Loading...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Critical
Fix Version/s: rhel-9.6
Affects Version/s: rhel-9.0.0
Component/s: samba
Labels:

Fixed in Build:
samba-4.21.1-4.el9

Pool Team:

rhel-sst-idm-sssd
Sub-System Group:

ssg_idm

Story Points:
1
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/141068
Test Coverage:

RegressionOnly

Release Note Type:
If docs needed, set a value

Experience:
Architecture:

Unspecified
Bugzilla Bug:
RHBZ: 1905927

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Description of problem:
Current, when automatically updating the machine account password winbind only add the new password to the secrets.tdb but does not update the Kerberos keys in the keytab which are derived from the machine account password. As a result, after the update the keytab entries can neither be used for authentication nor to uncrypt and verify server tickets.

If 'kerberos method = secrets and keytab' (and maybe for 'system keytab' or 'dedicated keytab' as well?) winbind should create new entries in the keytab with updated KVNO and new hashes derived from the new machine account password.

Upstream ticket: https://bugzilla.samba.org/show_bug.cgi?id=6750

blocks

RHEL-2213 net offlinejoin requestodj segfaults when kerberos method = secrets and keytab