Bug 14125 - As kerberos service/acceptor we may not accept tickets with our previous machine password
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.11.0rc4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 12907
Blocks:
Reported: 2019-09-13 13:19 UTC by Stefan Metzmacher
Modified: 2021-12-03 21:33 UTC

See Also:

Description Stefan Metzmacher 2019-09-13 13:19:29 UTC
As we don't know under what kvno a KDC stores our machine passwords,
we just use fantasy numbers when filling the in-memory keytab
with our (up to 4) machine passwords.

If the kvno matches by accident the number we made up, the Heimdal
Kerberos library may not fall back and check all other keys/passwords.
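The lookup failure the description is about, modelled as an added Python example. This is not Samba or Heimdal code: the passwords, the made-up kvnos 4..1, the KDC's "real" kvno and the HMAC-based stand-in for ticket decryption are all constructed assumptions. The acceptor holds its current and three previous machine passwords under fantasy kvnos; the KDC issued the ticket with the current key under its own kvno. A lookup that binds itself to the keytab entry whose kvno happens to match tries the wrong (previous) password and gives up, while a lookup that falls back to every key for the principal still succeeds.

```python
"""Acceptor-side key selection from an in-memory keytab (constructed model).

Keytab entries are (kvno, key) pairs for one service principal. Ticket
"decryption" is modelled as verifying an HMAC tag with a candidate key;
a real Kerberos acceptor would decrypt the ticket's enc-part instead.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

KeytabEntry = Tuple[int, bytes]


def derive_key(password: str) -> bytes:
    # Constructed stand-in for Kerberos string-to-key.
    return hashlib.sha256(password.encode("utf-8")).digest()


def issue_ticket(kdc_kvno: int, kdc_key: bytes, payload: bytes) -> dict:
    # The KDC encrypts (here: tags) the ticket with the key it has on file
    # for the service and labels it with the kvno of that key.
    tag = hmac.new(kdc_key, payload, hashlib.sha256).digest()
    return {"kvno": kdc_kvno, "payload": payload, "tag": tag}


def try_key(key: bytes, ticket: dict) -> bool:
    # Succeeds only if this key is the one the KDC actually used.
    expected = hmac.new(key, ticket["payload"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket["tag"])


def build_keytab(passwords: List[str]) -> List[KeytabEntry]:
    # passwords are newest first. Fantasy kvno assignment (assumption):
    # the current password gets the highest number, older ones count down.
    n = len(passwords)
    return [(n - i, derive_key(pw)) for i, pw in enumerate(passwords)]


def accept_kvno_bound(keytab: List[KeytabEntry], ticket: dict) -> Optional[int]:
    # If any entry carries the ticket's kvno, only those entries are tried;
    # other keys are consulted only when no kvno matches at all.
    candidates = [e for e in keytab if e[0] == ticket["kvno"]] or keytab
    for kvno, key in candidates:
        if try_key(key, ticket):
            return kvno
    return None


def accept_always_fallback(keytab: List[KeytabEntry], ticket: dict) -> Optional[int]:
    # Prefer the matching kvno, but keep going through every remaining key.
    ordered = sorted(keytab, key=lambda e: e[0] != ticket["kvno"])
    for kvno, key in ordered:
        if try_key(key, ticket):
            return kvno
    return None


def scenario(real_kvno: int) -> Tuple[List[KeytabEntry], dict]:
    # Constructed machine password history, newest first, and a ticket the
    # KDC issued with the current password under its real kvno.
    passwords = ["pw-current", "pw-prev1", "pw-prev2", "pw-prev3"]
    keytab = build_keytab(passwords)
    ticket = issue_ticket(real_kvno, derive_key("pw-current"),
                          b"constructed service ticket")
    return keytab, ticket


if __name__ == "__main__":
    # Real kvno 3 collides with the fantasy kvno we gave the previous password.
    kt, t = scenario(3)
    print("collision, kvno-bound lookup:", accept_kvno_bound(kt, t))
    print("collision, fallback lookup:  ", accept_always_fallback(kt, t))
    # Real kvno 9 matches nothing, so both strategies end up trying all keys.
    kt, t = scenario(9)
    print("no collision, kvno-bound:    ", accept_kvno_bound(kt, t))
    print("no collision, fallback:      ", accept_always_fallback(kt, t))
```

With real kvno 3 the kvno-bound lookup returns None (it tried only the pw-prev1 key filed under fantasy kvno 3), while the fallback lookup returns 4, the entry holding the current password. With real kvno 9 neither fantasy number matches and both lookups succeed, which is why the problem only shows up when the guessed number collides with the KDC's real one.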
Comment 1 Andrew Bartlett 2021-12-03 17:49:28 UTC
While we can't fix existing installs, why don't we store the KVNO?  The (now deprecated) S4 member join codepath did that.
Comment 2 Stefan Metzmacher 2021-12-03 21:33:24 UTC
(In reply to Andrew Bartlett from comment #1)

There's no reliable way to get the kvno and all ways that might work most of the time just add complexity without solving the problem.