Univention Bugzilla – Full Text Bug Listing |
Summary: | squid-kerberos: password mismatch if user account for service principal already exists | ||
---|---|---|---|
Product: | UCS | Reporter: | Felix Botner <botner> |
Component: | Squid | Assignee: | Felix Botner <botner> |
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
Severity: | normal | ||
Priority: | P5 | CC: | gohmann, jmm |
Version: | UNSTABLE | ||
Target Milestone: | UCS 3.2-1-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
Bug Blocks: | 34575 | ||
Attachments: | SPN_DN.patch |
Description
Felix Botner
2013-12-19 09:21:24 CET
2014-03-03-univention-squid-kerberos.yaml

Added a test to check if the service principal account already exists (if so, only the password is updated).

Created attachment 5857
SPN_DN.patch

Currently the account DN is fixed to be below cn=users,$ldap_base, maybe it's better to use the DN as found on the system, see attached patch proposal.

(In reply to Arvid Requate from comment #2)
> Created attachment 5857
> SPN_DN.patch
>
> Currently the account DN is fixed to be below cn=users,$ldap_base, maybe
> it's better to use the DN as found on the system, see attached patch
> proposal.

fixed

I removed the entry of univention-squid-samba4 from /var/univention-join/status and called univention-run-join-scripts. The log file shows that something went wrong:

RUNNING 98univention-squid-samba4.inst
Object modified: uid=http-proxy-backup41,cn=users,dc=ar320i1,dc=qa
ERR: Entry already exists : "Entry samAccountName=http-proxy-backup41,CN=Principals already exists" on DN samAccountName=http-proxy-backup41,CN=Principals at block before line 9
Add failed after processing 0 records
ERR: (Attribute or value exists) "attribute 'servicePrincipalName': value #0 on 'CN=http-proxy-backup41,CN=Users,DC=ar320i1,DC=qa' already exists" on DN CN=http-proxy-backup41,CN=Users,DC=ar320i1,DC=qa at block before line 5
Modify failed after processing 0 records
EXITCODE=0

Apart from fixing the problem, maybe the error should be reflected in the exit code as well.

Replaced the samba4 spn stuff with /usr/share/univention-samba4/scripts/create_spn_account.sh in 98univention-squid-samba4.inst. create_spn_account.sh already checks if the account/spn exists.

Ok, on a samba4 DC the joinscript now uses the common create_spn_account.sh script from univention-samba4. To test this I messed up the password of the account and after running the joinscript again the create_spn_account.sh script created a new password so the existing account works again. On the other hand, if the account is present and the password works then it doesn't touch it.

Advisory OK.