[PATCH] remove early check for saltPrincipal in smb_krb5_update_keytab
Andreas Schneider
asn at samba.org
Wed Sep 7 06:40:39 UTC 2016
On Wednesday, 7 September 2016 12:27:48 CEST Garming Sam wrote:
> Hi,
>
> In trying to fix https://bugzilla.samba.org/show_bug.cgi?id=10882 for
> recreating the BIND9 DNS accounts, we've found that sometime in the last
> few versions, it became impossible to switch DNS backends correctly with
> a 4.1 domain. The saltPrincipal attribute is missing in the secrets.ldb
> and despite never needing it, it prevents deletion of the DNS accounts.

I've added this because we had invalid entries for AES keys! Looking at the
code, it worked with Heimdal because Heimdal only used RC4 keys, which
don't use a saltPrincipal at all.
Looks like I forgot the upgrade path and I would say we need an update
function to add the salt principal to the secrets.ldb instead of not checking
for the salt principal.
Cheers,
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org