Use the right attribute with ipapwd_entry_checks for MagicRegen

There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos key is available for the corresponding user. This is typically triggered by samba via the ipa_sam passdb plugin. The principal used by samba to connect to the IPA directory server has the right to modify ipaNTHash but no other password attribute. This means that the current check on the userPassword attribute is too strict for this case and leads to a failure of the whole operation. With this patch the access right on ipaNTHash are checked if no other password operations are requested.
2025-02-25 18:55:28 -06:00 · 2013-10-07 16:49:33 +02:00
parent 12ae6a054a
commit 091e8fac34
1 changed files with 2 additions and 1 deletions
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -554,7 +554,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)

    rc = ipapwd_entry_checks(pb, e,
                             &is_root, &is_krb, &is_smb, &is_ipant,
-                             SLAPI_USERPWD_ATTR, SLAPI_ACL_WRITE);
+                             is_pwd_op ? SLAPI_USERPWD_ATTR : "ipaNTHash",
+                             SLAPI_ACL_WRITE);
    if (rc) {
        goto done;
    }