
Re: using kpasswd with ldap db (0.7.2)



On Wed, Jun 14, 2006 at 04:50:55PM -0400, Love Hörnquist Åstrand wrote:
> 
> Andreas Hasenack <ahasenack@terra.com.br> writes:
> 
> > I applied the attached patch hdb-ldap:LDAP_message2entry() to check,
> > seems to work. This is just to show the issue (no re-indentation to make
> > the patch clearer), I'm not familiar enough with the code to tell if this is the
> > correct fix.
> 
> If there already is a ETYPE_ARCFOUR_HMAC_MD5, should the sambaNTPassword be
> added at all?

I'm not sure how this interaction with samba works.

When I first add a principal, I get 6 krb5Key attributes. The last of them is
ARCFOUR (as shown by kadmin's list -l command).

If I then add samba attributes (like smbpasswd -a userfoo) and then run kpasswd
again, one of the krb5Key attributes is removed from LDAP (I have then 5) and
krb5EncryptionType is set to 23. kadmin, however, still reports 6 types of keys
for the principal, so the sambaNTPassword hash got converted on the fly to a
krb5 key (probably by decode_Key() in LDAP_message2entry() if I'm reading this
right). That's why I left it to still be added in this test patch.

I don't know why there is a krb5EncryptionType multi-valued attribute: isn't
the encryption type part of the key itself? Even if it's not, there is no way
to map one krb5EncryptionType to one krb5Key in the same entry.
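The observation above, that a sambaNTPassword hash is turned into the principal's arcfour krb5 key on the fly, means the NT hash attribute is effectively a Kerberos long-term key and deserves the same LDAP access control as krb5Key. The following script is an added example, not code from this thread or from Heimdal: it parses an LDIF dump of principal entries and flags those where sambaNTPassword sits alongside krb5EncryptionType 23, and it reports the krb5Key/krb5EncryptionType counts that the thread notes cannot be mapped to each other. Only the attribute names and the enctype number 23 come from the thread; the DNs, key blobs and hash values in the sample are constructed.

```python
"""Audit an LDIF dump for principals whose sambaNTPassword doubles as a
Kerberos arcfour key (krb5EncryptionType 23).

Added example, not code from the thread or from Heimdal's hdb-ldap backend.
Attribute names (krb5Key, krb5EncryptionType, sambaNTPassword) and the
enctype number 23 are taken from the thread; everything in SAMPLE_LDIF is
constructed test data (the NT hash below is an all-zero placeholder).
"""
import base64

ETYPE_ARCFOUR_HMAC_MD5 = 23  # enctype number quoted in the thread

# Constructed sample: userfoo has smbpasswd attributes and 5 krb5Key values
# plus krb5EncryptionType 23 (the state the thread describes after kpasswd);
# userbar is a plain principal with 6 krb5Key values and no samba attributes.
SAMPLE_LDIF = """\
dn: uid=userfoo,ou=People,dc=example,dc=com
uid: userfoo
krb5PrincipalName: userfoo@EXAMPLE.COM
krb5Key:: MDEwMTAxMDE=
krb5Key:: MDIwMjAyMDI=
krb5Key:: MDMwMzAzMDM=
krb5Key:: MDQwNDA0MDQ=
krb5Key:: MDUwNTA1MDU=
krb5EncryptionType: 23
sambaNTPassword: 00000000000000000000000000000000

dn: uid=userbar,ou=People,dc=example,dc=com
uid: userbar
krb5PrincipalName: userbar@EXAMPLE.COM
krb5Key:: MDEwMTAxMDE=
krb5Key:: MDIwMjAyMDI=
krb5Key:: MDMwMzAzMDM=
krb5Key:: MDQwNDA0MDQ=
krb5Key:: MDUwNTA1MDU=
krb5Key:: MDYwNjA2MDY=
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute -> list of values.

    Handles 'attr: value' and base64 'attr:: value' lines; comments are skipped
    and a blank line ends an entry. Values are decoded as latin-1 so that
    binary krb5Key blobs still round-trip without raising.
    """
    entries, current = [], {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("latin-1")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def key_summary(entry):
    """Counts the thread says cannot be correlated: krb5Key values vs
    krb5EncryptionType values (and which enctype numbers are listed)."""
    etypes = sorted(int(v) for v in entry.get("krb5EncryptionType", []) if v.isdigit())
    return {"krb5Key": len(entry.get("krb5Key", [])), "krb5EncryptionType": etypes}


def audit(entries):
    """Return (dn, reason) pairs for entries whose sambaNTPassword will be
    converted on the fly into the principal's arcfour krb5 key."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        summary = key_summary(entry)
        if "sambaNTPassword" in entry and ETYPE_ARCFOUR_HMAC_MD5 in summary["krb5EncryptionType"]:
            findings.append((dn, "sambaNTPassword doubles as arcfour krb5 key; "
                                 f"{summary['krb5Key']} krb5Key values stored, "
                                 f"krb5EncryptionType={summary['krb5EncryptionType']}"))
    return findings


if __name__ == "__main__":
    for dn, reason in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {reason}")
```

Run against a real dump with `ldapsearch -LLL ... krb5Key krb5EncryptionType sambaNTPassword` output piped into `parse_ldif`; a hit means the LDAP ACL protecting sambaNTPassword now also protects a Kerberos key.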