[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: smbk5pwd: pass change exop works, {K5KEY} check doesn't [SOLVED]

Kris Maglione wrote:

I posted this along with another (solved) problem a few weeks back.

I have smbk5pwd with Samba 3 and heimdal 0.6.2 and openldap 2.2.26.
smbk5pwd.c is revision 1.6

When I set up an account with Samba and Heimdal credentials and perfrom
a password change exop, both the Samba and Heimdal passwords are
changes. I can auth against the account via kinit and Samba with the new
password. The problem is that authenticating against the {K5KEY}
attribute doesn't work. The callback in smbk5pwd is called, but it
returns false no matter what.

Also, the pass change exop leaves a hashed password in the userPassword
field (replacing {K5KEY} anyway). While this is good, since I can't auth
against LDAP without it for now, it is not ideal. I want to store as few
versions of a user's password as possible.

The only thing that I've noticed of any possible significance in gdb is
that the string passed to decode_Key has my Kerberos realm appended to
the end in lower case.
Also, it makes it all the way through k5key_chk's last do-while loop. It

Thanks for any help

password-hash should be set to {K5KEY}
i.e., in slapd.conf: password-hash        {K5KEY}
This line /must/ come after: moduleload        smbk5pwd.so

The other problem was that I was collecting v5, v4, and afs3 keys. The afs3 format was listed first in my krb5.conf, and, thus, generated and listed first. The k5key_chk operation checked that key first, and interperated it as a v5 key. reversing the order of the list in krb5.conf solved the problem. The line should look something like:
default_keys = v5 v4 afs3