Univention Bugzilla – Bug 34575
squid-kerberos: password mismatch if user account for service principal already exists
Last modified: 2017-02-09 17:28:35 CET
The UCS@school single master join failed:

-----------------------------------------------------------------------------
RUNNING 98univention-squid-samba4.inst
univention_samaccountname_ldap_check: ldb_add of user and group object is disabled
ERROR(ldb): Failed to add user 'http-proxy-master201': - ldb_request: Unwilling to perform (53)
WARNING: samba4 did not create a keytab for samAccountName=http-proxy-master201
EXITCODE=1
-----------------------------------------------------------------------------

After downgrading to univention-squid-kerberos=3.0.2-1.12.201309271205 the join script exited successfully.

+++ This bug was initially created as a clone of Bug #33779 +++

Ticket#: 2013121821001997

UCS@school S4-Slave 98univention-squid-samba4.inst generates a random password and creates a user object and a keytab (objectClass=kerberosSecret) with that password. If the server (slave) is reinstalled, the user already exists, but a new keytab with a new random password is generated. Now the password from the keytab/kerberosSecret object does not match the password of the user account and squid Kerberos authentication fails.

Configure 98univention-squid-samba4.inst Mon Sep 30 10:54:50 CEST 2013
Object exists: (uid) : http-proxy-school2
Added 1 records successfully
Modified 1 records successfully

Workaround: change the password of the user account to the password of the keytab

-> ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName=http-proxy-ucs-gsadbg secret
-> udm users/user modify \
     --dn uid=http-proxy-school2,cn=users,dc=test,dc=de \
     --set password=$secret

Fix: The join script should change the password of the user account, if the user already exists.
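As an added illustration of the fix this report asks for (not Univention's own join script code), the sketch below looks up the service principal's secret in secrets.ldb before creating the account and reuses it instead of generating a fresh random password, so the keytab and the user account cannot drift apart on a reinstall. It assumes the ldbsearch output is LDIF with the value on a "secret:" line (or base64 on a "secret::" line); the random-password generator is an assumption as well.

```shell
#!/bin/sh
# Sketch of the "reuse the existing secret" logic; not the real
# 98univention-squid-samba4.inst. Assumption: ldbsearch prints LDIF.

# Read LDIF on stdin and print the secret attribute, decoding a
# base64 ("secret::") value; prints nothing and returns 1 if absent.
secret_from_ldif() {
    while IFS= read -r line; do
        case "$line" in
            "secret:: "*) printf '%s' "${line#secret:: }" | base64 -d; return 0 ;;
            "secret: "*)  printf '%s' "${line#secret: }"; return 0 ;;
        esac
    done
    return 1
}

# Decide the password for the http-proxy-<host> service account.
# $1 is the output of:
#   ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName=<name> secret
# If the SPN already has a secret in secrets.ldb (the reinstall case from
# the report), reuse it; otherwise create a new random password (assumed
# generator: 20 alphanumeric characters from /dev/urandom).
service_password() {
    existing=$(printf '%s\n' "$1" | secret_from_ldif)
    if [ -n "$existing" ]; then
        printf '%s' "$existing"
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20
    fi
}

# Constructed sample: the LDIF a reinstalled slave would see for its SPN.
SAMPLE_LDIF='dn: samAccountName=http-proxy-master201,cn=Principals
secret: keytab-pw-sample
'
```

Whatever password this yields is the one to set on the user account with the report's udm users/user modify call, which is what keeps the keytab and the account in sync.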
Reverted last patch and tests if SPN exists in secrets.ldb.

YAML: 2014-17-04-univention-squid-kerberos.yaml
Verified. Tested:
* Update UCS@school Samba4 DC Slave + re-execution of the specific joinscript
* Update UCS@school Memberserver
* Fresh install of UCS@school Samba4 DC Slave via UCS@school wizard
* Fresh install of univention-squid-kerberos on a UCS@school Memberserver

After setting
ucr set squid/krb5auth=yes squid/ntlmauth=no squid/basicauth=no
/etc/init.d/squid3 restart; ## plus eventually an rdate call
in all cases, a domain user logged on to a Windows client could access (Firefox) web pages via Kerberos authenticated access over a Squid proxy.
http://errata.univention.de/ucs/3.2/96.html