Bug 472810

Summary: adding to keytab erases password
Product: Red Hat Enterprise Linux 5
Reporter: Petr Sklenar <psklenar>
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: medium
Version: 5.4
CC: jplans
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-11-24 19:43:49 UTC

Description Petr Sklenar 2008-11-24 19:16:53 UTC
Description of problem:
Create a password for the user with ank -pw $rootpass host/test.$domain
Then adding it to the keytab erases the password.

Version-Release number of selected component (if applicable):
# rpm -qa krb5-*
krb5-server-ldap-1.6.1-26.el5ipa
krb5-libs-1.6.1-30.el5
krb5-workstation-1.6.1-30.el5
krb5-auth-dialog-0.7-1
krb5-server-1.6.1-30.el5
krb5-libs-1.6.1-30.el5


How reproducible:
always

Steps to Reproduce:


kdb5_util create -s -P $kdcpass

echo "Starting services"
service kadmin start
service krb5kdc start

echo "Creating user $user credentials"
kadmin.local -q "addprinc -pw $rootpass root/admin"
kadmin.local -q "addprinc -randkey host/$host"

kadmin.local -q "ktadd host/$host"
useradd $user
echo $syspass | passwd --stdin $user
kadmin.local -q "addprinc -pw $krbpass $user"

echo $syspass | kinit $user
kadmin.local -q "ank -randkey DNS/`hostname`"
kadmin.local -q "ktadd DNS/`hostname`"

kadmin.local -q "ank -pw $rootpass host/test.$domain"

kadmin.local -q "ktadd host/test.$domain"
^ When I do "ktadd", the password is erased and I have to set up the password manually; I cannot connect after this command with "kinit client".

kinit host/test.$domain
## I enter $rootpass here


Actual results:
The password is incorrect once the record is added to the keytab. I cannot connect with kinit host/test.$domain

Expected results:
password is not erased

Additional info:
Without the line kadmin.local -q "ktadd host/test.$domain" everything works as I expected and the password is $rootpass.

Comment 1 Nalin Dahyabhai 2008-11-24 19:43:49 UTC
That's how kadmin's "ktadd" command works -- it generates a new randomized key for the principal, sets it on the KDC (note: the key is sent from the client to the KDC, never the other way), and then stores a copy in the indicated keytab.  To get the result you're expecting, you need to use ktutil's "addent" command instead.
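
Added example (not part of the original comment and not krb5 project code): the ktutil "addent" route from Comment 1 in shell, writing a password-derived key into a keytab so the principal is not rekeyed. The realm, host name, sample key listing and function names are constructed; it assumes it runs on the KDC host, that ktutil reads the password from standard input, and that the chosen enctype and default salt match the key stored on the KDC.

```shell
#!/bin/sh
# Added example: build a keytab entry from the existing password instead of
# letting "ktadd" replace the principal's key with a random one.

# Constructed sample of "getprinc" output, trimmed to the lines parsed below.
SAMPLE_GETPRINC='Principal: host/test.example.com@EXAMPLE.COM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 3, des3-cbc-sha1, no salt'

# Print the highest key version number in "getprinc" output read from stdin.
# The keytab entry must carry the same kvno as the KDC, or the KDC's tickets
# will not match the key in the keytab.
current_kvno() {
    sed -n 's/^Key: vno \([0-9][0-9]*\),.*/\1/p' | sort -n | tail -n 1
}

# Emit the ktutil command stream. "addent -password" prompts for the password,
# so the password is the line directly after the addent command.
# args: principal kvno enctype password keytab
ktutil_input() {
    printf 'addent -password -p %s -k %s -e %s\n%s\nwkt %s\nquit\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Look up the current kvno with kadmin.local, then write the keytab.
# printf is a shell builtin, so the password never appears in a process
# argument list; umask 077 keeps the new keytab readable by its owner only.
# args: principal enctype password keytab
keytab_from_password() {
    kvno=$(kadmin.local -q "getprinc $1" | current_kvno)
    [ -n "$kvno" ] || { echo "no keys found for $1" >&2; return 1; }
    ( umask 077; ktutil_input "$1" "$kvno" "$2" "$3" "$4" | ktutil >/dev/null )
}
```

After writing the keytab, `klist -k -e` on the file shows the stored kvno and enctype for comparison with the `getprinc` listing.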

Comment 2 Petr Sklenar 2008-11-24 19:57:28 UTC
OK, thanks much for the explanation.