Vastool auth to keytab core dumps Segmentation Fault
When creating a new keytab, vastool passwd -k <path> always sets the KVNO in the keytab to 1 instead of the correct number.
Product Defect 25610
* vastool: When changing the password for a user that is not a service account
and saving the new password out to a keytab, the correct KVNO is now set in
the keytab.
The Key Version Number (KVNO) in the keytab file must match the msDS-KeyVersionNumber attribute of the service account.
The two commands below show 2 for KVNO and they match:
1 - /opt/quest/bin/vastool ktutil -k /etc/opt/quest/vas/sap.keytab list
/etc/opt/quest/vas/sap.keytab:
Vno Type Principal
2 aes128-cts-hmac-sha1-96 user-sap@I.TS.HAL.CA.QSFT
2 aes128-cts-hmac-sha1-96 sap/user.i.ts.hal.ca.qsft@I.TS.HAL.CA.QSFT
2 aes256-cts-hmac-sha1-96 user-sap@I.TS.HAL.CA.QSFT
2 aes256-cts-hmac-sha1-96 sap/user.i.ts.hal.ca.qsft@I.TS.HAL.CA.QSFT
2 arcfour-hmac-md5 user-sap@I.TS.HAL.CA.QSFT
2 arcfour-hmac-md5 sap/user.i.ts.hal.ca.qsft@I.TS.HAL.CA.QSFT
2 - /opt/quest/bin/vastool -u administrator attrs user-sap msDS-KeyVersionNumber
msDS-KeyVersionNumber: 2
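The comparison above can be scripted. The following is an added example, not One Identity's code: the function names are hypothetical, the parsing assumes the output layouts shown above, and a keytab is treated as matching when at least one entry for the principal carries the KVNO reported by the directory.

```shell
#!/bin/sh
# Added example: check that a keytab holds a key at the KVNO Active Directory reports.
# Inputs are the text outputs of the two commands shown above.

# Constructed sample data (trimmed from the listing above; KT_BAD mimics the defect).
KT_GOOD='/etc/opt/quest/vas/sap.keytab:
Vno Type Principal
2 aes128-cts-hmac-sha1-96 user-sap@I.TS.HAL.CA.QSFT
2 aes256-cts-hmac-sha1-96 user-sap@I.TS.HAL.CA.QSFT'
KT_BAD='/etc/opt/quest/vas/sap.keytab:
Vno Type Principal
1 aes128-cts-hmac-sha1-96 user-sap@I.TS.HAL.CA.QSFT
1 aes256-cts-hmac-sha1-96 user-sap@I.TS.HAL.CA.QSFT'
AD_OUT='msDS-KeyVersionNumber: 2'

# stdin: "vastool ktutil list" output; $1: principal. Prints distinct Vno values.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $3 == p { print $1 }' |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

# stdin: "vastool attrs <account> msDS-KeyVersionNumber" output. Prints the number.
ad_kvno() {
    awk '/^[ \t]*msDS-KeyVersionNumber:/ { print $NF; exit }'
}

# kvno_check <principal> <ktutil output> <attrs output>
# Returns 0 = match, 1 = mismatch, 2 = principal or attribute not found.
kvno_check() {
    kt=$(printf '%s\n' "$2" | keytab_kvnos "$1")
    ad=$(printf '%s\n' "$3" | ad_kvno)
    if [ -z "$kt" ] || [ -z "$ad" ]; then
        echo "UNKNOWN: $1 keytab=[$kt] AD=[$ad]"; return 2
    fi
    case " $kt " in
        *" $ad "*) echo "OK: $1 has a key at KVNO $ad"; return 0 ;;
    esac
    echo "MISMATCH: $1 keytab KVNO [$kt], AD KVNO $ad"; return 1
}

# Demo on the constructed samples. Against a live host, pass the real output:
#   kvno_check user-sap@I.TS.HAL.CA.QSFT \
#     "$(/opt/quest/bin/vastool ktutil -k /etc/opt/quest/vas/sap.keytab list)" \
#     "$(/opt/quest/bin/vastool -u administrator attrs user-sap msDS-KeyVersionNumber)"
kvno_check user-sap@I.TS.HAL.CA.QSFT "$KT_GOOD" "$AD_OUT" || true
kvno_check user-sap@I.TS.HAL.CA.QSFT "$KT_BAD" "$AD_OUT" || true
```

A MISMATCH result with keytab KVNO 1 is the symptom this defect produces.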
WORKAROUND 1:
Resetting the password for the keytab will sometimes set the KVNO to the correct value.
/opt/quest/bin/vastool -u <ADadmin> passwd -k <path to keytab file> <service account name>
For example:
/opt/quest/bin/vastool -u Administrator passwd -k /etc/opt/quest/vas/sap.keytab sap
STATUS: Fixed in QAS 4.0.3.88 and up
RESOLUTION:
Upgrade to the QAS 4.0.3 Maintenance Release
© 2024 One Identity LLC. ALL RIGHTS RESERVED.