[Freeipa-devel] Fix password changes via kadmin

Milan Kubik mkubik at redhat.com
Fri May 29 12:20:31 UTC 2015


On 05/27/2015 04:50 PM, Martin Babinsky wrote:
> On 05/27/2015 04:33 PM, Martin Kosek wrote:
>> On 05/27/2015 03:55 PM, Alexander Bokovoy wrote:
>>> On Wed, 27 May 2015, Simo Sorce wrote:
>>>> On Wed, 2015-05-27 at 15:25 +0200, Martin Babinsky wrote:
>>>>> On 05/25/2015 10:48 AM, Martin Babinsky wrote:
>>>>>> On 04/06/2015 12:53 AM, Simo Sorce wrote:
>>>>>>> Fix for bug 4914.
>>>>>>>
>>>>>>> I've tested it locally and it seems to do exactly what is needed. I couldn't
>>>>>>> detect any side effects, except that if you use kadmin to get a
>>>>>>> randomized password for a service then you'll get a key for all
>>>>>>> supported types (currently aes256, aes128, des3, rc4, camellia128,
>>>>>>> camellia256) instead of just the default ones (aes256, aes128, des3,
>>>>>>> rc4) if you do not specify enctypes. I think that is fine, we use
>>>>>>> ipa-getkeytab anyway in the normal course of business and that one uses
>>>>>>> a different code path.
>>>>>>>
>>>>>>> Simo.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Hi Simo,
>>>>>>
>>>>>> the patch works as expected.
>>>>>>
>>>>>> My only gripe is with the duplicate code in 'daemons/ipa-kdb/ipa_kdb.c'
>>>>>> between lines 389 and 455. It could be made into a single function to
>>>>>> get key encoding/salt types from LDAP (see my feeble and untested
>>>>>> attempt which I attached).
>>>>>>
>>>>>>
>>>>>>
>>>>> ACK.
>>>>>
>>>>> I will then send the patch fixing duplicate code separately once I
>>>>> consult it with somebody more skilled in C than myself.
>>>>>
>>>>
>>>> Thanks, added your reviewed-by and pushed to master.
>>>>
>>>> Martin, should we push this to other branches too?
>>> I think we also need this in 4.1 so that it can go to Fedora, Debian,
>>> and RHEL releases.
>>
>> 4.2 will be released soon, but if you are confident about the patch so that it
>> does not break stuff, we may add it to 4.1.x too, given the positive impact.
>>
> I actually tested it also with 4.1 branch with no problem.
>
Hello,

there is actually a problem with this patch.

I built it on both branches (to be sure) and the patch causes
ipa-server-install to fail during the provisioning of the directory server
keytab [1] on *Fedora 21*.
The failure is reproducible. Martin was able to reproduce it on F21.
Apparently Martin only tested the patch on F22, where it doesn't cause
any (immediately visible) problems.

[1]: http://paste.fedoraproject.org/226915/90153914/

Milan
