Diffstat (limited to 'source4/kdc/kpasswd-service-heimdal.c')
-rw-r--r--source4/kdc/kpasswd-service-heimdal.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/source4/kdc/kpasswd-service-heimdal.c b/source4/kdc/kpasswd-service-heimdal.c
index a0352d1ad35..4d009b9eb24 100644
--- a/source4/kdc/kpasswd-service-heimdal.c
+++ b/source4/kdc/kpasswd-service-heimdal.c
@@ -253,6 +253,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
{
struct auth_session_info *session_info;
NTSTATUS status;
+ krb5_error_code code;
status = gensec_session_info(gensec_security,
mem_ctx,
@@ -264,6 +265,18 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
return KRB5_KPASSWD_HARDERROR;
}
+ /*
+ * Since the kpasswd service shares its keys with the krbtgt, we might
+ * have received a TGT rather than a kpasswd ticket. We need to check
+ * the ticket type to ensure that TGTs cannot be misused in this manner.
+ */
+ code = kpasswd_check_non_tgt(session_info,
+ error_string);
+ if (code != 0) {
+ DBG_WARNING("%s\n", *error_string);
+ return code;
+ }
+
switch(verno) {
case KRB5_KPASSWD_VERS_CHANGEPW: {
DATA_BLOB password = data_blob_null;
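Review bot: The `DBG_WARNING("%s\n", *error_string);` call in the new failure branch assumes `kpasswd_check_non_tgt()` always sets `*error_string` when it returns non-zero. The helper is not visible in this hunk, so if any of its failure paths leaves the string unset, a NULL pointer is passed to `%s`. A guarded form such as `DBG_WARNING("%s\n", *error_string != NULL ? *error_string : "ticket type check failed");` would avoid that. Because a TGT presented to the kpasswd service is a security-relevant rejection, the message would also be more useful for detection if it named the authenticated account taken from `session_info`. The body of `kpasswd_handle_request` starts before and continues after this hunk.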