Univention Bugzilla – Attachment 9405 Details for
Bug 32082
krb5 key version (kvno) not synchronous in Samba4 and OpenLDAP
[patch]
s4connector_sync_to_ucs_KeyVersionNumber.patch
s4connector_sync_to_ucs_KeyVersionNumber.patch (text/plain), 5.63 KB, created by
Arvid Requate
on 2018-02-21 14:56:10 CET
Description:
s4connector_sync_to_ucs_KeyVersionNumber.patch
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2018-02-21 14:56:10 CET
Size:
5.63 KB
patch
obsolete
>diff --git a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
>index 0622a89d4d..a441f52451 100644
>--- a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
>+++ b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
>@@ -668,11 +668,6 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
> object = s4connector._object_mapping(key, ucs_object, 'ucs')
> s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['objectSid', 'pwdLastSet'])
>
>- if s4connector.isInCreationList(object['dn']):
>- s4connector.removeFromCreationList(object['dn'])
>- ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Synchronisation of password has been canceled. Object was just created.")
>- return
>-
> pwdLastSet = None
> if 'pwdLastSet' in s4_object_attributes:
> pwdLastSet = long(s4_object_attributes['pwdLastSet'][0])
>@@ -683,11 +678,35 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
> # if s4_object_attributes.has_key('objectSid'):
> # rid = str(univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]).split('-')[-1])
>
>+ ### get current Samba/AD attribute values
> filter_expr = format_escaped('(objectSid={0!e})', objectSid)
> res = s4connector.lo_s4.search(filter=filter_expr, attr=['unicodePwd', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd'])
> s4_search_attributes = res[0][1]
>-
>+ msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0]
>+ supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0]
> unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0]
>+
>+ ### get current OpenLDAP attribute values
>+ ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaPwdMustChange', 'sambaPwdLastSet', 'sambaNTPassword', 'sambaLMPassword', 'krb5PrincipalName', 'krb5Key', 'krb5KeyVersionNumber', 'userPassword', 'shadowLastChange', 'shadowMax', 'krb5PasswordEnd', 'univentionService'])
>+ krb5Principal = ucs_object_attributes.get('krb5PrincipalName', [''])[0]
>+ krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0]
>+ krb5Key_ucs = ucs_object_attributes.get('krb5Key', [])
>+
>+ ### First handle the KeyVersionNumber, even if the user was just created
>+ modlist = []
>+ if krb5Principal:
>+ if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber):
>+ modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber))
>+
>+ if s4connector.isInCreationList(object['dn']):
>+ s4connector.removeFromCreationList(object['dn'])
>+ ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Synchronisation of password has been canceled. Object was just created.")
>+ if len(modlist) > 0:
>+ # ud.debug(ud.LDAP, ud.PROCESS, 'password_sync_s4_to_ucs: Only synchronizing KeyVersionNumber.')
>+ ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: modlist: %s" % modlist)
>+ s4connector.lo.lo.modify(ucs_object['dn'], modlist)
>+ return
>+
> if unicodePwd_attr:
> ntPwd = binascii.b2a_hex(unicodePwd_attr).upper()
>
>@@ -696,15 +715,9 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
> if dBCSPwd:
> lmPwd = binascii.b2a_hex(dBCSPwd).upper()
>
>- supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0]
>- msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0]
>-
> ntPwd_ucs = ''
> lmPwd_ucs = ''
>- krb5Principal = ''
> userPassword = ''
>- modlist = []
>- ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaPwdMustChange', 'sambaPwdLastSet', 'sambaNTPassword', 'sambaLMPassword', 'krb5PrincipalName', 'krb5Key', 'krb5KeyVersionNumber', 'userPassword', 'shadowLastChange', 'shadowMax', 'krb5PasswordEnd', 'univentionService'])
>
> services = ucs_object_attributes.get('univentionService', [])
> if 'S4 SlavePDC' in services:
>@@ -715,8 +728,6 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
> ntPwd_ucs = ucs_object_attributes['sambaNTPassword'][0]
> if 'sambaLMPassword' in ucs_object_attributes:
> lmPwd_ucs = ucs_object_attributes['sambaLMPassword'][0]
>- if 'krb5PrincipalName' in ucs_object_attributes:
>- krb5Principal = ucs_object_attributes['krb5PrincipalName'][0]
> if 'userPassword' in ucs_object_attributes:
> userPassword = ucs_object_attributes['userPassword'][0]
> sambaPwdLastSet = None
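Review bot: `int(krb5KeyVersionNumber)` in the new `if krb5Principal:` block raises TypeError when the OpenLDAP entry carries krb5PrincipalName but no krb5KeyVersionNumber, because the lookup two lines above defaults to `[None]`; before this patch the same comparison only ran on the later key-update path, whereas now it runs on every call, including the just-created path, and an exception here aborts the whole password sync. A guard such as `if krb5KeyVersionNumber is None or int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber):` would treat a missing UCS kvno as out of sync and write Samba's value instead of failing. In the creation path the log line still says the synchronisation "has been canceled" immediately before `s4connector.lo.lo.modify` writes the kvno; the commented-out PROCESS debug beneath it should either replace that message or be dropped rather than stay as dead code. The `### First handle the KeyVersionNumber` comment should also record why writing krb5KeyVersionNumber without touching krb5Key is safe for a just-created object — presumably because both directories derived their keys from the same password at creation, but that assumption is not visible here. password_sync_s4_to_ucs starts and ends outside this hunk.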
>@@ -727,9 +738,7 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
> if 'sambaPwdMustChange' in ucs_object_attributes:
> sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0]
> ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange: %s" % sambaPwdMustChange)
>- krb5Key_ucs = ucs_object_attributes.get('krb5Key', [])
> userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0]
>- krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0]
>
> pwd_changed = False
> if ntPwd != ntPwd_ucs:
>@@ -744,10 +753,7 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
> if krb5Principal:
> # decoding of Samba4 supplementalCredentials
> krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber))
>-
> modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new))
>- if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber):
>- modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber))
>
> # Append modification as well to modlist, to apply in one transaction
> if modifyUserPassword: