[PATCH] fix for bug 10882

Andreas Schneider asn at samba.org
Fri Sep 9 08:10:16 UTC 2016


On Thursday, 8 September 2016 13:02:59 CEST Jeremy Allison wrote:
> On Thu, Sep 08, 2016 at 08:36:26PM +0100, Rowland Penny wrote:
> > On Thu, 8 Sep 2016 12:27:30 -0700
> > 
> > Jeremy Allison <jra at samba.org> wrote:
> > > On Thu, Sep 08, 2016 at 06:33:44PM +0100, Rowland Penny wrote:
> > > > I am posting this at Jeremy's request, this Patch along with
> > > > Garmin's Patch, fixes the inability to recreate a deleted Bind user
> > > > 'dns-*' with samba_upgradedns.
> > > > 
> > > > It is quite a simple patch, it moves the deletion of the users from
> > > > the bottom of the script (where they are only deleted if you are
> > > > upgrading to the internal dns server and they exist) to midway in
> > > > the script before the script portions for 'BIND9_DLZ' and
> > > > 'SAMBA_INTERNAL'. It doesn't matter if they are deleted here, this
> > > > is because if they are required, they will be created again.
> > > > 
> > > > This has always worked for me since I wrote it two months ago, it
> > > > just didn't work if your AD DC was created with an old version,
> > > > Garmin's patch fixes this.
> > > > 
> > > > Jeremy asked me to post Garmin's patch, but it is already posted
> > > > here:
> > > > 
> > > > https://lists.samba.org/archive/samba-technical/2016-September/116018.html
> > > 
> > > Rowland, Andreas replied to that saying he'd like to see
> > > the saltPrincipal value updated rather than removing the
> > > check.
> > > 
> > > https://lists.samba.org/archive/samba-technical/2016-September/116024.html
> > > 
> > > So I think Garmin's patch isn't quite right here.
> > 
> > I have just done a bit of checking here, it was a patch from Andreas
> > that added the saltPrincipal, so I think it is wrong to say that
> > Garmin's patch isn't right.
> 
> What commit refspec was that ? Andreas, can you comment here
> so we can get this sorted ?

Some time ago I fixed several issues with stronger encryption keys like AES.
The issue was that the saltPrincipal was not stored in the database so only
RC4 worked. Heimdal always used RC4 here so it wasn't the issue, but MIT
Kerberos relied on AES and failed.

86652c02083b411ad94217a871a2bcc81f16b369 adds a salt principal for the dns 
entries in the databases

and

c9a8fff52519bb57040bf34b730263f191a6a88f starts to use salt principals so that 
we can generate valid AES keys

The issue is that if you provisioned the domain with a release before 
86652c02083b411ad94217a871a2bcc81f16b369 was added, there is no saltPrincipal 
in the database. For tdbs we have update functions to update schemas. I don't 
know if we have something like that for ldb's. We need one to add the salt 
principal if it doesn't exist yet ...

I hope this helps ...


	andreas


-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
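An added illustration, not code from Samba or from anyone in this thread, of the kind of ldb update step Andreas asks for: find Kerberos secret entries that have no saltPrincipal and add one, in a way that is safe to rerun. It assumes (the thread does not say) that the entries carry objectClass kerberosSecret, sAMAccountName and realm, and that the salt principal takes the form `<sAMAccountName>@<REALM>`; the sample entries are constructed, and only `apply_to_ldb` needs Samba's python `ldb` bindings.

```python
# Added example, not Samba's own code: an idempotent upgrade step that adds a
# saltPrincipal to Kerberos secret entries provisioned before it existed.
# ASSUMED (the thread does not say): entries carry objectClass kerberosSecret,
# sAMAccountName and realm, and the salt has the form "<sAMAccountName>@<REALM>".

def salt_principal_for(attrs):
    """attrs: attribute name -> value list, as an ldb result exposes them."""
    classes = [c.lower() for c in attrs.get("objectClass", [])]
    name = attrs.get("sAMAccountName", [""])[0]
    realm = attrs.get("realm", [""])[0]
    if "kerberossecret" not in classes or not name or not realm:
        return None  # not a secret this step knows how to fix
    return "%s@%s" % (name, realm.upper())

def plan_salt_updates(entries):
    """entries: dn -> attrs. Returns (dn, saltPrincipal) pairs still missing;
    entries that already carry one are skipped, so reruns change nothing."""
    plan = []
    for dn, attrs in entries.items():
        if not attrs.get("saltPrincipal"):
            salt = salt_principal_for(attrs)
            if salt is not None:
                plan.append((dn, salt))
    return plan

def apply_to_ldb(path):
    """Apply the plan to a real ldb file through Samba's python ldb bindings
    (imported here so the planning code above runs without them)."""
    import ldb
    db = ldb.Ldb(path)
    entries = {}
    for msg in db.search(scope=ldb.SCOPE_SUBTREE,
                         expression="(objectClass=kerberosSecret)"):
        entries[str(msg.dn)] = {a: [v.decode() if isinstance(v, bytes) else v
                                    for v in msg[a]] for a in msg.keys() if a != "dn"}
    plan = plan_salt_updates(entries)
    for dn, salt in plan:  # MOD_ADD only: existing attributes are untouched
        m = ldb.Message(ldb.Dn(db, dn))
        m["saltPrincipal"] = ldb.MessageElement(salt, ldb.FLAG_MOD_ADD, "saltPrincipal")
        db.modify(m)
    return plan

# Constructed sample: dns-dc1 is an old-style entry with no saltPrincipal.
SAMPLE_ENTRIES = {
    "samAccountName=dns-dc1,CN=Principals": {"objectClass": ["kerberosSecret"],
        "sAMAccountName": ["dns-dc1"], "realm": ["example.com"]},
    "samAccountName=dns-dc2,CN=Principals": {"objectClass": ["kerberosSecret"],
        "sAMAccountName": ["dns-dc2"], "realm": ["EXAMPLE.COM"],
        "saltPrincipal": ["dns-dc2@EXAMPLE.COM"]},
}
```

Running `plan_salt_updates(SAMPLE_ENTRIES)` reports only the dns-dc1 entry; applying the plan and running it again yields an empty list, which is the property a schema-style update function needs.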


