Bug 45789 - Error updating dns-service account password in secrets.ldb: No saltPrincipal provided
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
QA Contact: Samba maintainers
Reported: 2017-11-28 19:00 CET by Arvid Requate
Modified: 2020-07-03 20:56 CEST

What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.034
School Customer affected?: Yes
Ticket number: 2017112821000241, 2018020521000307, 2018073121000259


Description Arvid Requate univentionstaff 2017-11-28 19:00:36 CET
Ticket#2017112821000241 showed a case where kinit failed for the dns-service account. univention-system-check complained about it, but I have not seen any negative influence on DDNS updates by Windows clients in that case.

To fix it, I've used samba-tool user setpassword to set a new password and then I updated the corresponding "secret: " attribute for that service account in secrets.ldb (and incremented msds-KeyversionNumber). This aborted with an error message:

Failed to commit transaction: Failed to update keytab from entry samAccountName=dns-master10,CN=Principals in /var/lib/samba/private/secrets.ldb: No saltPrincipal provided

I fixed this by also adding an attribute
saltPrincipal: dns-master10@MYDOM.UCS

I guess this might be missing on UCS servers that have been updated from earlier UCS/Samba versions. In that case, the problem was only on one of four DCs. Maybe it's also just a master issue.
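
Added example, not part of the original report and not UCS or Samba code: a check that parses an LDIF dump of secrets.ldb (for instance from `ldbsearch -H /var/lib/samba/private/secrets.ldb`) and lists entries that store a secret but carry no saltPrincipal, the condition behind the error quoted above. The sample LDIF, the entry layout and the dns-backup11 account are constructed assumptions.

```python
import base64

# Constructed sample of an secrets.ldb LDIF dump; layout and values are assumptions.
SAMPLE_LDIF = """\
# record 1
dn: samAccountName=dns-master10,CN=Principals
samAccountName: dns-master10
realm: MYDOM.UCS
msDS-KeyVersionNumber: 2
secret:: Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=

# record 2
dn: samAccountName=dns-backup11,CN=Principals
samAccountName: dns-backup11
realm: MYDOM.UCS
saltPrincipal: dns-backup11@
 MYDOM.UCS
secret: constructed-placeholder
"""

def parse_ldif(text):
    """Return a list of {lowercased attribute: [values]} dicts, one per entry."""
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]           # LDIF folded line: join continuation
        else:
            lines.append(raw)
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):           # ldbsearch record/summary comments
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.lower(), []).append(value.strip())
    return entries

def missing_salt_principal(entries):
    """DNs of entries that hold a secret but have no saltPrincipal attribute."""
    return [e["dn"][0] for e in entries
            if "dn" in e and "secret" in e and "saltprincipal" not in e]

if __name__ == "__main__":
    for dn in missing_salt_principal(parse_ldif(SAMPLE_LDIF)):
        print("no saltPrincipal:", dn)     # secret values are never printed
```
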
Comment 1 Stefan Gohmann univentionstaff 2018-02-09 07:57:57 CET
Same here: Ticket #2018020521000307
Comment 2 Ingo Steuwer univentionstaff 2020-07-03 20:56:15 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.