Description Stefan Gohmann 2014-04-17 08:15:38 CEST

The UCS@school single master join failed:

-----------------------------------------------------------------------------
RUNNING 98univention-squid-samba4.inst
univention_samaccountname_ldap_check: ldb_add of user and group object is disabled

ERROR(ldb): Failed to add user 'http-proxy-master201':  - ldb_request: Unwilling to perform (53)
WARNING: samba4 did not create a keytab for samAccountName=http-proxy-master201
EXITCODE=1
-----------------------------------------------------------------------------

After downgrading to univention-squid-kerberos=3.0.2-1.12.201309271205 the join script exited successfully.

+++ This bug was initially created as a clone of Bug #33779 +++

Ticket#: 2013121821001997

UCS@school S4-Slave

98univention-squid-samba4.inst generates a random password and creates a user object and a keytab (objectClass=kerberosSecret) with that password. 

If the server (slave) is reinstalled, the user already exists, but a new keytab with a new random password is generated. Now the password from the keytab/kerberosSecret object does not match the password of the user account and squid kerberos authentication fails.

Configure 98univention-squid-samba4.inst Mon Sep 30 10:54:50 CEST 2013
Object exists: (uid) : http-proxy-school2
Added 1 records successfully
Modified 1 records successfully

Workaround:

change the password of the user account to the password of the keytab

-> ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName=http-proxy-ucs-gsadbg secret

-> udm users/user modify \
   --dn uid=http-proxy-school2,cn=users,dc=test,dc=de \
   --set password=$secret

Fix:

The join script should change the password of the user account, if the user already exists.