-rw-r--r--src/kadmin/server/misc.c4
-rw-r--r--src/tests/t_policy.py5
2 files changed, 7 insertions, 2 deletions
diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
index 192145c..27a6376 100644
--- a/src/kadmin/server/misc.c
+++ b/src/kadmin/server/misc.c
@@ -177,10 +177,12 @@ check_min_life(void *server_handle, krb5_principal principal,
if(ret)
return ret;
if(princ.aux_attributes & KADM5_POLICY) {
+ /* Look up the policy. If it doesn't exist, treat this principal as if
+ * it had no policy. */
if((ret=kadm5_get_policy(handle->lhandle,
princ.policy, &pol)) != KADM5_OK) {
(void) kadm5_free_principal_ent(handle->lhandle, &princ);
- return ret;
+ return (ret == KADM5_UNK_POLICY) ? 0 : ret;
}
if((now - princ.last_pwd_change) < pol.pw_min_life &&
!(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
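Review bot: The new early return in check_min_life is a deliberate fail-open path, and the added comment should say which restriction lapses: when kadm5_get_policy() reports KADM5_UNK_POLICY, the pw_min_life check is skipped for a principal that still references a policy name. I would end the comment with `it had no policy, so pw_min_life is not enforced. */` so the effect of a missing policy is visible to anyone auditing password-change rules. As a style point, the branch compares against `KADM5_OK` but returns a bare `0`; `return (ret == KADM5_UNK_POLICY) ? KADM5_OK : ret;` would be more consistent. Other lookup errors still propagate, which keeps the fail-open case narrow. The function body begins and ends outside this hunk.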
diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py
index f4cb4b4..7b95342 100644
--- a/src/tests/t_policy.py
+++ b/src/tests/t_policy.py
@@ -2,7 +2,7 @@
from k5test import *
import re
-realm = K5Realm(create_host=False)
+realm = K5Realm(create_host=False, start_kadmind=True)
# Test password quality enforcement.
realm.run_kadminl('addpol -minlength 6 -minclasses 2 pwpol')
@@ -48,6 +48,9 @@ if ('WARNING: policy "newpol" does not exist' not in out or
out = realm.run_kadminl('cpw -pw 3rdpassword pwuser')
if ' changed.' not in out:
fail('reuse of current password with nonexistent policy')
+# Regression test for #8427 (min_life check with nonexistent policy).
+realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword',
+ '-q', 'cpw -pw 3rdpassword pwuser'])
# Create newpol and verify that it is enforced.
realm.run_kadminl('addpol -minlength 3 newpol')
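Review bot: The regression test for #8427 discards the output of `realm.run([...])`, so it can only fail through the command's exit status, whereas the check just above it captures `out` and looks for ' changed.'. If kadmin run with `-q` does not report a failed `cpw` through its exit status (not visible on this page, worth confirming), the test would still pass with the min_life bug reintroduced. Capturing and checking the output keeps the two checks parallel: `out = realm.run([...])` followed by `if ' changed.' not in out: fail('min_life check with nonexistent policy')`.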