Univention Bugzilla – Bug 48426
old kvno are removed from /etc/krb5.keytab during password change with samba >= 4.9
Last modified: 2019-03-19 11:45:13 CET
UCS 4.3 (samba 4.7)

-> ktutil list
1 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
...
-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange
-> ktutil list
1 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
2 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
...
-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange
-> ktutil list
1 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
2 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
3 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
...
-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange
-> ktutil list
1 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
2 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
3 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
4 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
...

UCS 4.4 (samba 4.9)

-> ktutil list
1 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
...
-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange
-> ktutil list
1 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
2 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
...
-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange
-> ktutil list
2 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
3 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
...
-> bash /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange
-> ktutil list
3 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
4 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
...

UCS 4.4 behavior seems correct but may lead to more confusion/problems during server password change.
We have a product test which performs a server password change; afterwards ucs-test-samba4 are started, and in UCS 4.4 51_samba4.62server_password_change_drs_replication.test now fails because of this problem. Added a samba restart for all DCs in product-tests/samba/multi-server.cfg.
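
An added example, not part of the report or of Univention's code: a shell check that compares two saved `ktutil list` outputs and prints every keytab entry that disappeared between them, which is the difference between the UCS 4.3 and UCS 4.4 listings above. The function names `dropped_kvnos` and `demo` are hypothetical, and entry lines are assumed to have the form `<kvno> <enctype> <principal>` as quoted in the report.

```shell
#!/bin/sh
# Added example (not Univention code): list keytab entries that vanished
# between two saved `ktutil list` outputs.
# Assumption: entry lines are "<kvno> <enctype> <principal>", as quoted in
# the report; header lines and "..." are ignored.

# dropped_kvnos BEFORE_FILE AFTER_FILE
# Prints "<principal> <enctype> <kvno>" for every entry only in BEFORE_FILE.
dropped_kvnos() {
    awk '
        # Entry lines start with a numeric kvno and have at least 3 fields.
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            key = $3 " " $2 " " $1
            if (FILENAME == ARGV[1]) before[key] = 1
            else after[key] = 1
        }
        END { for (k in before) if (!(k in after)) print k }
    ' "$1" "$2" | sort -k1,1 -k2,2 -k3,3n
}

# Constructed sample: the UCS 4.4 listings from the report, before and
# after the second postchange run (kvno 1 is dropped, kvno 3 is added).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
1 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
2 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
EOF
    cat > "$dir/after" <<'EOF'
2 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
3 aes256-cts-hmac-sha1-96 MASTER$@W2K12.TEST
EOF
    dropped_kvnos "$dir/before" "$dir/after"
    rm -rf "$dir"
}

demo
```

Run against captures taken before and after a `postchange` run, empty output corresponds to the UCS 4.3 behavior (old kvno kept) and a printed entry corresponds to the UCS 4.4 behavior (old kvno removed).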