[PATCH] remove early check for saltPrincipal in smb_krb5_update_keytab

Garming Sam garming at catalyst.net.nz
Thu Sep 8 00:18:11 UTC 2016


I agree that we need to figure out some kind of general upgrade path.
But I would've thought that this patch would be necessary regardless.
It's not removing the check for the saltPrincipal, only deferring it
until it needs to be used in that function. Otherwise it is just
arbitrarily blocking deletions of something knowingly corrupt or
incomplete.

Cheers,

Garming

On 07/09/16 18:40, Andreas Schneider wrote:
> On Wednesday, 7 September 2016 12:27:48 CEST Garming Sam wrote:
>> Hi,
>>
>> In trying to fix https://bugzilla.samba.org/show_bug.cgi?id=10882 for
>> recreating the BIND9 DNS accounts, we've found that sometime in the last
>> few versions, it became impossible to switch DNS backends correctly with
>> a 4.1 domain. The saltPrincipal attribute is missing in the secrets.ldb
>> and despite never needing it, it prevents deletion of the DNS accounts.
> I've added this because we had invalid entries for AES keys! Looking at the
> code it worked with Heimdal because Heimdal did only use RC4 keys which
> doesn't use a saltPrincipal at all.
>
> Looks like I forgot the upgrade path and I would say we need an update 
> function to add the salt principal to the secrets.ldb instead of not checking 
> for the salt principal.
>
>
> Cheers,
>
>
> 	-- andreas
>



