From 506b98d110cb7a56570c33f779a1e5660187c5e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Fri, 3 Jul 2009 03:16:46 +0000
Subject: [PATCH] Patch from Andrew bartlett via heimdal-bugs@h5l.org kdc Allow a password change when the password is expired
This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw
Andrew Bartlett
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25294 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/headers.h | 1 +
 kdc/kdc_locl.h | 1 -
 kdc/kerberos5.c | 22 ++++++++-------------
 kdc/krb5tgs.c | 8 ++++----
 kdc/windc.c | 22 ++++++++++++++++------
 kdc/windc_plugin.h | 8 ++++++--
 6 files changed, 35 insertions(+), 27 deletions(-)
diff --git a/kdc/headers.h b/kdc/headers.h
index 2240336e3..b9a828852 100644
--- a/kdc/headers.h
+++ b/kdc/headers.h
@@ -104,6 +104,7 @@
 #ifndef NO_NTLM
 #include
 #endif
+#include
 #include
 #undef ALLOC
diff --git a/kdc/kdc_locl.h b/kdc/kdc_locl.h
index 9b291ac89..daf155839 100644
--- a/kdc/kdc_locl.h
+++ b/kdc/kdc_locl.h
@@ -39,7 +39,6 @@
 #define __KDC_LOCL_H__
 #include "headers.h"
-#include "kdc.h"
 typedef struct pk_client_params pk_client_params;
 struct DigestREQ;
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 355926792..6d74f32f1 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -668,11 +668,11 @@ log_as_req(krb5_context context,
 */
 krb5_error_code
-_kdc_check_flags(krb5_context context,
- krb5_kdc_configuration *config,
- hdb_entry_ex *client_ex, const char *client_name,
- hdb_entry_ex *server_ex, const char *server_name,
- krb5_boolean is_as_req)
+kdc_check_flags(krb5_context context,
+ krb5_kdc_configuration *config,
+ hdb_entry_ex *client_ex, const char *client_name,
+ hdb_entry_ex *server_ex, const char *server_name,
+ krb5_boolean is_as_req)
 {
 if(client_ex != NULL) {
 hdb_entry *client = &client_ex->entry;
@@ -921,7 +921,6 @@ _kdc_as_rep(krb5_context context,
 "AS-REQ malformed server name from %s", from);
 goto out;
 }
-
 if(b->cname == NULL){
 ret = KRB5KRB_ERR_GENERIC;
 e_text = "No client in request";
@@ -1329,14 +1328,9 @@ _kdc_as_rep(krb5_context context,
 * with in a preauth mech.
 */
- ret = _kdc_check_flags(context, config,
- client, client_name,
- server, server_name,
- TRUE);
- if(ret)
- goto out;
-
- ret = _kdc_windc_client_access(context, client, req, &e_data);
+ ret = _kdc_check_access(context, config, client, client_name,
+ server, server_name,
+ req, &e_data);
 if(ret)
 goto out;
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 3abdb18ae..59104da3d 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1860,10 +1860,10 @@ server_lookup:
 * Check flags
 */
- ret = _kdc_check_flags(context, config,
- client, cpn,
- server, spn,
- FALSE);
+ ret = kdc_check_flags(context, config,
+ client, cpn,
+ server, spn,
+ FALSE);
 if(ret)
 goto out;
diff --git a/kdc/windc.c b/kdc/windc.c
index fe3cd997e..9d7fa52ce 100644
--- a/kdc/windc.c
+++ b/kdc/windc.c
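Review bot: In the `_kdc_check_access` call that replaces the two calls in the @@ -1329 hunk, the KDC no longer runs `kdc_check_flags` itself once a windc plugin is loaded — the windc.c hunk returns the plugin's `client_access` result directly — so a plugin that does not call `kdc_check_flags` silently skips the disabled/expired-client and server-flag checks that used to be unconditional for AS-REQs. That is the intent stated in the commit message, and dropping the `_kdc_` prefix in the first hunk is presumably what lets a plugin reach `kdc_check_flags`, but the policy hand-off deserves a comment at the call site, e.g. `/* A loaded windc plugin replaces kdc_check_flags() here; the plugin must perform or delegate those checks. */`. The same hand-off is visible in the windc.c hunk. `_kdc_as_rep` starts and ends outside the hunk.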
@@ -99,12 +99,22 @@ _kdc_pac_verify(krb5_context context,
 }
 krb5_error_code
-_kdc_windc_client_access(krb5_context context,
- struct hdb_entry_ex *client,
- KDC_REQ *req,
- krb5_data *e_data)
+_kdc_check_access(krb5_context context,
+ krb5_kdc_configuration *config,
+ hdb_entry_ex *client_ex, const char *client_name,
+ hdb_entry_ex *server_ex, const char *server_name,
+ KDC_REQ *req,
+ krb5_data *e_data)
 {
 if (windcft == NULL)
- return 0;
- return (windcft->client_access)(windcctx, context, client, req, e_data);
+ return kdc_check_flags(context, config,
+ client_ex, client_name,
+ server_ex, server_name,
+ req->msg_type == krb_as_req);
+
+ return (windcft->client_access)(windcctx,
+ context, config,
+ client_ex, client_name,
+ server_ex, server_name,
+ req, e_data);
 }
diff --git a/kdc/windc_plugin.h b/kdc/windc_plugin.h
index 34016694b..c7efb7b85 100644
--- a/kdc/windc_plugin.h
+++ b/kdc/windc_plugin.h
@@ -64,10 +64,14 @@ typedef krb5_error_code
 typedef krb5_error_code
 (*krb5plugin_windc_client_access)(
- void *, krb5_context, struct hdb_entry_ex *, KDC_REQ *, krb5_data *);
+ void *, krb5_context,
+ krb5_kdc_configuration *config,
+ hdb_entry_ex *, const char *,
+ hdb_entry_ex *, const char *,
+ KDC_REQ *, krb5_data *);
-#define KRB5_WINDC_PLUGING_MINOR 3
+#define KRB5_WINDC_PLUGING_MINOR 4
 typedef struct krb5plugin_windc_ftable {
 int minor_version;
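Review bot: `_kdc_check_access` derives `is_as_req` from `req->msg_type`, yet its only caller in this patch is the AS path; the krb5tgs.c hunk still calls `kdc_check_flags` directly, so a plugin's `client_access` policy is never consulted for TGS-REQs and a plugin that adjusts AS-REQ access decisions gets no say on service-ticket requests. If that asymmetry is deliberate, record it on the function, e.g. `/* AS path only: the TGS path calls kdc_check_flags() directly and bypasses the windc plugin (krb5tgs.c). */`; otherwise the TGS path should be routed through this function as well. Note also that `req` is now dereferenced on the no-plugin branch, where the old code never touched it, so the function's comment should state that `req` must be non-NULL regardless of whether a plugin is loaded.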
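Review bot: The `krb5plugin_windc_client_access` signature change is not backward compatible, but only `KRB5_WINDC_PLUGING_MINOR` moves from 3 to 4. A plugin built against minor 3 still supplies a five-argument `client_access`; unless the loader that fills `windcft` (not in this patch) rejects every `minor_version` other than the current one, windc.c will call it through the new nine-argument pointer type, which is undefined behaviour. Either make that loader check an exact match or treat this as a major-version change. The new prototype also names only `config` while every other parameter is unnamed; name all or none, and add a comment on the typedef giving the contract — when a plugin is loaded this callback replaces the KDC's own `kdc_check_flags` call for AS-REQs, so it must perform or delegate those checks itself.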