search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r14170: Paranioa fix for sesssetup.
[Samba/bb.git] / source3 / libads / krb5_setpw.c
blob42ca36f344eaf76e825c17f32ee10ac2c02bdbbf
1 /*
2 Unix SMB/CIFS implementation.
3 krb5 set password implementation
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 */
21
22 #include "includes.h"
23
24 #ifdef HAVE_KRB5
25
26 #define DEFAULT_KPASSWD_PORT 464
27
28 #define KRB5_KPASSWD_VERS_CHANGEPW 1
29
30 #define KRB5_KPASSWD_VERS_SETPW 0xff80
31 #define KRB5_KPASSWD_VERS_SETPW_ALT 2
32
33 #define KRB5_KPASSWD_SUCCESS 0
34 #define KRB5_KPASSWD_MALFORMED 1
35 #define KRB5_KPASSWD_HARDERROR 2
36 #define KRB5_KPASSWD_AUTHERROR 3
37 #define KRB5_KPASSWD_SOFTERROR 4
38 #define KRB5_KPASSWD_ACCESSDENIED 5
39 #define KRB5_KPASSWD_BAD_VERSION 6
40 #define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
41
42 /* Those are defined by kerberos-set-passwd-02.txt and are probably
43 * not supported by M$ implementation */
44 #define KRB5_KPASSWD_POLICY_REJECT 8
45 #define KRB5_KPASSWD_BAD_PRINCIPAL 9
46 #define KRB5_KPASSWD_ETYPE_NOSUPP 10
47
48 /* This implements kerberos password change protocol as specified in
49 * kerb-chg-password-02.txt and kerberos-set-passwd-02.txt
50 * as well as microsoft version of the protocol
51 * as specified in kerberos-set-passwd-00.txt
52 */
53 static DATA_BLOB encode_krb5_setpw(const char *principal, const char *password)
54 {
55 char* princ_part1 = NULL;
56 char* princ_part2 = NULL;
57 char* realm = NULL;
58 char* c;
59 char* princ;
60
61 ASN1_DATA req;
62 DATA_BLOB ret;
63
64
65 princ = SMB_STRDUP(principal);
66
67 if ((c = strchr_m(princ, '/')) == NULL) {
68 c = princ;
69 } else {
70 *c = '\0';
71 c++;
72 princ_part1 = princ;
73 }
74
75 princ_part2 = c;
76
77 if ((c = strchr_m(c, '@')) != NULL) {
78 *c = '\0';
79 c++;
80 realm = c;
81 } else {
82 /* We must have a realm component. */
83 return data_blob(NULL, 0);
84 }
85
86 memset(&req, 0, sizeof(req));
87
88 asn1_push_tag(&req, ASN1_SEQUENCE(0));
89 asn1_push_tag(&req, ASN1_CONTEXT(0));
90 asn1_write_OctetString(&req, password, strlen(password));
91 asn1_pop_tag(&req);
92
93 asn1_push_tag(&req, ASN1_CONTEXT(1));
94 asn1_push_tag(&req, ASN1_SEQUENCE(0));
95
96 asn1_push_tag(&req, ASN1_CONTEXT(0));
97 asn1_write_Integer(&req, 1);
98 asn1_pop_tag(&req);
99
100 asn1_push_tag(&req, ASN1_CONTEXT(1));
101 asn1_push_tag(&req, ASN1_SEQUENCE(0));
102
103 if (princ_part1) {
104 asn1_write_GeneralString(&req, princ_part1);
105 }
106
107 asn1_write_GeneralString(&req, princ_part2);
108 asn1_pop_tag(&req);
109 asn1_pop_tag(&req);
110 asn1_pop_tag(&req);
111 asn1_pop_tag(&req);
112
113 asn1_push_tag(&req, ASN1_CONTEXT(2));
114 asn1_write_GeneralString(&req, realm);
115 asn1_pop_tag(&req);
116 asn1_pop_tag(&req);
117
118 ret = data_blob(req.data, req.length);
119 asn1_free(&req);
120
121 free(princ);
122
123 return ret;
124 }
125
126 static krb5_error_code build_kpasswd_request(uint16 pversion,
127 krb5_context context,
128 krb5_auth_context auth_context,
129 krb5_data *ap_req,
130 const char *princ,
131 const char *passwd,
132 krb5_data *packet)
133 {
134 krb5_error_code ret;
135 krb5_data cipherpw;
136 krb5_data encoded_setpw;
137 krb5_replay_data replay;
138 char *p;
139 DATA_BLOB setpw;
140
141 ret = krb5_auth_con_setflags(context,
142 auth_context,KRB5_AUTH_CONTEXT_DO_SEQUENCE);
143 if (ret) {
