Description of problem:
When creating a new entry with the userPassword attribute in IPA, the ADD pre-operation plugin checks if its value is hashed or not. If it is, it tries to retrieve the unhashed value from the unhashed#user#password pseudo attribute. Unfortunately, it assumes that if this value exists, it contains the unhashed password and generates kerberos keys from it. The problem is that sometimes, the pseudo attribute contains the hashed password, resulting in invalid kerberos keys being generated.

The problem lies in daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c:

    3302     /* check if we have access to the unhashed user password */
    3303     userpw = slapi_entry_attr_get_charptr(e, "unhashed#user#password");
    3304     if (!userpw) {
    3305         slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
    3306                         "Pre-Encoded passwords are not valid\n");
    3307         errMesg = "Pre-Encoded passwords are not valid\n";
    3308         rc = LDAP_CONSTRAINT_VIOLATION;
    3309         goto done;
    3310     }

Version-Release number of selected component (if applicable):
v2.0

How reproducible:
always

Steps to Reproduce:
1. create an LDIF file with a new user entry, example:

    $ cat bug.ldif
    dn: uid=pzuna,cn=users,cn=accounts,dc=winry
    changetype: add
    uid: pzuna
    objectClass: top
    objectClass: person
    objectClass: organizationalperson
    objectClass: inetorgperson
    objectClass: krbprincipalaux
    objectClass: inetuser
    objectClass: posixaccount
    userPassword: {SSHA}DPqFvWYFS1SSDjMxr3WXKbP0sqNNJIQkOLWmWg==
    uidNumber: 5467
    gidNumber: 5894
    sn: Zuna
    homeDirectory: /home/pzuna
    krbPrincipalName: pzuna@WINRY
    givenName: Pavel
    cn: Pavel Zuna

2. add the user to IPA using ldapmodify:

    $ ldapmodify -D "cn=Directory Manager" -W -x -h "ldap://localhost:389" -f bug.ldif
    Enter LDAP password:

3. check that invalid kerberos keys have been created

    $ ldapsearch -D "cn=Directory Manager" -W -x -h localhost -b "dc=winry" "(uid=pzuna)"

   or

    $ kinit pzuna
    Password for pzuna@WINRY:
    kinit(v5): Password incorrect while getting initial credentials

Actual results:
Invalid kerberos key (krbPrincipalKey) is generated.

Expected results:
The ADD operation is aborted due to lack of unhashed password.

Additional info:
If this isn't proof enough, print the value of userpw variable after line 3310 in ipa_pwd_extop.c to see that it contains the hashed password.
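The extra guard the report calls for, as an added stand-alone example (not the FreeIPA plugin's own code or its eventual fix): before deriving keys, the value taken from the pseudo attribute is itself checked for a "{SCHEME}" prefix, and a hashed copy is rejected the same way a missing value is. The function names and the simplified prefix parser are assumptions; LDAP_CONSTRAINT_VIOLATION (19) is the standard LDAP result code.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LDAP_CONSTRAINT_VIOLATION 19   /* standard LDAP result code */

/* Assumed helper: true if value looks like a pre-encoded password,
 * i.e. "{SCHEME}payload" with a non-empty alphanumeric scheme name
 * and a non-empty payload, as in the {SSHA}... value in the LDIF above. */
bool looks_pre_encoded(const char *value)
{
    const char *p;
    if (value == NULL || value[0] != '{')
        return false;
    p = value + 1;
    if (!isalnum((unsigned char)*p))
        return false;                     /* "{}" or "{-x}" is not a scheme */
    while (isalnum((unsigned char)*p) || *p == '-' || *p == '_')
        p++;
    return *p == '}' && p[1] != '\0';     /* closing brace plus some payload */
}

/* Assumed helper: pick the cleartext that Kerberos keys may be derived from.
 * Returns NULL when no usable cleartext exists, which the caller maps to
 * LDAP_CONSTRAINT_VIOLATION. The pseudo attribute is only trusted when it
 * does NOT carry a copy of the hash, which is the case this report describes. */
const char *select_cleartext_for_keys(const char *userpassword,
                                      const char *unhashed_pseudo)
{
    if (userpassword == NULL)
        return NULL;
    if (!looks_pre_encoded(userpassword))
        return userpassword;              /* userPassword itself is cleartext */
    if (unhashed_pseudo == NULL || looks_pre_encoded(unhashed_pseudo))
        return NULL;                      /* missing, or a hash masquerading as cleartext */
    return unhashed_pseudo;
}

int main(void)
{
    /* constructed input mirroring the LDIF in the report: the pseudo attribute
     * holds the same hash, so key generation must be refused */
    const char *hash = "{SSHA}DPqFvWYFS1SSDjMxr3WXKbP0sqNNJIQkOLWmWg==";
    const char *clear = select_cleartext_for_keys(hash, hash);
    int rc = clear ? 0 : LDAP_CONSTRAINT_VIOLATION;
    printf("rc=%d cleartext=%s\n", rc, clear ? clear : "(none)");  /* rc=19 cleartext=(none) */
    return 0;
}
```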
Maybe my explanation wasn't clear enough, so here's a link describing the same problem on another directory server: http://forums.sun.com/thread.jspa?threadID=5350032
https://fedorahosted.org/freeipa/ticket/257
Fixed more than a year ago by me impersonating 'root'. :) master: fd5742cc7910bfe4bf896d0e5742a54380366e5e https://fedorahosted.org/freeipa/changeset/fd5742cc7910bfe4bf896d0e5742a54380366e5e