
Re: using kpasswd with ldap db (0.7.2)



On Friday, 16 June 2006 19:37, Andreas Hasenack wrote:
> On Wed, Jun 14, 2006 at 06:06:51PM -0300, Andreas Hasenack wrote:
> > On Wed, Jun 14, 2006 at 04:50:55PM -0400, Love Hörnquist Åstrand wrote:
> > > Andreas Hasenack <ahasenack@terra.com.br> writes:
> > > > I applied the attached patch hdb-ldap:LDAP_message2entry() to check,
> > > > seems to work. This is just to show the issue (no re-indentation to
> > > > make the patch clearer), I'm not familiar with the code to tell if
> > > > this is the correct fix.
> > >
> > > If there already is an ETYPE_ARCFOUR_HMAC_MD5, should the
> > > sambaNTPassword be added at all?
> >
> > I'm not sure how this interaction with samba works.
> >
> > When I first add a principal, I get 6 krb5Key attributes. The last of
> > them is ARCFOUR (as shown by kadmin's list -l command).
> >
> > If I then add samba attributes (like smbpasswd -a userfoo) and then run
> > kpasswd again, one of the krb5Key attributes is removed from LDAP (I have
> > then 5) and krb5EncryptionType is set to 23. kadmin, however, still
> > reports 6 types of keys for the principal, so the sambaNTPassword hash
> > got converted on the fly to a krb5 key (probably by decode_Key() in
> > LDAP_message2entry() if I'm reading this right). That's why I left it
> > still be added in this test patch.
> >
> > I don't know why there is a krb5EncryptionType multi-valued attribute:
> > isn't the encryption type part of the key itself? Even if it's not, there
> > is no way to map one krb5EncryptionType to one krb5Key in the same entry.
>
> Any news on this? Is there a bugtracker for heimdal where I could input
> this so it's not (easily) forgotten?

I've got the same problem with heimdal 0.7.2 (the default debian etch 
version). Is this behaviour solved in a newer version?

Cheers
Stefan

-- 
Stefan Gohmann         Entwicklung              gohmann@univention.de
Univention GmbH        Linux for your Business  fon: +49 421 22 232- 0
Mary-Somerville-Str.1  28359 Bremen             fax: +49 421 22 232-99
                       http://www.univention.de