Today I found another regression in the kpasswd password change path.

I filed ticket #1820.

Legacy password hashes were not generated due to an issue with the list
of attributes being searched in ipadb_get_principal(): objectclass was
missing.

This patch fixes it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 157c36d62b20c682935178572cff0a3539741ed2 Mon Sep 17 00:00:00 2001
From: Simo Sorce <[email protected]>
Date: Mon, 19 Sep 2011 15:53:17 -0400
Subject: [PATCH] ipa-kdb: Fix legacy password hashes generation

We were not searching for objectclass so the test to see if a user had the
posixAccount attribute was failing and the user was not marked as ipa_user.
This in turn caused us to not synchronize legacy hashes by not trying to store
the userPassword attribute.

Fixes: https://fedorahosted.org/freeipa/ticket/1820
---
 daemons/ipa-kdb/ipa_kdb_passwords.c  |    4 +---
 daemons/ipa-kdb/ipa_kdb_principals.c |    1 +
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index 18be9be017454ca10f52d622a66e7749b828ae67..748ee9e7b52a95f82ddcca1899cf35dfc626679b 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -283,9 +283,7 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
     krb5_principal mod_princ = NULL;
     krb5_boolean truexp = true;
 
-
-    /* Assume all principals with just one component as user principals */
-    if (entry->princ->length == 1) {
+    if (ied->ipa_user) {
         kerr = krb5_dbe_lookup_mod_princ_data(context, entry,
                                               &mod_time, &mod_princ);
         if (kerr) {
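Review bot: the new condition `if (ied->ipa_user)` dereferences `ied`, but nothing in this hunk shows where `ied` is assigned or that it is checked for NULL before this point in ipadb_get_pwd_expiration(). If an entry can reach this function without `ied` populated, this is a NULL dereference in the password change path, so please confirm an earlier check exists or add one. The change also narrows behaviour: the removed test treated every single-component principal as a user, while the new one takes this branch only for entries flagged ipa_user, so single-component principals that are not marked ipa_user now skip the krb5_dbe_lookup_mod_princ_data() call. A short comment replacing the deleted one, saying why ipa_user is the right test here, would help the next reader.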
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index ed5195fb9ee0489c888e118d746e6797867bde03..c9259c6f14a3d681a83c3c6078f0ea1d978b6ccc 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -53,6 +53,7 @@ static char *std_principal_attrs[] = {
     "nsaccountlock",
     "passwordHistory",
 
+    "objectClass",
     NULL
 };
 
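Review bot: "objectClass" is appended after the blank line at the end of std_principal_attrs with no comment, so the reason it must be fetched is recorded only in the commit message. Since dropping it silently disables legacy hash synchronization (the posixAccount test fails and ipa_user stays unset), add a one-line comment above the entry saying it is required for ipa_user detection. It is also worth checking whether any other lookup fills the entry data from a different attribute list, because that path would leave ipa_user unset in the same way now that ipadb_get_pwd_expiration() depends on it.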
-- 
1.7.6.2
