Am 25.05.2014 um 05:14 schrieb Greg Hudson <ghud...@mit.edu>: > If you decide to go with patching the KDC, the candidate fixes are here: > > https://github.com/krb5/krb5/pull/129 > > These changes should get pushed to master within a week or so, and > will eventually make their way into 1.12 and probably 1.11 patch releases.
I took some time to find a Python ASN.1 decoder/encoder and came up with the following script. It decodes each krbPrincipalKey value (a KrbKeySet), adds a KrbSalt containing only type 0 (no salt string) to every KrbKey that has no salt at all, and prints LDIF "replace" records for the affected entries — it does not write to the directory itself. With two test cases it seemed to work for me; however, I have not yet applied it to our whole user database, so please review the generated LDIF (and keep an ldapsearch backup of the attribute) before loading it. If you have any comments, please let me know.
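#!/usr/bin/python
#
# kdb_ldap_fixkeys.py - emit LDIF change records to fix krbPrincipalKey
# attributes in LDAP for use with MIT Kerberos 1.11+
#
# Copyright (c) 2014 Frank Steinberg, TU Braunschweig.
#
# see also:
#   http://krbdev.mit.edu/rt/Ticket/Display.html?id=7918
#   http://krbdev.mit.edu/rt/Ticket/Display.html?id=7919
#
# What it does: every krbPrincipalKey value matching the search filter is
# decoded as a KrbKeySet; each KrbKey without a salt gets an empty KrbSalt
# (type 0, no salt string); for entries where something changed, an LDIF
# "changetype: modify / replace: krbPrincipalKey" record is printed on
# stdout.  Nothing is written back to the directory -- review the LDIF and
# apply it with ldapmodify.
#
# Security notes for the operator:
#  * stdout carries the krbPrincipalKey values (principal key material; whether
#    it is master-key encrypted depends on the KDB setup, cf. the mkvno field).
#    Redirect into a file created with a restrictive umask and delete it after
#    applying.  The old values are included as "# krbPrincipalKey::" comments
#    so a record can be rolled back by hand.
#  * "replace:" removes every existing value of the attribute, so ALL values
#    of a multi-valued krbPrincipalKey are re-emitted (unchanged ones byte for
#    byte), not only the first one.
#  * A password given with -w is visible in the process list and shell
#    history; use -W to be prompted instead.  A simple bind with a password
#    over plain ldap:// sends it in clear text; the script warns about that.
#

from __future__ import print_function

import getopt
import getpass
import sys
from base64 import b64encode

import ldap
from pyasn1.codec.ber import decoder, encoder
from pyasn1.error import PyAsn1Error
from pyasn1.type.namedtype import NamedType, NamedTypes, OptionalNamedType
from pyasn1.type.tag import Tag, tagClassContext, tagFormatSimple
from pyasn1.type.univ import Integer, OctetString, Sequence, SequenceOf

# KrbKeySet ::= SEQUENCE {
#     attribute-major-vno [0] UInt16,
#     attribute-minor-vno [1] UInt16,
#     kvno                [2] UInt32,
#     mkvno               [3] UInt32 OPTIONAL,
#     keys                [4] SEQUENCE OF KrbKey,
#     ...
# }
#
# KrbKey ::= SEQUENCE {
#     salt      [0] KrbSalt OPTIONAL,
#     key       [1] EncryptionKey,
#     s2kparams [2] OCTET STRING OPTIONAL,
#     ...
# }
#
# KrbSalt ::= SEQUENCE {
#     type [0] Int32,
#     salt [1] OCTET STRING OPTIONAL
# }
#
# EncryptionKey ::= SEQUENCE {
#     keytype  [0] Int32,
#     keyvalue [1] OCTET STRING
# }


def _ctx(n):
    """Context-specific tag [n]; every field in the schema above is explicitly tagged."""
    return Tag(tagClassContext, tagFormatSimple, n)


class UInt16(Integer):
    pass


class UInt32(Integer):
    pass


class Int32(Integer):
    pass


class EncryptionKey(Sequence):
    componentType = NamedTypes(
        NamedType('keytype', Int32(tagSet=Int32.tagSet.tagExplicitly(_ctx(0)))),
        NamedType('keyvalue', OctetString(tagSet=OctetString.tagSet.tagExplicitly(_ctx(1)))),
    )


class KrbSalt(Sequence):
    componentType = NamedTypes(
        NamedType('type', Int32(tagSet=Int32.tagSet.tagExplicitly(_ctx(0)))),
        OptionalNamedType('salt', OctetString(tagSet=OctetString.tagSet.tagExplicitly(_ctx(1)))),
    )


class KrbKey(Sequence):
    componentType = NamedTypes(
        OptionalNamedType('salt', KrbSalt(tagSet=KrbSalt.tagSet.tagExplicitly(_ctx(0)))),
        NamedType('key', EncryptionKey(tagSet=EncryptionKey.tagSet.tagExplicitly(_ctx(1)))),
        OptionalNamedType('s2kparams', OctetString(tagSet=OctetString.tagSet.tagExplicitly(_ctx(2)))),
    )


class KrbKeySet(Sequence):
    componentType = NamedTypes(
        NamedType('attribute_major_vno', UInt16(tagSet=UInt16.tagSet.tagExplicitly(_ctx(0)))),
        NamedType('attribute_minor_vno', UInt16(tagSet=UInt16.tagSet.tagExplicitly(_ctx(1)))),
        NamedType('kvno', UInt32(tagSet=UInt32.tagSet.tagExplicitly(_ctx(2)))),
        OptionalNamedType('mkvno', UInt32(tagSet=UInt32.tagSet.tagExplicitly(_ctx(3)))),
        NamedType('keys', SequenceOf(tagSet=SequenceOf.tagSet.tagExplicitly(_ctx(4)),
                                     componentType=KrbKey())),
    )


def _missing_salt(krbkey):
    """Return True when the optional salt [0] of a KrbKey is absent.

    pyasn1 0.1.x returns None for an unset optional component; newer releases
    hand back a schema object whose isValue is False.  Both are handled.
    NOTE(review): tested against pyasn1 0.1.x only -- confirm on newer versions.
    """
    salt = krbkey.getComponentByPosition(0)
    if salt is None:
        return True
    return hasattr(salt, 'isValue') and not salt.isValue


def _add_empty_salt(krbkey):
    """Attach KrbSalt { type 0 } (no salt string) to a KrbKey, with the
    explicit [0] tag the KrbKey schema requires."""
    salt = KrbSalt(tagSet=KrbSalt.tagSet.tagExplicitly(_ctx(0)))
    salt.setComponentByName('type', Int32(tagSet=Int32.tagSet.tagExplicitly(_ctx(0)), value=0))
    krbkey.setComponentByName('salt', salt)


def fix_keyset(raw):
    """Decode one krbPrincipalKey value and add empty salts where missing.

    Args:
        raw: the BER-encoded KrbKeySet as stored in the directory.
    Returns:
        (encoded, changed) -- `changed` is the number of KrbKeys that got a
        salt; when it is 0 `encoded` is `raw` itself, so untouched values are
        re-emitted byte for byte rather than re-encoded.
    Raises:
        ValueError if bytes follow the KrbKeySet (re-encoding would silently
        drop them); PyAsn1Error on malformed input.
    """
    keyset, rest = decoder.decode(raw, asn1Spec=KrbKeySet())
    if rest:
        raise ValueError("%d trailing byte(s) after KrbKeySet" % len(rest))
    changed = 0
    for krbkey in keyset.getComponentByPosition(4):
        if _missing_salt(krbkey):
            _add_empty_salt(krbkey)
            changed += 1
    if changed == 0:
        return raw, 0
    return encoder.encode(keyset), changed


def _b64(data):
    """base64 text for an LDIF '::' value (bytes in, str out on py2 and py3)."""
    return b64encode(data).decode('ascii')


def _ldif_dn(dn):
    """Format the 'dn' line; RFC 2849 requires 'dn::' base64 for values that are
    not ASCII, start with space/colon/'<', or contain NUL/CR/LF."""
    dn_bytes = dn if isinstance(dn, bytes) else dn.encode('utf-8')
    try:
        text = dn_bytes.decode('ascii')
    except UnicodeDecodeError:
        return 'dn:: %s' % _b64(dn_bytes)
    if not text or text[0] in ' :<' or any(c in text for c in '\0\r\n'):
        return 'dn:: %s' % _b64(dn_bytes)
    return 'dn: %s' % text


def usage(stream=sys.stdout):
    """Print the command-line synopsis (the search filter argument is mandatory)."""
    print("kdb5_ldap_fixkeys [-D user_dn [-w passwd | -W]] [-H ldapuri] [-b base_dn] filter",
          file=stream)
    print("  prints LDIF 'replace: krbPrincipalKey' records on stdout; the directory is not modified",
          file=stream)


def main(argv=None):
    """Entry point.  Returns the process exit status: 0 ok, 1 LDAP/decoding
    failure, 2 usage error.  Options mirror ldapsearch (-D/-w/-W/-H/-b)."""
    argv = sys.argv[1:] if argv is None else argv
    try:
        opts, args = getopt.getopt(
            argv, "hD:w:WH:b:",
            ["help", "binddn=", "password=", "prompt", "ldapuri=", "base="])
    except getopt.GetoptError as err:
        print(str(err), file=sys.stderr)
        usage(sys.stderr)
        return 2

    binddn = ""
    password = ""
    prompt = False
    base = ""
    ldapuri = "ldapi:///"
    for opt, val in opts:
        if opt in ("-h", "--help"):
            usage()
            return 0
        elif opt in ("-D", "--binddn"):
            binddn = val
        elif opt in ("-w", "--password"):
            password = val
        elif opt in ("-W", "--prompt"):
            prompt = True
        elif opt in ("-H", "--ldapuri"):
            ldapuri = val
        elif opt in ("-b", "--base"):
            base = val
        else:
            raise RuntimeError("unhandled option %s" % opt)

    # Validate the positional argument before touching the network.
    if len(args) != 1:
        usage(sys.stderr)
        return 2
    search_filter = args[0]

    if prompt:
        # Prompting keeps the password out of argv/ps and the shell history.
        password = getpass.getpass("LDAP password for %s: " % binddn)
    if password and ldapuri.lower().startswith("ldap://"):
        print("# WARNING: simple bind with a password over plain ldap:// "
              "sends it in clear text; prefer ldapi:/// or ldaps://", file=sys.stderr)

    # Synchronous bind: the async l.bind() used earlier never surfaced bind
    # errors, so a failed bind silently continued into the search.
    try:
        conn = ldap.initialize(ldapuri)
        conn.simple_bind_s(binddn, password)
    except ldap.LDAPError as err:
        print("bind to %s failed: %s" % (ldapuri, err), file=sys.stderr)
        return 1

    try:
        results = conn.search_s(base, ldap.SCOPE_SUBTREE, search_filter, ["krbPrincipalKey"])
    except ldap.LDAPError as err:
        print("search failed: %s" % err, file=sys.stderr)
        return 1
    finally:
        # Everything below works on the fetched copies; drop the session early.
        try:
            conn.unbind_s()
        except ldap.LDAPError:
            pass

    status = 0
    for dn, entry in results:
        if dn is None:
            # python-ldap reports search referrals as (None, [urls]); skip them.
            continue
        values = entry.get("krbPrincipalKey") or []
        if not values:
            print("# No krbPrincipalKey attribute for %s" % dn)
            continue

        fixed = []
        total = 0
        try:
            for raw in values:
                encoded, changed = fix_keyset(raw)
                fixed.append(encoded)
                total += changed
        except (PyAsn1Error, ValueError) as err:
            # Do not emit a record we could not fully decode: a "replace" built
            # from a partial decode would destroy the attribute.
            print("# ERROR: cannot decode krbPrincipalKey for %s: %s" % (dn, err), file=sys.stderr)
            status = 1
            continue

        if total == 0:
            print("# The krbPrincipalKey attribute for %s seems to be ok" % dn)
            continue

        print("# Adding empty KrbSalt on %d KrbKeys for %s" % (total, dn))
        print(_ldif_dn(dn))
        print("changetype: modify")
        print("replace: krbPrincipalKey")
        # Old values as comments (rollback aid), then every value -- changed or
        # not -- because "replace" discards whatever is not listed.
        for raw in values:
            print("# krbPrincipalKey:: %s" % _b64(raw))
        for encoded in fixed:
            print("krbPrincipalKey:: %s" % _b64(encoded))
        print("-\n")
    return status


if __name__ == "__main__":
    sys.exit(main())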