From: Stefan Metzmacher Date: Fri, 13 Sep 2019 14:04:30 +0000 (+0200) Subject: s3:libads: ads_krb5_chg_password() should always use the canonicalized principal X-Git-Tag: talloc-2.3.1~703 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=303b7e59a286896888ee2473995fc50bb2b5ce5e;p=thirdparty%2Fsamba.git s3:libads: ads_krb5_chg_password() should always use the canonicalized principal We should always use krb5_get_init_creds_opt_set_canonicalize() and krb5_get_init_creds_opt_set_win2k() for heimdal and expect the client principal to be changed. There's no reason to have a different logic between MIT and Heimdal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner --- diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c index 4ed3623f7c5..ee352bf0893 100644 --- a/source3/libads/krb5_setpw.c +++ b/source3/libads/krb5_setpw.c @@ -202,6 +202,12 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, krb5_get_init_creds_opt_set_renew_life(opts, 0); krb5_get_init_creds_opt_set_forwardable(opts, 0); krb5_get_init_creds_opt_set_proxiable(opts, 0); +#ifdef SAMBA4_USES_HEIMDAL + krb5_get_init_creds_opt_set_win2k(context, opts, true); + krb5_get_init_creds_opt_set_canonicalize(context, opts, true); +#else /* MIT */ + krb5_get_init_creds_opt_set_canonicalize(opts, true); +#endif /* MIT */ /* note that heimdal will fill in the local addresses if the addresses * in the creds_init_opt are all empty and then later fail with invalid
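Review bot: In the new `#ifdef SAMBA4_USES_HEIMDAL` branch, the calls `krb5_get_init_creds_opt_set_win2k(context, opts, true);` and `krb5_get_init_creds_opt_set_canonicalize(context, opts, true);` are made as bare statements, so any status they return is dropped. If the Heimdal variants return a `krb5_error_code`, capture it and fail through the function's existing error path. Otherwise a silent failure leaves canonicalization off and the request proceeds with the uncanonicalized principal, which is the case this change is meant to remove. The commit message also says the client principal is expected to change, but the visible context only sets the option. It is worth confirming that the code after the initial credential request takes the principal from the returned credentials rather than from the caller-supplied name, and adding a short comment above the block saying so. Minor style point: `#endif /* MIT */` closes a block opened by `#ifdef SAMBA4_USES_HEIMDAL`, so `#endif /* SAMBA4_USES_HEIMDAL */` would be easier to match up when reading.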