Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.
https://fedorahosted.org/freeipa/ticket/2795
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).
This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.
Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.
Fixes https://fedorahosted.org/freeipa/ticket/4914
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.
This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).
The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.
https://fedorahosted.org/freeipa/ticket/3312https://fedorahosted.org/freeipa/ticket/3114
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.
One meleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count before hand so we never actually use the wrong value
that is computed on the last pass when p == 0
Fixes: https://fedorahosted.org/freeipa/ticket/2488
We were not searching for objectclass so the test to se if a user had the
posixAccount attribute was failing and the user was not marked as ipa_user.
This in turn caused us to not synchronize legacy hashes by not trying to store
the userPassword attribute.
Fixes: https://fedorahosted.org/freeipa/ticket/1820
Expiration time should be enforced as per policy only for users and only when a
password change occurs, ina ll other cases we should just let kadmin decide
whther it is going to set a password expiration time or just leave it empty.
In general service tickts have strong random passwords so they do not need a
password policy or expiration at all.
https://fedorahosted.org/freeipa/ticket/1839
