Fix kadmin min_life check with nonexistent policy

In kadmind, self-service key changes require a check against the
policy's min_life field.  If the policy does not exist, this check
should succeed according to the semantics introduced by ticket #7385.
Fix check_min_life() to return 0 if kadm5_get_policy() returns
KADM5_UNK_POLICY.  Reported by John Devitofranceschi.

(back ported from commit 5fca279ca4d18f1b5798847a98e7df8737d2eb7c)

ticket: 8427
version_fixed: 1.13.6
tags: -pullup
status: resolved

diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
index 192145c60d38669fb9705bba8052f3f6cf149300..27a6376af6b17b00a1cc9859985da872857cbe61 100644 (file)
--- a/src/kadmin/server/misc.c
+++ b/src/kadmin/server/misc.c
@@ -177,10 +177,12 @@ check_min_life(void *server_handle, krb5_principal principal,
     if(ret)
         return ret;
     if(princ.aux_attributes & KADM5_POLICY) {
+        /* Look up the policy.  If it doesn't exist, treat this principal as if
+         * it had no policy. */
         if((ret=kadm5_get_policy(handle->lhandle,
                                  princ.policy, &pol)) != KADM5_OK) {
             (void) kadm5_free_principal_ent(handle->lhandle, &princ);
-            return ret;
+            return (ret == KADM5_UNK_POLICY) ? 0 : ret;
         }
         if((now - princ.last_pwd_change) < pol.pw_min_life &&
            !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {

diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py
index f4cb4b4d74ba683e20d6fd3ae84fb29d325875e6..7b95342ab56f4c7772d79670750d3dd3efc9e86e 100644 (file)
--- a/src/tests/t_policy.py
+++ b/src/tests/t_policy.py
@@ -2,7 +2,7 @@
 from k5test import *
 import re
 
-realm = K5Realm(create_host=False)
+realm = K5Realm(create_host=False, start_kadmind=True)
 
 # Test password quality enforcement.
 realm.run_kadminl('addpol -minlength 6 -minclasses 2 pwpol')
@@ -48,6 +48,9 @@ if ('WARNING: policy "newpol" does not exist' not in out or
 out = realm.run_kadminl('cpw -pw 3rdpassword pwuser')
 if ' changed.' not in out:
     fail('reuse of current password with nonexistent policy')
+# Regression test for #8427 (min_life check with nonexistent policy).
+realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword',
+           '-q', 'cpw -pw 3rdpassword pwuser'])
 
 # Create newpol and verify that it is enforced.
 realm.run_kadminl('addpol -minlength 3 newpol')