Bug 34575 - squid-kerberos: password mismatch if user account for service principal already exists
Product: UCS
Classification: Unclassified
Component: Squid
UCS 3.2
Other Linux
P5 normal
UCS 3.2-1-errata
Assigned To: Felix Botner
Arvid Requate
Depends on: 33779
Reported: 2014-04-17 08:15 CEST by Stefan Gohmann
Modified: 2017-02-09 17:28 CET (History)

Description Stefan Gohmann univentionstaff 2014-04-17 08:15:38 CEST
The UCS@school single master join failed:

RUNNING 98univention-squid-samba4.inst
univention_samaccountname_ldap_check: ldb_add of user and group object is disabled

ERROR(ldb): Failed to add user 'http-proxy-master201':  - ldb_request: Unwilling to perform (53)
WARNING: samba4 did not create a keytab for samAccountName=http-proxy-master201

After downgrading to univention-squid-kerberos=3.0.2-1.12.201309271205 the join script exited successfully.

+++ This bug was initially created as a clone of Bug #33779 +++

Ticket#: 2013121821001997

UCS@school S4-Slave

98univention-squid-samba4.inst generates a random password and creates a user object and a keytab (objectClass=kerberosSecret) with that password.

If the server (slave) is reinstalled, the user already exists, but a new keytab with a new random password is generated. Now the password from the keytab/kerberosSecret object does not match the password of the user account and squid kerberos authentication fails.

Configure 98univention-squid-samba4.inst Mon Sep 30 10:54:50 CEST 2013
Object exists: (uid) : http-proxy-school2
Added 1 records successfully
Modified 1 records successfully


Change the password of the user account to the password of the keytab:

-> ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName=http-proxy-ucs-gsadbg secret

-> udm users/user modify \
   --dn uid=http-proxy-school2,cn=users,dc=test,dc=de \
   --set password=$secret


The join script should change the password of the user account, if the user already exists.
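As an added illustration (not Univention's join script and not the patch from comment 1), a shell sketch of the check the report asks for: look the service principal up in secrets.ldb and, if a secret is already stored there, reuse it as the user object's password instead of generating a new one. The ldbsearch and udm invocations are the ones quoted above; the parsing helper, the sample ldbsearch output and the DN in it are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not Univention code. Assumes ldbsearch and udm are on PATH.
set -eu

# Extract the value of the "secret" attribute from ldbsearch output.
# ldbsearch prints binary/odd values base64-encoded as "secret:: <b64>",
# printable ones as "secret: <value>"; both forms are handled.
# Returns 1 when no secret is present (principal not yet in secrets.ldb).
extract_secret() {
    out="$1"
    b64=$(printf '%s\n' "$out" | sed -n 's/^secret:: //p' | head -n 1)
    if [ -n "$b64" ]; then
        printf '%s' "$b64" | base64 -d
        echo
        return 0
    fi
    plain=$(printf '%s\n' "$out" | sed -n 's/^secret: //p' | head -n 1)
    [ -n "$plain" ] || return 1
    printf '%s\n' "$plain"
}

# What the join script should do for this principal:
# "reuse" when secrets.ldb already holds a secret, "create" otherwise.
join_action() {
    if extract_secret "$1" >/dev/null; then
        echo reuse
    else
        echo create
    fi
}

# Align the user object's password with the secret already in secrets.ldb.
# $1: samAccountName (e.g. http-proxy-school2), $2: LDAP base (e.g. dc=test,dc=de)
sync_spn_password() {
    account="$1"; base_dn="$2"
    output=$(ldbsearch -H /var/lib/samba/private/secrets.ldb \
        "samAccountName=$account" secret)
    if secret=$(extract_secret "$output"); then
        # Account exists from a previous join: do NOT generate a new password,
        # set the user object's password to the one the keytab was built from.
        udm users/user modify \
            --dn "uid=$account,cn=users,$base_dn" \
            --set "password=$secret"
    else
        echo "no secret for $account in secrets.ldb; create user and keytab" >&2
        return 2
    fi
}
```

`join_action` is the decision the join script lacked; `sync_spn_password` is the "reuse" branch, leaving the original create-user-and-keytab path for the "create" case.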
Comment 1 Felix Botner univentionstaff 2014-04-17 14:27:59 CEST
Reverted last patch and tests if spn exists in secrets.ldb.

YAML: 2014-17-04-univention-squid-kerberos.yaml
Comment 2 Arvid Requate univentionstaff 2014-04-17 16:58:43 CEST

 * Update UCS@school Samba4 DC Slave + re-execution of the specific joinscript
 * Update UCS@school Memberserver 
 * Fresh install of UCS@school Samba4 DC Slave via UCS@school wizard
 * Fresh install of univention-squid-kerberos on a UCS@school Memberserver

After setting

 ucr set squid/krb5auth=yes squid/ntlmauth=no squid/basicauth=no
 /etc/init.d/squid3 restart; ## plus eventually an rdate call

in all cases, a domain user logged on to a Windows client could access (Firefox) web pages via Kerberos-authenticated access over a Squid proxy.
Comment 3 Janek Walkenhorst univentionstaff 2014-04-17 17:19:23 CEST