From fec66b3327768e1e8ed290c1958bec22b9089687 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Tue, 3 May 2005 11:11:54 +0000
Subject: [PATCH] (init): Don't disable forwardable for kadmin/changepw.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15064 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kadmin/init.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/kadmin/init.c b/kadmin/init.c
index 4cab66972..1ea4b931a 100644
--- a/kadmin/init.c
+++ b/kadmin/init.c
@@ -175,11 +175,16 @@ init(struct init_options *opt, int argc, char **argv)
 /* Create `kadmin/changepw' */
 krb5_make_principal(context, &princ, realm, "kadmin", "changepw", NULL);
+ /*
+ * The Windows XP (at least) password changing protocol
+ * request the `kadmin/changepw' ticket with `renewable_ok,
+ * renewable, forwardable' and so fails if we disallow
+ * forwardable here.
+ */
 create_random_entry(princ, 5*60, 5*60,
 KRB5_KDB_DISALLOW_TGT_BASED|
 KRB5_KDB_PWCHANGE_SERVICE|
 KRB5_KDB_DISALLOW_POSTDATED|
- KRB5_KDB_DISALLOW_FORWARDABLE|
 KRB5_KDB_DISALLOW_RENEWABLE|
 KRB5_KDB_DISALLOW_PROXIABLE|
 KRB5_KDB_REQUIRES_PRE_AUTH);
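Review bot: Dropping `KRB5_KDB_DISALLOW_FORWARDABLE` from the `create_random_entry` call only changes the `kadmin/changepw` entry that a fresh `init` creates. Realms initialised before this commit presumably keep the old attribute in their database and would still refuse the Windows XP request until the principal is modified by hand, which neither the commit message nor the new comment mentions. The comment should also record what still constrains this principal, for example `* Other restrictions (no TGT-based requests, pre-auth required) stay in place.`, so a later reader neither treats the missing flag as an oversight nor relaxes the remaining `DISALLOW_*` bits by analogy. Separately, "request" in the comment should read "requests". The body of `init` starts and ends outside the hunk, so whether other default principals are created with the same flag set cannot be checked from here.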