144 DEBUG(1,("krb5_auth_con_setflags failed (%s)\n",
145 error_message(ret)));
146 return ret;
147 }
148
149 /* handle protocol differences in chpw and setpw */
150 if (pversion == KRB5_KPASSWD_VERS_CHANGEPW)
151 setpw = data_blob(passwd, strlen(passwd));
152 else if (pversion == KRB5_KPASSWD_VERS_SETPW ||
153 pversion == KRB5_KPASSWD_VERS_SETPW_ALT)
154 setpw = encode_krb5_setpw(princ, passwd);
155 else
156 return EINVAL;
157
158 if (setpw.data == NULL || setpw.length == 0) {
159 return EINVAL;
160 }
161
162 encoded_setpw.data = (char *)setpw.data;
163 encoded_setpw.length = setpw.length;
164
165 ret = krb5_mk_priv(context, auth_context,
166 &encoded_setpw, &cipherpw, &replay);
167
168 data_blob_free(&setpw); /*from 'encode_krb5_setpw(...)' */
169
170 if (ret) {
171 DEBUG(1,("krb5_mk_priv failed (%s)\n", error_message(ret)));
172 return ret;
173 }
174
175 packet->data = (char *)SMB_MALLOC(ap_req->length + cipherpw.length + 6);
176 if (!packet->data)
177 return -1;
178
179 /* see the RFC for details */
180 p = ((char *)packet->data) + 2;
181 RSSVAL(p, 0, pversion);
182 p += 2;
183 RSSVAL(p, 0, ap_req->length);
184 p += 2;
185 memcpy(p, ap_req->data, ap_req->length);
186 p += ap_req->length;
187 memcpy(p, cipherpw.data, cipherpw.length);
188 p += cipherpw.length;
189 packet->length = PTR_DIFF(p,packet->data);
190 RSSVAL(packet->data, 0, packet->length);
191
192 free(cipherpw.data); /* from 'krb5_mk_priv(...)' */
193
194 return 0;
195 }
196
197 static const struct kpasswd_errors {
198 int result_code;
199 const char *error_string;
200 } kpasswd_errors[] = {
201 {KRB5_KPASSWD_MALFORMED, "Malformed request error"},
202 {KRB5_KPASSWD_HARDERROR, "Server error"},
203 {KRB5_KPASSWD_AUTHERROR, "Authentication error"},
204 {KRB5_KPASSWD_SOFTERROR, "Password change rejected"},
205 {KRB5_KPASSWD_ACCESSDENIED, "Client does not have proper authorization"},
206 {KRB5_KPASSWD_BAD_VERSION, "Protocol version not supported"},
207 {KRB5_KPASSWD_INITIAL_FLAG_NEEDED, "Authorization ticket must have initial flag set"},
208 {KRB5_KPASSWD_POLICY_REJECT, "Password rejected due to policy requirements"},
209 {KRB5_KPASSWD_BAD_PRINCIPAL, "Target principal does not exist"},
210 {KRB5_KPASSWD_ETYPE_NOSUPP, "Unsupported encryption type"},
211 {0, NULL}
212 };
213
214 static krb5_error_code setpw_result_code_string(krb5_context context,
215 int result_code,
216 const char **code_string)
217 {
218 unsigned int idx = 0;
219
220 while (kpasswd_errors[idx].error_string != NULL) {
221 if (kpasswd_errors[idx].result_code ==
222 result_code) {
223 *code_string = kpasswd_errors[idx].error_string;
224 return 0;
225 }
226 idx++;
227 }
228 *code_string = "Password change failed";
229 return (0);
230 }
231
232 krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code)
233 {
234 switch(res_code) {
235 case KRB5_KPASSWD_ACCESSDENIED:
236 return KRB5KDC_ERR_BADOPTION;
237 case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
238 return KRB5KDC_ERR_BADOPTION;
239 /* return KV5M_ALT_METHOD; MIT-only define */
240 case KRB5_KPASSWD_ETYPE_NOSUPP:
241 return KRB5KDC_ERR_ETYPE_NOSUPP;
242 case KRB5_KPASSWD_BAD_PRINCIPAL:
243 return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
244 case KRB5_KPASSWD_POLICY_REJECT:
245 case KRB5_KPASSWD_SOFTERROR:
246 return KRB5KDC_ERR_POLICY;
247 default:
248 return KRB5KRB_ERR_GENERIC;
249 }
250 }
