Bug 48426 - old kvno are removed from /etc/krb5.keytab during password change with samba >= 4.9
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Depends on: 49034
Reported: 2019-01-04 11:30 CET by Felix Botner
Modified: 2019-03-19 11:45 CET
What kind of report is it?: Development Internal
Description Felix Botner univentionstaff 2019-01-04 11:30:59 CET
UCS 4.3 (samba 4.7)

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
4  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

UCS 4.4 (samba 4.9)

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
4  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

UCS 4.4 behavior seems correct but may lead to more confusion/problems during server password change.
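
A check for the difference between the two runs above, as an added example that is not part of the bug report: it compares two saved `ktutil list` outputs in the three-column form shown here and reports which kvnos disappeared. The function names `dropped_kvnos` and `keys_retained` are hypothetical; the sample listings are the second and third listings of each run.

```sh
#!/bin/sh
# Added example (not from the bug report): detect keys that vanished from a
# keytab between two saved `ktutil list` outputs.

# dropped_kvnos BEFORE AFTER PRINCIPAL
# Prints, space-separated, every kvno listed for PRINCIPAL in BEFORE that is
# missing from AFTER. Lines that do not start with a number (headers, the
# "..." used in the report) are ignored.
dropped_kvnos() {
    {
        printf '%s\n' "$1" | sed 's/^/B /'
        printf '%s\n' "$2" | sed 's/^/A /'
    } | awk -v p="$3" '
        $2 ~ /^[0-9]+$/ && $4 == p {
            if ($1 == "B") before[$2] = 1; else after[$2] = 1
        }
        END { for (k in before) if (!(k in after)) print k }
    ' | sort -n | paste -sd' ' -
}

# keys_retained BEFORE AFTER PRINCIPAL
# Exit status 0 if no old kvno was dropped, 1 otherwise (message on stderr).
keys_retained() {
    lost=$(dropped_kvnos "$1" "$2" "$3")
    [ -z "$lost" ] && return 0
    echo "keytab lost kvno(s) $lost for $3" >&2
    return 1
}

# Single quotes are required: inside double quotes the shell expands "$@".
PRINCIPAL='MASTER$@W2K12.TEST'

# Listings copied from the report (second and third `ktutil list` of each run).
BEFORE='1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...'
AFTER_SAMBA47='1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...'
AFTER_SAMBA49='2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...'

keys_retained "$BEFORE" "$AFTER_SAMBA47" "$PRINCIPAL" && echo "4.7: old keys kept"
keys_retained "$BEFORE" "$AFTER_SAMBA49" "$PRINCIPAL" || echo "4.9: old keys removed"
```

On a live system the two listings would be captured with `ktutil list` immediately before and after the `postchange` call.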
Comment 1 Felix Botner univentionstaff 2019-01-04 11:33:14 CET
We have a product test which performs a server password change; afterwards the ucs-test-samba4 tests are started, and in UCS 4.4 51_samba4.62server_password_change_drs_replication.test now fails because of this problem.

Added a samba restart for all DCs in product-tests/samba/multi-server.cfg.