|
|
|---|
| 37 |
from optparse import OptionParser |
37 |
from optparse import OptionParser |
| 38 |
import tempfile |
38 |
import tempfile |
| 39 |
import os |
39 |
import os |
|
|
40 |
from univention.config_registry import ConfigRegistry |
| 40 |
|
41 |
|
| 41 |
parser = OptionParser() |
42 |
parser = OptionParser() |
| 42 |
parser.add_option("-k", "--keytab", dest="keytab", help="write keytab to FILE", metavar="FILE") |
43 |
parser.add_option("-k", "--keytab", dest="keytab", help="write keytab to FILE", metavar="FILE") |
|
|
|---|
| 58 |
if not options.password: |
59 |
if not options.password: |
| 59 |
parser.error("password argument missing") |
60 |
parser.error("password argument missing") |
| 60 |
|
61 |
|
|
|
62 |
configRegistry = ConfigRegistry() |
| 63 |
configRegistry.load() |
| 64 |
|
| 61 |
keytab_filename = options.keytab |
65 |
keytab_filename = options.keytab |
| 62 |
|
66 |
|
| 63 |
krb5_context = heimdal.context() |
67 |
krb5_context = heimdal.context() |
| 64 |
permitted_enctypes = krb5_context.get_permitted_enctypes() |
68 |
|
|
|
69 |
# Heimdal doesn't ignores the "permitted_enctypes" in krb5.conf during the get_permitted_enctypes() call, so we have to filter explicitly: |
| 70 |
ucr_permitted_enctypes = configRegistry.get('kerberos/defaults/enctypes/permitted', |
| 71 |
'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1') |
| 72 |
ucr_permitted_enctypes_list = ucr_permitted_enctypes.split() |
| 73 |
|
| 74 |
def is_permitted_enctype(etype): |
| 75 |
return str(etype) in ucr_permitted_enctypes_list |
| 76 |
permitted_enctypes = filter(is_permitted_enctype, krb5_context.get_permitted_enctypes()) |
| 77 |
|
| 65 |
permitted_enctypes.reverse() |
78 |
permitted_enctypes.reverse() |
| 66 |
temp_keytab_filename = tempfile.mktemp() |
79 |
temp_keytab_filename = tempfile.mktemp() |
| 67 |
for krb5_enctype in permitted_enctypes: |
80 |
for krb5_enctype in permitted_enctypes: |