- if we successfully change the user's password during an attempt to get

initial credentials, but then fail to get initial creds from a non-master using the new password, retry against the master (#432334)
2008-09-04 15:13:51 +00:00 · 2008-09-04 15:13:51 +00:00 · b1efb9b86d
commit b1efb9b86d
parent bb9aa2106c
2 changed files with 55 additions and 0 deletions
--- a/krb5-trunk-preauth-master.patch
+++ b/krb5-trunk-preauth-master.patch
@ -0,0 +1,48 @@
+Assume that KRB5_PREAUTH_FAILED is subject to propagation delay between the
+master and replicas (this error is only returned when ENC_TIMESTAMP fails),
+and if we get a key-expired error right after changing the password, try
+again against the master KDC.  RT#6108
+
+Index: src/lib/krb5/krb/gic_pwd.c
+===================================================================
+--- src/lib/krb5/krb/gic_pwd.c	(revision 20704)
+++ src/lib/krb5/krb/gic_pwd.c	(working copy)
+@@ -147,10 +147,10 @@
+       goto cleanup;
+ 
+    /* If all the kdc's are unavailable, or if the error was due to a
+-      user interrupt, or preauth errored out, fail */
+      user interrupt, or preauth errored out against the master, fail */
+ 
+    if ((ret == KRB5_KDC_UNREACH) ||
+-       (ret == KRB5_PREAUTH_FAILED) ||
+       ((ret == KRB5_PREAUTH_FAILED) && use_master) ||
+        (ret == KRB5_LIBOS_PWDINTR) ||
+ 	   (ret == KRB5_REALM_CANT_RESOLVE))
+       goto cleanup;
+@@ -320,6 +320,25 @@
+ 			     krb5_get_as_key_password, (void *) &pw0,
+ 			     &use_master, &as_reply);
+ 
+   if ((ret != KRB5KDC_ERR_KEY_EXP) || use_master)
+      goto cleanup;
+   else {
+      /* Okay, we *just* changed the password. Retry against a master KDC,
+       * because either the non-master's using outdated data or the admin
+       * has set an impossibly low maximum password lifetime. */
+      use_master = 1;
+      ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
+			         start_time, in_tkt_service, opte,
+			         krb5_get_as_key_password, (void *) &pw0,
+			         &use_master, &as_reply);
+      if ((ret2 != KRB5_KDC_UNREACH) &&
+	  (ret2 != KRB5_REALM_CANT_RESOLVE) &&
+	  (ret2 != KRB5_REALM_UNKNOWN))
+	 ret = ret2;
+      else
+	 use_master = 0;
+   }
+
+ cleanup:
+    krb5int_set_prompt_types(context, 0);
+    /* if getting the password was successful, then check to see if the
--- a/krb5.spec
+++ b/krb5.spec
@ -101,6 +101,7 @@ Patch76: krb5-CVE-2007-5901.patch
 Patch77: krb5-CVE-2007-5971.patch
 Patch78: krb5-1.6.3-lucid-acceptor.patch
 Patch79: krb5-trunk-ftp_mget_case.patch
+Patch80: krb5-trunk-preauth-master.patch

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -231,6 +232,11 @@ to obtain initial credentials from a KDC using a private key and a
 certificate.

 %changelog
+* Thu Sep  4 2008 Nalin Dahyabhai <nalin@redhat.com>
+- if we successfully change the user's password during an attempt to get
+  initial credentials, but then fail to get initial creds from a non-master
+  using the new password, retry against the master (#432334)
+
 * Tue Aug  5 2008 Tom "spot" Callaway <tcallawa@redhat.com> 1.6.3-16
 - fix license tag

@ -1383,6 +1389,7 @@ popd
 %patch77 -p0 -b .2007-5971
 %patch78 -p0 -b .lucid_acceptor
 %patch79 -p0 -b .ftp_mget_case
+%patch80 -p0 -b .preauth_master
 cp src/krb524/README README.krb524
 gzip doc/*.ps