mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
ipa-pwd-extop: do not remove MagicRegen mod, replace it
In 2012, ldbm backend in 389-ds started checking entry modification after running betxnpreop plugins by comparing a number of modifications before and after. If that number didn't change, it is considered that plugins didn't modify the list. ipa-pwd-extop actually removed and re-added modification to ipaNTHash if it contained 'MagicRegen' value. This did not work since commit https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43 but we were lucky nothing in FreeIPA code actually relied on that except some code paths in ipasam Samba passdb driver. However, Samba didn't reach the point where the code was triggered -- until now. With support to run Samba as a domain member in IPA domain, that code path is triggered for Kerberos service principals of domain members (cifs/client.example.test, ...) and NT hash extraction from Kerberos keys does not work. Fix ipa-pwd-extop to follow recommendations in https://pagure.io/389-ds-base/issue/387#comment-120145 and https://pagure.io/389-ds-base/issue/50369#comment-570696 Fixes: https://pagure.io/freeipa/issue/7953 Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
parent
46234f0cb9
commit
a9bcf531a6
@ -517,6 +517,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
||||
/* check op filtering out LDAP_MOD_BVALUES */
|
||||
switch (lmod->mod_op & 0x0f) {
|
||||
case LDAP_MOD_ADD:
|
||||
case LDAP_MOD_REPLACE:
|
||||
if (!lmod->mod_bvalues ||
|
||||
!lmod->mod_bvalues[0]) {
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
@ -528,8 +529,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
||||
(strncmp(NTHASH_REGEN_VAL,
|
||||
bv->bv_val, bv->bv_len) == 0)) {
|
||||
is_magic_regen = 1;
|
||||
/* make sure the database will later ignore this mod */
|
||||
slapi_mods_remove(smods);
|
||||
/* We do not remove the mod from the list due to
|
||||
* https://pagure.io/389-ds-base/issue/387#comment-120145 */
|
||||
}
|
||||
default:
|
||||
break;
|
||||
@ -1009,7 +1010,9 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
|
||||
bval.bv_len = 16;
|
||||
ntvals[0] = &bval;
|
||||
|
||||
slapi_mods_add_modbvps(smods, LDAP_MOD_ADD, "ipaNTHash", ntvals);
|
||||
/* add the change as a replace operation due to
|
||||
* https://pagure.io/389-ds-base/issue/387#comment-120145 */
|
||||
slapi_mods_add_modbvps(smods, LDAP_MOD_REPLACE, "ipaNTHash", ntvals);
|
||||
|
||||
ret = LDAP_SUCCESS;
|
||||
break;
|
||||
|
@ -390,7 +390,6 @@ def test_smb_svc(request, test_host):
|
||||
|
||||
|
||||
@pytest.mark.tier0
|
||||
@pytest.mark.xfail(reason="freeipa ticket 7953", strict=True)
|
||||
@pytest.mark.skipif(u'ipantuserattrs' not in add_oc([], u'ipantuserattrs'),
|
||||
reason="Must have trust support enabled for this test")
|
||||
class test_smb_service(KeytabRetrievalTest):
|
||||
|
Loading…
Reference in New Issue
Block a user