[Samba] [Samba 4.0] Floating KVNO

Andrew Bartlett abartlet at samba.org
Thu Feb 14 18:26:39 MST 2013

On Thu, 2013-02-14 at 14:05 +0100, Kaito Kumashiro wrote:
> Hello
> I'm using Samba 4.0.1 also to authenticate users via Kerberos. Once in a
> while however I have to regenerate a keytab, because for reasons unknown to
> me, the KVNO is increased by one. I'm not doing anything with an account
> the SPN is bound to. The KVNO seems to change automagically after few days
> and service cannot talk to the KDC unless I create a new keytab.
> What can cause the KVNO (and probably the keys) to change automagically? Is
> there a way to disable this?

In AD, the KVNO is based on the replication metatdata, specifically the
version number for the unicodePwd attribute.  It should only change if
that attribute is changed.

What is the client in this case?

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list