Description of problem: python3-ldap3 wants to load MD4 from Crypto, which isn't available on Rocky 9 and appears to now be provided by Cryptodome? Version-Release number of selected component (if applicable): python3-ldap3-2.8.1-4.el9.noarch How reproducible: I discovered this when trying to use a script developed on Rocky 8 on a new Rocky 9 system, so it's reproducible on every Rocky 9 system. Steps to Reproduce: 1. Try to use ntlm auth to bind to AD with the python-ldap3 package. Actual results: Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/ldap3/utils/ntlm.py", line 500, in ntowf_v2 from Crypto.Hash import MD4 # try with the Crypto library if present ModuleNotFoundError: No module named 'Crypto' Expected results: The script would authenticate and return results from Active Directory. Additional info: The fix I am using is to install python3-pycryptodomex and patch /usr/lib/python3.9/site-packages/ldap3/utils/ntlm.py as shown here: --- utils/ntlm.py.orig 2020-08-18 14:22:20.000000000 -0700 +++ utils/ntlm.py 2024-04-25 06:35:29.844194294 -0700 @@ -497,7 +497,7 @@ password_digest = hashlib.new('MD4', self._password.encode('utf-16-le')).digest() except ValueError as e: try: - from Crypto.Hash import MD4 # try with the Crypto library if present + from Cryptodome.Hash import MD4 # try with the Cryptodome library if present password_digest = MD4.new(self._password.encode('utf-16-le')).digest() except ImportError: raise e # raise original exception
Upon closer inspection it appears that the local script we use when ran on Rocky 8 does not authenticate in the same way and so doesn't try to import the MD4 hash. But I don't understand the internals of this well enough to guess why. In both cases we're doing a kinit to get a credential then running the script. Patching to use Cryptodome definitely fixes it for us in Rocky 9 though.