kdc: Rotate smart-card only underlying password in 2nd half of lifetime
authorAndrew Bartlett <abartlet@samba.org>
Fri, 17 May 2024 05:34:36 +0000 (17:34 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 10 Jun 2024 04:27:31 +0000 (04:27 +0000)
This is a measure to avoid multiple servers rotating the password, but it means that the maximum password age really must be set to twice the TGT lifetime, e.g. a default of 20 hours.  The suggestions found online of 1 day for this feature should work fine.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
selftest/knownfail_heimdal_kdc
source4/kdc/db-glue.c

index 167e7e71ec38f5161237867372fedd3b4c15ffd3..1f52f48d6c8a9e3946bc56e70b14ca5a6c958c3d 100644 (file)
@@ -73,7 +73,6 @@
 #
 ^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_des3.ad_dc
 ^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_must_change_now\(
-^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_smartcard_required_must_change_before_tgt_expiry\(
 #
 # Windows 2000 PK-INIT tests
 #
index 0ef1672c5c1088c0a76cf8cf5d3a9ceb3ac340ec..57007aef760eb2afcb7619624fe489c946c7856b 100644 (file)
@@ -2908,16 +2908,32 @@ static krb5_error_code samba_kdc_fetch_client(krb5_context context,
                         * However we must first
                         * check if this is before the TGT is due to
                         * expire.
+                        *
+                        * Then we check if we are half-way
+                        * though the password lifetime before we make
+                        * a password rotation.
                         */
                        NTTIME must_change_time
                                = samdb_result_nttime(msg,
                                                      "msDS-UserPasswordExpiryTimeComputed",
                                                      0);
+                       NTTIME pw_lifetime = must_change_time - pwd_last_set_this_loop;
+                       NTTIME pw_halflife = pw_lifetime / 2;
                        if (must_change_time
                            > entry->skdc_entry->enforced_tgt_lifetime_nt_ticks + entry->skdc_entry->current_nttime) {
                                /* Password will not expire before TGT will */
                                break;
                        }
+
+                       if (pwd_last_set_this_loop != 0
+                           && pwd_last_set_this_loop + pw_halflife > entry->skdc_entry->current_nttime) {
+                               /*
+                                * Still in first half of password
+                                * lifetime, no change per
+                                * https://lists.samba.org/archive/cifs-protocol/2024-May/004316.html
+                                */
+                               break;
+                       }
                        /* Keep processing */
                }