Index: src/include/krb5/krb5.hin
===================================================================
--- src/include/krb5/krb5.hin (revision 18810)
+++ src/include/krb5/krb5.hin (working copy)
@@ -2418,8 +2418,8 @@ #define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020 #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040 #define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080 +#define KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT 0x0100 - void KRB5_CALLCONV krb5_get_init_creds_opt_init (krb5_get_init_creds_opt *opt);
@@ -2466,8 +2466,11 @@ (krb5_get_init_creds_opt *opt, krb5_data *salt); +void KRB5_CALLCONV +krb5_get_init_creds_opt_set_change_password_prompt +(krb5_get_init_creds_opt *opt, + int prompt); - krb5_error_code KRB5_CALLCONV krb5_get_init_creds_password (krb5_context context,
Index: src/lib/krb5/krb/gic_opt.c
===================================================================
--- src/lib/krb5/krb/gic_opt.c (revision 18810)
+++ src/lib/krb5/krb/gic_opt.c (working copy)
@@ -3,7 +3,7 @@ void KRB5_CALLCONV krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) { - opt->flags = 0; + opt->flags = KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT; } void KRB5_CALLCONV
@@ -63,3 +63,13 @@ opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT; opt->salt = salt; } + +void KRB5_CALLCONV +krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, int prompt) +{ + if (prompt) + opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT; + else + opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT; +} +
Index: src/lib/krb5/krb/gic_pwd.c
===================================================================
--- src/lib/krb5/krb/gic_pwd.c (revision 18810)
+++ src/lib/krb5/krb/gic_pwd.c (working copy)
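Review bot: The `krb5_get_init_creds_opt_set_change_password_prompt` prototype added to krb5.hin (second hunk) is a public entry point, but nothing says what `prompt` means or what the default is. A short comment above the declaration would cover it, for example `/* prompt != 0: offer a password change when the password has expired (the default after krb5_get_init_creds_opt_init); prompt == 0: skip the change-password prompts */`.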
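Review bot: In src/lib/krb5/krb/gic_opt.c (first hunk), `krb5_get_init_creds_opt_init` becomes the only place where the prompting default is established, so an options block that a caller zero-fills or populates by hand without calling it has `KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT` clear. The gic_pwd.c hunk treats a clear bit as "do not prompt", which contradicts the comment added there ("if the change password prompt option has not been set, we continue to prompt") and quietly changes expired-password handling for such callers. Either invert the sense of the bit so that a cleared flag keeps the historical behaviour, or state the requirement at the assignment, e.g. `/* prompting for a password change on expiry is on by default; callers must run this init before any setter */`.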
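Review bot: In src/lib/krb5/krb/gic_opt.c (second hunk), the new setter is defined as `krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, int prompt)`, which looks like a copy-paste of the name of the function just above it. The context lines ending in `opt->salt = salt;` are presumably the existing krb5_get_init_creds_opt_set_salt, so this adds a conflicting second definition, while the `krb5_get_init_creds_opt_set_change_password_prompt` prototype added to krb5.hin is left without an implementation. The definition line should read `krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, int prompt)`. If the library keeps an export list, the new symbol probably needs an entry there as well; no such file is touched in this patch.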
@@ -182,6 +182,14 @@ (prompter == NULL)) goto cleanup; + /* historically the default has been to prompt for password change. + * if the change password prompt option has not been set, we continue + * to prompt. Prompting is only disabled if the option has been set + * and the value has been set to false. + */ + if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) + goto cleanup; + /* ok, we have an expired password. Give the user a few chances to change it */
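Review bot: The new test `if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))` dereferences `options` with no NULL check visible in the hunk. If this function accepts a NULL options pointer to mean "use defaults", an expired-password reply would crash the client here instead of prompting. A guard that preserves the historical default is `if (options != NULL && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))`. The enclosing function starts and ends outside the hunk, so an earlier check may already exist and is worth confirming.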