Bug 30471 - 45univention-join.inst: determination of old krb5KeyVersionNumber broken
45univention-join.inst: determination of old krb5KeyVersionNumber broken
Status: CLOSED FIXED
Product: Univention Corporate Client (UCC)
Classification: Unclassified
Component: General
unspecified
Other Linux
: P5 normal
: UCC 2.0
Assigned To: Felix Botner
Erik Damrose
: interim-1
: 31168 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-02-15 14:13 CET by Felix Botner
Modified: 2014-06-12 09:19 CEST (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2013-02-15 14:13:28 CET
45univention-join.inst
...
# Read kvno from LDAP entry
kvno="$(ldapsearch -x -D "$binddn" -w "$bindpwd" "(&(objectClass=univentionCorporateClient)(cn=$hostname))" krb5KeyVersionNumber | sed -ne 's|krb5KeyVersionNumber: ||')"
...

-> echo "dds krb5KeyVersionNumber: dsd" | sed -ne 's|krb5KeyVersionNumber: ||'
nil


This could be a problem if an ucc computer object is joind multiples times. Than the keytab on the ucc client has a wrong key version number.


uccclient:
-> ktutil --keytab=/etc/krb5.keytab  list
/etc/krb5.keytab:

Vno  Type                     Principal                              Aliases
  1  arcfour-hmac-md5         host/@TEST.UCC  
  1  aes128-cts-hmac-sha1-96  host/thinclient-124.test.ucc@TEST.UCC  
  1  aes256-cts-hmac-sha1-96  host/thinclient-124.test.ucc@TEST.UCC

ucs server:
-> univention-ldapsearch cn=thinclient-124 -LLLL krb5KeyVersionNumber
dn: cn=thinclient-124,cn=computers,dc=test,dc=ucc
krb5KeyVersionNumber: 2
dn: cn=thinclient-124,cn=test.ucc,cn=dhcp,dc=test,dc=ucc
Comment 1 Felix Botner univentionstaff 2014-04-04 15:49:02 CEST
fixed

-> univention-ldapsearch cn=ucc1 krb5KeyVersionNumber
dn: cn=ucc1,cn=computers,dc=perf,dc=test
krb5KeyVersionNumber: 6

@ucc1-> ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal                      Aliases
  6  arcfour-hmac-md5         host/ucc1.perf.test@PERF.TEST  
  6  aes128-cts-hmac-sha1-96  host/ucc1.perf.test@PERF.TEST  
  6  aes256-cts-hmac-sha1-96  host/ucc1.perf.test@PERF.TEST
Comment 2 Erik Damrose univentionstaff 2014-04-14 15:41:35 CEST
OK: The correct key version number is set on ucc clients in subsequent installs. 
OK: Changelog
Verified
Comment 3 Erik Damrose univentionstaff 2014-06-02 13:46:05 CEST
*** Bug 31168 has been marked as a duplicate of this bug. ***
Comment 4 Moritz Muehlenhoff univentionstaff 2014-06-12 09:19:50 CEST
UCC 2.0 has been released:
 http://docs.univention.de/release-notes-ucc-2.0.html

If this error occurs again, please use "Clone This Bug".