From 123584294cfd153acc2d9a5be9d71c395c847a25 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 9 Oct 2019 16:32:47 +0200 Subject: [PATCH] s3:libads: Do not turn on canonicalization flag for MIT Kerberos This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155 Pair-Programmed-With: Isaac Boukris Signed-off-by: Andreas Schneider Signed-off-by: Isaac Boukris Reviewed-by: Stefan Metzmacher Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Sat Oct 12 17:39:13 UTC 2019 on sn-devel-184 --- selftest/knownfail.d/net_ads_mit | 1 - source3/libads/krb5_setpw.c | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) delete mode 100644 selftest/knownfail.d/net_ads_mit diff --git a/selftest/knownfail.d/net_ads_mit b/selftest/knownfail.d/net_ads_mit deleted file mode 100644 index 3646314476f..00000000000 --- a/selftest/knownfail.d/net_ads_mit +++ /dev/null @@ -1 +0,0 @@ -^samba4.blackbox.net_ads.changetrustpw diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c index ee352bf0893..8f638dcdb8e 100644 --- a/source3/libads/krb5_setpw.c +++ b/source3/libads/krb5_setpw.c @@ -206,7 +206,22 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, krb5_get_init_creds_opt_set_win2k(context, opts, true); krb5_get_init_creds_opt_set_canonicalize(context, opts, true); #else /* MIT */ +#if 0 + /* + * FIXME + * + * Due to an upstream MIT Kerberos bug, this feature is not + * not working. Affection versions (2019-10-09): <= 1.17 + * + * Reproducer: + * kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM + * + * This is NOT a problem if the service is a krbtgt. + * + * https://bugzilla.samba.org/show_bug.cgi?id=14155 + */ krb5_get_init_creds_opt_set_canonicalize(opts, true); +#endif #endif /* MIT */ /* note that heimdal will fill in the local addresses if the addresses -- 2.47.3