
Re: smbk5pwd: pass change exop works, {K5KEY} check doesn't

Kris Maglione wrote:
 That seems obvious. The problem is, as I said, I can kinit to the
 principal with the password set with the exop. That pretty much rules
 out the kdc using another source. I store the keys in K4, K5, and
 AFS formats, if that makes a difference.

Yes, that makes the difference. The passwd_exop code sets all of the configured keytypes but the check function only checks the first key value, and it assumes it is a K5 key. It doesn't handle K4/AFS salt formats. So it appears that it's trying to apply a K5 salt to a K4/AFS key, which obviously doesn't work. (It *is* called "K5KEY" after all, not something generic like "KRBKEY" because it is only intended for Kerberos 5 keys.)

I guess you should file an ITS; the code should at least make sure that the key it is checking has a type that's compatible with the salt it is generating, instead of blindly applying the K5 salt.

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
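
The mismatch described in the reply above, modelled in C as an added example that is not part of the original message and is not smbk5pwd or Heimdal code. The type names, the toy string-to-key function, the key order and the sample salts are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: these names are not OpenLDAP or Heimdal identifiers. */
#define K5_SALT "EXAMPLE.ORGalice"   /* constructed realm + principal salt */
enum salt_type { SALT_K5, SALT_K4, SALT_AFS3 };
struct stored_key { enum salt_type salt; uint64_t value; };

/* Stand-in for string-to-key (FNV-1a over password, then salt); not Kerberos. */
static uint64_t toy_s2k(const char *pw, const char *salt)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *pw; pw++)     { h ^= (unsigned char)*pw;   h *= 0x100000001b3ULL; }
    for (; *salt; salt++) { h ^= (unsigned char)*salt; h *= 0x100000001b3ULL; }
    return h;
}

/* Constructed sample: one password stored in K4, K5 and AFS forms (order assumed). */
static size_t set_password(struct stored_key *out, const char *pw)
{
    out[0] = (struct stored_key){ SALT_K4,   toy_s2k(pw, "") };
    out[1] = (struct stored_key){ SALT_K5,   toy_s2k(pw, K5_SALT) };
    out[2] = (struct stored_key){ SALT_AFS3, toy_s2k(pw, "example.org") };
    return 3;
}

/* Behaviour described in the reply: first key only, K5 salt applied blindly. */
static int check_first_key(const struct stored_key *k, size_t n, const char *pw)
{
    return n > 0 && k[0].value == toy_s2k(pw, K5_SALT);
}

/* Suggested behaviour: compare only against keys whose salt type is K5. */
static int check_k5_keys(const struct stored_key *k, size_t n, const char *pw)
{
    uint64_t want = toy_s2k(pw, K5_SALT);
    for (size_t i = 0; i < n; i++)
        if (k[i].salt == SALT_K5 && k[i].value == want)
            return 1;
    return 0;
}

int main(void)
{
    struct stored_key keys[3];
    size_t n = set_password(keys, "s3cret");
    printf("first-key: %d  k5-only: %d\n",
           check_first_key(keys, n, "s3cret"), check_k5_keys(keys, n, "s3cret"));
    return 0;
}
```

With the non-K5 key stored first, the first-key check rejects the correct password while the salt-aware check accepts it and still rejects a wrong one.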