Improve keytab code to select the right principal.

When requesting a keytab the salt used is the NORMAL type (for backwards and AD
compatibility), however since we added alias support we need to search for the
krbCanonicalName in preference, when nothing is specified, and for the requested
principal name when a getkeytab operation is performed. This is so that the
correct salt can be applied. (Windows AD uses some peculiar aliases for some
special accounts to generate the salt).

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Simo Sorce 2015-12-02 15:20:42 -05:00 committed by Martin Basti
parent 4bef7577b7
commit e011b376a5
4 changed files with 20 additions and 9 deletions


@ -104,6 +104,7 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset)
Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data,
char *preferred_principal,
int num_encsalts,
krb5_key_salt_tuple *encsalts,
char **errMesg)
@ -128,12 +129,20 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
kvno = ipapwd_get_cur_kvno(data->target);
krbPrincipalName = slapi_entry_attr_get_charptr(data->target,
"krbPrincipalName");
if (!krbPrincipalName) {
*errMesg = "no krbPrincipalName present in this entry\n";
LOG_FATAL("%s", *errMesg);
goto enc_error;
if (preferred_principal) {
krbPrincipalName = slapi_ch_strdup(preferred_principal);
} else {
krbPrincipalName = slapi_entry_attr_get_charptr(data->target,
"krbCanonicalName");
if (!krbPrincipalName) {
krbPrincipalName = slapi_entry_attr_get_charptr(data->target,
"krbPrincipalName");
}
if (!krbPrincipalName) {
*errMesg = "no krbPrincipalName present in this entry\n";
LOG_FATAL("%s", *errMesg);
goto enc_error;
}
}
krberr = krb5_parse_name(krbctx, krbPrincipalName, &princ);
@ -215,7 +224,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
if (is_krb) {
*svals = ipapwd_encrypt_encode_key(krbcfg, data,
*svals = ipapwd_encrypt_encode_key(krbcfg, data, NULL,
krbcfg->num_pref_encsalts,
krbcfg->pref_encsalts,
errMesg);
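Review bot: The new preferred_principal path in ipapwd_encrypt_encode_key (hunk at -128) takes the caller's string on trust: it is duplicated and parsed straight into the salt principal with no check that it is one of the target entry's krbPrincipalName values, so a caller passing a name the entry does not own would produce keys salted for the wrong principal. In this commit the only caller passing a non-NULL value is ipapwd_getkeytab, where the entry appears to have been fetched by that same name, so the behaviour is presumably correct today but the contract is only implicit. The parameter is also undocumented here and in the header prototype; at the declaration I would add `/* preferred_principal: NULL selects krbCanonicalName, then krbPrincipalName; a non-NULL value is used as-is and the caller must ensure it names the target entry */`. The local is still called krbPrincipalName although it now holds whichever of the three names was selected, which deserves a rename or a comment. ipapwd_encrypt_encode_key begins and ends outside this hunk.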


@ -661,6 +661,7 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
Slapi_PBlock *pb = NULL;
char *attrlist[] = { "krbPrincipalKey", "krbLastPwdChange",
"userPassword", "krbPrincipalName",
"krbCanonicalName",
"enrolledBy", NULL };
Slapi_Entry **es = NULL;
int res, ret, i;
@ -1648,7 +1649,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
data.target = target_entry;
data.password = password;
svals = ipapwd_encrypt_encode_key(krbcfg, &data,
svals = ipapwd_encrypt_encode_key(krbcfg, &data, service_name,
kenctypes ? num_kenctypes :
krbcfg->num_pref_encsalts,
kenctypes ? kenctypes :
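Review bot: The krbCanonicalName entry added to attrlist in get_entry_by_principal carries no hint of why it is needed, and the dependency is non-local: ipapwd_encrypt_encode_key reads that attribute from data->target when called with a NULL preferred principal, so dropping it from any search that feeds a struct ipapwd_data would silently fall back to krbPrincipalName and a different salt. A one-line comment on the list would make that explicit: `/* krbCanonicalName: read by ipapwd_encrypt_encode_key to choose the salt principal */`. In the ipapwd_getkeytab hunk service_name is now handed to the callee, which duplicates it, so ownership stays with this function; whether service_name can be NULL at that point cannot be seen here. Both enclosing functions begin and end outside these hunks.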


@ -143,6 +143,7 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset);
Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data,
char *preferred_principal,
int num_encsalts,
krb5_key_salt_tuple *encsalts,
char **errMesg);


@ -1386,7 +1386,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
static const char *attrs_list[] = {
SLAPI_USERPWD_ATTR, "ipaUserAuthType", "krbprincipalkey", "uid",
"krbprincipalname", "objectclass", "passwordexpirationtime",
"passwordhistory", "krbprincipalexpiration",
"passwordhistory", "krbprincipalexpiration", "krbcanonicalname",
NULL
};
struct berval *credentials = NULL;
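Review bot: The attribute is spelled "krbcanonicalname" in ipapwd_pre_bind's attrs_list but "krbCanonicalName" in the other two files touched by this commit. LDAP attribute types are matched case-insensitively so the lookup still works, but the mixed spelling makes it harder to find every place the attribute is requested; using `"krbCanonicalName"` here would keep the lists consistent and greppable. ipapwd_pre_bind continues outside this hunk.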