[Freeipa-devel] [PATCHES][RFC] Implement special operation to revoer NT hash for a user

Simo Sorce simo at redhat.com
Wed Jul 11 13:20:41 UTC 2012 

On Wed, 2012-07-11 at 15:41 +0300, Alexander Bokovoy wrote:
> If users don't have RC4-HMAC key and don't have ipaNTHash set, they
> can't log in into smbd anyway until they change their password.

Yes the point is that you may have users you do not want to give a
password to. No need to keep retrying to generate a hash.

> >My idea was that when the ipa trust-add operation is run we execute a
> >magicregen op for the user that run it. Then we can run a process that
> >adds ipaNThash via magicregen for all users we want it to.
> So we get to the same issue of a task run against potentially unbound
> number of users, including replication interaction.
> 
> Instead, a scheme with ipasam-based generator would mean we:
> 1. Fetch the user attributes from LDAP
> 2. Notice ipaNTHash is missing and not disabled
> 3. Issue ipaNTHash update request if (2) is true.
> 
> Maybe we can turn off ipaNTHash from your pre-mod code if there is no
> RC4-HMAC key and ipaNTHash wasn't set? Password change op will get that
> overriden, of course. Then we can rely on it in (2) above.

Not sure what you mean by 'turn off ipaNTHash from your pre-mod code'.

> If we decide to use it in ipasam, extended operation will be simpliest
> thing -- contrary to other approaches which would require two LDAP
> requests. It also allows to return the key in the same go.

True, but it is still required only once per user, in normal course of
action you should always get the ipaNTHash back. Even in the race
condition case the worst that can happen is that you fail auth once.
Given it is not that critical as it can happen only once per user I am
not sure it is worth optimizing for this case and create a whole new
extended operation for it.

> See above. Being able to differentiate cases 
> - RC4-HMAC is missing, no automatic ipaNTHash generation
> - RC4-HMAC is available, generate ipaNTHash
> - ipaNTHash is generated via password change
> 
> is worth it because it allows to avoid additional roundtrips from
> ipasam and still be able to avoid generator tasks.

It still doesn't give you much, there are 2 cases:

1) For users that are supposed to have the ipaNTHash, you will go
through this operation *once* in the lifetime of a pre-existing user
(new users get ipaNTHash immediately).

2) For users that will never get the ipaNTHash will simply never have
it, you only keep repeating this operation and then fail authentication
as you won't get back a valid hash, I do not think optimizing this
failure case is worth a full extop.

The generator task is not strictly necessary, it's an option, you can
make the 2 roundtrips in ipasam (I think I will have to relax
permissions to allow you to do that as a cifs/fqdn principal) once per
user, doesn't look like a big deal.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list