[Samba] Strange KVNO updating

Matthieu Patou mat at samba.org
Thu Oct 2 19:48:56 MDT 2014

On 10/01/2014 10:25 PM, Bruno MACADRE wrote:
> Le 02/10/2014 00:07, Matthieu Patou a écrit :
>> Hi Bruno,
>> On 09/30/2014 11:12 PM, Bruno MACADRÉ wrote:
>>> Hi,
>>>     I'm working in an educational environment so I've some 
>>> obligations that complicate my work. For example in all rooms of 
>>> practical class all the workstations are in dual boot (Win7 + 
>>> XUbuntu 14.04). I've tried 2 solutions :
>>>         1- Setting the same hostname to both OS, joigning Win7 to AD 
>>> and using the created (by joining) keytab on linux side for sssd.
>>>         2- Setting different hostname to both OS, joigning Win7 to 
>>> AD and joigning linux to AD, using winbind for users and groups.
>>>     I've chosen the first one (may be it's not the better 
>>> choice....), but actually I'm facing a strange problem... some times 
>>> my keytab on the Samba4 server is updated (KVNO incremented) without 
>>> any human intervention.... so my sssd on linux side can't speak with 
>>> the server anymore....
>> Is Samba4 your AD DC ?, if so when you say that the keytab is updated 
>> is not really that it's the info stored in the computer object that 
>> are changed (and amongst them the kvno).
> Yes I'm in Samba4 so I suppose that the keytab appears to be changed 
> 'cause the computer object was modified.
>>>     Is anybody know why a keytab can change internaly ?
>>>     Can Win7 change keytab (refresh or modify or anything else) when 
>>> any user using it ?
>> Windows machine are changing periodically their password, when the 
>> password is changed the kvno is also changed.
> It's I supposed but I'm not advanced enough in win admin to know 
> why..... this answer confirms my idea.
>>>     I just want to understand why I have to upload new keytab on 
>>> linux side frequently ?
>>>     I know this problem isn't really a samba problem, but I hope 
>>> that somebody on this list knows this behaviour...
>> You can create a GPO that will apply only on Computers to disable 
>> password change.
> If it's possible to disable password changing I will do that
> Thanks a lot for your answers, it's what I've searched for long days !
In the mean time you can have a look at the samba-tool command: you can 
chang the Maximum password age to something much bigger for the moment 
(but it will apply to users as well).
./bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=dfsr12smb,DC=home,DC=matws,DC=net'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

> Best Regards,
> Bruno

Matthieu Patou
Samba Team

More information about the samba mailing list