krb5 commit [krb5-1.17]: Ignore password attributes for S4U2Self requests

Mon Jan 7 11:19:15 EST 2019

https://github.com/krb5/krb5/commit/18f64cd1dea7d213fd9d337bdb831eca2a86d2fa
commit 18f64cd1dea7d213fd9d337bdb831eca2a86d2fa
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Mon Dec 3 02:33:07 2018 +0200

    Ignore password attributes for S4U2Self requests
    
    For consistency with Windows KDCs, allow protocol transition to work
    even if the password has expired or needs changing.
    
    Also, when looking up an enterprise principal with an AS request,
    treat ERR_KEY_EXP as confirmation that the client is present in the
    realm.
    
    [ghudson at mit.edu: added comment in kdc_process_s4u2self_req(); edited
    commit message]
    
    (cherry picked from commit 5e6d1796106df8ba6bc1973ee0917c170d929086)
    
    ticket: 8763
    version_fixed: 1.17

 src/kdc/kdc_util.c           |    5 +++++
 src/lib/krb5/krb/s4u_creds.c |    2 +-
 src/tests/gssapi/t_s4u.py    |    8 ++++++++
 3 files changed, 14 insertions(+), 1 deletions(-)

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index dfeaf7e..0155c28 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1595,6 +1595,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
 
         memset(&no_server, 0, sizeof(no_server));
 
+        /* Ignore password expiration and needchange attributes (as Windows
+         * does), since S4U2Self is not password authentication. */
+        princ->pw_expiration = 0;
+        clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
+
         code = validate_as_request(kdc_active_realm, request, *princ,
                                    no_server, kdc_time, status, &e_data);
         if (code) {
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index d2fdcb3..614ed41 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -116,7 +116,7 @@ s4u_identify_user(krb5_context context,
     code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL,
                              opts, krb5_get_as_key_noop, &userid, &use_master,
                              NULL);
-    if (code == 0 || code == KRB5_PREAUTH_FAILED) {
+    if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {
         *canon_user = userid.user;
         userid.user = NULL;
         code = 0;
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index fd29e1a..84f3fbd 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -19,6 +19,14 @@ pservice2 = 'p:' + service2
 # Get forwardable creds for service1 in the default cache.
 realm.kinit(service1, None, ['-f', '-k'])
 
+# Try S4U2Self for user with a restricted password.
+realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-needchange',
+          '-pwexpire', '1/1/2000', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
+
 # Try krb5 -> S4U2Proxy with forwardable user creds.  This should fail
 # at the S4U2Proxy step since the DB2 back end currently has no
 # support for allowing it.
