SPN key kvno increasing once a week

Matthieu Patou mat at samba.org
Tue May 21 00:16:00 MDT 2013


On 05/20/2013 05:28 PM, David Mansfield wrote:
> On 05/20/2013 07:08 PM, Andrew Bartlett wrote:
>> On Mon, 2013-05-20 at 13:57 -0400, David Mansfield wrote:
>>> Hi All:
>>>
>>> I have a number of samba3 and samba4 based winbind clients (centos 6
>>> and Fedora 18 respectively, BTW) connecting to a compiled-by-hand
>>> samba4 DC running on centos6. The exported keytab for an SPN we use
>>> for apache is becoming invalid every week due to a bump in the kvno
>>> for the SPN "HTTP/myhost.domain.com". This also affects the
>>> "host/myhost.domain.com" SPN key and probably all of the SPN keys for
>>> that host. I can see from google that this is not a "new" problem, but
>>> nowhere is there a note of the resolution.
>>>
>>> The winbind operation is unaffected (and is probably causing this
>>> problem) - its internal keytab must be getting refreshed (or it's not
>>> using a keytab or something).
>>>
>>> I have not modified/set "kerberos method" in smb.conf from the
>>> defaults, but I do have "winbind refresh tickets = true" on.
>>>
>>> Can anyone tell me:
>>>
>>> 1) why is kvno getting bumped every week, who is responsible (client or
>>> server), can it be configured and/or disabled?
>>>
>>> 2) if I can't fix #1, can I force winbind to create multiple keytabs
>>> all over my filesystem and be sure to chown and set selinux context
>>> for me?
>>
>> It might be best to allocate these services that you want to use a
>> different keytab for their own principals.  If you are giving them
>> different levels of privilege on your server, then they each need a
>> different account, as otherwise one could compromise the other by
>> creation of fake tickets (because they all know the secret key).
>>
>
> (BTW, all the SPN are added to the machine account where the service 
> is running, is that not normal procedure?)
>
>
> Yes, that's what I have: the HTTP/myhost.domain.com goes in 
> /etc/httpd/conf/krb5.keytab (owned by apache), the 
> imap/host.domain.com goes in /etc/krb5.keytab.cyrus (owned by cyrus), 
> the smtp/myhost.domain.com goes in /etc/postfix/krb5.keytab (owned by 
> postfix).  And all of them become invalid the moment winbind changes 
> the machine password.
>
> I've researched a bit more and discovered that #1 is definitely a 
> winbind client changing the password issue.  But I don't understand 
> why (not a kerb. guru) changing the password causes all the SPN keys 
> to be regenerated, but it's probably a standard thing.
>
> So I'm left with either stopping winbind from changing the machine 
> password or figuring out a keytab distribution system...  Yuk.
>
By default winbindd changes the password when it's about to expire for 
the account of the machine. Have you looked at the net commands to 
generate the keytab out of the password of the machine account of Samba?

Matthieu

-- 
Matthieu Patou
Samba Team
http://samba.org
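As an added example (not code from this thread or from Samba itself): a small Python check that parses an exported keytab and lists the SPNs whose kvno lags the machine account's current kvno, which is exactly what happens to every SPN on that account once winbind rotates the machine password. It handles the MIT/Heimdal keytab file format version 0x0502; `current_kvno` is assumed to be obtained from the DC separately, and the sample keytab is constructed with all-zero dummy keys.

```python
import struct

def _octets(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)                # counted_octet_string:
    return data[pos + 2:pos + 2 + n], pos + 2 + n              # uint16 length, then bytes

def _parse_entry(data, p, end):
    (ncomp,) = struct.unpack_from(">H", data, p)
    realm, p = _octets(data, p + 2)
    comps = []
    for _ in range(ncomp):
        c, p = _octets(data, p)
        comps.append(c.decode())
    _ntype, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, p)
    p += 13 + klen                                  # step over the key bytes
    vno32 = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
    return "/".join(comps) + "@" + realm.decode(), enctype, vno32 or vno8

def parse_keytab(data):
    """Return [(principal, enctype, kvno)] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                                # negative size = deleted slot
            out.append(_parse_entry(data, pos, pos + size))
        pos += abs(size)
    return out

def stale_principals(data, current_kvno):
    """Principals whose newest keytab kvno is below the account's current kvno."""
    newest = {}
    for princ, _enc, kvno in parse_keytab(data):
        newest[princ] = max(newest.get(princ, 0), kvno)
    return sorted(p for p, k in newest.items() if k < current_kvno)

def build_entry(principal, kvno, enctype=18):
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(x)) + x for x in parts)
    body += struct.pack(">IIBHH", 1, 1369000000, kvno & 0xFF, enctype, 32)
    body += b"\0" * 32 + struct.pack(">I", kvno)    # all-zero dummy key, not a real secret
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_entry("HTTP/myhost.domain.com@DOMAIN.COM", 7),   # exported before the rotation
    build_entry("host/myhost.domain.com@DOMAIN.COM", 7),
    build_entry("host/myhost.domain.com@DOMAIN.COM", 8)])  # re-exported afterwards
```

Run `stale_principals(open("/etc/httpd/conf/krb5.keytab", "rb").read(), current_kvno)` against each service keytab to see which ones need re-exporting after a password change.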
