The Samba-Bugzilla – Attachment 9722 Details for
Bug 6750
After 'machine password timeout' /etc/krb5.keytab is not updated
[patch]
keytab autorefresh patch for 3.6
auto-refresh-keytab.patch (text/plain), 1.96 KB, created by
Vitaliy Filippov
on 2014-02-25 15:12:19 UTC
>Refresh default kerberos keytab (usually /etc/krb5.keytab) >on each machine password change. Without it machine password >changes break non-samba krb5 auth. > >Index: samba-3.6.6/source3/winbindd/winbindd_dual.c >=================================================================== >--- samba-3.6.6.orig/source3/winbindd/winbindd_dual.c 2012-06-24 17:21:16.000000000 +0000 >+++ samba-3.6.6/source3/winbindd/winbindd_dual.c 2014-02-25 15:12:53.762149486 +0000 >@@ -36,6 +36,7 @@ > #include "system/select.h" > #include "messages.h" > #include "../lib/util/tevent_unix.h" >+#include "ads.h" > > #undef DBGC_CLASS > #define DBGC_CLASS DBGC_WINBIND >@@ -1031,6 +1032,31 @@ > "trust_pw_find_change_and_store_it returned %s\n", > nt_errstr(result))); > >+ /** >+ * Refresh kerberos keytab to not break other applications >+ * Run from under the machine account, like 'net ads keytab create -P' >+ */ >+ if (NT_STATUS_IS_OK(result) && USE_KERBEROS_KEYTAB) { >+ ADS_STRUCT *ads = ads_init(lp_realm(), lp_workgroup(), NULL); >+ if (ads) { >+ ADS_STATUS status; >+ ads->auth.user_name = smb_xstrdup(global_myname()); >+ ads->auth.realm = smb_xstrdup(lp_realm()); >+ ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); >+ status = ads_connect(ads); >+ if (ADS_ERR_OK(status)) { >+ if (ads_keytab_create_default(ads)) { >+ DEBUG(0,("failed to refresh keytab - raise log level to see details\n")); >+ } >+ } else { >+ DEBUG(0,("failed to refresh keytab - ads_connect() returned %s\n", ads_errstr(status))); >+ } >+ ads_destroy(&ads); >+ } else { >+ DEBUG(0,("failed to refresh keytab - ads_init() failed\n")); >+ } >+ } >+ > if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) { > DEBUG(3,("machine_password_change_handler: password set returned " > "ACCESS_DENIED. Maybe the trust account " >@@ -1445,7 +1471,6 @@ > } > > if (child->domain && child->domain->primary && >- !USE_KERBEROS_KEYTAB && > lp_server_role() == ROLE_DOMAIN_MEMBER) { > > struct timeval next_change;
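Review bot: in the hunk at @@ -1031,6 +1032,31 @@ the result of secrets_fetch_machine_password() is assigned to ads->auth.password without a NULL check, so a failed fetch still proceeds to ads_connect() and is only reported through the generic "ads_connect() returned %s" message. Test the pointer right after the assignment, log a distinct message and skip the connect in that case. Every failure path here only logs at DEBUG(0) after the password change has already succeeded, so the keytab then stays out of step with the new machine password; it would help to say in the comment how an administrator is expected to recover (the comment already points at 'net ads keytab create -P').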
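Review bot: removing `!USE_KERBEROS_KEYTAB &&` in the hunk at @@ -1445,7 +1471,6 @@ turns on the next_change scheduling for every domain member that uses a kerberos keytab, which is a behaviour change the patch does not document. Since the description itself says machine password changes break non-samba krb5 auth without the refresh, these setups now depend on the refresh added in machine_password_change_handler succeeding each time. Add a comment above the condition explaining why the keytab case is now allowed, and state the change for keytab users in the patch description.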