and server->realm should be the same in
the case of a non-admin change of password.


--- lib/krb5/changepw.c	08 Sep 2005 13:38:01 +0200	1.54
+++ lib/krb5/changepw.c	14 Sep 2005 17:36:51 +0200	
@@ -522,7 +522,12 @@
     int sock;
     int i;
     int done = 0;
-    krb5_realm realm = creds->client->realm;
+    krb5_realm realm;
+    if (targprinc)
+	realm = targprinc->realm;
+    else
+	realm = creds->client->realm;
     ret = krb5_auth_con_init (context, &auth_context);
     if (ret)
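Review bot: the new `if (targprinc)` block replaces a one-line initialiser with a choice between two realms but carries no comment saying why the target principal's realm takes precedence; add a short comment above it, e.g. `/* the request must go to the KDC of the principal whose password changes, not the caller's */`, so the next reader does not revert it to `creds->client->realm`. The fallback branch keeps the old behaviour whenever no target principal is passed, which is what existing non-admin callers rely on (client and server realm coincide there), so callers that change another principal's password in a different realm must now pass `targprinc` to get the cross-realm behaviour the reporter described.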

