Univention Bugzilla – Attachment 9391 Details for
Bug 46292
4.3 master, 4.2 backup with s4connector, connector on backup segfaults
[patch]
manually_filter_permitted_enctypes.patch
manually_filter_permitted_enctypes.patch (text/plain), 2.95 KB, created by
Arvid Requate
on 2018-02-15 16:47:12 CET
Description:
manually_filter_permitted_enctypes.patch
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2018-02-15 16:47:12 CET
Size:
2.95 KB
patch
obsolete
>diff --git a/base/univention-heimdal/univention-create-keytab b/base/univention-heimdal/univention-create-keytab
>index 8a9960b476..e4f35d4490 100755
>--- a/base/univention-heimdal/univention-create-keytab
>+++ b/base/univention-heimdal/univention-create-keytab
>@@ -37,6 +37,7 @@ import binascii
> from optparse import OptionParser
> import tempfile
> import os
>+from univention.config_registry import ConfigRegistry
>
> parser = OptionParser()
> parser.add_option("-k", "--keytab", dest="keytab", help="write keytab to FILE", metavar="FILE")
>@@ -58,10 +59,22 @@ if not options.kvno:
> if not options.password:
> parser.error("password argument missing")
>
>+configRegistry = ConfigRegistry()
>+configRegistry.load()
>+
> keytab_filename = options.keytab
>
> krb5_context = heimdal.context()
>-permitted_enctypes = krb5_context.get_permitted_enctypes()
>+
>+# Heimdal doesn't ignores the "permitted_enctypes" in krb5.conf during the get_permitted_enctypes() call, so we have to filter explicitly:
>+ucr_permitted_enctypes = configRegistry.get('kerberos/defaults/enctypes/permitted',
>+ 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1')
>+ucr_permitted_enctypes_list = ucr_permitted_enctypes.split()
>+
>+def is_permitted_enctype(etype):
>+ return str(etype) in ucr_permitted_enctypes_list
>+permitted_enctypes = filter(is_permitted_enctype, krb5_context.get_permitted_enctypes())
>+
> permitted_enctypes.reverse()
> temp_keytab_filename = tempfile.mktemp()
> for krb5_enctype in permitted_enctypes:
>diff --git a/management/univention-directory-manager-modules/modules/univention/admin/password.py b/management/univention-directory-manager-modules/modules/univention/admin/password.py
>index 9979aac916..32978fc6f7 100644
>--- a/management/univention-directory-manager-modules/modules/univention/admin/password.py
>+++ b/management/univention-directory-manager-modules/modules/univention/admin/password.py
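Review bot: Nothing in the second hunk of univention-create-keytab handles the case where the filter leaves no enctypes: `str(etype) in ucr_permitted_enctypes_list` is an exact string match, so a `kerberos/defaults/enctypes/permitted` value with a typo or a different spelling drops every enctype and the `for krb5_enctype in permitted_enctypes:` loop (its body is outside the hunk) runs zero times without any error. A guard right after the filter would make that visible, e.g. `if not permitted_enctypes: parser.error("no enctype left after applying kerberos/defaults/enctypes/permitted")`. The same silent-empty case applies to the filter added to `krb5_asn1` in password.py. The hard-coded fallback also still lists the single-DES types and `arcfour-hmac-md5`, so with the variable unset the filter does not exclude those weak key types; if that is kept for compatibility, a comment saying so would help the next reader.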
>@@ -97,7 +97,17 @@ def krb5_asn1(principal, password, krb5_context=None):
> password = str(password)
> if not krb5_context:
> krb5_context = heimdal.context()
>- for krb5_etype in krb5_context.get_permitted_enctypes():
>+
>+ # Heimdal doesn't ignores the "permitted_enctypes" in krb5.conf during the get_permitted_enctypes() call, so we have to filter explicitly:
>+ ucr_permitted_enctypes = configRegistry.get('kerberos/defaults/enctypes/permitted',
>+ 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1')
>+ ucr_permitted_enctypes_list = ucr_permitted_enctypes.split()
>+
>+ def is_permitted_enctype(etype):
>+ return str(etype) in ucr_permitted_enctypes_list
>+ permitted_enctypes = filter(is_permitted_enctype, krb5_context.get_permitted_enctypes())
>+
>+ for krb5_etype in permitted_enctypes:
> if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True):
> continue
> krb5_principal = heimdal.principal(krb5_context, principal)
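Review bot: With the fallback default used here, `des3-cbc-md5` is not in `ucr_permitted_enctypes_list`, so the existing `if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True)` check can no longer be reached unless that enctype is also listed in `kerberos/defaults/enctypes/permitted`. That changes what `password/krb5/enctype/des3-cbc-md5` controls and should be stated next to the check, for instance `# des3-cbc-md5 is only considered when it is also listed in kerberos/defaults/enctypes/permitted`. The default string is a second copy of the literal in univention-create-keytab and the two can drift apart; a module-level constant in this file would at least keep it out of the function body. The comment wording "doesn't ignores" appears to say the opposite of what the code works around; `# Heimdal ignores "permitted_enctypes" from krb5.conf in get_permitted_enctypes(), so filter explicitly:` reads correctly. `krb5_asn1` starts and ends outside the hunk.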
Attachments on
bug 46292
: 9391 |
9392
|
9393