Bug 48426

Summary: old kvnos are removed from /etc/krb5.keytab during password change with samba >= 4.9
Product: UCS
Reporter: Felix Botner <botner>
Component: Samba4
Assignee: Samba maintainers <samba-maintainers>
Status: NEW
QA Contact: Samba maintainers <samba-maintainers>
Severity: normal
Priority: P5
CC: requate
Version: UCS 4.4
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=48084
          https://forge.univention.org/bugzilla/show_bug.cgi?id=49034
What kind of report is it?: Development Internal
Bug Depends on: 49034

Description Felix Botner univentionstaff 2019-01-04 11:30:59 CET
UCS 4.3 (samba 4.7)

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
4  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

UCS 4.4 (samba 4.9)

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange

-> ktutil list
3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
4  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
...

UCS 4.4 behavior seems correct but may lead to more confusion/problems during server password change.
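An added check (not part of this report or of UCS) that parses `ktutil list` output in the format shown above and flags a keytab that lacks the current kvno, lacks the previous kvno (tickets issued under the old key would stop being decryptable), or retains more key versions than expected; the sample output with its header line, the `check_keytab` function and the `keep` threshold are constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed samples modelled on the `ktutil list` output above (Heimdal format).
SAMPLE_SAMBA47 = """\
Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
  2  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
  3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
  4  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
"""
SAMPLE_SAMBA49 = """\
Vno  Type                     Principal
  3  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
  4  aes256-cts-hmac-sha1-96  MASTER$@W2K12.TEST
"""

# One entry line: kvno, encryption type, principal.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_ktutil_list(text):
    """Return {(principal, enctype): sorted kvnos} from `ktutil list` output."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header, blank or truncated ("...") lines
            continue
        kvno, enctype, principal = int(m.group(1)), m.group(2), m.group(3)
        entries[(principal, enctype)].add(kvno)
    return {key: sorted(kvnos) for key, kvnos in entries.items()}


def check_keytab(text, current_kvno, keep=2):
    """List problems for each principal/enctype after a password change.

    current_kvno: the kvno the KDC now uses for the machine account.
    keep: how many key versions the keytab is expected to retain at most.
    """
    problems = []
    for (principal, enctype), kvnos in parse_ktutil_list(text).items():
        tag = f"{principal} {enctype}"
        if current_kvno not in kvnos:
            problems.append(f"{tag}: current kvno {current_kvno} missing")
        if current_kvno > 1 and current_kvno - 1 not in kvnos:
            problems.append(f"{tag}: previous kvno {current_kvno - 1} missing")
        if len(kvnos) > keep:
            problems.append(f"{tag}: {len(kvnos)} kvnos retained, expected <= {keep}: {kvnos}")
    return problems
```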
Comment 1 Felix Botner univentionstaff 2019-01-04 11:33:14 CET
We have a product test which performs a server password change; afterwards ucs-test-samba4 is started, and in UCS 4.4 51_samba4.62server_password_change_drs_replication.test now fails because of this problem.

Added a samba restart for all DCs in product-tests/samba/multi-server.cfg.