On Fri, 2013-02-15 at 10:22 +0100, Kaito Kumashiro wrote:
> On Fri, Feb 15, 2013 at 2:26 AM, Andrew Bartlett <[email protected]> wrote:
>
> > > I'm using Samba 4.0.1 also to authenticate users via Kerberos. Once in a
> > > while however I have to regenerate a keytab, because for reasons unknown to
> > > me, the KVNO is increased by one. I'm not doing anything with an account
> > > the SPN is bound to. The KVNO seems to change automagically after a few days
> > > and service cannot talk to the KDC unless I create a new keytab.
> > >
> > > What can cause the KVNO (and probably the keys) to change automagically? Is
> > > there a way to disable this?
> >
> > In AD, the KVNO is based on the replication metadata, specifically the
> > version number for the unicodePwd attribute. It should only change if
> > that attribute is changed.
> >
> > What is the client in this case?
>
> I'm 100% positive the account with SPN has not been changed in any way by
> me or my co-workers. It's a computer account (CN=Computers), so I don't see
> a way any client could reset the password.
>
> On the other side is Postgres 9.2.2 (with GSSAPI). For example, yesterday
> it asked me politely to go away, because KDC returned KVNO 18 (what was
> shown in an error message) and keytab had KVNO 17 (what I confirmed with
> ktutil).

Do you have more than one DC? Are you sure they are replicating correctly?

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
