Problem with kerberos - kvno getting bumped..

Eric Youngdale Eric.Youngdale at mks.com
Wed Oct 20 12:36:37 EDT 2010


I have a Linux (Ubuntu) box joined to a Windows domain (I
believe the domain controllers are server 2003) so I can use Kerberos
authentication.  Initially everything is working fine - I can ssh into
the box using gssapiauthentication.

After some number of days, this stops working, however.   I
would find that I could re-generate the keytab and the problem would go
away for a while and eventually come back.   The most recent time I
noticed that it stopped working on a Monday morning - implying perhaps
that something changed over a weekend.

I built the Kerberos libraries with optimization turned off so I could
step through, and what became clear was that the KVNO for the machine
account had changed - in AD the number was now 30, but the keytab had a
KVNO of 24.  So it wasn't just one bump - there were several (the keys
were generated on 09/25/10).

At this point, I don't know *why* the kvno is changing.   Right now I
have a script running that polls the KVNO every 5 minutes so I can see
exactly when the thing changes - once I have a time, I can start looking
at logs (both on the Linux box and perhaps even on the domain
controller).   For that matter, I could probably shut down the Linux box
for a few weeks to see whether the KVNO bumps happen without the machine
being up or not.

Does anyone have anything else to suggest for what I should
be looking for?

 

-Eric
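
The keytab-versus-KDC KVNO comparison described in the post, as an added example that is not part of the original message or the poster's script. It assumes the MIT Kerberos `klist -k` and `kvno` output formats; the principal name and sample output are constructed, and `poll_once` is a hypothetical helper.

```shell
#!/bin/sh
# Added example (not from the original post). Sample output is constructed;
# the principal name is a placeholder.
SAMPLE_PRINC='host/linuxbox.example.com@EXAMPLE.COM'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
  23 host/linuxbox.example.com@EXAMPLE.COM
  24 host/linuxbox.example.com@EXAMPLE.COM'
SAMPLE_KVNO='host/linuxbox.example.com@EXAMPLE.COM: kvno = 30'

# Highest KVNO stored for principal $1 in `klist -k` output read from stdin.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p {
            if (!found || $1 + 0 > max) max = $1 + 0
            found = 1
        }
        END { if (!found) exit 1; print max }'
}

# KVNO the KDC reports, from `kvno <principal>` output read from stdin.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Compare the two numbers: prints a status line, returns 1 on mismatch.
check_drift() {  # $1 principal, $2 keytab KVNO, $3 KDC KVNO
    if [ "$2" -eq "$3" ]; then
        echo "OK $1 kvno=$2"
    else
        echo "DRIFT $1 keytab=$2 kdc=$3"
        return 1
    fi
}

# Hypothetical helper for a cron job: one timestamped line per poll.
# Needs a valid ticket cache so that `kvno` can reach the KDC.
poll_once() {  # $1 principal, $2 keytab path
    kt=$(klist -k "$2" | keytab_kvno "$1") || return 2
    kdc=$(kvno "$1" | kdc_kvno)
    [ -n "$kdc" ] || return 2
    line=$(check_drift "$1" "$kt" "$kdc") && rc=0 || rc=1
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $line"
    return $rc
}

# Demo on the constructed sample, using the numbers from the post (24 vs 30).
kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$SAMPLE_PRINC")
kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno)
check_drift "$SAMPLE_PRINC" "$kt" "$kdc" || true
```

`kvno` can answer from a service ticket already held in the credential cache, so a long-running poller should point `KRB5CCNAME` at a fresh cache for each poll.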

 

 



