Attachment #9391 for bug #46292

Lines 37-42 import binascii Link Here

(-)a/base/univention-heimdal/univention-create-keytab (-1 / +14 lines)
37	from optparse import OptionParser	37	from optparse import OptionParser
38	import tempfile	38	import tempfile
39	import os	39	import os
		40	from univention.config_registry import ConfigRegistry
40		41
41	parser = OptionParser()	42	parser = OptionParser()
42	parser.add_option("-k", "--keytab", dest="keytab", help="write keytab to FILE", metavar="FILE")	43	parser.add_option("-k", "--keytab", dest="keytab", help="write keytab to FILE", metavar="FILE")
Lines 58-67 if not options.kvno: Link Here
58	if not options.password:	59	if not options.password:
59	parser.error("password argument missing")	60	parser.error("password argument missing")
60		61
		62	configRegistry = ConfigRegistry()
		63	configRegistry.load()
		64
61	keytab_filename = options.keytab	65	keytab_filename = options.keytab
62		66
63	krb5_context = heimdal.context()	67	krb5_context = heimdal.context()
64	permitted_enctypes = krb5_context.get_permitted_enctypes()	68
		69	# Heimdal doesn't ignores the "permitted_enctypes" in krb5.conf during the get_permitted_enctypes() call, so we have to filter explicitly:
		70	ucr_permitted_enctypes = configRegistry.get('kerberos/defaults/enctypes/permitted',
		71	'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1')
		72	ucr_permitted_enctypes_list = ucr_permitted_enctypes.split()
		73
		74	def is_permitted_enctype(etype):
		75	return str(etype) in ucr_permitted_enctypes_list
		76	permitted_enctypes = filter(is_permitted_enctype, krb5_context.get_permitted_enctypes())
		77
65	permitted_enctypes.reverse()	78	permitted_enctypes.reverse()
66	temp_keytab_filename = tempfile.mktemp()	79	temp_keytab_filename = tempfile.mktemp()
67	for krb5_enctype in permitted_enctypes:	80	for krb5_enctype in permitted_enctypes:




		password = str(password)
	if not krb5_context:
		krb5_context = heimdal.context()

	# Heimdal doesn't ignores the "permitted_enctypes" in krb5.conf during the get_permitted_enctypes() call, so we have to filter explicitly:
	ucr_permitted_enctypes = configRegistry.get('kerberos/defaults/enctypes/permitted',
			'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1')
	ucr_permitted_enctypes_list = ucr_permitted_enctypes.split()

	def is_permitted_enctype(etype):
		return str(etype) in ucr_permitted_enctypes_list
	permitted_enctypes = filter(is_permitted_enctype, krb5_context.get_permitted_enctypes())

	for krb5_etype in permitted_enctypes:
		if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True):
			continue
		krb5_principal = heimdal.principal(krb5_context, principal)

Return to bug 46292

Lines 97-103 def krb5_asn1(principal, password, krb5_context=None): Link Here

(-)a/management/univention-directory-manager-modules/modules/univention/admin/password.py (-1 / +11 lines)
97	password = str(password)	97	password = str(password)
98	if not krb5_context:	98	if not krb5_context:
99	krb5_context = heimdal.context()	99	krb5_context = heimdal.context()
100	for krb5_etype in krb5_context.get_permitted_enctypes():	100
		101	# Heimdal doesn't ignores the "permitted_enctypes" in krb5.conf during the get_permitted_enctypes() call, so we have to filter explicitly:
		102	ucr_permitted_enctypes = configRegistry.get('kerberos/defaults/enctypes/permitted',
		103	'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1')
		104	ucr_permitted_enctypes_list = ucr_permitted_enctypes.split()
		105
		106	def is_permitted_enctype(etype):
		107	return str(etype) in ucr_permitted_enctypes_list
		108	permitted_enctypes = filter(is_permitted_enctype, krb5_context.get_permitted_enctypes())
		109
		110	for krb5_etype in permitted_enctypes:
101	if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True):	111	if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True):
102	continue	112	continue
103	krb5_principal = heimdal.principal(krb5_context, principal)	113	krb5_principal = heimdal.principal(krb5_context, principal)