Problems parsing old krbPrincipalKey attributes from LDAP backend

Ken Dreyer ktdreyer at ktdreyer.com
Wed Oct 1 18:44:17 EDT 2014


On Mon, May 26, 2014 at 4:45 AM, Frank Steinberg
<steinberg at ibr.cs.tu-bs.de> wrote:
> On 25.05.2014 at 05:14, Greg Hudson <ghudson at MIT.EDU> wrote:
>> If you decide to go with patching the KDC, the candidate fixes are here:
>>
>> https://github.com/krb5/krb5/pull/129
>>
>> These changes should get pushed to master within a week or so, and
>> will eventually make their way into 1.12 and probably 1.11 patch releases.
>
> I took some time to find a python ASN.1 decoder/encoder and came up with
> the following python script. It should be able to convert the key data,
> so that a KrbSalt with only a type == 0 will be added where it's missing.
> With two test cases it seemed to work for me. However I did not yet apply
> it to our whole user database. If you have any comments, please let me know.
>

Hi Frank,

I converted my MIT KDC from CentOS 6 to CentOS 7 today, and your
kdb_ldap_fixkeys Python script was invaluable for repairing some
entries. Thanks!

(Looks like the -b option and the filter options are not documented in
usage() :-)

I was using krb5-server-1.11.3-49.el7. It looks like
https://github.com/krb5/krb5/pull/129 did get cherry-picked to the
krb5-1.12 branch, but not to krb5-1.11 yet.

- Ken

