Univention Bugzilla – Bug 30525
/etc/krb5.keytab not always complete
Last modified: 2013-07-25 09:27:32 CEST
Ticket#: 2013020521000727
<http://forum.univention.de/viewtopic.php?f=48&t=2383&p=8090>

In some cases Kerberos authentication fails because the requested kvno is missing in /etc/krb5.keytab. It looks like in these cases the kvno (but only that one) exists in samba's /var/lib/samba/private/secrets.keytab.

In my tests via the ticket the authentication did not always fail (4 of 5 times "samba-tool drs showrepl" failed connecting to samba, last try went okay) and copying the keytab does not solve the problem.
Are there any significant log messages in the case of the ticket?

Note: Before UCS 3.1-0 running univention-join again on a Samba4 DC did not preserve the keys that were present in the krb5.keytab before the re-join, Bug 25393 attempted to fix this. The truncated log messages in the forum posting look very similar. Cannot see from the context of the ticket if this is a relevant remark in that case.

In the case of the ticket, IIRC one thing that seemed to be irritating was that klist -v always showed "kvno 1" in its output. But this seems to be unrelated to the problem at hand. On a memberserver e.g. (bad example, I know..) where I changed passwords a lot I find

===============================================================
root@member2:~# ktutil list
FILE:/etc/krb5.keytab:
Vno  Type              Principal                     Aliases
 78  arcfour-hmac-md5  host/member2.test.fb@TEST.FB
 78  des-cbc-md5       host/member2.test.fb@TEST.FB
 78  des-cbc-crc       host/member2.test.fb@TEST.FB
root@member2:~# kinit 'member2'
root@member2:~# klist -v | grep "Ticket etype"
Ticket etype: arcfour-hmac-md5, kvno 1
===============================================================

So, this "kvno 1" output might have a different interpretation.. more data is needed in this case.
This hit a number of customers already. ATM we suggest that this is a subsequent error from bug27426 / bug31635
It looks like a duplicate of Bug #31725. If it occurs again with errata130, please reopen. *** This bug has been marked as a duplicate of bug 31725 ***
Yes, as Janis noted, we had one case where it was pretty obvious that this is a corollary of Bug 31635 which should be fixed by Bug 31725.
No errata release needed.
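
Added example, not part of the bug report or Univention's code: a check for the condition described in the first comment, a kvno that exists in Samba's secrets.keytab but is missing from /etc/krb5.keytab, done by comparing "ktutil list" output for both files. The sample listings are constructed (kvno 79 and the secrets.keytab contents are assumptions), and the parser assumes the Heimdal column layout shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample output in the `ktutil list` layout shown in the thread.
SYSTEM_KEYTAB = """\
FILE:/etc/krb5.keytab:
Vno  Type              Principal                     Aliases
 78  arcfour-hmac-md5  host/member2.test.fb@TEST.FB
 78  des-cbc-md5       host/member2.test.fb@TEST.FB
 78  des-cbc-crc       host/member2.test.fb@TEST.FB
"""
# Constructed: kvno 79 stands in for the key that never reached krb5.keytab.
SAMBA_KEYTAB = """\
FILE:/var/lib/samba/private/secrets.keytab:
Vno  Type              Principal                     Aliases
 78  arcfour-hmac-md5  host/member2.test.fb@TEST.FB
 79  arcfour-hmac-md5  host/member2.test.fb@TEST.FB
 79  des-cbc-md5       host/member2.test.fb@TEST.FB
"""

# An entry line is: kvno, enctype, principal@REALM (aliases column ignored).
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)")


def parse_ktutil_list(text):
    """Return {principal: {kvno: set(enctypes)}} from `ktutil list` output."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # "FILE:", header and blank lines do not match
            kvno, etype, principal = m.groups()
            keys[principal][int(kvno)].add(etype)
    return keys


def missing_kvnos(system_text, samba_text):
    """kvnos present in the Samba keytab but absent from the system keytab."""
    system = parse_ktutil_list(system_text)
    samba = parse_ktutil_list(samba_text)
    report = {}
    for principal, by_kvno in samba.items():
        gap = sorted(set(by_kvno) - set(system.get(principal, {})))
        if gap:
            report[principal] = gap
    return report


if __name__ == "__main__":
    for principal, gap in missing_kvnos(SYSTEM_KEYTAB, SAMBA_KEYTAB).items():
        print(f"{principal}: kvno {gap} only in secrets.keytab")
```

On a real host the two inputs would be the captured output of "ktutil list" for each keytab file.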