[Samba] [Samba 4.0] Floating KVNO

Kaito Kumashiro kumashiro.kaito at gmail.com
Fri Feb 15 02:22:04 MST 2013

On Fri, Feb 15, 2013 at 2:26 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> > I'm using Samba 4.0.1 also to authenticate users via Kerberos. Once in a
> > while however I have to regenerate a keytab, because for reasons unknown
> to
> > me, the KVNO is increased by one. I'm not doing anything with an account
> > the SPN is bound to. The KVNO seems to change automagically after few
> days
> > and service cannot talk to the KDC unless I create a new keytab.
> >
> > What can cause the KVNO (and probably the keys) to change automagically?
> Is
> > there a way to disable this?
> In AD, the KVNO is based on the replication metatdata, specifically the
> version number for the unicodePwd attribute.  It should only change if
> that attribute is changed.
> What is the client in this case?
I'm 100% positive the account with SPN has not been changed in any way by
me or my co-workers. It's a computer account (CN=Computers), so I don't see
a way any client could reset the password.

On the other side is Postgres 9.2.2 (with GSSAPI). For example, yesterday
it asked me politely to go away, because KDC returned KVNO 18 (what was
shown in an error message) and keytab had KVNO 17 (what I confirmed with


More information about the samba mailing list