smbk5pwd: pass change exop works, {K5KEY} check doesn't

I posted this along with another (solved) problem a few weeks back.

I have smbk5pwd with Samba 3 and heimdal 0.6.2 and openldap 2.2.26.
smbk5pwd.c is revision 1.6

When I set up an account with Samba and Heimdal credentials and perform
a password change exop, both the Samba and Heimdal passwords are
changed. I can auth against the account via kinit and Samba with the new
password. The problem is that authenticating against the {K5KEY}
attribute doesn't work. The callback in smbk5pwd is called, but it
returns false no matter what.

Also, the pass change exop leaves a hashed password in the userPassword
field (replacing {K5KEY} anyway). While this is good, since I can't auth
against LDAP without it for now, it is not ideal. I want to store as few
versions of a user's password as possible.

The only thing that I've noticed of any possible significance in gdb is
that the string passed to decode_Key has my Kerberos realm appended to
the end in lower case.
Also, it makes it all the way through k5key_chk's last do-while loop. It

Thanks for any help

