cloudera-ps / prereq-checks

Prerequisites checker for Cloudera Manager and CDP PVC Base installations
GNU General Public License v3.0

Check if AD is patched with SPN alias uniqueness check that breaks CM SPN creation #143

Closed melvin-koh closed 2 years ago

melvin-koh commented 2 years ago

Simulate the generation of two SPN aliases for the same host to check if Active Directory has the update KB5008382 for CVE-2021-42282 installed. E.g.

  1. create SPN "host/randomhost@test.com"
  2. create SPN "HTTP/randomhost@test.com"

Before the patch, the above should complete successfully. If the patch is installed, step 2 will fail with a constraint violation error.
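A sketch of the two-step probe described in the comment above, added here as an example; it is not part of the issue thread or of prereq-checks. It assumes the OpenLDAP client tools (which exit with the LDAP result code), a bind account allowed to create and delete users in a throwaway container, one probe account per SPN, and SPN attribute values written without the realm suffix; the function names, account names and container DN are hypothetical.

```shell
#!/bin/sh
# Added example (not prereq-checks code). All names below are assumptions.

# Emit LDIF that adds one throwaway account carrying a single SPN.
probe_ldif() {  # $1=account CN  $2=service class  $3=host label  $4=container DN
  printf 'dn: CN=%s,%s\n' "$1" "$4"
  printf 'changetype: add\nobjectClass: user\n'
  printf 'sAMAccountName: %s\n' "$1"
  printf 'servicePrincipalName: %s/%s\n\n' "$2" "$3"
}

# Turn the exit codes of step 1 and step 2 into a verdict.
# 19 is the LDAP result code constraintViolation (RFC 4511).
classify_probe() {  # $1=exit code of step 1  $2=exit code of step 2
  if [ "$1" -ne 0 ]; then echo "inconclusive"; return 2; fi
  case "$2" in
    0)  echo "unpatched" ;;   # both SPNs accepted: no alias uniqueness check
    19) echo "patched" ;;     # second SPN rejected as a constraint violation
    *)  echo "inconclusive"; return 2 ;;  # bind, ACL or naming problem
  esac
}

# Run both steps, always remove the probe accounts, print the verdict.
run_probe() (  # $1=LDAP URI  $2=bind DN  $3=password file  $4=container DN
  host="prqchk$$"; rc1=0; rc2=0
  probe_ldif "${host}-a" host "$host" "$4" |
    ldapmodify -x -H "$1" -D "$2" -y "$3" >/dev/null 2>&1 || rc1=$?
  probe_ldif "${host}-b" HTTP "$host" "$4" |
    ldapmodify -x -H "$1" -D "$2" -y "$3" >/dev/null 2>&1 || rc2=$?
  for suffix in a b; do
    ldapdelete -x -H "$1" -D "$2" -y "$3" "CN=${host}-${suffix},$4" \
      >/dev/null 2>&1 || true
  done
  classify_probe "$rc1" "$rc2"
)

# Only touches a directory when all four arguments are supplied.
if [ "$#" -eq 4 ]; then run_probe "$@"; fi
```

Any step 2 result other than 0 or 19 is reported as inconclusive rather than as "patched", so a permissions or connectivity failure is not mistaken for the uniqueness check.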

melvin-koh commented 2 years ago

For reference: Microsoft KB5008382 - https://prod.support.services.microsoft.com/en-us/topic/kb5008382-verification-of-uniqueness-for-user-principal-name-service-principal-name-and-the-service-principal-name-alias-cve-2021-42282-4651b175-290c-4e59-8fcb-e4e5cd0cdb29

Cloudera TSB544 - https://my.cloudera.com/knowledge/Cloudera-Customer-Advisory-544-Microsoft-AD-November-2021?id=331852

melvin-koh commented 2 years ago

Before KB5008382 patch: image

After KB5008382 patch: image