251 static krb5_error_code parse_setpw_reply(krb5_context context,
252 krb5_auth_context auth_context,
253 krb5_data *packet)
254 {
255 krb5_data ap_rep;
256 char *p;
257 int vnum, ret, res_code;
258 krb5_data cipherresult;
259 krb5_data clearresult;
260 krb5_ap_rep_enc_part *ap_rep_enc;
261 krb5_replay_data replay;
262
263 if (packet->length < 4) {
264 return KRB5KRB_AP_ERR_MODIFIED;
265 }
266
267 p = packet->data;
268
269 if (((char *)packet->data)[0] == 0x7e || ((char *)packet->data)[0] == 0x5e) {
270 /* it's an error packet. We should parse it ... */
271 DEBUG(1,("Got error packet 0x%x from kpasswd server\n",
272 ((char *)packet->data)[0]));
273 return KRB5KRB_AP_ERR_MODIFIED;
274 }
275
276 if (RSVAL(p, 0) != packet->length) {
277 DEBUG(1,("Bad packet length (%d/%d) from kpasswd server\n",
278 RSVAL(p, 0), packet->length));
279 return KRB5KRB_AP_ERR_MODIFIED;
280 }
281
282 p += 2;
283
284 vnum = RSVAL(p, 0); p += 2;
285
286 /* FIXME: According to standard there is only one type of reply */
287 if (vnum != KRB5_KPASSWD_VERS_SETPW &&
288 vnum != KRB5_KPASSWD_VERS_SETPW_ALT &&
289 vnum != KRB5_KPASSWD_VERS_CHANGEPW) {
290 DEBUG(1,("Bad vnum (%d) from kpasswd server\n", vnum));
291 return KRB5KDC_ERR_BAD_PVNO;
292 }
293
294 ap_rep.length = RSVAL(p, 0); p += 2;
295
296 if (p + ap_rep.length >= (char *)packet->data + packet->length) {
297 DEBUG(1,("ptr beyond end of packet from kpasswd server\n"));
298 return KRB5KRB_AP_ERR_MODIFIED;
299 }
300
301 if (ap_rep.length == 0) {
302 DEBUG(1,("got unencrypted setpw result?!\n"));
303 return KRB5KRB_AP_ERR_MODIFIED;
304 }
305
306 /* verify ap_rep */
307 ap_rep.data = p;
308 p += ap_rep.length;
309
310 ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
311 if (ret) {
312 DEBUG(1,("failed to rd setpw reply (%s)\n", error_message(ret)));
313 return KRB5KRB_AP_ERR_MODIFIED;
314 }
315
316 krb5_free_ap_rep_enc_part(context, ap_rep_enc);
317
318 cipherresult.data = p;
319 cipherresult.length = ((char *)packet->data + packet->length) - p;
320
321 ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
322 &replay);
323 if (ret) {
324 DEBUG(1,("failed to decrypt setpw reply (%s)\n", error_message(ret)));
325 return KRB5KRB_AP_ERR_MODIFIED;
326 }
327
328 if (clearresult.length < 2) {
329 free(clearresult.data);
330 ret = KRB5KRB_AP_ERR_MODIFIED;
331 return KRB5KRB_AP_ERR_MODIFIED;
332 }
333
334 p = clearresult.data;
335
336 res_code = RSVAL(p, 0);
337
338 free(clearresult.data);
339
340 if ((res_code < KRB5_KPASSWD_SUCCESS) ||
341 (res_code > KRB5_KPASSWD_ETYPE_NOSUPP)) {
342 return KRB5KRB_AP_ERR_MODIFIED;
343 }
344
345 if(res_code == KRB5_KPASSWD_SUCCESS)
346 return 0;
347 else {
348 const char *errstr;
349 setpw_result_code_string(context, res_code, &errstr);
350 DEBUG(1, ("Error changing password: %s (%d)\n", errstr, res_code));
351
352 return kpasswd_err_to_krb5_err(res_code);
353 }
354 }
355
356 static ADS_STATUS do_krb5_kpasswd_request(krb5_context context,
357 const char *kdc_host,
358 uint16 pversion,
359 krb5_creds *credsp,
360 const char *princ,
361 const char *newpw)
362 {
363 krb5_auth_context auth_context = NULL;
364 krb5_data ap_req, chpw_req, chpw_rep;
365 int ret, sock;
366 socklen_t addr_len;
367 struct sockaddr remote_addr, local_addr;
368 krb5_address local_kaddr, remote_kaddr;
369
370 ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
371 NULL, credsp, &ap_req);
372 if (ret) {
