When installing the adtrust code we need to be able to get the ipaNTHash
populated as in some cases we may need it to authenticate connections
over SMB w/o using kerberos during the trust setup phase.
The NT hash is really just the same thing as the rc4-hmac key we already
have by default in the Kerberos Keys.
This patch-set implements a check in the password plugin for the pre-mod
operation to catch the attempt to replace the attribute with the value
'MagicRegen' in the ipaNThash attribute.
If no previous ipaNTHash value is present, and the kerberos keys are
available, then we attempt to find the rc4-hmac key and if we find it we
store it in the ipaNTHash.
This will allow us to give the admin user (and potentially any other
user) the NT hash samba requires without forcing them to reset their
password, assuming the rc4-hmac key is present (currently it is by
default).
I marked this patch-set as RFC as I want opinions on the method (LDAP
modify with replace operation) I utilized to perform the extraction.
If it bodes well with everybody we can consider the patch-set for
inclusion.
I tested it and extracting the hash works fine and it works later on
using smbclient to access a share.
This patchset implements task #2867:
https://fedorahosted.org/freeipa/ticket/2867
Simo.
--
Simo Sorce * Red Hat, Inc * New York
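The claim in the cover letter that the NT hash "is really just the same thing as the rc4-hmac key" follows from RFC 4757, whose string-to-key for enctype 23 is MD4 over the UTF-16LE password with the salt ignored, which is exactly how the NT hash is computed. The added example below (not FreeIPA code, and not part of this patch-set) shows that equivalence and a simplified model of the 'MagicRegen' pre-mod handling described above. The pure-Python MD4 is included because hashlib on OpenSSL 3 builds usually cannot provide it; the in-memory entry layout, the plaintext (already unwrapped) Kerberos keys, the enctype constant 23 for rc4-hmac, the helper names and the choice to reject the magic value when a hash already exists are assumptions made for illustration.

```python
"""Added example (not FreeIPA code): why the rc4-hmac key can seed ipaNTHash.

RFC 4757 defines the rc4-hmac string-to-key as MD4 over the UTF-16LE
password with the salt ignored, which is exactly the NT hash. A pure-Python
MD4 is included because OpenSSL 3 builds of hashlib usually lack it.
handle_ipanthash_premod() is a simplified model of the 'MagicRegen'
behaviour from the cover letter; the entry layout, the plaintext keys and
the error policy are assumptions for illustration.
"""
import struct

ENCTYPE_ARCFOUR_HMAC = 23          # Kerberos enctype number for rc4-hmac
MAGIC_REGEN = b"MagicRegen"


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (little-endian words, 64-byte blocks)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # pad to 56 mod 64 bytes, then append the bit length as little-endian u64
    msg = (data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
           + struct.pack("<Q", 8 * len(data)))
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
         (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
         (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = _lrot((a + f(b, c, d) + X[k] + const) & 0xFFFFFFFF,
                          shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate so the next step updates the next word
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE encoded password, no salt."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_string_to_key(password: str, salt: str = "") -> bytes:
    """RFC 4757 string-to-key for enctype 23; the salt is deliberately ignored,
    which is why the result is byte-for-byte the NT hash."""
    return md4(password.encode("utf-16-le"))


def handle_ipanthash_premod(entry: dict, new_value: bytes) -> dict:
    """Model of the pre-mod check: 'replace ipaNTHash: MagicRegen' on an entry
    with no ipaNTHash is turned into a copy of the rc4-hmac key.

    `entry` is an assumed in-memory form:
        {"ipaNTHash": bytes | None, "krbPrincipalKey": [(enctype, keybytes), ...]}
    with the keys already unwrapped (the real KDB stores them encrypted with
    the master key). Raises ValueError when the request cannot be honoured
    (assumed policy; the cover letter only says when regeneration happens).
    """
    if new_value != MAGIC_REGEN:
        entry["ipaNTHash"] = new_value          # ordinary write, passed through (assumption)
        return entry
    if entry.get("ipaNTHash"):
        raise ValueError("ipaNTHash already set; refusing to regenerate")
    for enctype, key in entry.get("krbPrincipalKey", []):
        if enctype == ENCTYPE_ARCFOUR_HMAC:
            entry["ipaNTHash"] = key            # the rc4-hmac key *is* the NT hash
            return entry
    raise ValueError("no rc4-hmac key available; user must reset the password")
```

The two failure paths are the ones the cover letter's conditions imply: an entry that already carries an ipaNTHash is left alone, and an entry whose Kerberos keys were generated without rc4-hmac cannot be helped this way, so that user still has to reset their password.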
From c3d1c24413698e6d371b1de17b6efde9e1b7acb0 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Fri, 6 Jul 2012 11:15:15 -0400
Subject: [PATCH 1/7] Move code into common krb5 utils
This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all IPA components.
---
daemons/ipa-kdb/ipa_kdb_principals.c | 148 ++---
util/ipa_krb5.c | 150 ++
util/ipa_krb5.h |2 +
3 files changed, 159 insertions(+), 141 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index d87d6fe9f82b479db6ab8e6b59a8b5ee580b9a27..6f8b296fa4cb19cbfe5c37536316d6f0e7f83b9c 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -205,152 +205,18 @@ static int ipadb_ldap_attr_to_key_data(LDAP *lcontext, LDAPMessage *le,
krb5_kvno *res_mkvno)
{
struct berval **vals;
-krb5_key_data *keys = NULL;
-BerElement *be = NULL;
-void *tmp;
-int i = 0;
-int ret = ENOENT;
+int mkvno;
+int ret;
vals = ldap_get_values_len(lcontext, le, attrname);
-if (vals) {
-ber_tag_t tag;
-ber_int_t major_vno;
-ber_int_t minor_vno;
-ber_int_t kvno;
-ber_int_t mkvno;
-ber_int_t type;
-ber_tag_t seqtag;
-ber_len_t seqlen;
-ber_len_t setlen;
-ber_tag_t retag;
-ber_tag_t opttag;
-struct berval tval;
-
-be = ber_alloc_t(LBER_USE_DER);
-if (!be) {
-return ENOMEM;
-}
-
-/* reinit the ber element with the new val */
-ber_init2(be, vals[0], LBER_USE_DER);
-
-/* fill key_data struct with the data */
-retag = ber_scanf(be, {t[i]t[i]t[i]t[i]t[{,
- tag, major_vno,
- tag, minor_vno,
- tag, kvno,
- tag, mkvno,
- seqtag);
-if (retag == LBER_ERROR ||
-major_vno != 1 ||
-minor_vno != 1 ||
-seqtag != (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 4)) {
-ret = EINVAL;
-goto done;
-}
-
-retag = ber_skip_tag(be, seqlen);
-
-/* sequence of keys */
-for (i = 0; retag == LBER_SEQUENCE; i++) {
-
-tmp = realloc(keys, (i + 1) * sizeof(krb5_key_data));
-if (!tmp) {
-ret = ENOMEM;
-goto done;
-}
-keys = tmp;
-
-memset(keys[i], 0, sizeof(krb5_key_data));
-
-keys[i].key_data_kvno = kvno;
-
-/* do we have a salt type ? (optional) */
-retag = ber_scanf(be, t, opttag);
-if (retag == LBER_ERROR) {
-ret = EINVAL;
-goto done;
-}
-if (opttag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0)) {
-keys[i].key_data_ver = 2;
-
-retag = ber_scanf(be, [l{tl[i],
- seqlen, tag, setlen, type);
-if (tag != (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0)) {
-ret = EINVAL;
-goto done;
-}
-keys[i].key_data_type[1] = type;
-
-/* do we have salt data ? (optional) */
-
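Review bot: the optional salt-type branch of the decoder being moved out of this file (the `ber_scanf(be, [l{tl[i], ...)` call followed by `if (tag != (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0))`) never tests `retag` against LBER_ERROR, unlike every other ber_scanf in the function, so a truncated or malformed element leaves `tag` and `type` unset before `keys[i].key_data_type[1] = type;` is reached. Since this code is being relocated into util/ipa_krb5.c for use by every IPA component, the moved copy should add `retag == LBER_ERROR ||` to that condition rather than carry the gap across.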