Univention Bugzilla – Bug 33779
squid-kerberos: password mismatch if user account for service principal already exists
Last modified: 2014-04-17 08:15:38 CEST
Ticket#: 2013121821001997

UCS@school S4-Slave: 98univention-squid-samba4.inst generates a random password and creates a user object and a keytab (objectClass=kerberosSecret) with that password. If the server (slave) is reinstalled, the user already exists, but a new keytab with a new random password is generated. Now the password from the keytab/kerberosSecret object does not match the password of the user account and squid kerberos authentication fails.

Configure 98univention-squid-samba4.inst Mon Sep 30 10:54:50 CEST 2013
Object exists: (uid) : http-proxy-school2
Added 1 records successfully
Modified 1 records successfully

Workaround: change the password of the user account to the password of the keytab:

-> ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName=http-proxy-ucs-gsadbg secret
-> udm users/user modify \
       --dn uid=http-proxy-school2,cn=users,dc=test,dc=de \
       --set password=$secret

Fix: The join script should change the password of the user account if the user already exists.
2014-03-03-univention-squid-kerberos.yaml

Added a test to check if the service principal account already exists (if so, only the password is updated).
Created attachment 5857
SPN_DN.patch

Currently the account DN is fixed to be below cn=users,$ldap_base; maybe it's better to use the DN as found on the system, see attached patch proposal.
(In reply to Arvid Requate from comment #2)
> Created attachment 5857
> SPN_DN.patch
>
> Currently the account DN is fixed to be below cn=users,$ldap_base, maybe
> it's better to use the DN as found on the system, see attached patch
> proposal.

Fixed.
I removed the entry of univention-squid-samba4 from /var/univention-join/status and called univention-run-join-scripts. The log file shows that something went wrong:

RUNNING 98univention-squid-samba4.inst
Object modified: uid=http-proxy-backup41,cn=users,dc=ar320i1,dc=qa
ERR: Entry already exists : "Entry samAccountName=http-proxy-backup41,CN=Principals already exists" on DN samAccountName=http-proxy-backup41,CN=Principals at block before line 9
Add failed after processing 0 records
ERR: (Attribute or value exists) "attribute 'servicePrincipalName': value #0 on 'CN=http-proxy-backup41,CN=Users,DC=ar320i1,DC=qa' already exists" on DN CN=http-proxy-backup41,CN=Users,DC=ar320i1,DC=qa at block before line 5
Modify failed after processing 0 records
EXITCODE=0

Apart from fixing the problem, maybe the error should be reflected in the exit code as well.
Replaced the samba4 spn stuff with /usr/share/univention-samba4/scripts/create_spn_account.sh in 98univention-squid-samba4.inst. create_spn_account.sh already checks if the account/spn exists.
OK, on a samba4 DC the join script now uses the common create_spn_account.sh script from univention-samba4. To test this I messed up the password of the account and after running the join script again the create_spn_account.sh script created a new password so the existing account works again. On the other hand, if the account is present and the password works then it doesn't touch it. Advisory OK.
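The re-runnable behaviour asked for in the report and confirmed in the comment above (create the service account if it is missing; if it exists, reset its password only when the stored key no longer authenticates; then export a keytab that matches the account) as an added shell example. It is not the project's 98univention-squid-samba4.inst or create_spn_account.sh. It assumes that "udm users/user list" prints "DN: <dn>" lines, that "udm users/user create/modify" accept the --position, --dn and --set options used here, and that "samba-tool domain exportkeytab <keytab> --principal=<spn>" writes the principal's current key; the three tools are reached through the UDM, KINIT and SAMBA_TOOL variables so that stubs can replace them offline. The uid http-proxy-school2 and base dc=test,dc=de come from the report; the principal and keytab path are illustrative parameters.

```shell
#!/bin/sh
# Re-runnable provisioning of the squid service-principal account.
# Added example, not the project's join script or create_spn_account.sh.
# Assumed tool behaviour: "udm users/user list" prints "DN: <dn>" lines,
# "udm users/user create/modify" accept --position/--dn/--set, and
# "samba-tool domain exportkeytab <keytab> --principal=<spn>" writes the
# principal's current key into <keytab>.
set -eu

# The real tools are looked up through variables so an offline test can
# point them at stub functions instead of a UCS system.
UDM=${UDM:-udm}
KINIT=${KINIT:-kinit}
SAMBA_TOOL=${SAMBA_TOOL:-samba-tool}

# existing_dn <uid>: print the DN of an existing users/user object, or nothing.
existing_dn() {
    "$UDM" users/user list --filter "uid=$1" | sed -n 's/^DN: //p' | head -n 1
}

# keytab_works <keytab> <principal>: succeed if the key in the keytab still
# authenticates against the KDC, i.e. account password and keytab agree.
keytab_works() {
    [ -r "$1" ] && "$KINIT" -k -t "$1" "$2" >/dev/null 2>&1
}

# new_password: 32 random alphanumeric characters for the service account.
new_password() {
    head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-32
}

# ensure_spn_account <uid> <principal> <ldap_base> <keytab>
# Prints "unchanged", "updated" or "created"; returns non-zero if the
# exported keytab does not authenticate afterwards.
ensure_spn_account() {
    uid=$1 principal=$2 ldap_base=$3 keytab=$4

    dn=$(existing_dn "$uid")
    if [ -n "$dn" ] && keytab_works "$keytab" "$principal"; then
        echo unchanged        # account and keytab already agree: touch nothing
        return 0
    fi

    password=$(new_password)
    if [ -n "$dn" ]; then
        # The failure from the report: the account survived a reinstall with
        # its old password while the keytab was regenerated. Reset the
        # account instead of stopping at "Object exists".
        "$UDM" users/user modify --dn "$dn" --set "password=$password" >&2
        result=updated
    else
        "$UDM" users/user create --position "cn=users,$ldap_base" \
            --set "username=$uid" --set "lastname=$uid" \
            --set "password=$password" >&2
        result=created
    fi

    # Export the key derived from the password just set, then prove that
    # keytab and account agree before reporting success.
    rm -f "$keytab"
    "$SAMBA_TOOL" domain exportkeytab "$keytab" --principal="$principal" >&2
    if ! keytab_works "$keytab" "$principal"; then
        echo "error: $principal in $keytab does not authenticate" >&2
        return 1
    fi
    echo "$result"
}

# Stand-alone use from a join script, for example:
#   ensure_spn_account http-proxy-school2 HTTP/proxy.test.de@TEST.DE \
#       dc=test,dc=de /etc/squid3/krb5.keytab
if [ $# -eq 4 ]; then
    ensure_spn_account "$@"
fi
```

The final keytab_works check is what turns "Object exists" plus a silent EXITCODE=0 into a real failure: if the account was left with a password the keytab does not carry, the function returns 1 and the join script can propagate that. Note that, like the workaround in the report, the password is passed on the udm command line and is therefore briefly visible in the process list on the DC.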
http://errata.univention.de/ucs/3.2/90.html