Bug 48585 - kpasswd broken on master if samba/connector is installed on backup
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: Kerberos
UCS 4.3
Other Linux
P5 normal
Assigned To: UCS maintainers
Reported: 2019-02-01 11:21 CET by Felix Botner
Modified: 2021-05-14 16:34 CEST (History)
0 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019012121000554
Bug group (optional):
Max CVSS v3 score:


Description Felix Botner univentionstaff 2019-02-01 11:21:45 CET
Master and a backup with samba (and connector)

On the master, "dns_lookup_kdc = true" is configured in the krb5.conf, and the Samba installation seems to have removed non-Samba DCs from the DNS KDC list:

DN: relativeDomainName=_kerberos._tcp,zoneName=four.three,cn=dns,dc=four,dc=three
  location: 0 100 88 backup.four.three.
  name: kerberos tcp
  zonettl: 3 hours

DN: relativeDomainName=_kerberos._udp,zoneName=four.three,cn=dns,dc=four,dc=three
  location: 0 100 88 backup.four.three.
  name: kerberos udp
  zonettl: 3 hours

So any Kerberos authentication request goes to the backup (Samba). But the default "kpasswd_server" on the master points to the master, with the heimdal-kdc.

This does not work (the Samba ticket is useless with the Heimdal kpasswd service).

-> kpasswd test1
test1@FOUR.THREE's Password: 
New password for test1@FOUR.THREE: 
Verify password - New password for test1@FOUR.THREE: 
Auth error : Authentication failed


Workaround for now:

Set the kpasswd server on the non-Samba DC to one of the Samba DCs.

-> ucr set kerberos/kpasswdserver='backup.four.three'
-> kpasswd test1
test1@FOUR.THREE's Password: 
New password for test1@FOUR.THREE: 
Verify password - New password for test1@FOUR.THREE: 
Success : Password changed
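
The mismatch described above can be checked for mechanically. This is an added example, not part of the original report and not UCS code: it compares the kpasswd_server entries in a krb5.conf with the KDC hosts published in the _kerberos SRV records and lists any kpasswd server that is not one of those KDCs. The krb5.conf text and the host name master.four.three are constructed for illustration; the SRV values are the ones from the LDAP output in the report.

```python
import re

def parse_krb5(text, realm):
    """Return (dns_lookup_kdc, [kpasswd_server hosts]) for one realm."""
    section, in_realm, dns_lookup, kpasswd = None, False, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, in_realm = header.group(1), False
            continue
        if line == "}":
            in_realm = False
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "realms" and value == "{":
            in_realm = key == realm
        elif section == "libdefaults" and key == "dns_lookup_kdc":
            dns_lookup = value.lower() in ("true", "yes", "on", "1")
        elif in_realm and key == "kpasswd_server":
            kpasswd.append(value.split(":")[0].lower().rstrip("."))
    return dns_lookup, kpasswd

def srv_targets(locations):
    """Host names from SRV 'priority weight port target' strings."""
    return {loc.split()[3].lower().rstrip(".") for loc in locations}

def stray_kpasswd_servers(krb5_text, realm, locations):
    """kpasswd servers that are not among the KDCs DNS hands out."""
    dns_lookup, kpasswd = parse_krb5(krb5_text, realm)
    if not dns_lookup:  # KDCs come from krb5.conf, not DNS: nothing to compare
        return []
    kdcs = srv_targets(locations)
    return [host for host in kpasswd if host not in kdcs]

# Constructed krb5.conf for the master; "master.four.three" is an assumed name.
MASTER_CONF = """
[libdefaults]
    default_realm = FOUR.THREE
    dns_lookup_kdc = true
[realms]
FOUR.THREE = {
    kpasswd_server = master.four.three
}
"""
# SRV values as shown in the _kerberos._tcp/_udp entries of the report.
SRV = ["0 100 88 backup.four.three.", "0 100 88 backup.four.three."]

if __name__ == "__main__":
    print(stray_kpasswd_servers(MASTER_CONF, "FOUR.THREE", SRV))
```

A non-empty result is a prompt to review the setup, since a kpasswd server outside the advertised KDC set is only a problem when it is backed by a different KDC implementation, as in this report.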
Comment 1 Ingo Steuwer univentionstaff 2021-05-14 15:43:14 CEST
This issue has been filed against UCS 4.3.

UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.