[Freeipa-devel] Fix password changes via kadmin

Simo Sorce simo at redhat.com
Fri May 29 13:30:34 UTC 2015


On Fri, 2015-05-29 at 14:20 +0200, Milan Kubik wrote:
> On 05/27/2015 04:50 PM, Martin Babinsky wrote:
> > On 05/27/2015 04:33 PM, Martin Kosek wrote:
> >> On 05/27/2015 03:55 PM, Alexander Bokovoy wrote:
> >>> On Wed, 27 May 2015, Simo Sorce wrote:
> >>>> On Wed, 2015-05-27 at 15:25 +0200, Martin Babinsky wrote:
> >>>>> On 05/25/2015 10:48 AM, Martin Babinsky wrote:
> >>>>>> On 04/06/2015 12:53 AM, Simo Sorce wrote:
> >>>>>>> Fix for bug 4914.
> >>>>>>>
> >>>>>>> I've tested it locally and it seems to do exactly what is needed. I
> >>>>>>> couldn't detect any side effects, except that if you use kadmin to
> >>>>>>> get a randomized password for a service then you'll get a key for
> >>>>>>> all supported types (currently aes256, aes128, des3, rc4,
> >>>>>>> camellia128, camellia256) instead of just the default ones (aes256,
> >>>>>>> aes128, des3, rc4) if you do not specify enctypes. I think that is
> >>>>>>> fine, we use ipa-getkeytab anyway in the normal course of business
> >>>>>>> and that one uses a different code path.
> >>>>>>>
> >>>>>>> Simo.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>> Hi Simo,
> >>>>>>
> >>>>>> the patch works as expected.
> >>>>>>
> >>>>>> My only gripe is with the duplicate code in
> >>>>>> 'daemons/ipa-kdb/ipa_kdb.c' between lines 389 and 455. It could be
> >>>>>> made into a single function to get key encoding/salt types from LDAP
> >>>>>> (see my feeble and untested attempt which I attached).
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>> ACK.
> >>>>>
> >>>>> I will then send the patch fixing duplicate code separately once I
> >>>>> consult it with somebody more skilled in C than myself.
> >>>>>
> >>>>
> >>>> Thanks, added your reviewed-by and pushed to master.
> >>>>
> >>>> Martin, should we push this to other branches too ?
> >>> I think we also need this in 4.1 so that it can go to Fedora, Debian,
> >>> and RHEL releases.
> >>
> >> 4.2 will be released soon, but if you are confident about the patch so
> >> that it does not break stuff, we may add it to 4.1.x too, given the
> >> positive impact.
> >>
> > I actually tested it also with 4.1 branch with no problem.
> >
> Hello,
> 
> there is actually a problem with this patch.
> 
> I built it on both branches (to be sure) and the patch causes the
> ipa-server-install to fail during the provisioning of directory server
> keytab [1] on *Fedora 21*.
> The failure is reproducible. Martin was able to reproduce it on F21.
> Apparently Martin only tested the patch on F22 where it doesn't cause
> any (immediately visible) problems.
> 
> [1]: http://paste.fedoraproject.org/226915/90153914/

Thanks for specifying it happens only on F21, I have been testing on F22
too and couldn't reproduce.
I will try to take a look ASAP.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



