Computer Account Reset AD

Douglas E. Engert deengert at anl.gov
Tue May 11 10:36:07 EDT 2010



Richard Smits wrote:
> Hello,
> 
> We have a problem where we keep getting stuck when we try to find the 
> answer. I hope someone on this list can give us tips or hints in the 
> right direction.
> 
> I will explain it below :
> 
> We use Linux/Fedora clients with a nfs4/krb5 mount to a NetApp nashead.
> Our KDC is our Windows 2003/2008 AD.
> 
> The problem i was first facing was to establish root access to this 
> nashead. I found out that we had to create a root keytab.
> 
> No problem there, but we installed a "management station" for creating 
> users and other maintenance work. Then you are going to face the "expired 
> ticket" problem.
> 
> I solved it this way.
> 
> In the crontab, every hour :
> /usr/kerberos/bin/kinit -l 300d -k root/hostname.domain.net@DOMAIN.NET
> 
> 300 days does not work, but one week seems to work.
> 
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: root/hostname.domain.net@DOMAIN.NET
> 
> Valid starting     Expires            Service principal
> 05/11/10 08:15:01  05/11/10 18:15:02  krbtgt/DOMAIN.NET@DOMAIN.NET
> 	renew until 05/18/10 08:15:01
> 05/11/10 08:20:01  05/11/10 18:15:02  srv005$@DOMAIN.NET
> 	renew until 05/18/10 08:15:01
> 
> But now I will explain our problem.
> 
> Every week (on the second) the computer object in the AD is reset. Why, 
> we don't know. See logfile below :
> 
> --------------------------------------------
> 27-4-2010	12:49:56	Security	Success Audit	Account Management 	646	NT 
> AUTHORITY\ANONYMOUS LOGON	SRV005	"Computer Account Changed:
>   	-
>   	Target Account Name:	nasmgt$
>   	Target Domain:	DASTUD
>   	Target Account ID:	DOMAIN\nasmgt$
>   	Caller User Name:	SRV005$
>   	Caller Domain:	DASTUD
>   	Caller Logon ID:	(0x0,0x3E7)
>   	Privileges:	-
>   Changed Attributes:
>   	Sam Account Name:	-
>   	Display Name:	-
>   	User Principal Name:	-
>   	Home Directory:	-
>   	Home Drive:	-
>   	Script Path:	-
>   	Profile Path:	-
>   	User Workstations:	-
>   	Password Last Set:	4/27/2010 12:49:56 PM
>   	Account Expires:	-
>   	Primary Group ID:	-
>   	AllowedToDelegateTo:	-
>   	Old UAC Value:	-
>   	New UAC Value:	-
>   	User Account Control:	-
>   	User Parameters:	-
>   	Sid History:	-
>   	Logon Hours:	-
>   	DNS Host Name:	-
>   	Service Principal Names:	-
>   "
> 27-4-2010	12:49:56	Security	Success Audit	Account Management 	646	NT 
> AUTHORITY\ANONYMOUS LOGON	SRV005	"Computer Account Changed:
>   	-
>   	Target Account Name:	nasmgt$
>   	Target Domain:	DASTUD
>   	Target Account ID:	DOMAIN\nasmgt$
>   	Caller User Name:	SRV005$
>   	Caller Domain:	DASTUD
>   	Caller Logon ID:	(0x0,0x3E7)
>   	Privileges:	-
>   Changed Attributes:
>   	Sam Account Name:	-
>   	Display Name:	-
>   	User Principal Name:	-
>   	Home Directory:	-
>   	Home Drive:	-
>   	Script Path:	-
>   	Profile Path:	-
>   	User Workstations:	-
>   	Password Last Set:	4/27/2010 12:49:56 PM
>   	Account Expires:	-
>   	Primary Group ID:	-
>   	AllowedToDelegateTo:	-
>   	Old UAC Value:	-
>   	New UAC Value:	-
>   	User Account Control:	-
>   	User Parameters:	-
>   	Sid History:	-
>   	Logon Hours:	-
>   	DNS Host Name:	-
>   	Service Principal Names:	-
> 
> 
> 
> Event Type:	Success Audit
> Event Source:	Security
> Event Category:	Account Management
> Event ID:	646
> Date:		4-5-2010
> Time:		12:49:56
> User:		NT AUTHORITY\ANONYMOUS LOGON
> Computer:	SRV005
> Description:
> Computer Account Changed:
>   	-
>   	Target Account Name:	nasmgt$
>   	Target Domain:	DASTUD
>   	Target Account ID:	DOMAIN\nasmgt$
>   	Caller User Name:	SRV005$
>   	Caller Domain:	DASTUD
>   	Caller Logon ID:	(0x0,0x3E7)
>   	Privileges:	-
>   Changed Attributes:
>   	Sam Account Name:	-
>   	Display Name:	-
>   	User Principal Name:	-
>   	Home Directory:	-
>   	Home Drive:	-
>   	Script Path:	-
>   	Profile Path:	-
>   	User Workstations:	-
>   	Password Last Set:	5/4/2010 12:49:56 PM
>   	Account Expires:	-
>   	Primary Group ID:	-
>   	AllowedToDelegateTo:	-
>   	Old UAC Value:	-
>   	New UAC Value:	-
>   	User Account Control:	-
>   	User Parameters:	-
>   	Sid History:	-
>   	Logon Hours:	-
>   	DNS Host Name:	-
>   	Service Principal Names:	-
> 
> 
> For more information, see Help and Support Center at 
> http://go.microsoft.com/fwlink/events.asp.
> 
> --------------------
> 
> Event Type:	Success Audit
> Event Source:	Security
> Event Category:	Account Management
> Event ID:	646
> Date:		4-5-2010
> Time:		12:49:56
> User:		NT AUTHORITY\ANONYMOUS LOGON
> Computer:	SRV005
> Description:
> Computer Account Changed:
>   	-
>   	Target Account Name:	nasmgt$
>   	Target Domain:	DASTUD
>   	Target Account ID:	DOMAIN\nasmgt$
>   	Caller User Name:	SRV005$
>   	Caller Domain:	DASTUD
>   	Caller Logon ID:	(0x0,0x3E7)
>   	Privileges:	-
>   Changed Attributes:
>   	Sam Account Name:	-
>   	Display Name:	-
>   	User Principal Name:	-
>   	Home Directory:	-
>   	Home Drive:	-
>   	Script Path:	-
>   	Profile Path:	-
>   	User Workstations:	-
>   	Password Last Set:	5/4/2010 12:49:56 PM
>   	Account Expires:	-
>   	Primary Group ID:	-
>   	AllowedToDelegateTo:	-
>   	Old UAC Value:	-
>   	New UAC Value:	-
>   	User Account Control:	-
>   	User Parameters:	-
>   	Sid History:	-
>   	Logon Hours:	-
>   	DNS Host Name:	-
>   	Service Principal Names:	-
> ===================================
> 
> As a result the KVNO (Key Version Number) AD attribute,
> msDS-KeyVersionNumber, keeps changing and is getting higher and higher.
> We were at version 2. I rejoined the domain a few times and i am at 
> version 6 now.
> See below.
> 
> The problem is that I have to recreate a new keytab file because our
> clients are also using a nfs4/krb5 mount on another server.
> 
> When the version is higher than local in the keytab, the krb5 security
> will not work anymore.
> 
> I have talked to the Windows sysadmins and they say that the password for
> a computer object is changed every 30 days, but my experience is that
> the key is increased every seven days.

Looks like the SRV005 at DASTDU is changing the password.

Are you using a single AD account for the machine and the root/host?

What is SRV005$? Is this the sAMAccountName of the machine's account?

Is there a cron job or some NAS daemon that is changing it, and expecting
to change the host/fqdn@realm keys in the keytab at the same time?

Did you do a setspn command to add root/hostname.domain.net@DOMAIN.NET?
(What UPN and SPNs are on the account?)

You may have been bitten by AD using a single password per account, which is
used to derive the keys on the fly for the UPN and all SPNs associated with
the account.

Normally the /etc/krb5.keytab has host/fqdn@realm principals, and not
root/fqdn@realm principals. Did you clobber the previous /etc/krb5.keytab,
which may have had a host/fqdn@realm principal?

You could consider separating this, using two computer accounts: one for root
and one for the machine. You may not need a root/fqdn@realm principal at
all. Look at ~/.k5login and use kinit -k host/fqdn@realm

> 
> -----
> klist -k -e
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>     6 root/nasmgt.domain.net@DOMAIN.NET (DES cbc mode with CRC-32)
>     6 root/nasmgt.domain.net@DOMAIN.NET (DES cbc mode with RSA-MD5)
>     6 root/nasmgt.domain.net@DOMAIN.NET (ArcFour with HMAC/md5)
>     6 root/nasmgt@DOMAIN.NET (DES cbc mode with CRC-32)
>     6 root/nasmgt@DOMAIN.NET (DES cbc mode with RSA-MD5)
>     6 root/nasmgt@DOMAIN.NET (ArcFour with HMAC/md5)
> 
> ----------------
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: root/nasmgt.domain.net@DOMAIN.NET
> 
> Valid starting     Expires            Service principal
> 04/21/10 12:15:01  04/21/10 22:15:01  krbtgt/DOMAIN.NET@DOMAIN.NET
>      renew until 04/28/10 12:15:01
> 04/21/10 12:25:01  04/21/10 22:15:01  srv005$@DOMAIN.NET
>      renew until 04/28/10 12:15:01
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> ----------------------------
> 
> Reminder :
> 
> Because this is our maintenance / root station for our nashead, I am 
> renewing our ticket every hour with a cronjob. So the lifetime of the 
> ticket is extended every hour. Could this be one of the actions that 
> causes this ?
> 
> Greetings ... Richard Smits
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
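The practical consequence of Doug's point (one account password, keys for the UPN and every SPN derived from it) is that whoever rotates the computer account password, whether Netlogon on the Windows side or something on the management station, bumps msDS-KeyVersionNumber and invalidates every key in the keytab for that account at once. Rather than waiting for the krb5 NFS mount to fail, the management station can compare the keytab's KVNO with the value in AD from the same hourly cron job that already runs kinit. The script below is an added example written for this page, not code from the thread or from MIT Kerberos; the host name dc.domain.net, the base DN, the klist and ldapsearch output and the pwdLastSet value are constructed to mirror the thread and are not real data.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-friendly check that compares the
# KVNO held in the local keytab with msDS-KeyVersionNumber on the AD computer
# account, so the keytab is regenerated as soon as the account password has been
# rotated instead of after the next krb5 NFS mount fails.
#
# On a real host the two inputs come from (host name and base DN are assumptions):
#   klist -k -e /etc/krb5.keytab
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc.domain.net -b 'DC=domain,DC=net' \
#       '(sAMAccountName=nasmgt$)' msDS-KeyVersionNumber pwdLastSet

# Highest KVNO for one principal in klist -k output; 0 if the principal is absent.
# Args: klist output, principal name.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == p && $1 ~ /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 }
        END { print max + 0 }'
}

# First value of one attribute in LDIF output (attribute names are case-insensitive).
# Args: LDIF text, attribute name.
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2" 'tolower($1) == (tolower(a) ":") { print $2; exit }'
}

# Windows FILETIME (100 ns ticks since 1601-01-01) to Unix epoch seconds.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# Exit status: 0 keytab matches AD, 1 keytab is stale (regenerate it),
# 2 keytab is ahead of AD (wrong account, wrong DC or replication lag),
# 3 the LDAP result carried no msDS-KeyVersionNumber.
# Args: klist output, principal name, LDIF text.
check_kvno() {
    kt=$(keytab_kvno "$1" "$2")
    ad=$(ldif_attr "$3" msDS-KeyVersionNumber)
    [ -n "$ad" ] || { echo "no msDS-KeyVersionNumber in LDAP result" >&2; return 3; }
    if [ "$kt" -eq "$ad" ]; then return 0
    elif [ "$kt" -lt "$ad" ]; then return 1
    else return 2
    fi
}

# Human-readable summary, including how long ago AD last set the password
# (useful for settling the "7 days or 30 days" question in the thread).
report() {
    rc=0; check_kvno "$1" "$2" "$3" || rc=$?
    pls=$(ldif_attr "$3" pwdLastSet)
    age="unknown"
    [ -n "$pls" ] && age="$(( ($(date +%s) - $(filetime_to_epoch "$pls")) / 86400 )) days ago"
    echo "$2: keytab KVNO=$kt, AD KVNO=$ad, password last set $age, status=$rc"
    return 0
}

# Constructed sample that mirrors the thread: keytab still at KVNO 6, AD already at 7
# (one more rotation, or one more re-join, has happened since the keytab was written).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 root/nasmgt.domain.net@DOMAIN.NET (ArcFour with HMAC/md5)
   6 root/nasmgt.domain.net@DOMAIN.NET (DES cbc mode with CRC-32)
   6 root/nasmgt.domain.net@DOMAIN.NET (ArcFour with HMAC/md5)
   6 root/nasmgt@DOMAIN.NET (ArcFour with HMAC/md5)'

# pwdLastSet is a constructed FILETIME for 2010-05-04 10:49:56 UTC.
SAMPLE_LDIF='dn: CN=nasmgt,CN=Computers,DC=domain,DC=net
msDS-KeyVersionNumber: 7
pwdLastSet: 129174437960000000'

report "$SAMPLE_KLIST" 'root/nasmgt.domain.net@DOMAIN.NET' "$SAMPLE_LDIF"
```

In cron, feed check_kvno the live `klist -k -e` and `ldapsearch` output and treat exit status 1 as "regenerate /etc/krb5.keytab from the new account password"; the GSSAPI bind needs a valid ticket, which the hourly kinit already provides. Because every SPN on the account shares the one password, checking a single principal is enough to know whether all of that account's keytab entries are stale.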


