#! /bin/sh /usr/share/dpatch/dpatch-run
## 33_hdb_ldap_enctypes_fix.dpatch by
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Backport from HEAD of minor fix to an issue that prevents using
## DP: hdb-ldap in conjunction with Samba. Heimdal's hdp-ldap was
## DP: attempting to write two krb5EncryptionType attributes,
## DP: which is invalid for the HDB schema. This caused password
## DP: changes to the Kerberos Principal to only succeed once
## DP: if LDAP DN was also a sambaSAMAccount.
@DPATCH@
--- heimdal-0.7.2.orig/lib/hdb/hdb-ldap.c 2005-04-18 04:03:54.000000000 -0400
+++ heimdal-0.7.2/lib/hdb/hdb-ldap.c 2007-06-15 21:19:12.000000000 -0400
@@ -666,6 +666,7 @@
 }
 if (ent->etypes) {
+ int add_krb5EncryptionType = 0;
 /* clobber and replace encryption types. */
 if (!is_new_entry) {
 values = ldap_get_values(HDB2LDAP(db), msg, "krb5EncryptionType");
@@ -675,19 +676,24 @@
 NULL);
 if (ret)
 goto out;
+ add_krb5EncryptionType = 1;
 }
- }
- for (i = 0; i < ent->etypes->len; i++) {
- if (is_samba_account &&
- ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
- {
- ;
- } else if (is_heimdal_entry) {
- ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
- "krb5EncryptionType",
- ent->etypes->val[i]);
- if (ret)
- goto out;
+ } else if (is_heimdal_entry)
+ add_krb5EncryptionType = 1;
+
+ if (add_krb5EncryptionType) {
+ for (i = 0; i < ent->etypes->len; i++) {
+ if (is_samba_account &&
+ ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
+ {
+ ;
+ } else if (is_heimdal_entry) {
+ ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
+ "krb5EncryptionType",
+ ent->etypes->val[i]);
+ if (ret)
+ goto out;
+ }
 }
 }
 }
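Review bot: The relocated loop in the second hunk still indexes `ent->keys.val[i]` while `i` is bounded only by `ent->etypes->len`, so if the two arrays can differ in length the Samba check reads past the end of the key array; nothing visible in the hunk guarantees they are parallel. Bounding the test, e.g. `if (is_samba_account && i < ent->keys.len && ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)`, keeps the read in range. Separately, for an existing entry the flag is set only when `ldap_get_values` found values to delete, so a Heimdal entry that has no `krb5EncryptionType` attribute yet no longer gets its enctypes written. If that is intended it deserves a comment next to `add_krb5EncryptionType`, for example `/* existing entries: only re-add when the old values were deleted */`. The enclosing function begins and ends outside the hunk.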