
Re: using kpasswd with ldap db (0.7.2)



On Wed, Jun 14, 2006 at 06:06:51PM -0300, Andreas Hasenack wrote:
> On Wed, Jun 14, 2006 at 04:50:55PM -0400, Love Hörnquist Åstrand wrote:
> > 
> > Andreas Hasenack <ahasenack@terra.com.br> writes:
> > 
> > > I applied the attached patch hdb-ldap:LDAP_message2entry() to check,
> > > seems to work. This is just to show the issue (no re-indentation to make
> > > the patch clearer), I'm not familiar enough with the code to tell if this is the
> > > correct fix.
> > 
> > If there already is an ETYPE_ARCFOUR_HMAC_MD5, should the sambaNTPassword be
> > added at all?
> 
> I'm not sure how this interaction with samba works.
> 
> When I first add a principal, I get 6 krb5Key attributes. The last of them is
> ARCFOUR (as shown by kadmin's list -l command).
> 
> If I then add samba attributes (like smbpasswd -a userfoo) and then run kpasswd
> again, one of the krb5Key attributes is removed from LDAP (I have then 5) and
> krb5EncryptionType is set to 23. kadmin, however, still reports 6 types of keys
> for the principal, so the sambaNTPassword hash got converted on the fly to a
> krb5 key (probably by decode_Key() in LDAP_message2entry() if I'm reading this
> right). That's why I still let it be added in this test patch.
> 
> I don't know why there is a krb5EncryptionType multi-valued attribute: isn't
> the encryption type part of the key itself? Even if it's not, there is no way
> to map one krb5EncryptionType to one krb5Key in the same entry.

Any news on this? Is there a bugtracker for heimdal where I could input this so
it's not (easily) forgotten?