[Samba] [Samba 4.0] Floating KVNO
abartlet at samba.org
Fri Feb 15 14:45:32 MST 2013
On Fri, 2013-02-15 at 10:22 +0100, Kaito Kumashiro wrote:
> On Fri, Feb 15, 2013 at 2:26 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> > > I'm using Samba 4.0.1 also to authenticate users via Kerberos. Once in a
> > > while however I have to regenerate a keytab, because for reasons unknown
> > > to me, the KVNO is increased by one. I'm not doing anything with an account
> > > the SPN is bound to. The KVNO seems to change automagically after a few
> > > days and the service cannot talk to the KDC unless I create a new keytab.
> > >
> > > What can cause the KVNO (and probably the keys) to change automagically?
> > > Is there a way to disable this?
> > In AD, the KVNO is based on the replication metadata, specifically the
> > version number for the unicodePwd attribute. It should only change if
> > that attribute is changed.
> > What is the client in this case?
> I'm 100% positive the account with SPN has not been changed in any way by
> me or my co-workers. It's a computer account (CN=Computers), so I don't see
> a way any client could reset the password.
> On the other side is Postgres 9.2.2 (with GSSAPI). For example, yesterday
> it asked me politely to go away, because KDC returned KVNO 18 (what was
> shown in an error message) and keytab had KVNO 17 (what I confirmed with
Do you have more than one DC? Are you sure they are replicating
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
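A diagnostic for the mismatch discussed in this thread, added here as an example and not part of the original mail: it reads the account's msDS-ReplAttributeMetaData values (the per-attribute replication metadata the KVNO is derived from) alongside the service keytab listing, and names the DC that originated the last unicodePwd change so replication between DCs can be checked. The XML values and the `klist -k` output are constructed samples; in practice they come from an LDAP search against the DC and from MIT `klist -k`.

```python
"""Compare an AD account's unicodePwd version (the KVNO the KDC reports)
with the KVNO stored in a service keytab."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: msDS-ReplAttributeMetaData values for the computer
# account, in the XML form a DC returns (one value per attribute).
REPL_METADATA = [
    "<DS_REPL_ATTR_META_DATA><pszAttributeName>unicodePwd</pszAttributeName>"
    "<dwVersion>18</dwVersion>"
    "<ftimeLastOriginatingChange>2013-02-14T03:12:09Z</ftimeLastOriginatingChange>"
    "<pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC2,CN=Servers,"
    "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
    "</pszLastOriginatingDsaDN></DS_REPL_ATTR_META_DATA>",
    "<DS_REPL_ATTR_META_DATA><pszAttributeName>servicePrincipalName"
    "</pszAttributeName><dwVersion>3</dwVersion></DS_REPL_ATTR_META_DATA>",
]

# Constructed sample of MIT `klist -k` output for the Postgres keytab.
KLIST_OUTPUT = """Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  17 postgres/db.example.com@EXAMPLE.COM
"""

def password_version(metadata):
    """Return (dwVersion, originating DSA DN, change time) for unicodePwd."""
    for value in metadata:
        node = ET.fromstring(value)
        if node.findtext("pszAttributeName") == "unicodePwd":
            return (int(node.findtext("dwVersion")),
                    node.findtext("pszLastOriginatingDsaDN"),
                    node.findtext("ftimeLastOriginatingChange"))
    raise ValueError("no unicodePwd metadata for this account")

def keytab_kvnos(klist_text):
    """Map principal -> highest KVNO present in the keytab listing."""
    kvnos = {}
    for m in re.finditer(r"^\s*(\d+)\s+(\S+)$", klist_text, re.M):
        kvno, principal = int(m.group(1)), m.group(2)
        kvnos[principal] = max(kvno, kvnos.get(principal, 0))
    return kvnos

def diagnose(metadata, klist_text, principal):
    """Report whether the keytab is current and, if not, which DC last
    changed the password (a multi-DC replication problem shows up here)."""
    dc_version, dsa, when = password_version(metadata)
    kt_version = keytab_kvnos(klist_text).get(principal)
    if kt_version is None:
        return f"{principal} missing from keytab"
    if kt_version == dc_version:
        return f"OK: keytab KVNO {kt_version} matches unicodePwd version"
    return (f"MISMATCH: keytab KVNO {kt_version}, DC KVNO {dc_version}; "
            f"password last changed {when} on {dsa}")
```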