373 DEBUG(1,("krb5_mk_req_extended failed (%s)\n", error_message(ret)));
374 return ADS_ERROR_KRB5(ret);
375 }
376
377 sock = open_udp_socket(kdc_host, DEFAULT_KPASSWD_PORT);
378 if (sock == -1) {
379 int rc = errno;
380 free(ap_req.data);
381 krb5_auth_con_free(context, auth_context);
382 DEBUG(1,("failed to open kpasswd socket to %s (%s)\n",
383 kdc_host, strerror(errno)));
384 return ADS_ERROR_SYSTEM(rc);
385 }
386
387 addr_len = sizeof(remote_addr);
388 getpeername(sock, &remote_addr, &addr_len);
389 addr_len = sizeof(local_addr);
390 getsockname(sock, &local_addr, &addr_len);
391
392 setup_kaddr(&remote_kaddr, &remote_addr);
393 setup_kaddr(&local_kaddr, &local_addr);
394
395 ret = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL);
396 if (ret) {
397 close(sock);
398 free(ap_req.data);
399 krb5_auth_con_free(context, auth_context);
400 DEBUG(1,("krb5_auth_con_setaddrs failed (%s)\n", error_message(ret)));
401 return ADS_ERROR_KRB5(ret);
402 }
403
404 ret = build_kpasswd_request(pversion, context, auth_context, &ap_req,
405 princ, newpw, &chpw_req);
406 if (ret) {
407 close(sock);
408 free(ap_req.data);
409 krb5_auth_con_free(context, auth_context);
410 DEBUG(1,("build_setpw_request failed (%s)\n", error_message(ret)));
411 return ADS_ERROR_KRB5(ret);
412 }
413
414 if (write(sock, chpw_req.data, chpw_req.length) != chpw_req.length) {
415 close(sock);
416 free(chpw_req.data);
417 free(ap_req.data);
418 krb5_auth_con_free(context, auth_context);
419 DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
420 return ADS_ERROR_SYSTEM(errno);
421 }
422
423 free(chpw_req.data);
424
425 chpw_rep.length = 1500;
426 chpw_rep.data = (char *) SMB_MALLOC(chpw_rep.length);
427 if (!chpw_rep.data) {
428 close(sock);
429 free(ap_req.data);
430 krb5_auth_con_free(context, auth_context);
431 DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
432 errno = ENOMEM;
433 return ADS_ERROR_SYSTEM(errno);
434 }
435
436 ret = read(sock, chpw_rep.data, chpw_rep.length);
437 if (ret < 0) {
438 close(sock);
439 free(chpw_rep.data);
440 free(ap_req.data);
441 krb5_auth_con_free(context, auth_context);
442 DEBUG(1,("recv of chpw reply failed (%s)\n", strerror(errno)));
443 return ADS_ERROR_SYSTEM(errno);
444 }
445
446 close(sock);
447 chpw_rep.length = ret;
448
449 ret = krb5_auth_con_setaddrs(context, auth_context, NULL,&remote_kaddr);
450 if (ret) {
451 free(chpw_rep.data);
452 free(ap_req.data);
453 krb5_auth_con_free(context, auth_context);
454 DEBUG(1,("krb5_auth_con_setaddrs on reply failed (%s)\n",
455 error_message(ret)));
456 return ADS_ERROR_KRB5(ret);
457 }
458
459 ret = parse_setpw_reply(context, auth_context, &chpw_rep);
460 free(chpw_rep.data);
461
462 if (ret) {
463 free(ap_req.data);
464 krb5_auth_con_free(context, auth_context);
465 DEBUG(1,("parse_setpw_reply failed (%s)\n",
466 error_message(ret)));
467 return ADS_ERROR_KRB5(ret);
468 }
469
470 free(ap_req.data);
471 krb5_auth_con_free(context, auth_context);
472
473 return ADS_SUCCESS;
474 }
475
476 ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ,
477 const char *newpw, int time_offset)
478 {
479
480 ADS_STATUS aret;
481 krb5_error_code ret = 0;
482 krb5_context context = NULL;
483 krb5_principal principal = NULL;
484 char *princ_name = NULL;
485 char *realm = NULL;
486 krb5_creds creds, *credsp = NULL;
487 #if KRB5_PRINC_REALM_RETURNS_REALM
488 krb5_realm orig_realm;
