Re: smbk5pwd: pass change exop works, {K5KEY} check doesn't [SOLVED]

[Kris Maglione <bsdaemon@comcast.net>]

Kris Maglione wrote:

> I posted this along with another (solved) problem a few weeks back.
>
> I have smbk5pwd with Samba 3 and heimdal 0.6.2 and openldap 2.2.26.
> smbk5pwd.c is revision 1.6
>
> When I set up an account with Samba and Heimdal credentials and perfrom
> a password change exop, both the Samba and Heimdal passwords are
> changes. I can auth against the account via kinit and Samba with the new
> password. The problem is that authenticating against the {K5KEY}
> attribute doesn't work. The callback in smbk5pwd is called, but it
> returns false no matter what.
>
> Also, the pass change exop leaves a hashed password in the userPassword
> field (replacing {K5KEY} anyway). While this is good, since I can't auth
> against LDAP without it for now, it is not ideal. I want to store as few
> versions of a user's password as possible.
>
> The only thing that I've noticed of any possible significance in gdb is
> that the string passed to decode_Key has my Kerberos realm appended to
> the end in lower case.
> Also, it makes it all the way through k5key_chk's last do-while loop. It
> returns LUTIL_PASSWD_ERROR
>
> Thanks for any help
password-hash should be set to {K5KEY}
i.e., in slapd.conf: password-hash        {K5KEY}
This line /must/ come after: moduleload        smbk5pwd.so

The other problem was that I was collecting v5, v4, and afs3 keys. The 
afs3 format was listed first in my krb5.conf, and, thus, generated and 
listed first. The k5key_chk operation checked that key first, and 
interperated it as a v5 key. reversing the order of the list in 
krb5.conf solved the problem. The line should look something like:
[kadmin]
   default_keys = v5 v4 afs3