path: root/daemons/ipa-kdb/ipa_kdb_passwords.c
authorSimo Sorce <simo@redhat.com>2015-04-04 10:53:52 -0400
committerSimo Sorce <simo@redhat.com>2015-05-27 09:45:56 -0400
commitd5b6c8360116857623b4b67a42ed3788df2ba24a (patch)
tree2c3f7a30cc26d0f28a84c30304480804baf3546e /daemons/ipa-kdb/ipa_kdb_passwords.c
parent01fa05dd4ec7bd79abee8df0dd3642eabf138bcf (diff)
Detect default encsalts kadmin password change
When kadmin tries to change a password it will get the allowed keysalts from the password policy. If we fail to provide them, kadmin falls back to the defaults specified in the kdc.conf file or to hardcoded defaults (the default salt is then of type NORMAL). This patch provides the supported values that have been read out of the appropriate LDAP attribute when we read the server configuration. Then, at the actual password change, we check whether kadmin is handing us back the exact list of supported encsalts we sent it, and in that case replace it with the real default encsalts. Fixes https://fedorahosted.org/freeipa/ticket/4914 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_passwords.c')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_passwords.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index 974ae8fc8..ad57181d5 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -159,6 +159,22 @@ krb5_error_code ipadb_change_pwd(krb5_context context,
pwd.data = passwd;
pwd.length = strlen(passwd);
+ /* detect if kadmin is just passing along the default set */
+ if (ks_tuple_count == ipactx->n_supp_encs) {
+ for (i = 0; i < ks_tuple_count; i++) {
+ if (ks_tuple[i].ks_enctype != ipactx->supp_encs[i].ks_enctype)
+ break;
+ if (ks_tuple[i].ks_salttype != ipactx->supp_encs[i].ks_salttype)
+ break;
+ }
+ if (i == ks_tuple_count) {
+ /* we got passed the default supported enctypes, replace with
+ * the actual default enctypes to use */
+ ks_tuple = ipactx->def_encs;
+ ks_tuple_count = ipactx->n_def_encs;
+ }
+ }
+
/* We further filter supported enctypes to restrict to the list
* we have in ldap */
kerr = filter_key_salt_tuples(context, ks_tuple, ks_tuple_count,