Problem with kerberos - kvno getting bumped..

Karuppiah, Deepak dkaruppiah at microstrategy.com
Wed Oct 20 14:11:06 EDT 2010


The password is indeed reset automatically as per this blog article from
MSFT folks which explains the increments in KVNO.

http://blogs.msdn.com/b/openspecification/archive/2009/11/13/to-kvno-or-not-to-kvno-what-is-the-version.aspx

I am not certain if that is true if the Linux box is turned off.
Thanks,
-Deepak

-----Original Message-----
From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
Behalf Of Eric Youngdale
Sent: Wednesday, October 20, 2010 12:37 PM
To: kerberos at MIT.EDU
Subject: Problem with kerberos - kvno getting bumped..


I have a Linux (Ubuntu) box joined to a Windows domain (I
believe the domain controllers are server 2003) so I can use Kerberos
authentication. Initially everything is working fine - I can ssh into
the box using gssapiauthentication.

 

After some number of days, this stops working however. I
would find that I could re-generate the keytab and the problem would go
away for a while and eventually come back. The most recent time I
noticed that it stopped working on a Monday morning - implying perhaps
that something changed over a weekend.

 

I built the Kerberos libraries with optimization turned off so I could
step through, and what became clear was that the KVNO for the machine
account had changed - in AD the number was now 30, but the keytab had a
KVNO of 24. So it wasn't just one bump - there were several (the keys
were generated on 09/25/10).

 

At this point, I don't know *why* the kvno is changing. Right now I
have a script running that polls the KVNO every 5 minutes so I can see
exactly when the thing changes - once I have a time, I can start looking
at logs (both on the Linux box and perhaps even on the domain
controller). For that matter, I could probably shut down the Linux box
for a few weeks to see whether the KVNO bumps happen without the machine
being up or not.

 

Does anyone have anything else to suggest for what I should
be looking for?

 

-Eric

 

 

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
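
The polling check described in the quoted message, as an added example that is not part of the original thread or anyone's actual script: it compares the highest KVNO in `klist -k` output with the value `kvno` reports from the KDC and logs a timestamped status on each poll. The principal name and sample outputs are constructed (24 and 30 are the values from the post), and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: compare the keytab's KVNO with the KVNO the KDC reports.
# Principal name and sample outputs are constructed; 24 and 30 are from the post.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  24 host/linuxbox.example.com@EXAMPLE.COM
  24 host/linuxbox.example.com@EXAMPLE.COM'
SAMPLE_KDC='host/linuxbox.example.com@EXAMPLE.COM: kvno = 30'

# Highest KVNO for principal $1 in `klist -k` output read from stdin.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p { if (!found || $1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (!found) exit 1; print max }'
}

# KVNO from `kvno <principal>` output ("<principal>: kvno = N") read from stdin.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# $1 = principal, $2 = `klist -k` text, $3 = `kvno` text.
# Prints a status line; returns 0 = match, 1 = drift, 2 = not in keytab, 3 = no KDC answer.
check_drift() {
    cd_kt=$(printf '%s\n' "$2" | keytab_kvno "$1") || { echo "MISSING"; return 2; }
    cd_kdc=$(printf '%s\n' "$3" | kdc_kvno)
    [ -n "$cd_kdc" ] || { echo "UNKNOWN keytab=$cd_kt"; return 3; }
    if [ "$cd_kt" -eq "$cd_kdc" ]; then echo "OK kvno=$cd_kt"; return 0; fi
    echo "DRIFT keytab=$cd_kt kdc=$cd_kdc"; return 1
}

# Live polling every 5 minutes, as in the post. Assumes a valid TGT (kinit) and
# read access to the keytab. A service ticket already in the credential cache
# carries the KVNO it was issued with, so a bump shows up on the next fresh ticket.
if [ "${1:-}" = "--poll" ]; then
    princ=${2:?"usage: $0 --poll PRINCIPAL"}
    while :; do
        status=$(check_drift "$princ" "$(klist -k 2>/dev/null)" "$(kvno "$princ" 2>/dev/null)") || true
        printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$status"
        sleep 300
    done
fi
```

The first `DRIFT` line in the log gives the time window to search in the domain controller and local logs.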



