diff options
| author | Sumit Bose <sbose@redhat.com> | 2013-10-07 16:49:33 +0200 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2013-10-08 09:18:57 +0200 |
| commit | 091e8fac3473e794e339b4a1a1ae819de8736af9 (patch) | |
| tree | 06fc13a78b37937f96cafaf546a7411d7319bd9f | |
| parent | 12ae6a054a20134fe51f195933ced7b52b2bd2ed (diff) | |
| download | freeipa.git-091e8fac3473e794e339b4a1a1ae819de8736af9.tar.gz freeipa.git-091e8fac3473e794e339b4a1a1ae819de8736af9.tar.xz freeipa.git-091e8fac3473e794e339b4a1a1ae819de8736af9.zip | |
Use the right attribute with ipapwd_entry_checks for MagicRegen
There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos
key is available for the corresponding user. This is typically triggered
by samba via the ipa_sam passdb plugin. The principal used by samba to
connect to the IPA directory server has the right to modify ipaNTHash
but no other password attribute. This means that the current check on
the userPassword attribute is too strict for this case and leads to a
failure of the whole operation.
With this patch the access right on ipaNTHash are checked if no other
password operations are requested.
| -rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c index 8a222650..64a9d314 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c @@ -554,7 +554,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) rc = ipapwd_entry_checks(pb, e, &is_root, &is_krb, &is_smb, &is_ipant, - SLAPI_USERPWD_ATTR, SLAPI_ACL_WRITE); + is_pwd_op ? SLAPI_USERPWD_ATTR : "ipaNTHash", + SLAPI_ACL_WRITE); if (rc) { goto done; } |