[Freeipa-devel] [PATCHES][RFC] Implement special operation to recover NT hash for a user

Simo Sorce simo at redhat.com
Thu Jul 12 12:08:02 UTC 2012


On Thu, 2012-07-12 at 10:48 +0300, Alexander Bokovoy wrote:
> On Wed, 11 Jul 2012, Simo Sorce wrote:
> >From 84ef09a1193ff42fc301fb71354055c5039f51a5 Mon Sep 17 00:00:00 2001
> >From: Simo Sorce <ssorce at redhat.com>
> >Date: Fri, 6 Jul 2012 16:18:29 -0400
> >Subject: [PATCH] Add special modify op to regen ipaNTHash
> >
> >The NT Hash is the same thing as the RC4-HMAC key, so we add a function to
> >extract it from krb5 keys if they are available to avoid forcing a password
> >change when configuring trust relationships.
> >---
> > .../ipa-pwd-extop/ipapwd_prepost.c                 |  147 +++++++++++++++++++-
> > 1 file changed, 144 insertions(+), 3 deletions(-)
> >
> >diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
> >index deae6477772f82edcc4674a1c9580661c3dae94b..24fa52eb9ac92004576ccdba4f576162c358770d 100644
> >--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
> >+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
> >@@ -41,7 +41,12 @@
> > #  include <config.h>
> > #endif
> > 
> >-#define _XOPEN_SOURCE /* strptime needs this */
> >+/* strptime needs _XOPEN_SOURCE and endian.h needs __USE_BSD
> >+ * _GNU_SOURCE imply both, and we use it elsewhere, so use this */
> >+#ifndef _GNU_SOURCE
> >+#define _GNU_SOURCE 1
> >+#endif
> >+
> > #include <stdio.h>
> > #include <string.h>
> > #include <strings.h>
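Review bot: The comment added above `#define _GNU_SOURCE 1` names `__USE_BSD`, which is an internal glibc macro set by features.h rather than a feature-test macro callers are meant to rely on; the comment should name the public macro instead and read "_GNU_SOURCE implies both". The define only takes effect if no system header has been included before it, so it is worth confirming that `config.h`, included just above, does not pull any in.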
> >@@ -53,6 +58,7 @@
> > #include <dirsrv/slapi-plugin.h>
> > #include <lber.h>
> > #include <time.h>
> >+#include <endian.h>
> > 
> > #include "ipapwd.h"
> > #include "util.h"
> >@@ -379,6 +385,12 @@ done:
> >     return 0;
> > }
> > 
> >+#define NTHASH_REGEN_VAL "MagicRegen"
> >+#define NTHASH_REGEN_LEN sizeof(NTHASH_REGEN_VAL)
> >+static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
> >+                               char *dn, struct slapi_entry *entry,
> >+                               struct ipapwd_krbcfg *krbcfg);
> >+
> > /* PRE MOD Operation:
> >  * Gets the clean text password (fail the operation if the password came
> >  * pre-hashed, unless this is a replicated operation).
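Review bot: `NTHASH_REGEN_LEN` is defined as `sizeof(NTHASH_REGEN_VAL)`, which counts the terminating NUL of the string literal, so it evaluates to 11 rather than the 10 characters of "MagicRegen". If it is later compared against a berval length (that comparison is not in the lines shown here), a client sending the bare string without a trailing NUL would not match. Suggest `(sizeof(NTHASH_REGEN_VAL) - 1)`, with parentheses around the expansion, or a comment stating that the NUL is counted on purpose. A short comment on what the magic value triggers would also help, since the only explanation is in the commit message.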
> >@@ -407,6 +419,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
> >     int has_krb_keys = 0;
> >     int has_history = 0;
> >     int gen_krb_keys = 0;
> >+    int is_magic_regen = 0;
> >     int ret, rc;
> > 
> >     LOG_TRACE( "=>\n");
> >@@ -447,6 +460,27 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
> >             default:
> >                 break;
> >             }
> >+        } else if (slapi_attr_types_equivalent(lmod->mod_type, "ipaNTHash")) {
> >+            /* check op filtering out LDAP_MOD_BVALUES */
> >+            switch (lmod->mod_op & 0x0f) {
> >+            case LDAP_MOD_REPLACE:
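Review bot: `lmod->mod_op & 0x0f` in the new `ipaNTHash` branch uses a bare hex mask while the comment says the intent is to filter out `LDAP_MOD_BVALUES`; expressing the mask in terms of `LDAP_MOD_BVALUES`, or a named constant, would make the code say what the comment says and avoid a second magic number next to `NTHASH_REGEN_VAL`. The switch body is cut off here, so it is not visible what happens for operations other than the accepted one; those should be handled explicitly rather than falling through silently.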
> This is still LDAP_MOD_REPLACE, not LDAP_MOD_ADD.

This is because I resent the old patch :(

Hopefully the correct patch is now attached.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-494-0003-3-Add-special-modify-op-to-regen-ipaNTHash.patch
Type: text/x-patch
Size: 7152 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120712/f8d64c44/attachment.bin>

