Computer Account Reset AD
Richard Smits
R.Smits at tudelft.nl
Tue May 11 03:37:20 EDT 2010
Hello,
We have a problem where we keep getting stuck when we try to find the
answer. I hope someone on this list can give us tips or hints in the
right direction.
I will explain it below :
We use Linux/Fedora clients with an nfs4/krb5 mount to a NetApp NAS head.
Our KDC is our Windows 2003/2008 AD.
The problem I was first facing was establishing root access to this
NAS head. I found out that we had to create a root keytab.
No problem there, but we installed a "management station" for creating
users and other maintenance work. Then you are going to face the "expired
ticket" problem.
I solved it this way.
In the crontab, every hour :
/usr/kerberos/bin/kinit -l 300d -k root/hostname.domain.net@DOMAIN.NET
300 days does not work, but one week seems to work.
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/hostname.domain.net@DOMAIN.NET
Valid starting     Expires            Service principal
05/11/10 08:15:01  05/11/10 18:15:02  krbtgt/DOMAIN.NET@DOMAIN.NET
        renew until 05/18/10 08:15:01
05/11/10 08:20:01  05/11/10 18:15:02  srv005$@DOMAIN.NET
        renew until 05/18/10 08:15:01
But now I will explain our problem.
Every week (on the second) the computer object in the AD is reset. Why,
we don't know. See logfile below:
--------------------------------------------
27-4-2010 12:49:56 Security Success Audit Account Management 646 NT
AUTHORITY\ANONYMOUS LOGON SRV005 "Computer Account Changed:
-
Target Account Name: nasmgt$
Target Domain: DASTUD
Target Account ID: DOMAIN\nasmgt$
Caller User Name: SRV005$
Caller Domain: DASTUD
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 4/27/2010 12:49:56 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
Sid History: -
Logon Hours: -
DNS Host Name: -
Service Principal Names: -
"
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 646
Date: 4-5-2010
Time: 12:49:56
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SRV005
Description:
Computer Account Changed:
-
Target Account Name: nasmgt$
Target Domain: DASTUD
Target Account ID: DOMAIN\nasmgt$
Caller User Name: SRV005$
Caller Domain: DASTUD
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 5/4/2010 12:49:56 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
Sid History: -
Logon Hours: -
DNS Host Name: -
Service Principal Names: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
--------------------
===================================
As a result the KVNO (Key Version Number) AD attribute
msDS-KeyVersionNumber keeps changing and is getting higher and higher.
We were at version 2. I rejoined the domain a few times and I am at
version 6 now.
See below.
The problem is that I have to recreate a new keytab file because our
clients are also using a nfs4/krb5 mount on another server.
When the version is higher than local in the keytab, the krb5 security
will not work anymore.
I have talked to the Windows sysadmins and they say that the password for
a computer object is changed every 30 days, but my experience is that
the key is increased every seven days.
-----
klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 root/nasmgt.domain.net@DOMAIN.NET (DES cbc mode with CRC-32)
   6 root/nasmgt.domain.net@DOMAIN.NET (DES cbc mode with RSA-MD5)
   6 root/nasmgt.domain.net@DOMAIN.NET (ArcFour with HMAC/md5)
   6 root/nasmgt@DOMAIN.NET (DES cbc mode with CRC-32)
   6 root/nasmgt@DOMAIN.NET (DES cbc mode with RSA-MD5)
   6 root/nasmgt@DOMAIN.NET (ArcFour with HMAC/md5)
----------------
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/nasmgt.domain.net@DOMAIN.NET
Valid starting     Expires            Service principal
04/21/10 12:15:01  04/21/10 22:15:01  krbtgt/DOMAIN.NET@DOMAIN.NET
        renew until 04/28/10 12:15:01
04/21/10 12:25:01  04/21/10 22:15:01  srv005$@DOMAIN.NET
        renew until 04/28/10 12:15:01
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
----------------------------
Reminder:
Because this is our maintenance / root station for our NAS head, I am
renewing our ticket every hour with a cronjob. So the lifetime of the
ticket is extended every hour. Could this be one of the actions that
causes this?
Greetings ... Richard Smits
--
R. (Richard) Smits
System administrator
TU Delft / Shared Service centre ICT
Landbergstraat 15, 2628CE Delft
Room: 2B-46
PO Box 354, 2600AJ Delft
T +31 (0)15 27 87312
F +31 (0)15 27 83787
E r.smits at tudelft.nl
I www.ssc-ict.tudelft.nl/pdc
present: Monday to Thursday
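The event records quoted in the post are the raw evidence for the "every seven days" observation, so here is an added example (not code from the post or from any vendor) that turns an exported Security log of event 646 "Computer Account Changed" records into the actual rotation interval per computer account. Two points the log itself makes: the "User" field is ANONYMOUS LOGON and the "Caller Logon ID" (0x0,0x3E7) is the domain controller's own SYSTEM session, which is what a DC logs when it applies a machine-password change on a member's behalf, so neither field names the host that asked for the change; and the same event with an identical timestamp appears twice in the export, so the parser de-duplicates on (account, Password Last Set) before measuring gaps. One caveat worth stating: the 30-day rotation the Windows admins describe is initiated by the member's own Netlogon service, never by the DC, so on a Linux member whatever holds the machine password is the initiator. Samba's winbindd, for instance, rotates it after `machine password timeout`, which defaults to 604800 seconds, exactly one week; the post does not say whether Samba runs on the management station, so that is a hypothesis to check, not a finding. The sample records below are constructed from the three events quoted in the post, reduced to the fields the parser uses.

```python
"""Work out how often a computer account's password is actually being reset,
from Windows Security event 646 ("Computer Account Changed") records.

Added example, not code from the original post. SAMPLE_EVENTS is constructed
from the events quoted there (including the duplicated first one); a real run
would feed in an exported Security log instead.
"""
import re
from datetime import datetime

# Constructed sample: the 646 events from the post, trimmed to the fields used here.
SAMPLE_EVENTS = """\
Event ID: 646
Date: 27-4-2010
Computer Account Changed:
Target Account Name: nasmgt$
Caller User Name: SRV005$
Caller Logon ID: (0x0,0x3E7)
Password Last Set: 4/27/2010 12:49:56 PM
Event ID: 646
Date: 27-4-2010
Computer Account Changed:
Target Account Name: nasmgt$
Caller User Name: SRV005$
Caller Logon ID: (0x0,0x3E7)
Password Last Set: 4/27/2010 12:49:56 PM
Event ID: 646
Date: 4-5-2010
Computer Account Changed:
Target Account Name: nasmgt$
Caller User Name: SRV005$
Caller Logon ID: (0x0,0x3E7)
Password Last Set: 5/4/2010 12:49:56 PM
"""

RECORD_START = re.compile(r"(?m)^(?=Event ID:)")      # one record per "Event ID:" line
FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")          # "Field name: value"
PLS_FORMAT = "%m/%d/%Y %I:%M:%S %p"                      # US format used by "Password Last Set"


def parse_events(text):
    """Split an exported log into one dict of field -> value per 646 record."""
    events = []
    for chunk in RECORD_START.split(text):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields.get("Event ID") == "646":
            events.append(fields)
    return events


def password_resets(events):
    """Map target account -> sorted, de-duplicated password reset times.

    646 is logged for any computer-account change; only records whose
    'Password Last Set' carries a timestamp (rather than '-') are resets.
    """
    resets = {}
    for ev in events:
        pls = ev.get("Password Last Set", "-")
        if pls == "-":
            continue
        when = datetime.strptime(pls, PLS_FORMAT)
        resets.setdefault(ev["Target Account Name"], set()).add(when)
    return {acct: sorted(times) for acct, times in resets.items()}


def reset_intervals_days(times):
    """Days between consecutive resets of one account."""
    return [(b - a).total_seconds() / 86400 for a, b in zip(times, times[1:])]


def rotation_report(text, policy_days=30):
    """Per account: reset count, the gaps between resets, and whether any gap
    is shorter than the rotation period the domain admins expect."""
    report = {}
    for acct, times in password_resets(parse_events(text)).items():
        gaps = reset_intervals_days(times)
        report[acct] = {
            "resets": len(times),
            "intervals_days": gaps,
            "faster_than_policy": any(g < policy_days for g in gaps),
        }
    return report


if __name__ == "__main__":
    for acct, info in rotation_report(SAMPLE_EVENTS).items():
        print(acct, info)
```

Run against a longer export, a consistent 7.0-day gap for one account while other computer accounts show about 30 days points squarely at that host's own software rather than at domain policy; if the gaps line up with a cron schedule instead, look at what that job runs.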
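The failure mode described in the post (AD's msDS-KeyVersionNumber moves past the kvno in the keytab and the nfs4/krb5 mounts stop working) is easy to catch before it bites, so here is an added example (not code from the post or from MIT Kerberos or Microsoft) that compares the highest kvno in the local keytab with the value AD holds for the computer object. Every password set on the object, whether by a rotation or by a rejoin, increments msDS-KeyVersionNumber; as soon as the KDC issues service tickets under the new key, a keytab carrying the old kvno can no longer decrypt them. The parser reads the text output of `klist -k -e`, the AD side reads an LDIF answer from `ldapsearch`. Both sample outputs below are constructed: the keytab lines match the post (kvno 6), the AD value of 7 is assumed in order to show the stale case, and the LDAP URI, base DN and GSSAPI bind in `live_compare` are assumptions for the environment in the post. The check also lists any single-DES keys it finds, since the post's keytab contains them and they are weak (current MIT Kerberos releases no longer support them at all).

```python
"""Compare the kvno in a local keytab with msDS-KeyVersionNumber in AD, so a
rotated computer-account password is noticed before the krb5 mounts fail.

Added example, not code from the original post. The sample outputs are
constructed: keytab lines as in the post (kvno 6), AD value 7 assumed.
"""
import re
import subprocess

SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 root/nasmgt.domain.net@DOMAIN.NET (DES cbc mode with CRC-32)
   6 root/nasmgt.domain.net@DOMAIN.NET (DES cbc mode with RSA-MD5)
   6 root/nasmgt.domain.net@DOMAIN.NET (ArcFour with HMAC/md5)
   6 root/nasmgt@DOMAIN.NET (DES cbc mode with CRC-32)
   6 root/nasmgt@DOMAIN.NET (ArcFour with HMAC/md5)
"""

# Constructed LDIF: an assumed ldapsearch answer for the nasmgt$ computer object.
SAMPLE_LDIF = """\
dn: CN=nasmgt,CN=Computers,DC=domain,DC=net
msDS-KeyVersionNumber: 7
"""

KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
# Single-DES keys are weak and unsupported by current MIT Kerberos; report them.
WEAK_ENCTYPE_PREFIXES = ("DES cbc",)


def parse_keytab(text):
    """`klist -k -e` output -> {principal: {"kvno": highest kvno, "enctypes": [...]}}"""
    entries = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if not m:
            continue
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        e = entries.setdefault(principal, {"kvno": 0, "enctypes": []})
        e["kvno"] = max(e["kvno"], kvno)
        e["enctypes"].append(enctype)
    return entries


def parse_ad_kvno(ldif):
    """Pull msDS-KeyVersionNumber out of an LDIF search result (None if absent)."""
    m = re.search(r"(?m)^msDS-KeyVersionNumber:\s*(\d+)\s*$", ldif)
    return int(m.group(1)) if m else None


def compare(keytab_text, ldif, principal):
    """Classify the keytab entry for `principal` against the kvno AD holds."""
    entry = parse_keytab(keytab_text).get(principal)
    ad_kvno = parse_ad_kvno(ldif)
    if entry is None or ad_kvno is None:
        return {"status": "unknown", "keytab_kvno": entry and entry["kvno"],
                "ad_kvno": ad_kvno, "weak_enctypes": []}
    if entry["kvno"] == ad_kvno:
        status = "ok"
    elif entry["kvno"] < ad_kvno:
        status = "stale-keytab"   # password was rotated; export a fresh keytab
    else:
        status = "ahead-of-ad"    # queried DC lags replication, or wrong object
    weak = [et for et in entry["enctypes"] if et.startswith(WEAK_ENCTYPE_PREFIXES)]
    return {"status": status, "keytab_kvno": entry["kvno"],
            "ad_kvno": ad_kvno, "weak_enctypes": weak}


def live_compare(principal, sam_account, base_dn, ldap_uri, keytab="/etc/krb5.keytab"):
    """Run the real commands. Needs a valid TGT for the GSSAPI bind; the LDAP
    URI, base DN and filter are assumptions for the environment in the post."""
    klist_out = subprocess.run(["klist", "-k", "-e", keytab],
                               capture_output=True, text=True, check=True).stdout
    ldif = subprocess.run(
        ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", ldap_uri, "-b", base_dn,
         f"(sAMAccountName={sam_account})", "msDS-KeyVersionNumber"],
        capture_output=True, text=True, check=True).stdout
    return compare(klist_out, ldif, principal)


if __name__ == "__main__":
    print(compare(SAMPLE_KLIST, SAMPLE_LDIF, "root/nasmgt.domain.net@DOMAIN.NET"))
```

A cheaper cross-check that needs no LDAP access is MIT's `kvno root/nasmgt.domain.net@DOMAIN.NET`, which fetches a service ticket and prints the kvno the KDC is currently using; if that number is higher than what `klist -k` shows, the keytab is stale regardless of what the directory says. Querying a single DC can also report "ahead-of-ad" for a short while after a rejoin until replication catches up, so treat that status as "re-check shortly" rather than as an error.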