Package: debian-edu-config
Severity: important
Version: 1.818
Tags: patch

Hi all,

we have started creating non-POSIX / non-Kerberos accounts on a Debian Edu main server and stumbled over a slight flaw in debian-edu-config's gosa-sync script (password change hook).

The hook script tries to change the password of the underlying Kerberos principal. It does this always, even if the account to-be-updated is not a Kerberos account.
By default, we only turn POSIX accounts into Kerberos accounts (which is a sensible default). This should be honoured by the gosa-sync script as seen in the below patch (also attached to this mail):
""" --- gosa-sync.orig 2015-09-09 11:41:11.000000000 +0200 +++ gosa-sync 2015-09-09 12:19:36.703718246 +0200 @@ -17,6 +17,15 @@ USERDN="$1" USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`+# check if the given user account has the Kerberos principal objectClass set... +is_krbprincipal=`ldapsearch -LLL -x "(&(uid=${USERID})(objectClass=krbPrincipalAux))"`
+if [ -z "$is_krbprincipal" ]; then + + # if not, simply bail out here without noise... + exit 0 + +fi + ## The new user password is in environment, $USERPASSWORD. ## Check if provided password corresponds to hash saved in ldap database: """ It would be nice to get this fixed in Debian Edu jessie... Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
--- gosa-sync.orig 2015-09-09 11:41:11.000000000 +0200 +++ gosa-sync 2015-09-09 12:19:36.703718246 +0200 @@ -17,6 +17,15 @@ USERDN="$1" USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"` +# check if the given user account is has the Kerberos principal objectClass set... +is_krbprincipal=`ldapsearch -LLL -x "(&(uid=${USERID})(objectClass=krbPrincipalAux))"` +if [ -z "$is_krbprincipal" ]; then + + # if not, simply bail out here without noise... + exit 0 + +fi + ## The new user password is in environment, $USERPASSWORD. ## Check if provided password corresponds to hash saved in ldap database:
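Review bot: the `-z` test cannot tell a failed search from an empty result, so if the directory is unreachable, or the anonymous bind (`-x` with no `-D`) may not read objectClass, `is_krbprincipal` is empty, the hook exits 0 silently and the Kerberos password is never changed while the LDAP one is. Capture the exit status separately, e.g. `is_krbprincipal=$(ldapsearch -LLL -x "(&(uid=${USERID})(objectClass=krbPrincipalAux))") || exit 1`, and bail out quietly only on a genuine empty result. The uid cut out of `$USERDN` is also interpolated into the filter unescaped; a uid containing `*`, `(` or `)` alters the filter (`(uid=*)` matches every entry), so either escape it per RFC 4515 or avoid the filter altogether with `-b "$USERDN" -s base "(objectClass=krbPrincipalAux)"`, which searches only the entry whose DN the hook was given. Minor: the comment reads "is has", and "without noise" does not hold while ldapsearch's stderr is left unredirected.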
Attachment:
pgpZXKMo8FGsr.pgp
Description: Digital PGP signature
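As an added example (not part of this bug report and not debian-edu-config's code), the principal check from the patch above written to cover the two cases the patch leaves open: the uid is escaped before it is placed in the LDAP filter, and a failed search is reported as an error instead of being mistaken for "not a Kerberos principal". The function names, the `demo_ldapsearch` stand-in, the `LDAPSEARCH` variable and the sample DNs are this example's own assumptions; the real hook would let `LDAPSEARCH` default to ldapsearch as shown.

```shell
#!/bin/sh
# Added example, not debian-edu-config's gosa-sync: a hardened version of the
# "does this account have the krbPrincipalAux objectClass?" check.

# Escape a value for use inside an LDAP filter (RFC 4515): backslash first,
# then '*', '(' and ')' become \5c, \2a, \28 and \29.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Cut the uid out of a DN such as "uid=alice,ou=people,dc=skole,dc=skolelinux,dc=no"
# (same sed expression the hook uses).
uid_from_dn() {
    printf '%s\n' "$1" | sed 's/^uid=\([^,]*\),.*$/\1/'
}

# Build the filter with the uid escaped, so a uid of "*" cannot widen the search.
krb_filter() {
    printf '(&(uid=%s)(objectClass=krbPrincipalAux))' "$(ldap_filter_escape "$1")"
}

# Exit status: 0 = Kerberos principal, 1 = plain account, 2 = the search itself failed.
# A non-zero exit from ldapsearch is not treated as "no entry".
is_krb_principal() {
    _out=$("${LDAPSEARCH:-ldapsearch}" -LLL -x "$(krb_filter "$1")" dn 2>/dev/null) || return 2
    [ -n "$_out" ]
}

# Constructed stand-in for ldapsearch so the example runs offline (assumption:
# a real directory would be queried instead). It skips options up to the filter
# and knows three accounts; a literal "(uid=*)" matches every entry, as it would
# in a real directory, which is exactly what the escaping prevents.
demo_ldapsearch() {
    while [ $# -gt 0 ]; do
        case "$1" in
            "("*) break ;;
            *) shift ;;
        esac
    done
    case "$1" in
        *'(uid=alice)'*) printf 'dn: uid=alice,ou=people,dc=skole,dc=skolelinux,dc=no\n' ;;
        *'(uid=*)'*)     printf 'dn: uid=alice,ou=people,dc=skole,dc=skolelinux,dc=no\n' ;;
        *'(uid=down)'*)  return 1 ;;   # simulates an unreachable directory
        *)               ;;            # any other uid: no matching entry, exit 0
    esac
}

# Demonstration over constructed sample DNs, mirroring how the hook would
# decide whether to touch the Kerberos principal at all.
LDAPSEARCH=demo_ldapsearch
for dn in 'uid=alice,ou=people,dc=skole,dc=skolelinux,dc=no' \
          'uid=svc-backup,ou=people,dc=skole,dc=skolelinux,dc=no' \
          'uid=*,ou=people,dc=skole,dc=skolelinux,dc=no' \
          'uid=down,ou=people,dc=skole,dc=skolelinux,dc=no'; do
    uid=$(uid_from_dn "$dn")
    rc=0
    is_krb_principal "$uid" || rc=$?
    case $rc in
        0) echo "$uid: Kerberos principal, change the principal's password" ;;
        1) echo "$uid: not a Kerberos principal, nothing to do" ;;
        *) echo "$uid: LDAP lookup failed, refusing to guess" ;;
    esac
done
```

The three-way exit status is the point: the hook can stay silent for a plain POSIX account while still failing loudly when the directory could not be asked, and the escaped filter keeps an odd uid from matching more than one entry.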