Univention Bugzilla – Attachment 10304 Details for
Bug 50492
Windows login fails in UCS Samba/AD domain after changing password in MS AD domain
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
adapted patch 92_allow_missing_des-cbc to allow every combination of keys
92_allow_missing_des-cbc.quilt (text/plain), 4.11 KB, created by
Julia Bremer
on 2020-03-06 17:53:27 CET
(
hide
)
Description:
adapted patch 92_allow_missing_des-cbc to allow every combination of keys
Filename:
MIME Type:
Creator:
Julia Bremer
Created:
2020-03-06 17:53:27 CET
Size:
4.11 KB
patch
obsolete
>Index: samba-4.10.1/source4/dsdb/samdb/ldb_modules/password_hash.c >=================================================================== >--- samba-4.10.1.orig/source4/dsdb/samdb/ldb_modules/password_hash.c >+++ samba-4.10.1/source4/dsdb/samdb/ldb_modules/password_hash.c >@@ -334,16 +336,6 @@ static int password_hash_bypass(struct l > "Primary:Packages missing"); > } > >- if (scpk == NULL) { >- /* >- * If Primary:Kerberos is missing w2k8r2 reboots >- * when a password is changed. >- */ >- return ldb_error(ldb, >- LDB_ERR_CONSTRAINT_VIOLATION, >- "Primary:Kerberos missing"); >- } >- > if (scpp) { > struct package_PackagesBlob *p; > uint32_t n; >@@ -407,34 +399,11 @@ static int password_hash_bypass(struct l > "PrimaryKerberos strlen(salt) == 0"); > } > >- if (k->ctr.ctr3.num_keys != 2) { >- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, >- "PrimaryKerberos num_keys != 2"); >- } >- > if (k->ctr.ctr3.num_old_keys > k->ctr.ctr3.num_keys) { > return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, > "PrimaryKerberos num_old_keys > num_keys"); > } > >- if (k->ctr.ctr3.keys[0].keytype != ENCTYPE_DES_CBC_MD5) { >- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, >- "PrimaryKerberos key[0] != DES_CBC_MD5"); >- } >- if (k->ctr.ctr3.keys[1].keytype != ENCTYPE_DES_CBC_CRC) { >- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, >- "PrimaryKerberos key[1] != DES_CBC_CRC"); >- } >- >- if (k->ctr.ctr3.keys[0].value_len != 8) { >- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, >- "PrimaryKerberos key[0] value_len != 8"); >- } >- if (k->ctr.ctr3.keys[1].value_len != 8) { >- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, >- "PrimaryKerberos key[1] value_len != 8"); >- } >- > for (i = 0; i < k->ctr.ctr3.num_old_keys; i++) { > if (k->ctr.ctr3.old_keys[i].keytype == > k->ctr.ctr3.keys[i].keytype && >@@ -442,6 +411,10 @@ static int password_hash_bypass(struct l > k->ctr.ctr3.keys[i].value_len) { > continue; > } >+ if (k->ctr.ctr3.old_keys[i].keytype == DUMMY_NTHASH_KEYTYPE || >+ k->ctr.ctr3.keys[i].keytype == DUMMY_NTHASH_KEYTYPE) { >+ continue; >+ } > > return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, > "PrimaryKerberos old_keys type/value_len doesn't match"); >@@ -480,11 +453,6 @@ static int password_hash_bypass(struct l > "KerberosNewerKeys strlen(salt) == 0"); > } > >- if (k->ctr.ctr4.num_keys != 4) { >- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, >- "KerberosNewerKeys num_keys != 2"); >- } >- > if (k->ctr.ctr4.num_old_keys > k->ctr.ctr4.num_keys) { > return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, > "KerberosNewerKeys num_old_keys > num_keys"); >@@ -495,23 +463,6 @@ static int password_hash_bypass(struct l > "KerberosNewerKeys num_older_keys > num_old_keys"); > } > >- if (k->ctr.ctr4.keys[0].keytype != ENCTYPE_AES256_CTS_HMAC_SHA1_96) { >- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, >- "KerberosNewerKeys key[0] != AES256"); >- } >- if (k->ctr.ctr4.keys[1].keytype != ENCTYPE_AES128_CTS_HMAC_SHA1_96) { >- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, >- "KerberosNewerKeys key[1] != AES128"); >- } >- if (k->ctr.ctr4.keys[2].keytype != ENCTYPE_DES_CBC_MD5) { >- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, >- "KerberosNewerKeys key[2] != DES_CBC_MD5"); >- } >- if (k->ctr.ctr4.keys[3].keytype != ENCTYPE_DES_CBC_CRC) { >- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, >- "KerberosNewerKeys key[3] != DES_CBC_CRC"); >- } >- > if (k->ctr.ctr4.keys[0].value_len != 32) { > return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, > "KerberosNewerKeys key[0] value_len != 32"); >@@ -524,7 +475,8 @@ static int password_hash_bypass(struct l > return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, > "KerberosNewerKeys key[2] value_len != 8"); > } >- if (k->ctr.ctr4.keys[3].value_len != 8) { >+ if (k->ctr.ctr4.keys[3].value_len != 8 && >+ k->ctr.ctr4.keys[3].keytype == ENCTYPE_DES_CBC_CRC) { > return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, > "KerberosNewerKeys key[3] value_len != 8"); > }
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=10304">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 50492
: 10304 |
10306