The Samba-Bugzilla – Attachment 18679 Details for Bug 15886: net ads keytab create broken for domain controllers
Fix keytab sync regression for domain controllers
0001-kerberos_keytab-Fix-keytab-sync-regression-for-domai.patch (text/plain), 1.81 KB, created by Evgeny Sinelnikov on 2025-07-27 20:05:40 UTC
>From bec68d1d8c983c5531ba34d6bfd9e4aef2f8e495 Mon Sep 17 00:00:00 2001 >From: Evgeny Sinelnikov <sin@altlinux.org> >Date: Sun, 27 Jul 2025 18:15:58 +0400 >Subject: [PATCH] kerberos_keytab: Fix keytab sync regression for domain > controllers > >The keytab sync was broken for domain controllers (both AD and IPA) by the >introduction of the 'sync machine password to keytab' option. We now extend >it to work on Active Directory and IPA domain controllers (ROLE_ACTIVE_DIRECTORY_DC >and ROLE_IPA_DC), while maintaining the existing behavior for other roles. > >While here, improve debug messages and use clearer switch statement. > >Signed-off-by: Evgeny Sinelnikov <sin@altlinux.org> >--- > source3/libads/kerberos_keytab.c | 18 +++++++++++++----- > 1 file changed, 13 insertions(+), 5 deletions(-) > >diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c >index 49a892e5a55..86218f646cf 100644 >--- a/source3/libads/kerberos_keytab.c >+++ b/source3/libads/kerberos_keytab.c >@@ -1043,13 +1043,20 @@ NTSTATUS sync_pw2keytabs(void) > int i; > size_t num_keytabs; > >- DBG_DEBUG("Syncing machine password from secrets to keytabs.\n"); >- >- if (lp_server_role() != ROLE_DOMAIN_MEMBER) { >- TALLOC_FREE(frame); >- return NT_STATUS_OK; /* nothing todo */ >+ switch (lp_server_role()) { >+ case ROLE_DOMAIN_MEMBER: >+ case ROLE_ACTIVE_DIRECTORY_DC: >+ case ROLE_IPA_DC: >+ break; >+ default: >+ DBG_DEBUG("Skip syncing machine password from secrets to " >+ "keytabs. Nothing to do on if server role is not " >+ "domain member or domain controller.\n"); >+ goto out; > } > >+ DBG_DEBUG("Syncing machine password from secrets to keytabs.\n"); >+ > state = talloc_zero(frame, struct pw2kt_global_state); > if (state == NULL) { > TALLOC_FREE(frame); >@@ -1149,6 +1156,7 @@ params_ready: > } > } > >+out: > TALLOC_FREE(frame); > return NT_STATUS_OK; > } >-- >2.42.4 >
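Review bot: the skip message in the default: branch of the first hunk (@@ -1043,13 +1043,20 @@) reads "Nothing to do on if server role is not domain member or domain controller", which has a stray "on" and says "domain controller" although the case list lets through only ROLE_DOMAIN_MEMBER, ROLE_ACTIVE_DIRECTORY_DC and ROLE_IPA_DC. Suggest wording that matches the case list, for example "Nothing to do unless server role is domain member, AD DC or IPA DC", so the log line tells an administrator exactly which roles are synced. The diffstat shows a single file changed, so the description of 'sync machine password to keytab' should also be updated to say that the option now takes effect on these two DC roles.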
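Review bot: the out: label added in the second hunk (@@ -1149,6 +1156,7 @@) sits directly before TALLOC_FREE(frame) and an unconditional return NT_STATUS_OK, so any later error path that jumps to it would report success. Either add a short comment that out: is a success-only exit, or return a status variable there so the label is safe to reuse. The state == NULL path visible in the first hunk's context still frees frame on its own, so the function now has two cleanup styles; converging them on one exit would make the frame lifetime easier to audit.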