489 #else
490 krb5_data orig_realm;
491 #endif
492 krb5_ccache ccache = NULL;
493
494 ZERO_STRUCT(creds);
495
496 initialize_krb5_error_table();
497 ret = krb5_init_context(&context);
498 if (ret) {
499 DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
500 return ADS_ERROR_KRB5(ret);
501 }
502
503 if (time_offset != 0) {
504 krb5_set_real_time(context, time(NULL) + time_offset, 0);
505 }
506
507 ret = krb5_cc_default(context, &ccache);
508 if (ret) {
509 krb5_free_context(context);
510 DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
511 return ADS_ERROR_KRB5(ret);
512 }
513
514 realm = strchr_m(princ, '@');
515 if (!realm) {
516 krb5_cc_close(context, ccache);
517 krb5_free_context(context);
518 DEBUG(1,("Failed to get realm\n"));
519 return ADS_ERROR_KRB5(-1);
520 }
521 realm++;
522
523 asprintf(&princ_name, "kadmin/changepw@%s", realm);
524 ret = krb5_parse_name(context, princ_name, &creds.server);
525 if (ret) {
526 krb5_cc_close(context, ccache);
527 krb5_free_context(context);
528 DEBUG(1,("Failed to parse kadmin/changepw (%s)\n", error_message(ret)));
529 return ADS_ERROR_KRB5(ret);
530 }
531 free(princ_name);
532
533 /* parse the principal we got as a function argument */
534 ret = krb5_parse_name(context, princ, &principal);
535 if (ret) {
536 krb5_cc_close(context, ccache);
537 krb5_free_principal(context, creds.server);
538 krb5_free_context(context);
539 DEBUG(1,("Failed to parse %s (%s)\n", princ_name, error_message(ret)));
540 return ADS_ERROR_KRB5(ret);
541 }
542
543 /* The creds.server principal takes ownership of this memory.
544 Remember to set back to original value before freeing. */
545 orig_realm = *krb5_princ_realm(context, creds.server);
546 krb5_princ_set_realm(context, creds.server, krb5_princ_realm(context, principal));
547
548 ret = krb5_cc_get_principal(context, ccache, &creds.client);
549 if (ret) {
550 krb5_cc_close(context, ccache);
551 krb5_princ_set_realm(context, creds.server, &orig_realm);
552 krb5_free_principal(context, creds.server);
553 krb5_free_principal(context, principal);
554 krb5_free_context(context);
555 DEBUG(1,("Failed to get principal from ccache (%s)\n",
556 error_message(ret)));
557 return ADS_ERROR_KRB5(ret);
558 }
559
560 ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
561 if (ret) {
562 krb5_cc_close(context, ccache);
563 krb5_free_principal(context, creds.client);
564 krb5_princ_set_realm(context, creds.server, &orig_realm);
565 krb5_free_principal(context, creds.server);
566 krb5_free_principal(context, principal);
567 krb5_free_context(context);
568 DEBUG(1,("krb5_get_credentials failed (%s)\n", error_message(ret)));
569 return ADS_ERROR_KRB5(ret);
570 }
571
572 /* we might have to call krb5_free_creds(...) from now on ... */
573
574 aret = do_krb5_kpasswd_request(context, kdc_host,
575 KRB5_KPASSWD_VERS_SETPW,
576 credsp, princ, newpw);
577
578 krb5_free_creds(context, credsp);
579 krb5_free_principal(context, creds.client);
580 krb5_princ_set_realm(context, creds.server, &orig_realm);
581 krb5_free_principal(context, creds.server);
582 krb5_free_principal(context, principal);
583 krb5_cc_close(context, ccache);
584 krb5_free_context(context);
585
586 return aret;
587 }
588
589 /*
590 we use a prompter to avoid a crash bug in the kerberos libs when
591 dealing with empty passwords
592 this prompter is just a string copy ...
