Bug #2407

Kerberos keytab file is missing for new services

Added by Davide Principi over 7 years ago. Updated over 7 years ago.

Status: CLOSED
Start date: 11/29/2013
Priority: Normal
Due date: 11/29/2013
Assignee: -
% Done: 100%
Category: nethserver-samba
Target version: v6.5-beta3
Security class:
Resolution:
Affected version: v6.4-beta1
NEEDINFO: No

Description

When a kerberized service is installed on a system already configured as an AD member, the service keytab file is not created automatically.

For now, the keytabs are (re)created when the machine password is renewed, and when an AD join occurs.


Related issues

Related to NethServer 6 - Feature #1987: Squid GSSAPI/GSS-Negotiate (Kerberos) authentication CLOSED 11/28/2013 11/29/2013

Associated revisions

Revision 0af6fbfa
Added by Davide Principi over 7 years ago

smbads helper script: added "initkeytabs" command. Refs #2407

Revision 50d9f67b
Added by Davide Principi over 7 years ago

Expand kerberos keytab on installation. Refs #2407

If on installation the machine is already AD member, the kerberos
keytab file must be created.

Revision 8ee2d2bb
Added by Davide Principi over 7 years ago

Create kerberos keytab if machine has samba ADS role. Refs #2407 #1987

Revision b0913f78
Added by Davide Principi over 7 years ago

Create kerberos keytab if machine has samba ADS role. Refs #2407 #1987

Revision 521093f6
Added by Davide Principi about 6 years ago

Fixed nethserver-squid-conf on keytab re-initialization. Refs #2407

The exec() call prevented the following lines from being executed.

History

#1 Updated by Davide Principi over 7 years ago

  • Due date set to 11/29/2013
  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • Start date set to 11/29/2013
  • % Done changed from 20 to 30
  • Estimated time set to 2.00

Solution:
add an initkeytabs command to smbads and invoke it from the service *-update event.

#2 Updated by Davide Principi over 7 years ago

  • Subject changed from Keytab is missing for new service to Kerberos keytab file is missing for new services
  • Description updated (diff)

#3 Updated by Davide Principi over 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

MODIFIED

Test case
Check if the service keytab file exists, if nethserver-directory or nethserver-squid are installed AFTER AD join.

  • /var/lib/dovecot/krb5.keytab
  • /var/lib/misc/nsrv-squid.keytab
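
The test case in comment #3 as an added shell example (not part of the issue or of NethServer's code). It checks the two keytab paths listed above; the header and permission checks and the function names `check_keytab` and `check_all` are assumptions added here.

```shell
#!/bin/sh
# Added example: verify the service keytabs named in the test case.
# Paths come from the issue; the header and mode checks are assumptions
# added here, not part of the original test case.

KEYTABS="/var/lib/dovecot/krb5.keytab /var/lib/misc/nsrv-squid.keytab"

# check_keytab PATH: print a status line and return 0 only if PATH is a
# regular, non-empty file with a keytab version header and no permission
# bits set for "other".
check_keytab() {
    kt=$1
    if [ ! -f "$kt" ]; then
        echo "MISSING  $kt"; return 1
    fi
    if [ ! -s "$kt" ]; then
        echo "EMPTY    $kt"; return 2
    fi
    # The first two bytes of a keytab are the format version: 05 02 (or 05 01).
    magic=$(od -An -tx1 -N2 "$kt" | tr -d ' \n')
    case $magic in
        0502|0501) ;;
        *) echo "BADFMT   $kt (header $magic)"; return 3 ;;
    esac
    # A keytab holds long-term service keys; access for "other" is a finding.
    mode=$(stat -c %a "$kt")
    case $mode in
        *[1-7]) echo "EXPOSED  $kt (mode $mode)"; return 4 ;;
    esac
    echo "OK       $kt (mode $mode)"
    return 0
}

# check_all PATH...: check every path, return 1 if any check failed.
check_all() {
    rc=0
    for kt in "$@"; do
        check_keytab "$kt" || rc=1
    done
    return $rc
}

# Pass --run to check the paths from the issue on the installed system.
if [ "${1:-}" = "--run" ]; then
    check_all $KEYTABS
fi
```

On a host where a file passes, `klist -k <path>` lists the principals stored in it.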

#4 Updated by Davide Principi over 7 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-mail-server-1.4.6-8.0git50d9f67b.ns6.noarch.rpm
nethserver-samba-1.3.6-4.0git0af6fbfa.ns6.noarch.rpm

#5 Updated by Giacomo Sanchietti over 7 years ago

  • Assignee set to Giacomo Sanchietti

#6 Updated by Giacomo Sanchietti over 7 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

Both files are present and correctly generated by smbads command.

Marking as VERIFIED.

#7 Updated by Davide Principi over 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-samba-1.4.0-1.ns6.noarch.rpm
nethserver-directory-1.3.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.1.0-1.ns6.noarch.rpm
nethserver-shorewall-1.0.3-1.ns6.noarch.rpm
nethserver-mail-server-1.5.0-1.ns6.noarch.rpm
nethserver-mail-filter-1.1.4-1.ns6.noarch.rpm
nethserver-nethgui-1.3.0-1.ns6.noarch.rpm
nethserver-base-1.5.0-1.ns6.noarch.rpm
nethserver-lib-1.4.0-1.ns6.noarch.rpm
nethserver-httpd-admin-1.1.0-1.ns6.noarch.rpm
nethserver-yum-1.2.0-1.ns6.noarch.rpm
nethserver-ntopng-1.1.0-1.ns6.noarch.rpm
