authorGünther Deschner <gd@samba.org>2014-08-07 15:04:42 +0200
committerAndrew Bartlett <abartlet@samba.org>2016-03-17 04:32:29 +0100
commit05cc9b0af9794b62d65a781a4d1c3e4eb8f573f6 (patch)
tree943c486963157bc46ec9d72c1eba8828466c2942 /source4/kdc/mit-kdb
parentb76cf191d9502401780cad83a83f1a685e776ef5 (diff)
mit-kdb: Restrict admin/changepw principal db_entry with some flags
Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Guenther Deschner <gd@samba.org> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/kdc/mit-kdb')
-rw-r--r--source4/kdc/mit-kdb/kdb_samba_principals.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c
index 1c374975d30..28908bc3069 100644
--- a/source4/kdc/mit-kdb/kdb_samba_principals.c
+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c
@@ -277,6 +277,18 @@ krb5_error_code kdb_samba_db_get_principal(krb5_context context,
code = ks_get_principal(context, princ, kflags, kentry);
+ /*
+ * This restricts the changepw account so it isn't able to request a
+ * service ticket. It also marks the principal as the changepw service.
+ */
+ if (ks_is_kadmin_changepw(context, princ)) {
+ /* FIXME: shouldn't we also set KRB5_KDB_DISALLOW_TGT_BASED ?
+ * testing showed that setpw kpasswd command fails then on the
+ * server though... */
+ (*kentry)->attributes |= KRB5_KDB_PWCHANGE_SERVICE;
+ (*kentry)->max_life = CHANGEPW_LIFETIME;
+ }
+
return code;
}
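Review bot: The added block dereferences `(*kentry)` without first checking `code`, so when `ks_get_principal()` fails the attribute and lifetime writes operate on whatever `*kentry` holds at that point — most likely NULL or an uninitialized pointer, judging from the error path — and the error is only returned afterwards. Gate the new logic on success, e.g. `if (code == 0 && ks_is_kadmin_changepw(context, princ)) {`, or return early with `if (code != 0) { return code; }` before the changepw check. The FIXME about `KRB5_KDB_DISALLOW_TGT_BASED` is worth keeping, but the comment above it currently claims the account "isn't able to request a service ticket" while only `KRB5_KDB_PWCHANGE_SERVICE` and `max_life` are set; rewording it to say the entry is marked as the password-change service with a short ticket lifetime would match what the code actually enforces. kdb_samba_db_get_principal's body starts outside the hunk.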