Bug 15644 - Changing a service account’s password invalidates Kerberos service tickets intended for delegation or user‐to‐user authentication
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.19.2
Hardware: All All
: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
Reported: 2024-05-09 03:34 UTC by Jennifer Sutton
Modified: 2024-05-29 13:30 UTC

See Also:


Description Jennifer Sutton 2024-05-09 03:34:50 UTC
If you obtain a Kerberos service ticket to an account and present it to the KDC to perform constrained delegation, but that account has changed its password in the meantime, the KDC will not be able to decrypt the service ticket. This affects Group Managed Service Accounts, which periodically have their passwords rotated.
Comment 1 Stefan Metzmacher 2024-05-29 13:30:51 UTC
(In reply to Jo Sutton from comment #0)

Why? The key should be identified by kvno in order to get the one for decryption...
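As an added example (not code from the Samba project or from either commenter), the following Python model shows the failure the description reports and the kvno-keyed lookup the reply asks about: a ticket sealed under the service key carries its kvno, and after a gMSA-style password rotation a KDC that keeps only the newest key can no longer decrypt it, while one that retains keys indexed by kvno still can. The HMAC seal, the `ServiceAccount` store and the sample ticket body are constructed stand-ins, not Kerberos encryption or Samba's database.

```python
import hmac
import hashlib

# Constructed model of Kerberos service-ticket sealing: the KDC seals the ticket
# under the service account's long-term key and records the key version number
# (kvno) in the ticket's EncryptedData, as RFC 4120 tickets do. The "cipher"
# here is an HMAC tag over the ticket body, enough to show whether the receiver
# holds the right key; it is not real Kerberos encryption.

def derive_key(password: str) -> bytes:
    """Stand-in for string-to-key: the account password becomes the service key."""
    return hashlib.sha256(password.encode()).digest()

class ServiceAccount:
    """Holds a service account's keys (hypothetical store). keep_history=False
    mimics a KDC that only retains the current key; keep_history=True one that
    indexes every key by kvno, which the delegation path needs."""
    def __init__(self, password: str, keep_history: bool):
        self.keep_history = keep_history
        self.kvno = 1
        self.keys = {1: derive_key(password)}

    def change_password(self, new_password: str) -> None:
        self.kvno += 1
        if not self.keep_history:
            self.keys.clear()  # old key discarded: the situation in the report
        self.keys[self.kvno] = derive_key(new_password)

def issue_ticket(account: ServiceAccount, body: bytes) -> dict:
    """KDC side: seal the ticket with the account's current key and stamp kvno."""
    tag = hmac.new(account.keys[account.kvno], body, hashlib.sha256).digest()
    return {"kvno": account.kvno, "body": body, "tag": tag}

def decrypt_ticket(account: ServiceAccount, ticket: dict) -> bool:
    """KDC side when the ticket is presented back (e.g. for constrained
    delegation): select the key by the ticket's kvno, not the newest one."""
    key = account.keys.get(ticket["kvno"])
    if key is None:
        return False  # no key for that kvno: decryption fails
    expected = hmac.new(key, ticket["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket["tag"])

def demo(keep_history: bool) -> bool:
    """Obtain a ticket, rotate the gMSA-style password, then present the ticket."""
    svc = ServiceAccount("initial-password", keep_history)
    ticket = issue_ticket(svc, b"ticket: user@EXAMPLE.COM -> HTTP/web.example.com")
    svc.change_password("rotated-password")
    return decrypt_ticket(svc, ticket)
```

`demo(False)` reproduces the reported failure; `demo(True)` shows the same ticket still decrypting once keys are retained and looked up by kvno.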