[Freeipa-devel] Fix password changes via kadmin

Martin Babinsky mbabinsk at redhat.com
Wed May 27 14:50:59 UTC 2015


On 05/27/2015 04:33 PM, Martin Kosek wrote:
> On 05/27/2015 03:55 PM, Alexander Bokovoy wrote:
>> On Wed, 27 May 2015, Simo Sorce wrote:
>>> On Wed, 2015-05-27 at 15:25 +0200, Martin Babinsky wrote:
>>>> On 05/25/2015 10:48 AM, Martin Babinsky wrote:
>>>>> On 04/06/2015 12:53 AM, Simo Sorce wrote:
>>>>>> Fix for bug 4914.
>>>>>>
>>>>>> I've tested it locally and it seems to do exactly what is needed. I couldn't
>>>>>> detect any side effects, except that if you use kadmin to get a
>>>>>> randomized password for a service then you'll get a key for all
>>>>>> supported types (currently aes256, aes128, des3, rc4, camellia128,
>>>>>> camellia256) instead of just the default ones (aes256, aes128, des3,
>>>>>> rc4) if you do not specify enctypes. I think that is fine, we use
>>>>>> ipa-getkeytab anyway in the normal course of business and that one uses
>>>>>> a different code path.
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Hi Simo,
>>>>>
>>>>> the patch works as expected.
>>>>>
>>>>> My only gripe is with the duplicate code in 'daemons/ipa-kdb/ipa_kdb.c'
>>>>> between lines 389 and 455. It could be made into a single function to
>>>>> get key encoding/salt types from LDAP (see my feeble and untested
>>>>> attempt which I attached).
>>>>>
>>>>>
>>>>>
>>>> ACK.
>>>>
>>>> I will then send the patch fixing duplicate code separately once I
>>>> consult somebody more skilled in C than myself about it.
>>>>
>>>
>>> Thanks, added your reviewed-by and pushed to master.
>>>
>>> Martin, should we push this to other branches too?
>> I think we also need this in 4.1 so that it can go to Fedora, Debian,
>> and RHEL releases.
>
> 4.2 will be released soon, but if you are confident about the patch so that it
> does not break stuff, we may add it to 4.1.x too, given the positive impact.
>
I actually tested it also with the 4.1 branch with no problem.

-- 
Martin^3 Babinsky



