|
37 |
from optparse import OptionParser |
37 |
from optparse import OptionParser |
38 |
import tempfile |
38 |
import tempfile |
39 |
import os |
39 |
import os |
|
|
40 |
from univention.config_registry import ConfigRegistry |
40 |
|
41 |
|
41 |
parser = OptionParser() |
42 |
parser = OptionParser() |
42 |
parser.add_option("-k", "--keytab", dest="keytab", help="write keytab to FILE", metavar="FILE") |
43 |
parser.add_option("-k", "--keytab", dest="keytab", help="write keytab to FILE", metavar="FILE") |
|
58 |
if not options.password: |
59 |
if not options.password: |
59 |
parser.error("password argument missing") |
60 |
parser.error("password argument missing") |
60 |
|
61 |
|
|
|
62 |
configRegistry = ConfigRegistry() |
63 |
configRegistry.load() |
64 |
|
61 |
keytab_filename = options.keytab |
65 |
keytab_filename = options.keytab |
62 |
|
66 |
|
63 |
krb5_context = heimdal.context() |
67 |
krb5_context = heimdal.context() |
64 |
permitted_enctypes = krb5_context.get_permitted_enctypes() |
68 |
|
|
|
69 |
# Heimdal doesn't ignores the "permitted_enctypes" in krb5.conf during the get_permitted_enctypes() call, so we have to filter explicitly: |
70 |
ucr_permitted_enctypes = configRegistry.get('kerberos/defaults/enctypes/permitted', |
71 |
'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1') |
72 |
ucr_permitted_enctypes_list = ucr_permitted_enctypes.split() |
73 |
|
74 |
def is_permitted_enctype(etype): |
75 |
return str(etype) in ucr_permitted_enctypes_list |
76 |
permitted_enctypes = filter(is_permitted_enctype, krb5_context.get_permitted_enctypes()) |
77 |
|
65 |
permitted_enctypes.reverse() |
78 |
permitted_enctypes.reverse() |
66 |
temp_keytab_filename = tempfile.mktemp() |
79 |
temp_keytab_filename = tempfile.mktemp() |
67 |
for krb5_enctype in permitted_enctypes: |
80 |
for krb5_enctype in permitted_enctypes: |
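Review bot: The fallback passed to `configRegistry.get('kerberos/defaults/enctypes/permitted', ...)` on new lines 70–71 still lists `arcfour-hmac-md5`, `des-cbc-crc`, `des-cbc-md5`, `des-cbc-md4` and the `des3-*` types, so on a host where that UCR key is unset the new filter keeps every deprecated single-DES and RC4 enctype Heimdal offers and the loop below presumably writes keytab keys for them; consider narrowing the default to the AES types, or adding a comment stating why the legacy types are retained. `permitted_enctypes = filter(is_permitted_enctype, ...)` on line 76 followed by the existing `permitted_enctypes.reverse()` only works where `filter` returns a list (Python 2); if this script is meant to run under Python 3 it should be `permitted_enctypes = [e for e in krb5_context.get_permitted_enctypes() if is_permitted_enctype(e)]`. The membership test `str(etype) in ucr_permitted_enctypes_list` presumably relies on the heimdal binding's string form matching the UCR names exactly — worth confirming, since any mismatch silently yields an empty list and a keytab with no entries. The comment on line 69 reads `doesn't ignores`; suggest `# Heimdal doesn't honour "permitted_enctypes" from krb5.conf in get_permitted_enctypes(), so we have to filter explicitly:`.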