SPN key kvno increasing once a week

David Mansfield samba at dm.cobite.com
Mon May 20 18:28:21 MDT 2013


On 05/20/2013 07:08 PM, Andrew Bartlett wrote:
> On Mon, 2013-05-20 at 13:57 -0400, David Mansfield wrote:
>> Hi All:
>>
>> I have a number of samba3 and samba4 based winbind clients (centos 6 and
>> Fedora 18 respectively, BTW) connecting to a compiled-by-hand samba4 DC
>> running on centos6. The exported keytab for an SPN we use for apache is
>> becoming invalid every week due to a bump in the kvno for the SPN
>> "HTTP/myhost.domain.com".  This also affects the
>> "host/myhost.domain.com" SPN key and probably all of the SPN keys for
>> that host.  I can see from google that this is not a "new" problem, but
>> nowhere is there a note of the resolution.
>>
>> The winbind operation is unaffected (and is probably causing this
>> problem) - its internal keytab must be getting refreshed (or it's not
>> using a keytab or something).
>>
>> I have not modified/set "kerberos method" in smb.conf from the defaults,
>> but I do have "winbind refresh tickets = true" on.
>>
>> Can anyone tell me:
>>
>> 1) why is kvno getting bumped every week, who is responsible (client or
>> server), can it be configured and/or disabled?
>>
>> 2) if I can't fix #1, can I force winbind to create multiple keytabs all
>> over my filesystem and be sure to chown and set selinux context for me?
>
> It might be best to allocate these services that you want to use a
> different keytab for their own principals.  If you are giving them
> different levels of privilege on your server, then they each need a
> different account, as otherwise one could compromise the other by
> creation of fake tickets (because they all know the secret key).
>

(BTW, all the SPNs are added to the machine account where the service is 
running, is that not normal procedure?)


Yes, that's what I have: the HTTP/myhost.domain.com goes in 
/etc/httpd/conf/krb5.keytab (owned by apache), the imap/host.domain.com 
goes in /etc/krb5.keytab.cyrus (owned by cyrus), the 
smtp/myhost.domain.com goes in /etc/postfix/krb5.keytab (owned by 
postfix).  And all of them become invalid the moment winbind changes the 
machine password.

I've researched a bit more and discovered that #1 is definitely a 
winbind client changing the password issue.  But I don't understand why 
(not a kerb. guru) changing the password causes all the SPN keys to be 
regenerated, but it's probably a standard thing.

So I'm left with either stopping winbind from changing the machine 
password or figuring out a keytab distribution system...  Yuk.


> Andrew Bartlett
>
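Seen from the defender's side, the mechanism in this thread is simple: every SPN registered on one machine account shares that account's secret (Andrew's point above), so when winbind rotates the machine password the KDC moves the account to a new kvno and starts issuing service tickets under the new key, and every keytab exported before the rotation goes stale at once. The weekly cadence matches Samba's default `machine password timeout` of 604800 seconds. The following Python is an added example, not code from the thread or from Samba: it parses constructed samples in the format of MIT Kerberos `klist -ke` and `kvno` output and reports principals whose keytab kvno lags the KDC's current kvno, which is the check to run (for instance from cron) before the apache, cyrus and postfix keytabs start failing. The realm DOMAIN.COM and the kvno values are assumptions; the keytab path is the one from the post.

```python
"""Check exported service keytabs against the KDC's current kvno.

Added example for this thread (not Samba code). The samples below are
constructed to look like MIT Kerberos `klist -ke` and `kvno` output; the realm
DOMAIN.COM and the kvno values are assumptions.
"""
import re
import subprocess

# Constructed: what `klist -ke /etc/httpd/conf/krb5.keytab` might print for a
# keytab exported before winbind rotated the machine account password.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/httpd/conf/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/myhost.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 HTTP/myhost.domain.com@DOMAIN.COM (arcfour-hmac)
"""

# Constructed: what `kvno HTTP/myhost.domain.com` prints once the KDC has
# moved the machine account (and therefore every SPN on it) to kvno 4.
SAMPLE_KVNO = "HTTP/myhost.domain.com@DOMAIN.COM: kvno = 4\n"

# klist entry: leading kvno, then the principal; the "(enctype)" tail is ignored.
_KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)")
# kvno tool output: "principal: kvno = N"
_KVNO_LINE = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)")


def parse_keytab_listing(text):
    """Map each principal in `klist -ke` output to the highest kvno stored for it."""
    kvnos = {}
    for line in text.splitlines():
        m = _KLIST_LINE.match(line)
        if not m:  # header, separator or blank line
            continue
        kvno, principal = int(m.group(1)), m.group(2)
        kvnos[principal] = max(kvno, kvnos.get(principal, 0))
    return kvnos


def parse_kvno_output(text):
    """Map each principal in `kvno` output to the kvno the KDC currently uses."""
    result = {}
    for line in text.splitlines():
        m = _KVNO_LINE.match(line)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def find_stale(keytab_kvnos, kdc_kvnos):
    """Return (principal, keytab_kvno, kdc_kvno) for each keytab entry lagging the KDC."""
    stale = []
    for principal, current in sorted(kdc_kvnos.items()):
        stored = keytab_kvnos.get(principal)
        if stored is not None and stored < current:
            stale.append((principal, stored, current))
    return stale


def check_keytab(keytab_path, principals):
    """Live variant: run klist and kvno for real (kvno needs a valid ticket cache)."""
    listing = subprocess.run(["klist", "-ke", keytab_path],
                             capture_output=True, text=True, check=True).stdout
    current = subprocess.run(["kvno"] + list(principals),
                             capture_output=True, text=True, check=True).stdout
    return find_stale(parse_keytab_listing(listing), parse_kvno_output(current))


if __name__ == "__main__":
    stale_entries = find_stale(parse_keytab_listing(SAMPLE_KLIST),
                               parse_kvno_output(SAMPLE_KVNO))
    for principal, stored, current in stale_entries:
        print(f"STALE: {principal} keytab kvno {stored} < KDC kvno {current}; "
              f"re-export this keytab")
```

A non-empty result from `find_stale` is the moment to re-export the affected keytab (and re-apply the owner and SELinux context the post worries about); a keytab whose kvno equals the KDC's is still good, so the check is cheap enough to run daily rather than waiting for the service to fail.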



More information about the samba-technical mailing list