SPN key kvno increasing once a week

David Mansfield samba at dm.cobite.com
Mon May 20 11:57:01 MDT 2013


Hi All:

I have a number of samba3 and samba4 based winbind clients (centos 6 and 
Fedora 18 respectively, BTW)  connecting to a compiled-by-hand samba4 DC 
running on centos6. The exported keytab for an SPN we use for apache is 
becoming invalid every week due to  a bump in the kvno for the SPN 
"HTTP/myhost.domain.com".  This also affects the 
"host/myhost.domain.com" SPN key and probably all of the SPN keys for 
that host.  I can see from google that this is not a "new" problem, but 
nowhere is there a note of the resolution.

The winbind operation is unaffected (and is probably causing this 
problem) - it's internal keytab must be getting refreshed (or it's not 
using a keytab or something).

I have not modified/set "kerberos method" in smb.conf from the defaults, 
but I do have "winbind refresh tickets = true" on.

Can anyone tell me:

1) why is kvno getting bumped every week, who is responsible (client or 
server), can it be configured and/or disabled?

2) if I can't fix #1, can I force winbind to create multiple keytabs all 
over my filesystem and be sure to chown and set selinux context for me?

-- 
Thanks,
David Mansfield
Cobite, INC.



More information about the samba-technical mailing list