From: Stefan Metzmacher
Date: Mon, 11 Mar 2024 16:45:43 +0000 (+0100)
Subject: s3:libads: kerberos_set_password() don't need to kinit before ads_krb5_chg_password()
X-Git-Tag: tdb-1.4.11~733
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=432273dd3ec94ecc695002ab51f99f38048c3902;p=thirdparty%2Fsamba.git
s3:libads: kerberos_set_password() don't need to kinit before ads_krb5_chg_password()
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 62072357693..11aff8131fb 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -305,18 +305,23 @@ ADS_STATUS kerberos_set_password(const char *auth_principal,
 const int time_offset = 0;
 int ret;
+ if (strcmp(auth_principal, target_principal) == 0) {
+ /*
+ * kinit is done inside of ads_krb5_chg_password()
+ * without any ccache, just with raw krb5_creds.
+ */
+ return ads_krb5_chg_password(target_principal,
+ auth_password,
+ new_password);
+ }
+
 if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
 DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
 return ADS_ERROR_KRB5(ret);
 }
- if (!strcmp(auth_principal, target_principal)) {
- return ads_krb5_chg_password(target_principal,
- auth_password, new_password);
- } else {
- return ads_krb5_set_password(target_principal,
- new_password);
- }
+ return ads_krb5_set_password(target_principal,
+ new_password);
 }
 #endif
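Review bot: The new `strcmp(auth_principal, target_principal)` is now the first use of both pointers in kerberos_set_password(), so a NULL principal is dereferenced here before anything can reject it. The old code called kerberos_kinit_password() first, but whether that rejected NULL is not visible in this hunk. If callers are not guaranteed to pass non-NULL strings, add a guard ahead of the comparison, for example `if (auth_principal == NULL || target_principal == NULL) { return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); }`. The self-change path also no longer emits the level-1 `Failed kinit for principal` message, so it is worth confirming that ads_krb5_chg_password() logs a failed authentication with the principal name, otherwise failed password changes become harder to spot in logs. The function begins before this hunk, so any existing argument checks above it are not shown.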