Bug 48426 - old knvo are removed from /etc/krb5.keytab during password change with samba >= 4.9
old knvo are removed from /etc/krb5.keytab during password change with samba ...
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.4
Other Linux
: P5 normal (vote)
: ---
Assigned To: Samba maintainers
Samba maintainers
:
Depends on: 49034
Blocks:
  Show dependency treegraph
 
Reported: 2019-01-04 11:30 CET by Felix Botner
Modified: 2019-03-19 11:45 CET (History)
1 user (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2019-01-04 11:30:59 CET
UCS 4.3 (samba 4.7)

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
4  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

UCS 4.4 (samba 4.9)

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
4  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

UCS 4.4 behavior seems correct but may lead more confusion/problems during server password change.
Comment 1 Felix Botner univentionstaff 2019-01-04 11:33:14 CET
We have a product test which performs a server password change, afterwards ucs-test-samba4 are started and in UCS 4.4 51_samba4.62server_password_change_drs_replication.test now fails because of this problem.

Added a samba restart for all DC's in product-tests/samba/multi-server.cfg.