#7953 ipa-pwd-extop: do not remove MagicRegen mod, replace it
Closed: fixed 4 years ago by abbra. Opened 4 years ago by abbra.

In 2012, the ldbm backend in 389-ds started checking for entry modifications
after running betxnpreop plugins by comparing the number of modifications
before and after. If that number did not change, the plugins are considered
not to have modified the list.

ipa-pwd-extop removed and re-added the modification to ipaNTHash if it
contained the 'MagicRegen' value. This has not worked since commit
https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43,
but we were lucky that nothing in the FreeIPA code actually relied on it except
some code paths in the ipasam Samba passdb driver. However, Samba did not
reach the point where that code was triggered -- until now.

With support for running Samba as a domain member in an IPA domain, that code
path is triggered for the Kerberos service principals of domain members
(cifs/client.example.test, ...), and NT hash extraction from Kerberos keys
does not work.

Fix ipa-pwd-extop to follow the recommendations in
https://pagure.io/389-ds-base/issue/387#comment-120145 and
https://pagure.io/389-ds-base/issue/50369#comment-570696
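A constructed model of the detection gap described above, added here as an illustration; it is not 389-ds or FreeIPA code and does not reproduce ldbm internals. It only shows that a plugin which removes one mod and appends another leaves the mod count unchanged, so a count-only comparison cannot tell it from an untouched list, while a content-aware comparison can. The `Mod` class, the plugin functions and the sample NT hash value are assumptions made for the model.

```python
"""Constructed model (not 389-ds or FreeIPA code) of the change check the ticket
describes: the backend compares only the number of mods before and after a
betxnpreop plugin ran."""
from dataclasses import dataclass

MAGIC_REGEN = "MagicRegen"  # marker value the ticket mentions for ipaNTHash


@dataclass
class Mod:
    """One LDAP modification: attribute name and values (the op is omitted)."""
    attr: str
    values: list


def remove_and_readd(mods, nt_hash):
    """Old ipa-pwd-extop behaviour: drop the MagicRegen mod, append a new one."""
    for i, m in enumerate(mods):
        if m.attr.lower() == "ipanthash" and MAGIC_REGEN in m.values:
            del mods[i]
            mods.append(Mod("ipaNTHash", [nt_hash]))
            return True
    return False


def replace_in_place(mods, nt_hash):
    """Fixed behaviour: rewrite the values of the existing mod object instead."""
    for m in mods:
        if m.attr.lower() == "ipanthash" and MAGIC_REGEN in m.values:
            m.values = [nt_hash]
            return True
    return False


def changed_by_count(before, after):
    """The heuristic the ticket describes: only the number of mods is compared."""
    return len(before) != len(after)


def changed_by_content(before, after):
    """Content-aware comparison that notices both kinds of plugin edit."""
    key = lambda ms: [(m.attr.lower(), tuple(m.values)) for m in ms]
    return key(before) != key(after)


def run(plugin, nt_hash="0123456789abcdef0123456789abcdef"):  # constructed sample hash
    """Return (count check, content check, final ipaNTHash values) for one plugin."""
    mods = [Mod("krbPrincipalKey", ["<keys>"]), Mod("ipaNTHash", [MAGIC_REGEN])]
    snapshot = [Mod(m.attr, list(m.values)) for m in mods]  # deep copy taken before the plugin
    plugin(mods, nt_hash)
    final = [m.values for m in mods if m.attr.lower() == "ipanthash"]
    return changed_by_count(snapshot, mods), changed_by_content(snapshot, mods), final
```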


master:

  • 6a2c356 ipa-run-tests: add support of globs for test targets and ignores
  • c8ef093 Azure Pipelines: simplify test job definitions
  • 5230e2a Azure Pipelines: run fast linter in case of a pull request build
  • 53a0fa9 LDAPCreate: allow callers to override objectclasses
  • ef67dec ldap2.can_read: fix py3 compatibility
  • 6163cbc test_ipagetkeytab: allow testing LDAP connection beyond bind operation
  • 0f891c6 test_ipagetkeytab: factor out DM password reader
  • b5fbbd1 Keytab retrieval: allow requesting arcfour-hmac for SMB services
  • 46234f0 test_ipagetkeytab: test retrieval of explicit encryption types
  • a9bcf53 ipa-pwd-extop: do not remove MagicRegen mod, replace it

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago
