When changing a password via kadmin, the generated Kerberos keys end up using the "Normal" salt instead of the preferred SPECIAL salt (i.e. random salt). This causes a REGRESSION in that renaming a user will not allow it to continue to log in but will require a password reset, as the proper salt will not be sent to the client when the PREAUTH request is sent.
Further info. I "think" we can easily fix this, by providing password policy info about supported enctypes back to kadmin when it calls the get_policy DAL function.
We currently pass back NULL, which is not great. The only annoyance is that we'll have to translate enc-salts arrays back into strings. When we do that we should reorder the policy such that "special" enctype-salt pairs are listed before the "normal" salt pairs.
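To show why the salt type decides whether a rename breaks login, here is a small added simulation (not FreeIPA or MIT krb5 code). It assumes aes256-cts-hmac-sha1-96 with the RFC 3962 defaults, a constructed realm and principal names, and stops at the PBKDF2 output, leaving out the final AES-based DK step, which is a deterministic function of that output.

```python
import hashlib
import os

# RFC 3962 defaults for aes256-cts-hmac-sha1-96 (assumed enctype for this example)
PBKDF2_ITERATIONS = 4096
AES256_KEY_BYTES = 32


def normal_salt(realm: str, principal: str) -> bytes:
    """RFC 4120 'normal' (default) salt: the realm followed by the principal's
    name components, in order, with no separators. It is never stored with the
    key; the KDC recomputes it from whatever the principal is called right now."""
    components = principal.split("/")
    return (realm + "".join(components)).encode("utf-8")


def special_salt(rng=os.urandom) -> bytes:
    """'Special' salt: a random value stored in the KDB next to the key and sent
    verbatim to the client in the ETYPE-INFO2 preauth hint, so it is independent
    of the principal name."""
    return rng(16)


def string_to_key_material(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA1 step of the RFC 3962 string-to-key. The DK(tkey, "kerberos")
    step is omitted; if this value differs, the final key differs too."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, AES256_KEY_BYTES)


def login_works_after_rename(password: str, realm: str, old_name: str,
                             new_name: str, salt_type: str) -> bool:
    """Set the password while the principal is old_name, rename it to new_name,
    then check whether the key the client derives from the KDC's advertised
    salt still matches the stored key."""
    if salt_type == "normal":
        stored_key = string_to_key_material(password, normal_salt(realm, old_name))
        advertised_salt = normal_salt(realm, new_name)   # recomputed from new name
    elif salt_type == "special":
        stored_salt = special_salt()
        stored_key = string_to_key_material(password, stored_salt)
        advertised_salt = stored_salt                     # stored value, name-agnostic
    else:
        raise ValueError(f"unknown salt type: {salt_type}")
    client_key = string_to_key_material(password, advertised_salt)
    return client_key == stored_key
```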
master:
ipa-4-1:
Metadata Update from @simo:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.2