kvno overflow
Jonathan Reams
jr3074 at columbia.edu
Mon Jan 31 15:11:59 EST 2011
It looks like there's a difference between how kvnos are handled in keytabs vs the principals database/kadmin. In order to monitor our iprop setup, we have a principal who's key gets added to a keytab once an hour, and when the kvno hit 257, it reset to 0 in the keytab, but not in kadmin.
[root at doversole ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
0 iprop_monitor at CC.COLUMBIA.EDU
0 iprop_monitor at CC.COLUMBIA.EDU
0 iprop_monitor at CC.COLUMBIA.EDU
0 iprop_monitor at CC.COLUMBIA.EDU
[root at doversole ~]# kadmin -p rjr3074
Authenticating as principal rjr3074 with password.
Password for rjr3074 at CC.COLUMBIA.EDU:
kadmin: getprinc iprop_monitor
Principal: iprop_monitor at CC.COLUMBIA.EDU
Expiration date: [never]
Last password change: Mon Jan 31 12:01:01 EST 2011
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Jan 31 12:01:01 EST 2011 (iprop_monitor at CC.COLUMBIA.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 257, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 257, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 257, ArcFour with HMAC/md5, no salt
Key: vno 257, DES cbc mode with CRC-32, no salt
Looks like a bug to me. In the meantime, is there any way to reset the kvno in kadmin so the keytab and kadmin can be in sync again?
Jonathan Reams
Columbia University
More information about the krbdev
mailing list