ipa-pwd-extop: do not remove MagicRegen mod, replace it

In 2012, ldbm backend in 389-ds started checking entry modification
after running betxnpreop plugins by comparing a number of modifications
before and after. If that number didn't change, it is considered that
plugins didn't modify the list.

ipa-pwd-extop actually removed and re-added modification to ipaNTHash if
it contained 'MagicRegen' value. This did not work since commit
https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43
but we were lucky nothing in FreeIPA code actually relied on that except
some code paths in ipasam Samba passdb driver. However, Samba didn't
reach the point where the code was triggered -- until now.

With support to run Samba as a domain member in IPA domain, that code
path is triggered for Kerberos service principals of domain members
(cifs/client.example.test, ...) and NT hash extraction from Kerberos
keys does not work.

Fix ipa-pwd-extop to follow recommendations in
https://pagure.io/389-ds-base/issue/387#comment-120145 and
https://pagure.io/389-ds-base/issue/50369#comment-570696

Fixes: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
Alexander Bokovoy 2019-05-16 13:12:38 +03:00
parent 46234f0cb9
commit a9bcf531a6
2 changed files with 6 additions and 4 deletions

View File

@ -517,6 +517,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
/* check op filtering out LDAP_MOD_BVALUES */
switch (lmod->mod_op & 0x0f) {
case LDAP_MOD_ADD:
case LDAP_MOD_REPLACE:
if (!lmod->mod_bvalues ||
!lmod->mod_bvalues[0]) {
rc = LDAP_OPERATIONS_ERROR;
@ -528,8 +529,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
(strncmp(NTHASH_REGEN_VAL,
bv->bv_val, bv->bv_len) == 0)) {
is_magic_regen = 1;
/* make sure the database will later ignore this mod */
slapi_mods_remove(smods);
/* We do not remove the mod from the list due to
* https://pagure.io/389-ds-base/issue/387#comment-120145 */
}
default:
break;
@ -1009,7 +1010,9 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
bval.bv_len = 16;
ntvals[0] = &bval;
slapi_mods_add_modbvps(smods, LDAP_MOD_ADD, "ipaNTHash", ntvals);
/* add the change as a replace operation due to
* https://pagure.io/389-ds-base/issue/387#comment-120145 */
slapi_mods_add_modbvps(smods, LDAP_MOD_REPLACE, "ipaNTHash", ntvals);
ret = LDAP_SUCCESS;
break;

View File

@ -390,7 +390,6 @@ def test_smb_svc(request, test_host):
@pytest.mark.tier0
@pytest.mark.xfail(reason="freeipa ticket 7953", strict=True)
@pytest.mark.skipif(u'ipantuserattrs' not in add_oc([], u'ipantuserattrs'),
reason="Must have trust support enabled for this test")
class test_smb_service(KeytabRetrievalTest):