-rw-r--r-- | selftest/knownfail.d/net_ads_mit | 1 | ||||
-rw-r--r-- | source3/libads/krb5_setpw.c | 15 |
2 files changed, 15 insertions, 1 deletions
diff --git a/selftest/knownfail.d/net_ads_mit b/selftest/knownfail.d/net_ads_mit
deleted file mode 100644
index 3646314476f..00000000000
--- a/selftest/knownfail.d/net_ads_mit
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.net_ads.changetrustpw
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index ee352bf0893..8f638dcdb8e 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -206,7 +206,22 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
 krb5_get_init_creds_opt_set_win2k(context, opts, true);
 krb5_get_init_creds_opt_set_canonicalize(context, opts, true);
 #else /* MIT */
+#if 0
+ /*
+ * FIXME
+ *
+ * Due to an upstream MIT Kerberos bug, this feature is not
+ * not working. Affection versions (2019-10-09): <= 1.17
+ *
+ * Reproducer:
+ * kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM
+ *
+ * This is NOT a problem if the service is a krbtgt.
+ *
+ * https://bugzilla.samba.org/show_bug.cgi?id=14155
+ */
 krb5_get_init_creds_opt_set_canonicalize(opts, true);
+#endif
 #endif /* MIT */

 /* note that heimdal will fill in the local addresses if the addresses |
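Review bot: The `#if 0` in the krb5_setpw.c hunk switches off `krb5_get_init_creds_opt_set_canonicalize(opts, true);` for every MIT build, not only the releases the comment names (<= 1.17), and nothing in the hunk turns it back on once a fixed MIT Kerberos is in use. The MIT and Heimdal branches of the change-password path therefore treat a principal whose case differs from the KDC's stored form differently, with no log line to explain a resulting failure. I would gate the call on a configure-time check instead of `#if 0` (placeholder name, not an existing symbol: `#ifdef <HAVE_FIXED_MIT_CANONICALIZE>`), or at least emit a debug message when canonicalization is skipped. The comment also has two wording slips worth fixing: "not not working" and "Affection versions", which should read "Affected versions". ads_krb5_chg_password begins and ends outside the hunk, so whether later code relies on the canonicalized name cannot be judged from here.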