593 */
594 static krb5_error_code
595 kerb_prompter(krb5_context ctx, void *data,
596 const char *name,
597 const char *banner,
598 int num_prompts,
599 krb5_prompt prompts[])
600 {
601 if (num_prompts == 0) return 0;
602
603 memset(prompts[0].reply->data, 0, prompts[0].reply->length);
604 if (prompts[0].reply->length > 0) {
605 if (data) {
606 strncpy(prompts[0].reply->data, data, prompts[0].reply->length-1);
607 prompts[0].reply->length = strlen(prompts[0].reply->data);
608 } else {
609 prompts[0].reply->length = 0;
610 }
611 }
612 return 0;
613 }
614
615 static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
616 const char *principal,
617 const char *oldpw,
618 const char *newpw,
619 int time_offset)
620 {
621 ADS_STATUS aret;
622 krb5_error_code ret;
623 krb5_context context = NULL;
624 krb5_principal princ;
625 krb5_get_init_creds_opt opts;
626 krb5_creds creds;
627 char *chpw_princ = NULL, *password;
628
629 initialize_krb5_error_table();
630 ret = krb5_init_context(&context);
631 if (ret) {
632 DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
633 return ADS_ERROR_KRB5(ret);
634 }
635
636 if ((ret = krb5_parse_name(context, principal,
637 &princ))) {
638 krb5_free_context(context);
639 DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
640 return ADS_ERROR_KRB5(ret);
641 }
642
643 krb5_get_init_creds_opt_init(&opts);
644 krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
645 krb5_get_init_creds_opt_set_renew_life(&opts, 0);
646 krb5_get_init_creds_opt_set_forwardable(&opts, 0);
647 krb5_get_init_creds_opt_set_proxiable(&opts, 0);
648
649 /* We have to obtain an INITIAL changepw ticket for changing password */
650 asprintf(&chpw_princ, "kadmin/changepw@%s",
651 (char *) krb5_princ_realm(context, princ));
652 password = SMB_STRDUP(oldpw);
653 ret = krb5_get_init_creds_password(context, &creds, princ, password,
654 kerb_prompter, NULL,
655 0, chpw_princ, &opts);
656 SAFE_FREE(chpw_princ);
657 SAFE_FREE(password);
658
659 if (ret) {
660 if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
661 DEBUG(1,("Password incorrect while getting initial ticket"));
662 else
663 DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
664
665 krb5_free_principal(context, princ);
666 krb5_free_context(context);
667 return ADS_ERROR_KRB5(ret);
668 }
669
670 aret = do_krb5_kpasswd_request(context, kdc_host,
671 KRB5_KPASSWD_VERS_CHANGEPW,
672 &creds, principal, newpw);
673
674 krb5_free_principal(context, princ);
675 krb5_free_context(context);
676
677 return aret;
678 }
679
680
681 ADS_STATUS kerberos_set_password(const char *kpasswd_server,
682 const char *auth_principal, const char *auth_password,
683 const char *target_principal, const char *new_password,
684 int time_offset)
685 {
686 int ret;
687
688 if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL, NULL, NULL, False, 0))) {
689 DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
690 return ADS_ERROR_KRB5(ret);
691 }
692
693 if (!strcmp(auth_principal, target_principal))
694 return ads_krb5_chg_password(kpasswd_server, target_principal,
695 auth_password, new_password, time_offset);
696 else
697 return ads_krb5_set_password(kpasswd_server, target_principal,
698 new_password, time_offset);
699 }
700
701
702 /**
703 * Set the machine account password
704 * @param ads connection to ads server
705 * @param hostname machine whose password is being set
706 * @param password new password
707 * @return status of password change
708 **/
709 ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
710 const char *machine_account,
711 const char *password)
712 {
713 ADS_STATUS status;
714 char *principal = NULL;
715
716 /*
717 we need to use the '$' form of the name here (the machine account name),
718 as otherwise the server might end up setting the password for a user
719 instead
720 */
721 asprintf(&principal, "%s@%s", machine_account, ads->config.realm);
722
723 status = ads_krb5_set_password(ads->auth.kdc_server, principal,
724 password, ads->auth.time_offset);
725
726 free(principal);
727
728 return status;
729 }
730
731
732
733 #endif