From 05cc9b0af9794b62d65a781a4d1c3e4eb8f573f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
Date: Thu, 7 Aug 2014 15:04:42 +0200
Subject: mit-kdb: Restrict admin/changepw principal db_entry with some flags
Signed-off-by: Andreas Schneider
Signed-off-by: Guenther Deschner
Reviewed-by: Andrew Bartlett
Pair-Programmed-With: Guenther Deschner
Reviewed-by: Sumit Bose
Reviewed-by: Andrew Bartlett
---
 source4/kdc/mit-kdb/kdb_samba_principals.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'source4/kdc/mit-kdb')
diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c
index 1c374975d30..28908bc3069 100644
--- a/source4/kdc/mit-kdb/kdb_samba_principals.c
+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c
@@ -277,6 +277,18 @@ krb5_error_code kdb_samba_db_get_principal(krb5_context context,
 code = ks_get_principal(context, princ, kflags, kentry);
+ /*
+ * This restricts the changepw account so it isn't able to request a
+ * service ticket. It also marks the principal as the changepw service.
+ */
+ if (ks_is_kadmin_changepw(context, princ)) {
+ /* FIXME: shouldn't we also set KRB5_KDB_DISALLOW_TGT_BASED ?
+ * testing showed that setpw kpasswd command fails then on the
+ * server though... */
+ (*kentry)->attributes |= KRB5_KDB_PWCHANGE_SERVICE;
+ (*kentry)->max_life = CHANGEPW_LIFETIME;
+ }
+ return code;
 }
-- cgit v1.2.1
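Review bot: The added block dereferences `*kentry` without checking `code`, so a failed `ks_get_principal()` lookup for kadmin/changepw would reach `(*kentry)->attributes` with whatever the callee left in `*kentry` (its failure behaviour is not visible here, but a NULL or unset entry would crash the KDC process). Guard the block with the lookup result, `if (code == 0 && ks_is_kadmin_changepw(context, princ)) {`. The comment above it also claims the account can no longer request a service ticket, while the FIXME says `KRB5_KDB_DISALLOW_TGT_BASED` is deliberately not set; the comment should state only what the two assignments do (mark the principal as the password-change service and set its ticket lifetime to `CHANGEPW_LIFETIME`) until that is resolved. The body of `kdb_samba_db_get_principal` starts outside the hunk.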