Re: Patch to prevent krb5Key attrs in Samba LDAP entries
Howard Chu <hyc@highlandsun.com> writes:
>> I think the last point is the key issue here. A patch that I think
>> would make more sense is one that uses the presence of an existing
>> krb5key attribute to determine if it should be updated.
>
> Again, agreed.
James, like this then?
Love
--- lib/hdb/hdb-ldap.c 18 Apr 2005 08:03:54 -0000
+++ lib/hdb/hdb-ldap.c 19 May 2005 11:32:30 -0000
@@ -666,7 +666,13 @@
}
if (ent->etypes) {
- /* clobber and replace encryption types. */
+ int add_krb5EncryptionType = 0;
+
+ /*
+ * Only add/modify krb5EncryptionType if its a new heimdal
+ * entry or krb5EncryptionType already exists on the entry.
+ */
+
if (!is_new_entry) {
values = ldap_get_values(HDB2LDAP(db), msg, "krb5EncryptionType");
if (values) {
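Review bot: The new comment above `if (!is_new_entry)` reads "if its a new heimdal entry" (should be "it's") and does not mention the case the flag now skips: an existing entry with no krb5EncryptionType values keeps `add_krb5EncryptionType` at 0, so nothing is written for it even though `ent->etypes` is set. Please state that third case in the comment so the skip is clearly intentional, and drop the blank line between the comment and the `if` it describes. The quoted discussion talks about gating on an existing krb5Key attribute, while this hunk gates krb5EncryptionType on itself; a sentence in the comment on why the two are treated alike would help the next reader.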
@@ -675,8 +681,12 @@
NULL);
if (ret)
goto out;
+ add_krb5EncryptionType = 1;
}
- }
+ } else if (is_heimdal_entry)
+ add_krb5EncryptionType = 1;
+
+ if (add_krb5EncryptionType) {
for (i = 0; i < ent->etypes->len; i++) {
if (is_samba_account &&
ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
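Review bot: In the loop now wrapped by `if (add_krb5EncryptionType) {`, the counter is bounded by `ent->etypes->len` but is used to index `ent->keys.val[i]`; if the etypes list can ever be longer than the keys array, the keytype comparison reads past the end of the keys. This predates the patch, but since the block is being restructured it is a good moment to bound the index by the keys length as well, or to document why the two lengths always match. Separately, `} else if (is_heimdal_entry)` hangs an unbraced branch off a braced `if`; adding braces keeps a later second statement from silently falling outside the condition.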
@@ -691,6 +701,7 @@
}
}
}
+ }
/* for clarity */
ret = 0;
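Review bot: The added `}` closes `if (add_krb5EncryptionType) {`, but the loop it encloses appears only as unchanged context, so it has not been re-indented and this brace sits at the same depth as the ones above it. Either re-indent the enclosed loop in the same commit or tag the brace, for example `} /* add_krb5EncryptionType */`, so the nesting is readable. Note also that when the flag is 0 control falls straight through to `ret = 0`, so the caller sees success with no encryption types stored; that looks intended, but it deserves a line in the comment introduced in the first hunk.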