kerberos: login fails when kerberos library tries to inform user via prompter without asking for user input
Illustrative case
I am using gnome-online-accounts-3.32.1 and mit-krb5-1.17 on Gentoo and I am trying to login to Samba 4.10 AD domain using kerberos. GOA asks for password and then shows "timeout" after some time. Logs show goa-identity-se[2636]: goa_kerberos_identity_inquiry_new: assertion 'number_of_prompts > 0' failed.
Manually using kinit in terminal results in successful login.
Reason
My domain account has password expiration set, and kinit warns me about it (Warning: Your password will expire in...
) on successful ticket acquisition. The same warning is passed to GOA by kerberos library, however due to how GOA is coded currently, it does not handle informative only prompts (which do not require answers from the user). If I remove password expiration from the domain account, GOA succeeds logging me with it, because no expiration means no warning to pass from kerberos library to GOA.
How to reproduce
Setup Samba AD domain controller, create domain user, make sure it has a soon to be expired password (you can check with kinit if it warns you about that), try logging in with GOA using kerberos.
Analysis
goa_kerberos_identity_sign_in(...) calls krb5_get_init_creds_password( ...,(krb5_prompter_fct) on_kerberos_inquiry,... ). Then if kerberos library needs user to be prompted for something, on_kerberos_inquiry( ..., const char *banner, int number_of_prompts, krb5_prompt prompts[] ) is called back, which in turn passes its mentioned parameters to goa_kerberos_identity_inquiry_new ( *..., const char banner, krb5_prompt prompts[], int number_of_prompts ).
goa_kerberos_identity_inquiry_new(...) has
g_return_val_if_fail (number_of_prompts > 0, NULL);
, but according to MIT Kerberos docs:
The prompter will be invoked each time the krb5 library has a question to ask or information to present. When the prompter callback is invoked, the banner argument (if not null) is intended to be displayed to the user, and the questions to be answered are specified in the prompts array.
so even if number_of_prompts == 0
, it still should be a valid case when kerberos library has something to tell to the user (banner != NULL
, i.e. in my case banner == "Warning: Your password will expire in 28 days on 2019 m. gruodžio 08 d. 21:17:5"
- checked that while debugging).
I think g_return_val_if_fail (number_of_prompts > 0, NULL);
should go away, but it seems just doing that won't be enough. I tried removing that line, but login still failed - more code changes are necessary.