[Pkg-freeipa-devel] freeipa: Changes to 'upstream-unstable'

Timo Aaltonen tjaalton-guest at alioth.debian.org
Thu Nov 7 10:12:37 UTC 2013


Rebased ref, commits from common ancestor:
commit d261cc751efc7841ef720ceedf0abe07e6f211f6
Author: Martin Kosek <mkosek at redhat.com>
Date:   Fri Nov 1 16:31:42 2013 +0100

    Become IPA 3.3.3

diff --git a/VERSION b/VERSION
index a20d8bb..2e9a774 100644
--- a/VERSION
+++ b/VERSION
@@ -20,7 +20,7 @@
 ########################################################
 IPA_VERSION_MAJOR=3
 IPA_VERSION_MINOR=3
-IPA_VERSION_RELEASE=2
+IPA_VERSION_RELEASE=3
 
 ########################################################
 # For 'pre' releases the version will be               #

commit ddfc34f4bf8a0d5a018481f3662523f95beddd7a
Author: Tomas Babej <tbabej at redhat.com>
Date:   Fri Nov 1 13:59:16 2013 +0100

    ipatests: test_trust: use domain name instead of realm for user lookups

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index c516730..68fc028 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -86,7 +86,8 @@ class TestBasicADTrust(ADTrustBase):
     def test_user_gid_uid_resolution_in_nonposix_trust(self):
         """Check that user has SID-generated UID"""
 
-        testuser = 'testuser@%s' % self.ad.domain.realm
+        # Using domain name since it is lowercased realm name for AD domains
+        testuser = 'testuser@%s' % self.ad.domain.name
         result = self.master.run_command(['getent', 'passwd', testuser])
 
         # This regex checks that Test User does not have UID 10042 nor belongs
@@ -124,7 +125,8 @@ class TestPosixADTrust(ADTrustBase):
     def test_user_uid_gid_resolution_in_posix_trust(self):
         # Check that user has AD-defined UID
 
-        testuser = 'testuser@%s' % self.ad.domain.realm
+        # Using domain name since it is lowercased realm name for AD domains
+        testuser = 'testuser@%s' % self.ad.domain.name
         result = self.master.run_command(['getent', 'passwd', testuser])
 
         testuser_stdout = "testuser@%s:*:10042:10047:"\
@@ -136,7 +138,8 @@ class TestPosixADTrust(ADTrustBase):
     def test_user_without_posix_attributes_not_visible(self):
         # Check that user has AD-defined UID
 
-        nonposixuser = 'nonposixuser@%s' % self.ad.domain.realm
+        # Using domain name since it is lowercased realm name for AD domains
+        nonposixuser = 'nonposixuser@%s' % self.ad.domain.name
         result = self.master.run_command(['getent', 'passwd', nonposixuser],
                                          raiseonerr=False)
 

commit 13a0f8694c55114f5ff224aa69bc28492419ebb1
Author: Tomas Babej <tbabej at redhat.com>
Date:   Fri Nov 1 13:57:18 2013 +0100

    ipatests: Add integration tests for legacy clients
    
    Part of: https://fedorahosted.org/freeipa/ticket/3833

diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py
new file mode 100644
index 0000000..72b7ff4
--- /dev/null
+++ b/ipatests/test_integration/test_legacy_clients.py
@@ -0,0 +1,261 @@
+# Authors:
+#   Tomas Babej <tbabej at redhat.com>
+#
+# Copyright (C) 2013  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import re
+
+import nose
+
+from ipatests.test_integration import tasks
+
+# importing test_trust under different name to avoid nose executing the test
+# base class imported from this module
+from ipatests.test_integration import test_trust as trust_tests
+
+
+class BaseTestLegacyClient(trust_tests.TestEnforcedPosixADTrust):
+    """
+    Tests legacy client support.
+    """
+
+    advice_id = None
+    backup_files = ['/etc/sysconfig/authconfig',
+                    '/etc/pam.d',
+                    '/etc/openldap/cacerts',
+                    '/etc/openldap/ldap.conf',
+                    '/etc/nsswitch.conf',
+                    '/etc/sssd/sssd.conf']
+
+    @classmethod
+    def setup_class(cls):
+        super(BaseTestLegacyClient, cls).setup_class()
+        cls.ad = cls.ad_domains[0].ads[0]
+
+        cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0])
+        tasks.apply_common_fixes(cls.legacy_client)
+
+        for f in cls.backup_files:
+            tasks.backup_file(cls.legacy_client, f)
+
+    def test_remove_trust_with_posix_attributes(self):
+        pass
+
+    def test_apply_advice(self):
+        # Obtain the advice from the server
+        tasks.kinit_admin(self.master)
+        result = self.master.run_command(['ipa-advise', self.advice_id])
+        advice = result.stdout_text
+
+        # Apply the advice on the legacy client
+        advice_path = os.path.join(self.legacy_client.config.test_dir,
+                                   'advice.sh')
+        self.legacy_client.put_file_contents(advice_path, advice)
+        result = self.legacy_client.run_command(['bash', '-x', '-e',
+                                                 advice_path])
+
+        # Restart SSHD to load new PAM configuration
+        self.legacy_client.run_command(['/sbin/service', 'sshd', 'restart'])
+
+    def clear_sssd_caches(self):
+        tasks.clear_sssd_cache(self.master)
+        tasks.clear_sssd_cache(self.legacy_client)
+
+    def test_getent_ipa_user(self):
+        self.clear_sssd_caches()
+        result = self.legacy_client.run_command(['getent', 'passwd', 'admin'])
+
+        admin_regex = "^admin:\*:(\d+):(\d+):"\
+                      "Administrator:/home/admin:/bin/bash$"
+
+        assert re.search(admin_regex, result.stdout_text)
+
+    def test_getent_ipa_group(self):
+        self.clear_sssd_caches()
+        result = self.legacy_client.run_command(['getent', 'group', 'admins'])
+
+        admin_group_regex = "^admins:\*:(\d+):admin"
+
+        assert re.search(admin_group_regex, result.stdout_text)
+
+    def test_id_ipa_user(self):
+        self.clear_sssd_caches()
+        result = self.legacy_client.run_command(['id', 'admin'])
+
+        uid_regex = "uid=(\d+)\(admin\)"
+        gid_regex = "gid=(\d+)\(admins\)"
+        groups_regex = "groups=(\d+)\(admins\)"
+
+        assert re.search(uid_regex, result.stdout_text)
+        assert re.search(gid_regex, result.stdout_text)
+        assert re.search(groups_regex, result.stdout_text)
+
+    def test_getent_ad_user(self):
+        self.clear_sssd_caches()
+        testuser = 'testuser@%s' % self.ad.domain.name
+        result = self.legacy_client.run_command(['getent', 'passwd', testuser])
+
+        testuser_stdout = "testuser@%s:*:10042:10047:"\
+                          "Test User:/home/testuser:/bin/sh"\
+                          % self.ad.domain.name
+
+        assert testuser_stdout in result.stdout_text
+
+    def test_getent_ad_group(self):
+        self.clear_sssd_caches()
+        testgroup = 'test group@%s' % self.ad.domain.name
+        result = self.legacy_client.run_command(['getent', 'group', testgroup])
+
+        testgroup_stdout = "%s:\*:10047:" % testgroup
+        assert re.search(testgroup_stdout, result.stdout_text)
+
+    def test_id_ad_user(self):
+        self.clear_sssd_caches()
+        testuser = 'testuser@%s' % self.ad.domain.name
+        testgroup = 'test group@%s' % self.ad.domain.name
+
+        result = self.legacy_client.run_command(['id', testuser])
+
+        uid_regex = "uid=10042\(%s\)" % testuser
+        gid_regex = "gid=10047\(%s\)" % testgroup
+        groups_regex = "groups=10047\(%s\)" % testgroup
+
+        assert re.search(uid_regex, result.stdout_text)
+        assert re.search(gid_regex, result.stdout_text)
+        assert re.search(groups_regex, result.stdout_text)
+
+    def test_login_ipa_user(self):
+        if not self.master.transport.file_exists('/usr/bin/sshpass'):
+            raise nose.SkipTest('Package sshpass not available on %s'
+                                 % self.master.hostname)
+
+        result = self.master.run_command(
+            'sshpass -p %s '
+            'ssh '
+            '-o StrictHostKeyChecking=no '
+            '-l admin '
+            '%s '
+            '"echo test"' %
+            (self.legacy_client.config.admin_password,
+             self.legacy_client.external_hostname))
+
+        assert "test" in result.stdout_text
+
+    def test_login_ad_user(self):
+        if not self.master.transport.file_exists('/usr/bin/sshpass'):
+            raise nose.SkipTest('Package sshpass not available on %s'
+                                 % self.master.hostname)
+
+        testuser = 'testuser@%s' % self.ad.domain.name
+        result = self.master.run_command(
+            'sshpass -p Secret123 '
+            'ssh '
+            '-o StrictHostKeyChecking=no '
+            '-l %s '
+            '%s '
+            '"echo test"' %
+             (testuser, self.legacy_client.external_hostname))
+
+        assert "test" in result.stdout_text
+
+    def test_login_disabled_ipa_user(self):
+        if not self.master.transport.file_exists('/usr/bin/sshpass'):
+            raise nose.SkipTest('Package sshpass not available on %s'
+                                 % self.master.hostname)
+
+        self.clear_sssd_caches()
+
+        result = self.master.run_command(
+            'sshpass -p %s '
+            'ssh '
+            '-o StrictHostKeyChecking=no '
+            '-l disabledipauser '
+            '%s '
+            '"echo test"'
+            % (self.legacy_client.config.admin_password,
+               self.legacy_client.external_hostname),
+            raiseonerr=False)
+
+        assert result.returncode != 0
+
+    def test_login_disabled_ad_user(self):
+        if not self.master.transport.file_exists('/usr/bin/sshpass'):
+            raise nose.SkipTest('Package sshpass not available on %s'
+                                 % self.master.hostname)
+
+        testuser = 'disabledaduser@%s' % self.ad.domain.name
+        result = self.master.run_command(
+            'sshpass -p Secret123 '
+            'ssh '
+            '-o StrictHostKeyChecking=no '
+            '-l %s '
+            '%s '
+            '"echo test"' %
+            (testuser, self.legacy_client.external_hostname),
+            raiseonerr=False)
+
+        assert result.returncode != 0
+
+    @classmethod
+    def install(cls):
+        super(BaseTestLegacyClient, cls).install()
+
+        password_confirmation = (
+            cls.master.config.admin_password +
+            '\n' +
+            cls.master.config.admin_password
+            )
+
+        cls.master.run_command(['ipa', 'user-add', 'disabledipauser',
+                                        '--first', 'disabled',
+                                        '--last', 'ipauser',
+                                        '--password'],
+                                 stdin_text=password_confirmation)
+
+        cls.master.run_command(['ipa', 'user-disable', 'disabledipauser'])
+
+    @classmethod
+    def uninstall(cls):
+        cls.master.run_command(['ipa', 'user-del', 'disabledipauser'],
+                                raiseonerr=False)
+        tasks.unapply_fixes(cls.legacy_client)
+        super(BaseTestLegacyClient, cls).uninstall()
+
+
+class TestLegacySSSDBefore19RedHat(BaseTestLegacyClient):
+
+    advice_id = 'config-redhat-sssd-before-1-9'
+    required_extra_roles = ['legacy_client_sssd_redhat']
+
+
+class TestLegacyNssPamLdapdRedHat(BaseTestLegacyClient):
+
+    advice_id = 'config-redhat-nss-pam-ldapd'
+    required_extra_roles = ['legacy_client_nss_pam_ldapd_redhat']
+
+    def clear_sssd_caches(self):
+        tasks.clear_sssd_cache(self.master)
+
+
+class TestLegacyNssLdapRedHat(BaseTestLegacyClient):
+
+    advice_id = 'config-redhat-nss-ldap'
+    required_extra_roles = ['legacy_client_nss_ldap_redhat']
+
+    def clear_sssd_caches(self):
+        tasks.clear_sssd_cache(self.master)
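Review bot: The four `sshpass` invocations in `test_login_ipa_user`, `test_login_ad_user`, `test_login_disabled_ipa_user` and `test_login_disabled_ad_user` interpolate `admin_password` and the hostname into one command string, while every other `run_command` call in this file passes an argument list; if the string form goes through a shell, as the embedded `"echo test"` quoting suggests, a password containing a quote, `$` or a space breaks the command or is interpreted by the shell instead of reaching `sshpass`. Passing an argument list removes that dependency on the password's content and keeps `echo test` as a single remote argument; the other three calls take the same shape. Separately, `test_remove_trust_with_posix_attributes` overrides an inherited test with a bare `pass` and would read better with a one-line comment saying why it is neutralized for legacy clients, and the regex literals (`"^admin:\*:(\d+):(\d+):"`, `"uid=(\d+)\(admin\)"` and friends) should be raw strings, since `\*` and `\d` are not valid string escapes.
```python
    def test_login_ipa_user(self):
        # … unchanged: SkipTest guard when sshpass is absent …
        result = self.master.run_command(
            ['sshpass', '-p', self.legacy_client.config.admin_password,
             'ssh', '-o', 'StrictHostKeyChecking=no', '-l', 'admin',
             self.legacy_client.external_hostname, 'echo test'])
        # … unchanged: assertion on result.stdout_text …
```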

commit 33ea1496572aa2f8545b853cc2b3bb4e3d5cc967
Author: Tomas Babej <tbabej at redhat.com>
Date:   Wed Oct 30 10:08:08 2013 +0100

    ipatests: Use command -v instead of which in legacy client advice
    
    Part of: https://fedorahosted.org/freeipa/ticket/3833

diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py
index 1e076bf..6d17f7e 100644
--- a/ipaserver/advise/plugins/legacy_clients.py
+++ b/ipaserver/advise/plugins/legacy_clients.py
@@ -52,7 +52,7 @@ class config_base_legacy_client(Advice):
                          '/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
 
         self.log.comment('Generate hashes for the openldap library')
-        self.log.command('which cacertdir_rehash')
+        self.log.command('command -v cacertdir_rehash')
         self.log.command('if [ $? -ne 0 ] ; then')
         self.log.command(' wget "%s" -O cacertdir_rehash ;' % cacertdir_rehash)
         self.log.command(' chmod 755 ./cacertdir_rehash ;')
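Review bot: The generated advice runs `command -v cacertdir_rehash` as a standalone statement and only afterwards tests `$?`, so under `bash -e` — which is how the new integration test in this same series executes the advice (`bash -x -e advice_path`) — a host without `cacertdir_rehash` aborts the script before the wget fallback is ever reached. Folding the probe into the condition avoids that: `self.log.command('if ! command -v cacertdir_rehash >/dev/null 2>&1 ; then')` in place of the `command -v` line and the `if [ $? -ne 0 ]` line. The fallback also fetches a file from whatever `cacertdir_rehash` points at and marks it executable with no integrity check; if that location is not under the deployment's control, a comment stating that assumption, or a checksum verification step, belongs next to the wget. The enclosing method starts and ends outside the hunk.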
@@ -362,7 +362,7 @@ class config_redhat_nss_ldap(config_base_legacy_client):
 
         self.log.comment('Install required packages via yum')
         self.log.command('yum install -y wget openssl nss_ldap '
-                         'authconfig which\n')
+                         'authconfig\n')
 
         self.configure_ca_cert()
 

commit 6aed1c61abd82af521f5009404d0188bb1424659
Author: Martin Kosek <mkosek at redhat.com>
Date:   Fri Nov 1 09:25:33 2013 +0100

    Remove deprecated AllowLMhash config
    
    Remove this ipaConfigString value as LM hash is deprecated and in
    fact even insecure.
    
    https://fedorahosted.org/freeipa/ticket/3795

diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index 69783f1..ce617fe 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -1,5 +1,5 @@
 dn: cn=ipaConfig,cn=etc,$SUFFIX
 add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
 add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
-
 add:ipaUserObjectClasses: ipasshuser
+remove:ipaConfigString:AllowLMhash

commit 88f52302f95e01deec14f3590f0a7a17f7324e33
Author: Sumit Bose <sbose at redhat.com>
Date:   Tue Oct 29 12:19:01 2013 +0100

    Remove generation and handling of LM hashes
    
    https://fedorahosted.org/freeipa/ticket/3795

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 59ddcef..674085d 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2637,10 +2637,9 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 	char *name;
 	char *trustpw = NULL;
 	char *trustpw_utf8 = NULL;
-	char *trustpw_utf8_uc = NULL;
 	char *tmp_str = NULL;
 	int ret;
-	struct ntlm_keys ntlm_keys;
+	uint8_t nt_key[16];
 	size_t converted_size;
 	bool res;
 	char *sid_str;
@@ -2706,23 +2705,13 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 		goto done;
 	}
 
-	if (!push_utf8_talloc(user, &trustpw_utf8_uc, tmp_str, &converted_size)) {
-		res = false;
-		goto done;
-	}
-
-	ret = encode_ntlm_keys(trustpw_utf8, trustpw_utf8_uc, true, true,
-			       &ntlm_keys);
+	ret = encode_nt_key(trustpw_utf8, nt_key);
 	if (ret != 0) {
 		res = false;
 		goto done;
 	}
 
-	if (!pdb_set_lanman_passwd(user, ntlm_keys.lm, PDB_SET)) {
-		res = false;
-		goto done;
-	}
-	if (!pdb_set_nt_passwd(user, ntlm_keys.nt, PDB_SET)) {
+	if (!pdb_set_nt_passwd(user, nt_key, PDB_SET)) {
 		res = false;
 		goto done;
 	}
@@ -2741,10 +2730,6 @@ done:
 		memset(tmp_str, 0, strlen(tmp_str));
 		talloc_free(tmp_str);
 	}
-	if (trustpw_utf8_uc != NULL) {
-		memset(trustpw_utf8_uc, 0, strlen(trustpw_utf8_uc));
-		talloc_free(trustpw_utf8_uc);
-	}
 
 	return res;
 }
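Review bot: `nt_key` now holds the NT hash of the trust password on the stack, but the `done:` cleanup scrubs only `tmp_str` (and, before this change, `trustpw_utf8_uc`) and leaves the hash in place after `pdb_set_nt_passwd` has copied it; an NT hash is password-equivalent for NTLM, so it deserves the same treatment the function already gives its cleartext buffers. Adding `memset(nt_key, 0, sizeof(nt_key));` just before `return res;` keeps the function's own convention; a compiler may drop a plain memset on a buffer that is never read again, so if the build has an explicit-clear helper it is the better choice here. The `nt_key` declaration is in the first hunk of this file, and `init_sam_from_td` itself starts outside the hunks.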
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index f0339c4..2538a40 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -366,7 +366,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
     slapi_entry_free(config_entry);
 
     /* get the ipa etc/ipaConfig entry */
-    config->allow_lm_hash = false;
     config->allow_nt_hash = false;
     ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
     if (ret != LDAP_SUCCESS) {
@@ -376,10 +375,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
         tmparray = slapi_entry_attr_get_charray(config_entry,
                                                 "ipaConfigString");
         for (i = 0; tmparray && tmparray[i]; i++) {
-            if (strcasecmp(tmparray[i], "AllowLMhash") == 0) {
-                config->allow_lm_hash = true;
-                continue;
-            }
             if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
                 config->allow_nt_hash = true;
                 continue;
@@ -928,7 +923,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
     Slapi_Value **pwvals = NULL;
     struct tm utctime;
     char timestr[GENERALIZED_TIME_LENGTH+1];
-    char *lm = NULL;
     char *nt = NULL;
     int is_smb = 0;
     int is_ipant = 0;
@@ -965,7 +959,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
     ret = ipapwd_gen_hashes(krbcfg, data,
                             data->password,
                             is_krb, is_smb, is_ipant,
-                            &svals, &nt, &lm, &ntvals, &errMesg);
+                            &svals, &nt, &ntvals, &errMesg);
     if (ret) {
         goto free_and_return;
     }
@@ -1004,11 +998,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
 		}
 	}
 
-    if (lm && is_smb) {
-        slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
-                              "sambaLMPassword", lm);
-    }
-
     if (nt && is_smb) {
         slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                               "sambaNTPassword", nt);
@@ -1069,7 +1058,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
     LOG_TRACE("<= result: %d\n", ret);
 
 free_and_return:
-    if (lm) slapi_ch_free((void **)&lm);
     if (nt) slapi_ch_free((void **)&nt);
     if (modtime) slapi_ch_free((void **)&modtime);
     slapi_mods_free(&smods);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index a92eaf0..28f164e 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -201,15 +201,13 @@ enc_error:
 int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
                       struct ipapwd_data *data, char *userpw,
                       int is_krb, int is_smb, int is_ipant, Slapi_Value ***svals,
-                      char **nthash, char **lmhash, Slapi_Value ***ntvals,
+                      char **nthash, Slapi_Value ***ntvals,
                       char **errMesg)
 {
     int rc;
-    char *userpw_uc = NULL;
 
     *svals = NULL;
     *nthash = NULL;
-    *lmhash = NULL;
     *errMesg = NULL;
 
     if (is_krb) {
@@ -225,40 +223,24 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
     }
 
     if (is_smb || is_ipant) {
-        char lm[33], nt[33];
-        struct ntlm_keys ntlm;
+        char nt[33];
+        uint8_t nt_key[16];
         int ret;
 
-        userpw_uc = (char *) slapi_utf8StrToUpper((unsigned char *) userpw);
-        if (!userpw_uc) {
-            *errMesg = "Failed to generate upper case password\n";
-            LOG_FATAL("%s", *errMesg);
-            rc = LDAP_OPERATIONS_ERROR;
-            goto done;
-        }
-
-        ret = encode_ntlm_keys(userpw,
-                               userpw_uc,
-                               krbcfg->allow_lm_hash,
-                               krbcfg->allow_nt_hash,
-                               &ntlm);
-        memset(userpw_uc, 0, strlen(userpw_uc));
-        slapi_ch_free_string(&userpw_uc);
-        if (ret) {
-            *errMesg = "Failed to generate NT/LM hashes\n";
-            LOG_FATAL("%s", *errMesg);
-            rc = LDAP_OPERATIONS_ERROR;
-            goto done;
-        }
-        if (krbcfg->allow_lm_hash) {
-            hexbuf(lm, ntlm.lm);
-            lm[32] = '\0';
-            *lmhash = slapi_ch_strdup(lm);
-        }
         if (krbcfg->allow_nt_hash) {
-            hexbuf(nt, ntlm.nt);
+            ret = encode_nt_key(userpw, nt_key);
+            if (ret) {
+                *errMesg = "Failed to generate NT/LM hashes\n";
+                LOG_FATAL("%s", *errMesg);
+                rc = LDAP_OPERATIONS_ERROR;
+                goto done;
+            }
+
+            hexbuf(nt, nt_key);
             nt[32] = '\0';
             *nthash = slapi_ch_strdup(nt);
+        } else {
+            memset(nt_key, 0, 16);
         }
 
         if (is_ipant) {
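Review bot: The error message at the new `encode_nt_key` call still reads `"Failed to generate NT/LM hashes\n"` although LM generation no longer exists on this path; `*errMesg = "Failed to generate NT hash\n";` matches what the code now does. Note also that when `allow_nt_hash` is false the `else` branch zeroes `nt_key` and, if `is_ipant` is set, the later `slapi_value_set((*ntvals)[0], nt_key, 16)` stores that all-zero value as the NT hash — this mirrors what `encode_ntlm_keys` did before the change, but a comment on the `else`, `/* NT hash disabled: store an all-zero key for ipaNTHash */`, would spare the next reader a detour. The `nt` hex buffer on the stack is not cleared after `slapi_ch_strdup` either; `ipapwd_gen_hashes` continues past the hunk.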
@@ -269,7 +251,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
                 goto done;
             }
             (*ntvals)[0] = slapi_value_new();
-            if (slapi_value_set((*ntvals)[0], ntlm.nt, 16) == NULL) {
+            if (slapi_value_set((*ntvals)[0], nt_key, 16) == NULL) {
                 rc = LDAP_OPERATIONS_ERROR;
                 goto done;
             }
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 74b6362..b408748 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -132,7 +132,6 @@ struct ipapwd_krbcfg {
     krb5_key_salt_tuple *pref_encsalts;
     char **passsync_mgrs;
     int num_passsync_mgrs;
-    bool allow_lm_hash;
     bool allow_nt_hash;
 };
 
@@ -172,7 +171,7 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset);
 int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
                       struct ipapwd_data *data, char *userpw,
                       int is_krb, int is_smb, int is_ipant,
-                      Slapi_Value ***svals, char **nthash, char **lmhash,
+                      Slapi_Value ***svals, char **nthash,
                       Slapi_Value ***ntvals, char **errMesg);
 
 /* from prepost.c */
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 64a9d31..ef37b5e 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -325,13 +325,12 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
         Slapi_Value **svals = NULL;
         Slapi_Value **ntvals = NULL;
         char *nt = NULL;
-        char *lm = NULL;
 
         pwdop->is_krb = is_krb;
 
         rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata,
                                userpw, is_krb, is_smb, is_ipant,
-                               &svals, &nt, &lm, &ntvals, &errMesg);
+                               &svals, &nt, &ntvals, &errMesg);
         if (rc != LDAP_SUCCESS) {
             goto done;
         }
@@ -349,11 +348,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
             ipapwd_free_slapi_value_array(&svals);
         }
 
-        if (lm && is_smb) {
-            /* set value */
-            slapi_entry_attr_set_charptr(e, "sambaLMPassword", lm);
-            slapi_ch_free_string(&lm);
-        }
         if (nt && is_smb) {
             /* set value */
             slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
@@ -814,11 +808,10 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
         Slapi_Value **svals = NULL;
         Slapi_Value **ntvals = NULL;
         char *nt = NULL;
-        char *lm = NULL;
 
         rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata, unhashedpw,
                                gen_krb_keys, is_smb, is_ipant,
-                               &svals, &nt, &lm, &ntvals, &errMesg);
+                               &svals, &nt, &ntvals, &errMesg);
         if (rc) {
             goto done;
         }
@@ -830,12 +823,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
             ipapwd_free_slapi_value_array(&svals);
         }
 
-        if (lm && is_smb) {
-            /* replace value */
-            slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
-                                  "sambaLMPassword", lm);
-            slapi_ch_free_string(&lm);
-        }
         if (nt && is_smb) {
             /* replace value */
             slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index a6990ca..bc07549 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -74,15 +74,6 @@ int ipapwd_generate_new_history(char *password,
                                 char ***new_pwd_history,
                                 int *new_pwd_hlen);
 
-struct ntlm_keys {
-    uint8_t lm[16];
-    uint8_t nt[16];
-};
-
-int encode_ntlm_keys(char *newPasswd,
-                     char *upperPasswd,
-                     bool do_lm_hash,
-                     bool do_nt_hash,
-                     struct ntlm_keys *keys);
+int encode_nt_key(char *newPasswd, uint8_t *nt_key);
 
 #endif
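Review bot: The new prototype `int encode_nt_key(char *newPasswd, uint8_t *nt_key);` gives no indication of how large `nt_key` must be, where the removed `struct ntlm_keys` made the 16-byte size explicit; callers now have to know that `MD4_Final` writes 16 bytes. A comment above the declaration — `/* nt_key must point to at least 16 bytes and receives the MD4 digest of the UCS-2 password; returns 0 on success, -1 on failure */` — or spelling the size in the parameter as `uint8_t nt_key[16]` would document the contract. The return convention is visible in `ipa_pwd_ntlm.c` in this same commit (`ret = -1` on every failure path, `ret = 0` on success).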
diff --git a/util/ipa_pwd_ntlm.c b/util/ipa_pwd_ntlm.c
index a3399b5..8ffa666 100644
--- a/util/ipa_pwd_ntlm.c
+++ b/util/ipa_pwd_ntlm.c
@@ -32,178 +32,70 @@
 #define KTF_UTF8 "UTF-8"
 #define KTF_UCS2 "UCS-2LE"
 
-static const uint8_t parity_table[128] = {
-      1,  2,  4,  7,  8, 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31,
-     32, 35, 37, 38, 41, 42, 44, 47, 49, 50, 52, 55, 56, 59, 61, 62,
-     64, 67, 69, 70, 73, 74, 76, 79, 81, 82, 84, 87, 88, 91, 93, 94,
-     97, 98,100,103,104,107,109,110,112,115,117,118,121,122,124,127,
-    128,131,133,134,137,138,140,143,145,146,148,151,152,155,157,158,
-    161,162,164,167,168,171,173,174,176,179,181,182,185,186,188,191,
-    193,194,196,199,200,203,205,206,208,211,213,214,217,218,220,223,
-    224,227,229,230,233,234,236,239,241,242,244,247,248,251,253,254
-};
-
-static void lm_shuffle(uint8_t *out, uint8_t *in)
-{
-    out[0] = parity_table[in[0]>>1];
-    out[1] = parity_table[((in[0]<<6)|(in[1]>>2)) & 0x7F];
-    out[2] = parity_table[((in[1]<<5)|(in[2]>>3)) & 0x7F];
-    out[3] = parity_table[((in[2]<<4)|(in[3]>>4)) & 0x7F];
-    out[4] = parity_table[((in[3]<<3)|(in[4]>>5)) & 0x7F];
-    out[5] = parity_table[((in[4]<<2)|(in[5]>>6)) & 0x7F];
-    out[6] = parity_table[((in[5]<<1)|(in[6]>>7)) & 0x7F];
-    out[7] = parity_table[in[6] & 0x7F];
-}
-
-/* create the lm and nt hashes
+/* create the nt hash
    newPassword: the clear text utf8 password
-   upperPasswd: upper case version of clear text utf8 password
-   do_lm_hash: determine if LM hash is generated
-   do_nt_hash: determine if NT hash is generated
-   keys[out]: array with generated hashes
+   nt_key[out]: array with generated hash
 */
-int encode_ntlm_keys(char *newPasswd,
-                     char *upperPasswd,
-                     bool do_lm_hash,
-                     bool do_nt_hash,
-                     struct ntlm_keys *keys)
+int encode_nt_key(char *newPasswd, uint8_t *nt_key)
 {
     int ret = 0;
+    iconv_t cd;
+    size_t cs, il, ol, sl;
+    char *inc, *outc;
+    char *ucs2Passwd;
+    MD4_CTX md4ctx;
+
+    /* TODO: must store the dos charset somewhere in the directory */
+    cd = iconv_open(KTF_UCS2, KTF_UTF8);
+    if (cd == (iconv_t)(-1)) {
+        ret = -1;
+        goto done;
+    }
 
-    /* do lanman first */
-    if (do_lm_hash) {
-        iconv_t cd;
-        size_t cs, il, ol;
-        char *inc, *outc;
-        char *asciiPasswd;
-        DES_key_schedule schedule;
-        DES_cblock deskey;
-        DES_cblock magic = "KGS!@#$%";
-
-        if (upperPasswd == NULL) {
-            ret = -1;
-            goto done;
-        }
-        il = strlen(upperPasswd);
-
-        /* TODO: must store the dos charset somewhere in the directory */
-        cd = iconv_open(KTF_DOS_CHARSET, KTF_UTF8);
-        if (cd == (iconv_t)(-1)) {
-            ret = -1;
-            goto done;
-        }
-
-        /* an ascii string can only be smaller than or equal to an utf8 one */
-        ol = il;
-        if (ol < 14) ol = 14;
-        asciiPasswd = calloc(ol+1, 1);
-        if (!asciiPasswd) {
-            iconv_close(cd);
-            ret = -1;
-            goto done;
-        }
-
-        inc = upperPasswd;
-        outc = asciiPasswd;
-        cs = iconv(cd, &inc, &il, &outc, &ol);
-        if (cs == -1) {
-            ret = -1;
-            free(asciiPasswd);
-            iconv_close(cd);
-            goto done;
-        }
+    il = strlen(newPasswd);
 
-        /* done with these */
+    /* an ucs2 string can be at most double than an utf8 one */
+    sl = ol = (il+1)*2;
+    ucs2Passwd = calloc(ol, 1);
+    if (!ucs2Passwd) {
+        ret = -1;
         iconv_close(cd);
-
-        /* we are interested only in the first 14 ASCII chars for lanman */
-        if (strlen(asciiPasswd) > 14) {
-            asciiPasswd[14] = '\0';
-        }
-
-        /* first half */
-        lm_shuffle(deskey, (uint8_t *)asciiPasswd);
-
-        DES_set_key_unchecked(&deskey, &schedule);
-        DES_ecb_encrypt(&magic, (DES_cblock *)keys->lm,
-                        &schedule, DES_ENCRYPT);
-
-        /* second half */
-        lm_shuffle(deskey, (uint8_t *)&asciiPasswd[7]);
-
-        DES_set_key_unchecked(&deskey, &schedule);
-        DES_ecb_encrypt(&magic, (DES_cblock *)&(keys->lm[8]),
-                        &schedule, DES_ENCRYPT);
-
-        /* done with it */
-        free(asciiPasswd);
-
-    } else {
-        memset(keys->lm, 0, 16);
+        goto done;
     }
 
-    if (do_nt_hash) {
-        iconv_t cd;
-        size_t cs, il, ol, sl;
-        char *inc, *outc;
-        char *ucs2Passwd;
-        MD4_CTX md4ctx;
-
-        /* TODO: must store the dos charset somewhere in the directory */
-        cd = iconv_open(KTF_UCS2, KTF_UTF8);
-        if (cd == (iconv_t)(-1)) {
-            ret = -1;
-            goto done;
-        }
-
-        il = strlen(newPasswd);
-
-        /* an ucs2 string can be at most double than an utf8 one */
-        sl = ol = (il+1)*2;
-        ucs2Passwd = calloc(ol, 1);
-        if (!ucs2Passwd) {
-            ret = -1;
-            iconv_close(cd);
-            goto done;
-        }
-
-        inc = newPasswd;
-        outc = ucs2Passwd;
-        cs = iconv(cd, &inc, &il, &outc, &ol);
-        if (cs == -1) {
-            ret = -1;
-            free(ucs2Passwd);
-            iconv_close(cd);
-            goto done;
-        }
-
-        /* done with it */
+    inc = newPasswd;
+    outc = ucs2Passwd;
+    cs = iconv(cd, &inc, &il, &outc, &ol);
+    if (cs == -1) {
+        ret = -1;
+        free(ucs2Passwd);
         iconv_close(cd);
+        goto done;
+    }
 
-        /* get the final ucs2 string length */
-        sl -= ol;
+    /* done with it */
+    iconv_close(cd);
 
-        ret = MD4_Init(&md4ctx);
-        if (ret == 0) {
-            ret = -1;
-            free(ucs2Passwd);
-            goto done;
-        }
-        ret = MD4_Update(&md4ctx, ucs2Passwd, sl);
-        if (ret == 0) {
-            ret = -1;
-            free(ucs2Passwd);
-            goto done;
-        }
-        ret = MD4_Final(keys->nt, &md4ctx);
-        if (ret == 0) {
-            ret = -1;
-            free(ucs2Passwd);
-            goto done;
-        }
+    /* get the final ucs2 string length */
+    sl -= ol;
 
-    } else {
-        memset(keys->nt, 0, 16);
+    ret = MD4_Init(&md4ctx);
+    if (ret == 0) {
+        ret = -1;
+        free(ucs2Passwd);
+        goto done;
+    }
+    ret = MD4_Update(&md4ctx, ucs2Passwd, sl);
+    if (ret == 0) {
+        ret = -1;
+        free(ucs2Passwd);
+        goto done;
+    }
+    ret = MD4_Final(nt_key, &md4ctx);
+    if (ret == 0) {
+        ret = -1;
+        free(ucs2Passwd);
+        goto done;
     }
 
     ret = 0;
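Review bot: `ucs2Passwd` holds the UCS-2 form of the cleartext password and is freed on each error path (after `iconv`, `MD4_Init`, `MD4_Update` and `MD4_Final`) without being cleared first, whereas the callers in `ipa_sam.c` memset their cleartext copies before freeing them. Because `il` and `ol` are consumed by `iconv`, keep the allocation size in its own variable, e.g. `size_t alloc_len = (il+1)*2;` at the `calloc`, and scrub with `memset(ucs2Passwd, 0, alloc_len);` before every `free(ucs2Passwd)`. The repeated free-and-goto pattern could also be collapsed into the single `done:` exit; `encode_nt_key` continues past the hunk, so the success-path release is not visible here. The `TODO: must store the dos charset somewhere in the directory` comment was carried over from the LM branch and now sits above the fixed UTF-8 to UCS-2 conversion, where the dos charset is no longer used, so it is probably stale.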

commit 34c707e3fe90be09e3cbe5e5439696d946d948d5
Author: Sumit Bose <sbose at redhat.com>
Date:   Tue Oct 29 11:37:03 2013 +0100

    Remove AllowLMhash from the allowed IPA config strings
    
    Fixes https://fedorahosted.org/freeipa/ticket/3795

diff --git a/API.txt b/API.txt
index 40871f6..605f9ee 100644
--- a/API.txt
+++ b/API.txt
@@ -499,7 +499,7 @@ args: 0,24,3
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
 option: Str('ipadefaultemaildomain', attribute=True, autofill=False, cli_name='emaildomain', multivalue=False, required=False)
 option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
 option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='defaultgroup', multivalue=False, required=False)
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index 94e1454..7dea5d1 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -69,7 +69,7 @@ return {
                             name: 'ipaconfigstring',
                             $type: 'checkboxes',
                             options: IPA.create_options([
-                                'AllowLMhash', 'AllowNThash',
+                                'AllowNThash',
                                 'KDC:Disable Last Success', 'KDC:Disable Lockout'
                             ])
                         },
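Review bot: Removing 'AllowLMhash' from the checkbox options here handles new selections but not a deployment whose ipaconfigstring attribute already carries that value; the widget will presumably no longer render it, and the StrEnum narrowing in the ipalib/plugins/config.py hunk of this commit (cut off in this view) would then reject the stale value on a later config-mod, so unrelated config edits could fail until the entry is cleared by hand. The same option list also disappears from API.txt and the two ipa_init_*.json fixtures in this commit, so all client-side paths agree, but nothing visible strips the value from existing LDAP data. Consider an upgrade step that removes AllowLMhash from existing ipaconfigstring values, or a comment above the options list such as `// AllowLMhash was dropped; existing values are not migrated here` so the gap is explicit.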
diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json
index 4f28701..2073181 100644
--- a/install/ui/test/data/ipa_init_commands.json
+++ b/install/ui/test/data/ipa_init_commands.json
@@ -2278,7 +2278,6 @@
                         "name": "ipaconfigstring",
                         "type": "unicode",
                         "values": [
-                            "AllowLMhash",
                             "AllowNThash",
                             "KDC:Disable Last Success",
                             "KDC:Disable Lockout"
diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json
index bef3cc6..8550e82 100644
--- a/install/ui/test/data/ipa_init_objects.json
+++ b/install/ui/test/data/ipa_init_objects.json
@@ -580,7 +580,6 @@
                         "name": "ipaconfigstring",
                         "type": "unicode",
                         "values": [
-                            "AllowLMhash",
                             "AllowNThash",
                             "KDC:Disable Last Success",
                             "KDC:Disable Lockout"
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index b9cf050..fbaacb7 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -178,7 +178,7 @@ class config(LDAPObject):
             cli_name='ipaconfigstring',
             label=_('Password plugin features'),
             doc=_('Extra hashes to generate in password plug-in'),
-            values=(u'AllowLMhash', u'AllowNThash',
+            values=(u'AllowNThash',
                     u'KDC:Disable Last Success', u'KDC:Disable Lockout'),


