SPN key kvno increasing once a week
David Mansfield
samba at dm.cobite.com
Mon May 20 18:28:21 MDT 2013
On 05/20/2013 07:08 PM, Andrew Bartlett wrote:
> On Mon, 2013-05-20 at 13:57 -0400, David Mansfield wrote:
>> Hi All:
>>
>> I have a number of samba3 and samba4 based winbind clients (centos 6 and
>> Fedora 18 respectively, BTW) connecting to a compiled-by-hand samba4 DC
>> running on centos6. The exported keytab for an SPN we use for apache is
>> becoming invalid every week due to a bump in the kvno for the SPN
>> "HTTP/myhost.domain.com". This also affects the
>> "host/myhost.domain.com" SPN key and probably all of the SPN keys for
>> that host. I can see from google that this is not a "new" problem, but
>> nowhere is there a note of the resolution.
>>
>> The winbind operation is unaffected (and is probably causing this
>> problem) - its internal keytab must be getting refreshed (or it's not
>> using a keytab or something).
>>
>> I have not modified/set "kerberos method" in smb.conf from the defaults,
>> but I do have "winbind refresh tickets = true" on.
>>
>> Can anyone tell me:
>>
>> 1) why is kvno getting bumped every week, who is responsible (client or
>> server), can it be configured and/or disabled?
>>
>> 2) if I can't fix #1, can I force winbind to create multiple keytabs all
>> over my filesystem and be sure to chown and set selinux context for me?
>
> It might be best to allocate these services that you want to use a
> different keytab for their own principals. If you are giving them
> different levels of privilege on your server, then they each need a
> different account, as otherwise one could compromise the other by
> creation of fake tickets (because they all know the secret key).
>
(BTW, all the SPNs are added to the machine account where the service is
running, is that not normal procedure?)
Yes, that's what I have: the HTTP/myhost.domain.com goes in
/etc/httpd/conf/krb5.keytab (owned by apache), the imap/host.domain.com
goes in /etc/krb5.keytab.cyrus (owned by cyrus), the
smtp/myhost.domain.com goes in /etc/postfix/krb5.keytab (owned by
postfix). And all of them become invalid the moment winbind changes the
machine password.
I've researched a bit more and discovered that #1 is definitely a
winbind client changing the password issue. But I don't understand why
(not a kerb. guru) changing the password causes all the SPN keys to be
regenerated, but it's probably a standard thing.
So I'm left with either stopping winbind from changing the machine
password or figuring out a keytab distribution system... Yuk.
> Andrew Bartlett
>
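Added example, not code from this thread or from Samba: a small parser for the MIT/Heimdal version-2 keytab format that reads each entry's principal and kvno and flags the ones that no longer match the account's current key version. The keytab bytes and the "current kvno" of 6 (standing in for msDS-KeyVersionNumber on the MYHOST$ account) are both constructed inline, as are the key bytes; nothing here talks to a DC.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"          # MIT/Heimdal keytab file format version 2
AES256_CTS_HMAC_SHA1_96 = 18        # enctype number from RFC 3962


def _counted(b: bytes) -> bytes:
    """Encode a keytab counted_octet_string: uint16 length + bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples into v2 keytab bytes.
    Used here only to construct a sample file in memory."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for component in components:
            body += _counted(component.encode())
        # name type 1 (KRB5_NT_PRINCIPAL), 32-bit timestamp, 8-bit vno
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(rec, off):
    (n,) = struct.unpack_from(">H", rec, off)
    off += 2
    return rec[off:off + n].decode(), off + n


def parse_keytab(data):
    """Return one dict per live keytab entry: principal, kvno, enctype, timestamp."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                             # negative size marks a deleted slot
            pos += -size
            continue
        rec = data[pos:pos + size]
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        off = 2
        realm, off = _read_counted(rec, off)
        components = []
        for _ in range(ncomp):
            comp, off = _read_counted(rec, off)
            components.append(comp)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", rec, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", rec, off)
        off += 4 + klen                          # skip the key material itself
        kvno = vno8
        if size - off >= 4:                      # optional 32-bit vno; 0 means "use vno8"
            (kvno32,) = struct.unpack_from(">I", rec, off)
            if kvno32:
                kvno = kvno32
        entries.append({
            "principal": "/".join(components) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "timestamp": timestamp,
        })
        pos += size
    return entries


def stale_principals(entries, account_kvno):
    """Principals whose key version no longer matches the account's current kvno.
    Every SPN on one AD account shares that account's kvno, so a machine password
    change strands every entry exported before it."""
    return [e["principal"] for e in entries if e["kvno"] != account_kvno]


# Constructed sample: two SPN keys exported at kvno 5, one re-exported at kvno 6.
# Key bytes are filler, not real key material.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/myhost.domain.com@DOMAIN.COM", 5, AES256_CTS_HMAC_SHA1_96, b"\x11" * 32, 1368400000),
    ("host/myhost.domain.com@DOMAIN.COM", 5, AES256_CTS_HMAC_SHA1_96, b"\x22" * 32, 1368400000),
    ("imap/myhost.domain.com@DOMAIN.COM", 6, AES256_CTS_HMAC_SHA1_96, b"\x33" * 32, 1369000000),
])
# Assumed value of msDS-KeyVersionNumber on MYHOST$ after winbind's weekly change.
CURRENT_ACCOUNT_KVNO = 6


if __name__ == "__main__":
    for p in stale_principals(parse_keytab(SAMPLE_KEYTAB), CURRENT_ACCOUNT_KVNO):
        print("stale:", p)
```

The point the check makes concrete: a kvno belongs to the account, not to the SPN, so every key exported from the machine account is invalidated at once when winbind rotates the machine password (the smb.conf "machine password timeout" default is 604800 seconds, which is the once-a-week in the subject line). Run against a real file (data = open("/etc/httpd/conf/krb5.keytab", "rb").read()) and compare with the kvno the DC reports for the account to see which per-service copies need re-exporting.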