Univention Bugzilla – Attachment 10150 Details for
Bug 49964
S4-Connector: Allow missing NT-Hash (sambaNTpassword)
[patch]
s4c_allow_missing_nthash.patch
s4c_allow_missing_nthash.patch (text/plain), 5.01 KB, created by
Arvid Requate
on 2019-08-05 16:01:43 CEST
Description:
s4c_allow_missing_nthash.patch
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2019-08-05 16:01:43 CEST
Size:
5.01 KB
patch
obsolete
>diff --git a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
>index af7ffbe439..4bd358d24f 100644
>--- a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
>+++ b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
>@@ -565,6 +565,12 @@ def password_sync_ucs_to_s4(s4connector, key, object):
> else:
> ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: Failed to get LM Password-Hash from S4")
>
>+ supplementalCredentials_new = None
>+ if krb5Principal:
>+ # encoding of Samba4 supplementalCredentials
>+ if krb5Key:
>+ supplementalCredentials_new = calculate_supplementalCredentials(krb5Key, supplementalCredentials)
>+
> modlist = []
> if krb5Principal != userPrincipalName_attr:
> if krb5Principal:
>@@ -597,6 +603,17 @@ def password_sync_ucs_to_s4(s4connector, key, object):
> if pwd_set and unicodePwd_new:
> modlist.append((ldap.MOD_REPLACE, 'unicodePwd', unicodePwd_new))
>
>+ if supplementalCredentials_new:
>+ if supplementalCredentials_new != supplementalCredentials:
>+ pwd_set = True
>+ modlist.append((ldap.MOD_REPLACE, 'supplementalCredentials', supplementalCredentials_new))
>+ # if supplementalCredentials:
>+ # modlist.append((ldap.MOD_REPLACE, 'msDS-KeyVersionNumber', krb5KeyVersionNumber))
>+ # else:
>+ # modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber))
>+ else:
>+ ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: no supplementalCredentials_new")
>+
> if not ucsLMhash == s4LMhash:
> ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: LM Hash S4: %s LM Hash UCS: %s" % (s4LMhash, ucsLMhash))
> pwd_set = True
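Review bot: In the second hunk, `if supplementalCredentials_new != supplementalCredentials:` now sets `pwd_set = True`, so any byte-level difference in the blob is treated as a password change; if calculate_supplementalCredentials() (not visible here) does not reproduce the stored S4 value byte-for-byte, every sync run would rewrite supplementalCredentials and, as far as the following hunk shows, pwdLastSet. I would state the assumption above the comparison, e.g. `# relies on calculate_supplementalCredentials() returning the stored blob unchanged when the keys are unchanged`, and log the update without the values, unlike the neighbouring LM-hash debug line, which prints both hashes. The commented-out msDS-KeyVersionNumber lines now sit between the inner `if` and the `else:`; the page has lost indentation, so I cannot tell which `if` the `else:` pairs with, and dropping or moving the dead comments would make that unambiguous. The first hunk's nested `if krb5Principal:` / `if krb5Key:` could be a single `if krb5Principal and krb5Key:`. password_sync_ucs_to_s4 starts and ends outside both hunks.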
>@@ -608,19 +625,6 @@ def password_sync_ucs_to_s4(s4connector, key, object):
> # modlist.append((ldap.MOD_DELETE, 'dBCSPwd', dBCSPwd_attr))
>
> if pwd_set or not supplementalCredentials:
>- if krb5Principal:
>- # encoding of Samba4 supplementalCredentials
>- if krb5Key:
>- supplementalCredentials_new = calculate_supplementalCredentials(krb5Key, supplementalCredentials)
>- if supplementalCredentials_new:
>- modlist.append((ldap.MOD_REPLACE, 'supplementalCredentials', supplementalCredentials_new))
>- else:
>- ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: no supplementalCredentials_new")
>- # if supplementalCredentials:
>- # modlist.append((ldap.MOD_REPLACE, 'msDS-KeyVersionNumber', krb5KeyVersionNumber))
>- # else:
>- # modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber))
>-
> if sambaPwdLastSet is None:
> sambaPwdLastSet = int(time.time())
> newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet))
>@@ -689,15 +693,17 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
> s4_search_attributes = res[0][1]
>
> unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0]
>- if unicodePwd_attr:
>- ntPwd = binascii.b2a_hex(unicodePwd_attr).upper()
>+ supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0]
>+ if supplementalCredentials or unicodePwd_attr:
>+ ntPwd = ''
>+ if unicodePwd_attr:
>+ ntPwd = binascii.b2a_hex(unicodePwd_attr).upper()
>
> lmPwd = ''
> dBCSPwd = s4_search_attributes.get('dBCSPwd', [None])[0]
> if dBCSPwd:
> lmPwd = binascii.b2a_hex(dBCSPwd).upper()
>
>- supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0]
> msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0]
>
> ntPwd_ucs = ''
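Review bot: The new `ntPwd = ''` default in the password_sync_s4_to_ucs hunk carries no comment on what an empty value means downstream. The later `if ntPwd != ntPwd_ucs:` (visible in the next hunk) would then write an empty sambaNTPassword, i.e. drop the NT hash stored in UCS whenever S4 returns supplementalCredentials but no unicodePwd. If that is the intent of this bug, a comment such as `# no NT hash in S4: an empty ntPwd removes sambaNTPassword in UCS` would make it explicit. A `ud.debug(ud.LDAP, ud.INFO, ...)` line for that branch would also help, since an attribute that is absent and one that was merely not returned by the search presumably look the same here. The function starts and ends outside the hunk.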
>@@ -732,25 +738,29 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
> userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0]
> krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0]
>
>+ krb5Key_new = ''
>+ if supplementalCredentials:
>+ if krb5Principal:
>+ # decoding of Samba4 supplementalCredentials
>+ krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber))
>+
> pwd_changed = False
> if ntPwd != ntPwd_ucs:
> pwd_changed = True
> modlist.append(('sambaNTPassword', ntPwd_ucs, str(ntPwd)))
>
>- if lmPwd != lmPwd_ucs:
>- pwd_changed = True
>- modlist.append(('sambaLMPassword', lmPwd_ucs, str(lmPwd)))
>-
>- if pwd_changed:
>+ if supplementalCredentials != krb5Key_new:
> if krb5Principal:
>- # decoding of Samba4 supplementalCredentials
>- krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber))
>-
>+ pwd_changed = True
> modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new))
> if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber):
> modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber))
>
>- # Append modification as well to modlist, to apply in one transaction
>+ if lmPwd != lmPwd_ucs:
>+ pwd_changed = True
>+ modlist.append(('sambaLMPassword', lmPwd_ucs, str(lmPwd)))
>+
>+ if pwd_changed:
> if modifyUserPassword:
> modlist.append(('userPassword', userPassword_ucs, '{K5KEY}'))
> else:
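Review bot: `if supplementalCredentials != krb5Key_new:` compares the raw S4 supplementalCredentials value with the output of calculate_krb5key(), which are presumably different encodings, so the test looks true on almost every run; `pwd_changed` and the `userPassword` write of `{K5KEY}` would then fire on each sync for any user with a krb5Principal. When S4 returns unicodePwd but no supplementalCredentials, `krb5Key_new` stays `''` and `None != ''` still holds, so the `krb5Key` modification appears to replace the UCS keys with an empty value, where the old code called calculate_krb5key() regardless. Comparing like with like seems intended, something like `if krb5Principal and krb5Key_new and krb5Key_new != krb5Key_ucs:`, adjusted to the types of those two values, which are not visible here. calculate_krb5key() can now also receive `unicodePwd_attr` as None; whether it tolerates that is outside the hunk, as are the start and end of password_sync_s4_to_ucs.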