SPN key kvno increasing once a week
Andrew Bartlett
abartlet at samba.org
Mon May 20 17:08:04 MDT 2013
On Mon, 2013-05-20 at 13:57 -0400, David Mansfield wrote:
> Hi All:
>
> I have a number of samba3 and samba4 based winbind clients (centos 6 and
> Fedora 18 respectively, BTW) connecting to a compiled-by-hand samba4 DC
> running on centos6. The exported keytab for an SPN we use for apache is
> becoming invalid every week due to a bump in the kvno for the SPN
> "HTTP/myhost.domain.com". This also affects the
> "host/myhost.domain.com" SPN key and probably all of the SPN keys for
> that host. I can see from google that this is not a "new" problem, but
> nowhere is there a note of the resolution.
>
> The winbind operation is unaffected (and is probably causing this
> problem) - its internal keytab must be getting refreshed (or it's not
> using a keytab or something).
>
> I have not modified/set "kerberos method" in smb.conf from the defaults,
> but I do have "winbind refresh tickets = true" on.
>
> Can anyone tell me:
>
> 1) why is kvno getting bumped every week, who is responsible (client or
> server), can it be configured and/or disabled?
>
> 2) if I can't fix #1, can I force winbind to create multiple keytabs all
> over my filesystem and be sure to chown and set selinux context for me?
It might be best to allocate these services that you want to use a
different keytab for their own principals. If you are giving them
different levels of privilege on your server, then they each need a
different account, as otherwise one could compromise the other by
creation of fake tickets (because they all know the secret key).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
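Following Andrew's suggestion of a dedicated principal per service, here is an added example (not from either poster) that uses samba-tool on the DC to create a separate account for the Apache SPN, export only that principal's keys, and fix ownership and the SELinux label. The account name, host, keytab path and owner are placeholders; a dedicated account is not touched by the machine account password change that increments the host's kvno.

```shell
#!/bin/sh
# Added example: provision a dedicated service account and SPN for Apache on
# a Samba 4 DC, then export only that principal's keys to the web server.
# Assumptions: samba-tool, klist and restorecon are on PATH; account name,
# host, keytab path and owner below are placeholders for your own domain.
# Set DRY_RUN=1 to print the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# provision_http_principal <fqdn> <account> <keytab> <owner>
provision_http_principal() {
    fqdn=$1; account=$2; keytab=$3; owner=$4
    spn="HTTP/$fqdn"

    # Own account: its key differs from the host's, so a leaked web-server
    # keytab does not expose host/ or other services' keys, and the machine
    # account password rotation does not bump this principal's kvno.
    run samba-tool user create "$account" --random-password \
        --description "Service account for $spn"
    # Keep the domain password policy from expiring the service password.
    run samba-tool user setexpiry "$account" --noexpiry

    # Bind the SPN to the service account rather than to the host object.
    run samba-tool spn add "$spn" "$account"

    # Export just this principal; no other keys reach the web server.
    run samba-tool domain exportkeytab "$keytab" --principal="$spn"

    # Least privilege on disk, then restore the SELinux label for that path.
    run chown "$owner" "$keytab"
    run chmod 0400 "$keytab"
    run restorecon "$keytab"
}

# List the kvno each key in the keytab carries (MIT klist syntax); if it
# stops matching what the KDC issues, the account password has changed.
show_keytab_kvno() {
    run klist -k -t "$1"
}
```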
More information about the samba-technical mailing list