Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-RT-Original-Encoding: iso-8859-1
Content-Length: 3547
Hello,
Recently I found wrong logic in krb5_locate_kpasswd() function
(krb5/build/src/lib/krb5/os/changepw.c file).
If we got success on first call for krb5int_locate_server(), then the
following code will not be executed:
if (!code) {
/* Success with admin_server but now we need to change the
port number to use DEFAULT_KPASSWD_PORT and the
socktype. */
int i;
for (i=0; i<addrlist->naddrs; i++) {
struct addrinfo *a = addrlist->addrs[i].ai;
if (a->ai_family == AF_INET)
sa2sin (a->ai_addr)->sin_port =
htons(DEFAULT_KPASSWD_PORT);
if (sockType != SOCK_STREAM)
a->ai_socktype = sockType;
}
}
As a result MS Kpasswd request will be wrongly sent to 88 port. Default
port for kadmin/chpasswd is 464.
The following patch will fix issue:
==== //xxxxx/krb5/build/src/lib/krb5/os/changepw.c#4 -
/yyyyy/krb5/build/src/lib/krb5/os/changepw.c ====
@@ -70,6 +70,7 @@
code = krb5int_locate_server (context, realm, addrlist,
locate_service_kadmin,
SOCK_STREAM,
AF_INET);
+ }
if (!code) {
/* Success with admin_server but now we need to change the
port number to use DEFAULT_KPASSWD_PORT and the
socktype. */
@@ -82,7 +83,7 @@
a->ai_socktype = sockType;
}
}
- }
+
return (code);
}
Thanks,
Roman