Bug 11546 - dbcheck should detect < 2048 bit PREFERRED_KEY and remove
Status: RESOLVED DUPLICATE of bug 11285
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.3.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Blocks: 11538
Reported: 2015-10-07 17:25 UTC by Andrew Bartlett
Modified: 2016-07-29 02:51 UTC
Description Andrew Bartlett 2015-10-07 17:25:14 UTC
dbcheck should notice that the RSA key stored for new BackupKey encryptions is not 2048 bits, and remove (possibly re-generate) that key.
Comment 1 Andrew Bartlett 2015-10-07 17:26:26 UTC
This would avoid bugs like 11538, where the upgraded domain still didn't work.
Comment 2 Andrew Bartlett 2015-10-16 09:38:56 UTC
To be clear, the steps required are here:

https://lists.samba.org/archive/samba/2014-November/187205.html

The hard part will be parsing the key from the Python code in dbcheck; we will probably need a refactor.
Comment 3 Stefan Metzmacher 2015-10-26 10:38:17 UTC
(In reply to Andrew Bartlett from comment #2)

Andrew, are you sure we'll never need the private key again?
I'd avoid automatically deleting private keys.
Comment 4 Andrew Bartlett 2015-10-26 18:25:54 UTC
My sloppy language disguised the fact that I don't want to remove the key, but the CN=BCKUPKEY_PREFERRED Secret pointer to the key. The key remains (and is indeed still required to decrypt an old backup) but should not be used again for new encryptions.
Comment 5 Andrew Bartlett 2016-07-29 02:51:16 UTC

*** This bug has been marked as a duplicate of bug 11285 ***