Bug 34575 - squid-kerberos: password mismatch if user account for service principal already exists
squid-kerberos: password mismatch if user account for service principal alrea...
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Squid
UCS 3.2
Other Linux
: P5 normal (vote)
: UCS 3.2-1-errata
Assigned To: Felix Botner
Arvid Requate
:
Depends on: 33779
Blocks:
  Show dependency treegraph
 
Reported: 2014-04-17 08:15 CEST by Stefan Gohmann
Modified: 2017-02-09 17:28 CET (History)
4 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2014-04-17 08:15:38 CEST
The UCS@school single master join failed:

-----------------------------------------------------------------------------
RUNNING 98univention-squid-samba4.inst
univention_samaccountname_ldap_check: ldb_add of user and group object is disabled

ERROR(ldb): Failed to add user 'http-proxy-master201':  - ldb_request: Unwilling to perform (53)
WARNING: samba4 did not create a keytab for samAccountName=http-proxy-master201
EXITCODE=1
-----------------------------------------------------------------------------

After downgrading to univention-squid-kerberos=3.0.2-1.12.201309271205 the join script exited successfully.

+++ This bug was initially created as a clone of Bug #33779 +++

Ticket#: 2013121821001997

UCS@school S4-Slave

98univention-squid-samba4.inst generates a random password and creates a user object and a keytab (objectClass=kerberosSecret) with that password. 

If the server (slave) is reinstalled, the user already exists, but a new keytab with a new random password is generated. Now the password from the keytab/kerberosSecret object does not match the password of the user account and squid kerberos authentication fails.

Configure 98univention-squid-samba4.inst Mon Sep 30 10:54:50 CEST 2013
Object exists: (uid) : http-proxy-school2
Added 1 records successfully
Modified 1 records successfully

Workaround:

change the password of the user account to the password of the keytab

-> ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName=http-proxy-ucs-gsadbg secret

-> udm users/user modify \
   --dn uid=http-proxy-school2,cn=users,dc=test,dc=de \
   --set password=$secret

Fix:

The join script should change the password of the user account, if the user already exists.
Comment 1 Felix Botner univentionstaff 2014-04-17 14:27:59 CEST
Reverted last patch and tests if spn exists in secrets.ldb.

YAML: 2014-17-04-univention-squid-kerberos.yaml
Comment 2 Arvid Requate univentionstaff 2014-04-17 16:58:43 CEST
Verified.

Tested:
 * Update UCS@school Samba4 DC Slave + re-execution of the specific joinscript
 * Update UCS@school Memberserver 
 * Fresh install of UCS@school Samba4 DC Slave via UCS@school wizard
 * Fresh install of univention-squid-kerberos on a UCS@school Memberserver

After setting

 ucr set squid/krb5auth=yes squid/ntlmauth=no squid/basicauth=no
 /etc/init.d/squid3 restart; ## plus eventually an rdate call

in all cases, a domain user logged on to a windows client could access (firefox) web pages via Kerberos authenticated access over a Squid proxy.
Comment 3 Janek Walkenhorst univentionstaff 2014-04-17 17:19:23 CEST
http://errata.univention.de/ucs/3.2/96.html