Bug 30525 - /etc/krb5.keytab not always complete
Status: CLOSED DUPLICATE of bug 31725
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 3.1
Hardware/OS: Other Linux
Priority: P5 normal
Target Milestone: UCS 3.1-1-errata
Assigned To: Stefan Gohmann
Arvid Requate
Reported: 2013-02-20 17:09 CET by Janis Meybohm
Modified: 2013-07-25 09:27 CEST (History)

Description Janis Meybohm univentionstaff 2013-02-20 17:09:25 CET
Ticket#: 2013020521000727
<http://forum.univention.de/viewtopic.php?f=48&t=2383&p=8090>

In some cases Kerberos authentication fails because the requested kvno is missing in /etc/krb5.keytab.
It looks like in these cases the kvno (but only that one) exists in samba's /var/lib/samba/private/secrets.keytab.

In my tests via the ticket the authentication did not always fail (4 of 5 times "samba-tool drs showrepl" failed connecting to samba, last try went okay) and copying the keytab does not solve the problem.
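The symptom described above (a kvno that samba's secrets.keytab holds but /etc/krb5.keytab does not) can be checked mechanically. The script below is an added diagnostic, not part of the ticket or of UCS: it parses the `ktutil list` output format shown later in this bug (Heimdal `ktutil -k <keytab> list`) and reports every principal/kvno pair that is present in the samba keytab but absent from the system keytab. The two embedded listings are constructed samples, not data from the ticket, and the `list_keytab` helper assumes a Heimdal `ktutil` in PATH.

```python
"""Cross-check kvnos between the system keytab and samba's secrets.keytab.

Added diagnostic (not from the ticket or UCS). Parses Heimdal
`ktutil -k <file> list` output, the same format as the listing quoted in
comment 1, and reports principal/kvno pairs that exist in the samba
keytab but not in /etc/krb5.keytab. The sample listings are constructed.
"""
import re
import subprocess
from collections import defaultdict

# One `ktutil list` entry: "<vno>  <etype>  <principal>  [aliases]"
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")


def parse_ktutil_list(text):
    """Return {principal: {kvno: set(etypes)}} from `ktutil list` output."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        # skip the "FILE:..." banner, the column header and blank lines
        if line.startswith(("FILE:", "Vno")) or not line.strip():
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        vno, etype, principal = int(m.group(1)), m.group(2), m.group(3)
        entries[principal][vno].add(etype)
    return entries


def missing_kvnos(system, samba):
    """(principal, kvno) pairs present in the samba keytab but absent from the system keytab.

    A KDC issuing tickets under such a kvno cannot be served from /etc/krb5.keytab,
    which is exactly the failure reported in this bug.
    """
    missing = []
    for principal, by_vno in samba.items():
        have = set(system.get(principal, {}))
        for vno in sorted(by_vno):
            if vno not in have:
                missing.append((principal, vno))
    return missing


def list_keytab(path):
    """Run Heimdal ktutil on a real keytab (assumes `ktutil` is in PATH; needs root for system keytabs)."""
    out = subprocess.run(["ktutil", "-k", path, "list"], check=True,
                         capture_output=True, text=True).stdout
    return parse_ktutil_list(out)


# Constructed sample: the system keytab stopped at kvno 77 while samba already holds kvno 78.
SAMPLE_SYSTEM = """FILE:/etc/krb5.keytab:

Vno  Type              Principal                     Aliases
 77  arcfour-hmac-md5  host/dc1.test.fb@TEST.FB
 77  des-cbc-md5       host/dc1.test.fb@TEST.FB
"""

SAMPLE_SAMBA = """FILE:/var/lib/samba/private/secrets.keytab:

Vno  Type              Principal                     Aliases
 78  arcfour-hmac-md5  host/dc1.test.fb@TEST.FB
 78  des-cbc-md5       host/dc1.test.fb@TEST.FB
 78  arcfour-hmac-md5  DC1$@TEST.FB
"""


def demo():
    """Compare the two constructed listings; on a real host use list_keytab() on both paths."""
    return missing_kvnos(parse_ktutil_list(SAMPLE_SYSTEM),
                         parse_ktutil_list(SAMPLE_SAMBA))


if __name__ == "__main__":
    for principal, vno in demo():
        print(f"{principal}: kvno {vno} only in secrets.keytab")
```

On a real DC, replace `demo()` with `missing_kvnos(list_keytab("/etc/krb5.keytab"), list_keytab("/var/lib/samba/private/secrets.keytab"))`; an empty result means every kvno samba knows about is also servable from the system keytab.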
Comment 1 Arvid Requate univentionstaff 2013-02-20 19:44:37 CET
Are there any significant log messages in the case of the ticket?

Note: Before UCS 3.1-0, running univention-join again on a Samba4 DC did not preserve the keys that were present in the krb5.keytab before the re-join;
Bug 25393 attempted to fix this. The truncated log messages in the forum posting look very similar. I cannot see from the context of the ticket whether this remark is relevant in that case.

In the case of the ticket, IIRC one thing that seemed to be irritating was that klist -v always showed "kvno 1" in its output. But this seems to be unrelated to the problem at hand. On a member server e.g. (bad example, I know..) where I changed passwords a lot I find
===============================================================
root@member2:~# ktutil list
FILE:/etc/krb5.keytab:

Vno  Type              Principal                     Aliases
 78  arcfour-hmac-md5  host/member2.test.fb@TEST.FB  
 78  des-cbc-md5       host/member2.test.fb@TEST.FB  
 78  des-cbc-crc       host/member2.test.fb@TEST.FB  
root@member2:~# kinit 'member2'
root@member2:~# klist -v | grep "Ticket etype"
Ticket etype: arcfour-hmac-md5, kvno 1
===============================================================
So, this "kvno 1" output might have a different interpretation.. more data is needed in this case.
Comment 2 Janis Meybohm univentionstaff 2013-06-04 14:58:16 CEST
This has hit a number of customers already. ATM we suggest that this is a subsequent error from Bug 27426 / Bug 31635.
Comment 3 Stefan Gohmann univentionstaff 2013-07-15 18:56:34 CEST
It looks like a duplicate of Bug #31725. If it occurs again with errata130, please reopen.

*** This bug has been marked as a duplicate of bug 31725 ***
Comment 4 Arvid Requate univentionstaff 2013-07-15 20:57:13 CEST
Yes, as Janis noted, we had one case where it was pretty obvious that this is a corollary of Bug 31635, which should be fixed by Bug 31725.
Comment 5 Moritz Muehlenhoff univentionstaff 2013-07-25 09:27:32 CEST
No errata release needed.