Bug 34575

Summary: squid-kerberos: password mismatch if user account for service principal already exists
Product: UCS
Reporter: Stefan Gohmann <gohmann>
Component: Squid
Assignee: Felix Botner <botner>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P5
CC: botner, gohmann, jmm, walkenhorst
Version: UCS 3.2
Target Milestone: UCS 3.2-1-errata
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=34669
Bug Depends on: 33779    

Description Stefan Gohmann univentionstaff 2014-04-17 08:15:38 CEST
The UCS@school single master join failed:

-----------------------------------------------------------------------------
RUNNING 98univention-squid-samba4.inst
univention_samaccountname_ldap_check: ldb_add of user and group object is disabled

ERROR(ldb): Failed to add user 'http-proxy-master201':  - ldb_request: Unwilling to perform (53)
WARNING: samba4 did not create a keytab for samAccountName=http-proxy-master201
EXITCODE=1
-----------------------------------------------------------------------------

After downgrading to univention-squid-kerberos=3.0.2-1.12.201309271205 the join script exited successfully.

+++ This bug was initially created as a clone of Bug #33779 +++

Ticket#: 2013121821001997

UCS@school S4-Slave

98univention-squid-samba4.inst generates a random password and creates a user object and a keytab (objectClass=kerberosSecret) with that password. 

If the server (slave) is reinstalled, the user already exists, but a new keytab with a new random password is generated. Now the password from the keytab/kerberosSecret object does not match the password of the user account and squid kerberos authentication fails.

Configure 98univention-squid-samba4.inst Mon Sep 30 10:54:50 CEST 2013
Object exists: (uid) : http-proxy-school2
Added 1 records successfully
Modified 1 records successfully

Workaround:

change the password of the user account to the password of the keytab

-> ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName=http-proxy-ucs-gsadbg secret

-> udm users/user modify \
   --dn uid=http-proxy-school2,cn=users,dc=test,dc=de \
   --set password=$secret

Fix:

The join script should change the password of the user account, if the user already exists.
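The following is an added example, not the join script's code and not part of the original report. It shows the re-join path the description asks for: instead of minting a new random password when the service account already exists, read the secret Samba already stores for the principal (the `ldbsearch` call from the workaround) and push that value to the user object with `udm`. The LDIF samples are constructed; the secret value in them is made up. One caveat the workaround glosses over: LDIF base64-encodes values that are not plain printable ASCII (`secret:: …`) and folds long values onto continuation lines, so a bare `grep | cut` can hand `udm` an encoded or truncated string and the passwords still will not match. `ldif_attr` handles both cases. `sync_proxy_account` assumes `ldbsearch` and `udm` are available as on the page and is not run here.

```shell
#!/bin/sh
# Added example (not Univention's join script): extract the stored principal
# secret from ldbsearch's LDIF output and set it on the existing user object.

# Constructed sample of what
#   ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName=http-proxy-school2 secret
# prints. DN and secret value are made up for illustration.
SAMPLE_LDIF='# record 1
dn: samAccountName=http-proxy-school2,CN=Principals
secret: s3cr3t-example

# returned 1 records
# 1 entries
# 0 referrals'

# Same record with the value base64-encoded ("attr:: <base64>"), as LDIF does
# for values that are not plain printable ASCII.
SAMPLE_LDIF_B64='dn: samAccountName=http-proxy-school2,CN=Principals
secret:: czNjcjN0LWV4YW1wbGU='

# ldif_attr ATTR: read LDIF on stdin, print the first value of ATTR.
# Handles "attr: value", base64 "attr:: value" and folded continuation lines
# (LDIF wraps long values onto following lines that start with one space).
ldif_attr() {
    attr="$1"
    # unfold continuation lines, then keep the first matching attribute line
    line=$(sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' | grep "^${attr}::\{0,1\} " | head -n 1)
    case "$line" in
        "$attr:: "*) printf '%s' "${line#"$attr:: "}" | base64 -d ;;
        "$attr: "*)  printf '%s' "${line#"$attr: "}" ;;
        *)           return 1 ;;
    esac
}

# sync_proxy_account SPN DN: the re-join path. Assumes ldbsearch and udm as in
# the workaround above. When the account already exists, reuse the secret Samba
# holds for the principal instead of generating a new random password.
sync_proxy_account() {
    spn="$1"; dn="$2"
    secret=$(ldbsearch -H /var/lib/samba/private/secrets.ldb "samAccountName=$spn" secret \
             | ldif_attr secret) || return 1
    udm users/user modify --dn "$dn" --set password="$secret"
}
```

Usage on a server would be `sync_proxy_account http-proxy-school2 uid=http-proxy-school2,cn=users,dc=test,dc=de`; the function fails instead of writing an empty password if no secret is found for the principal.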
Comment 1 Felix Botner univentionstaff 2014-04-17 14:27:59 CEST
Reverted last patch and tests if spn exists in secrets.ldb.

YAML: 2014-17-04-univention-squid-kerberos.yaml
Comment 2 Arvid Requate univentionstaff 2014-04-17 16:58:43 CEST
Verified.

Tested:
 * Update UCS@school Samba4 DC Slave + re-execution of the specific joinscript
 * Update UCS@school Memberserver 
 * Fresh install of UCS@school Samba4 DC Slave via UCS@school wizard
 * Fresh install of univention-squid-kerberos on a UCS@school Memberserver

After setting

 ucr set squid/krb5auth=yes squid/ntlmauth=no squid/basicauth=no
 /etc/init.d/squid3 restart; ## plus eventually an rdate call

in all cases, a domain user logged on to a Windows client could access web pages (with Firefox) via Kerberos-authenticated access over a Squid proxy.
Comment 3 Janek Walkenhorst univentionstaff 2014-04-17 17:19:23 CEST
http://errata.univention.de/ucs/3.2/96.html