[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: smbk5pwd: pass change exop works, {K5KEY} check doesn't
Howard Chu wrote:
> These two paragraphs don't make sense. The userPassword will get
> whatever hash is specified by the "password-hash" directive in
> slapd.conf. The only way the k5key_chk function can get called is if
> the hash is actually {K5KEY}. So if you're seeing a different value in
> the userPassword attribute, then your slapd.conf is wrong. And if it
> really is different, then the k5key_chk function will never get
> invoked. If k5key_chk is actually executing, then that means the
> userPassword value *is* {K5KEY}.
I'm sorry I didn't explain that better. I set the value back to {K5KEY}
after the exop changed it. I've read in several places that
"password-hash" had to be set to {CLEARTEXT} for this module to work,
but that stored the cleartext password. I tried setting it to {K5KEY},
but that didn't work.
>
> If it makes it all the way to the end and returns ERROR then that
> means the password you specified didn't match the one that was stored.
That seems obvious. The problem is, as I said, I can kinit to the
principal with the password set with the exop. That pretty much rules
out the kdc using another source. I store the keys in K4, K5, and AFS
formats, if that makes a difference
>
> decode_Key has nothing to do with the encryption mechanism, it is
> merely unwrapping the encoding that was used to store the keys in the
> LDAP attribute. (Heimdal stores keys in BER format.) If you're seeing
> a human-readable realm name here, then something is probably invalid
> in the stored keys; usually a key is a sequence of binary data, mostly
> gibberish. (Of course it depends on what encryption types you've
> configured in krb5.conf.)
I understand that also. What I was noting was that, at the end of the
sequence of binary data was my realm name in /lower case/. Since the
realm name is used for salt, I can easily see that as causing a problem.
I'm suspicious that it's checking the AFS key (whose realm name should
be lower case), but I don't know if that would make a difference.