SPN key kvno increasing once a week

Denis Cardon denis.cardon at tranquil-it-systems.fr
Tue May 21 02:03:17 MDT 2013


Hi Mathieu,

>>>> I have a number of samba3 and samba4 based winbind clients (centos 6
>>>> and
>>>> Fedora 18 respectively, BTW)  connecting to a compiled-by-hand
>>>> samba4 DC
>>>> running on centos6. The exported keytab for an SPN we use for apache is
>>>> becoming invalid every week due to  a bump in the kvno for the SPN
>>>> "HTTP/myhost.domain.com".  This also affects the
>>>> "host/myhost.domain.com" SPN key and probably all of the SPN keys for
>>>> that host.  I can see from google that this is not a "new" problem, but
>>>> nowhere is there a note of the resolution.
>>>>
>>>> The winbind operation is unaffected (and is probably causing this
>>>> problem) - its internal keytab must be getting refreshed (or it's not
>>>> using a keytab or something).
>>>>
>>>> I have not modified/set "kerberos method" in smb.conf from the
>>>> defaults,
>>>> but I do have "winbind refresh tickets = true" on.
>>>>
>>>> Can anyone tell me:
>>>>
>>>> 1) why is kvno getting bumped every week, who is responsible (client or
>>>> server), can it be configured and/or disabled?
>>>>
>>>> 2) if I can't fix #1, can I force winbind to create multiple keytabs
>>>> all
>>>> over my filesystem and be sure to chown and set selinux context for me?
>>>
>>> It might be best to allocate these services that you want to use a
>>> different keytab for their own principals.  If you are giving them
>>> different levels of privilege on your server, then they each need a
>>> different account, as otherwise one could compromise the other by
>>> creation of fake tickets (because they all know the secret key).
>>>
>>
>> (BTW, all the SPN are added to the machine account where the service
>> is running, is that not normal procedure?)
>>
>>
>> Yes, that's what I have: the HTTP/myhost.domain.com goes in
>> /etc/httpd/conf/krb5.keytab (owned by apache), the
>> imap/host.domain.com goes in /etc/krb5.keytab.cyrus (owned by cyrus),
>> the smtp/myhost.domain.com goes in /etc/postfix/krb5.keytab (owned by
>> postfix).  And all of them become invalid the moment winbind changes
>> the machine password.
>>
>> I've researched a bit more and discovered that #1 is definitely a
>> winbind client changing the password issue.  But I don't understand
>> why (not a kerb. guru) changing the password causes all the SPN keys
>> to be regenerated, but it's probably a standard thing.
>>
>> So I'm left with either stopping winbind from changing the machine
>> password or figuring out a keytab distribution system...  Yuk.
>>
> By default winbindd changes the password when it's about to expire for
> the account of the machine. Have you looked at the net commands to
> generate the keytab out of the password of the machine account of Samba?

Could you elaborate on that one? I have the same issue as David. I had 
some partial success with k5start (or krenew, I don't remember), but I 
am not very happy with the solution.

The "net ads keytab add HTTP" works fine, but I get everything in the 
same keytab file. And I'd like to use the machine account rather than 
another generic one.

Thanks,

Denis


>
> Matthieu
>


-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
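An added check for the symptom discussed in this thread (example code, not from the thread or from Samba): it compares the kvno recorded in a service keytab with the kvno the DC currently issues, so a keytab invalidated by winbind's machine-password change is caught before the service breaks. It assumes MIT Kerberos `klist` and `kvno` on PATH; the keytab path, principal and realm are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: detect a service keytab
# whose key version (kvno) no longer matches what the DC issues, which is
# what happens to the exported HTTP/ keytab once winbind rotates the
# machine password. Assumes MIT Kerberos `klist` and `kvno` on PATH;
# paths, principal and realm below are placeholders.

# Highest kvno stored for principal $2 (without realm) in $1, the text of
# `klist -k KEYTAB` (works with or without -t; header lines are skipped).
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && index($NF, p "@") == 1 && ($1 + 0) > max { max = $1 + 0 }
        END { print max + 0 }'
}

# kvno the KDC issues now, from $1, the text of `kvno PRINCIPAL`
# (a line like "HTTP/myhost.domain.com@DOMAIN.COM: kvno = 4").
# Prints nothing if the lookup failed (e.g. no TGT in the credential cache).
kdc_kvno() {
    printf '%s\n' "$1" | awk -F'kvno = ' '/kvno = /{ print $2 + 0; exit }'
}

# keytab_is_stale KLIST_TEXT KVNO_TEXT PRINCIPAL
# 0 = stale (versions differ), 1 = still valid, 2 = DC kvno unknown.
keytab_is_stale() {
    kt=$(keytab_kvno "$1" "$3")
    dc=$(kdc_kvno "$2")
    [ -n "$dc" ] || return 2
    [ "$kt" -ne "$dc" ]
}

# check_service_keytab KEYTAB PRINCIPAL: the live check, skipped when the
# Kerberos tools are absent. `kvno` needs a valid TGT in the default cache.
check_service_keytab() {
    command -v klist >/dev/null 2>&1 && command -v kvno >/dev/null 2>&1 || return 0
    keytab_is_stale "$(klist -k "$1")" "$(kvno "$2" 2>&1)" "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "$1: kvno drift for $2, re-export it from the machine account" >&2; return 1 ;;
        2) echo "$1: could not query kvno for $2 (no TGT?)" >&2; return 2 ;;
        *) return 0 ;;
    esac
}

# Example invocation for the apache keytab named in the thread:
# check_service_keytab /etc/httpd/conf/krb5.keytab HTTP/myhost.domain.com
```

Run it from cron after the machine-password change window; a non-zero exit means the service keytab must be re-exported (e.g. with `net ads keytab add HTTP`) and its ownership restored.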
