Re: smbk5pwd: pass change exop works, {K5KEY} check doesn't

[Howard Chu <hyc@symas.com>]

Kris Maglione wrote:
>  That seems obvious. The problem is, as I said, I can kinit to the
>  principal with the password set with the exop. That pretty much rules
>  out the kdc using another source. I store the keys in K4, K5, and
>  AFS formats, if that makes a difference

Yes, that makes the difference. The passwd_exop code sets all of the 
configured keytypes but the check function only checks the first key 
value, and it assumes it is a K5 key. It doesn't handle K4/AFS salt 
formats. So it appears that it's trying to apply a K5 salt to a K4/AFS 
key, which obviously doesn't work. (It *is* called "K5KEY" after all, 
not something generic like "KRBKEY" because it is only intended for 
Kerberos 5 keys.)

I guess you should file an ITS; the code should at least make sure that 
the key it is checking has a type that's compatible with the salt it is 
generating, instead of blindly applying the K5 salt.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support