Univention Bugzilla – Attachment 10306 Details for
Bug 50492
Windows login fails in UCS Samba/AD domain after changing password in MS AD domain
Alternative 14_univention-k5pwd-use-correct-salt.quilt
14_univention-k5pwd-use-correct-salt.quilt (text/plain), 2.67 KB, created by
Arvid Requate
on 2020-03-09 19:25:35 CET
Description:
Alternative 14_univention-k5pwd-use-correct-salt.quilt
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2020-03-09 19:25:35 CET
Size:
2.67 KB
patch
obsolete
>Bug #50492: Use the correct salt for hash comparison, not the default salt.
>
>Index: openldap-2.4.45+dfsg/contrib/slapd-modules/k5pwd/k5pwd.c
>===================================================================
>--- openldap-2.4.45+dfsg.orig/contrib/slapd-modules/k5pwd/k5pwd.c
>+++ openldap-2.4.45+dfsg/contrib/slapd-modules/k5pwd/k5pwd.c
>@@ -155,7 +155,7 @@ static int k5key_chk(
> Attribute *a, *a_krb5PrincipalName;
> krb5_error_code ret;
> krb5_keyblock key;
>- krb5_salt salt;
>+ krb5_salt salt = {0};
> hdb_entry ent;
> int decode_ret;
>
>@@ -201,37 +201,13 @@ static int k5key_chk(
> }
> }
>
>- ret = krb5_get_pw_salt( context, ent.principal, &salt );
> krb5_free_principal( context, ent.principal );
>
>- if (ret) {
>- const char *error_string;
>- error_string = krb5_get_error_message( context, ret );
>- Debug( LDAP_DEBUG_ANY, "%s: k5pwd: "
>- "k5key_chk: krb5_get_pw_salt failed for: %s.\n",
>- op->o_log_prefix, a_krb5PrincipalName->a_vals[0].bv_val, 0 );
>- if (error_string) {
>- Debug( LDAP_DEBUG_ANY, "%s: k5pwd: "
>- "k5key_chk: error_string: %s.\n",
>- op->o_log_prefix, error_string, 0 );
>- krb5_free_error_message(context, error_string);
>- } else {
>- Debug( LDAP_DEBUG_ANY, "%s: k5pwd: "
>- "k5key_chk: ret=%d.\n",
>- op->o_log_prefix, ret, 0 );
>- };
>-
>- rc = LUTIL_PASSWD_ERR;
>- break;
>- }
>-
> a = attr_find( e->e_attrs, ad_krb5Key );
> if ( !a ) break;
>
>- ent.keys.len = 1;
>- ent.keys.val = &ekey;
> decode_ret = decode_Key((unsigned char *) a->a_vals[0].bv_val,
>- (size_t) a->a_vals[0].bv_len, &ent.keys.val[0], &l);
>+ (size_t) a->a_vals[0].bv_len, &ekey, &l);
>
> if (decode_ret) {
> const char *error_string;
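Review bot: `krb5_free_principal( context, ent.principal );` stays at this point while the `krb5_get_pw_salt( context, ent.principal, &salt )` call that used to precede it moves into the `else` branch of the last hunk, so the fallback path for keys without a stored salt reads the principal after it has been released. The free should move below the salt selection (or into the function's cleanup), unless the lines between the two hunks re-populate `ent.principal`, which is not visible here. Separately, with `ent.keys.len = 1;` and `ent.keys.val = &ekey;` removed, the unchanged `hdb_unseal_keys( context, db, &ent )` at the end of the last hunk no longer reaches `ekey`; either keep those two assignments alongside the direct `&ekey` decode or unseal `ekey` explicitly, and confirm `ent` is zero-initialised, since its initialisation is outside the hunk.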
>@@ -254,6 +230,32 @@ static int k5key_chk(
> rc = LUTIL_PASSWD_ERR;
> break;
> }
>+ if (ekey.salt) {
>+ salt.saltvalue.data = ekey.salt->salt.data;
>+ salt.saltvalue.length = ekey.salt->salt.length;
>+ salt.salttype = KRB5_PW_SALT;
>+ } else {
>+ ret = krb5_get_pw_salt( context, ent.principal, &salt );
>+ if (ret) {
>+ const char *error_string;
>+ error_string = krb5_get_error_message( context, ret );
>+ Debug( LDAP_DEBUG_ANY, "%s: k5pwd: "
>+ "k5key_chk: krb5_get_pw_salt failed for: %s.\n",
>+ op->o_log_prefix, a_krb5PrincipalName->a_vals[0].bv_val, 0 );
>+ if (error_string) {
>+ Debug( LDAP_DEBUG_ANY, "%s: k5pwd: "
>+ "k5key_chk: error_string: %s.\n",
>+ op->o_log_prefix, error_string, 0 );
>+ krb5_free_error_message(context, error_string);
>+ } else {
>+ Debug( LDAP_DEBUG_ANY, "%s: k5pwd: "
>+ "k5key_chk: ret=%d.\n",
>+ op->o_log_prefix, ret, 0 );
>+ };
>+
>+ rc = LUTIL_PASSWD_ERR;
>+ break;
>+ }
>
> if ( db->HDB_MASTER_KEY_SET )
> hdb_unseal_keys( context, db, &ent );
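Review bot: The added `} else {` is never closed: the `+ }` after `break;` closes `if (ret) {`, and the hunk's line counts (6 old, 32 new) leave no room for another brace, so as posted the file either fails to compile or pulls the following `hdb_unseal_keys` statement into the fallback branch; add a second `}` after the `if (ret)` block. In the `if (ekey.salt)` branch `salt.saltvalue.data` aliases memory owned by `ekey`, so if the cleanup outside this hunk releases both `salt` (for example with `krb5_free_salt`) and `ekey`, the same buffer is freed twice; record that the salt is borrowed and skip its free, or copy the bytes. Setting `salt.salttype = KRB5_PW_SALT` unconditionally also ignores whatever salt type is stored with the key, which deserves a comment such as `/* stored salt is always a password salt here because ... */` or an explicit check.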