| field | value | date |
|---|---|---|
| author | Günther Deschner <gd@samba.org> | 2014-08-07 15:04:42 +0200 |
| committer | Andrew Bartlett <abartlet@samba.org> | 2016-03-17 04:32:29 +0100 |
| commit | 05cc9b0af9794b62d65a781a4d1c3e4eb8f573f6 (patch) | |
| tree | 943c486963157bc46ec9d72c1eba8828466c2942 | |
| parent | b76cf191d9502401780cad83a83f1a685e776ef5 (diff) | |
| download | samba-05cc9b0af9794b62d65a781a4d1c3e4eb8f573f6.tar.gz | |
mit-kdb: Restrict admin/changepw principal db_entry with some flags
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/kdc/mit-kdb/kdb_samba_principals.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c index 1c374975d30..28908bc3069 100644 --- a/source4/kdc/mit-kdb/kdb_samba_principals.c +++ b/source4/kdc/mit-kdb/kdb_samba_principals.c @@ -277,6 +277,18 @@ krb5_error_code kdb_samba_db_get_principal(krb5_context context, code = ks_get_principal(context, princ, kflags, kentry); + /* + * This restricts the changepw account so it isn't able to request a + * service ticket. It also marks the principal as the changepw service. + */ + if (ks_is_kadmin_changepw(context, princ)) { + /* FIXME: shouldn't we also set KRB5_KDB_DISALLOW_TGT_BASED ? + * testing showed that setpw kpasswd command fails then on the + * server though... */ + (*kentry)->attributes |= KRB5_KDB_PWCHANGE_SERVICE; + (*kentry)->max_life = CHANGEPW_LIFETIME; + } + return code; } |
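Review bot: the new block dereferences `(*kentry)` without first checking the `code` returned by `ks_get_principal()` on the line just above it; if the lookup failed, `*kentry` may not have been populated and `(*kentry)->attributes |= KRB5_KDB_PWCHANGE_SERVICE;` would touch an invalid pointer. Suggest bailing out early, e.g. `if (code != 0) { return code; }` before the `ks_is_kadmin_changepw()` check, so the flag and `max_life` are only applied to a successfully loaded entry. Separately, the leading comment claims the block "restricts the changepw account so it isn't able to request a service ticket", but the code only sets `KRB5_KDB_PWCHANGE_SERVICE` and shortens `max_life`; the FIXME immediately below admits that `KRB5_KDB_DISALLOW_TGT_BASED` was left out because kpasswd's setpw broke, so either the comment should describe only what is actually enforced or the FIXME should reference where that remaining restriction is tracked. `CHANGEPW_LIFETIME` is used here but not defined in the hunk, so the reader has to assume it is declared elsewhere in the file; a brief note of its value or origin in the comment would help.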