SPN key kvno increasing once a week

Andrew Bartlett abartlet at samba.org
Mon May 20 18:55:16 MDT 2013 

On Mon, 2013-05-20 at 20:28 -0400, David Mansfield wrote:
> On 05/20/2013 07:08 PM, Andrew Bartlett wrote:
> > On Mon, 2013-05-20 at 13:57 -0400, David Mansfield wrote:
> >> Hi All:
> >>
> >> I have a number of samba3 and samba4 based winbind clients (centos 6 and
> >> Fedora 18 respectively, BTW)  connecting to a compiled-by-hand samba4 DC
> >> running on centos6. The exported keytab for an SPN we use for apache is
> >> becoming invalid every week due to  a bump in the kvno for the SPN
> >> "HTTP/myhost.domain.com".  This also affects the
> >> "host/myhost.domain.com" SPN key and probably all of the SPN keys for
> >> that host.  I can see from google that this is not a "new" problem, but
> >> nowhere is there a note of the resolution.
> >>
> >> The winbind operation is unaffected (and is probably causing this
> >> problem) - it's internal keytab must be getting refreshed (or it's not
> >> using a keytab or something).
> >>
> >> I have not modified/set "kerberos method" in smb.conf from the defaults,
> >> but I do have "winbind refresh tickets = true" on.
> >>
> >> Can anyone tell me:
> >>
> >> 1) why is kvno getting bumped every week, who is responsible (client or
> >> server), can it be configured and/or disabled?
> >>
> >> 2) if I can't fix #1, can I force winbind to create multiple keytabs all
> >> over my filesystem and be sure to chown and set selinux context for me?
> >
> > It might be best to allocate these services that you want to use a
> > different keytab for their own principals.  If you are giving them
> > different levels of privilege on your server, then they each need a
> > different account, as otherwise one could compromise the other by
> > creation of fake tickets (because they all know the secret key).
> >
> 
> (BTW, all the SPN are added to the machine account where the service is 
> running, is that not normal procedure?)

It is, as long as all the services you are protecting are of the same
privilege level. 

> Yes, that's what I have: the HTTP/myhost.domain.com goes in 
> /etc/httpd/conf/krb5.keytab (owned by apache), the imap/host.domain.com 
> goes in /etc/krb5.keytab.cyrus (owned by cyrus), the 
> smtp/myhost.domain.com goes in /etc/postfix/krb5.keytab (owned by 
> postfix).  And all of them become invalid the moment winbind changes the 
> machine password.

Indeed.

> I've researched a bit more and discovered that #1 is definitely a 
> winbind client changing the password issue.  But I don't understand why 
> (not a kerb. guru) changing the password causes all the SPN keys 
> regenerated, but it's probably a standard thing.

It is - there is no such thing as SPN keys, they all share the same key,
that is the domain member account password that winbind is changing. 

> So I'm left with either stopping winbind from changing the machine 
> password or figuring out a keytab distribution system...  Yuk.

Or pointing all the services at the same keytab.  My point is that if
this is not desired (because you want privilege separation on your
system, quite reasonably) that you actually need to have a different
account per service, as otherwise they are equivalent to each other.  

Sadly kerberos is a private-key based system, not a public-key based
system, so any service that has access to decrypt incoming tickets can
also encrypt a new fake ticket in any name, real or imagined, including
(say) root or a privileged user. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list