Bug 13478 - "net ads keytab add nfs" writes only one enctype with older kerberos libraries
Summary: "net ads keytab add nfs" writes only one enctype with older kerberos libraries
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All / OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-19 23:01 UTC by Christof Schmitt
Modified: 2018-06-27 08:37 UTC
CC: 1 user

See Also:


Attachments
patch for 4.7 (1.50 KB, patch) - 2018-06-23 03:57 UTC, Christof Schmitt - ab: review+
patch for 4.8 (1.50 KB, patch) - 2018-06-23 03:58 UTC, Christof Schmitt - ab: review+

Description Christof Schmitt 2018-06-19 23:01:43 UTC
net ads keytab add nfs -P -d10
on a system with MIT kerberos 1.13 shows this behavior:

../lib/krb5_wrap/krb5_samba.c:1719: adding keytab entry for (nfs/SERVER@EXAMPLE.COM) with encryption type (18) and version (989)
../lib/krb5_wrap/krb5_samba.c:1477: Will try to delete old keytab entries
../lib/krb5_wrap/krb5_samba.c:1504: ignoring keytab entry principal nfs/SERVER@EXAMPLE.COM, kvno = 221
../lib/krb5_wrap/krb5_samba.c:1563: Found old entry for principal: nfs/server.example.com@EXAMPLE.COM (kvno 221) - trying to remove it.
../lib/krb5_wrap/krb5_samba.c:1580: removed old entry for principal: nfs/server.example.com@EXAMPLE.COM (kvno 221).
../lib/krb5_wrap/krb5_samba.c:1504: ignoring keytab entry principal nfs/SERVER@EXAMPLE.COM, kvno = 221
../lib/krb5_wrap/krb5_samba.c:1719: adding keytab entry for (nfs/server.example.com@EXAMPLE.COM) with encryption type (23) and version (989)
../lib/krb5_wrap/krb5_samba.c:1477: Will try to delete old keytab entries
../lib/krb5_wrap/krb5_samba.c:1563: Found old entry for principal: nfs/SERVER@EXAMPLE.COM (kvno 221) - trying to remove it.
../lib/krb5_wrap/krb5_samba.c:1580: removed old entry for principal: nfs/SERVER@EXAMPLE.COM (kvno 221).
../lib/krb5_wrap/krb5_samba.c:1504: ignoring keytab entry principal nfs/server.example.com@EXAMPLE.COM, kvno = 221
../lib/krb5_wrap/krb5_samba.c:1719: adding keytab entry for (nfs/SERVER@EXAMPLE.COM) with encryption type (23) and version (989)

An entry is added with the current KVNO (989 == 0x3DD). The next check
then only finds the KVNO stored with the lower 8 bits (221 == 0xDD)
and removes it again, resulting in an incomplete keytab file that
has only one enctype per entry.

MIT Kerberos 1.14 introduced larger KVNOs, so the problem affects
only systems with kerberos libraries 1.13 or older.

The fix would be to limit the check to the lower 8 bits of the KVNO.
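The truncation described in the report, replayed as an added example that is not Samba's code: a constructed in-memory keytab whose writer keeps only the low byte of the kvno (as the older MIT libraries do), with the cleanup pass run once as a full-width compare and once masked to 8 bits as proposed above. The entry layout, kt_add() and kt_delete_old() are simplified stand-ins for the real keytab helpers, and the principal and kvno values are taken from the log in the description.

```c
/* Constructed model of the cleanup bug described above; not Samba's own code. */
#include <stdio.h>
#include <string.h>
struct kt_entry { const char *principal; unsigned int vno; int enctype; int live; };
static struct kt_entry keytab[16];
static int n_entries;

/* Older libraries persist only one byte of the kvno: 989 is stored as 221. */
static void kt_add(const char *princ, unsigned int kvno, int enctype)
{
    keytab[n_entries++] = (struct kt_entry){ princ, kvno & 0xffu, enctype, 1 };
}
/* Cleanup pass run before a new key is written: keep entries holding kvno-1 or
 * the current kvno with another enctype; mask 0xffffffff = full-width compare,
 * 0xff = the 8-bit compare the report proposes. */
static void kt_delete_old(const char *princ, unsigned int kvno, int enctype,
                          unsigned int mask)
{
    for (int i = 0; i < n_entries; i++) {
        struct kt_entry *e = &keytab[i];
        if (!e->live || strcmp(e->principal, princ) != 0)
            continue;
        int keep = e->vno == ((kvno - 1) & mask) ||
                   (e->vno == (kvno & mask) && e->enctype != enctype);
        if (!keep)
            e->live = 0;   /* looks stale under this compare: removed */
    }
}

/* Replay "add enctype 18, then enctype 23" at kvno 989; a complete keytab has 2. */
static int enctypes_after_update(unsigned int mask)
{
    const char *princ = "nfs/server.example.com@EXAMPLE.COM";
    const int enctypes[] = { 18, 23 };
    int live = 0;
    n_entries = 0;
    for (int i = 0; i < 2; i++) {
        kt_delete_old(princ, 989, enctypes[i], mask);   /* as done before adding */
        kt_add(princ, 989, enctypes[i]);
    }
    for (int i = 0; i < n_entries; i++)
        live += keytab[i].live;
    return live;
}

int main(void)
{
    printf("full-width compare leaves %d enctype(s), 8-bit compare leaves %d\n",
           enctypes_after_update(0xffffffffu), enctypes_after_update(0xffu));
    return 0;
}
```

With the full-width compare the freshly written enctype 18 entry (stored as kvno 221) never matches 989 or 988 and is deleted again, leaving one enctype; with the 8-bit mask both enctypes survive.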
Comment 1 Christof Schmitt 2018-06-23 03:57:52 UTC
Created attachment 14254
patch for 4.7
Comment 2 Christof Schmitt 2018-06-23 03:58:19 UTC
Created attachment 14255
patch for 4.8
Comment 3 Alexander Bokovoy 2018-06-23 08:08:52 UTC
Comment on attachment 14254
patch for 4.7

LGTM.
Comment 4 Alexander Bokovoy 2018-06-23 08:09:09 UTC
Comment on attachment 14255
patch for 4.8

LGTM.
Comment 5 Alexander Bokovoy 2018-06-23 08:09:49 UTC
Karolin, please commit these two changes to 4-8 and 4-7.
Comment 6 Karolin Seeger 2018-06-25 10:54:50 UTC
(In reply to Alexander Bokovoy from comment #5)
Pushed to autobuild-v4-[8,7]-test.
Comment 7 Karolin Seeger 2018-06-27 08:37:27 UTC
(In reply to Karolin Seeger from comment #6)
Pushed to both branches.
Closing out bug report.

Thanks!