Bug 15644 - Changing a service account’s password invalidates Kerberos service tickets intended for delegation or user‐to‐user authentication
Summary: Changing a service account’s password invalidates Kerberos service tickets in...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.19.2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-09 03:34 UTC by Jo Sutton
Modified: 2024-05-09 03:37 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jo Sutton 2024-05-09 03:34:50 UTC
If you obtain a Kerberos service ticket to an account and present it to the KDC to perform constrained delegation, but that account has changed its password in the meantime, the KDC will not be able to decrypt the service ticket. This affects Group Managed Service Accounts, which periodically have their passwords rotated.