Problem with kerberos - kvno getting bumped..

Christopher D. Clausen cclausen at acm.org
Mon Oct 25 17:59:41 EDT 2010


That blog doesn't say what you think it says, and I suspect it is referring 
to domain joined Windows computers, not pure Kerberos non-Windows ones.

You'll note that when the CLIENT initiates a password change, the kvno is 
incremented.  This happens with any flavor of Kerberos.  The (client) 
computer should know the new password and update the keytab if it is 
changing the computer account password.

The real question is, what is changing the password on the account that you 
are using in the keytab?  Are you using something like samba instead of pure 
Kerberos utilities?

My Linux systems (with Windows AD as a KDC) do not have their kvnos 
randomly incremented, it happens only when I knowingly do a password/keytab 
change.

If you have some unknown process changing your Kerberos passwords, you 
really need to find out what is doing that.

If you are trying to share a single account for a Windows and a Linux 
computer, don't do that.  Give each computer (and each service) its own 
principal within AD or at least realize the consequences of sharing them.

<<CDC

Karuppiah, Deepak <dkaruppiah at microstrategy.com> wrote:
> The password is indeed reset automatically as per this blog article from
> MSFT folks which explains the increments in KVNO.
>
> http://blogs.msdn.com/b/openspecification/archive/2009/11/13/to-kvno-or-
> not-to-kvno-what-is-the-version.aspx
>
> I am not certain if that is true if the Linux box turned off.
> Thanks,
> -Deepak
>
> -----Original Message-----
> From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
> Behalf Of Eric Youngdale
> Sent: Wednesday, October 20, 2010 12:37 PM
> To: kerberos at MIT.EDU
> Subject: Problem with kerberos - kvno getting bumped..
>
> I have a Linux (Ubuntu) box joined to a Windows domain (I
> believe the domain controllers are server 2003) so I can use Kerberos
> authentication.  Initially everything is working fine - I can ssh into
> the box using gssapiauthentication.
>
> After some number of days, this stops working however.   I
> would find that I could re-generate the keytab and the problem would go
> away for a while and eventually come back.   The most recent time I
> noticed that it stopped working on a Monday morning - implying perhaps
> that something changed over a weekend.
>
> I build the Kerberos libraries with optimization turned off so I could
> step through, and what became clear was that the KVNO for the machine
> account had changed - in AD the number was now 30, but the keytab had a
> KVNO of 24.  So it wasn't just one bump - there were several (the keys
> were generated on 09/25/10).
>
> At this point, I don't know *why* the kvno is changing.   Right now I
> have a script running that polls the KVNO every 5 minutes so I can see
> exactly when the thing changes - once I have a time, I can start looking
> at logs (both on the Linux box and perhaps even on the domain
> controller).   For that matter, I could probably shut down the Linux box
> for a few weeks to see whether the KVNO bumps happen without the machine
> being up or not.
>
> Does anyone have anything else to suggest for what I should
> be looking for?
>
> -Eric
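The check both messages revolve around, stated as a script: compare the key version the keytab holds for a principal with the key version the KDC currently issues for it. This is an added example, not code from either poster; it parses the MIT `klist -kt` and `kvno` output formats, the host, realm and keytab path are assumptions, and the sample outputs are constructed to reproduce the 24-versus-30 situation from the original report.

```shell
#!/bin/sh
# Added example (not from the thread): compare the key version a keytab holds for a
# principal with the key version the KDC currently issues for it. A gap like the one
# reported (keytab 24, AD 30) means the account password was set again after the
# keytab was written, once per increment. Host, realm and paths are assumptions.

# Constructed sample of `klist -kt /etc/krb5.keytab` output, MIT format.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  24 09/25/10 10:12:03 host/linuxbox.example.com@EXAMPLE.COM
  24 09/25/10 10:12:03 host/linuxbox.example.com@EXAMPLE.COM'

# Constructed sample of `kvno host/linuxbox.example.com@EXAMPLE.COM` output; the
# number printed is the kvno the KDC put in the service ticket, i.e. its current key.
SAMPLE_KVNO='host/linuxbox.example.com@EXAMPLE.COM: kvno = 30'

# keytab_max_kvno KLIST_OUTPUT PRINCIPAL: highest kvno the keytab holds for
# PRINCIPAL, 0 if absent. Entry lines start with a number; principal is last field.
keytab_max_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $NF == p && $1 + 0 > m { m = $1 + 0 }
        END { print m + 0 }'
}

# kdc_kvno KVNO_OUTPUT: the "kvno = N" value, empty if kvno failed.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_kvno KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL: prints a verdict; exit status
# 0 = match, 1 = mismatch, 2 = could not determine.
check_kvno() {
    have=$(keytab_max_kvno "$1" "$3")
    want=$(kdc_kvno "$2")
    if [ -z "$want" ]; then
        echo "error: no service ticket for $3 (is there a valid TGT in the cache?)"
        return 2
    fi
    if [ "$have" -eq 0 ]; then
        echo "error: $3 is not in the keytab"
        return 2
    fi
    if [ "$have" -eq "$want" ]; then
        echo "ok: keytab kvno $have matches the KDC"
        return 0
    fi
    echo "mismatch: keytab kvno $have, KDC kvno $want; password set $((want - have)) time(s) since the keytab was written"
    return 1
}

# live_check PRINCIPAL [KEYTAB]: run the comparison against the real tools. Needs a
# TGT for any principal in the realm (kinit as a user first); it deliberately does
# not kinit from the keytab, because that is exactly what fails once the kvno is stale.
live_check() {
    check_kvno "$(klist -kt "${2:-/etc/krb5.keytab}")" "$(kvno "$1" 2>&1)" "$1"
}

# Demonstration on the constructed samples; the mismatch exit status is ignored here.
check_kvno "$SAMPLE_KLIST" "$SAMPLE_KVNO" 'host/linuxbox.example.com@EXAMPLE.COM' || :
```

Run from cron with `live_check host/$(hostname -f)@REALM` and log the verdict to get the timestamp of the change without stepping through the libraries; the exit status 1 is also a cheap alert condition. Because the comparison uses a service ticket rather than a keytab kinit, it keeps working after the keytab has gone stale, which is the moment it matters.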