[36511] in Kerberos
Re: Problems parsing old krbPrincipalKey attributes from LDAP backend
daemon@ATHENA.MIT.EDU (Ken Dreyer)
Wed Oct 1 18:44:29 2014
MIME-Version: 1.0
In-Reply-To: <FE970282-CA96-48E6-9CA4-9A8E740F7CFE@ibr.cs.tu-bs.de>
Date: Wed, 1 Oct 2014 16:44:17 -0600
Message-ID: <CAD3FbMV5WH2taNOYsJTU8+skKVWQ_qmJJKB7XYVKAae3-y_qKw@mail.gmail.com>
From: Ken Dreyer <ktdreyer@ktdreyer.com>
To: Frank Steinberg <steinberg@ibr.cs.tu-bs.de>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Mon, May 26, 2014 at 4:45 AM, Frank Steinberg
<steinberg@ibr.cs.tu-bs.de> wrote:
> Am 25.05.2014 um 05:14 schrieb Greg Hudson <ghudson@MIT.EDU>:
>> If you decide to go with patching the KDC, the candidate fixes are here:
>>
>> https://github.com/krb5/krb5/pull/129
>>
>> These changes should get pushed to master within a week or so, and
>> will eventually make their way into 1.12 and probably 1.11 patch releases.
>
> I took some time to find a python ASN.1 decoder/encoder and came up with
> the following python script. It should be able to convert the key data,
> so that a KrbSalt with only a type == 0 will be added where it's missing.
> With two test cases it seemed to work for me. However I did not yet apply
> it to our whole user database. If you have any comments, please let me know.
>
Hi Frank,
I converted my MIT KDC from CentOS 6 to CentOS 7 today, and your
kdb_ldap_fixkeys Python script was invaluable for repairing some
entries. Thanks!
(Looks like the -b option and the filter options are not documented in
usage() :-)
I was using krb5-server-1.11.3-49.el7. It looks like
https://github.com/krb5/krb5/pull/129 did get cherry-picked to the
krb5-1.12 branch, but not to krb5-1.11 yet.
- Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
