On 05/27/2015 04:50 PM, Martin Babinsky wrote:
On 05/27/2015 04:33 PM, Martin Kosek wrote:
On 05/27/2015 03:55 PM, Alexander Bokovoy wrote:
On Wed, 27 May 2015, Simo Sorce wrote:
On Wed, 2015-05-27 at 15:25 +0200, Martin Babinsky wrote:
On 05/25/2015 10:48 AM, Martin Babinsky wrote:
On 04/06/2015 12:53 AM, Simo Sorce wrote:
Fix for bug 4914.

I've tested it locally and seem to do exactly what is needed. I couldn't
detect any side effects, except that if you use kadmin to get a
randomized password for a service then you'll get a key for all
supported types (currently aes256, aes128, des3, rc4, camellia128,
camellia256) instead of just the default ones (aes256, aes128, des3,
rc4) if you do not specify enctypes. I think that is fine, we use
ipa-getkeytab anyway in the normal course of business and that one uses
a different code path.


Hi Simo,

the patch works as expected.

My only gripe is with the duplicate code in 'daemons/ipa-kdb/ipa_kdb.c' between lines 389 and 455. It could be made into a single function to
get key encoding/salt types from LDAP (see my feeble and untested
attempt which I attached).


I will then send the patch fixing duplicate code separately once I
consult it with somebody more skilled in C than myself.

Thanks, added your reviewed-by and pushed to master.

Martin, should we push this to other branches too ?
I think we also need this in 4.1 so that it can go to Fedora, Debian,
and RHEL releases.

4.2 will be released soon, but if you are confident about the patch so that it does not break stuff, we may add it to 4.1.x too, given the positive impact.

I actually tested it also with 4.1 branch with no problem.


there is actually a problem with this patch.

I built it on both branches (to be sure) and the patch causes the ipa-server-install fail during the provisioning of directory server keytab [1] on *Fedora 21*. The failure is reproducible. Martin was able to reproduce it on F21. Apparently Martin only tested the patch on F22 where it doesn't cause any (immediately visible) problems.

[1]: http://paste.fedoraproject.org/226915/90153914/


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to