Diffstat (limited to 'source4/kdc/kpasswd-service-heimdal.c')
-rw-r--r-- | source4/kdc/kpasswd-service-heimdal.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/source4/kdc/kpasswd-service-heimdal.c b/source4/kdc/kpasswd-service-heimdal.c index c804852c3a7..1a6c2b60d03 100644 --- a/source4/kdc/kpasswd-service-heimdal.c +++ b/source4/kdc/kpasswd-service-heimdal.c @@ -24,6 +24,7 @@ #include "param/param.h" #include "auth/auth.h" #include "auth/gensec/gensec.h" +#include "gensec_krb5_helpers.h" #include "kdc/kdc-server.h" #include "kdc/kpasswd_glue.h" #include "kdc/kpasswd-service.h" @@ -31,6 +32,7 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc, TALLOC_CTX *mem_ctx, + const struct gensec_security *gensec_security, struct auth_session_info *session_info, DATA_BLOB *password, DATA_BLOB *kpasswd_reply, @@ -42,6 +44,17 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc, const char *reject_string = NULL; struct samr_DomInfo1 *dominfo; bool ok; + int ret; + + /* + * We're doing a password change (rather than a password set), so check + * that we were given an initial ticket. + */ + ret = gensec_krb5_initial_ticket(gensec_security); + if (ret != 1) { + *error_string = "Expected an initial ticket"; + return KRB5_KPASSWD_INITIAL_FLAG_NEEDED; + } status = samdb_kpasswd_change_password(mem_ctx, kdc->task->lp_ctx, @@ -81,6 +94,7 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc, static krb5_error_code kpasswd_set_password(struct kdc_server *kdc, TALLOC_CTX *mem_ctx, + const struct gensec_security *gensec_security, struct auth_session_info *session_info, DATA_BLOB *decoded_data, DATA_BLOB *kpasswd_reply, @@ -173,6 +187,7 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc, free_ChangePasswdDataMS(&chpw); return kpasswd_change_password(kdc, mem_ctx, + gensec_security, session_info, &password, kpasswd_reply, @@ -272,6 +287,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc, return kpasswd_change_password(kdc, mem_ctx, + gensec_security, session_info, &password, kpasswd_reply, 
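Review bot: The `ret != 1` test added to kpasswd_change_password() rejects a non-initial ticket and a failure inside gensec_krb5_initial_ticket() in the same way, and neither leaves a server-side trace in the lines shown. Failing closed is right, but the helper's return contract is not visible in this hunk, so a one-line comment such as `/* 1 = initial ticket; 0 or an error value is rejected */` would record what the comparison relies on (confirm against the helper). A log line before the return, for example `DBG_WARNING("kpasswd change rejected: no initial ticket (ret=%d)\n", ret);`, would let operators tell a misbehaving client from repeated attempts to change a password with a non-initial ticket. The function body continues outside the hunk, so the caller may already log `*error_string`.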
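Review bot: In the hunk at `-173,6 +187,7`, kpasswd_set_password() only forwards the new `gensec_security` argument to kpasswd_change_password(), so whether a set-password request gets the initial-ticket check depends on which branch it takes. A comment at this call would make that auditable, for example `/* Falls back to a password change, so the initial-ticket check in kpasswd_change_password() applies. */`. The branch condition and the rest of the set path lie outside the hunk. It is worth confirming that every request reaching the real set path is covered by its own access check, since that path deliberately skips the new check.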
@@ -280,6 +296,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc, case KRB5_KPASSWD_VERS_SETPW: { return kpasswd_set_password(kdc, mem_ctx, + gensec_security, session_info, decoded_data, kpasswd_reply, |