Improve keytab code to select the right principal.

When requesting a keytab the salt used is the NORMAL type (for backwards and AD
compatibility), however since we added alias support we need to search for the
krbCanonicalName in preference, when nothing is specified, and for the requested
principal name when a getkeytab operation is performed. This is so that the
correct salt can be applied. (Windows AD uses some peculiar aliases for some
special accounts to generate the salt).

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Simo Sorce 2015-12-02 15:20:42 -05:00 committed by Martin Basti
parent 4bef7577b7
commit e011b376a5
4 changed files with 20 additions and 9 deletions


@ -104,6 +104,7 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset)
Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg, Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data, struct ipapwd_data *data,
char *preferred_principal,
int num_encsalts, int num_encsalts,
krb5_key_salt_tuple *encsalts, krb5_key_salt_tuple *encsalts,
char **errMesg) char **errMesg)
@ -128,13 +129,21 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
kvno = ipapwd_get_cur_kvno(data->target); kvno = ipapwd_get_cur_kvno(data->target);
if (preferred_principal) {
krbPrincipalName = slapi_ch_strdup(preferred_principal);
} else {
krbPrincipalName = slapi_entry_attr_get_charptr(data->target,
"krbCanonicalName");
if (!krbPrincipalName) {
krbPrincipalName = slapi_entry_attr_get_charptr(data->target, krbPrincipalName = slapi_entry_attr_get_charptr(data->target,
"krbPrincipalName"); "krbPrincipalName");
}
if (!krbPrincipalName) { if (!krbPrincipalName) {
*errMesg = "no krbPrincipalName present in this entry\n"; *errMesg = "no krbPrincipalName present in this entry\n";
LOG_FATAL("%s", *errMesg); LOG_FATAL("%s", *errMesg);
goto enc_error; goto enc_error;
} }
}
krberr = krb5_parse_name(krbctx, krbPrincipalName, &princ); krberr = krb5_parse_name(krbctx, krbPrincipalName, &princ);
if (krberr) { if (krberr) {
@ -215,7 +224,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
if (is_krb) { if (is_krb) {
*svals = ipapwd_encrypt_encode_key(krbcfg, data, *svals = ipapwd_encrypt_encode_key(krbcfg, data, NULL,
krbcfg->num_pref_encsalts, krbcfg->num_pref_encsalts,
krbcfg->pref_encsalts, krbcfg->pref_encsalts,
errMesg); errMesg);
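Review bot: `preferred_principal` is only read (it is copied with `slapi_ch_strdup` right after the `if (preferred_principal)` check), so the new parameter should be `const char *preferred_principal` both in the definition here and in the prototype in the header section further down; as written a caller holding a `const char *` has to cast. The selection order (explicit name, then krbCanonicalName, then krbPrincipalName) is what decides the salt and nothing at the definition says so; a comment on the parameter such as `/* preferred_principal: principal string the salt is derived from; NULL means krbCanonicalName, falling back to krbPrincipalName. The caller must ensure it names this entry. */` would record it. The message `no krbPrincipalName present in this entry` is now also reached when krbCanonicalName is absent, which is still accurate since krbPrincipalName is the last fallback. ipapwd_encrypt_encode_key starts and ends outside the hunk, so the eventual release of krbPrincipalName is not visible; I am assuming the `slapi_ch_strdup` result is freed the same way as the `slapi_entry_attr_get_charptr` result was.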


@ -661,6 +661,7 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
Slapi_PBlock *pb = NULL; Slapi_PBlock *pb = NULL;
char *attrlist[] = { "krbPrincipalKey", "krbLastPwdChange", char *attrlist[] = { "krbPrincipalKey", "krbLastPwdChange",
"userPassword", "krbPrincipalName", "userPassword", "krbPrincipalName",
"krbCanonicalName",
"enrolledBy", NULL }; "enrolledBy", NULL };
Slapi_Entry **es = NULL; Slapi_Entry **es = NULL;
int res, ret, i; int res, ret, i;
@ -1648,7 +1649,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
data.target = target_entry; data.target = target_entry;
data.password = password; data.password = password;
svals = ipapwd_encrypt_encode_key(krbcfg, &data, svals = ipapwd_encrypt_encode_key(krbcfg, &data, service_name,
kenctypes ? num_kenctypes : kenctypes ? num_kenctypes :
krbcfg->num_pref_encsalts, krbcfg->num_pref_encsalts,
kenctypes ? kenctypes : kenctypes ? kenctypes :
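Review bot: In ipapwd_getkeytab `service_name` is now passed straight through as the salt principal, so the generated key only matches what the client derives if `service_name` is exactly the name the client requested and the same string the entry was looked up with; that coupling is not stated at the call. A one-line comment above it, `/* salt with the name the client asked for, not the canonical one (AD aliases) */`, would make the intent explicit. Adding `"krbCanonicalName"` to `attrlist` in get_entry_by_principal is consistent with the new fallback in ipapwd_encrypt_encode_key, which presumably reads it from this fetched entry. Both ipapwd_getkeytab and get_entry_by_principal extend beyond the hunks shown.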


@ -143,6 +143,7 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset);
Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg, Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data, struct ipapwd_data *data,
char *preferred_principal,
int num_encsalts, int num_encsalts,
krb5_key_salt_tuple *encsalts, krb5_key_salt_tuple *encsalts,
char **errMesg); char **errMesg);


@ -1386,7 +1386,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
static const char *attrs_list[] = { static const char *attrs_list[] = {
SLAPI_USERPWD_ATTR, "ipaUserAuthType", "krbprincipalkey", "uid", SLAPI_USERPWD_ATTR, "ipaUserAuthType", "krbprincipalkey", "uid",
"krbprincipalname", "objectclass", "passwordexpirationtime", "krbprincipalname", "objectclass", "passwordexpirationtime",
"passwordhistory", "krbprincipalexpiration", "passwordhistory", "krbprincipalexpiration", "krbcanonicalname",
NULL NULL
}; };
struct berval *credentials = NULL; struct berval *credentials = NULL;
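Review bot: Nothing in this hunk shows why `krbcanonicalname` now has to be fetched in ipapwd_pre_bind; presumably the entry retrieved with `attrs_list` is later handed to ipapwd_gen_hashes, whose key generation now reads krbCanonicalName to pick the salt, and without the attribute in the list the fallback to krbPrincipalName would silently apply. A short comment on the list entry, `/* krbcanonicalname: read by ipapwd_encrypt_encode_key to choose the salt principal */`, would tie the attribute to its consumer. ipapwd_pre_bind begins before and continues past this hunk.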